Teklimbu's Weblog

Server and Network Monitoring using MRTG – Part 1

teklimbu — Mon, 28 Jan 2008 15:41:20 +0000

This is the 1st series of articles highlighting the usage of MRTG for server and network monitoring.

In my previous article, I touched upon the basics of installing MRTG, Net-SNMP and used the cfgmaker tool to generate simple MRTG graphs. In this article, we further move on to the topic of creating MRTG graphs for a single Linux/Unix machine using only shell scripts.

The final goal or mission of these series of articles is to provide users concrete and professional examples of monitoring their servers and network devices using MRTG. In the end of these series of articles, we will round up and unite all these MRTG graphs to our web based network monitoring system called Nagios.

I had provided the basics steps of installation and configuration of Nagios in my previous article which can be found at:

http://teklimbu.wordpress.com/2008/01/01/network-management-using-nagios/

For this article, I will be just be using a shell script called system which I had found on the web some time ago. This script provides various data such as memory usage, processes running, tcp connections, etc..

The shell script called system and it’s corresponding mrtg.cfg configuration file can be used to monitor your workstations and servers and it looks quite cool! You won’t even be needing SNMP for this script to work but the downside is that this script can monitor only a single network interface. Of course, we can modify this script to report every network interface on your server! And we will be using other scripts in future articles reporting the traffic analysis from multiple network interfaces.

Which tools and programs will we be using in this article? We will only be using the Apache web server, the MRTG tool and of course the shell script called “system“.

As always, if you want anything to be displayed graphically on a web page, you will need a web server. Apache is the default Web server used with Linux and Unix hosts. Even Windows based operating systems uses them!

A large fraction of the websites running on the Internet today are powered by the Apache web server. Hence our first step is installing a very basic form of Apache suiting our needs. As of today (28-Jan-2008), the latest version of Apache is 2.2.8

Installing the Apache Web server

(1.) Download Apache

cd /usr/local/src

wget http://ftp.cuhk.edu.hk/pub/packages/apache.org/httpd/httpd-2.2.8.tar.gz

(2.) unzip the sources

tar zxvf httpd-2.2.8.tar.gz

(3.) Configure Apache

cd httpd-2.2.8

./configure

–prefix=/usr/local/httpd \

–enable-so

(4.) Compile and install Apache

make && make install

(5.) Start the Apache web server

/usr/local/httpd/bin/apachectl start

That’s it. Apache 2.2.8 should now be running!

Moving on, we will next compile and install the MRTG package.

MRTG Installation

(1.) Create local directory and change to that directory.

mkdir -p /usr/local/src/mrtg

cd /usr/local/src/mrtg

(2.) Download MRTG. The latest version of MRTG as on 28-Jan-2008 is 2.15.2.

wget http://oss.oetiker.ch/mrtg/pub/mrtg-2.15.2.tar.gz

(3.) Unzip the package.

tar zxvf mrtg-2.15.2.tar.gz

cd mrtg-2.15.2

(4.) Configure MRTG

./configure –prefix=/usr/local/mrtg-2

Note: you may need to install the GD library. For Debian users, it’s just a matter of typing: apt-get install libgd-dev

However, you can download the GD package and compile it manually.

wget http://www.libgd.org/releases/oldreleases/gd-2.0.33.tar.gz

tar zxvf gd-2.0.33.tar.gz

cd gd-2.0.33

./configure

make && make install

(5.) Compile and install the MRTG software.

make && make install

That’s it. MRTG is now installed in the prefixed directory: /usr/local/mrtg-2

The main shell script: system

We will use the following shell script called system.

(1.) mkdir -p /usr/local/mrtg-2/scripts/

(2) vi /usr/local/mrtg-2/scripts/system

#Copy and paste the following

###Start of script called system####

#!/bin/sh

TYPE=$1
PARAM=$2

if [ "$TYPE" = "processes" ]; then
INDATA=`cat /proc/loadavg | cut -d ‘ ‘ -f4 | cut -d ‘/’ -f 2`
OUTDATA=`cat /proc/loadavg | cut -d ‘ ‘ -f4 | cut -d ‘/’ -f 1`
fi

if [ "$TYPE" = "network" ]; then
LINE=`cat /proc/net/dev | grep $PARAM | sed s/$PARAM://`
INDATA=`echo $LINE | awk ‘{print $1}’ `
OUTDATA=`echo $LINE | awk ‘{print $9}’ `
fi

if [ "$TYPE" = "uptime" ]; then
INDATA=`cat /proc/uptime | cut -d ‘ ‘ -f1`
OUTDATA=`cat /proc/uptime | cut -d ‘ ‘ -f2`
fi

if [ "$TYPE" = "tcp" ]; then
INDATA=`netstat -an | grep -c ESTABLISHED`
OUTDATA=$INDATA
fi

if [ "$TYPE" = "memory" ]; then
INDATA=`free -bt | grep buffers\/cache | awk ‘{print $3}’`
OUTDATA=`free -bt | grep buffers\/cache | awk ‘{print $4}’`
fi

echo $INDATA
echo $OUTDATA
echo `uptime | cut -d”,” -f1,2`
echo $TYPE

###End of system script####

(3.) Save the script and exit from your editor.

The mrtg.cfg file

Next we will create the configuration file called mrtg.cfg

(1.) Create the necessary Apache and MRTG directories

mkdir -p /usr/local/mrtg-2/system/

mkdir -p /usr/local/httpd/htdocs/mrtg/status

(2.) vi /usr/local/mrtg-2/system/mrtg.cfg

#Copy and paste the following:

WorkDir: /usr/local/httpd/htdocs/mrtg/status

#RunAsDaemon:Yes

Interval:5

Options[_]: nopercent,growright,noinfo,gauge

MaxBytes[_]: 125000000

Xsize[_]: 600
Ysize[_]: 200
Ytics[_]: 10

###############################################################################
#
# HTML formatting stuff
#
###############################################################################

PageTop[^]:

Network

- Traffic
- Open Connections

System Stats

- Load Averages
- Swap Memory
- Processes
- Uptime and Idle Time
- CPU
- Memory Usage

PageFoot[^]:

AddHead[^]:

###############################################################################
#
# Stats
#
###############################################################################
#—————————-
# Network
#—————————-
Target[index]: `/usr/local/mrtg-2/scripts/system network eth0`
Options[index]: nopercent, noinfo
Title[index]: Traffic Analysis for eth0
PageTop[index]:

Traffic Analysis for eth0

#—————————-
# TCP Connections
#—————————-
Target[tcp]: `/usr/local/mrtg-2/scripts/system tcp`
Title[tcp]: Established TCP Connections
PageTop[tcp]:

Established TCP Connections

YLegend[tcp]: Connections
ShortLegend[tcp]:
LegendI[tcp]:
LegendO[tcp]: Established

#—————————-
# Load
#—————————-

Target[load]: `/usr/local/mrtg-2/scripts/system load`
Options[load]: gauge, nopercent, noinfo
MaxBytes[load]: 3000

Title[load]: Load Averages
PageTop[load]:

Load Averages

YLegend[load]: Load (10E-2)
ShortLegend[load]: (10E-2)
LegendI[load]: 5-minute stagger
LegendO[load]: 15-mintute stagger
Legend1[load]: Load Average over last 5 minutes
Legend2[load]: Load Average over last 15 minutes
Legend3[load]: Average over last 5 minutes
Legend4[load]: Average over last 15 minutes

#—————————-
# Swap
#—————————-

Target[swap]: `/usr/local/mrtg-2/scripts/system swap`

Title[swap]: Swap Memory Usage

PageTop[swap]:

Swap Memory Usage

YLegend[swap]: Swap Usage

ShortLegend[swap]:

LegendI[swap]:

LegendO[swap]: Used

#—————————-
# Processes
#—————————-

Target[processes]: `/usr/local/mrtg-2/scripts/system processes`
Title[processes]: Processes
PageTop[processes]:

Processes

YLegend[processes]: Processes
ShortLegend[processes]:
LegendI[processes]: Total
LegendO[processes]: Running

#—————————-
# Uptime
#—————————-

Target[uptime]: `/usr/local/mrtg-2/scripts/system uptime`

Title[uptime]: Uptime and Idle Time

PageTop[uptime]:

Uptime and Idle Time

YLegend[uptime]: Uptime (sec)

ShortLegend[uptime]:

LegendI[uptime]: Total Uptime

LegendO[uptime]: Idle Time

#—————————-
# CPU
#—————————-

Target[cpu]: `/usr/bin/awk ‘/cpu /{print $2+$3; print $2+$3+$4; print “quite some time”; print “domain.com”}’

Title[cpu]: CPU Usage

PageTop[cpu]:

CPU Usage

MaxBytes[cpu]: 100

Options[cpu]: nopercent,growright,noinfo,bits

LegendI[cpu]: user:

LegendO[cpu]: total:

Ylegend[cpu]: %CPU

ShortLegend[cpu]: %CPU

Legend1[cpu]: Time spent in user mode

Legend2[cpu]: Time spent in user mode + time spent in system mode

Legend3[cpu]: Maximum occurance of time spent in user mode

Legend4[cpu]: Maximum occurance of (time spent in user mode + time spent in system mode)

#—————————-
# Memory
#—————————-

Target[memory]: `/usr/local/mrtg-2/scripts/system memory`
Options[memory]: gauge, noinfo
MaxBytes[memory]: 665536000

Title[memory]: Memory Utilization
PageTop[memory]:

Memory Utilization

YLegend[memory]: Bytes
ShortLegend[memory]: B
LegendI[memory]: Used:
LegendO[memory]: Buffers + Cache:
Legend1[memory]: Free real memory
Legend2[memory]: Free swap memory
Legend3[memory]: Maximal 5 Minute Memory In Use
Legend4[memory]: Maximal 5 Minute Active Memory

(3.) Save the file and exit.

Run the MRTG tool to generate your graphs

Next we need to run mrtg using the above configuration file to generate our graphs.

(1.) Run the command below three (3) times.

env LANG=C /usr/local/mrtg-2/bin/mrtg /usr/local/mrtg-2/system/mrtg.cfg

(2.) We will need to generate the MRTG graphs automatically every 5 minutes, so we have to add an entry in the cron table.

vi /etc/crontab

#Copy and paste the following

*/5 * * * * root env LANG=C /usr/local/mrtg-2/bin/mrtg /usr/local/mrtg-2/system/mrtg.cfg 2>&1 /dev/null

Well that’s it! Fire your web browser and enter something like the following in your URL:

localhost/mrtg/status

192.168.0.1/mrtg/status

Your graphs will be generate every 5 minutes and will look something like the following after sometime.

Well we will move on to more advanced topics like monitoring Cisco routers and switches, Squid, Apache, Bind, Qmail, IPTABLES using SNMP and shell/perl scripts in our next series of articles covering MRTG. Till then, enjoy your server monitoring with MRTG!

Effective User management under Linux/Unix

teklimbu — Sun, 20 Jan 2008 17:52:56 +0000

In this article, we look into the topic of managing our users on our local Linux/Unix box. As we know it, Linux/Unix is a multiuser environment, therefore, one of the main tasks of a system administrator is to create user accounts and provide a secure environment for users to do their work in.

Adding and removing users is still one of the most important task of a system administrator. Therefore, we as system administrators need a good understanding of how the Linux/Unix accounting system works in order to provide good network services to our users and clients.

Good account management is also the key determinant to system security. Infrequently used accounts are prime targets for crackers. So are accounts with weak passwords.

Adding new users to your system involves a lot of processes running in the background. Several databases are updated, a local mail directory is created. So is the user’s home directory. You supply some deal of information including a username and password.

The /ETC/PASSWD FILE

Below is a listing of some contents inside the /etc/passwd file.

11:42:43 tek@gw-tek-sp:~$ cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
tek:x:506:506: Tek Limbu:/home/tek:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin

The /etc/passwd file contains a list of users recognized by the system. The system consults this file at login time to determine a user’s UID and to verify the user’s password. Each line in the file represents one user and contains seven (7) fields separated by colons:

Login name
Encrypted password (unless a shadow password file is used)
UID number
Default GID number
“Various” information, full name, phone number, etc
Home directory
Login shell

As computing processing power has become faster, it has become very dangerous to leave encrypted password in a world readable plain text file. For this reason, most Linux/Unix distributions allows us to hide the encrypted passwords by placing them in a separate file which is not world-readable. The file is called the shadow file and can be found in /etc/shadow.

19:03:55 root@gw-tek-sp:~$ ls -l /etc/shadow

-r——– 1 root root 1981 Jan 8 22:55 /etc/shadow

If we look at the /etc/shadow file with the ls -l command, we see that it’s has a very restricted set of permissions. Only the SUPERUSER or root has permissions to access it and even for the root user, those are read-only permissions. Other users can’t even touch or see the file!

(1.) Login name

The 1st field on the /etc/passwd file consists of the login name. As shown below, the 1st field represents the user called “tek“.

tek:x:506:506: Tek Limbu:/home/tek:/bin/bash

Also known as usernames, login names must be unique and no more than 32 characters in length. But who needs a login name more than 32 characters long!
With the exception of the “colons” and “newlines”, they may contain any other characters. Very old versions of UNIX limit the permissible characters in a username to be only of 8 characters in length. But these are getting very rare these days.

(2.) Encrypted password

The 2nd field in the /etc/passwd file consists of our username’s password in an encrypted form. But these days, on newer systems, the encrypted password is not kept on this world-readable file any longer due to security reasons. Therefore, they are kept in the /etc/shadow file who has a very restrictive permission set and is not world-readable.

Let’s look at the example shown below:

tek:x:506:506: Tek Limbu:/home/tek:/bin/bash

As you can see, there is an “x” representing the encrypted password. Why? That’s because this system is using the more secure /etc/shadow file to store encrypted passwords.

Password encryption are based either on the DES or MD5 secure hashing algorithm. DES, the Data Encryption Standard is a cipher which is an algorithm for performing encryption and decryption.

The operation of a cipher usually depends on a piece of auxiliary information, called a key. This key is a piece of information that controls the operation of a cryptographic algorithm.

DES was created in 1976, and is consisted of 56-bit keys which has since been subsequently enjoyed widespread use internationally.

DES is now considered to be insecure for many applications which is mainly due to it’s 56-bit key size being too small. Today’s processing power can easily decrypt a DES encrypted password. One major disadvantage of using DES encryption is that it limits the password length to be just 8 characters in length! Even though your password may consist of 15 characters, only the first 8 characters are significant with the remaining characters being ignored silently.

Luckily, almost all major Linux/Unix distributions these days deploy the MD5 secure hashing algorithm with a 128-bit hash value. Hence MD5 are much secure in comparison to DES. This is primarily due to MD5’s larger 128-bit hash length. However, even MD5 have their own disadvantages!

If you are really paranoid about password security and encryption, I recommend you to read about the Blowfish hash algorithm or Advanced Encryption Standard (AES).

(3.) UID number

The user ID (or UID) is a unique number that differentiates a user from any other user on a given system. This is the 3rd field represented in /etc/passwd file. Users need to have a way to identify themselves for the purposes of accounting, security, logging and resource management on a system. Therefore, every user on the system must have a User ID (UID).

Let’s look again at the example for the username “tek” as shown below:

tek:x:506:506: Tek Limbu:/home/tek:/bin/bash

As can be seen above, the Username “tek” has a UID of 506 and a Group ID (GID) of 506. We will discuss the GID in more detail in the next section.

The UID and GID are often automatically assigned in sequence by the account creation program. So, the user added after “tek” would have a UID of 507. Some Linux distributions assign all users to a specific group called “user”. Others, like Red Hat or Centos, typically assign users to their own unique group, which means the UID and GID are usually identical.

The range of values for a UID varies amongst different systems; at the very least, a UID can be between 0 and 65535, with some restrictions:

The Superuser must always have a UID of zero (0).
The user “nobody” was traditionally assigned the largest possible UID (as the opposite of the Superuser). More recently, the user is assigned a UID in the system range (1–100, see below) or between 65530–65535.
UIDs from 1 to 100 are otherwise reserved for system use by convention; some manuals recommend that UIDs from 101 to 499 (RedHat) , 501 to 600 (Centos) or even 999 (Debian) be reserved as well.

The UID value references users in the /etc/passwd file. Shadow password files and Network Information Service (NIS) also refer to numeric UIDs. The user identifier is a necessary component of Unix file systems and processes. Some operating systems might have support for 16-bit UIDs, making 65536 unique IDs possible, though a modern system with 32-bit UIDs will potentially make 4,294,967,296 distinct values available.

(4.) Default GID number

The 4th field called the group identifier, often abbreviated to GID, is a numeric value used to represent a specific group. The range of values for a GID varies amongst different systems; at the very least, a GID can be between 0 and 65535, with one restriction: the login group for the Superuser must have GID 0.

This numeric value is used to refer to groups in the /etc/passwd and /etc/group files or their equivalents. Shadow password files and Network Information Service (NIS) also refer to numeric GIDs. The group identifier is a necessary component of Linux/Unix file systems and processes.

The limits on the range of possible group identifiers come from the memory space used to store them. Originally, a signed 16-bit integer was used. Realizing that sign was not necessary—negative numbers don’t make valid group IDs—an unsigned integer was used instead, allowing group IDs between 0 and 65535. Modern operating systems usually use unsigned 32-bit integers, which allow for group IDs between 0 and 4294967295.

The switch from 16 to 32 bits was originally not necessary—one machine or even one network did not serve more than 65536 users at the time—but was made to eliminate the need to do so in the future, when it would be more difficult to implement. Remember the history of IPv4 where we thought that 4 billion IP addresses would have been enough? Well that was not the case, so the Internet world is heavily developing on IPv6.

As mentioned on this article, Linux/Unix is a multiple user operating system. Every time a new user is created, a UID for this user is created. In addition, a Group ID (GID), for this user is also created.

Therefore, in a system having multiple users, these users can be categorized into groups. In case you may not know, conventional Linux/Unix file system permissions are organized into three classes, user, group, and others.

(5.) “GECOS” information, full name, phone number, etc

The 5th field is commonly used to store personal information about each user in the system. It does not have a well defined syntax. Interestingly, this field is also known as GECOS. According to the authors of www.admin.com, the GECOS field originally held the login information needed to transfer batch jobs from UNIX systems at Bell Labs to a mainframe running GECOS (the General Electric Comprehensive Operating System)!

We can use any methods for storing user’s data on this field but the program called finger interprets comma-separated GECOS entries in the following order:

Full Name (Often the only field used)
Office number and building
Office telephone extension
Home phone number

If I run the finger program for username “tek”, I get the following information:

23:40:39 tek@gw-tek-sp:~$ finger tek

Login: tek Name: Tek Limbu
Directory: /home/tek Shell: /bin/bash
On since Thu Jan 17 23:38 (NPT) on pts/0 from 192.168.6.10
No mail.
No Plan.

If users of the system wants to change their GECOS information, they can use the command called chfn. Let’s take an example as shown below:

23:40:49 tek@gw-tek-sp:~$ chfn tek

Changing finger information for tek.
Password:
Name [Tek Limbu]: Tek Bahadur Limbu
Office []: Wlink HQ
Office Phone []: 977-1-5555555
Home Phone []: 977-1-4444444

Finger information changed.

As can be seen above, we have changed and added new entries. Now if I run the finger program for username tek, I get the following:

23:45:25 tek@gw-tek-sp:~$ finger tek

Login: tek Name: Tek Bahadur Limbu
Directory: /home/tek Shell: /bin/bash
Office: Wlink HQ, 977-1-5555555 Home Phone: 977-1-4444444
On since Thu Jan 17 23:38 (NPT) on pts/0 from 192.168.6.10
No mail.
No Plan.

But it can sometimes be a nuisance for system administrators if users keep on changing their GECOS information containing some weird words on a daily basis! So in the best interest of everybody, it is often useful to disable this chfn command completely from the system.

23:49:48 root@gw-tek-sp:~$ chmod a-x /usr/bin/chfn

This way, users on your system won’t be able to update their information any longer! Well it is up to the system administrator to decide if they want to disable the chfn command.

(6.) Home directory

Normal users usually get a home directory when their accounts get created. User’s shells are cd‘d to their home directories when they log in to the system. If a user’s home directory is missing at login time for some reasons, the system will print a message something like the one below:

warning: cannot change directory to : No such file or directory

Linux/Unix systems generally allow the login to proceed and put the user in the root directory (/root).

(7.) Login shell

The login shell is usually a command interpreter such as the Bourne Shell (Bash) or the C shell (/bin/csh or /bin/sh). The Bash shell is the default shell used in Linux if /etc/passwd does not specify any specific login shell. But on FreeBSD or Solaris systems, the default shell is usually the C shell (/bin/csh).

On Linux systems, the C shell (/bin/sh) is a actually just a symbolic link to the Bash shell (/bin/bash).

For a complete list of shells available on your system, check out the file /etc/shells.

For example, it might look something like the following:

00:27:37 root@gw-tek-sp:~$ cat /etc/shells

/bin/sh
/bin/bash
/sbin/nologin
/bin/ash
/bin/bsh
/bin/ksh
/usr/bin/ksh
/usr/bin/pdksh
/bin/tcsh
/bin/csh
/bin/zsh

The /ETC/SHADOW FILE

As said on the preceding paragraphs, the primarily use of the /etc/shadow file is for security reasons. This fact is due to the shadow file being readable only by the SUPERUSER and simply can’t be accessed in any way by normal users.

When shadow passwords are in use, the password field in the /etc/passwd file is represented by or contains the character “x“. We should maintain both the shadow and passwd files simultaneously. However, thanks to tools like “useradd”, it is possible to maintain both of them using a single tool.

A sample entry from an /etc/shadow file may look something like the following:

tek:$1$xXiCmk/P$3oTnfjo1ZtCOtxy1jcSTD/:13156:0:99999:7:::

One thing to note is that the shadow file is not a superset of the passwd file. One should use a tool such as useradd which will maintain both files for you automatically. Similar to the /etc/passwd file where each line contains seven (7) fields, each line in the /etc/shadow file contains nine (9) fields.

Each line in the shadow file are separated by colons in the following way:

Login name
Encrypted password
Date of last password change
Minimum days between password changes
Maximum days between password changes
Number of days to warn users before password expiration
Number of days after password expiration that the account is disabled
Account expiration date
A reserved unused field

The /etc/group File

In a similar way as there is an /etc/passwd file, there is an /etc/group file. This is the file which lists all the available groups on your system.

Looking at the line for user “tek” in /etc/passwd will reveal:

tek:x:506:506: Tek Limbu:/home/tek:/bin/bash

Here, we see the username “tek” has a Group ID (GID) of 506. If we look at the contents of the file /etc/group, we might see something like the following:

wheel:x:10:root,tek
staff:x:23:tek,emi,john,anuj,sony
squid:x:24:tek,john,anuj
tek:x:506:

Each line represents one group and contains four fields:

Group name
Encrypted password (rarely used!)
GID number
List of members

We see from the above information that the user “tek” has an individual GID of 506. Additionally, the user also belongs to the groups called “wheel”, “staff” and “squid”.

One use for groups is with project or departmental teams who may require access to the same set of materials, such as project guidelines, data, and documents. Creating either a separate partition or a section in the main file system for all of these team files to reside on reduces the need for excessive use of symbolic links between user directories. Set the permissions appropriately such that group members can enter and work.

Another nice use for groups is to even use them to restrict access. If you have a set of people who just simply should not have access to a specific file or directory, then you can put them into a group and then deny access to that group for the file or directory while giving access to the owner and to the rest of the ‘world’.

Let’s look at an example. Suppose we have a Squid proxy server. Suppose it’s main configuration and bin files reside in the directory called /etc/squid.

Now let’s change the permission of the of the directory /etc/squid to user squid and group squid.

16:05:20 root@gw-tek-sp:~$ chown -R squid:squid /etc/squid/

16:05:22 root@gw-tek-sp:~$ cd /etc/squid

16:13:28 root@gw-tek-sp:/etc/squid$ chmod u=rwx,g=rwx,o= *

What the above commands do is that it will allow the user squid and any other users belonging to group squid to read,write, and execute the contents of the directory /etc/squid/. However, every other users and groups will be denied permission to the directory /etc/squid/.

How do we exactly add users in our Linux/Unix machine?

ADDING USERS

Technically speaking, the process of adding users on your system consists of the following steps:

Edit the /etc/passwd and /etc/shadow files to define the user’s account
Set an initial password for the new user
Create, chown, and chmod the user’s home directory

The command called useradd can automate this process for you to some extent. However, for the purposes of practice and demonstration, we will add a user called “john” manually executing one step at a time.

Editing the passwd and shadow files

To safely edit the /etc/passwd file, we use the universal command called vipw to invoke our choice of text editor (probably vi) on a copy of the file. The existence of the temporary edit file serves as a lock; vipw allows only one person to edit the /etc/passwd file at a time, and thus prevents users from changing their passwords while the /etc/passwd file is being edited.

When the text editor terminates the editing work on the /etc/passwd file, vipw replaces the original passwd file with your edited copy.

Now moving on to the example of adding a user called “john”, we invoke the vipw command as user root.

18:26:24 root@gw-tek-sp:# vipw

Then we will add the following entry to the /etc/passwd file:

john:x:525:10:John Shrestha, Sys Dep, 555:/home/john:/bin/bash

We then adding a matching entry to /etc/shadow by running the following command:

18:35:03 root@gw-tek-sp:~$ vipw -s

john:*::::::::

This will cause the user john not to have current entry for an encrypted password and sets the account to never expire.

Setting an initial password for user john

The above commands and entries will not generate a password for the user john. However the user root can change and reset any user’s password with the passwd command as shown below:

19:36:02 root@gw-tek-sp:~$ passwd john

Changing password for user john.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

By the way, never leave a new account or any account that has access to a shell –without a password.

Creating the user’s home directory

After setting an initial password and adding the relevant entries for user john in /etc/passwd and /etc/shadow, we move on to create john’s home directory.

19:53:23 root@gw-tek-sp:~$ mkdir /home/john
19:53:29 root@gw-tek-sp:~$ cp /etc/skel/.[a-zA-Z]* /home/john/
19:53:31 root@gw-tek-sp:~$ chown john /home/john/
19:53:37 root@gw-tek-sp:~$ chgrp wheel /home/john/
19:53:43 root@gw-tek-sp:~$ chmod 700 /home/john/

We then copy the default start-up files and scripts from the /etc/skel/ directory to the directory /home/john/

The reason why we are using the chown and chgrp commands is to set john’s home directory to user john and group wheel is because any directories created by user root will initially be own by root.

chmod 700 will cause john’s home directory be to accessible, readable and executable only by user john. Even the group members won’t have be able to access john’s home directory and the files residing beneath john’s home directory.

Copying in the default startup files and scripts

We can customize some commands and utilities by placing configuration files in a newly created user’s home directory. Most of these files begins with a initial dot (.) to elide these files.

The table below summarizes the widely used startup files for both Linux and Unix.

The useradd command is normally the one you will use to create new users on your system. It will automatically create the relevant entries in /etc/passwd and /etc/shadow files.

The syntax for the useradd command is illustrated below:

useradd -d home_directory -e expire_date -g initial_group -p password login_name

Therefore, to create a new user called “john” , put him in groups wheel and staff and set his account to expire on 25-Dec-2008, we would use the following command:

useradd -d /home/john -e 2008-12-25 -g wheel -G staff -m -s /bin/bash john

The -m option specifies that if the home directory does not exist, it will be created and so will the files and directories contained in /etc/skel be copied to the /home/john directory. The -s parameter will assign the type of shell to the user. In this case, user john will be given the bash shell.

Since the useradd program will also take files from the directory called /etc/skel and copy these to the newly user’s home directory, therefore, any files that should be given to a new user – such as login files to set up environment variables – should be set up in that directory.

You might want to customize your common startup scripts for new users under the directory /etc/skel/

REMOVING USERS

Disabling a user’s account is simply a matter of editing the file /etc/passwd and removing the relevant user’s entry!

The user will no longer be able to log in at all and will not be recognized as an existing user account. To fully remove the user from the system, we also have to remove the user from the /etc/shadow and /etc/group files. We then proceed to remove the user’s home, mail, and spool directories.

However, for clarity and simplicity, we use the universal command called userdel to remove existing users from the system.

13:26:46 root@gw-tek-sp:$ userdel -r john

The above example removes the user called john from the system. It removes john’s entry from the /etc/passwd and /etc/shadow files.

The “-r” parameters removes the user’s home directory and any sub-directories and files beneath john’s home directory.

However, even after this, there may still be other files in the system that belong to the phantom UID once known as user john, such as e-mail in /var/mail or temporary files in /tmp. The userdel command won’t remove these or look for them. We have to manually locate these files and inspect them and decide if we want to keep or delete them.

DISABLING LOGINS

On some occasions, a user’s login must be temporarily disabled for various reasons. If your system is the only system on the network where users are allowed to login, then it is simply a matter of putting a star (*) in the encrypted password fields of the /etc/passwd and /etc/shadow files.

However if your server is centralized across the network, then users may still be able to login even if you have disabled the user from your system’s /etc/passwd and /etc/shadow files!

So the best possible way to temporarily disable a user from your system is to replace the user’s shell with a /sbin/nologin shell or with a shell script which prints a message stating why the login has been disabled.

MODIFYING USER ACCOUNTS

We can modify existing users information either by manually editing the /etc/passwd and /etc/shadow files or we can use the in-built tool called usermod.

Suppose we want to modify user john’s home directory from /home/john to /home/newjohn, add john to the groups student and sysadm, we would issue the following command:

# usermod -d /home/newjohn -g student -G sysadm john

The example above modifies john’s home to a new directory called /home/newjohn and adds john to both the student and sysadm groups.

Well that’s it! I hope this article has given you enough hindsights to manage your local users of your system in an effective way. We will dive and discuss into advanced user management using the Network Information Service (NIS) or Open LDAP for a centralized login and access control system in the future.

Till then, happy user management on your Linux/Unix system!

System integrity using Files, Permissions, Processes, Root and Sudo

teklimbu — Sun, 06 Jan 2008 11:07:48 +0000

To be a good in system administration, we have to understand the basics of files, processes and permissions of our Linux/Unix hosts. Therefore, in this article, we will cover the basic stuffs regarding files, processes, permissions, the SUPERUSER “root” account and the sudo program.

Every file and process on a Linux/Unix system is owned by a particular user account. Every file has both an owner and a group owner. What this means is that the owner of the file enjoys one special property that is not shared with everyone on the system. This property is the ability to modify the permissions of the file.

Other users on the system can’t access files belonging to others without the owner’s permission, so this restriction helps protect a user’s files against “malicious” users!

Please note that all credits for this article goes to the authors of the book called “LINUX ADMINISTRATION HANDBOOK”. I recommend this book for all levels of system administrators. It can be accessed from the site http://www.admin.com

Having said that, although the owner of a file can always be a single person, many people can be group owners of the file if they are all part of a single Linux/Unix group. Groups are defined in the /etc/group file.

Ownerships of a file can be shown with the ls -l filename command as shown below:

-bash-3.00$ ls -l /export/home/tek/records
-rw-r–r– 1 tek wheel 869 Jan 4 14:43 /export/home/tek/records

As seen above, the file named records is owned by the user “tek” and the group “wheel”.

Linux/Unix in reality keeps track of owners and groups represented by numbers rather than as text names. User identification numbers (UIDs) are mapped to user names in the /etc/passwd file and Group identification numbers (GIDs) are mapped to group names in the /etc/group file.

The text names that corresponds to UIDs and GIDs are designed only for the convenience of the system’s human users! Next time a command such as ls are issued which displays ownership information, then the files /etc/passwd and /etc/group are queried.

Processes

A process is the term used by Linux/Unix to represent a running program through which the running program’s use of memory, processor time, and I/O resources can be managed.

Unlike files, processes have not two but four identities associated with them. They are a real and effective UID and a real and effective GID. The “real” numbers are used for accounting purposes, and the “effective” numbers are used for the determination of access permissions.

Superuser or root privilege UID (SUID) is always equal to 0 (zero).

For example, the Real UID (RUID) is the UID of the process that created the process itself. It can be changed only if the running process has Effective UserID (EUID)=0.

The effective UID (EUID) is used to evaluate privileges of the process to perform a particular action. EUID can be changed either to Real UserID (RUID), or SUID if EUID is not equal to 0. If EUID=0, it can be changed to anything.

Most of the time, the real and effective numbers are the same.

The owner of a process can send the process signals such as kill and can also reduce the process scheduling priority.

Under normal circumstances, it is not possible for a process to change it’s 4 ownership credentials. There is a special situation in which the effective user (EUID) and group ID (EGID) can and needs to be changed.

When a command which has the “setuid” or “setgid” permissions is executed, the effective UID (EUID) or GID (EGID) of the resulting process can be set to the UID or GID of the file containing the program image rather than the UID or GID of the user executing the command.

For example, let us look at the program called “passwd“.

-bash-3.00$ ls -l /usr/bin/passwd
-r-sr-sr-x 1 root sys 22620 Jan 23 2005 /usr/bin/passwd

As you know it, passwd is the command used for changing the passwords for a given user in a Linux/Unix environment.

As can be seen above, the UID and GID permissions are set to root and sys respectively. How is it possible for a normal user to run this program then? Well that’s what we called the “setuid” or “setgid” permissions!

The normal user’s privileges are thus “promoted” for the execution of that specific command only. Hence Linux/Unix’s setuid facility allows programs run by normal users to make use of the root account in a very limited way.

As in the passwd command example below, we can see the “setuid” permissions in action:

-bash-3.00$ /usr/bin/passwd tek
Enter existing login password:
New Password:
Re-enter new Password:
passwd: password successfully changed for tek

Here we see the passwd command that users run to change their login password is a setuid program. The program passwd modifies the /etc/passwd file in a very well-defined way and then terminates. To prevent abuse, the passwd program requires the users to prove that they know the current password before it agrees to make the requested password change. Nice security!

ROOT: The SUPERUSER

What exactly is the root account? Why does it has a very special place in Linux/Unix systems? Well the main defining characteristic property of the root account is that it’s UID is set to 0 (zero).

Linux/Unix systems permit the superuser (that is root) to perform any valid operation on any file or process. In addition, some process issuing system calls or requests directly to the kernel can only be executed by the superuser.

Below are some restricted operations which can only be performed by the superuser (root):

Creating device files
Setting the system’s hostname
Configuring network interfaces
Setting the system clock
Raising resource usage limits and process priorities
Shutting down the system

An example of superuser powers is the ability of a process owned by root to change it’s UID and GID. The login program and it’s window system equivalents like GDM and KDM are a case in point.

The login program that prompts you for your username and password when you log in to the system initially runs as root. If the username and password matches, the login program changes it’s UID and GID to your UID and GID and starts up your user environment. Once a root process has changed it’s ownerships to become a normal user process, it can never recover it’s former privileged state!

Therefore, it is extremely important for any system administrator to choose a very complex and secure password for the root user! I recommend a minimum of 8 characters with a mixture of Capital letters and numerical numbers! A warning has to be issued here, which is not to make the root’s password so complicated that you can’t remember it!

For remote administration, we obviously use the program called the Secure Shell (SSH) to manage our servers. For that matter, it is advisable to disable direct root access via SSH. To disable SSH to root user and set other security restrictions, at least enable/disable it’s parameters as shown below:

vi /etc/ssh/sshd_config

###Recommended values###

# Listen port (Default is 22, but change is to a higher port above 1025!)
Port 2012

# Only v2 (recommended)
Protocol 2

# Port forwarding
AllowTcpForwarding no

# X11 tunneling options
X11Forwarding no

# Ensure secure permissions on users .ssh directory.
StrictModes yes

# Default is 600 seconds. 0 means no time limit.
LoginGraceTime 120

# Maximum number of retries for authentication
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
MaxAuthTries 4
MaxAuthTriesLog 3

PermitEmptyPasswords no

PermitRootLogin no
###End of sshd_config###

BECOMING ROOT

A better way to access the root account is to use the su command. If invoked without any arguments, su will prompt for the root password and then start up a root shell. The privileges of this shell remain in effect until the shell terminates (Ctrl+D or the exit command).

su does not record the commands executed as root, but it does create a log entry that states who became root and when.

So we have to extra careful as to whom to give root’s password! It is also a good idea to get in the habit of typing the full pathname to the su command rather than relying on the shell to find the command for you!

-bash-3.00$ whereis su
su: /sbin/su /sbin/su.static /usr/bin/su /usr/man/man1m/su.1m

Note: The exact location of the su command may differ from one system to another.

Next time you want to become root, simply type:

/usr/bin/su -

This will give you some protection against programs called su that may have been slipped into your search path with the intention of retrieving passwords.

sudo: a limited su

Since the privileges of the superuser account cannot be subdivided, it is hard to give someone the ability to do one task (backups) without giving that person the root privileges of the root account. Also if the SUPERUSER account is used by several administrators, you will have only a vague idea of who’s using it and doing what?

These types of problems can be resolved to some extent by a program called “sudo“. It is available in Debian, RedHat, SuSE, FreeBSD packages among other distributions.

For installation in Debian, it’s as simple as: apt-get install sudo

For Fedora and Centos, it’s: yum install sudo

For FreeBSD, you just make install in /usr/ports/security/sudo

sudo takes as it’s argument a command line to be executed as root (or as another restricted user). sudo consults the file /etc/sudoers, which lists the people who are authorized to use sudo and the commands they are allowed to run on the system.

If the proposed command is permitted for the user, sudo prompts the user’s own password and executes the command.

For example, suppose we have a normal user called “john” belonging to the “wheel” group. Under normal circumstances, user “john” can’t run the tcpdump command.

To give our normal user “john” the limited sudo access to the tcpdump command, we add the following entry in /etc/sudoers file.

(1.) vi /etc/sudoers

#Add the following

john, %wheel ALL= /sbin/, /usr/sbin, /usr/sbin/tcpdump

(2.) Save and exit.

If user “john” were to run the tcpdump command without sudo, it would resemble as:

john@localhost:~$ /usr/sbin/tcpdump
tcpdump: no suitable device found

But for user “john” to run the tcpdump command, he simply types the following sudo command:

john@localhost:~$ sudo /usr/sbin/tcpdump

Password:

Running tcpdump using sudo

Hence in this way, we can give a normal user some privilege to run a command to which only a superuser is allowed to.

Please note that I have touched only the tip of the sudo program. However below is a summary of what you can achieve using sudo:

Accountability is much improved because of command logging
Operators can do chores without unlimited root privileges
The real root password can only be known to one or few users
Privileges can be revoked without the need to change the root password
A single file /etc/sudoers can be used to control access for an entire network.

Linux/Unix Filesystem

In the Linux/Unix world, almost everything is represented by the file system. Processes, Serial ports, devices, you name it, is represented and managed via the file system.

In a nutshell, the filesystem can be summarized as:

A namespace – a way of naming things and organizing them in a hierarchy
An API – a set of system calls for navigating and manipulating objects
A security model – a scheme for protecting, hiding, and sharing things
An implementation – software that ties the logical model to actual hardware

The filesystem is presented as a single unified hierarchy that starts at the directory / and continues downward through an arbitrary number of subdirectories. / is also called the root directory.

The list of directories that must be traversed to locate a particular file, together with it’s filename, form a “pathname”. Pathnames can be either absolute (/tmp/foo) or relative (mydocs/chap4) . Relative pathnames are interpreted starting at the current directory.

The terms file, filename, pathname, and path are more or less interchangeable. Filename and path can be used for both absolute and relative paths; pathnames generally suggests an absolute path.

The filesystem can be arbitrarily deep. However, each component of a pathname must have a name no more than 255 characters long, and a single path may not contain more than 4095 characters. To access a file with a pathname longer than 4095 characters, you must cd to an intermediate directory and use relative pathname.

There are no restrictions on the naming of files and directories, except that the names are limited in length and must not contain the “/” character or nulls. Spaces are permitted but because of UNIX’s long tradition of separating command-line arguments at whitespace, legacy software tends to break when spaces appear within filenames. However, these cases are very rare nowadays.

In shell and in scripts, spaceful filenames just need to be quoted to keep their pieces together. For example, the command:

-bash-3.00$ more “My very long file.txt”

would preserve My very long file.txt as a single argument to more command.

Below is a graphical summary representing the Linux/Unix File System:

MOUNTING AND UNMOUNTING FILESYSTEMS

As seen on the diagram above, the filesystem is composed of smaller chunks – also called filesystems- each of which consists of one directory and it’s subdirectories and files. For clarity, we use the term “file tree” to refer to the overall layout of the filesystem and reserve the word “filesystem” for the chunks attached to the tree!

Most filesystems are disk partitions but they can be anything that obeys the proper API: network file servers, kernel components, memory-based disk emulators, etc.

Filesystems are attached to the tree with the mount command. mount maps a directory within the existing file tree, called the mount point, to the root of the newly attached filesystem.

For example on a Linux host,

root@localhost# mount /dev/hda4 /mbox

The above command will install the filesystem stored on the disk partition represented by /dev/hda4 under the path /mbox. You can then use command “ls /mbox” to see that filesystem’s contents.

On a Solaris host:

# mount /dev/dsk/c2d0s6 /mbox

The above command will mount a secondary hard drive represented by /dev/dsk/c2d0s6 to the path /mbox in Solaris.

A list of the filesystems that are mounted on a particular system is kept in the /etc/fstab file in Linux/FreeBSD machines. On a Solaris machines, it is kept in the /etc/vfstab file.

The information contained in this file allows filesystems to be checked (fsck -A) and mounted (mount -a) automatically at boot time. It also serves as documentation for the layout of the filesystems on disk and enables short commands such as mount /var for which the location of the filesystem to mount is looked up in /etc/fstab or /etc/vfstab.

Filesystems are detached with the umount command. You cannot unmount a filesystem that is “busy” or in use! There must not be any open files or processes whose current directories are located on that filesystem, and if the filesystem contains executable programs, they cannot be running!

When you are trying to umount a filesystem and the kernel complains that the filesystem is busy, you can run fuser to find out why.

For example, running the df -h command below shows:

df -h command

Viewing the contents of /etc/fstab:

Linux /etc/fstab

If we try to umount /usr :

umount /usr showing as busy!

Running fuser -mv /usr:

“fuser -mv” command showing why /usr can’t be unmounted

File Types and Permissions

Linux/Unix defines seven (7) types of files. They are defined as follows:

Regular files
Directories
Character device files
Block device files
Local domain sockets
Named pipes (FIFOs)
Symbolic links

We can determine the type of an existing file with the ls -ld command. The first (1st) character of the ls output encodes the type of file.

For example,

# ls -ld /etc/ssh

drwxr-xr-x 2 root sys 512 Nov 21 14:28 /etc/ssh

Remembering that the 1st character determines the type of file, the table below are the codes representing various types of files:

As can be seen from the table above, rm is the universal tool for deleting files you don’t want anymore!

A word of caution: Use rm very carefully. You could mistakenly remove a very important file such needed by your system. If that happens, your system might not boot anymore!

If in doubt, always use the -i option with the rm command.

For example,

# rm -i /etc/rmmount.conf
rm: remove /etc/rmmount.conf (yes/no)?

(1.) Regular files

A regular file is just a file containing certain amount of bytes! Linux/Unix imposes no structure on its contents. Text files, data files, executable programs like gcc, shared libraries are all stored as regular files.

(2.) Directories

A directory contains named references to other files. You can create directories with the mkdir command and delete them with the rmdir command if they are empty. If the directory is not empty, you are wipe it with the rm -r command.

For example, let’s list the contents of the /etc/ssh

# ls -al /etc/ssh

total 208
drwxr-xr-x 2 root sys 512 Nov 21 14:28 .
drwxr-xr-x 87 root sys 4608 Jan 7 11:24 ..
-rw-r–r– 1 root sys 88301 Jan 22 2005 moduli
-rw-r–r– 1 root sys 861 Jan 22 2005 ssh_config
-rw——- 1 root root 668 Nov 21 14:28 ssh_host_dsa_key
-rw-r–r– 1 root root 605 Nov 21 14:28 ssh_host_dsa_key.pub
-rw——- 1 root root 883 Nov 21 14:28 ssh_host_rsa_key
-rw-r–r– 1 root root 225 Nov 21 14:28 ssh_host_rsa_key.pub
-rw-r–r– 1 root sys 5215 Jan 7 15:38 sshd_config

If you have noticed, in every directory, there are two (2) special entries “.” and “..”.

They refer to the directory itself and to its parent directory respectively; hence they cannot be removed! Since the root directory has no parent directory, the path “/..” is equivalent to the path “/.” (and both are equivalent to /).

(3.) Character and Block device files

Device files allow programs to communicate with the system’s hardware and peripherals. When the kernel is configured, modules that know how to communicate with each of the system’s devices are linked in. These days, the kernel can also load modules dynamically.

But what exactly is a kernel module? Modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. Without modules, we would have to build monolithic kernels and add new functionality directly into the kernel image. Besides having larger kernels, this has the disadvantage of requiring us to rebuild and reboot the kernel every time we want new functionality.

Microsoft Windows needs to reboot so often because they lack the support of modules from their NT kernel unlike Linux/Unix!

The module for a particular device, called a device driver, takes care of the messy details of managing the device.

Device drivers present a standard communication interface that looks like a regular file. When the kernel is given a request that refers to a character or block device file, it simply passes the request to the appropriate device driver.

It is important to differentiate between device files and device drivers. The device files are are just ordinary points that are used to communicate with the drivers. They are not the drivers themselves.

But what is the difference between a character device file and a block device file? Character device files allow their associated drivers to do their own input and output (I/O) buffering.

Block device files are used by drivers that handle input and output (I/O) in large chunks and want the kernel to perform the buffering for them.

Simply, a block device would read/write bytes in fixed size blocks, as in disk sectors. Character devices read/write 0 or more bytes, in a stream, such as a TTY or a keyboard.

Device files are characterized by two numbers, called the major and minor device numbers. The major device number tells the kernel which driver the file refers to, and the minor device number tells the driver which physical unit to address.

If we on at the example below,

09:26:57 root@gw-dml-sp:~$ ls -l /dev/lp0

crw-rw—- 1 root lp 6, 0 Jan 4 13:05 /dev/lp0

From above, the major device number is 6 and the minor device number is 0.

We can create device files with the mknod command and remove them with the rm command. Most systems provide a script called /dev/MAKEDEV that creates the appropriate sets of device files for common devices.

(4.) Local domain sockets

Sockets are connections between processes that allow them to communicate in a proper manner. Linux/Unix provides several different kinds of sockets, most of which involve the use of a network. Local domain sockets are accessible only from the local host and are referred to through a filesystem object rather than a network port. They are also known as “UNIX domain sockets“.

Although socket files are visible to other processes as directory entries, they cannot be read from or written to by processes not involved in the connection. Some standard facilities that use local domain sockets are the printing system, the GNOME and KDE Window Systems, and syslog.

Local domain sockets are created with the socket system call and can be removed with the rm command or the unlink system call once they have no more users.

(5.) Named pipes

Like local domain sockets, named pipes allow communication between two processes running on the same host. They are also known as “FIFO files” (FIFO is short form for “First In, First Out”).

You can create named pipes with the mknod command and remove them with rm.

Like local domain sockets, real-world instances of named pipes are very few and rarely need administrative action.

(6.) Symbolic links

Symbolic links consist of a special type of file that serves as a reference to another file or directory. Unix-like operating systems in particular often feature symbolic links. Basically, a symbolic or soft link points to a file by name.

You can think of symbolic links in a similar way when you create “desktop shortcuts” in MS-Windows!
Unlike a hard link, which points directly to data and represents another name for the same file, a symbolic link contains a path which identifies the target of the symbolic link. Thus, when a user removes a symbolic link, the file to which it pointed remains unaffected. Symbolic links may refer to files even on other mounted file systems.

We create symbolic links with the ln -s command and remove them with the rm command.

For example, if we want to make a symbolic link between the file /etc/ssh/sshd_config and /home/tek/myssh_config, we issue the following command:

# ln -s /etc/ssh/sshd_config /home/tek/mysshd_config

# ls -l /home/tek/mysshd_config

lrwxrwxrwx 1 tek tek 20 Jan 8 21:48 /home/tek/mysshd_config -> /etc/ssh/sshd_config

FILE ATTRIBUTES AND PERMISSIONS

Every file has a set of nine (9) permission bits that control who can read, write, and execute the contents of the file. The nine permission bits are used to determine what operations on a file, and by whom.

Linux/Unix does not allow permissions to be set on a per-user basis. Instead, there are sets of permissions for the owner of the file, the group owners of the file, and everyone else. Each set has three bits: a read bit, a write bit, and an execute bit.

In a summary, there are three types of people that can do things to files – the Owner of the file, anyone in the Group that the file belongs to, and Others (everyone else). In UNIX they are referred to using the letters U (for Owner or User), G (for Group), and O (for Others).

Therefore there are three types of permissions:

   r  - read the file or directory
   w  - write to the file or directory
   x  - execute the file or search the directory

Each of these permissions can be set for any one of three types of user:

u  - the user who owns the file (you)
g  - members of the group to which the owner belongs
o  - all other users

Let us look at an example:

-bash-3.00$ ls -l /usr/bin/yelp

-rwxr-xr-x 1 root other 107504 Dec 17 2004 /usr/bin/yelp

As you can see above, there are nine (9) permission bits on the file /usr/bin/yelp

On the left side, you can see the file attributes and permissions:

-rwxr-xr-x

-	r	w	x	r	-	x	r	-	x
	*Owner*			*Group*			*Other*
File	Read	Write	Execute	Read	No-Write	Execute	Read	No-Write	Execute

As can be seen, the following users have the following permissions on the file:

Owner – can read, write, and execute

Group – can read, no-write, and execute

Other – can read, no-write, and execute

Owner of /usr/bin/yelp is root and group owner of /usr/bin/yelp is other.

More examples:

drwxrwxrwx : a folder which has read, write and execute permissions for the owner, the group and for other users.
-rwxr–r– : a file that can be read and written by the user, but only read and executed by the group, and only read by everyone else.

Using numbers (octal) for permissions

We can also use numbers for setting file and folder permissions. Each of the three numbers corresponds to each of the three sections of letters. The first number determines the owner permissions, the second number determines the group permissions and the third number determines the other permissions. Each number can have one of eight values ranging from 0 to 7. Each value corresponds to a certain setting of the read, write and execute permissions.

These values are added together for any one user category:

    1   =   execute only
    2   =   write only
    3   =   write and execute (1+2)
    4   =   read only
    5   =   read and execute (4+1)
    6   =   read and write (4+2)
    7   =   read and write and execute (4+2+1)

For example:

777 is the same as rwxrwxrwx
755 is the same as rwxr-xr-x

ls output is slightly different for a device file. For example,

09:17:07 root@gw-dml-sp:~$ ls -l /dev/tty0

crw-rw—- 1 root tty 4, 0 Jan 4 13:05 /dev/tty0

crw-rw—-

-	r	w	x	r	-	x	r	-	x
	*Owner*			*Group*			*Other*
Character file	Read	Write	Non-Execute	Read	Write	Non-Execute	No-Read	No-Write	Non-Execute

As can be seen, the file /dev/tty0 is a Character device file whose owner and group owner can read, write but could not execute it since this is a character device file!

The filesystem maintains about forty (40) separate pieces of information for each file! But the good news is that most of them are only useful for the filesystem itself. As a system administrator, we should be concerned mostly with the link count, owner, group, mode, size, last access time, last modification time, and type.

Looking at the next example,

09:32:10 root@gw-dml-sp:~$ ls -l /bin/gzip

-rwxr-xr-x 3 root root 55792 Feb 22 2005 /bin/gzip

Summary:

The first field specifies the file’s type and mode. The first character is a dash, so /bin/gzip is a regular file.

The next nine characters in this field are the three sets of permission bits. I have stressed several times the order of this 3 sets of permission bits. The order is owner-group-other.

In the example of: -rwxr-xr-x 3 root root 55792 Feb 22 2005 /bin/gzip

In this case, the owner can read-write-execute, the Group owner can only execute-read and Others can only execute.

The next field in the listing is the link count for the file. In this case, it is 3, indicating that /bin/gzip is just one of three names for this file (the others are /bin/gunzip and /bin/zcat). Each time a hard link is made to a file, the count link is incremented by 1.

The setuid and setgid bits

The bits with octal values 4000 and 2000 are the setuid and setgid bits. These bits allow programs to access files and processes that would otherwise be off-limits to the user that runs them.

When set on a directory, the setuid bit causes newly created files within the directory to take on the group ownership of the directory rather than the default group of the user of the user that created the file.

The Sticky Bit

The bit with octal value 1000 is called the sticky bit. If a sticky bit is set on a directory, the filesystem won’t allow anyone to delete or rename a file unless that person is the owner of the directory, the owner of the file, or the superuser. This convention helps to make directories like /tmp a little more secure.

If the setuid bit had been set, the x representing the owner’s execute permission would have been replaced with an s, and if the setgid bit had been set, the x for the group would also have been replaced with an s.

The last character of the permissions (execute permission for “other”) is shown as t if the sticky bit of the file is turned on. If either the setuid/setgid bit or the sticky bit is set but the corresponding execute bit is not, these bits appear as S or T.

The filesystem automatically keeps track of modification time stamps, link counts, and file size information. The permission bits, ownership, and group ownership can only be changed by with the chmod, chown, chgrp commands.

chmod: change permissions

The chmod command changes the permissions on a file. Only the owner of the file and the superuser can change its permissions.

The octal notation is generally more convenient for administrators but the mnemonic syntax can be useful for new comers.

The first argument to chmod is a specification of the permissions to be assigned, and the second and subsequent arguments are names of files on which these permissions apply to.

To see chmod in action,

As can be seen above, the original permission of the file /home/tek/myprog was:

-rw-rw-r–

Upon issuing the command chmod 711 /home/tek/myprog, the permission was changed to:

-rwx–x–x

The same effect can be applied using mnemonic syntax instead of octal notation.

For example,

chown: change ownership and group

The chown command changes the file’s ownership and group ownership. It’s syntax mirrors that of chmod, except that the first argument specifies the new owner and group in the form of user.group (user:group). Either of user or group may be left out. If there is no group, you don’t need the dot either.

Looking at the example below:

The above command changes the owner:group of the file /home/tek/robots.txt from root:root to tek:wheel.

To change a file’s group, you must either be the owner of the file and belong to the group you’re changing to or be the superuser. However, you must be the superuser to change the file’s owner.

Like chmod, chown offers the recursive -R flag to change the settings of a directory and all the files underneath it. For example, the sequence:

# chmod -755 ~john

# chown -R john:wheel ~john

might be used to setup the home directory of a new user called john after copying the default startup files. The commands above will set the directory /home/john and all it’s files and sub directories to be owned by user john and group wheel.

chgrp

Traditional UNIX uses a separate command called chgrp, to change the group owner of a file. Linux provides the chgrp command too. It works just like chown but chgrp takes just a parameter which is the group owner.

For example:

The above chgrp command will change the group owner from tek to wheel.

I hope that the materials above will serve as a basis to understand the file system and structure of your Linux/Unix machines. It should also give you hindsights to avoid common mistakes such as making a important file to be read, written, or executed by everybody. It should also provide you how to protect and give access to important files and directories only to certain users on your system.

Network Management using Nagios

teklimbu — Tue, 01 Jan 2008 17:56:03 +0000

If you are reading this article, then you should be well aware that there are various and different types of network devices, servers, electronic gadgets, transport mediums, media converters, etc, which are somehow connected to each other to form the Internet.

The internet is the biggest network in the world consisting of billions of computers, servers, workstations, routers, switches, printers, mainframes, mobile devices, etc, connected to each other in one way or another.

1 question certainly arises, which is, how do we keep track of this giant network and it’s billions of network devices connected to the Internet?

If you are a system administrator, then I’m sure you are in charge of maintaining at least a couple of servers and network devices such as a router. In truth, a system administrator’s job is unlimited and sad but truth is also thankless job. We look after a lot of different servers ranging from web servers, proxy servers, dns servers, mail servers just to name a few. In fact, any given system administrator could well be managing any where from 5 to 500 different kinds of servers and network devices.

On average, a single server could be serving approximately 500 users. Hence if one of your server should go down, then 500 people will be banging your phone and speaking some horrible or alien language to you!

If you add 2 dozen more servers and network devices and for some reason they should go down, then that’s when you know that you are in real deep trouble!

So how do we keep ourselves sane and how to we keep ourselves informed if all our servers and network services are working in fine shape and condition. The answer is to use a host and service monitoring system designed to inform us of network problems before our clients, end-users or managers do!

There are various different tools used for monitoring servers and network devices out of which the 2 best known tools are Nagios and Zabbix.

In a nutshell,

Nagios is a popular open source computer system and network monitoring application software. It watches hosts and services that you specify, alerting you when things go bad and again when they get better.

It can be used for monitoring of network services (SMTP, POP3, HTTP, NNTP, ICMP, SNMP, FTP, SSH, etc) .

The best part of it is that it supports simple plugins designed to allow users to easily develop their own service checks depending on needs, by using the tools of choice (Bash, C++, Perl, Ruby, Python, PHP, C#, etc.)

Zabbix is also an open source network monitoring system designed to monitor and track the status of various network services, servers, and other network hardware. The main difference between Nagios and Zabbix is that Zabbix uses MySQL, PostgreSQL, SQLite or Oracle to store data. Its web based frontend is written in PHP.

The point to note is that whichever tool you choose to use, the tool must allow us to be constantly aware of change in our environment to which we should be aware and to record data points over a period of time to allow for trend analysis, capacity planning, and fault isolation down the road.

In this article, we will go about installing and configuring Nagios for monitoring our network devices and servers.

For Nagios to work, you must have an existing Apache web server running. If not, then simply follow the steps below to configure a simple running Apache-2.2.6 web server:

(1.) Add User and Group “apache” and download Apache-2.2.6

groupadd apache

useradd -g apache apache

mkdir -p /usr/local/src/httpd

cd /usr/local/src/httpd

wget http://mirror.nyi.net/apache/httpd/httpd-2.2.6.tar.gz

(2.) unzip the sources

tar zxvf httpd-2.2.6.tar.gz

(3.) Configure Apache

cd httpd-2.2.6

./configure

–prefix=/usr/local/httpd \

–enable-so

(4.) Compile and install Apache

make && make install

(5.) Start the Apache web server

/usr/local/httpd/bin/apachectl start

That’s it. Apache 2.2.6 should now be running!

NAGIOS INSTALLATION

Now that our web server is running, we move on to the installation of Nagios itself.

(1.) Create the user “nagios” and group “nagcmd”. Then add user “nagios” and “apache” to the nagcmd group.

useradd nagios

groupadd nagcmd

usermod -G nagcmd nagios
usermod -G nagcmd apache

(2.) Download the latest version of Nagios to your regular download directory. As of 01-Jan-2008, the latest version of Nagios is nagios-3.0rc1. We also have to download the nagios-plugins.

mkdir -p /usr/local/src/nagios

cd /usr/local/src/nagios

wget http://superb-east.dl.sourceforge.net/sourceforge/nagios/nagios-3.0rc1.tar.gz

wget http://nchc.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.11.tar.gz

(3.) Unzip and unpack the sources files.

cd /usr/local/src/nagios

tar zxvf /usr/local/src/nagios/nagios-3.0rc1.tar.gz

(4.) Configure your nagios installation

cd /usr/local/src/nagios/nagios-3.0rc1
./configure –prefix=/usr/local/nagios \
–with-nagios-user=nagios \
–with-nagios-group=nagios \
–with-cgiurl=/usr/local/nagios/share/nagios/cgi-bin

(5.) Compile and make install

make all

(6.) Install binaries, init script, sample config files and set permissions on the external command directory.

make install
make install-init
make install-config
make install-commandmode

(7.) Configure admin email address

vi /usr/local/nagios/etc/objects/contacts.cfg

###Change the following###

email nagios@localhost

to

email tekbdrlimbu@hotmail.com

(8.) Configure the Web interface

ln -s /usr/local/httpd/conf /etc/httpd
ln -s /usr/local/httpd/conf /etc/httpd

cd /usr/local/src/nagios/nagios-3.0rc1

make install-webconf

(9.) Add password to username “nagiosadmin”

/usr/local/httpd/bin/htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

(10.) Unzip and unpack the nagios plugins

cd /usr/local/src/nagios

tar zxvf /usr/local/src/nagios/nagios-plugins-1.4.11.tar.gz

cd /usr/local/src/nagios/nagios-plugins-1.4.11/

(11.) Run configure

./configure –with-nagios-user=nagios –with-nagios-group=nagios

(12.) Compile and make install

make

make install

(13.) Verify Nagios configuration files and rung Nagios in Daemon mode

/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
/usr/local/nagios/bin/nagios -d /usr/local/nagios/etc/nagios.cfg

(14.) Copy the Nagios config files to Apache config directory

cp /usr/local/nagios/etc/nagios.cfg /usr/local/httpd/conf/

(15.) Include nagios.conf in your httpd.conf file and restart Apache

vi /usr/local/httpd/conf/httpd.conf

##Add the following line to httpd.conf###

Include /usr/local/httpd/conf/nagios.conf

###Save httpd.conf and exit and restart Apache###

/usr/local/httpd/bin/apachectl restart

(16.) Fire your web browser to check your Nagios installation

http://localhost/nagios

http://192.168.0.1/nagios

You should see something like the following:

Nagios initial screen

Nagios Service Detail Screenshot

That’s it. Nagios is installed now. Next we will go about configuring checks on various hosts and network devices on our network.

To be continued tomorrow …..

Monitoring your Linux/Unix servers and network devices using MRTG and SNMP

teklimbu — Wed, 05 Dec 2007 15:57:25 +0000

This tutorial will guide you to create MRTG graphs for your Linux/Unix Server or just about any network device which supports SNMP.

This guide will present you the layout in a practical way and will not go in depth to explain the theories behind how they work. This is because the users will explore and learn them by themselves.

SNMP stands for Simple Network Management Protocol.

It is an application layer protocol that helps the exchange of management information between network devices. It is based on TCP/IP and allows us to extract various information like network traffic and performance which in turn help us plan our network for growth and problems.

More information about SNMP can be found at it’s site at: http://net-snmp.sourceforge.net/

First of all, you need the MRTG package.

MRTG stands for Multi Router Traffic Grapher. It can be used to monitor and graphically display traffic and usage of an internet connection among many other things.

More information about MRTG can be found on it’s creator’s site at: http://oss.oetiker.ch/mrtg/

In addition to MRTG, you will need a Web server to display the graphs and statistics generated by MRTG. More information to setup an Apache web server can be found in the following URL:

http://teklimbu.wordpress.com/2007/10/08/configuring-apache2

In case, you are in a hurry, follow the steps below to install a very basic Apache web server.

(1.) Download Apache

cd /usr/local/src

wget http://mirror.nyi.net/apache/httpd/httpd-2.2.6.tar.gz

(2.) unzip the sources

tar zxvf httpd-2.2.6.tar.gz

(3.) Configure Apache

cd httpd-2.2.6

./configure

–prefix=/usr/local/httpd \

–enable-so

(4.) Compile and install Apache

make && make install

(5.) Start the Apache web server

/usr/local/httpd/bin/apachectl start

That’s it. Apache 2.2.6 should now be running!

Moving on, we will next compile and install the MRTG package.

MRTG Installation

(1.) Create local directory and change to that directory.

mkdir -p /usr/local/src/mrtg

cd /usr/local/src/mrtg

(2.) Download MRTG. The latest version of MRTG as on 05-Dec-2007 is 2.15.2.

wget http://oss.oetiker.ch/mrtg/pub/mrtg-2.15.2.tar.gz

(3.) Unzip the package.

tar zxvf mrtg-2.15.2.tar.gz

cd mrtg-2.15.2

(4.) Configure MRTG

./configure –prefix=/usr/local/mrtg-2

Note: you may need to install the GD library. For Debian users, it’s just a matter of typing: apt-get install libgd-dev

(5.) Compile and install the MRTG software.

make && make install

That’s it. MRTG is now installed in the prefixed directory: /usr/local/mrtg-2

Net-SNMP Installation

(1.) Create local directory to your download SNMP

mkdir -p /usr/local/src/snmp

cd /usr/local/src/snmp

(2.) Download the latest source package of net-snmp. The latest version of net-snmp as on 05-Dec-2007 is 5.2.4.

wget http://nchc.dl.sourceforge.net/sourceforge/net-snmp/net-snmp-5.2.4.tar.gz

(3.) Unzip the source file

tar zxvf net-snmp-5.2.4.tar.gz

(4.) Configure your SNMP package

cd /usr/local/src/snmp/net-snmp-5.2.4
./configure –prefix=/usr/local/net-snmp

Note: You will be asked some questions regarding setting up SNMP such as the following:

(a.) Default version of SNMP to use: Choose 2

(b.) System Contact Information: type in your email address

(c.) System Location: Type in the location of this box

(d.) Location to write log file: /var/log/snmpd.log

(e.) Location to write persistent information: /var/net-snmp

If your configuration options was successful you will see something the following:

———————————————————
Net-SNMP configuration summary:
———————————————————

SNMP Versions Supported: 1 2c 3
Net-SNMP Version: 5.2.4
Building for: linux
Network transport support: Callback Unix TCP UDP
SNMPv3 Security Modules: usm
Agent MIB code: mibII ucd_snmp snmpv3mibs notification target agent_mibs agentx utilities
SNMP Perl modules: disabled
Embedded perl support: disabled
Authentication support: MD5 SHA1
Encryption support: DES AES

———————————————————
(5.) Compile and install SNMP

make && make install

If everything completes without any errors, that’s it. Net-SNMP is installed in your machine!

Configuration of snmpd.conf

Let us now create a snmpd.conf file which contains the basic elements for extracting information about your machine.

(1.) Create the etc directory to hold your snmpd.conf file.
mkdir -p /usr/local/net-snmp/etc

(2.) Create the snmpd.conf

vi /usr/local/net-snmp/etc/snmpd.conf

##Copy and paste the following##

#############Start of snmpd.conf###########################
#
# snmpd.conf
#
# – created by Tek Limbu on 05-Dec-2007
#
#######################################################
# SECTION: System Information Setup
#
# This section defines some of the information reported in
# the “system” mib group in the mibII tree.

# syslocation: The [typically physical] location of the system.
# Note that setting this value here means that when trying to
# perform an snmp SET operation to the sysLocation.0 variable will make
# the agent return the “notWritable” error code. IE, including
# this token in the snmpd.conf file will disable write access to
# the variable.
# arguments: location_string

syslocation Kathmandu-Nepal

# syscontact: The contact information for the administrator
# Note that setting this value here means that when trying to
# perform an snmp SET operation to the sysContact.0 variable will make
# the agent return the “notWritable” error code. IE, including
# this token in the snmpd.conf file will disable write access to
# the variable.
# arguments: contact_string

syscontact tekbdrlimbu@hotmail.com

#####################################################
# SECTION: Access Control Setup
#
# This section defines who is allowed to talk to your running
# snmp agent.

# rocommunity: a SNMPv1/SNMPv2c read-only access community name
# arguments: community [default|hostname|network/bits] [oid]

rocommunity MyPass333

#Disk size in Megabytes (MB).

disk /usr

disk /var

#################End of snmpd.conf########################

The most important data in any SNMP configuration is the community string which can be compared to a password. In the above snmpd.conf file, the rocommunity stands for read-only community string which has the value “MyPass333″. As with passwords, this has to be kept as as secret!

(3.) Run the SNMP daemon using the above snmpd.conf file.

/usr/local/net-snmp/sbin/snmpd -c /usr/local/net-snmp/etc/snmpd.conf

(4.) Test to see if SNMP is working and functioning properly.

/usr/local/net-snmp/bin/snmpwalk -v2c -c MyPass333 localhost system
You should see something like the following:

###############################################

SNMPv2-MIB::sysDescr.0 = STRING: Linux gw-npj-sp 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
SNMPv2-MIB::sysUpTime.0 = Timeticks: (168913) 0:28:09.13
SNMPv2-MIB::sysContact.0 = STRING: tekbdrlimbu@hotmail.com
SNMPv2-MIB::sysName.0 = STRING: linux-box-hostname
SNMPv2-MIB::sysLocation.0 = STRING: Kathmandu-Nepal
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

##############################################

Looks familiar doesn’t it? This is because we supplied the information in the snmpd.conf file!

Creating your 1st MRTG graph using SNMP

Assuming that you have did everything mentioned above correctly, then we will move on to generate a very simple graph showing the traffic status of your machine’s network interfaces.

(1.) Create the directory to store your MRTG configuration (cfg) files.

mkdir -p /usr/local/mrtg-2/etc

(2.) Create the directories to store your MRTG cfg files and it’s output files in your Apache DocumentRoot directory.

Assuming that you followed the steps outlined in the URL:

http://teklimbu.wordpress.com/2007/10/08/configuring-apache2

Then, your DocumentRoot will be the default “/usr/local/httpd/htdocs/” directory.

mkdir -p /usr/local/httpd/htdocs/mrtg/traffic

(3.) Run the cfgmaker tool installed from the MRTG package

/usr/local/mrtg-2/bin/cfgmaker –output=/usr/local/mrtg-2/etc/mrtg.cfg –global “workdir: /usr/local/httpd/htdocs/mrtg/traffic” -ifref=ip –global ‘options[_]: growright,bits’ MyPass333@localhost

The above command will produce the output file “mrtg.cfg” and all graphs generated will be stored in the “workdir” directory.

output file= /usr/local/mrtg-2/etc/mrtg.cfg

workdir= /usr/local/httpd/htdocs/mrtg/traffic/

(4.) Finally run the mrtg tool to generate the graphs.

env LANG=C /usr/local/mrtg-2/bin/mrtg /usr/local/mrtg-2/etc/mrtg.cfg

(5.) Your graphs should now be generated. Fire up your web browser and enter the IP address or hostname of your machine.

http://192.168.0.1/mrtg/traffic

If this machine is your desktop, simply type:

http://localhost/mrtg/traffic

Note: Replace the IP above with the actual IP of your Linux machine.

(5.) Generate your index.html file using the tool called indexmaker which comes with the MRTG package.

/usr/local/mrtg-2/bin/indexmaker –title=”Traffic Status” \

/usr/local/mrtg-2/etc/mrtg.cfg \

> /usr/local/httpd/htdocs/mrtg/traffic/index.html

You should see something like the following graph:

Graph showing traffic analysis for eth0

(6.) We need to setup an entry in the cron table to update the MRTG graphs every 5 minutes. On a Linux or FreeBSD machine, you can do it the following way:

vi /etc/crontab

##### Copy and paste the following #####

*/5 * * * * root env LANG=C /usr/local/mrtg-2/bin/mrtg /usr/local/mrtg-2/etc/mrtg.cfg > /dev/null 2>&1

Note: The above statement should be in a single line, i.e. no line breaks.

There you have it. Your graphs will update every 5 minutes indicating the traffic flow in your eth0 network interface.

Now that you have used cfgmaker to extract the traffic of the network interfaces of your Linux machine, it can be used on any network devices which support SNMP.

Moving on, to explore more about SNMP and MRTG, we will create a new configuration file which will generate graphs showing the CPU load, Memory Usage, TCP connections and disk partitions of your Linux/Unix machine.

The cfg file used for this task is taken from the site: www.linuxhomenetworking.com. This is a great site for all level of Linux/Unix users.

MRTG and SNMP are covered in depth at:

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch22

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch23

Having said that, let’s move on..

(1.) Create a new directory for Apache to store the graphs

mkdir -p /usr/local/httpd/htdocs/mrtg/server

(2.) Create a new configuration file called server-mrtg.cfg

vi /usr/local/mrtg-2/etc/server-mrtg.cfg

##### Copy and paste the following:######

#####Start of server-mrtg.cfg########

# Configuration file for non bandwidth server statistics
#

#
# Define global options
#

LoadMIBs: /usr/local/net-snmp/share/snmp/mibs/UCD-SNMP-MIB.txt,

/usr/local/net-snmp/share/snmp/mibs/TCP-MIB.txt
workdir: /usr/local/httpd/htdocs/mrtg/server

#
# CPU Monitoring
# (Scaled so that the sum of all three values doesn’t exceed 100)
#

Target[server.cpu]:ssCpuRawUser.0&ssCpuRawUser.0:MyPass333@localhost + ssCpuRawSystem.0&ssCpuRawSystem.0:MyPass333@localhost + ssCpuRawNice.0&ssCpuRawNice.0:MyPass333@localhost
Title[server.cpu]: Server CPU Load
PageTop[server.cpu]:

CPU Load – System, User and Nice Processes

MaxBytes[server.cpu]: 100
ShortLegend[server.cpu]: %
YLegend[server.cpu]: CPU Utilization
Legend1[server.cpu]: Current CPU percentage load
LegendI[server.cpu]: Used
LegendO[server.cpu]:
Options[server.cpu]: growright,nopercent
Unscaled[server.cpu]: ymwd

#
# Memory Monitoring (Total Versus Available Memory)
#

Target[server.memory]: memAvailReal.0&memTotalReal.0:MyPass333@localhost
Title[server.memory]: Free Memory
PageTop[server.memory]:

Free Memory

MaxBytes[server.memory]: 100000000000
ShortLegend[server.memory]: B
YLegend[server.memory]: Bytes
LegendI[server.memory]: Free
LegendO[server.memory]: Total
Legend1[server.memory]: Free memory, not including swap, in bytes
Legend2[server.memory]: Total memory
Options[server.memory]: gauge,growright,nopercent
kMG[server.memory]: k,M,G,T,P,X

#
# Memory Monitoring (Percentage usage)
#
Title[server.mempercent]: Percentage Free Memory
PageTop[server.mempercent]:

Percentage Free Memory

Target[server.mempercent]: ( memAvailReal.0&memAvailReal.0:MyPass333@localhost ) * 100 / ( memTotalReal.0&memTotalReal.0:MyPass333@localhost )
options[server.mempercent]: growright,gauge,transparent,nopercent
Unscaled[server.mempercent]: ymwd
MaxBytes[server.mempercent]: 100
YLegend[server.mempercent]: Memory %
ShortLegend[server.mempercent]: Percent
LegendI[server.mempercent]: Free
LegendO[server.mempercent]: Free
Legend1[server.mempercent]: Percentage Free Memory
Legend2[server.mempercent]: Percentage Free Memory

#
# New TCP Connection Monitoring (per minute)
#

Target[server.newconns]: tcpPassiveOpens.0&tcpActiveOpens.0:MyPass333@localhost
Title[server.newconns]: Newly Created TCP Connections
PageTop[server.newconns]:

New TCP Connections

MaxBytes[server.newconns]: 10000000000
ShortLegend[server.newconns]: c/s
YLegend[server.newconns]: Conns / Min
LegendI[server.newconns]: In
LegendO[server.newconns]: Out
Legend1[server.newconns]: New inbound connections
Legend2[server.newconns]: New outbound connections
Options[server.newconns]: growright,nopercent,perminute

#
# Established TCP Connections
#

Target[server.estabcons]: tcpCurrEstab.0&tcpCurrEstab.0:MyPass333@localhost
Title[server.estabcons]: Currently Established TCP Connections
PageTop[server.estabcons]:

Established TCP Connections

MaxBytes[server.estabcons]: 10000000000
ShortLegend[server.estabcons]:
YLegend[server.estabcons]: Connections
LegendI[server.estabcons]: In
LegendO[server.estabcons]:
Legend1[server.estabcons]: Established connections
Legend2[server.estabcons]:
Options[server.estabcons]: growright,nopercent,gauge

#
# Disk Usage Monitoring
#

Target[server.disk]: dskPercent.1&dskPercent.2:MyPass333@localhost
Title[server.disk]: Disk Partition Usage
PageTop[server.disk]:

Disk Partition Usage /usr and /var

MaxBytes[server.disk]: 100
ShortLegend[server.disk]: %
YLegend[server.disk]: Utilization
LegendI[server.disk]: /usr
LegendO[server.disk]: /var
Options[server.disk]: gauge,growright,nopercent
Unscaled[server.disk]: ymwd
######End of server-mrtg.cfg#######

(3.) Generate the MRTG graphs

env LANG=C /usr/local/mrtg-2/bin/mrtg /usr/local/mrtg-2/etc/server-mrtg.cfg

(4.) Create the index.html file running indexmaker

/usr/local/mrtg-2/bin/indexmaker –title=”Server Status” \
/usr/local/mrtg-2/etc/server-mrtg.cfg \
> /usr/local/httpd/htdocs/mrtg/server/index.html

(5.) Fire up your web browser and point it to:

http://192.168.0.1/mrtg/server/

or if this is your local machine

http://localhost/mrtg/server

You should see something like the following graphs:

MRTG graph showing your server status

(6.) Finally create a cron table entry to generate update these graphs every 5 minutes.

vi /etc/crontab

###Copy and paste the following###

*/5 * * * * root env LANG=C /usr/local/mrtg-2/bin/mrtg /usr/local/mrtg-2/etc/server-mrtg.cfg

That’s it. You have just created an effective method for monitoring your Linux/Unix box!

Of course, MRTG is very versatile and can generate traffic graphs from your Squid proxy, Apache Web, Bind DNS, Qmail, routers, switches, just to mention a few. We will visit these topics in the coming days to come.

Till then, enjoy monitoring your server with your newly generated MRTG graphs!

WWW, Open Source and Nepal

teklimbu — Fri, 23 Nov 2007 09:47:11 +0000

I am diverting from my regular technical articles regarding operating systems and softwares to a different topic. This article represents the general aspect of the internet services provided in Nepal and also gives general information of my country.

The Internet is making the world smaller, that’s the latest buzz we hear everyday. A day never goes and passes by without the mention of the word “GOOGLE”. Everybody around the world seems to be bracing social networking such as Facebook, Orkut, Bebo or Myspace.

However, to a 3rd world country like Nepal, does it really matter?

Let me brief the audience about Nepal in a few sentences.

Nepal is a land locked country and home place of natural beauty. The northern Himalayan range is covered with snow over the year where the highest peak of the world, the Mount Everest, stands tall at 29029 feet. The middle Hill range is surrounded and covered by beautiful mountains, high hill peaks, valleys and lakes. Nepal’s total area coverage is 147,000 square meters. Natural resources like lakes and rivers give Nepal the advantage and edge for producing hydro electricity.

Nepal has a huge potential of hydro power that comes to about 83,000 MW out of which 43,000 MW is economically viable.

According to statistics, 5000 megawatts (MW) of power can serve 5 million average homes. If we consider that the average household in Nepal has 6 persons, then 5000 MW of energy can serve a population of 28 million. That is roughly equal to the population of Nepal which is approximately 28 million.

We will have a surplus of 38,000 MW of hydro power! This surplus energy can be exported and utilized in different sectors including technology, education, health care, manufacturing, etc. In fact, Water to Nepal is what Oil is to Iraq!

To the dismay of the reader, which is sad but true, however only about 700 MW is currently being utilized! That is less than 2% of the total potential hydro power energy that Nepal can produce!

The point that I am trying to make is that more could be done to tap this vast amount of hydro power out of which a fraction can be invested in building high speed multiple fiber optical lines connecting Nepal to the rest of the Internet.

Remember that we are sandwiched between China and India which are the fasting growing economical countries in the world. They both have superior technical infrastructures and high speed fiber optical carriers. By sharing borders with both of them (China 1,236 km, India 1,690 km), this is in fact an advantage for Nepal in terms of getting fiber optical data carriers from them.

The 3 geographical divisions of Nepal. Courtesy of www.nepalvista.com

Nepal is also a very diverse country with more more than 100 caste/ethnic groups speaking more than 75 different dialects with the total population being at 28 million at 2006.

The preliminary estimate of per capita GDP is just U.S. $ 315. Thirty-one (31%) percent of the population live below the absolute poverty line. The GDP growth is a minimal 2.3 % but this too is overshadowed by the population growth at 2.25 %.

Due to this factors, it’s hardly surprising that Nepal rank near the bottom of virtually every measure of development.

The active Internet users in Nepal is only about 175,000 with approximately 9 local ISPs. Now if we compare 175,000 internet users with the population of 28 million, that’s less than 1%. Therefore, I believe that Information Technology (IT) has more room and a bright future in Nepal.

With only negative data and values, does Nepal have a future in the internet? Or can Nepal benefit from the internet and the world wide web? Yes it can. How? Effective governance, efficient use of man power and by using open source technologies to power the Internet for Nepal.

Due to various political events during the past 2 years, a lot of the internal level of fighting inside the country has resided. This is given new hopes for peace and prosperity to the people of Nepal. I don’t think that matters will get any worse from here onwards because we have already faced the worst! Nepal deserves better times and better growth in the coming years.

Major Towns in Nepal having internet connectivity. Courtesy of www.nepalvista.com

Being a third world country brings it’s own share of technical burdens. High speed fiber optical lines generally do not exists in 3rd world countries like Nepal. Or simply, getting internet bandwidth via underground fiber optical carriers is not economically viable to private ISPs. The government owned Internet Service Provider despite having fiber optical data connections is almost non existent or simply is not utilizing it’s full capacities.

Therefore, satellites had and have been playing a major role for relaying international bandwidth from Nepal to the rest of the Internet network.

Below is a description of how many third world countries like Nepal get access to the Internet.

There are over 300 communications satellites in the geostationary orbit, directly above the equator, spaced typically 2 or 3 degrees apart. Because they orbit the earth at the same speed and in the same direction as the earth rotates they remain fixed in the sky and we can use a fixed pointing Very Small Aperture Terminal (VSAT) to communicate.

For Internet traffic, we use a geosynchronous based satellite for communication. A geosynchronous satellite is a satellite whose orbital track on the Earth repeats regularly over points on the Earth over time.

If such a satellite’s orbit lies over the equator, it is called a geostationary satellite. The orbits of the satellites are known as the geosynchronous orbit and geostationary orbit.

When satellites communicate with each other, the portion of the radioelectric phantom that they will use determines practically everything: the capacity of the system, the power and the price. The different wavelengths have different properties. The long wavelengths can cross great distances and cross obstacles.

The most common frequencies used for Satellite based internet networks are C band (3700-6425 MHz) and Ku band (10,700-12,7500 MHz). A simple diagram illustrating this satellite setup is shown below

Typical ISP Internet Network Operation Setup via satellite

Actually satellite based internet services are not really bad or unreliable. In fact, it is very stable and reliable too. Bandwidth speeds up to 100 mbps (downlink) and 50 mbps (uplink) can be achieved using this types of Satellite mediums.

The 1st major disadvantage of using satellites (VSAT) is a result of their high altitude: radio signals take approximately 0.25 of a second to reach and return from the satellite, resulting in a small but significant signal delay. This delay increases the difficulty of telephone conversation and reduces the performance of common network protocols such as TCP/IP, but does not present a problem with non-interactive systems such as television broadcasts.

This is also the reason why we get to see the minimum latency of 500 ms while connecting to international networks.

The 2nd major disadvantage of using satellites (VSAT) is the high price for international bandwidth resulting in significant bandwidth prices for the average internet user.

Besides the necessary satellite equipments such as the satellite modem, DVB modem, router and switch, all other servers providing critical internet services are based on Open Source software which of course are stable, secure, flexible and most importantly FREE.

Moving on, you can see that we need a minimum of 7 Linux/Unix servers. This comprises the following:

(1.) Bandwidth Manager (B/W Mgr) running on Linux and using HTB.

This server running with a Linux kernel greater than 2.4.20 will act as bandwidth shaper which will shape the bandwidth of clients. The shaping is done using special tools from the iproute2 package which consists of the program tc (traffic controller).
It uses the HTB queuing technique to shape, rate-limit, priorizing and share the
bandwidth. In addition to HTB, the Mangle table of IPTABLES are used to for mangling packets. It is used to change the TOS, TTL and MARK values of IP packets. This machine will have at least 3 network interfaces.

The other main purpose of this server is to provide Firewall services in addition with the router to protect the whole network behind it.

(2.) FreeRadius and Database server running on Linux/FreeBSD for authentication and accounting purposes.

This server will be running the software or service called FreeRadius which will be used for Authentication and Accounting purposes for various types of network access.

In addition to authentication, an SQL database (Mysql, PostgreSQL, Oracle) will store all information including traffic volume, time volume, account types and all other tables used for accounting purposes.

In simple terms, for an ISP, this server provides the basis for accounting and billing of it’s customers.

(3.) Bind DNS server running on Solaris/FreeBSD for providing Domain Name Services.

DNS is the service which translates a hostname (www.example.com) to an IP address (123.123.123.123).

An IP address (Internet Protocol address) is a unique address that computers and network devices use in order to identify and communicate with each other on a network.

An IP address, uses 32-bit values, usually represented in dotted-decimal notation (four numbers, each ranging from 0 to 255, separated by dots, e.g. 123.123.123.123).

Without DNS, in order to browse a website such as www.cnn.com, we would have to type it’s computer’s IP address. Now imagine the consequences without having DNS service.

Or Simply, if DNS do not exists, 98% of all networks connected to the Internet would be impossible to be accessed! Or we will have keep a very very long list mapping the IP address to each of the individual computer connected to the Internet. To be exact, we will have to keep an IP address book with 120 million IP addresses.

Similarly, reverse DNS maps an IP address to it’s hostname. Reverse DNS is mainly used by Email systems for anti-spamming purposes.

(4.) Postfix/Qmail SMTP Server running on FreeBSD offering SMTP, IMAP, POP services.

It is believed that 70 % of all internet users uses it for Email purposes. A mail transfer agent or MTA is a computer program or software agent that transfers electronic mail messages from one computer to another.

A MTA speaks the SMTP protocol is used by all email systems on the internet to interact with different mail systems. Therefore, to provide email services, Unix systems since the 1970s have deployed the software called Sendmail. However, due to many security exploits in the Sendmail MTA, other MTAs such Postfix or Exim are deployed these days. The Qmail MTA also has a large installation base.

(5.) Squid Proxy Server running on Solaris/FreeBSD for caching web traffic for improved performance and bandwidth savings.

A proxy server is a machine which services the web requests of its clients by forwarding requests to other servers. A proxy server may service requests without contacting the specified server, by retrieving content saved from a previous request, made by the same client or even other clients. This is also called caching.

Caching proxies keep local copies of frequently requested resources, allowing large organizations and ISPs to significantly reduce their upstream and downlink bandwidth usage and cost, while at the same time increasing performance significantly.
In reality, a proxy server can save as much as 30-50% of the actual bandwidth utilization and costs by serving content from it’s cache and it’s siblings.

(6.) PPPoE Server running on FreeBSD for authenticating PPPoE clients and PPPoE traffic control.

PPPoE, Point-to-Point Protocol over Ethernet, is a network protocol for encapsulating PPP frames inside Ethernet frames.
Ethernet networks are packet-based and have no concept of a connection or circuit. But using PPPoE, users can virtually “dial” from one machine to another over an Ethernet network, establish a point to point connection between them and then transport data packets over the connection.
PPPoE is also a specification for connecting multiple computer users on an Ethernet local area network to a remote site through common customer premises equipment, which could be a SM modem, ADSL modem, Cable modem or simply a cable line distributed from our Cable network.
To handle PPPoE authentication requests, shape bandwidth for PPPoE clients and to route it’s traffic, we will need this PPPoE server.

(7.) Web Server for providing web hosting services and control panel running on Solaris/FreeBSD/Linux.

This web hosting server will provide clients the necessary tools to host their own websites accessible via the World Wide Web (WWW).

Typically, once their choice of domain names (www.thisismysite.com) are registered, clients are given a certain amount of storage on the web hosting server and a control panel to manage various services like web pages, FTP, Email, etc. For an e-commerce site, Secure Sockets Layer (SSL) is required which provides secure communications using cryptographic protocols.

We normally use the term LAMP (Linux, Apache,Mysql,PHP) or SAMP (Solaris, Apache, Mysql,PHP) or FAMP (FreeBSD, Apache, Mysql, PHP) as the platform of choice for the development and deployment of high performance web applications. These are minimum features any web developer wants supported on his/her web hosting platform.

We will go through the details of setting up each of these servers in future articles.

————————————————————————————-

The 7 servers mentioned above are the absolute minimum setup required for a small ISP. If the customer base grows, there will be a need to add more hardware devices and servers. In fact, for an ISP serving 30,000 customers, the number of different servers required range anywhere from 50 – 600.

Regarding the server’s hardware, a refurbished Dell GX-270 machine costs U.S. $250 and an entry level Dell SC-430 costs about U.S.$ 599. Besides that, all we need is Free Open Source software and a few good system administrators to utilize them.

Now imagine a middle size ISP running 500 servers based on Open Source operating systems and softwares. If those 500 servers were running Windows based operating systems which costs in the range of $999 – $3,999 and multiply that amount by 500, you can actually see the total costs sky rocketing.

Even on the 7 servers setup in the diagram above, we are already saving a minimum of U.S.$ 7,000.

And we still have not added the extra costs for other softwares besides the operating systems!!

Frankly speaking, open source softwares can fulfill 95 % of the total demands for an ISP with the remaining 5 % being fulfilled by Windows based products.

Given that the government and private parties can work out a solution mutually, then I can foresee the internet user base grow from the current 175,000 mark to 2,000,000 within a period of 5 years.

That is because the Nepali government have the capacity to deliver Dial-UP and DSL internet services up to 1,000,000 clients. With help from neighboring countries, a high speed fiber optical internet gateway has already been installed. Now if the government decides to share this fiber optical line with the private ISPs, imagine the speed improvements and the reduced internet costs! The private ISPs already have stable wireless networks and cable networks just to mention a few.

So I believe that the 2 million internet users mark can be achieve easily. The only remaining part is to educate our citizens regarding information technology. And I am sure it will start with introducing them to the world of open source.

How will Nepal actually benefit from the Internet and it’s vast amount of resources. The 2 most importance sectors are E-commerce and Education.

(1.) E-commerce

Nepal produces one of the best handmade carpets in the world. The carpets are hand-woven first, then are, washed, trimmed, stretched and fine-trimmed for finishing by hand. Currently most of those carpets are exported to European and North American countries using a very traditional and tedious method.

The same goes for handicrafts, garments and other exports. Now, if the manufacturer deploys a small IT department to provide a website providing various information of it’s products and a secure site for e-commerce, it will improve the speed of the transaction tremendously. This will also guarantee the overall quality and cheaper prices for the products because they clients will be purchasing directly from the manufacturer.

Introducing e-commerce in this sector will go a long way to benefit this under estimated economy.

(2.) Education

Education is the ultimate tool for the development of any country. In fact, I believe, that education is directly proportional to the economy and development of a country given it follows healthy standard. Take for example, Singapore, which places Education and Healthcare in the topmost priority. Since gaining it’s independence in 1965, it achieved it’s status from being a third world country to being the most advanced and dynamic country in the world within a single generation. To be exact, it took Singapore just 26 years to develop from a village to become the most advanced financial hub in the world! If there is any country where Nepal can learn and get inspired, then it’s going to be Singapore.

In the past fifty years in Nepal, there has been a dramatic expansion of educational facilities. Beginning with about ten thousand students in 1951, there now are approximately 5.5 million students.

However, there are many defects, problems and challenges with the education system in Nepal. Educational management, it’s qualities and it’s access are some of the critical issues haunting Nepal. There is too much social disparities based on gender, ethnicity, economic class, etc. Primary resources like books, proper classrooms, properly trained teachers are always below required level.

And most important of all, political parties should stop the politics practiced in schools and stop the poisoning of our education system with unwanted politics.

I believe that providing a couple of internet connected computers in every school will give some life to our education system. This way, students will get access to all kinds of study materials, learn about different education cultures and approaches, apply for online study courses among other things and of course make new acquaintances.

It should also be noted that 50% of the population in Nepal falls under than age of 30 years. In fact, this will be the next generation who will drive and lead this gorgeous and beautiful country. Therefore, providing quality education should be the number 1 priority.

We have the capabilities to deliver internet content even to remote areas and villages in different parts of the country. It’s just that it’s impractical and impossible financially for private business ventures to actually setup a internet hub in those places.

However, this can be changed if private ISPs get the support from the government and international donor agencies.

We have a 800,000 workforce working abroad, some working as Gurkhas in the British army and the Singaporean police force while others are contributing to the man power in the Gulf and Malaysia. They contribute a total remittance value worth around U.S. $ 1 billion.

If you compare that amount to the government’s yearly budget which is about US$1.2 billion, they will be on par with each other!

If we can utilized this capital, promote tourism and manage our water resources intelligently, then, I believe that every family in Nepal will get internet connectivity within a single generation.

Getting internet content to these homes will of course be powered by Open Source technology.

Finally, I will end this article saying that Nepal is not a POOR country and she can definitely become fully independent herself. We just don’t seem to realize that we are a chicken hen which can actually lay golden eggs if she wants!

Long Live Nepal!

An Encounter with Solaris 10

teklimbu — Tue, 30 Oct 2007 07:01:27 +0000

2 weeks ago, our main festival started for which we had 5 days off! Now that is a considerable amount of free time to any system administrator. Free time to system administrators gives us the ability to think freely from the daily workload and unnecessary pressure.

Before the holidays started, I had decided to learn something new to further enhance my experience and understanding about the open source operating systems world. I am not really an expert on Linux or BSD based operating systems. However, I do have some years of experience with Redhat and Debian based Linux operating systems. Since 2 years back, I have been running some server stuffs mostly on FreeBSD operating systems.

Trying out Gentoo has always been on my mind but I thought it’s Linux after all and suddenly Solaris came to my mind. I have to admit that I had always been biased to Solaris. I thought that it was not really an open source operating system and it ran only on those weird looking SPARC boxes manufactured by Sun Microsystems.

But I was wrong! Solaris seems to be full of promises and definitely seems to be the operating system of the future. In fact, it is probably the only Unix operating system which still contains the original Unix code when Unix was first developed in the 1970s. That may explain why it’s stability is so rock solid.

And I learned that it’s almost as free and open source like the GPL or BSD license! A majority of the codebase has been open-sourced by Sun Microsystems.

Solaris’ source code (with a few exceptions) has been released under the Common Development and Distribution License (CDDL) via the OpenSolaris project. The CDDL is an OSI-approved license. It is considered by the Free Software Foundation to be free but incompatible with the GPL.

As I searched and read more articles and reviews about the Solaris 10 operating systems, 3 strong points stood out in almost all of the articles and reviews. They are ZFS, DTrace and Containers.

(A.) ZFS

The first is ZFS (Zettabyte File System) which is a 128-bit file system, so it can store 18 billion billion (18 x billion x billion) times more data than current 64-bit systems! Quoting from the OpenSolaris project, ZFS is a new kind of file system that provides simple administration, transactional semantics, end-to-end data integrity, and immerse scalability.

ZFS has an inbuilt Volume Manager and ZFS file systems are built on top of virtual storage pools called zpools. Zpools may be configured in different ways such as RAID-0, RAID-1, RAID-Z or RAID-Z2 using cheap disks. Because cheap disks can fail, so ZFS provides disk scrubbing which is to read all data to detect latent errors while they are still correctable.

In a sentence, ZFS is a totally different rewrite of existing file systems and is actually supposed to be very simple and fun to use.

I believe that ZFS will be the predominate file system to be deployed in data centers all over the world in the not to distance future!

To sum it up, check out the cool and amusing video below:

http://video.google.com.au/videoplay?docid=8100808442979626078

(B.) DTrace

The second convincing point of Solaris 10 is it’s DTrace utility. It is a comprehensive dynamic tracing framework for Solaris. It is built into Solaris so that it can be used by admins and developers to examine the behavior of user programs and operating system itself. Quoting from the dtrace blog at blogs.sun.com/dtrace/entry/what_is_dtrace…

DTrace dynamically modifies the Operating System kernel itself and user processes. It records the data at locations of interest called probes. DTrace uses the D scripting language (a subset of the C language), designed specifically for dynamic tracing. Users write scripts in D which tell DTrace, what functions are to be traced, what is to be done and what information is required. So if there is an mis-configured application out there in your system to which you are finding hard to debug and trace, then DTrace should do it for you.

Since it is dynamic, when Dtrace is in use or in action, only those modules that are needed by a particular command are loaded and used. This will greatly improve performance since lesser resources are required or accessed.

And according to it’s documentation, DTrace is completely safe to use. It will never you to damage the system through it’s use. But I have to admit that I have never used DTrace extensively and only time and experience will tell us if DTrace is indeed suppose to be a sysadmin’s best friend!

However, although DTrace is supposed to be the most powerful tracing and debugging utility in the world, using it can prove to be very challenging.

Since it both a tool and a scripting language, learning to use it effectively can be quite tough. But there are some graphical based programs utilizing DTrace appearing in the market which should make DTrace more easier to use. One of them is “Chime”, which can be downloaded from:

http://www.opensolaris.org/os/project/dtrace-chime/

(C.) Containers

The third notable point of Solaris 10 is Zones or Containers. If you have used FreeBSD jails, then Solaris Containers are going to be familiar. They are based on the same basic concept. Each Container is like a virtual OS, complete with IP address, separate configuration and even a separate package manager.

This may seem similar to VMware or Xen but it isn’t. The difference is that all the Zones/Containers/Jails share the same kernel. Using Zones, we can use just one server allocating different applications to different groups. Administrators can configure CPU, memory, network bandwidth as they wish to each secured container. The end result is better utilization of expensive hardware and fewer physical systems to house and power.

Moving forward, the first step of installation software is to check if it meets the hardware requirements. You can visit the URL below to check to make sure if your hardware is supported:

http://www.sun.com/bigadmin/hcl/

From my experience with Linux and FreeBSD based operating systems, even, if your hardware is not yet supported on OS platforms, there is always a way or a hack to make your hardware devices work. So you don’t really have to worry if your hardware is not yet supported. Since I will probably be using Solaris on a server platform, I did not have to worry about devices such as sound cards or graphical cards being not supported yet!

The next big step is the actual installation of Solaris 10 itself. Just follow either of the 2 excellent guides below and your Solaris box will be up and running within 2 hours!

http://www.blastwave.org/docs/s10u3_howto.html

http://www.sun.com/software/solaris/howtoguides/installationhowto.jsp#1

The following are the basic questions you will be asked in order to setup a fully functional Solaris networked box:

(1.) Your IP address, subnet mask and default gateway

(2.) Your hostname for this Solaris box

(3.) Your time zone

(4.) The Root password of this box (keep it simple for the 1st time. You can later change it later!). There is nothing worse than forgetting the root user’s password after the complete installation!!!

(5.) Selecting and enabling the network services.

(6.) The rest of the installation are just a matter of selections with either a “Yes” or “No”!

(7.) Selecting the primary boot disk and allocate the partitions for Solaris. You may just want to accept the defaults here if you are confused.

(8.) The last step of the installation will ask you to “reboot”. Remember to remove your Solaris CD from your cd-rom before rebooting!

Note: The images below are the actual snapshots from http://www.blastwave.org

One image has also been used from wikepedia.

In fact, I have never seen or read an OS installation guide as detailed and informative like the one created by the folks at www.blastwave.org! Thanks a lot blastwave.org and great work folks.

They should also be given an applause for creating a “Debian like apt-get” package management tool with “pkg-get” for Solaris.

After the installation is complete, your will see a very nice and beautiful screen like the one below:

Solaris Login Screen (image from blastwave.org)

Wow that’s cool! Who would have thought that Solaris installation is this easy! I am quite surprised. So Ubuntu should watch out!

The next step is to create a normal user/group account. In the Linux/Unix world, it’s often considered a bad thing to login as root either remotely or locally! It will also compromise the security of your system!

Select “Command Line Login” from the “Options” menu of your Login Screen.

We will create a User called “admin” and a group called “wheel”. Then we will add user “admin” to the “wheel” group.

Run the following command on the root’s console:

# groupadd wheel

# useradd -c “admin” -d /export/home/admin -g wheel -m -s /bin/bash admin

# passwd admin

Exit from the command line shell and use your newly created Username and Password to login.

You will then be prompted to select a default Desktop Window Manager. Just select Select “Java Desktop System Release 3″ because it’s much more flexible and is in fact Solaris’s version of the Gnome Desktop!

Solaris Desktop (image from blastwave.org)
That’s great graphics which I did not expected from Solaris! Below are 2 more snapshots of the Sun Java Desktop running Gnome.

Screenshot 1 of Sun Java Desktop running Gnome (blastwave.org)

Screenshot 2 of Sun Java Desktop running Gnome (wikipedia.org)

Next we will setup our DNS servers for our Solaris box and connect our new Solaris box to the rest of our network and to the internet.

(1.) Edit the file /etc/inet/resolv.conf

vi /etc/inet/resolv.conf

(2.) Type in your name servers to make /etc/inet/resolv.conf look something like the following:

search example.com

nameserver 192.168.1.1

nameserver IP.OF.ISP.DNS_SERVER

Of course, you need to change the above to reflect to your own name server!

(3.) Create a symbolic link of /etc/inet/resolv.conf to /etc/resolv.conf

ln -s /etc/inet/resolv.conf /etc/resolv.conf

(4.) Edit /etc/nsswitch.conf to use your DNS settings for name resolving.

vi /etc/nsswitch.conf

Add the following “dns” entry to /etc/nsswitch.conf to look something like:

hosts files dns

(5.) Verify your default router in /etc/defaultrouter and make sure that your gateway is listed in that file!

cat /etc/defaultrouter

(6.) Verify the hostname and IP address for your new Solaris machine.

cat /etc/hosts

cat /etc/ipnodes

Next time, if you have to change your machine’s hostname or IP address, then these are the files where you have to look into.

(6.) Open a shell prompt and verify that you can ping other hosts on the Internet such as yahoo.com or google.com. Or just fire your web browser and make sure that you can access websites!

# ping www.yahoo.com
www.yahoo.com is alive
# ping -s www.yahoo.com
PING www.yahoo.com: 56 data bytes
64 bytes from f1.www.vip.sp1.yahoo.com (209.131.36.158): icmp_seq=0. time=604. ms
64 bytes from f1.www.vip.sp1.yahoo.com (209.131.36.158): icmp_seq=1. time=1.05e+03 ms
64 bytes from f1.www.vip.sp1.yahoo.com (209.131.36.158): icmp_seq=2. time=602. ms
64 bytes from f1.www.vip.sp1.yahoo.com (209.131.36.158): icmp_seq=3. time=684. ms
64 bytes from f1.www.vip.sp1.yahoo.com (209.131.36.158): icmp_seq=4. time=605. ms

The high latency of the above ping results is due to my satellite based link!!

Well that’s it! You have your Solaris box up and connected to the internet. Because I am new to Solaris myself, I still have a lot of reading, experimenting, hacking to do!!

Below are the summary of some of the commands which you might find useful:

(1.) uname -aX

This command will display the current name of your system, architecture, Solaris version and various other information.

(2.) prtconf -v

This command will provide all the PCI hardware details residing on your Solaris box.

(3.) prstat

This is similar to Linux or FreeBSD “top” utility and provides current live processes running on your Solaris box.

(5.) psrinfo -v

This command will display the CPU information of your Solaris box

(5.) prtconf | grep Memory

This command will provide the current physical memory (RAM) on your Solaris box.

(6.) ifconfig -a

Displays your current IP address, netmask, broadcast, name and status of your network card.

Please note that I am just covering a small fish in an ocean full of Solaris!
We will dive into more complex topics like the IPFilter firewall, the next generation ZFS file system and the most powerful debugging tool called DTrace in the future.

Till then, enjoy your new Sun Java Desktop and visit the following sites for much more information on Solaris:

(1.) Bigadmin

(2.) The Blog of Ben Rockwood

(3.) Blastwave.org

(4.) Sunfreeware.com

(5.) OpenSolaris.org

(6.) http://blogs.sun.com/jonathan/

These sites are all you need to stay up to date with the latest news and technology related to the Solaris operating system. Take out some of your free time and make a point in reading the materials found on these sites. They will make you very familiar and conversant to the Solaris operating system.

The last blog is from SUN’s CEO (Jonathan Schwartz) himself!

My first days with Solaris has really been enriching and an enchanting experience. It gave me the “Deva Vu” feeling, reminding me of the good old times when I first started using Linux way back in the year 2000! I hope that your Encounter with Solaris 10 will also be the same as mine!

Managing your Linux/Unix log files using logrotate

teklimbu — Tue, 16 Oct 2007 09:31:42 +0000

This How-To details the steps required to manage and rotate your server’s log files. A simple truth about Linux/Unix logs are that they are everywhere. Your kernel, program daemons, firewalls, etc, generate their respective log files. In fact, there are so many log files of various levels that sometimes, it can be a nightmare to maintain them. Hence, this guide is a simple step towards maintaining those log files to keep your system in check and in good health.

Log files are one of the most important files where almost all precious and sometimes unnecessary information are stored in regard to your server’s running state. For example, if your system’s security has been breached or compromised, it’s these log files which will come to your rescue to help you identity where or what went wrong.

In case if you don’t know, your Linux/Unix server is currently logging kernel and security logs in the file called /var/log/messages. Just do a simple ” tail -f /var/log/messages ” to get feel and see the actual current logs generated by various daemons running on your system.

Now if your server also has a Apache Web server or a Squid Proxy server running and you want to manage their respective logs in your own fashion, then the following information might help you out.

First of all, you will need the program called “logrotate”. Logrotate is very useful utility which can rotate log files and archive them in a location that you specify. We will be using “logrotate” in conjunction with “cron“.

In Linux/Unix, cron is a time-based scheduling service in Unix-like computer operating systems. It is available on almost all versions of Linux and Unix.

Having said that, logrotate should be installed in your Linux/Unix distribution but if is not, simply use your system package management system to install it.

For example, for Debian based system, all you need to do to install logrotate is:

apt-get install logrotate

For this guide, we will be rotating and managing the log files generated by Apache and Squid on a FreeBSD-6.x and a Linux Debian-4.1 box. However, it should be also work on other Linux distributions like RedHat, Slackware or SuSE since the fundamentals are the same of all Linux based distributions.

I also assume that your Apache logs are kept in /var/log/apache and your Squid logs are kept in /var/log/squid.

On a FreeBSD-6.x box:

(1.) Make and Install from ports:

cd /usr/ports/sysutils/logrotate

(2.) Configure and Compile

make install clean

If all goes well, we are done and logrotate is installed.

(3.) Create a new logrotate.conf file.

vi /usr/local/etc/logrotate.conf

# Added the following to rotate Apache and Squid logs

# see “man logrotate” for details
# rotate log files weekly
#weekly
daily

# keep 4 weeks worth of backlogs
rotate 7

# send errors to root
#errors root

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
compress

# RPM packages drop log rotation information into this directory
include /usr/local/etc/logrotate.d

/var/log/lastlog {
monthly
rotate 12
}

# system-specific logs may be configured here

(4.) Create a directory for specific logrotate files

mkdir -p /usr/local/etc/logrotate.d

(5.) First, create a logrotate file for Squid to rotate it’s access.log files for 90 days and cache.log for 7 days.

cd /usr/local/etc/logrotate.d/

vi /usr/local/etc/logrotate.d/squid

#Copy and paste the following

/var/log/squid/access.log {
daily
rotate 90
copytruncate
compress
notifempty
missingok
}
/var/log/squid/cache.log {
daily
rotate 7
copytruncate
compress
notifempty
missingok
}

(6.) Create the necessary directories and files for logrotate and test and debug logrotate

mkdir /var/lib/

touch /var/lib/logrotate.status

/usr/local/sbin/logrotate -d /usr/local/etc/logrotate.conf
/usr/local/sbin/logrotate -f /usr/local/etc/logrotate.conf

(7.) Next, we will rotate and manage Apache logs

vi /usr/local/etc/logrotate.d/apache

#Add the following to rotate and manage Apache access_log and error_log for 30 days.

#Note: If your Apache logs may be in a different directory, simply change the directory.

/var/log/apache/access_log {
daily
rotate 30
copytruncate
compress
notifempty
missingok
}
/var/log/apache/error_log {
daily
rotate 30
copytruncate
compress
notifempty
missingok
}

If all goes well, that’s it. Your Apache and Squid logs should be rotated.

The last thing is to add an entry into crontab and letting the cron daemon rotate your Apache and Squid logs automatically.

(8.) Automating logrotate using crontab

vi /etc/crontab

#Add the following to rotate your logs at 1 AM in the morning

#Logrotate
0 1 * * * root /usr/local/sbin/logrotate /usr/local/etc/logrotate.conf > /dev/null 2>&1

That’s it. Your Apache and Squid logs will be rotating without manual intervention!!

Using logrotate on a Debian-4.1 box

(1.) Install the logrotate program

apt-get install logrotate

(2.) Create the necessary directories and files

mkdir -p /var/lib/logrotate/

touch /var/lib/logrotate/status

mkdir -p /etc/logrotate.d/

(3.) Create a new logrotate.conf

vi /etc/logrotate.conf

#Copy and paste the following

# see “man logrotate” for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp — we’ll rotate them here
/var/log/wtmp {
missingok
monthly
create 0664 root utmp
rotate 1
}

/var/log/btmp {
missingok
monthly
create 0664 root utmp
rotate 1
}

# system-specific logs may be configured here
(4.) Create the squid logrotate file to rotate and manage access.log for 90 days and cache.log for 7 days.

vi /etc/logrotate.d/squid

#Copy and paste the following

/var/log/squid/access.log {
daily
rotate 90
copytruncate
compress
notifempty
missingok
}
/var/log/squid/cache.log {
daily
rotate 7
copytruncate
compress
notifempty
missingok
}

(5.) Create the Apache logrotate file to rotate and manage access_log for 30 days and error_log for 30days.

vi /etc/logrotate.d/apache

#Copy and paste the following. Note: your apache log’s directory might be different. Simply change the path of your directory.

/var/log/apache/access_log {
daily
rotate 30
copytruncate
compress
notifempty
missingok
}
/var/log/apache/error_log {
daily
rotate 30
copytruncate
compress
notifempty
missingok
}
(6.) Test and debug your logrotate configuration for any errors

/usr/sbin/logrotate -d /etc/logrotate.conf

/usr/sbin/logrotate -f /etc/logrotate.conf

If all goes well, you are good to go.

(7.) Now all that is left is to automate the logrotate process from crontab

vi /etc/crontab

#Copy and paste the following

#Logrotate at 1 AM in the morning

0 01 * * * root /usr/sbin/logrotate /etc/logrotate.conf > /dev/null 2>&1

That’s it! The cron daemon will automatically rotate your Apache and Squid logs at 1 AM on a daily basis.

Happy Log rotating !!!

Running A Transparent Linux Squid Bridge / Turn your Linux box into a Cisco like Catalyst switch

teklimbu — Thu, 11 Oct 2007 09:38:17 +0000

This How-To guides you to run your Linux box with Squid in a transparent bridge mode.

Let us face some facts. Not everybody, especially a small office network or a small home network can afford a Cisco catalyst switch. To replicate the features of a sophisticated switch like a Cisco catalyst switch, we can setup a Linux box with more than 2 network interfaces to run in bridging mode. Or more simply, a Linux bridged box having switching capabilities.

A bridge is a way to connect two Ethernet segments together in a protocol independent way. Packets are forwarded based on Ethernet address, rather than IP address (like a router). Since forwarding is done at Layer 2, all protocols can go transparently through a bridge.

You can think of a bridge like a network switch. We will be using this Linux Transparent Squid Bridge like a switch according to the network diagram below:

Internet (5)

↑↓

Router (4)

↑↓

Linux Bridge (3)

↑↓

Physical Switch (2)

↑↓

LAN Network (1)

Reasons for running a Linux bridge are:

(A.) The job of the bridge is to examine the destination of the data packets one at a time and decide whether or not to pass the packets to the other side of the Ethernet segment. The result is a faster, quieter network with less collisions.

(B.) You can overcome hardware incompatibilities with a bridge, without leaving the address-range of your IP-net or subnet. E.g. it’s possible to bridge between different physical media like 10 Base T and 100 Base TX.

(C.) You don’t need to change your existing network layout. You just plug in the bridge and you start working. If for some reasons, your Linux bridge box should go down, reconnect the cables from your switch (2) to your router (4), and nobody will even notice that something was not working!


Features of a Linux Bridge box:

STP: The Spanning Tree Protocol is a nifty method of keeping Ethernet devices connected in multiple paths working. The participating switches negotiate the shortest available path by STP.
Multiple Bridge Instances: Multiple bridge instances allow you to have more than one bridge on your box up and running, and to control each instance separately.
Fire-walling

Because we are running a Linux box with a kernel 2.4.x or 2.6.x, we can also apply some IPTABLES firewall rules.

What do I need to run such a Linux Bridge?

You just need a Linux OS with a kernel greater than 2.4. I prefer the 2.6 kernel. The minimum number of network interfaces in your Linux box should at least be 2. This guide assumes that the Linux box has 2 network interfaces, i.e., eth0 and eth1.

However, you may use any number of network interfaces supported on by the hardware of your Linux box.

You then need the “bridge-utils” package. The 2nd tool needed is “ebtables”.

You can use either the binaries installed by your OS distribution or simply download them from the internet.

On a Debian box , it’s as simple as: apt-get install bridge-utils ebtables

The Bridge-Utils package contains the main tools required to setup and configure a Linux bridge. Among the tools provided by bridge-utils, brctl will primarily be used to construct the bridge.

The ebtables program is a filtering tool for a bridging firewall. The filtering is focussed on the Link Layer Ethernet frame fields. It also gives us the ability to alter the Ethernet MAC addresses.

Now that you have a 2.4/2.6 Linux kernel box and you have somehow managed to install the bridge-utils and ebtables packages, we can move on to the next topic of configuring the bridge and running a transparent squid on it.

Installing and configuring Squid

(1.) Create the user squid and group squid

groupadd squid

useradd -g squid squid

(2.) Download the latest version of squid in /usr/local/src

cd /usr/local/src
wget http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE18.tar.gz

(3.) Unzip it’s contents

tar zxvf squid-2.6.STABLE18.tar.gz

(4.) Configure squid with the following parameters

cd squid-2.6.STABLE18

./configure –bindir=/usr/local/sbin \

–sysconfdir=/usr/local/etc/squid \
–datadir=/usr/local/etc/squid \
–libexecdir=/usr/local/libexec/squid \
–localstatedir=/usr/local/squid \
–enable-removal-policies=heap,lru \
–enable-storeio=diskd,aufs,coss,ufs,null \
–enable-time-hack \
–enable-snmp \
–with-large-files \
–enable-large-cache-files \
–prefix=/usr/local \
–disable-ident-lookups \
–enable-cache-digests \
–enable-underscores \
–enable-kill-parent-hack \
–enable-follow-x-forwarded-for

(5.) If all goes well, run

make all
make install

That’s it. Squid should now be installed. It’s time to do some Squid configurations.

Note: If you encounter problems in configuring or compilation, 99% of them can be solved. The errors are either related to missing compilers, packages or dependencies.

(6.) Create a new Cache directory for Squid

mkdir -p /usr/local/squid/cache

(7.) Create a new /usr/local/etc/squid/squid.conf

cd /usr/local/etc/squid

mv /usr/local/etc/squid/squid.conf /usr/local/etc/squid/squid.conf.default.config

vi /usr/local/etc/squid/squid.conf

##Copy and paste following working configuration
########### Start of squid.conf ##############
cache_effective_user squid
cache_effective_user squid

http_port 3128 transparent

cache_dir ufs /usr/local/squid/cache 2000 16 256

cache_access_log /usr/local/squid/logs/access.log
cache_log /usr/local/squid/logs/cache.log
cache_store_log none

emulate_httpd_log on

cache_mem 16 MB

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

hosts_file /etc/hosts

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 40% 4320

acl all src 0.0.0.0/0.0.0.0

##Define your network below

acl mynetwork src 192.168.0.0/24
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https

acl Safe_ports port 1025-65535 #unregistered ports

acl SSL_ports port 443 563

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access allow mynetwork
http_access deny all
http_reply_access allow all
icp_access allow mynetwork

icp_access deny all

visible_hostname proxybridge.hostname.com

coredump_dir /usr/local/squid

######## End of squid.conf ##########

(8.) Change the permissions of squid logs and cache_dir

chown -R squid:squid /usr/local/squid/

chown -R squid:squid /usr/local/etc/squid/

(9.) Initialize Squid’s cache and run Squid in daemon mode

/usr/local/sbin/squid -z

/usr/local/sbin/squid -D

Check for any errors. If there are none, put the proxy server manually in your web browser and try browsing websites!

Next, we will setup a bridge using the tools provided by the package “bridge_utils”

As stated above, 1 of the most important tools installed by the bridge-utils package is brctl command.

We will be using the brctl command for creating a logical bridge instance with the name br0. You will need at least 1 bridge instance for bridging to work.

(1.) Creating the logical bridge instance called br0.

#Add bridge instance called br0

brctl addbr br0

#Show your bridge status
brctl show

#Show MAC addresses on your bridge

brctl showmacs br0
(2.) Add your network interfaces to the bridge.

brctl addif br0 eth0

brctl addif br0 eth1

(3.) Zero in your IP network interfaces to 0.0.0.0 and bring it up.
ifconfig eth0 0.0.0.0 promisc up

ifconfig eth1 0.0.0.0 promisc up

(4.) Bring up the bridge. Since we also want to administer this bridge box, we point an IP address to the br0 interface.

ifconfig br0 192.168.100.9 netmask 255.255.255.0 up

(5.) Give your bridge interface br0 a default gateway so that you can access it via SSH, etc.

route add default gw 192.168.100.1 dev br0

That’s it. You have a simple yet a very effective Linux bridge box!

The final remaining part is to redirect the web requests from your network to your bridged box running Squid transparently.

(1.) To redirect web traffic from your LAN to your Bridge box transparently, run the following script called rc.bridge.

#####Start of rc.bridge script ######

#!/bin/sh

###Date: 12-Oct-2007

###tekbdrlimbu@hotmail.com####

/sbin/ebtables -t broute -A BROUTING -p IPv4 –ip-protocol 6 \
–ip-destination-port 80 -j redirect –redirect-target ACCEPT
/sbin/iptables -t nat -A PREROUTING -i br0 -p tcp –dport 80 \
-j REDIRECT –to-port 3128
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j REDIRECT –to-ports 3128
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp –dport 80 -j REDIRECT –to-ports 3128
/sbin/iptables -t nat -A PREROUTING -i br0 -p tcp –dport 80 -j REDIRECT –to-ports 3128

######### End of rc.bridge script #####

Run this script and restart Squid. You will have a working Squid transproxy running in a Linux bridged box!!!

We will cover more advanced topics like Spanning Tree Protocol (STP) , MAC and ARP filtering , etc, in the coming days ahead.

Happy bridging!!!

Configuring WCCP2 on a Cisco 3620/7206 router with Squid-2.6.18 running on FreeBSD-6.x

teklimbu — Wed, 10 Oct 2007 07:21:04 +0000

This How-To details the steps required to configure WCCP version 2 with a Cisco 3620 or 7206 router together with Squid-2.6.STABLE18 running on FreeBSD-6.2.

Cisco’s WCCP (Web Cache Control Protocol) version 2 is used for sending web requests from clients to 1 or more Squid proxy servers. WCCP feature allows us to redirect Web traffic to our proxy servers which in turn provides Web caching, filtering, or other services, thus reducing transmission costs and downloading time.

With WCCP, we can build a “cache cluster” for load balancing, scaling, and fault tolerance.

For example, in the case of 2 proxy severs, if 1 proxy server goes down, WCCP redirects clients requests to the 2nd working proxy server.

In the rare circumstance where both or all of your proxy servers should go down, WCCP will determine the dead proxy servers and will route clients web requests directly from your cisco router.

Note: Only Cisco IOS Release 12.1 and later releases allow the use of either Version 1 (WCCPv1) or Version 2 (WCCPv2) of the WCCP.

How WCCP and transparent intercepting Squid caches work?

A Client’s Web browser makes a request, which goes to the cisco router.
The router intercepts the request.
The router redirects the request to a new location inside a generic routing encapsulation (GRE) frame to prevent any modifications to the original packet.
A (GRE) tunnel is established between our FreeBSD squid boxes and the cisco 3620/7206 router.
All redirected requests from the router are encapsulated down the GRE tunnel to our FreeBSD Squid caches.
The FreeBSD Squid boxes decapsulates the GRE traffic and redirects the WCCP packets onto Squid.
This redirection is achieved transparently using FreeBSD IP forwarding and IPFW firewall.
Squid pulls apart the request, then attempts to deliver the content either from the local cache or via direct request from target.
The content is then delivered back to the router for delivery to the originator (ie. client’s browser).

Now to connect all the pieces of information regarding WCCP, the following steps are required:

(1.) Configure and compile your kernel

cd /usr/src/sys/i386/conf/

cp GENERIC SQUID_WCCP

vi SQUID_WCCP

(2.) Copy and paste the following kernel parameters

machine i386
cpu I686_CPU
ident SQUID_WCCP

options SCHED_4BSD # 4BSD scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options MD_ROOT # MD is a potential root device
options NFSCLIENT # Network Filesystem Client
options NFSSERVER # Network Filesystem Server
options NFS_ROOT # NFS usable as /, requires NFSCLIENT
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_GPT # GUID Partition Tables.
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time #extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.

device apic # I/O APIC
device eisa
device pci
device fdc
device ata
device atadisk # ATA disk drives
device ataraid # ATA RAID drives
device atapicd # ATAPI CDROM drives
device atapifd # ATAPI floppy drives
device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
device ahb # EISA AHA1742 family
device ahc # AHA2940 and onboard AIC7xxx devices
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
device ahd # AHA39320/29320 and onboard AIC79xx devices
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
device amd # AMD 53C974 (Tekram DC-390(T))
device isp # Qlogic family
device mpt # LSI-Logic MPT-Fusion
device sym # NCR/Symbios Logic (newer chipsets + those of `ncr’)
device trm # Tekram DC395U/UW/F DC315U adapters
device adv # Advansys SCSI adapters
device adw # Advansys wide SCSI adapters
device aha # Adaptec 154x SCSI adapters
device aic # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
device bt # Buslogic/Mylex MultiMaster SCSI adapters
device ncv # NCR 53C500
device nsp # Workbit Ninja SCSI-3
device stg # TMC 18C30/18C50
device scbus # SCSI bus (required for SCSI)
device ch # SCSI media changers
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
device cd # CD
device pass # Passthrough device (direct SCSI access)
device ses # SCSI Environmental Services (and SAF-TE)
device amr # AMI MegaRAID
device arcmsr # Areca SATA II RAID
device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
device ciss # Compaq Smart RAID 5*
device dpt # DPT Smartcache III, IV – See NOTES for options
device hptmv # Highpoint RocketRAID 182x
device rr232x # Highpoint RocketRAID 232x
device iir # Intel Integrated RAID
device ips # IBM (Adaptec) ServeRAID
device mly # Mylex AcceleRAID/eXtremeRAID
device twa # 3ware 9000 series PATA/SATA RAID
device aac # Adaptec FSA RAID
device aacp # SCSI passthrough for aac (requires CAM)
device ida # Compaq Smart RAID
device mfi # LSI MegaRAID SAS
device mlx # Mylex DAC960 family
device pst # Promise Supertrak SX6000
device twe # 3ware ATA RAID
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
device splash # Splash screen and screen saver support
device sc
device agp # support several AGP chipsets
device pmtimer
device cbb # cardbus (yenta) bridge
device pccard # PC Card (16-bit) bus
device cardbus # CardBus (32-bit) bus
device sio # 8250, 16[45]50 based serial ports
device ppc
device ppbus # Parallel port bus (required)
device lpt # Printer
device plip # TCP/IP over parallel
device ppi # Parallel port interface device
device de # DEC/Intel DC21×4x (“Tulip”)
device em # Intel PRO/1000 adapter Gigabit Ethernet Card
device ixgb # Intel PRO/10GbE Ethernet Card
device txp # 3Com 3cR990 (“Typhoon”)
device vx # 3Com 3c590, 3c595 (“Vortex”)
device miibus # MII bus support
device bce # Broadcom BCM5706/BCM5708 Gigabit Ethernet
device bfe # Broadcom BCM440x 10/100 Ethernet
device bge # Broadcom BCM570xx Gigabit Ethernet
device dc # DEC/Intel 21143 and various workalikes
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device lge # Level 1 LXT1001 gigabit Ethernet
device nge # NatSemi DP83820 gigabit Ethernet
device nve # nVidia nForce MCP on-board Ethernet Networking
device pcn # AMD Am79C97x PCI 10/100(precedence over ‘lnc’)
device re # RealTek 8139C+/8169/8169S/8110S
device rl # RealTek 8129/8139
device sf # Adaptec AIC-6915 (“Starfire”)
device sis # Silicon Integrated Systems SiS 900/SiS 7016
device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet
device ste # Sundance ST201 (D-Link DFE-550TX)
device stge # Sundance/Tamarack TC9021 gigabit Ethernet
device ti # Alteon Networks Tigon I/II gigabit Ethernet
device tl # Texas Instruments ThunderLAN
device tx # SMC EtherPower II (83c170 “EPIC”)
device vge # VIA VT612x gigabit Ethernet
device vr # VIA Rhine, Rhine II
device wb # Winbond W89C840F
device xl # 3Com 3c90x (“Boomerang”, “Cyclone”)
device cs # Crystal Semiconductor CS89×0 NIC
device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards
device ex # Intel EtherExpress Pro/10 and Pro/10+
device ep # Etherlink III based cards
device fe # Fujitsu MB8696x based cards
device ie # EtherExpress 8/16, 3C507, StarLAN 10 etc.
device lnc # NE2100, NE32-VL Lance Ethernet cards
device sn # SMC’s 9000 series of Ethernet chips
device xe # Xircom pccard Ethernet
device wlan # 802.11 support
device wlan_wep # 802.11 WEP support
device wlan_ccmp # 802.11 CCMP support
device wlan_tkip # 802.11 TKIP support
device an # Aironet 4500/4800 802.11 wireless NICs.
device ath # Atheros pci/cardbus NIC’s
device ath_hal # Atheros HAL (Hardware Access Layer)
device ath_rate_sample # SampleRate tx rate control for ath
device awi # BayStack 660 and others
device ral # Ralink Technology RT2500 wireless NICs.
device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device sl # Kernel SLIP
device ppp # Kernel PPP
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
device md # Memory “disks”
device gif # IPv6 and IPv4 tunneling
device faith # IPv6-to-IPv4 relaying (translation)
device bpf # Berkeley packet filter
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device usb # USB Bus (required)
device ugen # Generic
device uhid # “Human Interface Devices”
device ukbd # Keyboard
device ulpt # Printer
device umass # Disks/Mass storage – Requires scbus and da
device ums # Mouse
device ural # Ralink Technology RT2500USB wireless NICs
device urio # Diamond Rio 500 MP3 player
device uscanner # Scanners
device aue # ADMtek USB Ethernet
device axe # ASIX Electronics USB Ethernet
device cdce # Generic USB over Ethernet
device cue # CATC USB Ethernet
device kue # Kawasaki LSI USB Ethernet
device rue # RealTek RTL8150 USB Ethernet
device firewire # FireWire bus code
device sbp # SCSI over FireWire (Requires scbus and da)
device fwe # Ethernet over FireWire (non-standard!)

#Enable IPFW in Kernel to DROP packets by default rule

options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_FORWARD #enable transparent proxy support
options IPFIREWALL_VERBOSE_LIMIT=500 #limit verbosity
options IPSTEALTH #support for stealth forwarding
options DUMMYNET
options NETGRAPH

options DEVICE_POLLING
options HZ=1000

options SHMSEG=128
options SHMMNI=256
options SHMMAX=50331648 # max shared memory segment size (bytes)
options SHMALL=16384 # max amount of shared memory (pages)
options MSGMNB=16384 # max # of bytes in a queue
options MSGMNI=48 # number of message queue identifiers
options MSGSEG=768 # number of message segments
options MSGSSZ=64 # size of a message segment
options MSGTQL=4096 # max messages in system

(3.) Configure and compile your new kernel

(a.) config SQUID_WCCP

(b.) cd ../compile/SQUID_WCCP/

(c.) make cleandepend

(d.) make depend

(e.) make

(f.) make install

(g.) reboot

If all goes well, your kernel has been compiled!!!. Reboot with your new kernel.

(4.) Create the GRE tunnel on your FreeBSD-6.x box

ifconfig gre0 create
ifconfig gre0 IP.OF.SQUID.BOX 10.20.30.40 netmask 255.255.255.255 link2 tunnel IP.OF.SQUID.BOX IP.OF.CISCO.ROUTER up

(3.) Configuring WCCP on your squid box. Add the following in your squid.conf

wccp2_router IP.OF.CISCO.ROUTER
#wccp2_router LoopBack.IP.OF.CISCOROUTER

wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
(4.) Create the firewall rules to redirect web requests to Squid’s 3128 port via the GRE tunnel.

We will create the script called rc.firewall to save our IPFW rules. Use the script below:

#!/bin/sh

##### Start of rc.firewall script ######

##Change the network interfaces and IP addresses to match your network!

NET_IF=”em0″
IPFW=”/sbin/ipfw -q”

#IP of Proxy Server
IF_ADDR=”192.168.0.10″

NTP_SERVER=”192.168.0.55″

PROXY_NET=”192.168.0.0/27″

ALL_NET=”192.168.0.0/24″
CLIENT_NET=”192.168.0.128/25″
WIRELESS_NET=”172.16.0.128/25″
ADMIN_NET=”192.168.0.48/28″
SSH_PORT=”12345″

LOCALHOST=”127.0.0.1″

$IPFW -f flush

$IPFW add allow all from any to any via lo0

$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 via gre0 in

$IPFW add fwd 127.0.0.1,3128 ip from any to any via gre0 in
$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 in
$IPFW add fwd 127.0.0.1,3128 tcp from any to any http in via gre0

#$IPFW add permit ip from any to any
$IPFW add allow all from $IF_ADDR to any

#$IPFW add fwd 127.0.0.1,3128 ip from any to any via gre0 in
#$IPFW add fwd 127.0.0.1,3128 tcp from any to any http in via gre0
#$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 in
#$IPFW add permit ip from any to any

#Allow local DNS caching
$IPFW add allow udp from $ALL_NET to any 53

$IPFW add allow udp from any 53 to $IF_ADDR
$IPFW add allow tcp from any 53 to $IF_ADDR

$IPFW add allow all from any to any out via $NET_IF

#######For DNS
#Allow DNS Query
$IPFW add allow udp from $ALL_NET 53 to $IF_ADDR
$IPFW add allow udp from $WIRELESS_NET 53 to $IF_ADDR

#For Proxy access
#$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 in

$IPFW add allow tcp from $ALL_NET to any 3128 in via $NET_IF
$IPFW add allow tcp from $WIRELESS_NET to any 3128 in via $NET_IF

#####Allow Established session
$IPFW add allow tcp from any to any in via $NET_IF established

#$IPFW add allow tcp from any to $IF_ADDR 113

#For ICP Query
$IPFW add allow UDP from $PROXY_NET to $PROXY_NET 3130

$IPFW add allow udp from $NTP_SERVER 123 to $IF_ADDR

###Only needed for Experimental Multicast
#$IPFW add allow all from 224.9.9.1 to any
#$IPFW add allow all from any to 224.9.9.1
#$IPFW add allow all from me to 224.9.9.1

#######For SSH

$IPFW add allow tcp from $ADMIN_NET to $IF_ADDR $SSH_PORT

#for snmpwalk from Admin network
$IPFW add allow udp from $ADMIN_NET to me 3001
$IPFW add allow udp from $ADMIN_NET to me 161
$IPFW add allow udp from $ADMIN_NET to me 161
$IPFW add allow udp from $LOCALHOST to me 3001
$IPFW add allow udp from $LOCALHOST to me 161

###########
$IPFW add allow ICMP from $ALL_NET to any
$IPFW add allow ICMP from $WIRELESS_NET to any
#################################################

###Only if you want the world to send ICMP packets to your server!!

#ipfw add allow icmp from any to any icmptypes 8
#ipfw add allow icmp from any to any

$IPFW add allow all from $ADMIN_NET to me
$IPFW add allow all from me to $ADMIN_NET

$IPFW add 65533 deny log all from any to any

############# End of rc.firewall ###############

(5.) Configure WCCP on your Cisco router

Global Configuration

Router (config)#  ip wccp version 2

Router (config)#  ip wccp web-cache redirect-list 160

Access-List 160

permit ip 192.168.0.0 0.0.0.255 any

permit ip 172.16.0.0 0.0.0.255 any

Router (config)#   interface fastethernet 0/0
Router(config-if)# ip wccp web-cache redirect in

Router# write

END of Router WCCP confiruration.

(6.) Restart Squid and reload your firewall. If all goes well, you will have a working WCCP2 on your FreeBSD Box with Squid-2.6.STABLE18.

Happy Proxying with Squid + FreeBSD + Cisco WCCP !!!