Archive for the ‘ Linux ’ Category

Grub re-install

Problem

All I get is "grub" or a "grub>" prompt when I try and boot

Solution

You have to install GRUB on the MBR (Master Boot Record). To do this just follow this steps:

READ THIS FIRST !!

First you will need to know what Grub calls the hard disk drive partition that holds the required files.

A quick aside :- There are three ways of defining hard disk drives and their partitions. The first, that you’re most probably familiar with, is Windows/MS-DOS letters (such as C: or D: ).

The second is Linux’s method, which is to give the first device (hard disk drive or CD-ROM drive) on the first IDE (ribbon) cable the name /dev/hda, the second device (hard disk drive or CD-ROM drive) on the first cable is called /dev/hdb, the first device (hard disk drive or CD-ROM drive) on the second cable is called /dev/hdc and the second device on the second cable is called /dev/hdd .

So, you’ve got the names hda, hdb, hdc, and hdd for all of your four possible IDE/SCSI attached devices, although you probably only have a hard disk on hda and a CD ROM / DVD drive on hdb.

The hard disks are, probably, cut up into partitions that are numbered from one. So the first partition on the first hard disk attached to the first IDE cable will be called /dev/hda1, while the second will be called /dev/hda2 and, for further example, the fifth partition on the second hard disk on the second IDE cable would be called /dev/hdd5.

Get the idea?

Now to the third way of naming a hard disk and partition. Grub uses the letters “hd” followed by a number starting at zero to name the hard disks. To denote a particular partion a comma and a further number, again starting at zero is added. All of this is surrounded by brackets ().

So to Grub, the first hard disk drive attached to the first IDE/SCSI cable is called (hd0) , and to specify the first partition on that drive you would need to type (hd0,0)

(First of all, enter your BIOS setup and in BOOT Sequence window choose to boot with CDROM first.) Once the server is up in the live CD, you need to find out which is the correct partition containing the boot directory.

Issue the below command to find this.

grub> find /boot/grub/stage1

and you’ll get returned the hard disk name and partition that has that file (see above for how Grub names these). However, if you have a separate /boot partition, remove /boot from the above command.

grub> find /grub/stage1
(hd0,0)

You can see (hd0,0). The output of this command is the name of the hard disk and partition that holds the stage1 file.

So, when you tried this, you got (hd0,0) returned to you. This tells me that your /boot/ folder lives on the first partition on hard disk on the first IDE cable. If it had returned (hd0,1) instead, that would have shown you that the /boot/ folder lived on the second partition of the first hard disk on the first IDE cable.

Once we have found this out we need to give Grub this in the next commands.

The root command tells Grub where to base all of its file path searches from. We take the hard disk and partition, given by the find command and use it with the root command, like so :-

grub> root (hd0,0)

Next comes the kernel command. This tells Grub the name of the kernel (core part of Linux) that you want to load when, later, you do the boot command.

As there is no way that you can remember the full name of the kernel, you can use the tab key facility in Grub (the tab key is that one with two opposite facing horizontal arrows that sit above the Caps Lock key on most keyboards).

HOLD ON !!

Let me explain the root command with example. If I did nor give root hd0,0) and pressed tab after typing kernel, you can see no output fro grub. This happens as we have not specified to grub a base harddisk and partition where it can look for kernel files.

grub> find /grub/stage1
 (hd0,0)

grub> kernel /
Error 12: Invalid device requested

Now I am giving root (hd0,0) to grub. Now grub can suggest you options as grub now know where to look for possible files.

grub> root (hd0,0)
 Filesystem type is ext2fs, partition type 0x83

grub> kernel /
 Possible files are: grub symvers-2.6.9-100.ELsmp.gz boot symvers-2.6.9-89.35.1.ELsmp.gz vmlinuz-2.6.9-89.35.1.ELsmp initrd-2.6.9-100.ELsmp.img grub.OLD System.map-2.6
.9-023stab053.2-enterprise System.map-2.6.9-89.35.1.ELsmp initrd-2.6.9-89.35.1.ELsmp.img config-2.6.9-89.35.1.ELsmp System.map-2.6.9-100.ELsmp message config-2.6.9-100
.ELsmp initrd-2.6.9-023stab053.2-enterprise.img vmlinuz-2.6.9-100.ELsmp lost+found message.ja vmlinux-2.6.9-023stab053.2-enterprise vmlinuz-2.6.9-023stab053.2-enterpri
se

Thats enough for root stuff. Carry on below.

Load the kernel. If you dont know with which kernel the server was up, follow the steps below.

Mount the harddrive partition to get the /boot partition. If the /boot is separate partition, mount it, otherwise mount / partition. In the below example, its separate partition.

[root@vps9 grub]# fdisk  -l

Disk /dev/sda: 139.9 GB, 139978604544 bytes
255 heads, 63 sectors/track, 17018 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          65      522081   83  Linux
/dev/sda2              66         587     4192965   82  Linux swap
/dev/sda3             588        1109     4192965   82  Linux swap
/dev/sda4            1110       17018   127789042+   5  Extended
/dev/sda5            1110        1370     2096451   83  Linux
/dev/sda6            1371       17018   125692528+  83  Linux

How to confirm which is the /boot partition? Look for the * in the “Boot” coloumn in the fdisk output. Now mount it.

mkdir /oldboot
mount /dev/sda1 /oldboot
cat /oldboot/grub/grub.conf

Note the default loaded kernel grub lines. Eg :

title Virtuozzo (2.6.9-023stab053.2-enterprise)
        root (hd0,0)
        kernel /vmlinuz-2.6.9-023stab053.2-enterprise ro root=LABEL=/ console=ttyS0,57600 console=tty debug
        initrd /initrd-2.6.9-023stab053.2-enterprise.img

Go back to grub prompt and pass the kernel

grub> kernel /vmlinuz-2.6.9-023stab053.2-enterprise ro root=LABEL=/

NOTE:-

If with “root=LABEL=/” the kernel failed to boot, then get the / partition and supply it as root=/dev/sda5. You can check it by using e2label.

[root@vps9 grub]# e2label /dev/sda5
/

Now pass the initrd

grub> initrd /initrd-2.6.9-023stab053.2-enterprise.img

Boot the passed kernel

grub> boot

Linux will now boot.

Re-installing Grub from within Linux

Once the server is up, ssh into the server. From command prompt you will need to enter the grub-install command. This takes one parameter – the name of the hard disk whose master boot record (mbr) will be having grub installed on it.

[root@vps9 grub]# grub-install /dev/sda
Installation finished. No error reported.
This is the contents of the device map /boot/grub/device.map.
Check if this is correct or not. If any of the lines is incorrect,
fix it and re-run the script `grub-install'.

# this device map was generated by anaconda
(fd0)     /dev/fd0
(hd0)     /dev/sda

That will do.

 


If you’re still having boot problems

Grub errors messages

The complete list of error messages are at the end of this HowTo.

The two that I’ve bumped into are

Error 15
File note found.

Which normally means that you have mistyped the file name. Try using the tab key to help you fill in Grub commands.

Error 17
Unable to mount (use) the partition.

This may be that you have mistyped the number (remember, Grub counts from zero and not one), or that the partition that you pointed at does not have a valid file system.

Kernel panics If you get an error message, while booting, along these lines :-

 

Kernel panic: No init found. Try passing init= option to kernel

Your kernel needs something called an “initrd” and can’t find one. There are a number of reasons that this can happen.

-> You haven't put an initrd statement in your Grub.conf or while at the Grub prompt.

Easy one to fix, just make sure that you have the correct (and correctly spelt) initrd for Grub to pass to the kernel. Have a look at the “All I get is either a “grub>” prompt or just “grub” when I try and boot” section of this HowTo.

-> The "root=" parameter on the kernel statement does not point to the correct hard disk and partition.

The “root=” parameter on the kernel statement often says “root=LABEL=/”, which often works just fine, but sometimes you have to be more exact. I’ve only found this to be a problem when I’m using a separate /boot and root (/) partition, or when Mandrake is involved. So change the “LABEL=/” bit to the partition that contains your root (/) folder. If your root (/) partition is on /dev/hda6, for example, then make the root statement look like “root=/dev/hda6”.

-> The initrd file has become corrupted or been deleted.

You’ll need to get a Linux up using either a distribution/rescue CD or a rescue diskette. Then change the root to your hard disk drive by entering, from the shell command prompt, chroot /dev/hdxy . Where the “x” is the letter of the hard disk and the “y” is the number of the partition. So, if your normal /boot folder is on /dev/hda2 , then enter chroot /dev/hda2/

Then change directory to the /boot folder, move the old .img file out of the way – assuming it’s still there – by renaming it to *.img.old , and then create a new initrd by typing mkinitrd -v -f initrd-KERNEL-VERSION.img KERNEL-VERSION . Replace “KERNEL-VERSION” with the version of the kernel that you are trying to load. If you do a full listing of the /boot folder you’ll see the same numbers and letters in the full kernel file’s name (eg. for the kernel called “vmlinuz-2.4.22-10mdk” , you would want to create an initrd called “initrd-2.4.22-10mdk.img” and the kernel version would be “2.4.22-10mdk” ).

 

Footnote: – Search order at boot up time. Your PC will look for an operating system in a number of places, in an order set out in the BIOS. If you find that your PC refuses to look for an operating system in either your floppy diskette drive (if you are attempting to boot from a rescue diskette) or from your CD-ROM / DVD drive (if you are trying to boot from an installation CD / DVD), then you’ll need to enter your BIOS setup.

To enter the BIOS setup screens you will need to press either the Del key or the F2 key during the POST checks (which one is dependent on your PC). So, turn your PC on and while it is giving you all of those messages about how much RAM you have and what disks it knows about, press the relevant key for your PC. Keep pressing until you are presented with either a blue or grey BIOS screen.

Using a combination of the cursor arrow keys, the tab key and the enter key, navigate your way to the option to change the boot order.

On an AMIBIOS (grey) screen, you will need to move right to the Boot option, press Enter and then move down to the Boot Device Priority option and press Enter , then select the first device, press Enter and select from the list. When you’ve picked the correct boot device (Floppy or CDROM), press the Esc key to exit up the levels, then move across to Exit and select Exit saving changes .

On an Award BIOS (blue) screen, move down to the Advanced BIOS Features, press Enter, then move down to the First Boot Device, again press Enter and select from the list. Once done, press the Esc key to move back up levels and then across and down to the Save & Exit Setup option.
There are other BIOSs out there , but these are to only two that I have access to. Hopefully, though, you’ll have got the idea of what to do, from the above description. And you can always escape out of trouble by repeatedly pressing the Esc key.

 

Grub Error messages :-

1 : Filename must be either an absolute filename or blocklist This error is returned if a file name is requested which doesn’t fit the syntax/rules listed in the Filesystem.

2 : Bad file or directory type This error is returned if a file requested is not a regular file, but something like a symbolic link, directory, or FIFO.

3 : Bad or corrupt data while decompressing file This error is returned if the run-length decompression code gets an internal error. This is usually from a corrupt file.

4 : Bad or incompatible header in compressed file This error is returned if the file header for a supposedly compressed file is bad.

5 : Partition table invalid or corrupt This error is returned if the sanity checks on the integrity of the partition table fail. This is a bad sign.

6 : Mismatched or corrupt version of stage1/stage2 This error is returned if the install command points to incompatible or corrupt versions of the stage1 or stage2. It can’t detect corruption in general, but this is a sanity check on the version numbers, which should be correct.
7 : Loading below 1MB is not supported This error is returned if the lowest address in a kernel is below the 1MB boundary. The Linux zImage format is a special case and can be handled since it has a fixed loading address and maximum size.

8 : Kernel must be loaded before booting This error is returned if GRUB is told to execute the boot sequence without having a kernel to start.

9 : Unknown boot failure This error is returned if the boot attempt did not succeed for reasons which are unknown.

10 : Unsupported Multiboot features requested This error is returned when the Multiboot features word in the Multiboot header requires a feature that is not recognized. The point of this is that the kernel requires special handling which GRUB is probably unable to provide.

11 : Unrecognized device string This error is returned if a device string was expected, and the string encountered didn’t fit the syntax/rules listed in the Filesystem.
12 : Invalid device requested This error is returned if a device string is recognizable but does not fall under the other device errors.

13 : Invalid or unsupported executable format This error is returned if the kernel image being loaded is not recognized as Multiboot or one of the supported native formats (Linux zImage or bzImage, FreeBSD, or NetBSD).

14 : Filesystem compatibility error, cannot read whole file Some of the filesystem reading code in GRUB has limits on the length of the files it can read. This error is returned when the user runs into such a limit.

15 : File not found This error is returned if the specified file name cannot be found, but everything else (like the disk/partition info) is OK.

16 : Inconsistent filesystem structure This error is returned by the filesystem code to denote an internal error caused by the sanity checks of the filesystem structure on disk not matching what it expects. This is usually caused by a corrupt filesystem or bugs in the code handling it in GRUB.

17 : Cannot mount selected partition This error is returned if the partition requested exists, but the filesystem type cannot be recognized by GRUB.

18 : Selected cylinder exceeds maximum supported by BIOS This error is returned when a read is attempted at a linear block address beyond the end of the BIOS translated area. This generally happens if your disk is larger than the BIOS can handle (512MB for (E)IDE disks on older machines or larger than 8GB in general).

19 : Linux kernel must be loaded before initrd This error is returned if the initrd command is used before loading a Linux kernel.

20 : Multiboot kernel must be loaded before modules This error is returned if the module load command is used before loading a Multiboot kernel. It only makes sense in this case anyway, as GRUB has no idea how to communicate the presence of such modules to a non-Multiboot-aware kernel.

21 : Selected disk does not exist This error is returned if the device part of a device- or full file name refers to a disk or BIOS device that is not present or not recognized by the BIOS in the system.

22 : No such partition This error is returned if a partition is requested in the device part of a device- or full file name which isn’t on the selected disk.

23 : Error while parsing number This error is returned if GRUB was expecting to read a number and encountered bad data.

24 : Attempt to access block outside partition This error is returned if a linear block address is outside of the disk partition. This generally happens because of a corrupt filesystem on the disk or a bug in the code handling it in GRUB (it’s a great debugging tool).

25 : Disk read error This error is returned if there is a disk read error when trying to probe or read data from a particular disk.

26 : Too many symbolic links This error is returned if the link count is beyond the maximum (currently 5), possibly the symbolic links are looped.

27 : Unrecognized command This error is returned if an unrecognized command is entered on the command-line or in a boot sequence section of a configuration file and that entry is selected.

28 : Selected item cannot fit into memory This error is returned if a kernel, module, or raw file load command is either trying to load its data such that it won’t fit into memory or it is simply too big.

29 : Disk write error This error is returned if there is a disk write error when trying to write to a particular disk. This would generally only occur during an install of set active partition command.

30 : Invalid argument This error is returned if an argument specified to a command is invalid.

31 : File is not sector aligned This error may occur only when you access a ReiserFS partition by block-lists (e.g. the command `install’). In this case, you should mount the partition with the `-o notail’ option.

32 : Must be authenticated This error is returned if you try to run a locked entry. You should enter a correct password before running such an entry.

33 : Serial device not configured This error is returned if you try to change your terminal to a serial one before initializing any serial device.

34 : No spare sectors on the disk This error is returned if a disk doesn’t have enough spare space. This happens when you try to embed Stage 1.5 into the unused sectors after the MBR, but the first partition starts right after the MBR or they are used by EZ-BIOS.

Install and patch Nethog

Error:

———-

nethogs: cui.cpp:80: void Line::show(int, unsigned int): Assertion `m_pid <= 100000′ failed.
Aborted (core dumped)

———

Soln:

wget http://sourceforge.net/projects/nethogs/files/nethogs/0.8/nethogs-0.8.0.tar.gz/download?use_mirror=iweb
tar -xvzf nethogs-0.8.0.tar.gz
cd nethogs/
yum install libpcap libpcap-devel
http://sourceforge.net/p/nethogs/patches/_discuss/thread/f9045ed7/107d/attachment/nethogs-0.8.0-alt-pid32.patch
/usr/bin/patch -p1 < nethogs-0.8.0-alt-pid32.patch
make
make install

/usr/local/sbin/nethogs eth0

Df -h and du showing different result

We may come across the situation in which “du -sch” and “df -h” will show different result.

In our case, we can take the example of /var partition.

/dev/sda3             146G  144G     0 100% /var

But, du -sch result show only 82 GB.

# du -sch *
7.8G    cpanel
70G     lib
7.1G    lve
86G     total

The difference is that whenever an application has an open file, but the file is already deleted, then it is counted in the df output (because the space is certainly not free) but not in du (because it is not being used by a file).

The problem we will face here is mysql may not start. Here we cannot kill all the processes of mysql and free up /var partition.

But, the real issue is when /var is used by a process which we cannot kill. For example, lets take r1soft backup is running. In that case we cannot kill those processes because it will create issue with replication of data.

So, use the following command to find out the files, which is using large space.

lsof | grep deleted | grep var
cdp-2-6     783208     root  txt       REG       8,2    2497576960  6033403 (deleted) /var/r1soft/bin/2-6/cdp-2-6

Now, go to the file descriptor of that particular process.

# cd /proc/783210/fd
[/proc/783208/fd]# ll
total 0
dr-x------ 2 root root  0 May  6 04:16 ./
dr-xr-xr-x 5 root root  0 May  5 16:48 ../
lrwx------ 1 root root 64 May  6 04:16 10 -> /dev/hcp
lrwx------ 1 root root 64 May  6 04:16 11 -> (deleted)\ /var/.r1soft_hcp_sda3.cow_hcp1_1

10 –> points to /dev/hcp 11 –> points to /var/.r1soft_hcp_sda3.cow_hcp1_1

which is actually deleted. Now, just null those files as

>10
>11

Now, see the result.

# df -h | grep var
//dev/sda3             146G   86G   53G  63% /var

Done 🙂

FSCK on LVM from Live CD or From Single User Mode

As it is an important issue to deal with low level thing in the server archtecture. Being an GNU/Linux administrator/NOC/Ops one has to have the clear cut understanding what they are doing.Because handling the production box require lot of common sense and in depth knowlegde about the platform/OS.

So without much ado lets play with it or let me show you the simple tricks.

I do not issue any guarantee that this will work for you.

So the first question come into the mind why the hell you need to check the filesystem?? Specially the root(/) part of it…sound pretty dull and boring…huh..please don’t ignore this.You know ignorance is a sin…so do not commit it.

Now filesystem can be corrupted in various ways..few common ways are :

1) Not properly shutdown the server(although most of the cases journaling will do the healing)

2) Sudden power cut left your system down with lot of processing going on

3)Somebody has done something special(bad sense) to corrupt the data on that particular partition.

It is a bad idea and not recommended to run fsck(yes,this is the inbuilt tool you need to use)the mounted partition or drive.So don’t do that.

Now, running fsck on other partition like /home,/var,/usr …

First and foremost thing to be done is get into a single user mode..how do you do that?

ok once you type init 1 at the terminal prompt you will be taken to the singe user mode.From there simply unmount the partions as show below:

root@laptop_:/home/ # init 1 —> this will bring to the single user mode

root@laptop:/home/ # umount /dev/sda2 —> assuming this partion hold the /home section.

Now run the fsck:

root@:/home/ # e2fsck -y /dev/sda2

Ok..let me explain the flags or switch I passed with the fsck .

y——> it will try to detect and fix any filesystem related corruption without manual intervention.

f———–> this will force check even the system check says it’s clean.

v——–> It will provide you the verbose explanation what that comming going through on the terminal screen.

Now a major problem in our hand. That we find out that root(/)partition of the filesystem gor corrupted due to some reasons.So we need to fix that issue to get back the system as soon as possible on the track.

For this kind of problem..it significant that on a mounted system you just cannot run fsck…as I said earlier..becauase it will corrupt the data on it.So we need a installation cd/dvd for our rescue. The first cd/dvd will do the job for us or get a systemrescuecd to do that.

Once you boot with one of those cd/dvd and put the below text at the command prompt it presents:

#linux rescue nomount

Now once you fire that one you are on the prompt so you can begin work on that.First we need to do is fire a mknod command.Now ask me why need to do that???

Because we had passed the option nomount in the last section so it will not parse any file system or it will not initialize any filesystem or create any device to operate on.If you try to run fsck now it will fail.

So to run correctly the fsck to on a filesystem we need to create device file for that.For that we need to run mknod.But to use mknod we need to know the Major number and Minor number of the device.Lets get those number…wait before that I need to tell you few thing about what Major number and Minor number of a device and how it signifies.

What is Major Number and Minor number??

Traditionally, the major number identifies the driver associated with the device. For example, /dev/null and /dev/zero are both managed by driver 1, whereas virtual consoles and serial terminals are managed by driver 4; similarly, both vcs1 and vcsa1 devices are managed by driver 7. Modern Linux kernels allow multiple drivers to share major numbers, but most devices that you will see are still organized on the one-major-one-driver principle.

The minor number is used by the kernel to determine exactly which device is being referred to. Depending on how your driver is written, you can either get a direct pointer to your device from the kernel, or you can use the minor number yourself as an index into a local array of devices. Either way, the kernel itself knows almost nothing about minor numbers beyond the fact that they refer to devices implemented by your driver.

So it’s clear?? right.lets move on we need to find out the major number and minor number of the device to run mknod:

root@bhaskar-laptop_08:42:30_Mon Aug 16:/home/bhaskar # ls -al /dev/sda
brw-rw—- 1 root disk 8, 0 Aug 16 07:15 /dev/sda

See it will look like this…as 4the and 5th column holds the major number and minor number.Now create the device file:

#mknod /dev/sda b 8 0

It will create the device file.Once it’s done you are safe to run fsck on that particular partition holding your root(/) filesystem.

#e2fsck -yfv /dev/YourRootPartition(sda,hda,….)

Now lets have some fun with LVM.

We need few tools to manipulate that kind of partition which will provide the lvm package within the os or in come inbuilt with other rescue cd.

We need to find out physical disk,volume group and logical partition ..where we are going to run fsck..right?

pvscan :Physical scanning of particular disk

root@-laptop:/home/ # pvscan
PV /dev/sda8 VG laptop lvm2 [46.15 GiB / 21.15 GiB free]
Total: 1 [46.15 GiB] / in use: 1 [46.15 GiB] / in no VG: 0 [0 ]

vgscan :Volume group scanning

root@-laptop:/home/ # vgscan
Reading all physical volumes. This may take a while…
Found volume group “laptop” using metadata type lvm2

lvscan :Logical volume scanning

root@-laptop:/home/ # lvscan
ACTIVE ‘/dev/laptop/data’ [25.00 GiB] inherit

Now it is not activates then you need to activate the specific logical volume like this:

#lvchange -ay “yourLogicalVolume”

The final step:

Run the fsck on logical volume:

#e2fsck -yfv /YourLogicalVolume

How to Secure your DNS Server

To secure your dns server all you need to do is just add the following lines to your /etc/named.conf file.

1. First you should know the 2 Ips of your dns server. Just open /etc/nameserverips and there you will get the 2 dns ips.

tail /etc/nameserverips

2. Open /etc/named.conf

Look for options { line and above it add these lines

acl “trusted” {
x.x.x.x;
y.y.y.y;
};

where x and y are your 2 dns ips in step (1).

3. Look for line

// query-source address * port 53;

below it , insert the following lines.

version “Bind”;
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };

This will disable dns recursion (preventing your server to be open dns server), prevent zone transfers and notification all restricted to your DNS only and not to outside queries. The version will hide the bind version.

4. Prevent DNS Spoofing

If you are running bind 8.x or prior versions, then there is a possibility that your dns server is left unprotected from forged IPs. To prevent this from happening, add this one line in your options

Options {
use-id-pool yes;
}

Once all is complete, restart the named.

service named restart

For more added security, refer to this secure bind template

4. Once everything is done, you will need to check your dns server with online tools like dnsstuff for vulnerabilities.

http://www.pingability.com (free)
http://www.pweb.cz/en/dns-test/ (free)
http://www.intodns.com/ (free)
http://dnsstuff.com (paid)

Testing DNS server with Dig Commands

Dig command to test open dns server

dig @server http://www.example.com

If the server responds resolving the example.com and answers it with IP address, then it is open dns server and it responds to recursive dns queries. Remember this command should only be issued from a shell outside the network or perhaps from another different server.

Dig command to do Zone Transfer

dig domain.com axfr

If you are able to download zone records, then you must disable zone transfer.

Dig command to get version of Bind

Dont show the bind version and if you havent upgraded, it could be subjected to attacks.

dig @server -c CH -t txt version.bind

Secure cPanel Servers

Install Firewall

The very first first step on securing a server is installing a firewall (atleast IP tables based) to close all unused or unwanted ports. Once the firewall is installed it is often considered 50% of work done. You can install CSF firewall or APF firewall. Often BFD (brute force detection) utilities comes with firewall.

We will install CSF (Config security firewall) as it is easy to install with plenty of features and easily integrated to CPanel (if you are running)

wget http://www.configserver.com/free/csf.tgz
tar zxf csf.tar.gz
sh /csf/install.sh

Follow the installer and once installed, you can start the firewall.

csf -s
// start the firewall
csf -r
// restart the firewall
csf -f
// flush the rules or stop the firewall.

Harden SSH server

Very often you will see SSH attacks from various bots trying to get access to your server by connected to port 22 with unlimited number of login attempts to break in to your system. Imagine attacks coming from different IPs can put lot of load in you server. You can trace those failed attempts by checking your log file

cat /var/log/secure
cat /var/log/messages

To harden your SSH server,

  • Run SSH on other port rather than default port 22
  • Disable Root login
  • Use only protocol 2
  • Enable Public key authentication.

Disable Telnet & Other Unused Services

You may want to disable services like telnet, finger and other unwanted services running on your server with xinet.

nano /etc/xinetd.d/telnet
// OR
nano /etc/xinetd.d/krb5-telnet

look for lines disable=no and change to disable=yes

chkconfig telnet off

Hardening PHP for Security

PHP is the most popular scripting language for apache and mysql. You will need to disable system level functions in the php configuration file.

nano /usr/local/lib/php.ini

Look for the lines and make sure you have the lines as below..

disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
magic_quotes_gpc = On

It is best to keep magic_quotes to on as otherwise you forms using POST may be used for SQL injection attacks.

Disable Open DNS Recursion (DNS Server)

If you are running bind DNS server, then you might want to check your dns server statistics with dnstools.com. You dont want to allow recursive lookups to performed on your server other than local IP. It can also slowdown your server.

nano /etc/named.conf

Under Options { place a line

Options {
recursion no;
…..

Then restart the bind

service named restart

You will also need to restrict zone transfers and notifications

Install Mod_Security

ModSecurity is a free open source web application firewall which can help you to guard against LFI (local file inclusion attacks) and SQL injection vulnerabilities.

CPanel Installation:

Just go to Cpanel WHM > Plugins > Enable Mod_Security > Save

Source Installation:

That should install mod security in your cpanel. Under apache it should show under installed modules if you run test.php with phpinfo() in it. Try adding some mod security rules. Installing mod_security could be sometimes complicated. Dont use apxs for compiling mod_security as it causes number of problems.

Note: Mod_security needs libxml2 and http-devel libraries before it can be installed. It also requires mod_unique_id enabled in apache modules. To install mod_unique_id, you have to place

LoadModule unique_id_module modules/mod_unique_id.so

in your httpd.conf file.

yum install libxml2 libxml2-devel httpd-devel

Download the latest version of mod_security for apache2 from http://www.modsecurity.org

wget http://www.modsecurity.org/download/modsecurity-apache_2.1.7.tar.gz
tar zxf modsecurity-apache_2.5.4.tar.gz
cd modsecurity-apache_2.5.4
cd apache2

Then

If you cannot find ./configure then you will need to edit Makefile and make change to top_dir = /usr/lib/httpd (for centos)

make
make install

Next, copy the rule files depending on which you want (you can also select minimal rules file which comes with source). Make a directory named modsecurity under /etc/httpd/conf and copy all the modsecurity rules there. Finally include those files in the httpd.conf file

# /etc/httpd/conf/httpd.conf

LoadModule unique_id_module modules/mod_unique_id.so
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf

Then

/etc/init.d/httpd restart

Log Files

Watch for log files to detect any errors or intrusion activity

/var/log/httpd/modsec_audit
/var/log/httpd/error_log

If you get any errors, i have compiled a list of errors while compiling. see here

Install Mod_Evasive

ModEvasive module for apache offers protection against DDOS (denial of service attacks) in your server.

wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar zxf mode_evasive-1.10.1.tar.gz
cd mod_evasive

then run the following command for apache2…

> /usr/sbin/apxs -cia mod_evasive20.c

Once mod evasive is installed, place the following lines in your /etc/httpd/conf/httpd.conf

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>

Follow the instructions in the README for more tuning of mod_evasive. This will compile, install and activate the module in your server.

Install RkHunter (Rootkit)

RkHunter is a rootkit scanner scans for vulnerabilities, insecure files, backdoors in your system and reports it so that you can further harden the server. Installing RkHunter is very easy!

yum install rkhunter

To run checks in your system

rkhunter –checkall
OR
rkhunter -c

You can find what command options are available under rkhunter by issuing this help command

> rkhunter –help

Install PortsEntry

Portsentry is a tool to detect port scans and log it. Download the sorce package of portsentry from sourceforge.net

wget http://path/to/portsentry-1.2.tar.gz
tar zxf portsentry-1.2.tar.gz
make linux
make install

If you get errors like while compiling

make linux
SYSTYPE=linux
Making
gcc -O -Wall -DLINUX -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c \
./portsentry_io.c ./portsentry_util.c
./portsentry.c: In function ‘PortSentryModeTCP’:
./portsentry.c:1187: warning: pointer targets in passing argument 3 of ‘accept’ differ in signedness
./portsentry.c: In function ‘PortSentryModeUDP’:
./portsentry.c:1384: warning: pointer targets in passing argument 6 of ‘recvfrom’ diffe r in signedness
./portsentry.c: In function ‘Usage’:
./portsentry.c:1584: error: missing terminating ” character
./portsentry.c:1585: error: ‘sourceforget’ undeclared (first use in this function)
./portsentry.c:1585: error: (Each undeclared identifier is reported only once
./portsentry.c:1585: error: for each function it appears in.)
./portsentry.c:1585: error: expected ‘)’ before ‘dot’
./portsentry.c:1585: error: stray ‘\’ in program
./portsentry.c:1585: error: missing terminating ” character
./portsentry.c:1595: error: expected ‘;’ before ‘}’ token
make: *** [linux] Error 1

To fix:

Open portsentry.c and look for the following line. There will be a extra carriage return breaking the line and you have to delete the carriage return and make single line. It should look like below.

printf (“Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot sourceforget dot net>\n”);

Then run make and make install. That should fix it!

To launch portsentry

/usr/local/psionic/portsentry/portsentry -stcp
/usr/local/psionic/portsentry/portsentry -sudp

check the log files /var/log/secure on what portsentry is active or not.

Prevent IP Spoofing

IP spoofing is a security exploit and can be prevented from placing nospoof on in host.conf file. Edit the host.conf file and place the following lines. If you run dns bind, give it preference.

order bind,hosts
nospoof on

Install ClamAV

Antivirus protection is the last thing you need for your security to protect against worms and trojans invading your mailbox and files! Just install clamav (a free open source antivirus software for linux). More information can be found on clamav website

yum install clamav

Once you have installed clamav in your centos…here are some of the basic commands using the software..

1. To update the antivirus database

> freshclam

2. To run antivirus

clamav -r /home

3. Running as Cron Daily Job

To run antivirus as a cron job (automatically scan daily) just run crontab -e from your command line. Then add the following line and save the file.

02 1 * * * root clamscan -R /var/www

This will run the cron job daily @ 1.02 AM by scanning the public html. You can change the folder to whatever you want for mail etc.

Configuring NIS

Configuring The NFS Server

Here are the steps to configure the NFS server in this scenario:

1. Edit the /etc/exports file to allow NFS mounts of the /home directory with read/write access.

/home                   *(rw,sync)

2. Let NFS read the /etc/exports file for the new entry, and make /home available to the network with the exportfs command.

[root@bigboy tmp]# exportfs -a
[root@bigboy tmp]#

3. Make sure the required nfs, nfslock, and portmap daemons are both running and configured to start after the next reboot.

[root@bigboy tmp]# chkconfig nfslock on
[root@bigboy tmp]# chkconfig nfs on
[root@bigboy tmp]# chkconfig portmap on
[root@bigboy tmp]# service portmap start
Starting portmapper: [  OK  ]
[root@bigboy tmp]# service nfslock start
Starting NFS statd: [  OK  ]
[root@bigboy tmp]# service nfs start
Starting NFS services:  [  OK  ]
Starting NFS quotas: [  OK  ]
Starting NFS daemon: [  OK  ]
Starting NFS mountd: [  OK  ]
[root@bigboy tmp]#

After configuring the NFS server, we have to configure its clients, This will be covered next.

Configuring The NFS Client

You also need to configure the NFS clients to mount their /home directories on the NFS server.

These steps archive the /home directory. In a production environment in which the /home directory would be actively used, you’d have to force the users to log off, backup the data, restore it to the NFS server, and then follow the steps below. As this is a lab environment, these prerequisites aren’t necessary.

1. Make sure the required netfs, nfslock, and portmap daemons are running and configured to start after the next reboot.

[root@smallfry tmp]# chkconfig nfslock on
[root@smallfry tmp]# chkconfig netfs on
[root@smallfry tmp]# chkconfig portmap on
[root@smallfry tmp]# service portmap start
Starting portmapper: [  OK  ]
[root@smallfry tmp]# service netfs start
Mounting other filesystems:  [  OK  ]
[root@smallfry tmp]# service nfslock start
Starting NFS statd: [  OK  ]
[root@smallfry tmp]#

2. Keep a copy of the old /home directory, and create a new directory /home on which you’ll mount the NFS server’s directory.

[root@smallfry tmp]# mv /home /home.save
[root@smallfry tmp]# mkdir /home
[root@smallfry tmp]# ll /
...
...
drwxr-xr-x    1 root   root     11 Nov 16 20:22 home
drwxr-xr-x    2 root   root   4096 Jan 24  2003 home.save
...
...
[root@smallfry tmp]#

3. Make sure you can mount bigboy’s /home directory on the new /home directory you just created. Unmount it once everything looks correct.

[root@smallfry tmp]# mount 192.168.1.100:/home /home/
[root@smallfry tmp]# ls /home
ftpinstall  nisuser  quotauser  smallfry  www
[root@smallfry tmp]# umount /home
[root@smallfry tmp]#

4. Start configuring autofs automounting. Edit your /etc/auto.master file to refer to file /etc/auto.home for mounting information whenever the /home directory is accessed. After five minutes, autofs unmounts the directory.

#/etc/auto.master
/home      /etc/auto.home --timeout 600

5. Edit file /etc/auto.home to do the NFS mount whenever the /home directory is accessed. If the line is too long to view on your screen, you can add a \ character at the end to continue on the next line.

#/etc/auto.home
*   -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid,tcp \
   192.168.1.100:/home/&

6. Start autofs and make sure it starts after the next reboot with the chkconfig command.

[root@smallfry tmp]# chkconfig autofs on
[root@smallfry tmp]# service autofs restart
Stopping automount:[  OK  ]
Starting automount:[  OK  ]
[root@smallfry tmp]#

After doing this, you won’t be able to see the contents of the /home directory on bigboy as user root. This is because by default NFS activates the root squash feature, which disables this user from having privileged access to directories on remote NFS servers. You’ll be able to test this later after NIS is configured.

Note: This automounter feature doesn’t appear to function correctly in my preliminary testing of Fedora Core 3. See Chapter 29, “Remote Disk Access with NFS“, for details.

All newly added Linux users will now be assigned a home directory under the new remote /home directory. This scheme will make the users feel their home directories are local, when in reality they are automatically mounted and accessed over your network.

Configuring The NIS Server

NFS only covers file sharing over the network. You now have to configure NIS login authentication for the lab students before the job is done. The configuration of the NIS server is not difficult, but requires many steps that you may overlook. Don’t worry, we’ll review each one in detail.

Note: In the early days, NIS was called Yellow Pages. The developers had to change the name after a copyright infringement lawsuit, yet many of the key programs associated with NIS have kept their original names beginning with yp.

Install the NIS Server Packages

All the packages required for NIS clients are a standard part of most Fedora installations. The ypserv package for servers is not. Install the package according to the steps outlined in Chapter 6,”Installing Linux Software“.

Edit Your /etc/sysconfig/network File

You need to add the NIS domain you wish to use in the /etc/sysconfig/network file. For the school, call the domain NIS-SCHOOL-NETWORK.

#/etc/sysconfig/network
NISDOMAIN="NIS-SCHOOL-NETWORK"

Edit Your /etc/yp.conf File

NIS servers also have to be NIS clients themselves, so you’ll have to edit the NIS client configuration file /etc/yp.conf to list the domain’s NIS server as being the server itself or localhost.

# /etc/yp.conf - ypbind configuration file
ypserver 127.0.0.1

Start The Key NIS Server Related Daemons

Start the necessary NIS daemons in the /etc/init.d directory and use the chkconfig command to ensure they start after the next reboot.

[root@bigboy tmp]# service portmap start
Starting portmapper: [  OK  ]
[root@bigboy tmp]# service yppasswdd start
Starting YP passwd service: [  OK  ]
[root@bigboy tmp]# service ypserv start
Setting NIS domain name NIS-SCHOOL-NETWORK:  [  OK  ]
Starting YP server services: [  OK  ]
[root@bigboy tmp]# 

[root@bigboy tmp]# chkconfig portmap on
[root@bigboy tmp]# chkconfig yppasswdd on
[root@bigboy tmp]# chkconfig ypserv on

Table 30.1 lists a summary of the daemon’s functions.

Table 30-1 Required NIS Server Daemons

Daemon Name Purpose
portmap The foundation RPC daemon upon which NIS runs.
yppasswdd Lets users change their passwords on the NIS server from NIS clients
ypserv Main NIS server daemon
ypbind Main NIS client daemon
ypxfrd Used to speed up the transfer of very large NIS maps

Make sure they are all running before continuing to the next step. You can use the rpcinfo command to do this.

[root@bigboy tmp]# rpcinfo -p localhost
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100009    1   udp    681  yppasswdd
    100004    2   udp    698  ypserv
    100004    1   udp    698  ypserv
    100004    2   tcp    701  ypserv
    100004    1   tcp    701  ypserv
[root@bigboy tmp]#

The ypbind and ypxfrd daemons won’t start properly until after you initialize the NIS domain. You’ll start these daemons after initialization is completed.

Initialize Your NIS Domain

Now that you have decided on the name of the NIS domain, you’ll have to use the ypinit command to create the associated authentication files for the domain. You will be prompted for the name of the NIS server, which in this case is bigboy.

With this procedure, all nonprivileged accounts are automatically accessible via NIS.

[root@bigboy tmp]# /usr/lib/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS 
servers.  bigboy is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
        next host to add:  bigboy
        next host to add:
The current list of NIS servers looks like this:

bigboy

Is this correct?  [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/NIS-SCHOOL-NETWORK/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/NIS-SCHOOL-NETWORK'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/NIS-SCHOOL-NETWORK'

bigboy has been set up as a NIS master server.

Now you can run ypinit -s bigboy on all slave server.
[root@bigboy tmp]#

Note: Make sure portmap is running before trying this step or you’ll get errors, such as:

failed to send 'clear' to local ypserv: RPC: Port mapper failureUpdating group.bygid...

You will have to delete the /var/yp/NIS-SCHOOL-NETWORK directory and restart portmap, yppasswd, and ypserv before you’ll be able to do this again successfully.

Start The ypbind and ypxfrd Daemons

You can now start the ypbind and the ypxfrd daemons because the NIS domain files have been created.

[root@bigboy tmp]# service ypbind start
Binding to the NIS domain: [  OK  ]
Listening for an NIS domain server.
[root@bigboy tmp]# service ypxfrd start
Starting YP map server: [  OK  ]
[root@bigboy tmp]# chkconfig ypbind on
[root@bigboy tmp]# chkconfig ypxfrd on

Make Sure The Daemons Are Running

All the NIS daemons use RPC port mapping and, therefore, are listed using the rpcinfo command when they are running correctly.

[root@bigboy tmp]# rpcinfo -p localhost
    program vers proto   port
     100000    2   tcp    111  portmapper
     100000    2   udp    111  portmapper
     100003    2   udp   2049  nfs
     100003    3   udp   2049  nfs
     100021    1   udp   1024  nlockmgr
     100021    3   udp   1024  nlockmgr
     100021    4   udp   1024  nlockmgr
     100004    2   udp    784  ypserv
     100004    1   udp    784  ypserv
     100004    2   tcp    787  ypserv
     100004    1   tcp    787  ypserv
     100009    1   udp    798  yppasswdd
  600100069    1   udp    850  fypxfrd
  600100069    1   tcp    852  fypxfrd
     100007    2   udp    924  ypbind
     100007    1   udp    924  ypbind
     100007    2   tcp    927  ypbind
     100007    1   tcp    927  ypbind
[root@bigboy tmp]#

Adding New NIS Users

New NIS users can be created by logging into the NIS server and creating the new user account. In this case, you’ll create a user account called nisuser and give it a new password.

Once this is complete, you then have to update the NIS domain’s authentication files by executing the make command in the /var/yp directory.

This procedure makes all NIS-enabled, nonprivileged accounts become automatically accessible via NIS, not just newly created ones. It also exports all the user’s characteristics stored in the /etc/passwd and /etc/group files, such as the login shell, the user’s group, and home directory.

[root@bigboy tmp]# useradd -g users nisuser
[root@bigboy tmp]# passwd nisuser
Changing password for user nisuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@bigboy tmp]# cd /var/yp
[root@bigboy yp]# make
gmake[1]: Entering directory `/var/yp/NIS-SCHOOL-NETWORK'
Updating passwd.byname...
Updating passwd.byuid...
Updating netid.byname...
gmake[1]: Leaving directory `/var/yp/NIS-SCHOOL-NETWORK'
[root@bigboy yp]#

You can check to see if the user’s authentication information has been updated by using the ypmatch command, which should return the user’s encrypted password string.

[root@bigboy yp]# ypmatch nisuser passwd
nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/::504:100::/home/nisuser:/bin/bash
[root@bigboy yp]

You can also use the getent command, which has similar syntax. Unlike ypmatch, getent doesn’t provide an encrypted password when run on an NIS server, it just provides the user’s entry in the /etc/passwd file. On a NIS client, the results are identical with both showing the encrypted password.

[root@bigboy yp]# getent passwd nisuser
nisuser:x:504:100::/home/nisuser:/bin/bash
[root@bigboy yp]#

Configuring The NIS Client

Now that the NIS server is configured, it’s time to configure the NIS clients. There are a number of related configuration files that you need to edit to get it to work. Take a look at the procedure.

Run authconfig

The authconfig or the authconfig-tui program automatically configures your NIS files after prompting you for the IP address and domain of the NIS server.

[root@smallfry tmp]# authconfig-tui

Once finished, it should create an /etc/yp.conf file that defines, amongst other things, the IP address of the NIS server for a particular domain. It also edits the /etc/sysconfig/network file to define the NIS domain to which the NIS client belongs.

# /etc/yp.conf - ypbind configuration file
domain NIS-SCHOOL-NETWORK server 192.168.1.100

#/etc/sysconfig/network
NISDOMAIN=NIS-SCHOOL-NETWORK

In addition, the authconfig program updates the /etc/nsswitch.conf file that lists the order in which certain data sources should be searched for name lookups, such as those in DNS, LDAP, and NIS. Here you can see where NIS entries were added for the important login files.

#/etc/nsswitch.conf
passwd:     files nis
shadow:     files nis
group:      files nis

Note: You can also locate a sample NIS nsswitch.conf file in the /usr/share/doc/yp-tools* directory.

Start The NIS Client Related Daemons

Start the ypbind NIS client, and portmap daemons in the /etc/init.d directory and use the chkconfig command to ensure they start after the next reboot. Remember to use the rpcinfo command to ensure they are running correctly.

[root@smallfry tmp]# service portmap start
Starting portmapper: [  OK  ]
[root@smallfry tmp]# service ypbind start
Binding to the NIS domain:
Listening for an NIS domain server.
[root@smallfry tmp]#

[root@smallfry tmp]# chkconfig ypbind on
[root@smallfry tmp]# chkconfig portmap on

Note: Remember to use the rpcinfo -p localhost command to make sure they all started correctly.

Verify Name Resolution

As the configuration examples refer to the NIS client and server by their hostnames, you’ll have to make sure the names resolve correctly to IP addresses. This can be configured either in DNS, when the hosts reside in the same domain, or more simply by editing the /etc/hosts file on both Linux boxes.

#
# File: /etc/hosts (smallfry)
#
192.168.1.100    bigboy

#
# File: /etc/hosts (bigboy)
#
192.168.1.102    smallfry

Test NIS Access To The NIS Server

You can run the ypcat, ypmatch, and getent commands to make sure communication to the server is correct.

[root@smallfry tmp]# ypcat passwd
nisuser:$1$Cs2GMe6r$1hohkyG7ALrDLjH1:505:100::/home/nisuser:/bin/bash
quotauser:!!:503:100::/home/quotauser:/bin/bash
ftpinstall:$1$8WjAVtes$SnRh9S1w07sYkFNJwpRKa.:502:100::/:/bin/bash
www:$1$DDCi/OPI$hwiTQ.L0XqYJUk09Bw.pJ/:504:100::/home/www:/bin/bash
smallfry:$1$qHni9dnR$iKDs7gfyt..BS9Lry3DAq.:501:100::/:/bin/bash
[root@smallfry tmp]#

[root@smallfry tmp]# ypmatch nisuser passwd
nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/:504:100::/home/nisuser:/bin/bash
[root@smallfry tmp]#

[root@smallfry tmp]# getent passwd nisuser
nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/:504:100::/home/nisuser:/bin/bash
[root@smallfry tmp]#

Possible sources of error would include:

  • Incorrect authconfig setup resulting in errors in the /etc/yp.conf, /etc/sysconfig/network and /etc/nsswitch.conf files
  • Failure to run the ypinit command on the NIS server
  • NIS not being started on the NIS server or client.
  • Poor routing between the server and client, or the existence of a firewall that’s blocking traffic

Try to eliminate these areas as sources of error and refer to the syslog /var/log/messages file on the client and server for entries that may provide additional clues.

Test Logins via The NIS Server

Once your basic NIS functionality testing is complete, try to test a remote login. Failures in this area could be due to firewalls blocking TELNET or SSH access and the TELNET and SSH server process not being started on the clients.

Logging In Via Telnet

Try logging into the NIS client via telnet if it is enabled

[root@bigboy tmp]# telnet 192.168.1.201
Trying 192.168.1.201...
Connected to 192.168.1.201.
Escape character is '^]'.
Red Hat Linux release 9 (Shrike)
Kernel 2.4.20-6 on an i686
login: nisuser
Password:
Last login: Sun Nov 16 22:03:51 from 192-168-1-100.simiya.com
[nisuser@smallfry nisuser]$

Logging In Via SSH

Try logging into the NIS client via SSH.

[root@bigboy tmp]# ssh -l nisuser 192.168.1.102
nisuser@192.168.1.102's password:
[nisuser@smallfry nisuser]$

In some versions of Linux, the NIS client’s SSH daemon doesn’t re-read the /etc/nsswitch.conf file you just modified until SSH is restarted. SSH logins, therefore, won’t query the NIS server until this is done. Restart SSH on the NIS client.

[root@smallfry root]# service sshd restart
Stopping sshd:[  OK  ]
Starting sshd:[  OK  ]
[root@smallfry root]#

NIS Slave Servers

NIS relies a lot on broadcast traffic to operate, which prevents you from having an NIS server on a different network from the clients. You can avoid this problem on your local subnet by using slave servers that are configured to automatically synchronize their NIS data with that of the single master server.

You can also consider placing multiple NIS servers on a single subnet for the sake of redundancy. To do this, configure the NIS clients to have multiple NIS servers for the domain in the /etc/yp.conf file.

Configuring NIS Slave Servers

In this scenario, you need to add an NIS slave server named nisslave (IP address 192.168.1.254) to the NIS-SCHOOL-NETWORK NIS domain. You also must configure the NIS master server, bigboy, to push its database map information to the slave whenever there is an update. Here are the steps you need.
1. As you’re referring to our servers by their hostnames, you’ll have to make sure the names resolve correctly to IP addresses. This can be done either in DNS, when the hosts reside in the same domain, or more simply by editing the /etc/hosts files on both servers as seen in Table 30.2.

Table 30-2 NIS Master / Slave /etc/hosts Files

Master (Bigboy) Slave (Nisslave)
#
# File: /etc/hosts (Bigboy)
#
192.168.1.254    nisslave
#
# File: /etc/hosts (Nisslave)
#
192.168.1.100    bigboy

2. Configure the NIS slave as a NIS client of itself in the /etc/yp.conf file, and configure the NIS domain in the /etc/sysconfig/network file as seen in Table 30.3.

Table 30-3 NIS Master / Slave /etc/yp.conf Files

/etc/yp.conf /etc/sysconfig/network
#
# File: /etc/yp.conf (Bigboy)
#
ypserver 127.0.0.1
#
# File: /etc/sysconfig/network
#
NISDOMAIN="NIS-SCHOOL-NETWORK"

3. On the slave server, run ypbind so the slave can query the master server.

[root@nisslave tmp]# service portmap start
Starting portmapper: [  OK  ]
[root@nisslave tmp]# service ypbind start
Binding to the NIS domain:
Listening for an NIS domain server.
[root@nisslave tmp]#

[root@nisslave tmp]# chkconfig portmap on
[root@nisslave tmp]# chkconfig ypbind on

4. Optimize database map transfers by the NIS map transfer daemon, which should the started on both the master and slave.

[root@nisslave tmp]# service ypxfrd start
Starting YP map server: [  OK  ]
[root@nisslave tmp]#
[root@nisslave tmp]# chkconfig ypxfrd on

[root@bigboy tmp]# service ypxfrd start
Starting YP map server: [  OK  ]
[root@bigboy tmp]#
[root@bigboy tmp]# chkconfig ypxfrd on

5. Do a simple database query of the master from the slave using the ypwhich command with the -m (master) switch. You should get a listing of all the tables.

[root@nisslave tmp]# ypwhich -m
mail.aliases bigboy
group.bygid bigboy
passwd.byuid bigboy
rpc.bynumber bigboy
...
...
[root@nisslave tmp]#

6. Do an initial database download to the slave from the master with the ypinit command using the -s switch for a slave-type operation and specifying server bigboy as the master from which the data is to be obtained. You should see “Trying ypxfrd – success” messages. If the messages say “Trying ypxfrd – not running,” then start ypxfrd on both servers.

[root@nisslave tmp]# /usr/lib/yp/ypinit -s bigboy
We will need a few minutes to copy the data from bigboy.
Transferring services.byservicename...
Trying ypxfrd ... success

Transferring group.byname...
Trying ypxfrd ... success
...
...

nisslave's NIS data base has been set up.
If there were warnings, please figure out what went wrong, and fix it.

At this point, make sure that /etc/passwd and /etc/group have
been edited so that when the NIS is activated, the data bases you
have just created will be used, instead of the /etc ASCII files.
[root@nisslave tmp]#

If your database is corrupt or your /etc/hosts files are incorrect, you’ll get map enumeration errors as shown. Use the make command again to rebuild your database on the master when necessary.

[root@nisslave tmp]# /usr/lib/yp/ypinit -s bigboy
Can't enumerate maps from bigboy. Please check that it is running.
[root@nisslave tmp]#

7. Now that the data has been successfully downloaded, it’s time to make the slave server serve NIS clients with ypserv.

[root@nisslave tmp]# service ypserv start
Starting YP server services:
[root@nisslave tmp]#
[root@nisslave tmp]# chkconfig ypxfrd on

8. Log on to the master server. Add the slave server to the master server’s database map by editing the /var/yp/ypservers file on the master.

[root@bigboy yp]# cd /tmp
[root@bigboy tmp]# cd /var/yp/
[root@bigboy yp]# vi ypservers

Add nisslave to the file.

#
# File: /var/yp/ypservers
#
bigboy
nisslave

9. The make file in the /var/yp directory defines how the NIS server will build the database map and how the master will relate to the NIS slave. Make a copy of the master’s make file for safekeeping.

[root@bigboy yp]# cp Makefile Makefile.old

10. Edit the make file to allow the master to push maps to the slave.

#
# File: /var/vp/Makefile
#

#
# Allow the master to do database pushes to the slave
#
NOPUSH=false

11. Use the make command to rebuild the database. The make command automatically pushes database updates to the servers listed in the /var/yp/servers file.

[root@bigboy yp]# make
gmake[1]: Entering directory `/var/yp/NIS-SCHOOL-NETWORK'
Updating ypservers...
YPPUSH: gethostbyname(): Success
YPPUSH: using not FQDN name
gmake[1]: Leaving directory `/var/yp/NIS-SCHOOL-NETWORK'
gmake[1]: Entering directory `/var/yp/NIS-SCHOOL-NETWORK'
Updating netid.byname...
YPPUSH: gethostbyname(): Success
YPPUSH: using not FQDN name
gmake[1]: Leaving directory `/var/yp/NIS-SCHOOL-NETWORK'
[root@bigboy yp]#

12. On the slave server, create a cron file in the /etc/crond.d directory, in this case named nis_sync, that will run periodic database downloads from the master server. This helps to ensure that the slave servers have current databases even if they miss updates from the master in the event the school goes offline for maintenance. Restart the cron daemon so that the configuration in this file becomes active.

[root@nisslave yp]# vi /etc/cron.d/nis_sync

#
# File: /etc/cron.d/nis_sync
#
20 *    * * *    /usr/lib/yp/ypxfr_1perhour
40 6    * * *    /usr/lib/yp/ypxfr_1perday
55 6,18 * * *    /usr/lib/yp/ypxfr_2perday

[root@nisslave yp]# service crond restart

That’s a lot of work but it’s still not over. There is one final configuration step that needs to be done on the NIS clients before you’re finished.

Configuring NIS Clients With Slaves

Edit the /etc/yp.conf file on all the clients to include nisslave, and restart ypbind.

#
# File: /etc/yp.conf (Smallfry)
#
domain NIS-SCHOOL-NETWORK server 192.168.1.100
domain NIS-SCHOOL-NETWORK server 192.168.1.254

[root@smallfry tmp]# service ypbind restart
Shutting down NIS services: [  OK  ]
Binding to the NIS domain: [  OK  ]
Listening for an NIS domain server..
[root@smallfry tmp]#

Changing Your NIS Passwords

You should also test to make sure your users can change their NIS passwords from the NIS clients with the yppasswd command. The process is different whether there is only a single NIS master or a master-slave server relationship.

When There Is Only An NIS Master

When there is only a single NIS server, password changes can be made only on the NIS server using the yppasswd command.

Users Changing Their Own Passwords

Users can change their passwords by logging into the NIS server and issuing the yppasswd command.

[nisuser@bigboy nisuser]$ yppasswd
Changing NIS account information for nisuser on bigboy.my-site.com.
Please enter old password:
Changing NIS password for nisuser on bigboy.my-site.com.
Please enter new password:
Please retype new password:

The NIS password has been changed on bigboy.my-site.com.

[nisuser@bigboy nisuser]$

User “Root” Changing Passwords

The root user can change other users’ passwords issuing the yppasswd command with the -p switch that specifies the username that needs the change.

[root@bigboy tmp]# yppasswd -p nisuser
Changing NIS account information for nisuser on bigboy.my-site.com.
Please enter root password:
Changing NIS password for nisuser on bigboy.my-site.com.
Please enter new password:
Please retype new password:

The NIS password has been changed on bigboy.my-site.com.

[root@bigboy tmp]#

When There Is A NIS Master / Slave Pair

With an NIS master and slave pair configuration, passwords can be changed on the NIS clients or the NIS slave, but not on the NIS master.

Possible Password Errors

There are a number of unexpected errors you may find when changing passwords – errors that have nothing to do with bad typing.

Segmentation Faults

Running the yppasswd command on the wrong client or server depending on your NIS master and slave configuration can cause segmentation fault errors. (Make sure you follow the chapter’s guidelines for password changes!) Here are some sample password change failures on an NIS client with only one NIS master server.

[nisuser@smallfry nisuser]$ yppasswd
Segmentation fault
[nisuser@smallfry nisuser]$

[root@smallfry root]# yppasswd -p nisuser
Segmentation fault
[root@smallfry root]#

Daemon Errors

The yppasswdd daemon must be running on both the client and server for password changes to work correctly. When they aren’t running, you’ll get errors.

[root@smallfry etc]# yppasswd -p nisuser
yppasswd: yppasswdd not running on NIS master host ("bigboy").
[root@smallfry etc]#

You’ll also get a similar error if you attempt to change an NIS password on an NIS master server in a master and slave configuration.

Considerations For A Non NFS Environment

In many cases NFS, isn’t used to create a centralized home directory for users and, therefore, you’ll have to create it on each NIS client and not on the server.

This example creates the home directory for the NIS client, smallfry. After doing this, you have to copy a BASH login profile file into it and modify the ownership of the directory and all the files to user nisuser.

Logins should proceed normally once this has been done and all the other steps have been followed.

[root@smallfry tmp]# mkdir /home/nisuser
[root@smallfry tmp]# chmod 700 /home/nisuser/
[root@smallfry tmp]# ll /home
total 2
drwx------    2 nisuser users        1024 Aug  4 08:05 nisuser
[root@smallfry tmp]#
[root@smallfry tmp]# cp /etc/skel/.* /home/nisuser/
cp: omitting directory `/etc/skel/.'
cp: omitting directory `/etc/skel/..'
cp: omitting directory `/etc/skel/.kde'
[root@smallfry tmp]# chown -R nisuser:users /home/nisuser
[root@smallfry tmp]#

NIS Troubleshooting

Troubleshooting is always required as any part of your daily routine, NIS is no exception. Here are some simple steps to follow to get it working again.

1. The rpcinfo provides a list of TCP ports that your NIS client or server is using. Make sure you can TELNET to these ports from the client to the server and vice versa. If this fails, make sure all the correct NIS daemons are running and that there are no firewalls blocking traffic on the network or on the servers themselves. These ports change from time to time, so memorizing them won’t help much.

The example tests from the client to the server.

[root@bigboy tmp]# rpcinfo -p
    program vers proto   port
     100000    2   tcp    111  portmapper
     100000    2   udp    111  portmapper
     100024    1   udp  32768  status
     100024    1   tcp  32768  status
     391002    2   tcp  32769  sgi_fam
     100009    1   udp   1018  yppasswdd
     100004    2   udp    611  ypserv
     100004    1   udp    611  ypserv
     100004    2   tcp    614  ypserv
     100004    1   tcp    614  ypserv
     100007    2   udp    855  ypbind
     100007    1   udp    855  ypbind
     100007    2   tcp    858  ypbind
     100007    1   tcp    858  ypbind
  600100069    1   udp    874  fypxfrd
  600100069    1   tcp    876  fypxfrd
[root@bigboy tmp]#

[root@smallfry tmp]# telnet 192.168.1.100 858
Trying 10.41.32.71...
Connected to 10.41.32.71.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
[root@smallfry tmp]#

2. Always use the ypmatch, getent, and ypwhich commands to check your NIS connectivity. If there is any failure, check your steps over again and you should be able to find the source of your problem.

3. Do not fail to create a user’s home directory, set its permissions, and copy the /etc/skel files correctly. If you forget, which is a common error, your users may have incorrect login prompts and no ability to create files in their home directories.

It can never be overemphasized that one of the best places to start troubleshooting is by looking in your error log files in the /var/log directory. You’ll save a lot of time and effort if you always refer to them whenever the problem doesn’t appear to be obvious.

Refer : linuxhomenetworking.com