
Server Management

Server management has a lot of factors. Administrators need a solid understanding of the Linux operating system, permissions, the file system, drives, users and so on in order to run a safe and secure system.


Understanding CPU Process States


by Mike on May 23, 2009 in Server Management

Each program that runs on your computer/server is a process. Understanding the state, or status, of a process will go a long way toward managing your computer/server correctly. One of the difficult issues of management in Linux is viewing information and then being able to take that information and interpret what it means. This is certainly the case with processes, as the commands to view them are powerful and informative but short on description. This article provides a simple review of the basic states of processes.

One concept that you need to recognize is that the CPU can only execute one process at a time, so you will see these states vary as processes receive the resources they need and the permission to be runnable. Each process is listed in a particular state which relates to the process's ability to receive CPU time.

Runnable  process can be executed
Sleeping  process waiting for a resource of some kind
Zombie    process is trying to die but cannot
Stopped   process is suspended and not able to execute

A Runnable process has acquired the resources it needs and is just waiting for the CPU time to execute. The Sleeping process is often a daemon waiting for terminal input or an established network connection. The Sleeping process will not get any CPU time until it receives a signal. Zombies have completed their execution but are still hanging around. The PPID (Parent Process ID) of a Zombie will help you figure out where they came from. The Stopped process has been forbidden to run administratively. This process is waiting for a CONT signal to start up again. One way you can view these processes is by using the ps command.

ps

When any Linux system is operating there are hundreds of processes that could be running. A basic understanding of how these processes function is a great advantage to a Linux user. There are a number of ways to view these processes. A common method of viewing processes is by using the terminal. The ps command generates a snapshot of the currently running processes. The results show several important categories: the user, PID (Process ID), % of CPU usage, % of memory and the start time. This is an easy way to locate a process that is taking too many resources, or too large a percentage of CPU and memory on the system, which can cause all other processes to be very slow. This is a good way to review your system to look for problems.

Options
-a       shows processes used by other users
-u       the user format, showing user names and start times
-x       includes processes not started from a terminal, like a daemon such as ftp
-f       forest mode, displays process family trees
-l       long format: priority, parent and start time of process
-w       wide output
-C cmd   display the instances of a command
-U user  display processes of a specific user

Output Definitions
USER     process owner
PID      process ID
%CPU     % of CPU used by process
%MEM     % of memory used by process
VSZ      virtual size of process
RSS      resident set size, or number of pages in memory
TTY      terminal ID
STAT     process state: R runnable, S sleeping, Z zombie, D uninterruptible sleep, T stopped
START    time process started
TIME     CPU time consumed
COMMAND  command name

Here is an example of reviewing the samba processes on a server.

ps u -C smbd
USER  PID   %CPU %MEM VSZ   RSS  TTY STAT START TIME COMMAND
root  2626  0.0  0.4  10416 2516 ?   Ss   04:29 0:00 smbd -D
root  2630  0.0  0.4  10416 2488 ?   S    04:29 0:00 smbd -D
root  3701  0.0  0.6  11152 3428 ?   S    04:37 0:00 smbd -D

The S shows that these processes are sleeping.
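As an added example, not part of Mike's article, here is a Python script that reads ps output in the layout the article describes (with the PPID column added, since the article points you at the parent of a zombie) and reports the count of processes in each state, the zombies together with the parent that has to reap them, and the top CPU and memory consumers. The ps listing inside it is constructed sample data, not output from a real server, and the column list given to ps -eo is the one assumed for the parser.

```python
"""Summarise Linux process states from ps output.

Added example (not from the original article). It parses the output of
'ps -eo pid,ppid,user,stat,pcpu,pmem,comm' and reports how many processes are
in each state, which zombies exist and which parent they came from, and which
processes consume the most CPU or memory. The ps output below is constructed
sample data, not a capture from a real server.
"""
from collections import Counter

# Constructed sample output of: ps -eo pid,ppid,user,stat,pcpu,pmem,comm
SAMPLE_PS = """\
  PID  PPID USER     STAT %CPU %MEM COMMAND
    1     0 root     Ss    0.0  0.1 init
 2626     1 root     Ss    0.0  0.4 smbd
 2630  2626 root     S     0.0  0.4 smbd
 3701  2626 root     S     0.0  0.6 smbd
 4102     1 mysql    Sl   12.5  9.8 mysqld
 4410  4102 mysql    Z     0.0  0.0 mysqld_backup
 5200  4950 mike     T     0.0  0.2 vim
 5310  4950 mike     R+   85.0  1.1 find
 5400     1 root     D     3.0  0.3 kjournald
"""

# Meaning of the first STAT letter, as listed in the article.
STATE_NAMES = {
    "R": "runnable",
    "S": "sleeping",
    "D": "uninterruptible sleep",
    "T": "stopped",
    "Z": "zombie",
}


def parse_ps(text):
    """Turn ps text into a list of dicts; COMMAND may contain spaces, so split at most 6 times."""
    procs = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        pid, ppid, user, stat, pcpu, pmem, comm = line.split(None, 6)
        procs.append({
            "pid": int(pid), "ppid": int(ppid), "user": user, "stat": stat,
            "pcpu": float(pcpu), "pmem": float(pmem), "comm": comm,
        })
    return procs


def summarize_states(procs):
    """Count processes by their primary state letter (extra flags such as + or l are ignored)."""
    counts = Counter(p["stat"][0] for p in procs)
    return {STATE_NAMES.get(code, code): n for code, n in counts.items()}


def find_zombies(procs):
    """Return (pid, ppid, parent_command) for each zombie; the parent is who must reap it."""
    by_pid = {p["pid"]: p for p in procs}
    return [
        (p["pid"], p["ppid"], by_pid.get(p["ppid"], {}).get("comm", "?"))
        for p in procs if p["stat"].startswith("Z")
    ]


def top_consumers(procs, key="pcpu", n=3):
    """Processes sorted by %CPU ('pcpu') or %MEM ('pmem'), highest first, as (pid, comm, value)."""
    ranked = sorted(procs, key=lambda p: p[key], reverse=True)[:n]
    return [(p["pid"], p["comm"], p[key]) for p in ranked]


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for state, n in sorted(summarize_states(procs).items()):
        print(f"{state:22} {n}")
    for pid, ppid, parent in find_zombies(procs):
        print(f"zombie pid {pid} left by parent {ppid} ({parent})")
    for pid, comm, cpu in top_consumers(procs, "pcpu"):
        print(f"pid {pid:5} {comm:15} {cpu:5.1f} %CPU")
```

On a live system you would replace SAMPLE_PS with the output of the ps command named in the module docstring; a zombie is reported with its parent because sending signals to the zombie itself does nothing, the parent must collect it.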

Understanding the GRUB Bootloader: Course


by Mike on September 6, 2009 in Server Management

GRUB stands for Grand Unified Bootloader and was created in 1995 by Erich Boleyn, who wanted to have a multiboot option. Intel based motherboards must be started with a 16-bit operating system because of a limitation to 640 kilobytes of RAM at startup. GRUB is used to satisfy the 16-bit requirement and load the 32-bit Linux kernel. The AMD CMOS is 64-bit so it can load the 64-bit kernel for Linux. In order for GRUB to work it must use a three step process on CentOS. The first step loads and executes the Master Boot Record; this is the IPL, or initial program loader, for GRUB. The first stage of GRUB also starts stage1.5, which is able to understand the filesystem and acts as a bridge to stage2. Then stage1.5 starts stage2, which reads the file /boot/grub/grub.conf and starts the kernel. This course provides a basic understanding of GRUB and gives you some illustrations of how to secure it and how to fix several common problems.

Course Difficulty
The course level is for an Experienced Linux Administrator. Please note that any changes you make to GRUB could lead to a system that does not boot if you make a mistake, so learn on a test system.

Course Outline
Configure GRUB
GRUB Commands
GRUB Protection
GRUB Error Messages
Fix GRUB Config
Fix Boot
SuperGrub
Quiz

Course Support
The course author, among others, will be available for questions in the Forum.

Quizzes
The quizzes are there to help you focus on the key points made about each distro. So before you take the quiz be sure you understand all of the features that you will be tested on.

Start The Course
Here is a summary of the boot process and where GRUB is positioned.

Power On
BIOS Starts
  POST
  Hardware Probe
  Select boot Device
  Load and execute MBR
Bootloader
  Load/execute first stage of GRUB
  Load/execute stage1.5 of GRUB
  Load/execute second stage of GRUB
Kernel Initialization
  Load/execute kernel
  Hardware probe
  Mount Initial RAM disks
  Initialize Devices
  Mount root
System init Starts
  Load/execute /sbin/init
  Select runlevel
  run the rc command
  run rc?.d/K* stop
  run rc?.d/S* start
  run kudzu
  run daemons
  text based logins
  start XWindow

GRUB is a boot loader, which is the first piece of software that runs when the server starts. GRUB loads and transfers control to the operating system, specifically the kernel. GRUB is flexible enough to understand different filesystems and kernel executable formats.

Features
GRUB has a fistful of options, the most important being the ability to multiboot. In the design, the primary goals beyond multiboot were ease of use for users, generous functionality to support both experts and designers, and backward compatibility. The other features are: multiple executable formats, support for non-multiboot kernels, the ability to load multiple modules, the ability to load a configuration file, a menu interface, a flexible command line, support for multiple filesystem types, automatic decompression using gzip, the ability to access data on any installed device, independence from drive geometry translations, detection of all the installed RAM, support for LBA mode, support for network booting and support for remote terminals. Yep, lots of features.

Naming Convention
When you name devices with GRUB the name must be placed within ( ). So if you are naming a hard drive it would look like this:

(hd0,0)

hd is the hard drive, the first 0 means that it is the first hard drive detected, and the second 0 is the first partition on the hard drive. Note that if you were using the /boot partition for GRUB, which is typical, the Linux file system lists this drive differently.

/dev/sda1 = (hd0,0)

GRUB always lists drives and partitions from 0 while the Linux file system lists them from 1. The other item of note is that GRUB only uses the hd convention; in other words it does not distinguish IDE, SATA or SCSI. GRUB only counts the drive numbers, starting with zero.

Here is an example output from df. Note that the /boot directory is hda1, or according to GRUB (hd0,0), because it is the first drive, first partition.

/dev/hda2  /
/dev/hda3  /home
/dev/hda1  /boot
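An added example, my own and not part of the course, that performs the naming translation described above in both directions, including the partition off-by-one that is easy to get wrong. It assumes the BIOS enumerates drives in the same order as the kernel letters them (sda is the first BIOS drive), which holds on a simple single-controller system but is an assumption; on a real machine GRUB's device.map is the authority.

```python
"""Translate Linux partition device names to GRUB legacy names and back.

Added example, not from the original course. GRUB counts drives and
partitions from 0 while Linux numbers partitions from 1, so /dev/sda1 is
(hd0,0) and /dev/hdb3 is (hd1,2). Assumption: BIOS drive order matches the
kernel's drive lettering; check device.map on a real system.
"""
import re

# hd (IDE) and sd (SATA/SCSI) both collapse to GRUB's hd, as the course says.
DEV_RE = re.compile(r"^/dev/(?:hd|sd)([a-z]+)(\d+)$")
GRUB_RE = re.compile(r"^\(hd(\d+),(\d+)\)$")


def _letters_to_index(letters):
    """'a' -> 0, 'z' -> 25, 'aa' -> 26: the kernel's drive lettering, zero based."""
    n = 0
    for ch in letters:
        n = n * 26 + (ord(ch) - ord("a") + 1)
    return n - 1


def _index_to_letters(index):
    """Inverse of _letters_to_index: 0 -> 'a', 26 -> 'aa'."""
    n = index + 1
    out = ""
    while n:
        n, rem = divmod(n - 1, 26)
        out = chr(ord("a") + rem) + out
    return out


def linux_to_grub(dev):
    """'/dev/sda1' -> '(hd0,0)'; both the drive and the partition drop by one."""
    m = DEV_RE.match(dev)
    if not m:
        raise ValueError(f"not a partition device name: {dev}")
    letters, part = m.groups()
    if int(part) < 1:
        raise ValueError("Linux partitions are numbered from 1")
    return f"(hd{_letters_to_index(letters)},{int(part) - 1})"


def grub_to_linux(name, prefix="sd"):
    """'(hd0,0)' -> '/dev/sda1'; prefix selects the kernel naming scheme (sd or hd)."""
    m = GRUB_RE.match(name)
    if not m:
        raise ValueError(f"not a GRUB partition name: {name}")
    drive, part = (int(x) for x in m.groups())
    return f"/dev/{prefix}{_index_to_letters(drive)}{part + 1}"


if __name__ == "__main__":
    for dev in ("/dev/sda1", "/dev/hda1", "/dev/hdb3", "/dev/sdc2"):
        print(f"{dev:10} = {linux_to_grub(dev)}")
```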

Comments
Marcus September 7, 2009 at 12:33 am

You say: When you name devices with grub it must be placed within ( ). So if you are naming a hard drive it would look like this: (hd0,1) hd is the hard drive, 0 means that it is the first hard drive detected, and 1 is the first partition on the I guess it should say hd0,0 instead. Best Regards Marcus
mike September 7, 2009 at 2:08 am

Thanks for the notice, you are correct and I have fixed it. This just illustrates how easy it can be to make a mistake with GRUB and the natural way we think.

Create Quota Profiles


by Mike on October 6, 2009 in Server Management

Create Profiles with edquota

One advantage of the edquota command is that an administrator is able to create one quota for a user and then use that user as a template, or profile, for other users. Create a profile for a user, then save and test the quota to be sure it is correct. Then use the edquota command to roll out that profile to other users.

Here is an example.

Disk quotas for user fred (uid 505):
  Filesystem  blocks  soft   hard   inodes  soft  hard
  /dev/sdc1   34000   35000  40000  234     0     0

Here fred represents the profile, so that once fred's quota file is saved it may be used to create other user quotas. Use this command to create similar quotas for harry and mary. The -p option is what is used to apply the template. Make sure the user that you want to be the template immediately follows the -p option.

edquota -p fred harry mary

Effectively what this means is that when you set up a system you will want to verify the limits that you want to use for users. You may even have different classes of users and create a number of different templates. Now you could create templates like tech, office_users, power_users, etc. and give each a different template. However, the disadvantage is that you have to create these as real users, and so there is the mess of having accounts that are not really used and the security issue of unused accounts. I have found it is better to use real users, as you have a more realistic template and can actually get feedback from the user to verify their needs.

edquota options
-u  edit user
-g  edit group
-t  edit soft time limit
-p  create template

Create Group Quotas


by Mike on October 6, 2009 in Server Management

Group quotas allow you to manage the total resources used by a group. This allows you to contain a group's usage of disk space on the server. Here are the steps to create group quotas.

Add a group:
groupadd sales

Create a directory called sales:
mkdir /sales

Edit /etc/fstab to enable group quotas:
vi /etc/fstab
/dev/sdb2 /sales ext3 defaults 1 1

Now change the line above to the one below, which enables quotas. The options are one comma-separated field with no spaces.
/dev/sdb2 /sales ext3 usrquota,grpquota 1 1

Note that this example shows both user and group quotas on the partition. You do not have to have user quotas; you can work with group quotas alone. Save the change and then mount the /sales directory.
mount -a

If you make additional changes you will need to unmount and then remount the directory.
mount -o remount /sales

Start the quotacheck. Change to init level 1:
init 1

Run the quotacheck command:
quotacheck -cug /sales

Return to runlevel 5, or runlevel 3 (text mode):
init 5

Turn the quota on:
quotaon /sales

Set the group quota specifics:
setquota -g sales 200 800 0 0 /sales

Test your settings as tom. Note that tom must be a member of the sales group. As root, edit the /etc/group file and add tom and the others that you want to be a part of the group. Here tom, mary and joe are all a part of the group.
sales:x:1003:tom,mary,joe

su tom

Move to the sales directory:
cd /sales
quota -g (this will show current quotas for the group)

Create some disk usage:
dd if=/dev/zero of=filespace bs=1k count=150
quota -g (this will show current quotas for the group)
dd if=/dev/zero of=filespace bs=1k count=900

Continue to add space and then evaluate the changes that occur. Once the group reaches the soft limit there will be a warning and a 7 day grace period.

Create User Quotas


by Mike on October 6, 2009 in Server Management

You will want to create and test user quotas to guarantee system resources for all users. Having been a Linux administrator for over 10 years I have never found a group of users that does not have someone who will abuse the resources on the server by using them all for themselves. And no, talking with them and explaining the problems of running out of resources does not do much good with this specific type of individual. Once you have installed the quota program you will need to create specific resource limits for users.

Add a user:
useradd tom

Edit /etc/fstab to enable user quotas:
vi /etc/fstab

If the /home directory was created with LVM it will look like this:
/dev/VolGroup00/LogVol00 /home ext3 defaults 1 1

If you are not using LVM but have a label it will look like this:
LABEL=/home /home ext3 defaults 1 1

Now change the default line above, which is for a Logical Volume, to the one below, which enables quotas.
/dev/VolGroup00/LogVol00 /home ext3 usrquota 1 1

Save the change and then remount the /home directory:
mount -o remount /home

Start the quotacheck. Change to init level 1:
init 1

Run the quotacheck command:
quotacheck -cug /home

Return to runlevel 5 or runlevel 3:
init 5

Turn the quota on:
quotaon /home

Set the user quota specifics. Here the setquota command is used and a soft limit of 200 and a hard limit of 800 is set. Yes, this is very small, but it provides a way for you to test how it all works, as the limits are hit quickly in testing. You want to be very familiar with how it all works before you roll it out to your users.
setquota -u tom 200 800 0 0 /home

Test your settings as tom:
su tom
quota (this will show current quotas for the user)
dd if=/dev/zero of=filespace bs=1k count=150

Each time you increase space usage run quota to see the changes.
dd if=/dev/zero of=filespace bs=1k count=900

Once you are done with testing be sure you understand how to increase or decrease limits on your system. Both of these can be performed with the edquota command and the -u option so that you can modify the resources for a user.
edquota -u fred

This command will open up fred's quota file, which has seven columns. The top of the file will list the user name and UID. The first column will list the file system. This is usually in the format of the partition that the quotas are on. An example:
/dev/hda6

The second column lists the number of blocks that are currently used by the user. These are 1KB blocks. An example:
4485296
This is almost 4.5 GB.

The next two columns represent the soft and hard limits for the user. 0 means that the user has no limits. 4000000 in the soft limit means that when the user reaches 4 GB they will trigger a message that they are in violation of their quota. The grace period, set in days, gives this user the opportunity to make changes to move under the soft limit. Once the grace period is over, the user will be forced to make the necessary changes. The hard limit represents a boundary that the user will not be able to cross. Administrators do not need to set hard limits unless the grace period is used. If an administrator does not use the grace period the result will be that the soft limit will be the boundary for users. Typically, users appreciate a reasonable boundary with a warning system so that in the middle of an important project they are not faced with deleting data before they can save. Of course there are always the users that will push it to the limit.
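The following Python model is added here and is not part of the quota course. It works through the soft limit, hard limit and grace period rules described above, and the template idea from the Create Quota Profiles lesson (edquota -p fred harry mary). It does not talk to the kernel quota system; it only classifies a quota entry the way the lesson says quota would treat it, for blocks and inodes alike. The users and numbers (fred's limits from the profile lesson, tom's 200/800 limits from this lesson) are sample data, and the state labels are my own names.

```python
"""Classify disk quota entries the way the quota lessons describe them.

Added example, not part of the quota course. A quota entry has blocks used
(1 KB blocks), a soft limit, a hard limit, the same pair for inodes, and a
grace period in days. 0 means no limit, as in edquota. The state labels
(ok, soft-warning, grace-expired, hard-limit) are my own names for the
situations the lesson describes. Users and numbers are sample data.
"""
from dataclasses import dataclass, replace


@dataclass
class UserQuota:
    user: str
    filesystem: str
    blocks_used: int
    soft: int                # block soft limit, 0 = none
    hard: int                # block hard limit, 0 = none
    inodes_used: int = 0
    isoft: int = 0           # inode soft limit, 0 = none
    ihard: int = 0           # inode hard limit, 0 = none
    grace_days: int = 7      # how long a user may stay over the soft limit
    days_over_soft: int = 0  # how long they have already been over it


# Ordered from least to most severe, so max() picks the worst state.
SEVERITY = ["ok", "soft-warning", "grace-expired", "hard-limit"]


def _limit_state(used, soft, hard, days_over, grace):
    """Hard limit is absolute and checked first; the soft limit only bites after grace."""
    if hard and used >= hard:
        return "hard-limit"         # the next write fails
    if soft and used > soft:
        if days_over >= grace:
            return "grace-expired"  # soft limit now enforced like a hard one
        return "soft-warning"       # warning issued, user can still save
    return "ok"


def quota_state(q):
    """Worst of the block and inode states: either one can stop a user saving."""
    states = [
        _limit_state(q.blocks_used, q.soft, q.hard, q.days_over_soft, q.grace_days),
        _limit_state(q.inodes_used, q.isoft, q.ihard, q.days_over_soft, q.grace_days),
    ]
    return max(states, key=SEVERITY.index)


def apply_template(template, users, usage=None):
    """Mirror 'edquota -p template user...': copy the limits and grace, not the usage."""
    usage = usage or {}
    return [
        replace(template, user=u, blocks_used=usage.get(u, 0), inodes_used=0, days_over_soft=0)
        for u in users
    ]


if __name__ == "__main__":
    # fred's entry from the Create Quota Profiles lesson
    fred = UserQuota("fred", "/dev/sdc1", 34000, 35000, 40000, inodes_used=234)
    clones = apply_template(fred, ["harry", "mary"], {"harry": 36000, "mary": 40000})
    for q in [fred] + clones:
        print(f"{q.user:6} {q.blocks_used:>7} blocks  state={quota_state(q)}")
    # tom's 200/800 test limits from this lesson, after the two dd runs
    for used in (150, 900):
        tom = UserQuota("tom", "/home", used, 200, 800)
        print(f"tom    {used:>7} blocks  state={quota_state(tom)}")
```

The hard limit is tested first because it is absolute; the soft limit produces only a warning until the grace period has run out, which is exactly why the lesson recommends a soft limit with a grace period over a bare hard limit.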

Quota Commands Summary


by Mike on October 6, 2009 in Server Management

There are a number of excellent quota commands that will help you get the job done quickly. You will want to practice these commands so that you can use them quickly when you need to, as users will probably see it as a crisis situation when they cannot save because they have gone over the quotas you set.

quota
-u  check quotas for a user
-g  check quotas for a group
-q  show file systems where the user is over the limit
Example:
quota -u tom

repquota
This command creates a summary of quotas on a file system.
-u  report on quotas for users
-a  report on quotas for the entire file system
-v  report all quotas even if there is no usage
-g  report quotas for groups
Example:
repquota /home

edquota
This provides a way to edit quotas for users.
-u  edit user
-g  edit group
-t  edit soft limit time
-p  set up a policy for another user
In this example the already established policy for fred is given to mary. This is a way to create a standard policy.
edquota -p fred mary

setquota
Another way of setting quotas is with the setquota command.
-u  user
-g  group
-t  set grace period
setquota -u joe 2000 6000 0 0 /home

quotacheck
The following options can be employed with the quotacheck command to gain information for managing the server; in most cases run it only when the file system is unmounted. The file system is not ready to run quotas until the quotacheck command is run to see what disk space is already used.
-a  scan for quotas by checking the /etc/mtab file
-v  verbose scan
-u  scan for user quotas
-g  scan for group quotas
-m  remounts a scanned filesystem
If you run a command like this (only run it on an unmounted system), it will check all the above:
quotacheck -avugm /home
This command will check /etc/mtab. If the quotas were set up correctly there should be an aquota file in the directory that the quotas were set up on. Try this command for quotas on the /home directory, assuming /home is on a separate partition.
ls -la /home/aquota.*
You should see output showing that the file exists, called either aquota.user (for user quotas) or aquota.group (for group quotas). These are binary files that store disk usage in the top level of the partitions.

Verify Quota Configuration


by Mike on October 6, 2009 in Server Management

Once you have quotas set up on the server, whether they are user or group quotas, you will need to test them to verify they are working correctly. Set the quota for a user and then add file space as that user to verify that the quotas change in the process. One command that I always liked to use is repquota. For example, if your quotas are on the /home directory run this command:
repquota /home
That should show the current status and keep up to date with changes. This will confirm both user and group quotas.

Turn Quotas Off
This command turns quotas off.
quotaoff -vaug
Quotas may be enabled again by running the command quotaon.

Maintain Quotas
The quotacheck command must be run on a regular basis to maintain the quotas that have been set. Use this command in crontab -e or in one of the following files to run it regularly. It will mean that the quota accounting is much more accurate.
quotacheck -avug
Files that the command could be placed into. Frequency depends on the amount of change that is expected.
/etc/cron.hourly
/etc/cron.daily
/etc/cron.weekly
/etc/cron.monthly

Manage Users with Quotas


by Mike on October 6, 2009 in Server Management

Quotas Mini-Course
The quotas mini-course is designed to help you implement quotas for users and groups. Quotas are a way to guarantee resources for your users. The guarantee of resources to your users is fundamental to good system administration. When users run out of space there is always trouble, and you can be sure as administrator that the trouble will be pointed at you. Whenever you implement quotas with users it is a good idea to create soft limits, which give them a warning for 7 days while they can still save. Certainly some users will ignore the soft limit and push to the hard limit, where they cannot go over the limit and can lose data because they cannot save.

Course Difficulty
This course is for new administrators or home administrators with little experience. Working out quotas on a test box first is highly recommended.

Course Support
You can find support, where you can ask questions, in the forum.

The Linux kernel must be able to support quotas.

Install quotas:
yum install quota

Check to see if the quota rpm is installed:
rpm -qi quota

Find a list of tools that are associated with quota:
rpm -ql quota

Commands and descriptions:
/sbin/quotaon /fs           This command will enable quotas for the filesystem.
/sbin/quotaoff /fs          This command will disable quotas for the filesystem.
/usr/sbin/edquota username  Edit the quotas for a specific user.
/usr/bin/quota              Users can review the quotas set for them.
/usr/sbin/repquota          Generates a report of disk usage by users.
/sbin/quotacheck            Checks for quota usage.

When the computer starts there is a script that will check to see if /etc/fstab has been modified to provide quotas. This script will run the two commands needed to enable quotas: quotacheck and quotaon. The script is found at /etc/rc.sysinit if you would like to view it.

Edit /etc/fstab
In order for a directory to use quotas it must be set up in the /etc/fstab file. The file system which you place quotas on must be unmounted and then remounted for quotas to work. Here is the process (for the /home directory). Be careful: make a backup of /etc/fstab before making modifications. In the example below the first line shows the default, and the lines that follow show the modifications to begin the process of setting up quotas. The second line sets up user quotas, the third line sets up user quotas and group quotas.

/dev/hda7 /home ext3 defaults 1 2
#####################################
/dev/hda7 /home ext3 exec,dev,suid,rw,usrquota 1 2
#####################################
/dev/hda7 /home ext3 exec,dev,suid,rw,usrquota,grpquota 1 2

Once the changes have been made (you made a backup, right?), restart the system, or remount the file system as shown below, so that the quota options take effect. Then create the quota file, run quotacheck to build the usage table and turn quotas on.

touch /home/aquota.user
chmod 600 /home/aquota.user
mount -o remount /home
quotacheck -augm /home
quotaon -avug /home

This must be done after you have set up quotas on the file system of your choice.

Editing Mount Points


by Mike on December 7, 2009 in Server Management

fstab
/etc/fstab contains a listing of all of the potential mounted drives on the system, both local and remote. The file /etc/rc.sysinit reads /etc/fstab to mount the drives on startup. This text file is the file you edit if you want to mount a partition permanently once the system boots. One point to note: this file lists potential partitions that can be mounted; it does not, however, guarantee that they are actually mounted. If you want to see the mounted partitions you can either use the df command or view /etc/mtab, see below.

# This file is edited by fstab-sync - see 'man fstab-sync' for details
LABEL=/1         /                 ext3    defaults        1 1
LABEL=/bk        /bk               ext3    defaults        1 2
LABEL=/boot1     /boot             ext3    defaults        1 2
none             /dev/pts          devpts  gid=5,mode=620  0 0
none             /dev/shm          tmpfs   defaults        0 0
LABEL=/home      /home             ext3    defaults        1 2
LABEL=/opt       /opt              ext3    defaults        1 2
none             /proc             proc    defaults        0 0
none             /sys              sysfs   defaults        0 0
LABEL=/tmp       /tmp              ext3    defaults        1 2
LABEL=/usr       /usr              ext3    defaults        1 2
LABEL=/var1      /var              ext3    defaults        1 2
LABEL=SWAP-sda3  swap              swap    defaults        0 0
LABEL=SWAP-sdc2  swap              swap    defaults        0 0
/dev/hda         /media/cdrecorder auto    pamconsole,fscontext=system_u:object_r:removable_t,exec,noauto,managed 0 0

Understanding /etc/fstab
The file /etc/fstab is divided into label, mount point, file system, options, dump order and fsck order.

Label
The local devices are labeled by e2label so that each local mount point will have a label. The example below shows the label as LABEL=/home.
LABEL=/home /home ext3 defaults 1 2
Mounts that are not local will not be labeled in this way.

Mount Point
The mount point is where a directory is mounted in the file system structure. In the example /home is the mount point.
LABEL=/home /home ext3 defaults 1 2

File System
The file system is the formatted file system on the drive. In the example the file system is ext3, which has journaling included.
LABEL=/home /home ext3 defaults 1 2

Options
There are a number of options that are available when mounting a drive.

Mount Option  Description
async         read and write data asynchronously
atime         update inodes when a file is accessed
auto          normal formats for floppy or removable drive
defaults      rw,suid,dev,exec,auto,nouser,async
dev           allows access to devices (consoles or drives)
exec          permit binaries to execute
noatime       inode is not updated when accessed
noauto        must be mounted manually
nodev         devices not read
noexec        binaries cannot be run
nosuid        disallows setuid and setgid
nouser        only root can mount the filesystem
remount       filesystem can be remounted
ro            read only
rw            read and write
suid          allows setuid and setgid
sync          read and write done at the same time
user          allows non-root users to mount the filesystem

Dump Order
The dump order is important for backups. Place a 1 for local devices so dump can back them up. The example shows a 1.
LABEL=/home /home ext3 defaults 1 2

fsck Order
This allows you to set priorities for which device gets checked by fsck first in case of a system crash. Usually a 0 is placed for devices that do not need to be checked, like swap; a 1 is placed for the / directory so it is checked first; and a 2 on all other devices. The example is a 2.
LABEL=/home /home ext3 defaults 1 2

Add an Additional Device
You cannot use a label unless it has been explicitly created, so you will need to use the block device as in the example. Typically a drive that is local and not removable will be 1 and 2, while a removable device like a ZIP drive will be 0 and 0.
/dev/hdc1 /bac ext3 defaults 1 2
Add this line for the device and mount point that you created and save. Each time you restart it will be available.

cat /etc/fstab
LABEL=/          /         ext3    defaults        1 1
LABEL=/var       /var      ext3    defaults        1 2
LABEL=/home      /home     ext3    usrquota        1 2
LABEL=/boot      /boot     ext3    defaults        1 2
tmpfs            /dev/shm  tmpfs   defaults        0 0
devpts           /dev/pts  devpts  gid=5,mode=620  0 0
sysfs            /sys      sysfs   defaults        0 0
proc             /proc     proc    defaults        0 0
LABEL=SWAP-hda3  swap      swap    defaults        0 0

/etc/mtab lists the actual mounts that exist. This is the difference from /etc/fstab, which lists potential mount points.

cat /etc/mtab
/dev/hda2 / ext3 rw 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
devpts /dev/pts devpts rw,gid=5,mode=620 0 0
/dev/hda6 /var ext3 rw 0 0
/dev/hda5 /home ext3 rw,usrquota 0 0
/dev/hda1 /boot ext3 rw 0 0
tmpfs /dev/shm tmpfs rw 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw 0 0

When you look at the mounts in the /proc directory you will see that there are two mounts referring to the / directory; these are used by the initrd scripts to mount the filesystem.

cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / ext3 rw,data=ordered 0 0
/dev /dev tmpfs rw 0 0
/proc /proc proc rw 0 0
/sys /sys sysfs rw 0 0
none /selinux selinuxfs rw 0 0
/proc/bus/usb /proc/bus/usb usbfs rw 0 0
devpts /dev/pts devpts rw 0 0
/dev/hda6 /var ext3 rw,data=ordered 0 0
/dev/hda5 /home ext3 rw,data=ordered,usrquota 0 0
/dev/hda1 /boot ext3 rw,data=ordered 0 0
tmpfs /dev/shm tmpfs rw 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw 0 0
/etc/auto.misc /misc autofs rw,fd=6,pgrp=1949,timeout=300,minproto=5,maxproto=5,indirect 0 0
-hosts /net autofs rw,fd=12,pgrp=1949,timeout=300,minproto=5,maxproto=5,indirect 0 0
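As an added example that is not part of this article or of the quota lessons, the Python below parses fstab lines into the six fields described above, adds usrquota and/or grpquota to one mount point's options without losing the other options (the edit the Create User Quotas, Create Group Quotas and Manage Users with Quotas lessons make by hand, including a check that the options field contains no spaces), and compares /etc/fstab against /etc/mtab to show which potential mounts are actually mounted and whether a quota option requested in fstab has taken effect on the live mount. The fstab and mtab listings in the script are constructed sample data modelled on the listings above; the function names are my own.

```python
"""Parse /etc/fstab, enable quota options, and compare with /etc/mtab.

Added example, not from the original article. Splits fstab lines into the six
fields (device or label, mount point, file system, options, dump order, fsck
order), rewrites the options of one mount point to add usrquota/grpquota, and
reports which fstab entries are actually mounted and whether the live mount
carries the quota options fstab asks for. Both listings are constructed
sample data in the same shape as the article's listings.
"""
from dataclasses import dataclass

SAMPLE_FSTAB = """\
# This file is edited by fstab-sync - see 'man fstab-sync' for details
LABEL=/         /         ext3    defaults        1 1
LABEL=/var      /var      ext3    defaults        1 2
LABEL=/home     /home     ext3    usrquota        1 2
LABEL=/boot     /boot     ext3    defaults        1 2
/dev/sdb2       /sales    ext3    defaults        1 1
tmpfs           /dev/shm  tmpfs   defaults        0 0
LABEL=SWAP-hda3 swap      swap    defaults        0 0
"""

# /home was remounted before usrquota was added to fstab, so the live mount lacks it.
SAMPLE_MTAB = """\
/dev/hda2 / ext3 rw 0 0
/dev/hda6 /var ext3 rw 0 0
/dev/hda5 /home ext3 rw 0 0
/dev/hda1 /boot ext3 rw 0 0
tmpfs /dev/shm tmpfs rw 0 0
"""

QUOTA_OPTS = ("usrquota", "grpquota")


@dataclass
class FstabEntry:
    device: str
    mount_point: str
    fstype: str
    options: list
    dump: int
    fsck: int

    def to_line(self):
        return f"{self.device} {self.mount_point} {self.fstype} {','.join(self.options)} {self.dump} {self.fsck}"


def parse_line(raw):
    """One fstab/mtab line -> FstabEntry, or None for blank/comment lines.

    A space inside the options field ('usrquota, grpquota') yields seven
    fields; mount would reject such a line, so this raises instead.
    """
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {raw!r}")
    dev, mnt, fstype, opts, dump, fsck = fields
    return FstabEntry(dev, mnt, fstype, opts.split(","), int(dump), int(fsck))


def parse_fstab(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def enable_quota(text, mount_point, user=True, group=False):
    """Return the fstab text with quota options added to one mount point; other lines untouched."""
    wanted = [o for o, on in zip(QUOTA_OPTS, (user, group)) if on]
    out = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None or entry.mount_point != mount_point:
            out.append(raw)
            continue
        opts = [o for o in entry.options if o != "defaults"]  # 'defaults' is only a placeholder
        opts += [w for w in wanted if w not in opts]
        entry.options = opts or ["defaults"]
        out.append(entry.to_line())
    return "\n".join(out) + "\n"


def compare_with_mtab(fstab_text, mtab_text):
    """mount point -> {'mounted': bool, 'quota_missing': quota options in fstab absent from the live mount}"""
    live = {e.mount_point: e for e in parse_fstab(mtab_text)}
    report = {}
    for entry in parse_fstab(fstab_text):
        wanted = {o for o in entry.options if o in QUOTA_OPTS}
        mounted = live.get(entry.mount_point)
        have = set(mounted.options) if mounted else set()
        report[entry.mount_point] = {"mounted": mounted is not None, "quota_missing": sorted(wanted - have)}
    return report


if __name__ == "__main__":
    print(enable_quota(SAMPLE_FSTAB, "/sales", user=True, group=True))
    for mnt, info in compare_with_mtab(SAMPLE_FSTAB, SAMPLE_MTAB).items():
        print(f"{mnt:10} mounted={info['mounted']!s:5} quota_missing={info['quota_missing']}")
```

The /home line in the sample is the case the lessons warn about: fstab asks for usrquota, but until the file system is remounted (mount -o remount /home) the live mount in mtab does not carry it, and quotaon will fail.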

Monitoring User Activity with psacct or acct


by Mike on January 15, 2010 in Server Management

Monitoring with psacct
An excellent program for monitoring users and applications is psacct. This program works in the background of your system, recording what all users are doing on your system as well as the resources that are being consumed. I originally started using this program when a client asked for a way to monitor his developers and what they were doing on the servers they were working on. psacct provided an excellent solution, which told not only how long the developers were on the box but what commands they were using and how much of the resources they were using. Another great application for this program is to use it to evaluate the resources that applications consume on your server. So for example you could see the total resources consumed by apache, mysql, etc. Whether you are a CentOS administrator, an Ubuntu Server administrator or a home user wanting to track activity on your machine, this is a good program to explore.

Install Process Accounting
yum install psacct
on Ubuntu:
sudo apt-get install acct

Start Process Accounting
/etc/init.d/psacct start
Starting process accounting: [ OK ]
on Ubuntu:
sudo service acct start

Connect Time
The connect time in hours is based on logins and logouts. The ac command provides a total.
ac
total 256.64

Accounting By Day
The system's default login accounting file is /var/log/wtmp.
ac -d
Nov 1   total   8.78
Nov 3   total   6.15
Nov 6   total  13.68
Nov 7   total  15.50
Nov 8   total  10.54
Nov 9   total  10.56
Nov 10  total   8.41
Nov 13  total   8.66
(cut)
Today   total  19.33

Time Totals for Users
ac -p
  root     5.83
  mike   251.29
  total  257.13

Commands of Users
You can search out the commands of users with the lastcomm command, which prints out the previously executed commands.

Explanation of output:
Process  Flag  Username  Terminal  Time
ping     S     mike      pts/5     0.00 secs Thu Nov 30 13:39

Flags:
S - executed as super-user
F - executed after a fork but without a following exec
D - terminated with core file
X - terminated with signal SIGTERM

lastcomm mike
bash         X  mike  __     0.04 secs Thu Nov 30 12:49
bash         X  mike  __     0.04 secs Thu Nov 30 12:57
ping         S  mike  pts/5  0.00 secs Thu Nov 30 13:39
nmap            mike  pts/4  4.01 secs Thu Nov 30 13:38
ping         S  mike  pts/5  0.00 secs Thu Nov 30 13:37
ping         S  mike  pts/5  0.00 secs Thu Nov 30 13:34
ping         S  mike  pts/5  0.00 secs Thu Nov 30 13:34
bash         X  mike  __     0.03 secs Thu Nov 30 13:28
bash         F  mike  pts/6  0.00 secs Thu Nov 30 13:28
consoletype     mike  pts/6  0.00 secs Thu Nov 30 13:28
bash         F  mike  pts/6  0.00 secs Thu Nov 30 13:28
id              mike  pts/6  0.00 secs Thu Nov 30 13:28
grep            mike  pts/6  0.00 secs Thu Nov 30 13:28
bash         F  mike  pts/6  0.00 secs Thu Nov 30 13:28
grep            mike  pts/6  0.00 secs Thu Nov 30 13:28
bash         F  mike  pts/6  0.00 secs Thu Nov 30 13:28
egrep           mike  pts/6  0.00 secs Thu Nov 30 13:28
bash         F  mike  pts/6  0.00 secs Thu Nov 30 13:28
dircolors       mike  pts/6  0.00 secs Thu Nov 30 13:28
bash         F  mike  pts/6  0.00 secs Thu Nov 30 13:28
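Added example, not from the original article: a Python parser for lastcomm output in the layout shown above. It totals commands and CPU seconds per user and lists the records carrying the S flag (executed as super-user), which are the ones to review first when checking what a user did on the box. The sample lines are constructed in the same column layout as the output above; the rule for recognising the optional flag column (a short run of the letters S, F, D, X between the command and the user name) is an assumption taken from that layout.

```python
"""Parse lastcomm output from psacct/acct and summarise it per user.

Added example, not from the original article. Reads lines in the layout
lastcomm prints (command, optional flags, user, terminal, CPU seconds, date),
groups them per user, and lists the commands that ran with the S flag
(executed as super-user). The sample lines are constructed data.
"""
import re
from collections import defaultdict

# Constructed sample lastcomm output, same column layout as the article's listing.
SAMPLE_LASTCOMM = """\
ping           S    mike     pts/5      0.00 secs Thu Nov 30 13:39
bash           F    mike     pts/6      0.00 secs Thu Nov 30 13:28
id                  mike     pts/6      0.00 secs Thu Nov 30 13:28
grep                mike     pts/6      0.00 secs Thu Nov 30 13:28
bash           X    mike     __         0.03 secs Thu Nov 30 13:28
find                root     pts/2      4.01 secs Thu Nov 30 13:20
ping           S    root     pts/2      0.00 secs Thu Nov 30 13:19
"""

FLAG_MEANING = {
    "S": "executed as super-user",
    "F": "executed after a fork, without a following exec",
    "D": "terminated with core file",
    "X": "terminated with signal SIGTERM",
}

# command, optional flag letters, user, terminal, cpu seconds, timestamp.
# Assumption: a user name made only of the letters S/F/D/X would be misread as flags.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?:(?P<flags>[SFDX]{1,4})\s+)?(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>\d+\.\d+) secs\s+(?P<when>.+)$"
)


def parse_lastcomm(text):
    """Return one dict per accounting record; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["flags"] = rec["flags"] or ""
        rec["secs"] = float(rec["secs"])
        records.append(rec)
    return records


def per_user_summary(records):
    """user -> {'commands': count, 'cpu_secs': total, 'superuser': count of S-flag runs}"""
    summary = defaultdict(lambda: {"commands": 0, "cpu_secs": 0.0, "superuser": 0})
    for r in records:
        s = summary[r["user"]]
        s["commands"] += 1
        s["cpu_secs"] = round(s["cpu_secs"] + r["secs"], 2)
        if "S" in r["flags"]:
            s["superuser"] += 1
    return dict(summary)


def superuser_commands(records):
    """(user, command, timestamp) for every record carrying the S flag."""
    return [(r["user"], r["cmd"], r["when"]) for r in records if "S" in r["flags"]]


if __name__ == "__main__":
    recs = parse_lastcomm(SAMPLE_LASTCOMM)
    for user, s in per_user_summary(recs).items():
        print(f"{user:8} commands={s['commands']:3} cpu={s['cpu_secs']:6.2f}s super-user={s['superuser']}")
    for user, cmd, when in superuser_commands(recs):
        print(f"{when}  {user:8} ran {cmd} ({FLAG_MEANING['S']})")
```

ping carries the S flag for an ordinary user because it is a setuid program, so an S on its own is not an alarm; a user's S-flagged records are worth a look when the command is one that user would not normally run with root privileges.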

Search Logs for Commands

Using the lastcomm command you will be able to view each use of an individual command.

lastcomm grep

grep              mike   pts/6    0.00 secs Thu Nov 30 13:28
grep              mike   pts/6    0.00 secs Thu Nov 30 13:28
grep              mike   pts/5    0.00 secs Thu Nov 30 12:57
grep              mike   pts/5    0.00 secs Thu Nov 30 12:57
grep              mike   pts/7    0.00 secs Wed Mar 14 06:07
grep              mike   pts/7    0.00 secs Wed Mar 14 06:07
grep              root   pts/7    0.00 secs Wed Mar 14 05:39
grep              root   pts/7    0.00 secs Wed Mar 14 05:39
grep              root   pts/2    0.00 secs Wed Mar 14 05:16

Print Summary

The sa command prints a summary of the commands that were executed. It also condenses the information into a summary file called savacct, which contains the number of times each command was executed. The usracct file keeps a summary of the commands by user.

Output Fields
  cpu   - sum of system and user time in cpu minutes
  re    - actual time in minutes
  k     - cpu-time averaged core usage, in 1k units
  k*sec - cpu storage integral (kilo-core seconds)
  u     - user cpu time in cpu minutes
  s     - system time in cpu minutes

/usr/sbin/sa

Print User Information

Use the -u option to provide information on individual users.

/usr/sbin/sa -u

root       0.00 cpu      598k mem accton
root       0.00 cpu     1081k mem initlog
root       0.00 cpu      920k mem initlog
root       0.00 cpu     1172k mem touch
root       0.00 cpu     1402k mem psacct
mike       0.01 cpu     7282k mem kdeinit         *
mike       0.00 cpu     6232k mem gnome-panel     *
mike       0.02 cpu     4848k mem gnome-terminal

Display Number of Processes

This prints the number of processes and the number of CPU minutes for each user. An increase in these fields indicates a problem: if the numbers continue to increase it is time to look into what is happening.

/usr/sbin/sa -m

               195  220.31re    0.09cp    2220k
mike            65  198.37re    0.08cp    2135k
root            88   21.86re    0.00cp    1084k
postgres        40    0.09re    0.00cp    4879k
smmsp            2    0.00re    0.00cp    1827k

Display All Names

The -a option shows each program that has run on your server, with its real time and memory usage, so you can evaluate which programs are running and what they consume.

sa -a

     221   83.36re    0.01cp    1414k
       1    0.01re    0.00cp    1471k   rpmq
       7    0.33re    0.00cp    2465k   sendmail*
       1   40.78re    0.00cp    1844k   sshd
      37    0.00re    0.00cp     964k   bash*
      32    0.00re    0.00cp     604k   tmpwatch
      27    0.00re    0.00cp    4984k   postmaster*
      26    0.00re    0.00cp    1116k   df
      15    0.00re    0.00cp     959k   id
      11    0.00re    0.00cp     709k   egrep
       8    0.00re    0.00cp     636k   sa
       7    0.00re    0.00cp     817k   grep
       6    0.00re    0.00cp     562k   ac
       5    0.01re    0.00cp     789k   awk
       3    0.41re    0.00cp    1219k   crond*
       3    0.40re    0.00cp     674k   run-parts
       3    0.00re    0.00cp     774k   dircolors
       3    0.00re    0.00cp     673k   consoletype
       2   40.98re    0.00cp    1344k   bash
       2    0.14re    0.00cp    1628k   sshd*
       2    0.00re    0.00cp     914k   logrotate

Sort by Percentage

The -c option adds each entry's percentage of the total to every column, so the heaviest users appear first.

sa -c

     232  100.00%   83.36re  100.00%    0.01cp  100.00%   1482k
      14    6.03%   41.09re   49.29%    0.01cp   58.82%    957k   ***other*
       7    3.02%    0.33re    0.39%    0.00cp   41.18%   2465k   sendmail*
      37   15.95%    0.00re    0.00%    0.00cp    0.00%    964k   bash*
      32   13.79%    0.00re    0.00%    0.00cp    0.00%   4984k   postmaster*
      32   13.79%    0.00re    0.00%    0.00cp    0.00%    604k   tmpwatch
      31   13.36%    0.00re    0.00%    0.00cp    0.00%   1122k   df
      15    6.47%    0.00re    0.00%    0.00cp    0.00%    959k   id
      11    4.74%    0.00re    0.00%    0.00cp    0.00%    709k   egrep
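The article's advice for sa -m is to watch for per-user counts that keep climbing. The script below is an added example, not part of the article or the psacct package: it parses two sa -m reports (the first is the article's own output, the second is a constructed later snapshot) and reports users whose process count or CPU minutes grew by more than a threshold, plus any user that appears for the first time. The thresholds are assumptions you would tune for your own server.

```python
"""Compare two `sa -m` snapshots and flag users whose process count or CPU
minutes grew between them.  Added example, not part of the original article;
the second snapshot below is constructed in the same format."""
import re

# Per-user line of `sa -m`: user, process count, real time (re), cpu time (cp),
# average memory (k).  The first line of the report carries the totals and has
# no user name.
SA_M_LINE = re.compile(
    r"^\s*(?P<user>\S+)?\s+(?P<count>\d+)\s+(?P<re>[\d.]+)re\s+"
    r"(?P<cp>[\d.]+)cp\s+(?P<mem>\d+)k\s*$"
)

# The article's sa -m output.
SNAPSHOT_BEFORE = """\
               195  220.31re    0.09cp    2220k
mike            65  198.37re    0.08cp    2135k
root            88   21.86re    0.00cp    1084k
postgres        40    0.09re    0.00cp    4879k
smmsp            2    0.00re    0.00cp    1827k
"""

# Constructed later snapshot: mike has run many more processes, root a few,
# and a new account (apache) has started running commands.
SNAPSHOT_AFTER = """\
               254  260.02re    0.33cp    2310k
mike           140  230.11re    0.31cp    2160k
root            92   29.52re    0.00cp    1090k
postgres        40    0.09re    0.00cp    4879k
smmsp            2    0.00re    0.00cp    1827k
apache          12    0.30re    0.02cp    3120k
"""


def parse_sa_m(text):
    """Return {user: {"count": int, "re": float, "cp": float, "mem": int}}.
    The totals line is stored under the key "TOTAL"."""
    users = {}
    for line in text.splitlines():
        m = SA_M_LINE.match(line)
        if not m:
            continue  # header noise or a line sa printed in another format
        name = m.group("user") or "TOTAL"
        users[name] = {
            "count": int(m.group("count")),
            "re": float(m.group("re")),
            "cp": float(m.group("cp")),
            "mem": int(m.group("mem")),
        }
    return users


def flag_growth(before, after, min_new_procs=10, min_new_cp=0.05):
    """Return (user, reason) pairs for users whose process count or CPU
    minutes rose by at least the thresholds; users absent from the earlier
    snapshot are always reported.  sa counts are cumulative for the life of
    the accounting file, so a delta between snapshots is meaningful."""
    findings = []
    for user, now in after.items():
        if user == "TOTAL":
            continue
        prev = before.get(user)
        if prev is None:
            findings.append((user, "new user in accounting summary"))
            continue
        d_count = now["count"] - prev["count"]
        d_cp = now["cp"] - prev["cp"]
        if d_count >= min_new_procs or d_cp >= min_new_cp:
            findings.append((user, f"+{d_count} processes, +{d_cp:.2f} cpu minutes"))
    return findings


if __name__ == "__main__":
    before = parse_sa_m(SNAPSHOT_BEFORE)
    after = parse_sa_m(SNAPSHOT_AFTER)
    for user, reason in flag_growth(before, after):
        print(f"{user:10} {reason}")
```

With the two snapshots above, mike and apache are reported and root is not, because four extra processes at 0.00 CPU minutes stay under both thresholds.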

NIS Server Config


by Mike on February 17, 2010 in Server Management

The Network Information Service distributes information on the network that must be shared between the Linux machines. Sun Microsystems developed a system known as Yellow Pages (YP) that eventually became known as NIS. The original YP is still the prefix of most NIS commands: ypserv, ypbind and yppasswd. Typically NIS is used to distribute information about the users and how they authenticate to Linux, specifically /etc/passwd and /etc/group. NIS provides a means of central administration of the network users. When a user logs into a system using NIS, the system first checks the local /etc/passwd file; if it cannot find the user it will then check the NIS server. If you are looking for videos or training on NIS see our Online Server Courses.

The structure used for NIS is the normal client-server setup. The configuration for NIS uses a domain to indicate a group of systems on a LAN or subnet. Each of these systems in the domain will use the same maps, which refer to a common database. These databases are stored in DBM format and are built from ASCII text files. Each NIS domain needs a NIS server that acts as an information base for the domain. The NIS clients will query the NIS server for the information they need. Maps are the information stored in the database. You can divide the NIS servers into masters and slaves to provide a level of redundancy for the maps. The slave will maintain a copy of the maps and will update from the master whenever a change is made. The program that notifies the slave of any changes is yppush.

There are four basic topologies used for NIS:
1. single domain: one master, no slaves
2. single domain with slaves: one master, one or more slaves
3. multiple domains: each domain has a master but no slaves
4. multiple domains with slaves: each domain with a master and one or more slaves

It only makes sense that if you are really interested in having NIS work right you will need at least one master and one slave as a backup.

Configuring a NIS server

Install the necessary applications.

yum install yp-tools ypbind ypserv portmap

Set Up the Domain Name

Use this command:

nisdomainname mydomain

You can test to see if the domain is active by using the command without the argument.

nisdomainname

Configure the Server Daemon

The two configuration files are /var/yp/securenets and /etc/ypserv.conf. The default settings for /etc/ypserv.conf are:

dns: no
* : shadow.byname : port : yes
* : passwd.adjunct.byname : port : yes
* : * : * : none

Edit /etc/yp.conf

domain central server 192.168.5.95

In this example central is the name of the domain and the IP Address is the IP of the NIS server.

Configure the Security

The /var/yp/securenets file allows access to NIS only from the networks listed.

255.255.255.255 127.0.0.1
255.255.255.0   192.168.5.0

This example will allow the local host and all computers on the 192.168.5.0 network.

Edit /etc/hosts.allow

PORTMAP: 192.168.5.0

This allows the network to have access to portmap.

Start the Server

Before starting the server make sure portmap is running by issuing the command:

service portmap start

You can use any of start/stop/restart/status. You can also use rpcinfo to see information.

rpcinfo -p localhost

Create Databases

The command that is used to initiate the database is ypinit. It will create maps for the system and place them in /var/yp under your domain name. The files that will be included in your maps are:

/etc/passwd
/etc/group
/etc/hosts
/etc/networks
/etc/services
/etc/protocols
/etc/netgroup
/etc/rpc

The database is created with this command:

/usr/lib/yp/ypinit -m

When you initialize the maps you will need to know which slave servers you want, as those names can be added at the time of the database creation. Specify the hostname and any slaves, then use Ctrl+D, select y, and it is complete. The -m of the command tells NIS that the database is created for the master server. Once the slave has been set up as a client you can add the database from the master server with this command:

/usr/lib/yp/ypinit -s masterhost

This tells NIS to get the database from the masterhost server.

Start NIS Password Daemon

yppasswd allows users to update their information, which is then propagated to the master server and slaves. yppasswdd will only run on the master server. Start the master server yppasswdd with this command:

/etc/rc.d/init.d/yppasswdd start

By default NIS users cannot change their full name or login shell. However, these can be allowed by starting yppasswdd with these arguments:

yppasswdd -e chfn

This allows full name changes.

yppasswdd -e chsh

This will allow shell changes.

Transfer Maps to Slaves

The command ypxfrd is used to transfer maps to slave servers. Once the slave receives notice that the master has changed, the slave will start ypxfr to read the new map. To speed up the process issue this command:

/etc/rc.d/init.d/ypxfrd start

If you need to update a map, run make in the /var/yp directory of the master server; this will update the maps and propagate them to the slave servers.

Starting NIS Servers at boot

You need to make the changes permanent so they are available at start time. Open /etc/sysconfig/network with a text editor and add a line:

NISDOMAIN=mydomainname

mydomainname must be the name that you have chosen. Now open a terminal and use chkconfig.

chkconfig --level 35 yppasswdd on

Adding Users to the Database

Add a user with the normal commands and password set up.

useradd jim
passwd jim

Move into the /var/yp directory and run make.

cd /var/yp
make
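Because /var/yp/securenets is the only thing standing between the maps and any host that can reach portmap, it is worth checking what a given file actually admits before you rely on it. The script below is an added example, not part of the article or of ypserv: it parses a securenets file (the article's two lines, plus comment handling and the host keyword that the securenets format accepts in place of a mask) and answers whether sample client addresses would be allowed.

```python
"""Evaluate a /var/yp/securenets file against client addresses.  Added
example, not part of the original article or the ypserv project; the file
contents below are the article's example (localhost plus 192.168.5.0/24)."""
import ipaddress

# The article's securenets, with a comment line added to show it is skipped.
SECURENETS = """\
# netmask          network
255.255.255.255    127.0.0.1
255.255.255.0      192.168.5.0
"""


def parse_securenets(text):
    """Return one ipaddress.IPv4Network per rule line.
    Each rule is 'netmask network'; '#' comments and blank lines are skipped.
    The word 'host' in the netmask position means a single address
    (255.255.255.255), as the securenets format allows."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mask, network = line.split()
        if mask == "host":
            mask = "255.255.255.255"
        # strict=False tolerates a network written with host bits set
        nets.append(ipaddress.IPv4Network((network, mask), strict=False))
    return nets


def client_allowed(nets, address):
    """True if the client address falls inside any listed network."""
    ip = ipaddress.IPv4Address(address)
    return any(ip in net for net in nets)


def check_clients(text, addresses):
    """Map each candidate client address to its allow/deny decision."""
    nets = parse_securenets(text)
    return {addr: client_allowed(nets, addr) for addr in addresses}


if __name__ == "__main__":
    # Constructed client addresses: two inside the allowed networks, two outside.
    candidates = ["127.0.0.1", "192.168.5.42", "192.168.6.7", "10.0.0.5"]
    for addr, ok in check_clients(SECURENETS, candidates).items():
        print(f"{addr:15} {'allowed' if ok else 'denied'}")
```

Running it shows 127.0.0.1 and 192.168.5.42 allowed and 192.168.6.7 and 10.0.0.5 denied, which is exactly the behaviour the article's two-line file is meant to give; a slave server needs its own copy of the file, since ypserv reads it locally.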
Paul Ortega April 28, 2010 at 3:15 pm

Does /var/yp/securenets have to be created on the slave NIS server? If so, is it updated when the master server is updated?
mike May 4, 2010 at 5:09 pm

In order to get the update to work you will need to configure the Slave; it will need to pull the maps from the Master.

NIS Clients
by Mike on February 19, 2010 in Server Management

Set Up NIS Clients

The NIS server-client relationship requires that you set up a client in order to work with the NIS server. This will enable you to log in on the client with a user and password located in the database of the NIS server. The client machine will first look in the /etc/passwd file and then check the database on the NIS server. Here you can find how to set up the NIS Server. If you are looking for videos or training on NIS see our Online Server Courses.

The first step is to set up the NIS domain with this command:

nisdomainname mydomain

This is the same as the server set up. The next step is binding the client to the server. The client uses a daemon called ypbind with the configuration file /etc/yp.conf to connect the client and the server. One method to make this happen is to edit /etc/yp.conf on the client and add this line to the file:

ypserver 192.168.5.95

Of course, make sure you put the IP Address of your server there. Another method is to allow the clients to broadcast for the domain's server with this line:

domain mydomain broadcast

Finally, another method is to add the servers, whether they are masters or slaves on the domain, in the same file. Use the format:

domain mydomain server 192.168.5.95
domain mydomain server 192.168.5.2

This lists the servers on your domain. You can also use the authconfig tool to set up NIS on the client. Open a terminal and type authconfig-tui as root.

Once the program opens check the Cache Information option, as this will speed up access in the future. Then check the NIS check box. Type in the domain name and the server IP. Now click Next and make sure Use Shadow Passwords and Use MD5 Passwords are checked and click Next.

Now enter the name of your domain and the IP Address of the NIS server. Your client should start looking for the NIS server. Now you need to set up the client so that ypbind starts at boot.

Make sure it is running correctly:

rpcinfo -u localhost ypbind

It should say:

program 100007 version 1 ready and waiting
program 100007 version 2 ready and waiting

Now try out a NIS command to see if it is working and the server is talking to the client. Use this command:

ypcat passwd.byname

This should return a list of the names in the database, even though the password fields are encrypted. Make sure you edit /etc/host.conf on the client to reflect a change in hostname lookups. Change the line so it looks like this on the client:

order hosts,nis,bind

Finally, edit /etc/nsswitch.conf so that standard NIS lookups are added when info is requested. Make the lines look like this:

passwd:  files nis
shadow:  files nis
group:   files nis
hosts:   files nis

Make sure NIS will start at boot with this command:

chkconfig --level 35 ypbind on

Commands

nisdomainname         Set a NIS domain
ypserv                Server activities
ypinit                Build and install NIS database
yppasswd              Process user password changes
ypxfrd                Speed up transfer of maps
yppush                Propagate maps to slaves
/var/yp/securenets    Hosts permitted to access maps
/etc/ypserv.conf      Special host access
ypwhich               Display master server
ypcat                 Print NIS entries in database
yppoll                Display server and version of NIS map
ypmatch               Print value of entry map
/etc/yp.conf          Client configuration file
/etc/nsswitch.conf    Configure system name database lookup
/etc/host.conf        Configure hostname resolution
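Once ypcat passwd.byname returns the map, every client that binds will accept the accounts in it, so it pays to audit what the map contains before pointing nsswitch.conf at NIS. The script below is an added example, not part of the article or of the yp-tools package: it parses passwd-format lines of the kind ypcat prints (the sample records are constructed, including the hash strings) and reports accounts with an empty password field, a UID of 0 under a name other than root, or a UID shared with another account.

```python
"""Audit the output of `ypcat passwd.byname` for accounts a client would
accept.  Added example, not part of the original article; the map lines
below are constructed in the passwd format the article says ypcat returns,
and the hash strings are placeholders, not real hashes."""

# Constructed sample of what `ypcat passwd.byname` prints: one passwd(5)
# record per line, name:hash:uid:gid:gecos:home:shell.
SAMPLE_MAP = """\
jim:$1$Q9ZqPq1s$examplehashexamplehash12:500:500:Jim Example:/home/jim:/bin/bash
mike:$1$abcdEFGH$examplehashexamplehash34:501:501:Mike:/home/mike:/bin/bash
backup:*:502:502:Backup Account:/var/backup:/sbin/nologin
guest::503:503:Guest:/home/guest:/bin/bash
toor:$1$zzzzzzzz$examplehashexamplehash56:0:0:Extra root:/root:/bin/bash
jim2:$1$Q9ZqPq1s$examplehashexamplehash78:500:500:Duplicate uid:/home/jim2:/bin/bash
"""

# Password-field values that mean "no usable password here", not a hash.
LOCKED_OR_SHADOWED = ("", "*", "!", "!!", "x")


def parse_passwd_map(text):
    """Return a list of dicts, one per well-formed seven-field record;
    malformed lines are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        records.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return records


def audit_passwd_map(records):
    """Return (account, reason) findings an administrator would want to see
    before trusting the map for logins."""
    findings = []
    seen_uid = {}
    for r in records:
        if r["pw"] == "":
            findings.append((r["name"], "empty password field: login without a password"))
        if r["uid"] == 0 and r["name"] != "root":
            findings.append((r["name"], "uid 0 account other than root"))
        if r["uid"] in seen_uid:
            findings.append((r["name"], f"uid {r['uid']} shared with {seen_uid[r['uid']]}"))
        else:
            seen_uid[r["uid"]] = r["name"]
        if r["pw"] not in LOCKED_OR_SHADOWED and not r["pw"].startswith("$"):
            # a 13-character crypt(3) value without a '$id$' prefix is traditional DES
            findings.append((r["name"], "password hash is traditional DES crypt"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_passwd_map(parse_passwd_map(SAMPLE_MAP)):
        print(f"{account:10} {reason}")
```

On the sample map this reports guest, toor and jim2; jim, mike and the locked backup account pass. In practice you would feed it the real ypcat output with parse_passwd_map(subprocess_output) and review the findings with the map's owner.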

Kerberos Server Set Up


by Mike on February 22, 2010 in Server Management

Kerberos provides a secure network authentication model using secret-key cryptography. Kerberos can be used with multiple services to offer superior authentication security. On a CentOS system you can review the list of Kerberos packages available with yum.

yum list | grep krb5

You will see that by default the workstation package is installed, so it can be an option for authentication.

yum install krb5-server

Edit /etc/krb5.conf

Note that when you edit this file be sure to use your domain and maintain the case on all changes. The realm names should be uppercase and the hostnames for DNS should be lowercase.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LOCALNET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 LOCALNET = {
  kdc = kerb.localnet:88
  admin_server = kerb.localnet:749
  default_domain = localnet
 }

[domain_realm]
 .localnet = LOCALNET
 localnet = LOCALNET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Edit /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 LOCALNET = {
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }

Create the Database

This database stores the keys for the Kerberos realm. The -s option creates a stash file where the master key is stored. Access is controlled by the Master Password.

/usr/kerberos/sbin/kdb5_util create -s

Loading random data
Initializing database /var/kerberos/krb5kdc/principal for realm LOCALNET,
master key name K/M@LOCALNET
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Edit /var/kerberos/krb5kdc/kadm5.acl

This important file determines the administrators for Kerberos.

*/admin@LOCALNET *

The kadmind daemon, once started, allows users to access the server to authenticate.

kadmin.local -q "addprinc mike/admin"

Authenticating as principal root/admin@LOCALNET with password.
WARNING: no policy specified for mike/admin@LOCALNET; defaulting to no policy
Enter password for principal mike/admin@LOCALNET:
Re-enter password for principal mike/admin@LOCALNET:
Principal mike/admin@LOCALNET created.

kadmin.local

Authenticating as principal root/admin@LOCALNET with password.
WARNING: no policy specified for host/basic.localnet@LOCALNET; defaulting to no policy
Principal host/basic.localnet@LOCALNET created.

Start Kerberos

service krb5kdc start
service kadmin start
service krb524 start

netstat -aunt

This should show these ports up and running.

tcp        0      0 0.0.0.0:749         0.0.0.0:*        LISTEN
udp        0      0 192.168.5.12:88     0.0.0.0:*
udp        0      0 192.168.5.12:750    0.0.0.0:*

Test the Set Up

kadmin.local

Authenticating as principal root/admin@LOCALNET with password.
kadmin.local:  listprincs
K/M@LOCALNET
host/basic.localnet@LOCALNET
kadmin/admin@LOCALNET
kadmin/changepw@LOCALNET
kadmin/history@LOCALNET
kadmin/localhost.localdomain@LOCALNET
krbtgt/LOCALNET@LOCALNET
mike/admin@LOCALNET

Check Tickets

klist

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Login as Principal Then Check Tickets

kinit mike/admin
klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mike/admin@LOCALNET

Valid starting     Expires            Service principal
02/21/10 04:42:38  02/22/10 04:42:36  krbtgt/LOCALNET@LOCALNET

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Add a User

kadmin -q "addprinc -policy user tom"

Authenticating as principal mike/admin@LOCALNET with password.
Password for mike/admin@LOCALNET:
Enter password for principal tom@LOCALNET:
Re-enter password for principal tom@LOCALNET:

Add a Host

kadmin.local -q "ktadd -k /etc/krb5.keytab host/basic.localnet"

Authenticating as principal root/admin@LOCALNET with password.
Entry for principal host/basic.localnet with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/basic.localnet with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/basic.localnet with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/basic.localnet with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.
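The supported_enctypes line in the article's kdc.conf decides which key types every principal, including the host keys written by ktadd above, will carry. The script below is an added example, not part of the article or of MIT Kerberos: it parses the [realms] section of a kdc.conf (the first sample is the article's own file; the second is a constructed AES-only variant for comparison) and lists the enctype entries that are deprecated, namely single DES (RFC 6649), triple DES and RC4/arcfour (RFC 8429).

```python
"""Parse the [realms] section of a kdc.conf and report the supported
enctypes that are deprecated.  Added example, not part of the original
article or MIT Kerberos; KDC_CONF is the article's kdc.conf and
HARDENED_CONF is a constructed AES-only variant."""
import re

KDC_CONF = """\
[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 LOCALNET = {
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
"""

# Constructed comparison: the same realm restricted to AES enctypes.
HARDENED_CONF = """\
[realms]
 LOCALNET = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
 }
"""

# Single DES is deprecated by RFC 6649; triple DES and RC4 (arcfour) by RFC 8429.
DEPRECATED_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")


def parse_realms(text):
    """Return {realm: {key: value}} for the [realms] section of a krb5-style
    config.  '#' comment lines are skipped; settings inside a 'NAME = {'
    block belong to that realm until the closing '}'."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "realms":
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            realm = m.group(1)
            realms[realm] = {}
            continue
        if line == "}":
            realm = None
            continue
        if realm and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            realms[realm][key] = value
    return realms


def deprecated_enctypes(realm_settings):
    """List the enctype:salt entries of supported_enctypes whose enctype
    carries a deprecated prefix, in config order."""
    entries = realm_settings.get("supported_enctypes", "").split()
    return [e for e in entries if e.split(":", 1)[0].startswith(DEPRECATED_PREFIXES)]


def audit(text):
    """Map each realm in the config to its list of deprecated enctype entries."""
    return {realm: deprecated_enctypes(cfg) for realm, cfg in parse_realms(text).items()}


if __name__ == "__main__":
    for label, conf in (("article kdc.conf", KDC_CONF), ("AES-only kdc.conf", HARDENED_CONF)):
        for realm, weak in audit(conf).items():
            print(f"{label}: realm {realm}: {len(weak)} deprecated enctype entries")
            for entry in weak:
                print(f"  {entry}")
```

Every one of the seven entries in the article's file is flagged, which matches the four DES and 3DES key types ktadd wrote into /etc/krb5.keytab above; the AES-only variant produces no findings.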

screen
by Mike on May 20, 2010 in Server Management

screen is an application that allows you to create multiple sessions over one terminal connection. Install screen on a CentOS system.

yum install screen

Install on Debian or Ubuntu

sudo apt-get install screen

Start the application by using the command screen.

Command Options

Ctrl+A ? shows the built-in help. The command key is ^A (Ctrl+A), and the key (or keys) typed after it selects the command:

break        ^B b
clear        C
colon        :
copy         ^[ [
detach       ^D d
digraph      ^V
displays     *
dumptermcap  .
fit          F
flow         ^F f
focus        ^I
hardcopy     h
help         ?
history      { }
info         i
kill         K k
lastmsg      ^M m
license      ,
lockscreen   ^X x
log          H
login        L
meta         a
monitor      M
next         ^@ ^N sp n
number       N
only         Q
other        ^A
pow_break    B
pow_detach   D
prev         ^H ^P p ^?
quit         \
readbuf      <
redisplay    ^L l
remove       X
removebuf    =
reset        Z
screen       ^C c
select       '
silence      _
split        S
suspend      ^Z z
time         ^T t
title        A
vbell        ^G
version      v
width        W
windows      ^W w
wrap         ^R r
writebuf     >
xoff         ^S s
xon          ^Q q

^]           paste .
"            windowlist -b
0 ... 9      select 0 ... select 9
I            login on
O            login off
]            paste .
|            split -v
:kB:         focus up

Literal ^A: a

Here is a list of common commands, all starting with Ctrl+A.

Show the time and load average.
Ctrl+A t
 9:02:46 May 19 m67 1.02 0.97 0.70

Create a new window.
Ctrl+A c

Show the window number; numbering starts with 0.
Ctrl+A N
This is window 1 (bash).

Move to the previous window.
Ctrl+A p

Quit using screen.
Ctrl+A \
Really quit and kill all your windows [y/n]

Clear the screen of all text including the prompt.
Ctrl+A C

List the available windows.
Ctrl+A "
Num Name
  0 bash
  1 bash

Check the version.
Ctrl+A v
screen 4.00.03jw4 (FAU) 2-May-06

Split Window

The split window with screen is a handy feature. It allows you to connect to a remote server and split the window so that you can run two different applications and watch both. Once you have screen running use this command to split the window.
Ctrl+A S

You can move between the regions using this command.
Ctrl+A tab

When you move to the new region create a new window with:
Ctrl+A c

Create a vertical split window.
Ctrl+A |

You can move between the regions using this command.
Ctrl+A tab

When you move to the new region create a new window with:
Ctrl+A c

You can terminate one window with this command:
Ctrl+A k

Lock a window.
Ctrl+A x

Close a window.
Ctrl+A X

HylaFax on CentOS
by Mike on May 25, 2010 in Server Management

HylaFax provides a way to receive faxes on your server and send them as email attachments to a user or a number of users on your network. You can also send faxes from the server. This tutorial will show you how to set up HylaFax on a CentOS server so that you can receive faxes. You will need a modem for this, and it certainly makes sense to check the HylaFax website to determine the easiest modem to set up.

Install Dependencies

You will have several dependencies; when you install these they will also pull down some additional dependencies.

yum install ghostscript sharutils

Install from RPMForge Repositories

In order to install from the RPMForge repositories you will need to add RPMForge in the yum.repos.d directory.

yum install hylafax

Find tty

It is imperative that you locate the modem and how it connects to the server, which is indicated by a tty. You have valuable information in the kernel buffer, dmesg. The example below finds the information by looking at both the ttys and the usb connections, as this is a USB modem.

dmesg | grep tty

serial8250: ttyS0 at I/O 0x3f8 (irq = 0) is a 16550A
00:07: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
cdc_acm 3-1:2.0: ttyACM0: USB ACM device

dmesg | grep usb

usbcore: registered new driver cdc_acm
drivers/usb/class/cdc-acm.c: v0.25:USB Abstract Control Model driver for USB modems and ISDN adapters

The serial connection you need to use is ttyACM0 for this modem; yours will likely be different.

Configure HylaFax

Begin the config process with this command:

/usr/sbin/faxsetup

As you work through the process be sure to enter your area code, the name of your company, the phone number for the fax and the correct modem information that you gathered in the previous step. Also be sure to indicate the correct permissions that are highlighted.

No scheduler config file exists, creating one from scratch.
Country code [1]?
Area code [000]? 113
Long distance dialing prefix [1]?
International dialing prefix [011]?
Dial string rules file (relative to /var/spool/hylafax) ["etc/dialrules"]?
Tracing during normal server operation [1]?
Default tracing during send and receive sessions [0xFFF]?
Continuation cover page (relative to /var/spool/hylafax) []?
Timeout when converting PostScript documents (secs) [180]?
Maximum number of concurrent jobs to a destination [1]?
Define a group of modems []?
Time of day restrictions for outbound jobs ["Any"]?
Timeout before purging a stale UUCP lock file (secs) [30]?
Max number of pages to permit in an outbound job [0xffffffff]?
Syslog facility name for ServerTracing messages [daemon]?

The non-default scheduler parameters are:

AreaCode: 113

Are these ok [yes]?

Country code [1]?
Area code [113]?
Phone number of fax modem [+1.999.555.1212]? 1.113.234.1234
Local identification string (for TSI/CIG) ["NothingSetup"]? MyCompany.com
Long distance dialing prefix [1]?
International dialing prefix [011]?
Dial string rules file (relative to /var/spool/hylafax) [etc/dialrules]?
Tracing during normal server operation [1]?
Tracing during send and receive sessions [0xFFF]?
Protection mode for received facsimile [0600]? 644
Protection mode for session logs [0600]? 644
Protection mode for ttyS0 [0600]? 666
Rings to wait before answering [1]?
Modem speaker volume [off]?
Command line arguments to getty program ["-h %l dx_%s"]?
Pathname of TSI access control list file (relative to /var/spool/hylafax) [""]?
Tag line font file (relative to /var/spool/hylafax) [etc/lutRS18.pcf]?
Tag line format string ["From %%l|%c|Page %%P of %%T"]?
Time before purging a stale UUCP lock file (secs) [30]?
Hold UUCP lockfile during inbound data calls [Yes]?
Hold UUCP lockfile during inbound voice calls [Yes]?
Percent good lines to accept during copy quality checking [95]?
Max consecutive bad lines to accept during copy quality checking [5]?
Max number of pages to accept in a received facsimile [25]?
Syslog facility name for ServerTracing messages [daemon]?
Set UID to 0 to manipulate CLOCAL [""]?

The non-default server configuration parameters are:

CountryCode: 1
AreaCode: 113
FAXNumber: 1.113.234.1234
LongDistancePrefix: 1
InternationalPrefix: 011
DialStringRules: etc/dialrules
RingsBeforeAnswer: 1
SpeakerVolume: off
GettyArgs: -h %l dx_%s
LocalIdentifier: NothingSetup
TagLineFont: etc/lutRS18.pcf
TagLineFormat: From %%l|%c|Page %%P of %%T
MaxRecvPages: 25

Probing for best speed to talk to modem: 38400 OK.
Hmm, this looks like a Class 1 modem.
Product code (ATI0) is Zoom V.90 USB U052099g -F Z207.
Other information (ATI3) is Zoom V.90 USB U052099g -F Z207.
DTE-DCE flow control scheme [default]?
Modem manufacturer is Zoom.
Modem model is 2980.
Using prototype configuration file lucent

The modem configuration parameters are:

ModemFlowControl: rtscts
ModemSetupDTRCmd: AT&D3

Are these ok [yes]?

Creating new configuration file /var/spool/hylafax/etc/config.ttyACM0
Creating fifo /var/spool/hylafax/FIFO.ttyACM0 for faxgetty done.
Done setting up the modem configuration.

Checking /var/spool/hylafax/etc/config for consistency: some parameters are different.

The non-default scheduler parameters are:

CountryCode: 1
AreaCode: 113
LongDistancePrefix: 1
InternationalPrefix: 011
DialStringRules: etc/dialrules

Are these ok [yes]?

Creating new configuration file /var/spool/hylafax/etc/config
Should an entry be added for the FaxMaster to /etc/aliases [yes]?
Users to receive fax-related mail [root]? user@your_domain

Edit /etc/inittab

You need to add an entry at the end of the file; be sure you use the tty setting for your modem.

# Fax Modem
t2:35:respawn:/usr/sbin/faxgetty ttyACM0

Edit /var/spool/hylafax/etc/FaxDispatch

This file needs to be created to determine who the fax is sent to and to change it so it is a PDF.

SENDTO=user@your_domain;
FILETYPE=pdf;

Add the users who will accept faxes. These users should be the same ones you entered in FaxDispatch.

/usr/sbin/faxadduser user_name

Test the Fax

cu -l ttyACM0

Connected.
at+fclass=?
0,1,8
OK

faxstat

HylaFAX scheduler on dklinux1.klausner.com: Running
Modem ttyACM0 (1.650.367.9139): Waiting for modem to come ready

Trial Connection

The 1132341234 is the number of the fax.

sendfax -vv -n -k now +1hour -m -d 1132341234 /etc/hosts

Trying localhost (127.0.0.1) at port 4559
Connected to localhost.localdomain.
220 your_domain.com server (HylaFAX Version 5.2.5) ready.
-> USER root
230 User root logged in.
match against (, 219)
    rule: offset 0 string = %! failed (comparison)
    rule: offset 0 short = 0x4d4d failed (comparison)
    rule: offset 0 short = 04949 failed (comparison)
    rule: offset 0 short = 0x1da failed (comparison)
    rule: offset 0 short = 0x1f1e failed (comparison)
    rule: offset 0 short = 0x1f9d failed (comparison)
    rule: offset 0 short = 0506 failed (comparison)
    rule: offset 0 short = 05343 failed (comparison)
    rule: offset 0 short = 0xf702 failed (comparison)
    rule: offset 0 string = GIF failed (comparison)
    rule: offset 0 long = 0x59a66a95 failed (comparison)
    rule: offset 0 short = 0x1b45 failed (comparison)
    rule: offset 0 short = 0x1b25 failed (comparison)
    rule: offset 0 short = 0x1b26 failed (comparison)
    rule: offset 0 short = 0x1b2a failed (comparison)
    rule: offset 0 string = %PDF failed (comparison)
    rule: offset 0 string = x T psc failed (comparison)
    rule: offset 0 string = begin failed (comparison)
    rule: offset 0 string = xbtoa failed (comparison)
    rule: offset 0 string = P1 failed (comparison)
    rule: offset 0 string = P2 failed (comparison)
    rule: offset 0 string = P3 failed (comparison)
    rule: offset 0 string = P4 failed (comparison)
    rule: offset 0 string = P5 failed (comparison)
    rule: offset 0 string = P6 failed (comparison)
    rule: offset 0 string = WNGZWZSS failed (comparison)
    rule: offset 0 string = #Inventor V failed (comparison)
    rule: offset 0 string = \x89PNG failed (comparison)
    rule: offset 0 short = 0xffd8 failed (comparison)
    rule: offset 0 short = 0xd8ff failed (comparison)
    rule: offset 0 string = #FIG failed (comparison)
    rule: offset 0 short = 0xd0cf failed (comparison)
    rule: offset 0 ascii = success (result postscript, rule %F/textfmt -B -f Courier-Bold -Ml=0.4in -p 11 -s %s > %o <%i)
CONVERT /usr/sbin/textfmt -B -f Courier-Bold -Ml=0.4in -p 11 -s default > /tmp//sndfaxLbELeQ < /etc/hosts
Apply DisplayNumber rules to 6503679139
  > return result 6503679139
-> FORM PS
200 Format set to PS.
-> TYPE I
200 Type set to Image.
SEND compressed data, 6015 bytes
-> PORT 127,0,0,1,228,198
200 PORT command successful.
-> MODE Z
200 Mode set to ZIP.
-> STOT
150 FILE: /tmp/doc4.ps (Opening new data connection).
SEND 2285 bytes transmitted (2.6x compression)
226 Transfer complete (FILE: /tmp/doc4.ps).
-> JNEW
200 New job created: jobid: 4 groupid: 4.
-> JPARM FROMUSER root
213 FROMUSER set to root.
-> JPARM LASTTIME 000059
213 LASTTIME set to 000059.
-> JPARM MAXDIALS 12
213 MAXDIALS set to 12.
-> JPARM MAXTRIES 3
213 MAXTRIES set to 3.
-> JPARM SCHEDPRI 127
213 SCHEDPRI set to 127.
-> JPARM DIALSTRING 6503679139
213 DIALSTRING set to 6503679139.
-> JPARM NOTIFYADDR user@your_domain.com
213 NOTIFYADDR set to user@your_domain.com.
-> JPARM VRES 196
213 VRES set to 196.
-> JPARM PAGEWIDTH 209
213 PAGEWIDTH set to 209.
-> JPARM PAGELENGTH 296
213 PAGELENGTH set to 296.
-> JPARM NOTIFY none
213 NOTIFY set to none.
-> JPARM PAGECHOP default
213 PAGECHOP set to default.
-> JPARM CHOPTHRESHOLD 3
213 CHOPTHRESHOLD set to 3.
-> JPARM DOCUMENT /tmp/doc4.ps
200 Added document /tmp/doc4.ps as docq/doc4.ps.4.
-> JSUBM
200 Job 4 submitted.
request id is 4 (group id 4) for host localhost (1 file)

Network Design for a Small Business


by Mike on June 3, 2010 in Server Management

This image represents a basic network plan for a small company. The goal of this article is to use this image to help describe basic concepts of networks, how they are typically constructed and why they are designed the way they are. Of course there are many variations to this basic design. Many times the variations depend upon the needs of the company as well as the skills of those who work for the company.

Gateway

The Gateway connects two dissimilar networks. In this example the Gateway connects the Internet to the LAN and the DMZ, which are both on different networks. The Gateway, as is often the case, also performs another function in that it acts as a firewall. The firewall is doing both NAT (Network Address Translation) for the LAN and port forwarding to the DMZ. Note that the DMZ is on a different network from the LAN.

LAN

The Local Area Network (LAN) is typically where you will place your workstations. This should be the most secure area of your network, as this is where your company needs to protect its data as well as the workstations on the network. Typically the LAN is on a private network, which means that the IP Addresses on the LAN are not designed to route through your Gateway nor on the Internet; they are only available on the local network.

Caching DNS Server

The LAN has a Caching DNS Server which the workstations point to for DNS resolution. The caching aspect allows the LAN to have faster access to commonly accessed sites, as the server will cache this information for future use. The Caching DNS Server is only available to the local network and may be used to provide DNS resolution for the local workstations.

DHCP Server

The DHCP Server provides IP Addresses automatically to the workstations, network printers and to the wireless network as people hook up laptops to it. The IP Addresses can be assigned permanently to workstations and printers so that you can map out locations more easily.

DMZ

The Demilitarized Zone or DMZ is a separate network where the company will keep the publicly accessible servers like a web server, DNS server and mail server. The DMZ is used to separate the public servers from the LAN because it is much more likely that intrusion attempts will be made on the servers, as they have services available to the public, opening ports for attack. The Gateway should be used to minimize the attacks and direct the public access only to the specific services required. For example, the Web Server should only receive traffic on port 80 and all other traffic coming from the Gateway should not be allowed. This protects the Web Server, to a degree, and cuts down network traffic.

Web Server

This is where the company web site is located. The Web Server is open on port 80 only to minimize attacks. However, in today's environment there should be an application firewall on the Web Server like ModSecurity. Most servers will be running PHP and MySQL to facilitate websites that are more interactive. This should require an application firewall to protect them properly.

DNS Server

Typically a small company will have two DNS Servers located on different subnets to provide backup for their mail and web service if one DNS server is unavailable. The DNS Server should only allow port 53 TCP and UDP. It should also be configured so that the general public cannot do recursive lookups, that is, lookups for web services that require the DNS Server to keep working until it finds an answer.

Mail Server

Which ports are open on the Mail Server will depend upon how a company has their mail set up. Of course the MTA, Mail Transfer Agent, must have port 25 open so that all other mail can be sent and received. Whether your company allows web based email or POP3 will determine which other ports are open and whether they are encrypted.

Bridge

The Bridge is different from the Gateway in that the Gateway typically uses NAT, Network Address Translation, to change the public IP Address (12.0.0.5), one that can route on the Internet and one that must be unique, to a private IP Address (192.168.1.1) that cannot route on the Internet and is used for internal connections. The other feature of a Bridge is that it filters traffic both by MAC Addresses, the addresses assigned to network cards, and by iptables rules. In addition, the Bridge can be removed and it does not impact the network connectivity because it is not doing any NAT. This makes it a very powerful tool in protecting and monitoring your network. In the example, the wireless network has a bridge that allows the network to accept IP Addresses from the DHCP Server, but it also protects the workstations so that a compromised laptop brought into the network would not be able to attack workstations or infect them with viruses, as the traffic would be blocked by the bridge. They would however be able to access the printer or any other devices you set up in the bridge. Basically, you have the bridge to control the extra risk involved with a wireless network.

Switch

The switch is a mechanical device that separates machines so that information going to one machine is not sent to the other machines on the network. This provides reduced network usage but more importantly it provides an element of security, as each machine is separated from the traffic to the other machines. Please note however, this element of security is not foolproof.
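The design above is really a set of zone-to-zone rules: the Internet reaches the DMZ only on the published service ports, the wireless segment reaches the LAN only for the printer and DHCP, and everything else is dropped. The script below is an added example, not part of the article: it writes that policy down as first-match rules with a default deny and evaluates a handful of constructed flows against it. The zone names, host names and the exact rule set are assumptions that follow the article's description, not a real firewall configuration.

```python
"""Model the article's segmentation as zone-based firewall rules and evaluate
sample flows against them.  Added example, not part of the original article;
zones, host names and rules are assumptions derived from the article's text."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_host: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str   # "*" matches any host in the destination zone
    proto: str      # "*" matches tcp and udp
    dport: int      # 0 matches any port
    action: str     # "allow" or "deny"

    def matches(self, f):
        return (self.src_zone == f.src_zone and self.dst_zone == f.dst_zone
                and self.dst_host in ("*", f.dst_host)
                and self.proto in ("*", f.proto)
                and self.dport in (0, f.dport))


# Assumed policy derived from the article: first matching rule wins and
# anything unmatched is denied, so the LAN is unreachable from the Internet.
POLICY = [
    Rule("internet", "dmz", "web",  "tcp", 80, "allow"),    # web server: port 80 only
    Rule("internet", "dmz", "dns",  "tcp", 53, "allow"),    # DNS: 53 tcp and udp
    Rule("internet", "dmz", "dns",  "udp", 53, "allow"),
    Rule("internet", "dmz", "mail", "tcp", 25, "allow"),    # MTA: port 25
    Rule("lan",      "dmz", "*",    "*",   0,  "allow"),    # workstations use DMZ services
    Rule("lan",      "internet", "*", "*", 0,  "allow"),    # NAT out to the Internet
    Rule("wireless", "lan", "printer", "*", 0, "allow"),    # bridge lets laptops print
    Rule("wireless", "lan", "dhcp", "udp", 67, "allow"),    # and obtain addresses
    Rule("wireless", "internet", "*", "*", 0,  "allow"),
]


def evaluate(policy, flow):
    """Return "allow" or "deny" for one flow under first-match semantics."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"


def evaluate_all(policy, flows):
    """Evaluate each flow and return {flow: decision}."""
    return {f: evaluate(policy, f) for f in flows}


# Constructed sample flows that exercise the design.
SAMPLE_FLOWS = [
    Flow("internet", "dmz", "web", "tcp", 80),        # allow: public web
    Flow("internet", "dmz", "web", "tcp", 22),        # deny: only port 80 is published
    Flow("internet", "dmz", "dns", "udp", 53),        # allow: DNS
    Flow("internet", "lan", "ws1", "tcp", 445),       # deny: Internet never reaches the LAN
    Flow("wireless", "lan", "printer", "tcp", 9100),  # allow: laptop prints
    Flow("wireless", "lan", "ws1", "tcp", 445),       # deny: compromised laptop cannot reach workstations
]

if __name__ == "__main__":
    for flow, decision in evaluate_all(POLICY, SAMPLE_FLOWS).items():
        print(f"{decision:5} {flow.src_zone:8} -> {flow.dst_zone}/{flow.dst_host} "
              f"{flow.proto}/{flow.dport}")
```

Writing the design down this way makes the two security claims in the text testable: nothing from the Internet reaches a LAN workstation, and a laptop on the wireless segment reaches the printer but not the workstations. Adding a rule later and re-running the sample flows shows immediately whether either claim still holds.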

{ 6 comments }
Caitlyn O June 4, 2010 at 11:33 am

Windows has been officially banned by Google employees. There are speculations as to why they did this, the biggest being that they're releasing their Google OS soon. Another big one is that there are too many security difficulties with Windows. Let me break that myth down for you. Windows protection difficulties have little to do with their quality of programming even though they do have more hackers than the others. Merely simply because they are the biggest utilized operating system in the U.S. They're targeted! Mac would have way a lot more safety breaches if they were the biggest running method utilized. A hacker is naturally likely to target who they have probably the most access to, not the minor guys.
jhansonxi June 4, 2010 at 4:31 pm

Depending on the data load between the DMZ and LAN and the bandwidth of the WAN connection it may be wise to add another firewalled link between the two essentially bypassing the WAN. Also note that switches are not mechanical devices, at least not any made since the invention of the transistor.
fundi June 5, 2010 at 8:50 am

Nice, I like it, well done. Now a few extra things could be mentioned for a small business setup. 1. Web server and mail server could actually be used from a hosted service, thus eliminating a second internet connection (which is a cost effective way and often done by small businesses). 2. It would be nice to mention how this set up translates in actual hardware. Just like you say the Gateway serves often as a firewall, small businesses use a Router as a Gateway, Switch, DNS server and Firewall. Likewise the Bridge to the wireless network is often just the wireless router. 3. An apt cacher is another good idea if the business is running a linux based setup. 4. Finally, how will this network actually do file sharing and allow users to use any workstation (revolving profiles)? Don't we need some other services as well to accomplish this? But well done and easy to understand.
rich June 5, 2010 at 1:30 pm

Finally, a network design tutorial that isn't Windows-centric. A Linux server can handle many times the number of clients that a Windows server can, affecting the network design accordingly.
Saint DanBert June 6, 2010 at 4:22 am

In my Home/Small-business network, I also run caching DNS on my server. (I only need one server box thanks to the ability of a linux server to handle more load.) I have something that works but it is a real smash-up built with hammer and tongs. I'd love to have a SOHO centric discussion of a local DNS. Why DNS? We would like clients to use names for SOHO LAN resources without knowledge of local IP addresses. This includes not only the workstations that are always part of the family but others as well. We don't want any war chalker to access everything, but the visiting Uncle or business colleague might want to print something or share files.
Ollie September 7, 2010 at 5:46 am

Great network design post, the diagrams were great. Thanks for sharing.
http://beginlinux.com/server/server-management/