Ray's IT notes

CA management - tinyca

2011-09-21T17:45:00.000+08:00

TinyCA is a program with a simple graphical user interface that makes managing a small CA (Certification Authority) easy. TinyCA works as a frontend for openssl and can deal with several independent CAs.
With TinyCA you can create and manage x509 and S/MIME server and client certificates. You can choose between RSA and DSA keys, as well as between different digest algorithms.
The certificates can be exported as PEM, DER, TXT and PKCS#12 or as a convenient archive containing both key and certificate. Certificates can be revoked by adding them to a certificate revocation list.

Juniper screen OS debug transaction flow

2011-09-12T12:39:00.000+08:00

Capturing Debug flow basic:

Cl db

Set ff src-ip x.x.x.x dst-ip y.y.y.y

Set ff src-ip y.y.y.y dst-ip x.x.x.x

(where

x.x.x.x== client ip which is accessing the server y.y.y.y==public ip of server i.e VIP ip of the server)

debug flow basic

(Then initiate the concerned traffic from source x.x.x.x to y.y.y.y)

Get db str

Undebug all

Cl db

Capturing snoop detail

Cl db

Snoop filter ip src-ip x.x.x.x dst-ip y.y.y.y direction both Snoop detail len 1514 Snoop (and then press `y?)

(Then initiate the concerned traffic from source x.x.x.x to y.y.y.y)

Get db str

Snoop off

RHEL6 disable ipv6

2011-09-02T11:48:00.001+08:00

Edit /etc/sysconfig/network
Change the following:
NETWORKING_IPV6=yes to NETWORKING_IPV6=no

Add a new file /etc/modprobe.d/ECS.conf containing
alias net-pf-10 off
alias ipv6 off

Stop the ipv6tables service
service ip6tables stop

Disable the ipv6tables service
chkconfig ip6tables off

After these changes, IPv6 will be disabled after the next reboot of your system.

verify ipv6 is disable
lsmod | grep ipv6
ifconfig

netstat

ref.: http://linuxnet.ch/groups/linuxnet/revisions/5b3a1/6/

Delete comment using grep

2011-07-27T14:16:00.000+08:00

grep -v ^\# myfile.conf | grep . > nocommentfile.conf

use esxcli kill stunk vm in ESXi 4.1

2011-05-16T19:00:00.000+08:00

Find world ID
# esxcli vms vm list
Soft kill vm
#esxcli vms vm kill -w 81238123 -t soft <---here 81238123 is world ID

Delete comment using grep

2011-05-16T11:31:00.001+08:00

grep -v ^\# myfile.conf | grep . > nocommentfile.conf

Samba join domain win2008 + squid authentication with ntlm_auth

2011-05-16T11:23:00.001+08:00

Step:

upgrade samba to 3.5 (for win2008)
edit /etc/samba/smb.conf
edit /etc/krb5.conf
edit /etc/pam.d/system-auth
add winbind option in /etc/nsswitch.conf
config iptables to allow 139,445,389 port, or allow all for testing
change selinux to permissive or disable just for testing
setup time, ensure no more than 5 min different with your DC
startup smb, winbind, oddjobd
join domain
test with wbinfo, kinit, ntlm_auth, check if your linux host appear in AD\computer ou
edit /etc/squid/squid.conf
make sure squid group have permission to access /var/lib/samba/winbindd_privilege folder
Startup squid
client pc proxy config
client pc edit group policy, change Network security: LAN Manager authentication level:Send LM & NTLM - use NTLMv2
client pc test to access internet with user authentication

For detail please check here:

In other to make squid authentication work with win2008, we need to upgrade samba to 3.5 version.
You have to download the repo file manually if using centos 5 which is samba3.0.X

[root@centosvm ~]#vi /etc/yum.repo.d/sernet-samba.repo
[sernet-samba]
name=SerNet Samba Team packages (CentOS 5)
type=rpm-md
baseurl=http://ftp.sernet.de/pub/samba/3.5/centos/5
enabled=1
gpgcheck=0

or wget repo file and save in /etc/yum.repo.d/
[root@centosvm]# wget http://ftp.sernet.de/pub/samba/3.5/centos/5/sernet-samba.repo

[root@centosvm ~]#yum update
[root@centosvm ~]#yum update samba samba-client
[root@centosvm ~]#yum install samba3-winbind samba3-utils

==========================================
[root@centosvm ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
MYDOMAIN.COM = {
  kdc = 192.168.1.10
  default_domain = MYDOMAIN.COM
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

==========================================

add following statement to /etc/pam.d/system-auth
session required pam_mkhomedir.so skel=/etc/skel umask=0022
==========================================
[root@centosvm ~]#cat /etc/samba/smb.conf

   workgroup = MYDOMAIN
   password server = 192.168.1.10
   realm = MYDOMAIN.COM
   security = ads
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/false
   winbind use default domain = yes
   winbind offline logon = false
   winbind enum users = yes
   winbind enum groups = yes
   encrypt passwords = yes

   server string = Samba Server Version %v

   interfaces = lo eth0 192.168.1.0/24
   hosts allow = 127. 192.168.1.
   bind interfaces only = true

   # logs split per machine
   log file = /var/log/samba/%m.log
   # max 50KB per log file, then rotate
   max log size = 500

   os level = 20
   preferred master = no
   dns proxy = no

   load printers = yes
   cups options = raw

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes

[root@centosvm ~]#service smb start
[root@centosvm ~]#service winbind start
[root@centosvm ~]#service oddjobd start
[root@centosvm ~]#service ntp start <----ensure time is same with DC
==========================================
NOTE: Ensure setting in /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind

==========================================

[root@centosvm ~]#net ads join -U administrator

[root@centosvm ~]#kinit administrator
[root@centosvm ~]#ntlm_auth --username=ray
[root@centosvm ~]#wbinfo -t
[root@centosvm ~]#wbinfo -u
==========================================

[root@centosvm ~]# vi /etc/squid/squid.conf
http_port 3128
icp_port 3130

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

cache_effective_user squid
cache_effective_group squid
coredump_dir /var/spool/squid
visible_hostname centosvm

access_log /var/log/squid/access.log squid

auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
acl NTLMUsers proxy_auth REQUIRED
http_access allow all NTLMUsers
http_access allow manager localhost
http_access deny !localnet
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
icp_access allow all
http_access deny all

==========================================

[root@centosvm ~]# service squid start

NOTE: Ensure squid have permission to access /var/lib/samba/winbindd_privileged
eg: chown .squid /var/lib/samba/winbindd_privileged

Config client PC group policy, run "gpedit.msc" Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Change Network security: LAN Manager authentication level:Send LM & NTLM - use NTLMv2 session security if negotiated

EtherChannel config

2011-03-29T15:07:00.001+08:00

==========PAgP Config:=============
Switch(config)# interface type mod/num
Switch(config-if)# channel-protocol pagp
Switch(config-if)# channel-group number mode {on | {{auto | desirable} [non-silent]}}

Example:
Switch(config)# port-channel load-balance src-dst-port
Switch(config)# interface range gig 3/1 – 4
Switch(config-if)# channel-protocol pagp
Switch(config-if)# channel-group 1 mode desirable non-silent
================================

=========LACP Config==============
Switch(config)# lacp system-priority priority
Switch(config)# interface type mod/num
Switch(config-if)# channel-protocol lacp
Switch(config-if)# channel-group number mode {on | passive | active}
Switch(config-if)# lacp port-priority priority

Example:
Switch(config)# lacp system-priority 100
Switch(config)# interface range gig 2/1 – 4 , gig 3/1 – 4
Switch(config-if)# channel-protocol lacp
Switch(config-if)# channel-group 1 mode active
Switch(config-if)# lacp port-priority 100
Switch(config-if)# exit
Switch(config)# interface range gig 2/5 – 8 , gig 3/5 – 8
Switch(config-if)# channel-protocol lacp
Switch(config-if)# channel-group 1 mode active
=================================

Desktop enhancement - Macubuntu

2011-03-21T17:38:00.001+08:00

Free accounting system - Features | GnuCash

2011-03-21T15:47:00.003+08:00

Many many icons - NounProject

2011-03-21T15:44:00.001+08:00

NounProject

Extending LVM disks in Linux using Vmware virtual disks

2011-03-14T16:45:00.002+08:00

Here is the current file system. It needs another 3Gb on the LogVol00 filesystem. The Linux system is a VMware virtual system with Virtual disks.

[root@dbvrac1 ~]# df -k
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
9127580 6692828 1971088 78% /
/dev/sda1 101086 12651 83216 14% /boot
none 596544 0 596544 0% /dev/shm

The partitions are as follows

[root@dbvrac1 ~]# sfdisk -s
/dev/sda: 10485760
/dev/sdb: 10485760
/dev/sdc: 10485760
/dev/sdd: 10485760
/dev/sde: 10485760
/dev/sdf: 10485760

First the Vmware virtual disks needs to increase. 13Gb is the new size. Shutdown the Vmware guest and resize the disk on the Vmware host:

# vmware-vdiskmanager -x 13GB dbvrac1.vmdk
Using log file /tmp/vmware-root/vdiskmanager.log
The old geometry C/H/S of the disk is: 1305/255/63
The new geometry C/H/S of the disk is: 1697/255/63
Disk expansion completed successfully.

Start up the Vmware guest again.
This has added space on the /dev/sda partition. This can be seen by running sfdisk -s again:

[root@dbvrac1 ~]# sfdisk -s
/dev/sda: 13631488
/dev/sdb: 10485760
/dev/sdc: 10485760
/dev/sdd: 10485760
/dev/sde: 10485760
/dev/sdf: 10485760

To use the space, a partition first has to be created on /dev/sda

[root@dbvrac1 ~]# ls -al /dev/sda*
brw-rw---- 1 root disk 8, 0 Jun 29 2009 /dev/sda
brw-rw---- 1 root disk 8, 1 Jun 29 2009 /dev/sda1
brw-rw---- 1 root disk 8, 2 Jun 29 2009 /dev/sda2

The new partition will be /dev/sda3.

[root@dbvrac1 /]# fdisk /dev/sda

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 3
First cylinder (1306-1697, default 1306):
Using default value 1306
Last cylinder or +size or +sizeM or +sizeK (1306-1697, default 1697):
Using default value 1697

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Validate that the new partition has been created

[root@dbvrac1 ~]# ls -al /dev/sda*
brw-rw---- 1 root disk 8, 0 Jun 29 2009 /dev/sda
brw-rw---- 1 root disk 8, 1 Jun 29 2009 /dev/sda1
brw-rw---- 1 root disk 8, 2 Jun 29 2009 /dev/sda2
brw-rw---- 1 root disk 8, 2 Jun 29 2009 /dev/sda3

/dev/sda3 is the new partition.
Reboot to load the new partition into the kernel.

Create a physical volume for LVM:

[root@dbvrac1 ~]# pvcreate /dev/sda3
Physical volume "/dev/sda3" successfully created

Add the new physical volume to the volume group:

[root@dbvrac1 ~]# vgextend VolGroup00 /dev/sda3
Volume group "VolGroup00" successfully extended

Extend the logical volume over the new space in the volume group.
Find out how much more space can be added:

[root@dbvrac1 ~]# vgdisplay
--- Volume group ---
VG Name VolGroup00
System ID
Format lvm2
Metadata Areas 2
Metadata Sequence No 4
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 2
Open LV 2
Max PV 0
Cur PV 2
Act PV 2
VG Size 12.88 GB
PE Size 32.00 MB
Total PE 412
Alloc PE / Size 315 / 9.84 GB
Free PE / Size 97 / 3.03 GB
VG UUID 7yenoW-lzsd-xK8a-j2Vj-qgty-TFXK-L0lhTL

There is 3.03Gb available.
Extend the volume:

[root@dbvrac1 ~]# lvextend -L+3.03G /dev/VolGroup00/LogVol00
Rounding up size to full physical extent 3.03 GB
Extending logical volume LogVol00 to 11.88 GB
Logical volume LogVol00 successfully resized

Resize the filesystem:

[root@dbvrac1 ~]# resize2fs /dev/VolGroup00/LogVol00
resize2fs 1.35 (28-Feb-2004)
/dev/VolGroup00/LogVol00 is mounted; can't resize a mounted filesystem!

Cannot use resize2fs as it is online. Use ext2online instead.

[root@dbvrac1 ~]# ext2online /dev/VolGroup00/LogVol00
ext2online v1.1.18 - 2001/03/18 for EXT2FS 0.5b

Check file system:

[root@dbvrac1 ~]# df -k
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
12256820 6695112 4940796 58% /
/dev/sda1 101086 12651 83216 14% /boot
none 596544 0 596544 0% /dev/shm

ref.: Extending LVM disks in Linux using Vmware virtual disks - Dbvisit Community

vmware esx update command

2011-02-15T16:58:00.002+08:00

0.1. Suppose ssh is ready; patch is download from http://www.vmware.com/patch/download/

0.2 Upload patch file to esx server with scp or using viclient browse datastore and upload

1. Enter maintain mode
ESX:
vimsh -n -e /hostsvc/maintenance_mode_enter
ESXi:
vim-cmd /hostsvc/maintenance_mode_enter

2. Execute update
cd /path/to/patchfile
esxupdate --bundle update-esx-patch.zip update

3. Exit maintenance mode
ESX:
vimsh -n -e /hostsvc/maintenance_mode_exit
ESXi:
vim-cmd /hostsvc/maintenance_mode_exit

4. System reboot

Using Local Group Policy Editor for security issue

2011-02-11T12:05:00.002+08:00

ref.: http://www.techrepublic.com/blog/10things/10-ways-to-tweak-windows-7-using-the-local-group-policy-editor/1014

Improve VMware Console Mouse Experience with Windows Server 2008

2011-01-27T15:31:00.001+08:00

ref.: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1011709
ref.: http://vm-pro.com/improve-vmware-console-mouse-experience-with-windows-server-2008/

vmware-vmrc example

2011-01-21T16:51:00.000+08:00

Directly connect to ESX

vmware-vmrc -h 192.168.1.123 -m "[datastore1] rayvm/rayvm.vmx"

vmware-vmrc -h 192.168.1.123 -u "administrator" -p "yourpassword" -m "[datastore1] rayvm/rayvm.vmx"

Directly connect to VMware Server

vmware-vmrc.exe -h 192.168.1.246:8333 -m "[datastore1] rayvm/rayvm.vmx"

VM migrate with vSphere client

2011-01-18T10:10:00.002+08:00

ref:http://blog.infinity.idv.tw/

Creating a DVD Slideshow Using Imagination

2011-01-14T14:45:00.000+08:00

The name of the program is Imagination which is available in repository
Export video format: VOB, FLV, 3GP, OGV

Windows Server Domain and Forest Functional Levels

2010-12-31T13:05:00.000+08:00

ref.: http://blogs.techrepublic.com.com/datacenter/?p=308

	2000 native	2003 native	2008 native
DCs allowed	W2K, W2K3, W2K8	W2K3, W2K8	W2K8 only
Domain features	Universal groups, Group nesting, Group conversions, Security identifier (SID) history	Ability to rename domain controllers via netdom.exe, Logon time stamp dates, Redirect Users and Computers, Authorization Manager policies in AD, Constrained delegation, Selective authentication	Distributed File System replication support for SYSVOL, Advanced encryption, Last Interactive Logon information, Fine-grained password policies
Forest features	All default AD features	Forest trust, domain rename, linked-value replication, Read-only domain controller deployment, instances of the dynamic auxiliary class named dynamicObject in a domain directory partition, convert inetOrgPerson object instance into a User object instance, create instances of new group types to support role-based authorization, deactivation and redefinition of attributes and classes in the schema	No new additional forest-level features

ICMP Security Failures Messages

2010-12-09T11:51:00.000+08:00

Error Procedures

   As is usual with ICMP messages, upon receipt of one of these error
   messages that is uninterpretable or otherwise contains an error, no
   ICMP error message is sent in response.  Instead, the message is
   silently discarded.  However, for diagnosis of problems, a node
   SHOULD provide the capability of logging the error, including the
   contents of the silently discarded datagram, and SHOULD record the
   event in a statistics counter.

   On receipt, special care MUST be taken that the ICMP message actually
   includes information that matches a previously sent IP datagram.
   Otherwise, this might provide an opportunity for a denial of service
   attack.

   The sending implementation MUST be able to limit the rate at which
   these messages are generated.  The rate limit parameters SHOULD be
   configurable.  How the limits are applied (such as, by destination or
   per interface) is left to the implementor's discretion.

 Security Considerations

   When a prior Security Association between the parties has not
   expired, these messages SHOULD be sent with authentication.

   However, the node MUST NOT dynamically establish a new Security
   Association for the sole purpose of authenticating these messages.
   Automated key management is computationally intensive.  This could be
   used for a very serious denial of service attack.  It would be very
   easy to swamp a target with bogus SPIs from random IP Sources, and
   have it start up numerous useless key management sessions to
   authentically inform the putative sender.

   In the event of loss of state (such as a system crash), the node will
   need to send failure messages to all parties that attempt subsequent
   communication.  In this case, the node may have lost the key
   management technique that was used to establish the Security
   Association.

   Much better to simply let the peers know that there was a failure,
   and let them request key management as needed (at their staggered
   timeouts).  They'll remember the previous key management technique,
   and restart gracefully.  This distributes the restart burden among
   systems, and helps allow the recently failed node to manage its
   computational resources.

   In addition, these messages inform the recipient when the ICMP sender
   is under attack.  Unlike other ICMP error messages, the messages
   provide sufficient data to determine that these messages are in
   response to previously sent messages.

   Therefore, it is imperative that the recipient accept both
   authenticated and unauthenticated failure messages.  The recipient's
   log SHOULD indicate when the ICMP messages are not validated, and
   when the ICMP messages are not in response to a valid previous
   message.

   There is some concern that sending these messages may result in the
   leak of security information.  For example, an attacker might use
   these messages to test or verify potential forged keys.  However,
   this information is already available through the simple expedient of
   using Echo facilities, or waiting for a TCP 3-way handshake.

   The rate limiting mechanism also limits this form of leak, as many
   messages will not result in an error indication.  At the very least,
   this will lengthen the time factor for verifying such information.

ref.:http://www.faqs.org/rfcs/rfc2521.html

Install X server via YUM on Redhat/CentOS

2010-12-09T09:47:00.000+08:00

First you can see all the yum groups available with the command:

yum grouplist

You can install X and Gnome or KDE like this:

yum groupinstall "X Window System" "GNOME Desktop Environment"

or

yum groupinstall "X Window System" "KDE (K Desktop Environment)"

You may also want to add some other groups from the list like "Graphical Internet" or "Office/Productivity"
ref: http://wikinux.wetpaint.com/page/Install+X+server+via+YUM+on+Redhat%2FCentOS

Migrate user accounts from linux server to another linux server

2010-11-11T15:15:00.001+08:00

ref.: http://www.cyberciti.biz/faq/howto-move-migrate-user-accounts-old-to-new-server/

Backup
# mkdir /root/move/
# export UGIDLIMIT=500

# awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/passwd > /root/move/passwd.mig
# awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/group > /root/move/group.mig
# awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534) {print $1}' /etc/passwd | tee - |egrep -f - /etc/shadow > /root/move/shadow.mig
# cp /etc/gshadow /root/move/gshadow.mig
# tar -zcvpf /root/move/home.tar.gz /home
# tar -zcvpf /root/move/mail.tar.gz /var/spool/mail

Restore

# mkdir /root/newsusers.bak
# cp /etc/passwd /etc/shadow /etc/group /etc/gshadow /root/newsusers.bak


# cd /path/to/location
# cat passwd.mig >> /etc/passwd
# cat group.mig >> /etc/group
# cat shadow.mig >> /etc/shadow
# /bin/cp gshadow.mig /etc/gshadow

# cd /
# tar -zxvf /path/to/location/home.tar.gz


# cd /
# tar -zxvf /path/to/location/mail.tar.gz

# reboot

Linux delete large number files (argument list too large when using rm)

2010-10-28T18:32:00.000+08:00

ref.: http://linux.byexamples.com/archives/326/rm-complains-argument-list-too-long/

There is a limitation of rm command, where you can’t delete a large groups of files with *. For examples,

rm -rf something*

If there are large amount of files initiate with something, rm will fails and complains

/bin/rm: Argument list too long.

The solution is to make use of find, xargs and rm.

find . -name 'something*' -print0 | xargs -0 rm -rf

Online Diagram Software

2010-10-06T10:36:00.000+08:00

http://www.gliffy.com/

Data Recovery with Linux

2010-09-08T16:25:00.001+08:00

https://help.ubuntu.com/community/DataRecovery

http://www.cgsecurity.org/wiki/TestDisk

http://www.cgsecurity.org/wiki/PhotoRec

Full backup NTFS partition using Linux

2010-07-19T10:26:00.005+08:00

Backup:
Suppose backup partition is sda1 (The first partition on master HD) and the backup data will store on another system/drive

0. Optional step, backup boot menu if your using multiboot. Do it in windows: bcdedit /export "C:\bcdbackup\bcdbackup"
1. Bootup with rescue CD
2. mount another location to place the backup data, as example we use sda2
> mkdir /mnt/backup
> mount /dev/sda2 /mnt/backup
> dd if=/dev/sda of=sda.mbr bs=512 count=1    <----Backup MBR
> sfdisk -l /dev/sda > sda.sf         <---Backup partition status
> ntfsclone --save-image -o - /dev/sda1 | gzip > sda1.pimg.gz <---Wait with coffee
3. Verify the backup data with "ls /mnt/backup"

Restore:
1. Bootup with rescue CD
2. Start to restore mbr, partition status and partition
> mkdir /mnt/backup
> mount /mnt/backup /dev/sda2
> cd /mnt/backup
> dd of=/dev/sda if=sda.mbr bs=512 count=1
> sfdisk -f /dev/sda < sda.sf
> mknod /dev/sda1 b 8 1     <------create special or ordinary file for sda1, so you need to check major and minor number
> gunzip < sda1.pimg.gz | ntfsclone -r -O /dev/sda1 -
3. Optional step, do it in windows: bcdedit /import "C:\bcdbackup\bcdbackup"

Ubuntu Document search

2010-06-25T10:24:00.000+08:00

Good stuff for ubuntu player:
http://people.canonical.com/~kirkland/search.html

Tomcat5 + Apache on Centos

2010-06-15T11:02:00.000+08:00

Install Tomcat5:
    The easy way is yum install tomcat5 tomcat5-webapps

Testing:
    netstat -ntlp <-----------Check the default 8080 port is ready
    http://localhost:8080/   <------Test the url

If you don't wanna join tomcat to apache2 you can stop here.

Join Tomcat to Apache2
There are several ways to join tomcat to apache2

jk (mod_jk)
http_proxy (mod_proxy)
proxy_ajp (mod_proxy_ajp)

Now I use the easiest way - ajp_proxy:

vi /etc/httpd/conf.d/proxy_ajp.conf

LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

ProxyPass /tomcat/ ajp://localhost:8009/

Double check the proxy_ajp.conf have included in httpd.conf

restart httpd and test with url "http://localhost/tomcat/"

Clamav install with yum in Centos

2010-06-10T17:05:00.000+08:00

1: Create yum repository file
vi /etc/yum.repos.d/dag.repo
[dag]
name=Dag RPM Repository for RHEL5
baseurl=http://ftp.riken.jp/Linux/dag/redhat/el5/en/$basearch/dag/
enabled=1
gpgcheck=1

2: Download and import the key
wget http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
rpm --import RPM-GPG-KEY.dag.txt

3: yum install clamd

Apache htaccess Digest Authentication config

2010-06-10T14:15:00.000+08:00

Suppose the http document directory is /var/www/html
Step 1
Then create .htaccess file in it
vi /var/www/html/.htaccess
AuthName "myauth"
Authtype Digest
AuthDigestProvider file
AuthUserFile /etc/httpd/conf.d/.digpass
Require valid-user

Step 2
issue the follow command to create login account
htdigest -c /etc/httpd/conf.d/.digpass myauth tom

ps.: Don't forget to change "AllowOverride AuthConfig" in httpd.conf

Apache+SSL in Centos

2010-05-27T18:04:00.000+08:00

1. Install package
yum install mod_ssl openssl

2. Create CA and generate Cert
# Generate private key 
openssl genrsa -out ca.key 1024 

# Generate CSR 
openssl req -new -key ca.key -out ca.csr

# Generate Self Signed Key
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

# Move the files to the correct locations
mv ca.crt /etc/pki/tls/certs
mv ca.key /etc/pki/tls/private/ca.key
mv ca.csr /etc/pki/tls/private/ca.csr

3. Config SSL for httpd
Setup the path for the cert and ca key
vi /etc/httpd/conf.d/ssl.conf 
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

4. Setup Virtual Host in Apache

<virtualhost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
<Directory /var/www/vhosts/yoursite.com/httpsdocs>
AllowOverride All
</directory>
DocumentRoot /var/www/vhosts/yoursite.com/httpsdocs
ServerName yoursite.com
</virtualhost>

/etc/init.d/httpd restart

Apache htaccess simple config

2010-05-26T17:00:00.000+08:00

AllowOverride AuthConfig - Provide login screen before view the web site
Sample config:
httpd.conf

====================================
    Options FollowSymLinks
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all

AccessFileName .htaccess

====================================

/var/www/html/.htaccess

====================================

AuthName     "htaccess protect"
Authtype     Basic
AuthUserFile /var/www/.htpasswd <---the .htpasswd file will be created later
require      valid-user
(or you can change to specify user "require user     tom")
====================================

Create .htpasswd file:
htpasswd -c /var/www/.htpasswd owner

Add another account:htpasswd /var/www/.htpasswd tom

vmware remote console on firefox 3.6.x problem

2010-05-21T12:21:00.002+08:00

The problem is the vmrc plugin is not available on firefox 3.6.x, it return timeout error. So my solution is just run the vmrc directly, you can follow the steps:

copy the plugin from /

usr/lib/vmware/webAccess/tomcat/apache-tomcat-6.0.16/webapps/ui/plugin/ to client site.
on client, just unzip it, (for me, unzip vmware-vmrc-linux-x64.xpi)

after extract, you can see vmware-vmrc in plugin folder, run it directly and give the hostname (e.g: 192.168.0.2:8333), username and password.

Linux:
vmware-vmrc -h [<hostname>] [-u <username> -p <password>] [-M <moid> | <datastore path>]

Windows:
vmware-vmrc.exe -h <hostname> [-u <username> -p <password>] -M <moid> | <datastore path>

You can find the object id (moid) from vmInventory.xml
For example: "C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in\vmware-vmrc.exe" -h localhost:8333 -M 16

Windows startup no desktop screen -- explorer.exe don't startup

2010-05-11T15:44:00.000+08:00

open registry (menu Start -> run (or run Comand prompt): regedit).

open: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ Current
Version \ Winlogon

At right pane there is "Shell". The value of it must be "explorer.exe"

sql 2008 server express installation fail - Performance counter registry hive consistency

2010-05-03T16:31:00.001+08:00

Solution1:
Install with the following command:
C:\Users\Administrator\Downloads\SQLEXPRWT_x64_EN.exe U>setup.exe /ACTION=install /SKIPRULES=PerfMonCounterNotCorruptedCheck

Solution2 (Environment: win vista sp2 32bit):
I fixed by change the registry
go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
then you can copy 0404 reg key and create new reg key call 004
Then install again.

Ubuntu 內的千千靜聽－ amarok

2010-05-02T21:34:00.000+08:00

apt-get install amarok

https://help.ubuntu.com/community/Amarok

Debian/Ubuntu inter-vlan configuration

2010-04-22T14:39:00.000+08:00

Suppose your switch is ready.
Install vlan package > add 802.1q module > config interface

1. apt-get install vlan

2. modprobe 8021q

3. vi /etc/network/interfaces
#add the following content, here I create 3 VLANs

auto vlan10 vlan20 vlan30

iface vlan10 inet static
address 192.168.10.1
netmask 255.255.255.0
mtu 1500
vlan_raw_device eth0

iface vlan20 inet static
address 192.168.20.1
netmask 255.255.255.0
mtu 1500
vlan_raw_device eth0

iface vlan30 inet static
address 192.168.30.1
netmask 255.255.255.0
mtu 1500
vlan_raw_device eth0

iptables in NAT (MASQUERADE, SNAT, DNAT)

2010-04-14T21:16:00.000+08:00

Assumption in the case to config NAT
eth0 connection to external network
eth1 connection to internal network
Enable ip route
echo 1 > /proc/sys/net/ipv4/ip_forward

Set up IP FORWARDing and Masquerading
(this is the most simple method to config NAT for internal users)

[root@linux ~]#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@linux ~]#iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@linux ~]#iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

For this case using MASQUERADE, there is alternative
[root@linux ~]#iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

(suppose ppp0 is ready for external network)

More information (Just sample for your reference):
SNAT
Example: Internal users access external network with private IP

[root@linux ~]#iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 202.175.12.34
(Map source addresses to 202.175.12.34)

[root@linux ~]#iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 202.175.12.34-202.175.12.39
(Map source addresses to the range of 202.175.12.34~202.175.12.39)

DNAT
Example: External users access internal server

[root@linux ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 192.168.1.10
[root@linux ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 192.168.1.5-192.168.1.10
[root@linux ~]# iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.10:80 
[root@linux ~]# iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.10:8080
[root@linux ~]# iptables -t nat -A PREROUTING -p tcp  --dport 80 -j REDIRECT --to-ports 8080

iptables general configuration

2010-04-14T19:49:00.000+08:00

List iptables contents

[root@linux ~]# iptables -L -n
[root@linux ~]# iptables -L -nv
[root@linux ~]# iptables -t nat -L -n

Flush iptables contents
[root@linux ~]# iptables -F
[root@linux ~]# iptables -t nat -F
[root@linux ~]# iptables -F FORWARD
[root@linux ~]# iptables -X MYCHAIN

Set policy for chain
Example:
[root@linux ~]# iptables -P INPUT DROP
Result:
Chain INPUT (policy DROP)
target     prot opt source               destination 

Add rules to the chain
Template:
iptables [-AI Chain] [-io interface] [-p protocal] [-s source ip] [-d destination ip] -j [ACCEPT|DROP]
Example:
[root@linux ~]# iptables -A INPUT -i eth0 -s 192.168.0.1 -j ACCEPT
[root@linux ~]# iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
[root@linux ~]# iptables -A INPUT -s 192.168.2.200 -j LOG
(log all traffic from 192.168.2.200 and record to /var/log/messages)
[root@linux ~]# iptables -A INPUT -p icmp -j ACCEPT
[root@linux ~]# iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP
[root@linux ~]# iptables -A INPUT -i eth0 -p udp --dport 137:138 -j ACCEPT
[root@linux ~]# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 \
> --sport 1024:65534 --dport ssh -j DROP
[root@linux ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
(Accept the response packet, here state can be NEW,RELATED,ESTABLISHED,INVALID)
[root@linux ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@linux ~]# iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT

Insert a rule to the chain
[root@linux ~]# iptables -I INPUT 2 -i eth0 -p tcp --dport 21 -j DROP
(Insert to the 2rd rule)

Replace a rule
[root@linux ~]# iptables -R INPUT 2 -i eth0 -p tcp --dport 21 -j DROP
(Replace the 2rd rule)

Delete rules
[root@linux ~]# iptables -D INPUT -i eth0 -p tcp --dport 21 -j DROP
[root@linux ~]# iptables -D INPUT 2
(Delete the 2rd rule)

Save and Restore
Whatever you did in command, it will lost after system reboot, so we need to save
to the file that will load when system bootup. For redhat distribution, it will 
save in /etc/sysconfig/iptables
Two command used to backup and restore.
Example:
[root@linux ~]# iptables-save > filename
(Save iptables from running config to a file)
[root@linux ~]# iptables-save > /etc/sysconfig/iptables
(Save iptables from running config to startup config)
[root@linux ~]# iptables-restore < filename

vsftpd simple config

2010-04-08T18:47:00.001+08:00

ref.: http://ubuntuforums.org
Basic Setup

To disable anonymous login and to enable local users login and give them write permissions:

Code:

# No anonymous login
anonymous_enable=NO
# Let local users login
# If you connect from the internet with local users, you should enable TLS/SSL/FTPS
local_enable=YES

# Write permissions
write_enable=YES

NOTE: It is not advisable to use FTP without TLS/SSL/FTPS over the internet because the FTP protocol does not encrypt passwords. If you do need to transfer files over FTP, consider the use of virtual users (same system users but with non system passwords) or TLS/SSL/FTPS (see below).

To chroot users

To jail/chroot users (not the vsftpd service), there are three choices. Search for "chroot_local_users" on the file and consider one of the following:

Code:

# 1. All users are jailed by default:
chroot_local_user=YES
chroot_list_enable=NO

# 2. Just some users are jailed:
chroot_local_user=NO
chroot_list_enable=YES
# Create the file /etc/vsftpd.chroot_list with a list of the jailed users.

# 3. Just some users are "free":
chroot_local_user=YES
chroot_list_enable=YES
# Create the file /etc/vsftpd.chroot_list with a list of the "free" users.

To deny (or allow) just some users to login

To deny some users to login, add the following options in the end of the file:

Code:

userlist_deny=YES
userlist_file=/etc/vsftpd.denied_users

In the file /etc/vsftpd.denied_users add the username of the users that can't login. One username per line.

To allow just some users to login:

Code:

userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.allowed_users

In the file /etc/vsftpd.allowed_users add the username of the users that can login.

The not allowed users will get an error that they can't login before they type their password.

TLS/SSL/FTPS

NOTE: you definitely have to use this if you connect from the Internet.

To use vsftpd with encryption (it's safer), change or add the following options (some options aren't on the original config file, so add them):

Code:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
# Filezilla uses port 21 if you don't set any port
# in Servertype "FTPES - FTP over explicit TLS/SSL"
# Port 990 is the default used for FTPS protocol.
# Uncomment it if you want/have to use port 990.
#listen_port=990

No need to create a certificate. vstfpd uses the certificate Ubuntu creates upon it's installation, the "snake-oil" certificate (openssl package, installed by default).

Install a VNC Server in Ubuntu

2010-04-08T13:54:00.000+08:00

Step1: Install vnc4server and xinetd
sudo apt-get install vnc4server xinetd

Step2: Edit ~/.vnc/xstartup
Uncomment the lines that start with unset and exec. Comment out the lines that start with xsetroot, vncconfig, xterm, and twm.
The final file should look like:
#!/bin/sh
# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
#xsetroot -solid grey
#vncconfig -iconic &
#xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
#twm &

Step3: Stop vncserver
vnc4server -kill :1

Step4: start vncserver
vnc4server

No Password login - SSH

2010-03-25T15:57:00.000+08:00

Step 1: Create public and private keys using ssh-key-gen on local-host

jsmith@local-host$ [Note: You are on local-host here]

jsmith@local-host$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):[Enter key]
Enter passphrase (empty for no passphrase): [Press enter key]
Enter same passphrase again: [Pess enter key]
Your identification has been saved in /home/jsmith/.ssh/id_rsa.
Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub.
The key fingerprint is:
33:b3:fe:af:95:95:18:11:31:d5:de:96:2f:f2:35:f9 
jsmith@local-host

Step 2: Copy the public key to remote-host using ssh-copy-id

jsmith@local-host$ ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host
jsmith@remote-host's password:
Now try logging into the machine, with "ssh 'remote-host'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting.

Step 3: Login to remote-host without entering the password

jsmith@local-host$ ssh remote-host
Last login: Sun Nov 16 17:22:33 2008 from 192.168.1.2
[Note: SSH did not ask for password.]

jsmith@remote-host$ [Note: You are on remote-host here]

ref.: http://www.thegeekstuff.com/2008/11/3-steps-to-perform-ssh-login-without-password-using-ssh-keygen-ssh-copy-id/

Apache+SSL in Debian Quick Setup

2010-03-23T14:51:00.000+08:00

Step1: apt-get install apache2 openssl

Step2: (Generate cert file)

mkdir /etc/apache2/ssl
 
  RANDFILE=/dev/random openssl req $@ -new -x509 -days 365 -nodes \
    -out /etc/apache2/ssl/apache.pem \
    -keyout /etc/apache2/ssl/apache.pem

  chmod 600 /etc/apache2/ssl/apache.pem

Step3: (Config for apache2)
  cd /etc/apache2/sites-available/
  cp default ssl

Step4: (Enable the site. This is done by making a sym-link to the configuration 
from /etc/apache2/sites-enabled/.)
  a2ensite ssl

Step5: (To enable the ssl module from /etc/apache2/mods-available)
  a2enmod ssl

Step6: (Add 443 port to /etc/apache2/ports.conf)
  Listen 443

Step7: (Edit /etc/apache2/sites-available/ssl)
  NameVirtualHost *:443
  
   SSLEngine On
   SSLCertificateFile /etc/apache2/ssl/apache.pem

Step8: Restart apache2  /etc/init.d/apache2 restart

Simple logrotate - make your log file archieve

2010-03-15T14:56:00.000+08:00

If you want to make your log files archieve, you can create file in /etc/logrotate.d, those files will be included in logrotate.conf
Here is the file sample:

/var/log/linuxserver/linux.log {
        rotate 7
        daily
        compress
        delaycompress
        missingok
        notifempty
        create 660 linuxuser linuxuser } 

This config file will run daily, create maximum 7 archives owned by linuxuser 
and linuxuser group with 660 permissions,compress all logs and exclude only yesterdays and empty log files.
Here are some selected logrotate configuration keywords.

daily	Log files are rotated every day.
weekly	Log files are rotated if the current weekday is less than the weekday of the last rotation or if more than a week has passed since the last rotation. This is normally the same as rotating logs on the first day of the week, but if logrotate is not being run every night a log rotation will happen at the first valid opportunity.
monthly	Log files are rotated the first time logrotate is run in a month (this is normally on the first day of the month).
notifempty	Do not rotate the log if it is empty (this overrides the ifempty option).
nocompress	Old versions of log files are not compressed.
delaycompress	Postpone compression of the previous log file to the next rotation cycle. This only has effect when used in combination with compress. It can be used when some program cannot be told to close its logfile and thus might continue writing to the previous log file for some time.
compress	Old versions of log files are compressed with gzip by default.
mail address	When a log is rotated out of existence, it is mailed to address. If no mail should be generated by a particular log, the nomail directive may be used.
missingok	If the log file is missing, go on to the next one without issuing an error message.

To run the logrotate manually, issue the command:
logrotate -v /etc/logrotate.conf

Journaled quota

2010-03-11T15:29:00.001+08:00

Journaled quota

(Assume installed quota package)

vi /etc/fstab

/dev/sda1 / ext4 defaults,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 1

touch /aquota.user /aquota.group
mount -o remount /
quotacheck -avug
quotaon -avug
edquota -u ray
edquota -g myquotagrp

RPM command example

2010-03-10T23:57:00.000+08:00

Install

# rpm -ivh foo-2.0-4.i386.rpm
# rpm -i ftp://ftp.redhat.com/pub/redhat/RPMS/foo-1.0-1.i386.rpm
# rpm -i http://oss.oracle.com/projects/firewire/dist/files/kernel-2.4.20-18.10.1.i686.rpm

Erase
# rpm -e foo

Upgrade
# rpm -Uvh foo-1.0-2.i386.rpm
# rpm -Uvh ftp://ftp.redhat.com/pub/redhat/RPMS/foo-1.0-1.i386.rpm
# rpm -Uvh http://oss.oracle.com/projects/firewire/dist/files/kernel-2.4.20-18.10.1.i686.rpm

Query

# rpm -qa  <------To query all installed packages.

# rpm -q foo  <------To query a RPM package.

# rpm -qi foo  <------To display package information.

# rpm -ql foo  <------To list files in installed package

# rpm -qf /usr/bin/mysql  <------Which package owns a file?
mysql-3.23.52-3

# rpm -qpl kernel-2.4.20-18.10.1.i686.rpm
# rpm -qpl ftp://ftp.redhat.com/pub/redhat/RPMS/foo-1.0-1.i386.rpm
# rpm -qpl http://oss.oracle.com/projects/firewire/dist/files/kernel-2.4.20-18.10.1.i686.rpm

List files in RPM file.


Verify
# rpm --verify mysql

To verify an installed package. The output is listed using the following codes that signify what failed:

S File size
  M Mode (includes permissions and file type)
  5 MD5 sum
  L Symlink 
  D Device 
  U User 
  G Group 
  T Mtime

Take for example the following:

# rpm --verify mysql
  S.5....T c /etc/my.cnf

This example indicates that file /etc/my.cnf failed on:

File size 
  MD5 Sum 
  Modified Time

However, the "c" tells us this is a configuration file so that explains the changes. It should still be looked at to determine what the changes were.

Recommended application and installation for new Ubuntu user

2010-01-29T12:37:00.000+08:00

For those just finished the system installation, please look below:

1. Setup input method:
go System>administration>language support>install/remove languages then choose what you want.

2. Compiz fusion - using simple-ccsm:
open terminal, execute the command "apt-get install simple-ccsm"

3. Google desktop:
You can download and install the plugin on your desktop.
http://desktop.google.com/plugins/

4. Virtual box
http://www.virtualbox.org/wiki/Linux_Downloads

5. vmserver
http://register.vmware.com/content/download.html

...to be continuous

Linux - Compression and Uncompression Example

2010-01-27T12:03:00.000+08:00

compress
compress bigfile     <--------- compress bigfile to be bigfile.Z, bigfile will be disappear.
compress -r myfolder     <---------compress all file to be .Z file in myfolder
compress -c bigfile     <---------display the result to stdout
compress -c bigfile > smallfile.Z      <---------by which, unchange bigfile but saveas another compressed file(smallfile.Z).

uncompress
uncompress smallfile.Z

gzip
gzip bigfile     <--------- compress bigfile to be bigfile.gz
gzip -9 bigfile     <--------- compress bigfile to be bigfile.gz, -9 is best quality but slowest, -1 is the fastest but low compress, default is -6.
gzip -c bigfile > smallfile.gz      <--------- unchange bigfile but save as another compressed file(smallfile.gz).

gunzip
gunzip smallfile.gz     <--------- extract the gz file
gunzip -c smallfile.gz > file     <--------- extract smallfile.gz to a file,and don't smallfile.gz

zcat
zcat smallfile.gz     <---------see the file content without unzip

bzip2, bunzip2, bzcat

bzip2 default compress level 2
the usage is like gzip, gunzip, zcat
(Hints: gzip is better than compress, bzip2 is the best)

tar
option:
-c               create, write tarfile
-t                list content
-z               use gzip compress
-j               use bzip2 compress
-x              extract or restore
-v              view progress
-p              Restore the named files to their original modes, and ACLs if applicable

Example
tar -cf testfolder.tar /path/to/testfolder         <---------------Create tar file
tar -xvf testfolder.tar -C /path/to/folder         <-----------Extract tar file to another folder

Tar & gzip
tar -zpcvf testfolder.tar.gz /path/to/testfolder     <----------Tar and gzip a folder
tar -zpcvf testfolder.tar.gz --exclude=/path/to/testfolder/subfolder1 /path/to/testfolder     <----------Tar and gzip a folder except subfolder1
tar -zxvf testfolder.tar.gz -C /path/to/folder     <----------Extract the file to another
tar -ztf testfolder.tar.gz     <----------View the content

Tar & bzip2

tar -jpcvf testfolder.tar.bz2 /path/to/testfolder     <----------Tar and gzip a folder
tar -jpcvf testfolder.tar.bz2 --exclude=/path/to/testfolder/subfolder1 /path/to/testfolder     <----------Tar and bzip2 a folder except subfolder1
tar -jxvf testfolder.tar.bz2 -C /path/to/folder     <----------Extract the file to another
tar -jtf testfolder.tar.bz2     <----------View the content

dump
for example: lets backup the partition /boot
dump -S /boot                   <---------------------Show how many size will be used
dump -0uf /home/myfolder/boot.dump /boot   <-----------dump the whole partition, 0 is compress level, u means update record to /etc/dumpupdate, f is specify the file name
dump -0j -f /home/myfolder/boot.dump /boot   <-----------bump the whole partition with bzip2 compress.

restore
restore -tf /home/myfolder/boot.dump <---------------- View the dump file content
restore -rf /home/myfolder/boot.dump <---------------- Restore with dump file.

Change process priority - nice and renice

2010-01-20T22:30:00.000+08:00

Nice number
• Range: -20 ~ +19
• User process default: 0
• + no. lower the priority
• - no. raise the priority
• Only root can lower the no.
• Don’t assign +no. to fg jobs -- sluggish

Syntax
• Just nice shows current priority
• nice [-n no.] [command]
• nice [-no.] [command]
• Normal user: no. = 1~19
• Root: no. = -20~19
• Not specified no.: default to 10

Examples

[law@localhost ~]$ nice seq 1000000&
Using default nice# 10 to reduce priority

[law@localhost ~]$ nice -n -10 vi /etc/hosts.deny
Start vi at high priority (-10)

renice
Modify nice no. of a running program
Syntax:
Renice [+|-]nicenumber [option] targets

Examples
[law@localhost ~]$ renice 19 501
Lower process 501's priority
[law@localhost ~]$ renice -10 -u law -p 501
Increase all law's process and process 501

Checking system status

2010-01-20T22:22:00.000+08:00

ps aux             <----show all process
ps auxf             <----show all process as tree format
ps a -l             <----here -l means long format, see detail

pstree             <----show process as tree format
pstree -p             <----display with pid
pstree -H 1974             <----high light the 1974 process

top
top -d 2             <----Change data with 2 second.
top -b -n 2 > /home/ray/topresult     <----run top 2 times and redirect the result to a file
in top interface:
press q is exit
press M is sort by memory
press < or > means sort by previous or next column

free -m              <----Check memory status

netstat -ntlp             <----Show the network status, here "l" means those listening process

vmstat 2             <----Check CPU status, take snapshot with 2 seconds
vmstat 2 4            <----Check CPU status, take snapshot with 2 seconds and do it 4 times
vmstat -d             <----Show disk read write status

df -h             <----Show harddisk space size

runlevel             <----Show previous and current runlevel

Linux command - cut, sed, awk

2010-01-19T18:33:00.000+08:00

Cut

cut -c 1-7 f1 will output the first 7 characters in each line of file 'f1'.

cut -c 2,4-7,10- f1 will output the character 2, characters 4 – 7, characters 10 until the end of line in each line of file 'f1'.

cut -f 1,4,5 f1 will output 'fields' 1, 4 and 5 in file 'f1'. The fields are assumed to be separated by tab in 'f1'.

cut -d ' ' -f 1,4,5 f1 will output 'fields' 1, 4 and 5 in file 'f1'. The fields are assumed to be separated by a single space in 'f1'.

Sed

Let's make a test file
ls -l /etc > testsed

"d" means delete
sed '1,4d' testsed
sed '/yum/d' testsed
sed '/yum/!d' testsed

"s" is replace, -n means hide the other output, p is display
sed -n 's/pass/xxxxx/p' testsed

Awk
Make another file to test awk
ps aux > testawk

Show column 11
awk '{print $11}' testawk

awk '/sbin/{print $2,$11}' testawk

ps aux 各欄位的意義

2010-01-18T23:40:00.000+08:00

在 ps aux 顯示的項目中，各欄位的意義為：

* USER：該 process 屬於那個使用者帳號的？
* PID ：該 process 的程序識別碼。
* %CPU：該 process 使用掉的 CPU 資源百分比；
* %MEM：該 process 所佔用的實體記憶體百分比；
* VSZ ：該 process 使用掉的虛擬記憶體量 (Kbytes)
* RSS ：該 process 佔用的固定的記憶體量 (Kbytes)
* TTY ：該 process 是在那個終端機上面運作，若與終端機無關則顯示 ?，另外， tty1-tty6 是本機上面的登入者程序，若為 pts/0 等等的，則表示為由網路連接進主機的程序。
* STAT：該程序目前的狀態，狀態顯示與 ps -l 的 S 旗標相同 (R/S/T/Z)
* START：該 process 被觸發啟動的時間；
* TIME ：該 process 實際使用 CPU 運作的時間。
* COMMAND：該程序的實際指令為何？

Fine tune your VM - Extend vm disk size in Linux

2010-01-18T17:25:00.000+08:00

Step1: Login with admin, shutdown your PC

Step2: Eg: Extend your vm to 40GB
vmware-vdiskmanager -x 40GB winxp.vmdk
Then your disk space would be expanded, but the free space is not assigned to your system.

Step3: List your registered vm, check the ID
vmware-vim-cmd vmsvc/getallvms

Step4: Poweron your vm
vmware-vim-cmd vmsvc/power.on 96

Step5: If you the vm is windows, then go to computer manager to assign the free space to C: or D: as you like.
To expand system driver (such as C: which holding winxp) then you may need to do it with thrid party partition tools. Here you can get more information: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004071

Fedora 12 enable root login in GUI

2010-01-10T14:08:00.000+08:00

1. edit /etc/pam.d/gdm and /etc/pam.d/gdm-password
2. Add comment(#) to the following line
# auth required pam_succeed_if.so user != root quiet

editor - vi

2010-01-07T18:49:00.001+08:00

.vi 的操作模式
==============
        vi 提供兩種操作模式：輸入模式(insert mode)和指令模式(command mode)
        。當使用者進入 vi 後，即處在指令模式下，此刻鍵入之任何字元皆被視為
        指令。在此模式下可進行刪除、修改等動作。若要輸入資料，則需進入輸入
        模式。

.輸入模式
=========
        如何進入輸入模式
                a (append)      由游標之後加入資料。
                A               由該行之末加入資料。
                i (insert)      由游標之前加入資料。
                I               由該行之首加入資料。
                o (open)        新增一行於該行之下供輸入資料之用。
                O               新增一行於該行之上供輸入資料之用。

如何離開輸入模式
                《ESC》 結束輸入模式。

.指令模式
=========
游標之移動
        h       向左移一個字元。
        j       向上移一個字元。
        k       向下移一個字元。
        l       向右移一個字元。
        0       移至該行之首
        $       移至該行之末。
        ^       移至該行的第一個字元處。
        H       移至視窗的第一列。
        M       移至視窗的中間那列。
        L       移至視窗的最後一列。
        G       移至該檔案的最後一列。
        +       移至下一列的第一個字元處。
        -       移至上一列的第一個字元處。
        (       移至該句之首。 (註一)
        )       移至該句之末。
        {       移至該段落之首。 (註二)
        }       移至該段落之末。
        nG      移至該檔案的第 n 列。
        n+      移至游標所在位置之後的第 n 列。
        n-      移至游標所在位置之前的第 n 列。
        <Ctrl><g>       會顯示該行之行號、檔案名稱、檔案中最末行之行號、游標
                        所在行號佔總行號之百分比。

註一：句子(sentence)在vi中是指以『！』、『.』或『？』結束的一串字。
        註二：段落(paragraph)在vi中是指以空白行隔開的文字。

.視窗的移動
===========
        <Ctrl><f>       視窗往下捲一頁。
        <Ctrl><b>       視窗往上捲一頁。
        <Ctrl><d>       視窗往下捲半頁。
        <Ctrl><u>       視窗往上捲半頁。
        <Ctrl><e>       視窗往下捲一行。
        <Ctrl><y>       視窗往上捲一行。

.刪除、複製及修改指令介紹 (此單元較少使用)
=========================
        d(delete)、c(change)和y(yank)這一類的指令在 vi 中的指令格式為：
        Operator + Scope = command
        (運算子)   (範圍)
        運算子：
        d       刪除指令。刪除資料，但會將刪除資料複製到記憶體緩衝區。
        y       將資料(字組、行列、句子或段落)複製到緩衝區。
        p       放置(put)指令，與 d 和 y 配和使用。可將最後delete或yank的資
                料放置於游標所在位置之行列下。
        c       修改(change)指令，類似delete與insert的組和。刪除一個字組、句
                子等之資料，並插入新鍵資料。

範圍：
        e       由游標所在位置至該字串的最後一個字元。
        w       由游標所在位置至下一個字串的第一個字元。
        b       由游標所在位置至前一個字串的第一個字元。
        $       由游標所在位置至該行的最後一個字元。
        0       由游標所在位置至該行的第一個字元。
        )       由游標所在位置至下一個句子的第一個字元。
        (       由游標所在位置至該句子的第一個字元。
        {       由游標所在位置至該段落的最後一個字元。
        }       由游標所在位置至該段落的第一個字元。

整行動作
        dd      刪除整行。
        D       以行為單位，刪除游標後之所有字元。
        cc      修改整行的內容。
        yy      yank整行，使游標所在該行複製到記憶體緩衝區。

.刪除與修改
===========
        x       刪除游標所在該字元。
        X       刪除游標所在之前一字元。
        dd      刪除游標所在該行。
        r       用接於此指令之後的字元取代(replace)游標所在字元。
                如： ra 將游標所在字元以 a 取代之。
        R       進入取代狀態，直到《ESC》為止。
        s       刪除游標所在之字元，並進入輸入模式直到《ESC》。
        S       刪除游標所在之該行資料，並進入輸入模式直到《ESC》。

.搬移與複製
==========
        利用 delete 及 put 指令可完成資料搬移之目的。
        利用 yank 及 put 指令可完成資料複製之目的。
        yank 和 delete 可將指定的資料複製到記憶體緩衝區，而藉由 put 指令
        可將緩衝區內的資料複製到螢幕上。
        例：
        搬移一行        ‧在該行執行 dd
                        ‧游標移至目的地
                        ‧執行 p
        複製一行        ‧在該行執行 yy
                        ‧游標移至目的地
                        ‧執行 p

.指令重複
=========
        在指令模式中，可在指令前面加入一數字 n，則此指令動作會重複執行 n
        次。
        例：
        刪除10行                ‧10dd
        複製10行                ‧10yy
                                ‧游標移至目的地
                                ‧p
        指標往下移10行  ‧10j

.取消前一動作(Undo)
===================
        即復原執行上一指令前的內容。

u       恢復最後一個指令之前的結果。
        U       恢復游標該行之所有改變。

.搜尋
=====
        在vi中可搜尋某一字串，使游標移至該處。

/字串           往游標之後尋找該字串。
        ?字串           往游標之前尋找該字串。
        n               往下繼續尋找下一個相同的字串。
        N               往上繼續尋找下一個相同的字串。

.資料的連接
===========
        J       句子的連接。將游標所在之下一行連接至游標該行的後面。

若某行資料太長亦可將其分成兩行，只要將游標移至分開點，進入輸入模式
        (可利用 a、i等指令)再按《Enter》即可。

.環境的設定
===========
        ：set nu                設定資料的行號。
        ：set nonu              取消行號設定。
        ：set ai                自動內縮。
        ：set noai              取消自動內縮。

自動內縮(automatic indentation)
        在編輯文件或程式時，有時會遇到需要內縮的狀況，『：set ai』即提供自
        動內縮的功能，用下例解釋之：
        ‧vi test
        ‧(進入編輯視窗後)
          this is the test for auto indent
          《Tab》start indent           ← ：set ai (設自動內縮)
          《Tab》data
          《Tab》data
          《Tab》data                   ← ：set noai (取消自動內縮)
        the end of auto indent.
        ‧註：<Ctrl><d> 可刪除《Tab》字元。

.ex指令
=======
        讀寫資料
        ：w                     將緩衝區的資料寫入磁碟中。
        ：10,20w test   將第10行至第20行的資料寫入test檔案。
        ：10,20w>>test  將第10行至第20行的資料加在test檔案之後。
        ：r test                將test檔案的資料讀入編輯緩衝區的最後。

刪除、複製及搬移
        ：10,20d                刪除第10行至第20行的資料。
        ：10d                   刪除第10行的資料。
        ：%d                    刪除整個編輯緩衝區。
        ：10,20co30             將第10行至第20行的資料複製至第30行之後。
        ：10,20mo30             將第10行至第20行的資料搬移至第30行之後。

字串搜尋與取代
        s(substitute)指令可搜尋某行列範圍。
        g(global)指令則可搜尋整個編輯緩衝區的資料。
        s指令以第一個滿足該條件的字串為其取代的對象，若該行有數個滿足該條
        件的字串，也僅能取代第一個，若想取代所有的字串則需加上g參數。
        ：1,$s/old/new/g                將檔案中所有的『old』改成『new』。
        ：10,20s/^/   /         將第10行至第20行資料的最前面插入5個空白。
        ：%s/old/new/g          將編輯緩衝區中所有的『old』改成『new』。

.恢復編輯時被中斷的檔案
=======================
        在編輯過程中，若系統當掉或連線中斷，而緩衝區的資料並還未
        被寫回磁碟時，當再度回到系統，執行下列指令即可回復中斷前
        的檔案內容。
        %vi -r filename

.編輯多個檔案
=============
        vi亦提供同時編輯多個檔案的功能，方法如下：
        %vi file1 file2 ..

當第一個檔案編修完成後，可利用『：w』將該緩衝區存檔，而後
        再利用 『：n』載入下一個檔案。

Basic file management commands

2009-12-30T16:30:00.000+08:00

Command Purpose
cd      Sets location in filesystem
ls      Displays contents of directory
file    Determines file’s type
cat     Displays file’s contents
more    Displays file’s contents one screen at a time
less    Displays file’s contents one screen at a time
wc      Shows character, word, and line counts
head    Displays first few lines of a file
tail    Displays last few lines of a file
touch Changes file’s timestamp; create an empty file
cp      Copies a file
dd      Copies a file from one device to another
mv      Changes a file’s name or location in the filesystem
rm      Deletes a file
mkdir   Creates a directory
rmdir   Deletes a directory

cd
Example:
$ cd /home/hadden/letters <---using absolute path
$ cd letters <---using relative path
$ pwd
/home/hadden/letters/Aug
$ cd
$ pwd
/home/hadden
=====================================
file
The file utility enables you to get information about the contents of a file without having to examine the file directly.
The syntax for file is
file [options] filename
Example
$ file home
home: directory
======================================

cat
The cat (concatenate file) command can be used to create new files; however, it is primarily used to send the contents of one or more files to your display or other output device. cat’s functionality can be increased by using either > or >>.
Example:
To create a new file, type
$ cat > newfilename
file contents
Ctrl-D

To display the contents of one or more files to the standard output, type
$ cat file1 file2

To combine multiple files into one, type
cat file1 file2 file3 > newfile

To add the contents of file1 to the end of file2, type
$ cat file1 >> file2
==============================
wc
The output appears as the number of lines, number of words, number of characters, and filename
Example:
$ wc /etc/passwd
33 45 1564/etc/passwd

==================================

head and tail
Like their names imply, these two commands let you look at either the beginning or end
of one or more files.
Example:
To show the first seven line of the file
$ head -7 /etc/passwd
To show the last five line of the file.
$ tail -5 /var/log/messages
if no option, default is 10 line.
=======================================
touch
touch is used to change the date and time of the last access or modification. The syntax is
touch [options] [date] filename
If the file does not exist, touch will create a new file of 0 length. If no date or time is specified, the current system time is used.

touch -d '14:24' file1
================================================

cp
The cp command copies both files and directories. The copy operation will overwrite any existing file with the same name, so be careful. To prevent this, you can use the -b (backup target file) or the -i (interactive) option.
To recursively copy one directory’s contents to another, use either the -r or -R option. This also will recursively copy the directory structure.
For example:
cp -r /home/peter /root

================================================
dd
The dd (device to device copy) is a special kind of copy utility.

example:
full hard disk copy
dd if=/dev/hdx of=/path/to/image

Restore Backup of hard disk copy
dd if=/path/to/image of=/dev/hdx
=============================

mv
The mv command is used to rename or move files to another location on the directory tree.

The syntax for mv is
mv [option] [source file] [target file]
=============================

rm
The rm command can be used to remove individual or multiple files and directories. After a file has been deleted, it is gone, so use it cautiously.
Use the -i option to require confirmation before files are deleted.
Otherwise, you might be left with a nonbootable system. The -f option will force deletion of write-protected files.

Be careful when you do this
rm -rf myfolder
=============================

mkdir
The mkdir command is used to create one or more directories. If no options are used, the parent directory must exist to create a child directory, as in the following examples
mkdir testing
mkdir testing/child

It also can create the parent and child directories in a single command by using the -p option.
mkdir -p testing/parent/child
============================

rmdir
The rmdir command will delete only empty directories.

Use the parent (-p) option to remove directory hierarchies.
rmdir -p testing/parent/child
This command deletes the child directory only. If there are more subdirectories in the parent directory, they will not be deleted.

However, if you type
rmdir -p testing/parent/*
all empty subdirectories of the directory parent will be deleted.
===================================

Linux simple shell commands

2009-12-30T10:44:00.000+08:00

Linux commands general format:
command [-option] parameter1 parameter2 ...

startx - start x window system ()

init 3 - 關閉圖形介面, 進入純文字介面的環境

uname - 顯示linux kernel版本
[root@localhost ~]# uname -r
2.6.31.9-174.fc12.i686

shutdown - 關閉系統

[root@localhost ~]# shutdown -h now         <---現在關閉系統

[root@localhost ~]# shutdown -r +1          <---一分鐘後reboot

pwd - 顯示所在目錄位置

ls - 顯示當前目錄檔案

man - 顯示指令說明

cat,more,less - 顯示檔案內容

echo - 在螢幕上面顯示變數
[root@localhost ~]# echo $PATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
[root@localhost ~]# myname=ray <---等號兩邊不能直接接空白字元
[root@localhost ~]# echo $myname ray

env - 觀察環境變數與常見環境變數說明

set - 觀察所有變數 (含環境變數與自訂變數)

export - 自訂變數轉成環境變數

history - 顯示執行過的指令

Linux Bootup Process

2009-12-28T16:58:00.000+08:00

1. Hardware poweron
   > hardware test, load BIOS
   > Find boot device (harddisk, cdrom, usb...)

2. Load harddisk & Boot loader (GRUB)
   > Execute boot loader in MBR
   > Boot menu select OS
   > The MBR then needs to know which partitions on the disk have boot loader code specific to their operating systems in their boot sectors and then attempts to boot one of them.

3. Load kernel
   > Load kernel into memory
   > Detect hardware and load the driver
   > pass control on to the kernel

4. Kernel init task
   > Establish memory management
   > detects the type of CPU
   > any additional functionality

5. Run the /sbin/init program
   > system check
   > verify the integrity of the file systems
   > start vital programs for operating system to function properly.
   > Inspects the /etc/inittab file to determine operation mode or runlevel
   > launch process depend on runlevel

6. System initialization
   > run /etc/rc.d/rc.sysinit

7. Init run level service

8. Init run file in /etc/rc.d/rc.local

9. Init prepare login environment and wait user login

Linux的各種Distribution分析

2009-12-15T09:53:00.000+08:00

ref.: http://www.lawtw.com/article.php?template=article_content&parent_path=,1,777,&article_category_id=817&job_id=4602&article_id=4565

Redhat==Linux忠實擁護著==半封閉式的Open Source

台灣目前沒有自行研發的Linux Distribution，根據調查，使用率最高的是RedHat Linux，引用國內Linufab的調查資料所知，使用Linux的人52%都使用Redhat，因此Redhat相對性的應用性產品最多，其中 RedHat所研發出來的RPM套件機制更是廣泛被各大Linux Distribution所使用，但是事實上RedHat並非是最好的Distribution，因為其在軟體的安裝上需要各軟體套件高度的相依性 (package dependence)：，常造成一般使用著極大的困擾〈可以參考以下網址http://pc510.ev.ncku.edu.tw/~vbird /linux_redhat7.2/37command_5rpmtarball.html〉，且由於RedHat內含了非標準的系統核心修補程式，這會讓使用者自行設定系統的時候遇到困難，支援RedHat的軟體不管是商業或非商業軟體最多，這當然是其他Distribution所比不上的優勢。還有一點就是台灣的非營利性組織CLE專門針對RedHat做繁體中文化的工作。更重要的是當你遇到問題能夠替你解決問題的人也越多。

Mandrake===新手的Linux==全開放式的Open Source

Linux Mandrake 發行套件是由 MandrakeSoft 公司所發行的。該公司是在一九九八年由一群 Linux 狂熱者所共同組成，並且努力朝向讓 Linux 易於使用的目標前進。為了達到這個目標，Mandrake 提供了一個極佳的圖形介面安裝程式。
Mandrake是這一年來最紅的Linux Distribution，其標榜的就是可以跟視窗比美的簡易安裝過程，安裝的過程是所有的Distribution中最容易安裝且最容易做系統多重分割的喔，而且畫面也最精緻，也許跟這Distribution是法國人發明的原因，所以多了一點法國人的浪費，除此之外他的中文化也做得最好，Mandrake 著重卓面用戶，在安裝及使用上比較簡單，及採用比較多圖形介面，所以對於新手來說是一個不錯的選擇，如果你是想使用Mandrake作為替代 Windows的系統，推薦你使用Mandrake，但是由於Mandrake是根據RedHat作修改，因此RedHat的缺點Mandrake不只有，Mandrake更是把它發揚光大，比如rpm的問題，沒有辦法很好的處理隨插即用ISA卡。不過由於它是屬於全開放式的Open Source Liinux ，所以它的軟體研發跟更新速度是非常的快。

Debian==進階的LInux==穩定性的Open Source

Debian 於一九九三年八月十六日誕生，主要是希望能提供一個穩定且無問題的 Linux Distribution。Debian 並無企業的支持，完全是由很多的研發人員自行研發，Debian出名在於其穩定性，主要是由於其利用了外掛認證模組讓眾多的研發人員可以處理軟體認證的問題，也相對的保障了Debian的穩定性。
問題在於Debian完全是純文字安裝介面，初學著不適合使用這Distribution，甚至連分割都只有類似fdisk的工具，無法自動分割，因此 Debian實在不適合初學著使用，而且由於其講求穩定性，因此該Distribution的核心跟軟體總是比較舊。提到Debian就要提到其最著名的更新軟體==APT，這軟體是由Debian所研發，其最突出的功能就是能夠非常完整的解決RPM相依性和更新軟體的問題，這軟體能夠良好的解決各 Linux Distribution軟體的安裝和更新問題。

Suse==歐洲的LInux==良好的系統架構跟資料庫

提到歐洲的Linux Distribution，RedHat根本不夠看，Susse才是大哥大，SuSe是由德國S.u.S.E. Gmbh於五年前開始發展S.u.S.E. Linux 4.2 是其第一個Distribution，SuSe的優點在於其跟很多的資料庫大廠甲骨文以及 IBM 這類資料庫廠商達成合作夥伴關係，讓他們的資料庫產品能夠在 SuSE Linux 發行套件上面順暢地運作，因此其穩定性跟強調資料庫的特性讓其在歐洲極受歡迎，Debian」的軟體資料庫應該說是是眾家Linux中最完整的，從來源、作者、ftp、www、patch、管理者都有詳細的記錄，安裝系統也考慮的比RPM來得週到，許多的Distribution都會借用Debian系統設計的觀念，「Debian」提供「Intel」、「Alpha」、「Motorola 68K」、「Sun SPARC」等眾多版本；此外也正在對「ARM」、「MIPS」、「Sun UltraSPARC」、「GNU Hurd」、「Beowulf」做支援，不僅系統穩定支援也多，對於XWindows的支援也有它的一套。「Debian」使用族群主要在Linux的進階族群，商業氣息目前不高，銷量並不像其它Distribution那麼好，但其潛在商業價值非常地高。

OpenLinux==Caldera完全封閉極度商業化 Open Sources

唯一有在台灣設立分公司的 Linux開發公司，這個月宣佈Caldera OpenLinux 將更改為 SCO Linux powered by UnitedLinux ，Caldera Open Unix 將更改為 SCO UnixWare ，Caldera 夥伴計劃更改為 TeamSCO ，Caldera 全球服務更改為 SCO 全球服務，同時提供Linux 跟 Unix服務。
OpenLinux在台灣推廣最為積極，不僅設立公司而且跟翔威資訊還有聯成電腦合作開發認證課程合作，因此有不少的公司採用該系統，不過由於該公司採用封閉式的方式開發Open Linux所以軟體跟核心的更新速度極漫，不是很受開放性社群的歡迎，但是由於其封閉式的特性使得該公司對於核心的掌握跟軟體的穩定性提供了極佳的保障，這也是為何它是除了RedHat外賣得最好的Distribution。

Cache 50 Windows logins for better availability (快取的網域登入資訊)

2009-12-01T09:42:00.000+08:00

ref.: http://support.microsoft.com/kb/172931

快取 Windows 記憶體前一個使用者的登入資訊在本機，以便如果在更新登入嘗試時無法使用登入伺服器，它們可以登入。

快取登入資訊由下列機碼控制:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"cachedlogonscount"="0 - 50"

Virtualization - VMLite XP Mode

2009-11-25T14:06:00.000+08:00

ref.: http://www.vmlite.com/index.php/products/vmlite-xp-mode

Provides similar functions as Virtual PC and Windows XP Mode from Microsoft
No requirement for hardware-assisted virtualization, namely, it runs without VT-x or AMD-v
Provides seamless integration with host desktop to run applications from Windows XP virtual machine
Host files can be accessed from within the XP Mode virtual machine easily
Control-C/V can be used to copy files and other contexts between host and vm, between different vms.
Support 3rd party virtual machine images: VMDK, VHD, VDI, HDD
Runs on any PC with Windows XP and above as host operating systems
Highly performed, XP Mode boots in 20 seconds
Supports XP, Vista, Windows 7, 2003 server, 2008 server as guest, for example, you can run Windows 7 on XP to have similar integration features
Supports Virtual Application Mode - if you start a vm application from host Start menu, this program is launched within a special context, called "Virtual Application Mode", where My Documents, My Desktop, and other special shell folders will be redirected to the host. For example, if you launch XP Mode Word from host Start menu, you will see green borders, and when you save a new document to My Documents, it will be actually saved to your host My Documents folder.

Ubuntu pppoe dialup problem with Network Manager

2009-11-07T13:44:00.001+08:00

Step1: ensure eth is ready
Step2: >sudo service network-manager stop
Step3: >sudo pppoeconf
Step4(optional): add nameserver to /etc/resolv.conf

Mozilla Firefox & Thunderbird remove master password

2009-11-03T17:25:00.001+08:00

Method 1: Go to Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\xxxxxxx.default and rename key3.db to key3.db.bak

Method 2: run the url chrome://pippki/content/resetpassword.xul and press the reset buttom.
For thunderbird, you can evaluate the url in Tools>Error console.

IDS vs. IPS Explained

2009-10-01T16:01:00.001+08:00

Layered security is the key to protecting any size network, and for most companies, that means deploying both intrusion detection systems (IDS) and intrusion prevention systems (IPS). When it comes to IPS and IDS, it?s not a question of which technology to add to your security infrastructure ? both are required for maximum protection against malicious traffic. In fact, vendors are increasingly combining the two technologies into a single box.

IDS
At its most basic, an IDS device is passive, watching packets of data traverse the network from a monitoring port, comparing the traffic to configured rules, and setting off an alarm if it detects anything suspicious. An IDS can detect several types of malicious traffic that would slip by a typical firewall, including network attacks against services, data-driven attacks on applications, host-based attacks like unauthorized logins, and malware like viruses, Trojan horses, and worms. Most IDS products use several methods to detect threats, usually signature-based detection, anomaly-based detection, and stateful protocol analysis.

IPS
At its most basic, an IPS has all the features of a good IDS, but can also stop malicious traffic from invading the enterprise. Unlike an IDS, an IPS sits inline with traffic flows on a network, actively shutting down attempted attacks as they?re sent over the wire. It can stop the attack by terminating the network connection or user session originating the attack, by blocking access to the target from the user account, IP address, or other attribute associated with that attacker, or by blocking all access to the targeted host, service, or application.

In addition, an IPS can respond to a detected threat in two other ways. It can reconfigure other security controls, such as a firewall or router, to block an attack. Some IPS devices can even apply patches if the host has particular vulnerabilities. In addition, some IPS can remove the malicious contents of an attack to mitigate the packets, perhaps deleting an infected attachment from an email before forwarding the email to the user.

Setup Openssl + freeRADIUS

2009-09-29T10:34:00.000+08:00

Openssl Ceritification Step

1. Create ca certification by openssl
#cd /etc/ssl/
#/usr/lib/ssl/misc/CA.pl -newca -- ubuntu directory
or
#/usr/share/ssl/misc/CA.pl -newca -- opensuse directory

CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
..........................++++++
..........++++++
writing new private key to './CA/private/cakey.pem'
Enter PEM pass phrase: 12345
Verifying - Enter PEM pass phrase: 12345
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taipei
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:QMI
Organizational Unit Name (eg, section) []:DQA
Common Name (eg, YOUR name) []:rootca
Email Address []:bryan.yu@qmitw.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: don't need to input
An optional company name []: don't need to input
Using configuration from /usr/lib/ssl/openssl.cnf
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: 12345

Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
91:23:c3:97:8a:c5:d8:e5
Validity
Not Before: Mar 17 14:38:09 2008 GMT
Not After : Mar 17 14:38:09 2011 GMT
Subject:
countryName = TW
stateOrProvinceName = LinKou
organizationName = QMI
organizationalUnitName = DQA
commonName = rootca
emailAddress = bryan.yu@qmitw.com
X509v3 extensions:
X509v3 Subject Key Identifier:
FF:DA:F6:63:4E:6F:20:16:85:BC:CE:E4:6E:EA:17:48:B5:DE:87:25
X509v3 Authority Key Identifier:
keyid:FF:DA:F6:63:4E:6F:20:16:85:BC:CE:E4:6E:EA:17:48:B5:DE:87:25
DirName:/C=TW/ST=LinKou/O=QMI/OU=DQA/CN=rootca/emailAddress=
bryan.yu@qmitw.com
serial:91:23:C3:97:8A:C5:D8:E5

X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Mar 17 14:38:09 2011 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

2. Let's start to create a server certificate signing request using OpenSSL's req command:

#openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf

3. Next step, let's use our CA key to sign the request by using OpenSSL's ca command:

#openssl ca -config ./openssl.cnf -policy policy_anything -out server_cert.pem -infiles ./server_req.pem

4. Open your signed certificate with the text editor ( example: vi ) of your choice and delete everything before the line -----BEGIN CERTIFICATE-----. Concatenate it and your key into a single file, like this:

#cat server_key.pem server_cert.pem > server_keycert.pem

5. We need to create a client certificate signing request now. The OpenSSL command to do this is similar to that used to create server certificates:

#openssl req -new -keyout client_key.pem -out client_req.pem -days 730 -config ./openssl.cnf

6. Next step -- we sign the client certificate's signing request:

#openssl ca -config ./openssl.cnf -policy policy_anything -out client_cert.pem -infiles ./client_req.pem

7. If your certificate is to be used by Windows XP or Vista client, you need to do one more step.
You need to convert the certificate file(s) to a PKCS12-format file, with this command:

#openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts

8. Before we dive into FreeRADIUS' configuration files, we need to create two files that FreeRADIUS must have in order to use TLS. The first is a Diffie-Hellman parameters file, or dh file, which is used for negotiating TLS session keys. To create a dh file, issue this command:

#openssl dhparam -check -text -5 512 -out dh

9. The second file you need is a data file that contains a random bitstream that also is used in TLS operations. Do not simply stick the current timestamp or any other similarly nonrandom string into a file called random, as is suggested in at least one WPA procedure I've seen on the Internet. Rather, use the kernel's high-quality random number generator. Run this command:

#dd if=/dev/urandom of=random count=2

FreeRadius Configuration Step

1. Check permission of radius directory and then modify parameter what you need in radiusd.conf
#cd /etc/raddb/
#vi radiusd.conf

2. Changes in eap.conf

eap {
default_eap_type = tls
tls {
# The following parameters tell radiusd where to
# find its certs and keys, plus dh & random files:
private_key_password = 12345
private_key_file = /etc/ssl/server_keycert.pem
certificate_file = /etc/ssl/server_keycert.pem
CA_file = /etc/ssl/CA/cacert.pem
dh_file = /etc/ssl/dh
random_file = /etc/ssl/random
}
}

3. Access Point Entry in clients.conf

client 192.168.1.1/32 {
secret = 12345678
shortname = test ap
}

Configuring Windows XP Clients Step

And that brings us to configuring a Windows XP wireless client to use your newly WPA-enabled access point. This being a Linux magazine, I'm not going to describe this process in painstaking detail-for that you can see section 4.3 of Ken Roser's HOWTO, listed in the on-line Resources. In summary, you need to:

1. Run the command mmc from Start --> Run

2. In Microsoft Management Console, select File?Add/Remove Snap-in, add the Certificates snap-in and set it to manage certificates for My user account and, on the next screen, only for the Local computer.

3. Copy your CA (cacert.pem) certificate to your Windows system's hard drive, for example, to C:\cacert.pem.

4. From within MMC, expand Console Root and Certificates - Current User and right-click on Trusted Root Certification Authorities. In the pop-up menu, select All Tasks-->Import. Tell the subsequent wizard to import the file C:\cacert.pem and to store it in Trusted Root Certification Authorities.

5. Copy your client certificate/key file to your Windows system, for example, to C:\client_cert.p12.

6. From within MMC?Console Root?Certificates, expand Personal and right-click on Certificates. In the pop-up menu, select All Tasks-->Import. Tell the subsequent wizard to import the file C:\client_cert.p12.

7. The certificate-import wizard then prompts you for the certificate's passphrase. In the same dialog, it offers the option to enable strong private key protection. Unfortunately, enabling this breaks WPA, so be sure to leave this option unchecked. Also, leave the option to mark this key as exportable unchecked--you're better off backing up the password-protected file you just imported rather than allowing the imported nonprotected version to be exportable.

RADIUS Issues

2009-09-24T23:17:00.000+08:00

Response authenticator based Shared Secret Attack
Attacker observes a valid access request packet and the associated return packet(access-accept/access-reject packet), then launch offline exhaustive attack on the shared secret.
They can guess shared secret by pre-compute MD5(Code+ID+length+RequestAuth+Attributes) and resume the hash once.

User-Password Attribute Based Shared Secret Attack

Attacker observes the traffic and try to authenticate to client with a known password, and capture the resulting Access-Request packet and XOR the User-password attribute with the password they provided to client. This results in the value of MD5(S+RA). RA is known in the client request packet, so attacker can launch offline exhaustive attack to get shared secret.

User-Password Based Password Attack
As the previous attack method, attacker can get the value of MD5(S+RA), and replay the modified access request packet as pretending a client. If server dosen't impose user based rate limits, this will allow the attacker to get the correct password.

Request Authenticator Based Attacks
The security of RADIUS depends on the generation of the RA(Request Authenticator) field, but a lot of implementations using poor PRNG(pseudo random number generation) to generate the RA. If the client uses a PRNG that repeats values (or has a short cycle), the protocol ceases to provide the intended level of protection.

These attacks require the attacker to cause client to produce a particular identifier value. An attacker can insert a series of extra requests to the client, forcing the desired identifier. Even if the identifier were not generated in a readily attackable way, it would still only increase the work factor by 256 times.

Passive User-Password Compromise Through Repeated Request Authenticator
Build dictionary RA--User Password Attribure
If the attacker can sniff the traffic between the RADIUS client and the RADIUS server, they can passively produce a dictionary of Request Authenticators, and the associated (protected) User-Password attributes. If the attacker observes a repeated Request Authenticator, they can remove any influence of the Shared Secret from the first 16 octets of the passwords by XORing the first 16 octets of the protected passwords together. This yields the first 16 octets of the two (now unprotected) user passwords XORed together.

Active User-Password Compromise through Repeated Request Authenticators
Build dictionary RA--MD(S+RA)
Attacker authenticate many times using known passwords and intercept the generated Access-Request packets, extracting the RA and user-password attribute. Then XOR the known password with user-password attribute and be left with the MD5(S+RA) value. Finally, the attacker generates a dictionary of RA and associated MD5(S+RA) value.
Attacker can use this dictionary(RA--MD(S+RA)) to recover the first 16 octets from the protected region of the user password, since c1=p1 XOR MD5(S+RA).

Replay of Server Responses through Repeated Request Authenticators

Using dictionary RA--ID--associate server response

Attacker observe the client request, check RA and ID from the dictionary, then pretend as server the return the associate response to client.

DOS arising from the prediction of the Request Authenticators
Build dictionary predict RA values and associated server response, then response the client's valid request with access-reject packets, implement DOS.

RADIUS authentication procedure

2009-09-24T12:34:00.000+08:00

RADIUS packet is below (from the RFC):

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                         Authenticator                         |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-

The code establishes the type of RADIUS packet. The codes are:

Value	Description
1	Access-Request
2	Access-Accept
3	Access-Reject
4	Accounting-Request
5	Accounting-Response
11	Access-Challenge
12	Status-Server (experimental)
13	Status-Client (experimental)
255	Reserved

The identifier is a one octet value that allows the RADIUS client to match a RADIUS response with the correct outstanding request. it is usually implemented as a simple counter that is incremented for each request.
The attributes section is where an arbitrary number of attribute fields are stored. The only pertinent attributes for this discussion are the User-Name and User-Password attributes.

Initial client processing

The client creates an Access-Request RADIUS packet, including at least the User-Name and User-Password attributes.

The Access-Request packet's identifier field is generated by the client.

The Access-Request packet contains a 16 octet Request Authenticator in the authenticator field. This Request authenticator is a randomly chosen 16 octet string.

This packet is completely unprotected, except for the User-Password attribute, which is protected as follows:

c1 = p1 XOR MD5(S + RA)
c2 = p2 XOR MD5(S + c1)
.
.
.
cn = pn XOR MD5(S + cn-1)

The User-Password attribute contains c1+c2+...+cn, Where + denotes concatenation.

Here S is shared secret in server or client, RA is psuedo-random 128bit request authenticator, p1,p2 and so on is 16 octet block by breaking the password

Server processing

Extract the username and password using the same shared secret
Validate the account
Compute response authenticator which is MD5(code+ID+Length+RequestAuth+Attribute+secret), and send back the response packet to client

The server receives the RADIUS Access-Request packet and verifies the packet with shared secret first, it can go through a slightly modified version of the client's protection process on the User-Password attribute and obtain the unprotected password. It then uses its authentication database to validate the username and password. If the password is valid, the server creates an Access-Accept packet to send back to the client, otherwise, send back with Access-Reject packet. Both the Access-Accept packet and the Access-Reject packet use the same identifier value from the client's Access-Request packet, and put a Response Authenticator in the Authenticator field. The response authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)

Client post processing

Match ID
Compute the Response Authenticator as the server performed
Check the code field for the result

When the client receives a response packet, it attempts to match it with an outstanding request using the identifier field, then verifies the Response Authenticator by performing the same Response Authenticator calculation the server performed, and then comparing the result with the Authenticator field.

If the client received a verified Access-Accept packet, the username and password are considered to be correct, and the user is authenticated.

Linux - Ubuntu general shortcut

2009-09-22T21:36:00.000+08:00

General keyboard shortcuts

Ctrl+A = Select all (In Documents, Firefox, Nautilus, etc, not Terminal)
Ctrl+C = Copy (In Documents, Firefox, Nautilus, etc, not Terminal)
Ctrl+V = Paste (In Documents, Firefox, Nautilus, etc, not Terminal)

Ctrl+N = New (Create a new document, not in terminal)
Ctrl+O = Open (Open a document, not in terminal)
Ctrl+S = Save (Save the current document, not in terminal)
Ctrl+P = Print (Print the current document, not in terminal)

Ctrl+E = Send To... (Send the current document to an email recipient or remote location, not in terminal)
Ctrl+W = Close (Close the current document, not in terminal)
Ctrl+Q = Quit (Quit the application, not in terminal)

Ctrl + Alt + F1 = Switch to the first virtual terminal
Ctrl + Alt + F2(F3)(F4)(F5)(F6) = Select the different virtual terminals
Ctrl + Alt + F7 = Switch to current terminal session with X

Ctrl+Alt++ = Switch to next X resolution (Depends of your X configuration)
Ctrl+Alt+- = Switch to previous X resolution (Depends of your X configuration)

Ctrl + Alt + Backspace = Kill X server

Alt+Tab = Switch between open programs
Printscrn = Print sreen

Command line / Terminal shortcuts

Ctrl+C = Kill process (Kill the current process in terminal, also used to copy elsewhere)
Ctrl+Z = Send process to background
Ctrl+D = Log out from the current terminal. In X, this may log you out after a shuting down the emulator.

Ctrl+A = Home (Move cursor to beginning of line)
Ctrl+E = End (Move cursor to end of line)
Tab = List available commands from typed letters (Ex: type iw and click tab, output = iwconfig iwevent iwgetid iwlist iwpriv iwspy)

Ctrl+U = Delete current line
Ctrl+K = Delete current line from cursor
Ctrl+W = Delete word before cursor in terminal (Terminal only, also used to close the current document elsewhere)

Arrows up and down = Browse command history
Ctrl+R = History search (Finds the last command matching the letters you type)

Shift+PageUp / PageDown = Scroll terminal output
Ctrl+L = Clears terminal output
Shift+insert = Paste

Create a custom keyboard shortcut
Method1:
shell>sudo apt-get install xbindkeys
shell>sudo apt-get install xbindkeys-config
shell>xbindkeys
shell>xbindkeys-config

Method2:
Using metacity (the default GNOME window manager)

1- Open GConf editor (Applications -> System Tools -> Configuration Editor), go to apps -> metacity -> keybinding_commands, and now choose a command, for my example I choose command_1. Edit command_1 writing xkill in order to run xkill (or every command you want to launch like in a terminal).

2- In the same directory go to global_keybindings. Edit command_1 (or the command you choose in part 1) with the wanted shortcut like that : a (to use the windows key just edit the field with Super_L)

ref.:
http://ubuntuforums.org/showthread.php?t=50794
http://ubuntuforums.org/showthread.php?t=79560

OSPF

2009-09-20T22:18:00.000+08:00

1. Hello - Hello packets are used to establish and maintain adjacency with other OSPF routers. The hello protocol is discussed in detail in the next topic.

2. DBD - The Database Description (DBD) packet contains an abbreviated list of the sending router's link-state database and is used by receiving routers to check against the local link-state database.

3. LSR - Receiving routers can then request more information about any entry in the DBD by sending a Link-State Request (LSR).

4. LSU - Link-State Update (LSU) packets are used to reply to LSRs as well as to announce new information. LSUs contain seven different types of Link-State Advertisements (LSAs). LSUs and LSAs are briefly discussed in a later topic.

5. LSAck - When an LSU is received, the router sends a Link-State Acknowledgement (LSAck) to confirm receipt of the LSU.

OSPF router initial procedure

Sending Hello packets on all OSPF-enabled interfaces to determine if there are any neighbors on those links. OSPF Hello packets are sent as multicast to an address reserved for ALLSPFRouters at 224.0.0.5 (By default, OSPF Hello packets are sent every 10 seconds on multiaccess and point-to-point segments and every 30 seconds on non-broadcast multiaccess (NBMA) segments (Frame Relay, X.25, ATM). )
Before two routers can form an OSPF neighbor adjacency, they must agree on three values: Hello interval, Dead interval, and network type.
Send Link-state updates (LSUs) to advertise routing information. An LSU packet can contain 11 different types of Link-State Advertisements (LSAs).

LSA type: 1 Router LSAs
type 2 Network LSAs
type 3 or 4 Summary LSAs
type 5 Autonomous System Extrenal LSAs
type 6 Multicast OSPF LSAs
type 7 Defined for Not-So-Stubby Areas
type 8 External Attributes LSA for BGP
type 9,10,11 Opaque LSAs

Each OSPF router maintains a link-state database containing the LSAs received from all other routers. Once a router has received all of LSAs and built its local link-state database.
OSPF uses Dijkstra's shortest path first (SPF) algorithm to create an SPF tree.
The SPF tree is then used to populate the IP routing table with the best paths to each network.

Eigrp - what happens after network command is issued

2009-09-16T23:07:00.000+08:00

Here is EIGRP message

As soon as you configure network command on eigrp, following things happen in the given order:

Step 1. Hellos are sent.

Step 2. Receive Update.

Step 3. Run the dual and install the best route for the network learned in 2nd step.

Step 4. Send update about that interface.

An important observation here is that first of all, the above 4 steps are executed for directly connected networks.

You must be knowing this..i guess..

But notice their order..

Suppose there are two routers R1 and R2 connected via a serial link

Suppose there is a fast ethernet on each of the router R1 and R2..

Let the serial interfaces be named as R1S and R2S.

Let the fast ethernet interfaces be named as R1F and R2F

So R1 and R2 are connected via R1S and R2S...

As soon as u configure the network command, following things happen on Router R1..

a) Hello sent to R1F

b) Received update from R1F about that network

c) Run Dual and calculate the best path with the available data and feasible successor for the network learnt in step b. Enter the successor in routing table.

So you see, although local networks are already in the routing table, yet DUAL recalculates the best path and recreate the routing table with that network ..

d) Send update about network of R1F

"" At this stage ROUTING TABLE IS CREATED ( With one fastethernet network )...although Hellos are YET TO BESENT TO serial interface R1S. """

e) Hello sent to R1S

f) Received update from R1S about that network

g) Run Dual and calculate the best path and feasible successor for the network learnt in step f. Enter the successor in routing table.

h) Send update about network of R1S

After the above steps, neighbour adjancency is established with R2 if all the parameters are okay..

SO IT MEANS HELLOS ARE NOT IMMEDIATELY SENT ON ALL THE APPROPRIATE INTERFACES..

It is sent on one interface and then above 4 steps get executed in the above order.

Then hello is sent on 2nd interface and then again above 4 steps get executed in the given order.

Similar process goes on for the other interfaces that are enabled for receiving and sending EIGRP updates.

So routing table is created (though it is not complete) BEFORE hellos are sent out all the appropriate interfaces.

ref.:https://cisco.hosted.jivesoftware.com/message/5596

Sample IPTABLES configuration for workstation

2009-09-16T00:32:00.000+08:00

# /etc/sysconfig/iptables
#
# IPTABLES sample config file for workstation
#
# Make sure you fix the appropriate <IPADDR> sections below, and add
# duplicate entries as necessary (with different IPADDR's of course)

# created by Bryan Cardillo
# modified by Daniel Widyono

# default policy - deny
#
# allow unrestricted icmp (should be tightened)
# allow in/out dns to name servers
# allow in/out ntp to ntp servers
# allow unrestricted ssh out
# allow ssh in from designated hosts
# allow unrestricted in/out from internal interfaces
# allow amanda server to contact and backup local filesystems
# allow http, https access out
# allow lpr client out
# allow ftp client out

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]



# LOGGING / DEBUGGING
-N accept-n-log
-A accept-n-log -j LOG --log-level 4 --log-prefix "accept-n-log:"
-A accept-n-log -j ACCEPT
-N drop-n-log
-A drop-n-log -j LOG --log-level 4 --log-prefix "drop-n-log:"
-A drop-n-log -j DROP



# internal interfaces
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT



# all outgoing
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT



# icmp
-A INPUT -p icmp -j ACCEPT



# ssh client
-A INPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT



# http client
-A INPUT -p tcp -m tcp --sport http --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport https --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport webcache --dport 1024: -m state --state ESTABLISHED -j ACCEPT



# lpr client
-A INPUT -p tcp -m tcp --sport printer -m state --state ESTABLISHED -j ACCEPT



# ftp client (active and passive)
-A INPUT  -p tcp -m tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
-A INPUT  -p tcp -m tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT  -p tcp -m tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT


# IMAP+SSL
-A INPUT  -p tcp -m tcp --sport imaps -m state --state ESTABLISHED -j ACCEPT


# auth service (identd), for tcp_wrapper'ed services which insist on checking
# Note: it might be possible to just have -A INPUT -j DENY instead, haven't
# tried that yet
-A INPUT  -p tcp -m tcp --dport auth  -m state --state NEW,ESTABLISHED -j ACCEPT


# Outbound SMTP / e-mail
-A INPUT  -p tcp -m tcp --sport smtp  -m state --state ESTABLISHED -j ACCEPT


# ntp client
# These entries need to match /etc/ntp.conf server entries (see also
# the restrict entries in ntp.conf if you are restricting all by default)
-A INPUT -s <IPADDR> -p udp -m udp --sport 123 -j ACCEPT



# dns client
# These entries need to match /etc/resolv.conf nameserver entries (if you
# use DHCP, you'll need to modify /etc/init.d/iptables to dynamically create
# these entries, or else open port 53 to a range of IP addresses)
-A INPUT -s <IPADDR> -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT



# amanda client (Yuck! This should be cleaned up and debugged some more)
-A INPUT -s <IPADDR> -p udp -m udp --dport amanda -j ACCEPT
-A INPUT -s <IPADDR> -p tcp -m tcp --dport 1024: -j ACCEPT
# debug any straggling issues
-A INPUT -s <IPADDR> -j accept-n-log
-A OUTPUT -d <IPADDR> -p udp -j accept-n-log



# rsync client (not typically needed, but just another simple example)
# -A INPUT -p tcp -m tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT



# ssh server (one entry for each allowable client/subnet)
-A INPUT -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -j LOG --log-prefix "iptables(ssh connection): "
-A INPUT -s <IPADDR> -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT



# http server (Obviously commented out by default)
# -A INPUT -p tcp -m tcp --sport 1024: --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
# -A INPUT -p tcp -m tcp --sport 1024: --dport https -m state --state NEW,ESTABLISHED -j ACCEPT
# -A INPUT -p tcp -m tcp --sport 1024: --dport webcache -m state --state NEW,ESTABLISHED -j ACCEPT



# smtp server (Obviously commented out by default)
# -A INPUT -p tcp -m tcp --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
# -A INPUT -p tcp -m tcp --sport auth -m state --state ESTABLISHED -j ACCEPT



# debugging (or to help add new services / clients)
# -A INPUT -m state --state ESTABLISHED,RELATED -j accept-n-log
# -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j accept-n-log



# debugging (or to find stray virii / rider programs)
# -A OUTPUT -p tcp -j drop-n-log

ref.:http://www.liniac.upenn.edu/sysadmin/security/iptables.html

RIP Timers

2009-09-12T18:59:00.000+08:00

RIP uses four different kinds of timers to regulate its performance:

Route update timer   Sets the interval (typically 30 seconds) between periodic routing updates
in which the router sends a complete copy of its routing table out to all neighbors.

Route invalid timer   Determines the length of time that must elapse (180 seconds) before a
router determines that a route has become invalid. It will come to this conclusion if it hasn’t
heard any updates about a particular route for that period. When that happens, the router will
send out updates to all its neighbors letting them know that the route is invalid.

Holddown timer   This sets the amount of time during which routing information is sup-
pressed. Routes will enter into the holddown state when an update packet is received that indi-
cated the route is unreachable. This continues either until an update packet is received with a
better metric or until the holddown timer expires. The default is 180 seconds.

Route flush timer   Sets the time between a route becoming invalid and its removal from the
routing table (240 seconds). Before it’s removed from the table, the router notifies its neigh-
bors of that route’s impending demise. The value of the route invalid timer must be less than
that of the route flush timer. This gives the router enough time to tell its neighbors about the
invalid route before the local routing table is updated.

ref.: Cisco Certified Network Associate Study Guide

Virtual(portable) desktop for XP - using MojoPAC

2009-09-11T11:00:00.001+08:00

Installation:
Step 1: go to the site http://www.mojopac.com/ and download mojopac
Step 2: When install the mojopac, you can select the locatation(C:, D: or removable USB) to install the virtual XP

When you finish the installation, you can find the mojo.exe, execute it to launch your virtual XP.
If you installed to other location, you can copy whole mojo directory to usb drive or other pc, so that you not need to install again.

Cisco router password recovery

2009-09-09T22:38:00.000+08:00

step 1: press Ctrl+Break once the router boot up

step 2:
rommon 1>confreg 0x2142
rommon 2>reset

======================================================
remark:
0x2000 is boot default ROM software
0x0040 is ignore NVRAM
the last 2 is to specifies default boot file name

Router default register is 0x2102, you can check it by "sh version"

Ubuntu 9.04 on intel GMA500 configuration

2009-09-09T21:57:00.000+08:00

sudo apt-get update
sudo apt-get dist-upgrade

sudo vi /etc/apt/sources.list.d/ubuntu-mobile.list
deb http://ppa.launchpad.net/ubuntu-mobile/ppa/ubuntu jaunty main
deb-src http://ppa.launchpad.net/ubuntu-mobile/ppa/ubuntu jaunty main
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C6598A30
Now that your Ubuntu-Mobile Key is added do the Following.

The Following Packages need to be Installed Most are Dependences.
* psb-firmware - Binary firmware for the Poulsbo (psb) 3D X11 driver
* psb-modules - Kernel module built for -generic or -lpia kernel
* psb-kernel-source - Kernel module for the Poulsbo (psb) 2D X11 driver
* psb-kernel-headers - Kernel module headers for the Poulsbo (psb) 2D X11 driver
* xpsb-glx - X11 drivers for Poulsbo (psb) 3D acceleration
* poulsbo-driver-3d - Metapackage for the 3D Poulsbo (psb) X11 driver.
* poulsbo-driver-2d - Metapackage for the 2D Poulsbo (psb) X11 driver.

sudo apt-get update
sudo apt-get install poulsbo-driver-2d poulsbo-driver-3d psb-firmware
sudo apt-get install psb-kernel-source

sudo cp /etc/X11/xorg.conf /etc/X11/xorg.conf.bak

sudo vi /etc/X11/xorg.conf

############################
Section "Monitor"
Identifier "Configured Monitor"
EndSection

Section "Screen"
Identifier "Default Screen"
Monitor "Configured Monitor"
Device "Configured Video Device"
EndSection

Section "Device"
Identifier "Configured Video Device"
Option "AccelMethod" "EXA"
#Option "DRI" "off"
Option "IgnoreACPI" "yes"
Option "MigrationHeuristic" "greedy"
EndSection

Section "ServerFlags"
Option "DontZap" "False"
EndSection
##########################

Ray's IT notes

CA management - tinyca

Juniper screen OS debug transaction flow

RHEL6 disable ipv6

Delete comment using grep

use esxcli kill stunk vm in ESXi 4.1

Delete comment using grep

Samba join domain win2008 + squid authentication with ntlm_auth

EtherChannel config

Desktop enhancement - Macubuntu

Free accounting system - Features | GnuCash

Many many icons - NounProject

Extending LVM disks in Linux using Vmware virtual disks

vmware esx update command

Using Local Group Policy Editor for security issue

Improve VMware Console Mouse Experience with Windows Server 2008

vmware-vmrc example

VM migrate with vSphere client

Creating a DVD Slideshow Using Imagination

Windows Server Domain and Forest Functional Levels

ICMP Security Failures Messages

Install X server via YUM on Redhat/CentOS

Migrate user accounts from linux server to another linux server

Linux delete large number files (argument list too large when using rm)

Online Diagram Software

Data Recovery with Linux

Full backup NTFS partition using Linux

Ubuntu Document search

Tomcat5 + Apache on Centos

Clamav install with yum in Centos

Apache htaccess Digest Authentication config

Apache+SSL in Centos

Apache htaccess simple config

vmware remote console on firefox 3.6.x problem

Windows startup no desktop screen -- explorer.exe don't startup

sql 2008 server express installation fail - Performance counter registry hive consistency

Ubuntu 內的千千靜聽 － amarok

Debian/Ubuntu inter-vlan configuration

iptables in NAT (MASQUERADE, SNAT, DNAT)

iptables general configuration

vsftpd simple config

Install a VNC Server in Ubuntu

No Password login - SSH

Step 1: Create public and private keys using ssh-key-gen on local-host

Step 2: Copy the public key to remote-host using ssh-copy-id

Step 3: Login to remote-host without entering the password

ref.: http://www.thegeekstuff.com/2008/11/3-steps-to-perform-ssh-login-without-password-using-ssh-keygen-ssh-copy-id/

Apache+SSL in Debian Quick Setup

Simple logrotate - make your log file archieve

Journaled quota

Journaled quota

RPM command example

Recommended application and installation for new Ubuntu user

Linux - Compression and Uncompression Example

Change process priority - nice and renice

Checking system status

Linux command - cut, sed, awk

ps aux 各欄位的意義

Fine tune your VM - Extend vm disk size in Linux

Fedora 12 enable root login in GUI

editor - vi

Basic file management commands

Linux simple shell commands

Linux Bootup Process

Linux的各種Distribution分析

Cache 50 Windows logins for better availability (快取的網域登入資訊)

Virtualization - VMLite XP Mode

Ubuntu pppoe dialup problem with Network Manager

Mozilla Firefox & Thunderbird remove master password

IDS vs. IPS Explained

Setup Openssl + freeRADIUS

RADIUS Issues

RADIUS authentication procedure

Linux - Ubuntu general shortcut

OSPF

Eigrp - what happens after network command is issued

Sample IPTABLES configuration for workstation

# LOGGING / DEBUGGING

# internal interfaces

# all outgoing

Ubuntu 內的千千靜聽－ amarok

# auth service (identd), for tcp_wrapper'ed services which insist on checking
# Note: it might be possible to just have -A INPUT -j DENY instead, haven't
# tried that yet

# ntp client
# These entries need to match /etc/ntp.conf server entries (see also
# the restrict entries in ntp.conf if you are restricting all by default)

# dns client
# These entries need to match /etc/resolv.conf nameserver entries (if you
# use DHCP, you'll need to modify /etc/init.d/iptables to dynamically create
# these entries, or else open port 53 to a range of IP addresses)