LinuxHelps.com

A blog for Linux Lovers.

Archive for the ‘Linux Administration’ Category

Posted by sibu on February 8, 2012

Verify certificates using the openssl command

If you need to check the information within a certificate, CSR or private key, you can use the following commands:

  • Check a Certificate Signing Request (CSR)

openssl req -text -noout -verify -in CSR.csr

  • Check a private key

openssl rsa -in privateKey.key -check

  • Check a certificate

openssl x509 -in certificate.crt -text -noout

  • Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in keyStore.p12

Debugging Using OpenSSL

If you are receiving an error that the private key doesn't match the certificate, or that a certificate you installed on a site is not trusted, try one of these commands:

  • Compare an MD5 hash of the public-key modulus to ensure that the certificate matches the CSR or the private key

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5

  • Check the chain a live server presents; all the certificates (including intermediates) should be displayed

openssl s_client -connect www.paypal.com:443
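The modulus comparison above is easy to get wrong by eye (two long MD5 strings that differ in one character). The script below is an added example, not part of the original post: it wraps the post's three modulus commands in a function that reports `match` or `MISMATCH`, treats an unreadable file as a mismatch rather than a silent match, and generates its own throwaway key, certificate and CSR (constructed test material, `example.test` is a made-up name) so it can be run without touching real credentials.

```shell
#!/bin/sh
# Added example, not from the original post: automate the modulus comparison
# the post describes, so a mismatched certificate/CSR/private key is reported
# instead of eyeballed. File names are whatever the caller passes in.

# modulus_hash FILE KIND  (KIND is x509, req or rsa, as in the post's commands)
# Prints the MD5 of the public-key modulus, or nothing if openssl cannot read FILE.
modulus_hash() {
    if mod=$(openssl "$2" -noout -modulus -in "$1" 2>/dev/null); then
        printf '%s\n' "$mod" | openssl md5 | awk '{print $NF}'
    fi
}

# modulus_match FILE_A KIND_A FILE_B KIND_B -> prints "match" or "MISMATCH"
# An unreadable or non-RSA file yields an empty hash and therefore a MISMATCH,
# so two broken inputs can never "match" each other.
modulus_match() {
    a=$(modulus_hash "$1" "$2")
    b=$(modulus_hash "$3" "$4")
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

# make_test_material DIR: constructed throwaway material for a demo run
# (a self-signed cert with its key, a CSR made from that key, and an
# unrelated key that must NOT match).
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=example.test -days 1 \
        -keyout "$1/good.key" -out "$1/good.crt" >/dev/null 2>&1
    openssl req -new -key "$1/good.key" -subj /CN=example.test \
        -out "$1/good.csr" >/dev/null 2>&1
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
}

# Demo run on the constructed material.
dir=$(mktemp -d)
make_test_material "$dir"
echo "cert vs key:       $(modulus_match "$dir/good.crt" x509 "$dir/good.key"  rsa)"
echo "csr  vs key:       $(modulus_match "$dir/good.csr" req  "$dir/good.key"  rsa)"
echo "cert vs other key: $(modulus_match "$dir/good.crt" x509 "$dir/other.key" rsa)"
rm -rf "$dir"
```

The `-modulus` trick only works for RSA keys; for EC or Ed25519 material compare the public keys instead (`openssl pkey -in key -pubout` against `openssl x509 -in cert -pubkey -noout`). For the chain check, `openssl s_client -connect host:443 -showcerts` prints every certificate the server sends, which makes a missing intermediate obvious.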

Posted by sibu on June 28, 2009

How to Reset a Linux Box root password.

If the Linux box is protected with a root password only:

Do a hard reboot on the machine and press 'e' to edit the boot line when you get the GRUB menu. Scroll down to the line which starts with kernel and hit 'e' again to edit it, add 'single' (without quotes) at the end and hit Enter. Now use 'b' to boot; you will get single-user mode, from where you can change the server root password.

If the Linux box is protected with a password for single-user mode:

Some systems require the root password to boot into 'single' mode. In that case, try to edit the GRUB boot line and add 'init=/bin/bash' at the end of the kernel line. You will be dropped into a bash shell instead of init.

Now you may want to remount the root partition read/write:

mount -o remount,rw /

Then reset the password.

If GRUB is protected with a password, then try booting from a LiveCD and open a root shell. Execute fdisk -l to show the available disk partitions. Mount the root partition on /mnt:

mount -o rw /dev/hda1 /mnt

Make sure that you mount the root partition. Next, make this partition your root directory using the following command:

chroot /mnt

Now try to change the root password using passwd command.

Posted by sibu on May 24, 2009

Changing the time zone in Linux

Change Time Zone

1. Logged in as root, check which timezone your machine is currently using by executing `date`. You'll see something like Mon 17 Jan 2005 12:15:08 PM PST; PST in this case is the current timezone.

2. Change to the directory /usr/share/zoneinfo, where you will find a list of time zone regions. Choose the most appropriate region; if you live in Canada or the US this is the "America" directory.

3. If you wish, back up the previous timezone configuration by moving it to a different location, such as:
mv /etc/localtime /etc/localtime-old

4. Create a symbolic link from the appropriate timezone to /etc/localtime. Example:
ln -s /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime

5. If you have the rdate utility, update the current system time by executing:
/usr/bin/rdate -s time.nist.gov

6. Set the ZONE entry in the file /etc/sysconfig/clock (e.g. ZONE="America/Los_Angeles").

7. Set the hardware clock by executing:
/sbin/hwclock --systohc
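Steps 2 to 4 and 6 above are the part that goes wrong most often (a typo in the zone name leaves /etc/localtime pointing at nothing). The function below is an added example, not from the original post: it performs those steps in one go, refuses a zone name that does not exist under /usr/share/zoneinfo or that tries to escape it with `..` or an absolute path, and accepts an optional root prefix so it can be tried against a scratch directory tree (the `make_scratch_root` helper builds such a tree with empty stand-in zone files; both are constructed for the demo).

```shell
#!/bin/sh
# Added example, not from the original post: carry out steps 2-4 and 6 of the
# procedure above as one function. ROOT is an optional prefix (default "/")
# so the function can be exercised against a scratch directory instead of
# the live system.

# set_timezone ZONE [ROOT] -> 0 on success, 1 on a bad zone name
set_timezone() {
    zone=$1
    root=${2:-}
    zi="$root/usr/share/zoneinfo/$zone"

    # Only a plain Region/City name is acceptable: an absolute path or a ".."
    # component would let /etc/localtime point outside the zoneinfo tree.
    case "$zone" in
        ''|/*|*..*) echo "set_timezone: invalid zone name '$zone'" >&2; return 1 ;;
    esac
    if [ ! -f "$zi" ]; then
        echo "set_timezone: no such zone file: $zi" >&2
        return 1
    fi

    # Step 3: keep the previous configuration if there is one
    # (-L catches a dangling symlink, which -e alone would miss).
    if [ -L "$root/etc/localtime" ] || [ -e "$root/etc/localtime" ]; then
        mv "$root/etc/localtime" "$root/etc/localtime-old"
    fi
    # Step 4: link the chosen zone to /etc/localtime.
    ln -s "/usr/share/zoneinfo/$zone" "$root/etc/localtime"
    # Step 6: record the zone for tools that read /etc/sysconfig/clock.
    mkdir -p "$root/etc/sysconfig"
    printf 'ZONE="%s"\n' "$zone" > "$root/etc/sysconfig/clock"
    return 0
}

# current_zone [ROOT] -> prints the zone /etc/localtime currently links to
current_zone() {
    root=${1:-}
    readlink "$root/etc/localtime" | sed 's|.*/zoneinfo/||'
}

# make_scratch_root DIR: constructed tree with two empty stand-in zone files
# and a pre-existing /etc/localtime, so the demo never touches the real host.
make_scratch_root() {
    mkdir -p "$1/usr/share/zoneinfo/Europe" "$1/usr/share/zoneinfo/America" "$1/etc"
    : > "$1/usr/share/zoneinfo/Europe/Amsterdam"
    : > "$1/usr/share/zoneinfo/America/Los_Angeles"
    ln -s /usr/share/zoneinfo/America/Los_Angeles "$1/etc/localtime"
}

# Demo run against a scratch root.
scratch=$(mktemp -d)
make_scratch_root "$scratch"
echo "before: $(current_zone "$scratch")"
set_timezone Europe/Amsterdam "$scratch"
echo "after:  $(current_zone "$scratch")"
set_timezone Mars/Olympus "$scratch" || echo "rejected bad zone, as intended"
rm -rf "$scratch"
```

Run it as root with no second argument to change the live system, then finish with steps 5 and 7 (rdate/ntp and `hwclock --systohc`) as described above.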

How to Change Date and Time

You can change the date and time on a Linux machine using the date command.
E.g. if you want to change the date to July 31, 11:16 pm, type:

date 07312316

If you want to change the year as well, you could type:

date 073123161998

You can also use the following:

date -s "31 JULY 1998 23:16:00"

Posted by sibu on May 24, 2009

Disable SELinux for only Apache / httpd in Linux

You can disable Apache's SELinux protection easily. Please keep in mind that by disabling SELinux for Apache you are inviting more security-related problems.

Disable Apache SELinux Protection

Open /etc/selinux/targeted/booleans file using a text editor:
# vi /etc/selinux/targeted/booleans
Append or modify value for httpd_disable_trans as follows:
httpd_disable_trans=1

Save and close the file.

Type the following two commands:
# setsebool httpd_disable_trans 1
# /etc/init.d/httpd restart

GUI tool to disable SELinux for Apache

Open a shell prompt and type the command system-config-securitylevel:
system-config-securitylevel &
Next select the SELinux tab > tick the "Disable SELinux protection for httpd daemon" checkbox > save the changes.
Finally restart httpd service:
# /etc/init.d/httpd restart
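Whichever route you take, check afterwards what the boolean actually did to the running server: with httpd_disable_trans on, httpd no longer transitions into the confined httpd_t domain and keeps the context it was started from, which `ps -eZ` makes visible. The script below is an added example, not from the original post: two small filters over `getsebool -a` and `ps -eZ` output. The `ps` and `getsebool` lines embedded in it are constructed samples in the real output format; on a live host pipe the real commands in instead.

```shell
#!/bin/sh
# Added example, not from the original post: confirm whether httpd is still
# confined by SELinux after the boolean change above.

# unconfined_httpd: reads `ps -eZ`-style lines on stdin and prints the PIDs of
# httpd processes whose SELinux type is anything other than httpd_t.
unconfined_httpd() {
    awk '$NF == "httpd" && $1 !~ /:httpd_t(:|$)/ { print $2 }'
}

# getsebool_state NAME: reads `getsebool -a`-style lines on stdin and prints
# "on"/"off" for NAME, or "unknown" if the boolean is not listed at all.
getsebool_state() {
    awk -v name="$1" '$1 == name { print $3; found = 1 }
                      END { if (!found) print "unknown" }'
}

# Constructed sample of `ps -eZ` on a host where the transition is disabled:
# httpd runs as initrc_t, i.e. effectively unconfined under the targeted policy.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:initrc_t:s0    2210 ?        00:00:00 httpd
system_u:system_r:initrc_t:s0    2211 ?        00:00:00 httpd
system_u:system_r:sshd_t:s0      1450 ?        00:00:00 sshd'

# Constructed sample of `getsebool -a` output:
SAMPLE_BOOLS='httpd_disable_trans --> on
httpd_enable_cgi --> off'

# Demo run over the samples; on a real host use:
#   getsebool -a | getsebool_state httpd_disable_trans
#   ps -eZ       | unconfined_httpd
echo "httpd_disable_trans: $(printf '%s\n' "$SAMPLE_BOOLS" | getsebool_state httpd_disable_trans)"
echo "unconfined httpd PIDs:"
printf '%s\n' "$SAMPLE_PS" | unconfined_httpd
```

If `unconfined_httpd` prints anything while you believe SELinux is protecting Apache, the web server is running without the httpd_t confinement, which is exactly the state this post's procedure creates.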

Posted by sibu on May 24, 2009

Difference between 'mount' and 'mount -a'

There is a slight difference between the commands "mount" and "mount -a".

1. When you type "mount", it displays the contents of the file "/etc/mtab".

For example,

# mount
/dev/sda5 on / type ext3 (rw,usrquota)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
usbfs on /proc/bus/usb type usbfs (rw)
/dev/sda1 on /boot type ext3 (rw)
none on /dev/shm type tmpfs (rw)
/dev/sda7 on /home type ext3 (rw,usrquota)
/dev/sda8 on /tmp type ext3 (rw,noexec,nosuid)
/dev/sda3 on /usr type ext3 (rw,usrquota)
/dev/sda2 on /var type ext3 (rw,usrquota)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
/tmp on /var/tmp type none (rw,noexec,nosuid,bind)

The content of the file "/etc/mtab" is:

# cat /etc/mtab
/dev/sda5 / ext3 rw,usrquota 0 0
none /proc proc rw 0 0
none /sys sysfs rw 0 0
none /dev/pts devpts rw,gid=5,mode=620 0 0
usbfs /proc/bus/usb usbfs rw 0 0
/dev/sda1 /boot ext3 rw 0 0
none /dev/shm tmpfs rw 0 0
/dev/sda7 /home ext3 rw,usrquota 0 0
/dev/sda8 /tmp ext3 rw,noexec,nosuid 0 0
/dev/sda3 /usr ext3 rw,usrquota 0 0
/dev/sda2 /var ext3 rw,usrquota 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw 0 0
/tmp /var/tmp none rw,noexec,nosuid,bind 0 0

2. When you type the command "mount -a", it mounts the filesystems listed in the file "/etc/fstab".

# cat /etc/fstab

# This file is edited by fstab-sync - see 'man fstab-sync' for details
LABEL=/ / ext3 defaults,usrquota 1 1
LABEL=/boot /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /dev/shm tmpfs defaults 0 0
LABEL=/home /home ext3 defaults,usrquota 1 2
none /proc proc defaults 0 0
none /sys sysfs defaults 0 0
LABEL=/tmp /tmp ext3 defaults 1 2
LABEL=/usr /usr ext3 defaults,usrquota 1 2
LABEL=/var /var ext3 defaults,usrquota 1 2
LABEL=SWAP-sda6 swap swap pri=0,defaults 0 0

Note: the file "/etc/mtab" lists what is currently mounted, including temporary mounts such as a USB drive, whereas "/etc/fstab" lists the partitions configured to be mounted on the server.
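Putting the two files side by side answers two practical questions: which fstab entries `mount -a` would still mount, and which mount options are active now but not written into fstab (and would therefore vanish at the next reboot). The script below is an added example, not from the original post. Its sample fstab and mtab are constructed from the listings above, with one extra fstab line (`/data`) and a `noauto` CD-ROM entry added so there is something to report; note that in the listings above /tmp is mounted `noexec,nosuid` although fstab only says `defaults`, which the second function flags.

```shell
#!/bin/sh
# Added example, not from the original post: compare /etc/fstab with /etc/mtab.
# Both are matched by mount point, because fstab names devices by LABEL=
# while mtab shows the resolved device node.

# pending_mounts FSTAB MTAB -> prints mount points that `mount -a` would mount:
# listed in FSTAB, not swap, not noauto, and absent from MTAB.
pending_mounts() {
    awk '
        /^#/ || NF < 4 { next }
        FILENAME == ARGV[1] { mounted[$2] = 1; next }        # mtab is read first
        $3 != "swap" && $4 !~ /(^|,)noauto(,|$)/ && !($2 in mounted) { print $2 }
    ' "$2" "$1"
}

# hardening_drift FSTAB MTAB -> prints "MOUNTPOINT OPTION" for each noexec,
# nosuid or nodev that is active in MTAB but not written in FSTAB, i.e. a
# protection that was applied by hand and will be lost on reboot.
hardening_drift() {
    awk '
        function has(opts, o) { return opts ~ ("(^|,)" o "(,|$)") }
        /^#/ || NF < 4 { next }
        FILENAME == ARGV[1] { fstab_opts[$2] = $4; next }     # fstab is read first
        ($2 in fstab_opts) {
            n = split("noexec nosuid nodev", want, " ")
            for (i = 1; i <= n; i++)
                if (has($4, want[i]) && !has(fstab_opts[$2], want[i])) print $2, want[i]
        }
    ' "$1" "$2"
}

# make_samples DIR: constructed fstab/mtab based on the listings in the post,
# plus a /data entry and a noauto CD-ROM entry for the demo.
make_samples() {
    cat > "$1/fstab" <<'EOF'
# This file is edited by fstab-sync - see 'man fstab-sync' for details
LABEL=/ / ext3 defaults,usrquota 1 1
LABEL=/boot /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /dev/shm tmpfs defaults 0 0
LABEL=/home /home ext3 defaults,usrquota 1 2
none /proc proc defaults 0 0
none /sys sysfs defaults 0 0
LABEL=/tmp /tmp ext3 defaults 1 2
LABEL=/usr /usr ext3 defaults,usrquota 1 2
LABEL=/var /var ext3 defaults,usrquota 1 2
LABEL=SWAP-sda6 swap swap pri=0,defaults 0 0
LABEL=/data /data ext3 defaults 1 2
/dev/cdrom /media/cdrom iso9660 ro,noauto 0 0
EOF
    cat > "$1/mtab" <<'EOF'
/dev/sda5 / ext3 rw,usrquota 0 0
none /proc proc rw 0 0
none /sys sysfs rw 0 0
none /dev/pts devpts rw,gid=5,mode=620 0 0
usbfs /proc/bus/usb usbfs rw 0 0
/dev/sda1 /boot ext3 rw 0 0
none /dev/shm tmpfs rw 0 0
/dev/sda7 /home ext3 rw,usrquota 0 0
/dev/sda8 /tmp ext3 rw,noexec,nosuid 0 0
/dev/sda3 /usr ext3 rw,usrquota 0 0
/dev/sda2 /var ext3 rw,usrquota 0 0
/tmp /var/tmp none rw,noexec,nosuid,bind 0 0
EOF
}

# Demo run on the constructed samples; on a live host pass /etc/fstab /etc/mtab.
d=$(mktemp -d)
make_samples "$d"
echo "would be mounted by mount -a:"
pending_mounts "$d/fstab" "$d/mtab"
echo "hardening options active now but missing from fstab:"
hardening_drift "$d/fstab" "$d/mtab"
rm -rf "$d"
```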

Posted by sibu on May 24, 2009

Core Dump Files

A core file is created when a program terminates unexpectedly, due to a bug or a violation of the operating system's or hardware's protection mechanisms. The operating system kills the program and creates a core file that programmers can use to figure out what went wrong. It contains a detailed description of the state that the program was in when it died.

If you would like to determine which program a core file came from, use the file command, like this:

$ file core

That will tell you the name of the program that produced the core dump. You may want to write to the maintainer(s) of the program, telling them that their program dumped core.

To enable or disable core dumps you must use the ulimit command in bash, the limit command in tcsh, or the rlimit command in ksh. See the appropriate manual page for details. This setting affects all programs run from the shell (directly or indirectly), not the whole system. If you wish to enable or disable core dumping for all processes by default, you can change the default setting in /usr/include/linux/sched.h. Refer to the definition of INIT_TASK, and look also in /usr/include/linux/resource.h. PAM support optimizes the system's environment, including the amount of memory a user is allowed. In some distributions this parameter is configurable in the /etc/security/limits.conf file.

Whether or not the operating system creates core files is controlled by the ulimit command. To see the current ulimit setting for core files, do the following:

#ulimit -c
0

or
#ulimit -a
core file size (blocks, -c) 1000000
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
pending signals (-i) 1024
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 4096
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 14335
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited

If you don't want core files at all, set "ulimit -c 0" in your startup files. That's the default on many systems; in /etc/profile you may find

ulimit -S -c 0 > /dev/null 2>&1

If you DO want core files, you need to reset that in your own .bash_profile:

ulimit -c 50000

would allow core files but limit them to 50,000 bytes.

The ulimit command sets limits on the resources available to the bash shell. The -c parameter controls the size of core files. The value 0 indicates that core files are not created. To enable core file creation, increase the size limit of core files to a number greater than zero. For example:

#ulimit -c 50000

You may also check in the file /etc/csh.cshrc for the following:

limit coredumpsize 0

This will limit the size of the largest core dump that will be created to 0 bytes.

But the most important step is as follows:

First, comment out (prefix with #) the following line in /etc/profile:

ulimit -S -c 0 > /dev/null 2>&1

Then in the file /etc/security/limits.conf , add the following line:

root soft core 10000

as you can see below:

#
#

#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
root soft core 10000

Instead of root we can give any user, such as juni, junitha etc. We will have to either reboot or log off for these changes to take effect. Only if we comment out that line in /etc/profile can we change these.

You have more control of core files in /proc/sys/kernel/

For example, you can eliminate the PID that gets tagged on by

echo 0 > /proc/sys/kernel/core_uses_pid

Core files will then just be named "core". People do this so that a user can choose to put a non-writable file named "core" in directories where they don't want core dumps generated. That could be a directory (mkdir core) or a file (touch core; chmod 000 core). One way to limit core file generation is to create a directory called "core" with 000 permissions in the directory in which you expect a core dump to occur.
But perhaps more interesting is that you can do:

mkdir /tmp/corefiles
chmod 777 /tmp/corefiles
echo "/tmp/corefiles/core" > /proc/sys/kernel/core_pattern

All core files then get written to /tmp/corefiles (don't change core_uses_pid if you do this).

Test this with a simple script:

# script that dumps core
kill -s SIGSEGV $$
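The interaction between core_pattern and core_uses_pid is what decides whether successive dumps overwrite each other, which is why the post says not to clear core_uses_pid once the pattern is a fixed path. The function below is an added example, not from the original post: it applies the naming rules from core(5) (%p, %e, %u, %t and %% are expanded; a trailing or unknown % specifier is dropped; a leading | means the dump is piped to a helper; with core_uses_pid=1 and no %p in the pattern, .PID is appended) so you can predict the file name for a given setting without crashing anything. The PID, executable name, UID and timestamp are parameters; the values used in the demo (1234, myprog) are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: predict where the kernel would
# write a core file for a given core_pattern / core_uses_pid setting.

# core_path PATTERN USES_PID PID EXE UID TIMESTAMP -> prints the resulting name
core_path() {
    pattern=$1 uses_pid=$2 pid=$3 exe=$4 uid=$5 ts=$6
    case "$pattern" in
        '|'*) printf 'piped to handler: %s\n' "${pattern#|}"; return 0 ;;
    esac
    printf '%s\n' "$pattern" | awk -v pid="$pid" -v exe="$exe" -v uid="$uid" \
                                   -v ts="$ts" -v uses_pid="$uses_pid" '
    {
        out = ""; seen_p = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c != "%") { out = out c; continue }
            if (i == length($0)) break          # a trailing % is dropped
            i++; s = substr($0, i, 1)
            if      (s == "p") { out = out pid; seen_p = 1 }
            else if (s == "e") out = out exe
            else if (s == "u") out = out uid
            else if (s == "t") out = out ts
            else if (s == "%") out = out "%"
            # any other specifier is dropped, as core(5) documents
        }
        if (uses_pid == 1 && !seen_p) out = out "." pid
        print out
    }'
}

# Demo: the two settings discussed in the post, plus explicit specifiers.
for setting in "core 0" "core 1" "/tmp/corefiles/core 1" "core.%e.%p 1" \
               "/var/crash/core-%u-%t 0"; do
    set -- $setting
    printf '%-28s core_uses_pid=%s -> %s\n' "$1" "$2" "$(core_path "$1" "$2" 1234 myprog 1000 1700000000)"
done
core_path '|/usr/lib/systemd/systemd-coredump %P' 1 1234 myprog 1000 1700000000
```

Two things worth keeping in mind when you point core_pattern at a shared directory: the post's own description says a core file holds the program's full state, so it can contain whatever passwords or keys the process had in memory, and a directory that every user can enter and list is not where that belongs (a root-owned directory, or per-user subdirectories, is safer than chmod 777). Current distributions usually set core_pattern to a pipe into a handler such as systemd-coredump, in which case the echo into core_uses_pid has no effect on naming.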

Posted by sibu on May 24, 2009

Error: Maximum file limit has been reached

Many times we get an error saying that the maximum number of files that can be opened has reached its limit. In order to resolve this, log in as root on your server and edit the file /etc/sysctl.conf:

vi /etc/sysctl.conf

Add a line such as:

fs.file-max = 22992

Save and exit from the file.

In order to apply these changes, run the command:

# sysctl -p

This will increase the maximum number of open files for your system.
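Before raising fs.file-max it helps to know how close the system actually is to it, and the edit itself should not leave duplicate lines behind when it is repeated. The script below is an added example, not from the original post: it reads the three numbers in /proc/sys/fs/file-nr (allocated handles, free handles, current maximum) to report usage as a percentage, and rewrites or appends the fs.file-max line in a sysctl file idempotently. The file-nr line and sysctl file used in the demo are constructed; on a live host pass `$(cat /proc/sys/fs/file-nr)` and /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example, not from the original post: measure open-file usage against
# fs.file-max and update sysctl.conf without creating duplicate entries.

# file_handle_usage "ALLOC FREE MAX" -> prints "IN_USE MAX PERCENT"
# (the three fields are the format of /proc/sys/fs/file-nr)
file_handle_usage() {
    set -- $1
    in_use=$(( $1 - $2 ))
    echo "$in_use $3 $(( in_use * 100 / $3 ))"
}

# file_handle_warn "ALLOC FREE MAX" THRESHOLD_PERCENT -> prints "warn" or "ok"
file_handle_warn() {
    pct=$(file_handle_usage "$1" | awk '{print $3}')
    [ "$pct" -ge "$2" ] && echo warn || echo ok
}

# set_sysctl_line FILE KEY VALUE: replace an existing "KEY = ..." line in FILE
# or append one, so running the procedure twice never leaves two fs.file-max
# lines (sysctl would silently use the last one).
set_sysctl_line() {
    [ -f "$1" ] || : > "$1"
    tmp="$1.tmp.$$"
    awk -v key="$2" -v val="$3" '
        $0 ~ ("^[ \t]*" key "[ \t]*=") { print key " = " val; done = 1; next }
        { print }
        END { if (!done) print key " = " val }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Demo on constructed data.
SAMPLE_FILE_NR='22060 0 22992'          # constructed; near the post's 22992 limit
echo "in_use max percent: $(file_handle_usage "$SAMPLE_FILE_NR")"
echo "status at 90% threshold: $(file_handle_warn "$SAMPLE_FILE_NR" 90)"
conf=$(mktemp)
printf 'net.ipv4.ip_forward = 0\nfs.file-max = 8192\n' > "$conf"
set_sysctl_line "$conf" fs.file-max 22992
cat "$conf"
rm -f "$conf"
```

After the edit, `sysctl -p` applies the file as the post says; `cat /proc/sys/fs/file-max` confirms the kernel picked the new value up.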

Posted by sibu on March 10, 2009

Rebuilding Rpmdb

Getting the following error while running up2date:

rpmdb: Program version 4.2 doesn’t match environment version
error: db4 error(22) from dbenv->open: Invalid argument
error: cannot open Packages index using db3 - Invalid argument (22)
error: cannot open Packages database in /var/lib/rpm

Steps to resolve

1. Check for processes holding the rpm database open (usually in MUTEX/FUTEX states):

lsof | grep /var/lib/rpm

If it finds any, kill -9 them all.

2. Delete any temporary DB files:

rm -fv /var/lib/rpm/__*

3. Rebuild your RPM database:

rpm --rebuilddb -v -v

If you still have problems, a reboot is probably quickest, then repeat steps 2 and 3 above.

Posted by sibu on March 10, 2009

Wild card DNS

Edit httpd.conf and go to the user's entry.

EG:

ServerAlias domainname *.domainname.com

Change to:

ServerAlias domainname.com *.domainname.com

Edit the DNS Zone for the domain in question and add the following.

* CNAME domain.com.

Edit the /var/name/domain.com.db zone file and add the following:

* IN A x.x.x.x

Replace 'x.x.x.x' with the correct IP. (The wildcard DNS entry can also be a CNAME record pointing to the domain name.)

You then need to edit the httpd.conf file and change the ‘ServerName’ directive to the domain name (without the ‘www’ in front) and change the ‘ServerAlias’ directive to *.domain.com. Save and restart Apache.

To test, ping asdflkj.domain.com; you should get an IP response.

Posted by sibu on March 10, 2009

Screen Command

Using the screen command we can run multiple full-screen pseudo-terminals from one real terminal, manipulate and save screen input and output, copy and paste between windows, etc.

1) Create a screen using the command:
#screen -S sibu

2) Close the shell without logging out

3) Open a new shell

4) Type screen -ls

[root@cochin1 ~]# screen -ls
There are screens on:
16921.123sn (Dead ???)
3981.name (Attached)
5002.sibu (Attached)

Remove dead screens with 'screen -wipe'.
3 Sockets in /tmp/screens/S-root.

5) You can log back in to that screen using the command screen -r 'screen name'

[root@cochin1 ~]# screen -r 5002.sibu
There is a screen on:
5002.sibu (Attached)