test

2008.03.22 04:49

rsync

Rsync updates only the files that have changed, and even then transfers only the parts of those files that have changed. That makes it useful for saving bandwidth when backing up over the network. For safety, the transfer between two machines is done over SSH. Rsync is especially good for backing up home directories.

The command for transferring to a remote machine is:

sudo rsync --delete -azvv -e ssh /home remoteuser@remotehost.remotedomain:./backupdirectory

- -z compresses the data.
- --delete deletes files on the destination that no longer exist on the system being backed up. Maybe you want this, maybe not.
- -a preserves the dates and times of the files (same as -t), descends recursively into all directories (same as -r), copies symlinks as symlinks (same as -l), preserves file permissions (same as -p), preserves groups (same as -g), preserves file ownership (same as -o), and preserves devices as devices (same as -D).
- -vv increases the verbosity of the reporting.

Allowing other users to run sudo

To add a new user to sudo, open the Users and Groups tool from the System --> Administration menu. Click on the user, then on Properties, and choose the User Privileges tab. In that tab, tick "Executing system administration tasks".

In the terminal this would be: sudo adduser $user admin, where you replace $user with the name of the user.


Please leave a comment:: netiquette is a given, spam is not welcome

In the lab I needed proxy ARP for an experiment. The router software we had been using can do it, but for a performance comparison against real Linux I needed the Linux kernel's own proxy ARP feature.

It turns out to be surprisingly simple.

Pick the NIC that needs proxy ARP and write 1 to /proc/sys/net/ipv4/conf/eth#/proxy_arp. The default is 0.


  1. 2008.01.04 22:04  This pig, hmph hmph!!!
  2. 2008.01.23 19:52  dhgkgkgkgkgkgkgkgk

When a Samba server is installed on Linux and the share is mounted from Windows,

files with Korean (Hangul) names created on Linux sometimes cannot be read on Windows, and files with Korean names created on Windows sometimes cannot be read on Linux.

In that case the Samba configuration has to be adjusted to match the encoding the Linux system uses.

If the Linux system uses eucKR:
system is eucKR
unix charset    = CP949
dos  charset    = CP949
display charset = CP949

If the Linux system uses UTF-8:
system is utf-8
unix charset    = UTF-8
dos  charset    = CP949
display charset = UTF-8

Now let's use UTF-8 on Linux!!


kernel vga option table

Colours  | 640x400 | 640x480 | 800x600 | 1024x768 | 1152x864 | 1280x1024 | 1600x1200
---------+---------+---------+---------+----------+----------+-----------+----------
4 bits   |    ?    |    ?    |   770   |    ?     |    ?     |     ?     |    ?
8 bits   |   768   |   769   |   771   |   773    |   353    |    775    |   796
15 bits  |    ?    |   784   |   787   |   790    |   354    |    793    |   797
16 bits  |    ?    |   758   |   788   |   791    |   355    |    794    |   798
24 bits  |    ?    |   786   |   789   |   792    |    ?     |    795    |   799
32 bits  |    ?    |    ?    |    ?    |    ?     |   356    |     ?     |


Ubuntu Kernel Compile

1. Install the required packages.
$ sudo apt-get install build-essential kernel-package ssh cvs ncurses*

2. Download the kernel source.

3. Unpack it into /usr/src.

$ cd /usr/src/LINUXDIR
$ patch -p0 -b < /usr/src/click/etc/PATCHFILE

4. Configure the kernel options. From the top of the kernel source tree:
$ sudo make menuconfig

5. Compile the kernel. From the top of the kernel source tree:
$ sudo make-kpkg --append-to-version="???" --revision="????" --initrd buildpackage
Here ??? is a string that sets this kernel apart from other kernels, or prevents name clashes.
???? is the revision number (?); if you leave it out it defaults to Custom-10.0.0 (probably).

6. The packages should now have appeared in /usr/src. Install the ones you need.
$ sudo dpkg -i "something you want"

7. Reboot... haha

If you get a kernel panic, find the cause and recompile.
Good luck~~


SSH Root Login

This is not a major issue, as even OpenBSD ships with root login permitted (though the documentation suggests removing it), and Ubuntu does not enable the root account by default. However, in many environments it is standard procedure to create a root account, even if it is never used. If a root account has been created and you are running sshd, edit /etc/ssh/sshd_config and set the PermitRootLogin directive to:

PermitRootLogin no

"su" program available to non-admin users

This is not a problem in itself, but if there are accounts with weak passwords on the system, malicious non-admin users (or malicious software they are running) might use su to gain access to those accounts. To deny non-admin users access to "su", type this in a terminal:

sudo chown root:admin /bin/su
sudo chmod 04750 /bin/su

Instructions

Create a new file with your favourite text editor: Ubuntu/Gnome users can use gedit, Kubuntu/KDE users can use Kate, and various other editors are available from the command line. Name the file apt-security-updates and place it in the directory /etc/cron.weekly/. Enter the following text into the apt-security-updates file:

#! /bin/sh
echo "**************" >> /var/log/apt-security-updates
date >> /var/log/apt-security-updates
aptitude update >> /var/log/apt-security-updates
aptitude upgrade -o Aptitude::Delete-Unused=false --assume-yes --target-release dapper-security >> /var/log/apt-security-updates
echo "Security updates (if any) installed"

Depending on your Ubuntu release, replace "dapper" with your release, for example "edgy".

Once you are done, make the file executable for root by typing the following on the command line/terminal:

sudo chmod u=rwx,g=rx,o=rx /etc/cron.weekly/apt-security-updates

Debian Linux Server Security Checklist

File System Security

There are certain files whose presence in the Linux file system can present a security risk and should be remedied as soon as possible.

When the SUID (set user ID) or SGID (set group ID) bit is set on an executable, that program runs with the UID or GID of the file's owner rather than of the user executing it. This means that every executable with the SUID bit set that is owned by root runs with root's UID. This is a security risk and should be minimized unless the program is designed with this risk in mind.

To find all files on your file system that have the SUID or SGID bit set, execute:

# find / -path /proc -prune -o -type f -perm /6000 -ls

It is good practice to generate a list of SUID or SGID files on your server as soon as possible, and re-run the above command on a regular basis to ensure new binaries with unsafe permissions are not being added to your server.
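One way to put the "generate a list, then re-run regularly" advice into practice is to keep the first run as a baseline and diff later runs against it. This is an added example, not part of the original checklist; it is exercised on a constructed directory tree so it runs as a normal user, and on a real host ROOT would be "/".

```shell
#!/bin/sh
# Added example, not from the original post: snapshot the SUID/SGID files on a
# host into a baseline and report anything that later appears outside it.
# The demo tree below is constructed data; on a real host ROOT would be "/"
# and the baseline would be kept somewhere the host cannot rewrite.

# list_setid ROOT: sorted list of regular files below ROOT with the SUID or
# SGID bit set, skipping ROOT/proc just as the find command above does.
list_setid() {
    top=${1%/}                        # "/" becomes "" so /proc is spelled right
    find "${top:-/}" -path "$top/proc" -prune -o -type f -perm /6000 -print \
        2>/dev/null | sort
}

# setid_delta BASELINE ROOT: set-id files under ROOT that are not listed in
# BASELINE (a file written by list_setid). Empty output means nothing new.
setid_delta() {
    list_setid "$2" | comm -13 "$1" -
}

# make_tree DIR: constructed demo tree with one SUID and one SGID binary.
make_tree() {
    mkdir -p "$1/bin" "$1/usr/bin"
    : > "$1/bin/su_demo";        chmod 4755 "$1/bin/su_demo"        # SUID
    : > "$1/usr/bin/wall_demo";  chmod 2755 "$1/usr/bin/wall_demo"  # SGID
    : > "$1/usr/bin/plain";      chmod 0755 "$1/usr/bin/plain"      # neither
}

# demo: take a baseline, drop in a new SUID file, print what the delta catches.
demo() {
    root=$(mktemp -d)
    make_tree "$root"
    list_setid "$root" > "$root.baseline"
    : > "$root/usr/bin/new_setuid"; chmod 4755 "$root/usr/bin/new_setuid"
    setid_delta "$root.baseline" "$root"    # prints only .../usr/bin/new_setuid
    rm -rf "$root" "$root.baseline"
}

demo
```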

World-writable files are a security risk as well: anyone can modify a world-writable file, and anyone can add or delete files in a world-writable directory.

To find all world-writable files and directories, execute:

# find / -path /proc -prune -o -perm -2 ! -type l -ls

Another file permission issue is files not owned by any user or group. While this is not technically a security vulnerability, an audited system should not contain any unowned files. This prevents the situation where a new user is assigned a previous user's UID and thereby becomes the owner of all the previous user's leftover files.

To find all files that are not owned by any user or group, execute:

# find / -path /proc -prune -o \( -nouser -o -nogroup \) -ls

Network Security

To get a list of listening network ports, run the following:

# netstat -tulp

Disable any ports that are not necessary. To do so, kill the PID shown by netstat. The only port that your server must be listening on is SSH (22/tcp). Other ports that will need to be listening depend upon the specific purpose of your dedicated server. Note that by killing the PID of the process you are not preventing your server from starting the same service again on bootup. To disable services, see below.

In order to see what programs your server is launching on startup, execute the following:

# chkconfig --list | grep on (Red Hat systems)

# ls -l /etc/rc2.d/S* | cut -d/ -f6 (Debian systems)

This command shows you which programs are to be executed in which run levels. In Red Hat, full multiuser mode is run level 3. To disable a service permanently, issue the following:

# chkconfig <service_name> off

To disable any service in Debian, simply execute the following:

# rm -f /etc/rc2.d/S*<service_name>

Please note that the above commands do not actually disable the service, they simply prevent the service from being executed on startup.

User Security

The first thing you should take stock of is the users with unlocked accounts. Users with unlocked accounts are allowed to log in if they are assigned a valid shell, and should be kept to a minimum.

To get a list of unlocked users, execute the following:

# egrep -v '.*:\*|:!' /etc/shadow | awk -F: '{print $1}'

If you do not recognize any user returned by the above command, check to see if that user owns any files by executing:

# find / -path /proc -prune -o -user <user_name> -ls

If the user does not own any files, or files that will not hinder the stability of your server, delete the user by executing:

# userdel -r <user_name>
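The egrep above looks only at /etc/shadow, but the text's own condition is "unlocked AND assigned a valid shell". The following added example (not part of the original checklist) combines shadow, passwd and /etc/shells so that locked accounts and nologin shells drop out while an empty password field, which the egrep also lets through, is still reported; it runs on constructed copies of the three files, and on a real host you would pass /etc/shadow /etc/passwd /etc/shells.

```shell
#!/bin/sh
# Added example, not from the original post: list accounts that can actually
# log in, i.e. an unlocked shadow entry AND a shell listed in /etc/shells.
# An empty password field is not locked (no password needed), so it is kept.
# The three files written below are constructed data, not a real host's.

# login_capable SHADOW PASSWD SHELLS: print "user shell" for each account whose
# shadow field does not start with '*' or '!' and whose shell is in SHELLS.
login_capable() {
    awk -F: '
        FILENAME == ARGV[1] { if ($2 !~ /^[!*]/) unlocked[$1] = 1; next }
        FILENAME == ARGV[2] { if ($0 ~ /^\//) shells[$0] = 1; next }
        ($1 in unlocked) && ($7 in shells) { print $1, $7 }
    ' "$1" "$3" "$2"
}

# write_samples DIR: constructed shadow, passwd and shells files.
write_samples() {
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hashvalue:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
backup:!:17000:0:99999:7:::
alice:$6$constructed$otherhash:17000:0:99999:7:::
svc:!!:17000:0:99999:7:::
dave:$6$constructed$thirdhash:17000:0:99999:7:::
guest::17000:0:99999:7:::
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:999:999::/var/lib/svc:/bin/sh
dave:x:1001:1001::/home/dave:/usr/sbin/nologin
guest:x:1002:1002::/home/guest:/bin/sh
EOF
    cat > "$1/shells" <<'EOF'
# /etc/shells: valid login shells (constructed)
/bin/sh
/bin/bash
EOF
}

d=$(mktemp -d); write_samples "$d"
login_capable "$d/shadow" "$d/passwd" "$d/shells"   # root, alice and guest
rm -rf "$d"
```

dave is unlocked but has /usr/sbin/nologin, so he is not reported; guest has no password at all and is.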

TCP/IP Hardening

All of the following lines and values should be added to the file /etc/sysctl.conf if you want to enable or disable the feature mentioned. You will need to restart your system for these changes to take effect.

- TCP SYN cookie protection: net.ipv4.tcp_syncookies = 1
- Disable IP source routing: net.ipv4.conf.all.accept_source_route = 0
- Disable ICMP redirect acceptance: net.ipv4.conf.all.accept_redirects = 0
- IP spoofing protection: net.ipv4.conf.all.rp_filter = 1
- Ignore broadcast requests: net.ipv4.icmp_echo_ignore_broadcasts = 1
- Bad error message protection: net.ipv4.icmp_ignore_bogus_error_responses = 1
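A settings list is only useful if you can check that the file still matches it. The following added script (not part of the original checklist) audits a sysctl.conf-style file against the six values above, honouring comments, "key = value" spacing and last-assignment-wins; it is run here on a constructed file, and on a real host you would pass /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example, not from the original post: check a sysctl.conf-style file for
# the six hardening settings listed above and report what is missing or wrong.
# The sample file written below is constructed data, not a real host's config.

# Expected key=value pairs (no spaces, so the for loop splits on newlines).
EXPECTED='net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1'

# effective_value FILE KEY: the last uncommented assignment of KEY in FILE,
# with "key = value" spacing normalised; prints nothing if KEY is absent.
effective_value() {
    sed -e 's/[#;].*//' -e 's/[[:space:]]//g' "$1" |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# audit_sysctl FILE: one line per finding ("MISSING key" or "WRONG key=have");
# prints nothing when every expected setting is present with the right value.
audit_sysctl() {
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(effective_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"
        elif [ "$have" != "$want" ]; then
            echo "WRONG   $key=$have (want $want)"
        fi
    done
}

# write_sample FILE: constructed sysctl.conf with one wrong and one missing entry.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's configuration
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1    # wrong: redirects still accepted
# net.ipv4.conf.all.rp_filter = 1         # commented out, so missing
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses = 1
EOF
}

f=$(mktemp); write_sample "$f"; audit_sysctl "$f"; rm -f "$f"
```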

System Security

One of the most important things you can do to protect your server is implementing very basic access control. Access control can eliminate a majority of the risk involved in running out of date services on the Internet.

In order to implement an effective access control policy on your dedicated server, you will need the following pieces of information:

- The IP address or addresses of your Internet connection. For some, this may be one static address, while for others it is a pool of addresses. If you have more than one Internet connection, please be sure to get ALL the IP addresses you could be assigned at any time. You may need to contact your Internet Service Provider for this information.

SSH

While we do not recommend that anybody run outdated software, especially something as crucial as SSH, a not insignificant portion of the risk involved in running an outdated SSH server can be mitigated by allowing only certain IP networks to reach it.

# $IPTABLES -A INPUT -p tcp --dport 22 -s X.X.X.X/NN -j ACCEPT

The above line will allow TCP packets destined for port 22 to be accepted if and only if the source of the packets are within the network denoted in X.X.X.X/NN. If you have more than one Internet connection, or have multiple networks, simply add another line, replacing X.X.X.X/NN with the proper values.

Control Panel Software

If your server is running a control panel, you can also improve your security by implementing an access control policy on the control panel administrative port.

Plesk: $IPTABLES -A INPUT -p tcp --dport 8443 -s X.X.X.X/NN -j ACCEPT
Ensim: $IPTABLES -A INPUT -p tcp --dport 19638 -s X.X.X.X/NN -j ACCEPT
Cpanel: $IPTABLES -A INPUT -p tcp --dport 2082 -s X.X.X.X/NN -j ACCEPT

FTP Server

Another service you may want to implement an access control policy on is FTP. If you, or a small handful of people are the only allowed users to FTP into your dedicated server, then you will certainly benefit.

$IPTABLES -A INPUT -p tcp -s X.X.X.X/NN --dport 20 --syn -j ACCEPT

$IPTABLES -A INPUT -p tcp -s X.X.X.X/NN --dport 21 --syn -j ACCEPT

Note that both of the above lines must be executed for each source network.

For more information regarding the use of iptables on your Linux based dedicated server, please look over our iptables tutorial.


Boot from the Windows installation CD, choose the repair option, start the recovery console and type 'FIXMBR'; the Windows boot loader is then reinstalled into the MBR.
Source: 나우테스 on Clien (클리앙)


Converting an EUC-KR encoded document to UTF-8:
$ iconv -f euc-kr -t utf-8 file_euckr > file_utf8


find . -type f -exec perl -pi -e 's/jbdlug/jb01dlug/g' {} \;


by jinsto
