Apr 22

Almost two months after RHEL 5.4, CentOS 5.4 was released on the 21st of October. This version brings a number of changes in the virtualization area: it adds support for the KVM (Kernel-based Virtual Machine) hypervisor alongside the existing Xen hypervisor.

This release also includes many bug fixes and security updates, and should be a straightforward upgrade for users running CentOS 5.x:
yum update

For the full list of packages changed or added, see the CentOS 5.4 release notes: http://wiki.centos.org/Manuals/ReleaseNotes/CentOS5.4

Apr 06

I found a lot of these error messages in the log on my proxy server:

Jan 22 22:57:37 streams1 kernel: printk: 1 messages suppressed.
Jan 22 23:00:04 streams1 kernel: printk: 1 messages suppressed.
Jan 22 23:00:09 streams1 kernel: printk: 1 messages suppressed.
Jan 22 23:00:13 streams1 kernel: printk: 3 messages suppressed.
Jan 22 23:00:20 streams1 kernel: printk: 2 messages suppressed.
Jan 22 23:00:25 streams1 kernel: printk: 3 messages suppressed.
Jan 22 23:00:29 streams1 kernel: printk: 2 messages suppressed.
Jan 22 23:00:34 streams1 kernel: printk: 2 messages suppressed.
Jan 22 23:00:45 streams1 kernel: printk: 3 messages suppressed.

It was back to normal after I changed these kernel parameters:

1. ip_conntrack_tcp_timeout_established
echo 180 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

2. ip_conntrack_max
echo 262144 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max

3. gc_stale_time
echo 120 > /proc/sys/net/ipv4/neigh/default/gc_stale_time

4. gc_thresh1
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1

5. gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh2

6. gc_thresh3
echo 8192 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

The first two shorten how long an idle established TCP flow occupies a connection-tracking slot and raise the size of the conntrack table (a full table makes the kernel drop packets and log "table full" messages, and it is those repeated messages that the kernel's rate limiter collapses into "printk: N messages suppressed"). The last four raise the garbage-collection thresholds of the ARP/neighbour cache, which on a proxy talking to many hosts can otherwise overflow. Writing to /proc like this is lost at reboot; put the equivalent keys in /etc/sysctl.conf to make the change persistent (on RHEL 5 the ip_conntrack keys only exist once the module is loaded, so sysctl -p must run after it).
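A "messages suppressed" line only says how many kernel messages you did not see; the message that matters is the one printed just before the first suppressed line, and on a proxy the usual suspects are the two tables tuned above. The script below is an added example, not code from the original post: it reports conntrack table usage against its maximum, totals the suppressed-message counters from a log excerpt, and shows how to raise the printk burst limit briefly so the underlying messages reach dmesg. The PROCROOT argument is an assumption added so the checks can be run against a copied /proc/sys tree; the threshold and the burst value are assumptions too.

```sh
#!/bin/sh
# Added example (not from the original post): quantify what is behind
# "printk: N messages suppressed" on a busy proxy.

# Print "count max percent" for the connection-tracking table and return 1
# when usage is at or above the threshold (default 80 percent).
# $1 = root of the sysctl tree (default /proc/sys), an assumption for testing.
conntrack_usage() {
    root=${1:-/proc/sys}
    threshold=${2:-80}
    # RHEL 5-era kernels expose ip_conntrack_*, newer kernels nf_conntrack_*.
    if [ -r "$root/net/ipv4/netfilter/ip_conntrack_count" ]; then
        dir="$root/net/ipv4/netfilter"; pfx=ip_conntrack
    elif [ -r "$root/net/netfilter/nf_conntrack_count" ]; then
        dir="$root/net/netfilter"; pfx=nf_conntrack
    else
        echo "no conntrack table found under $root" >&2
        return 2
    fi
    count=$(cat "$dir/${pfx}_count")
    max=$(cat "$dir/${pfx}_max")
    pct=$((count * 100 / max))
    echo "$count $max $pct"
    [ "$pct" -lt "$threshold" ]
}

# Sum the counts from "printk: N messages suppressed" lines read on stdin,
# so you know how many messages you did not get to see.
suppressed_total() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "printk:" && $(i + 2) == "messages") n += $(i + 1) }
         END { print n + 0 }'
}

# Temporarily raise the printk burst limit so the rate-limited messages show
# up in dmesg, then put it back. Needs root; 1000 and 30 s are assumptions.
show_suppressed_messages() {
    old=$(cat /proc/sys/kernel/printk_ratelimit_burst)
    echo 1000 > /proc/sys/kernel/printk_ratelimit_burst
    sleep "${1:-30}"
    echo "$old" > /proc/sys/kernel/printk_ratelimit_burst
    dmesg | grep -v 'messages suppressed' | tail -n 20
}

# Usage on the box itself (as root):
#   conntrack_usage || echo "conntrack table under pressure, raise ip_conntrack_max"
#   grep 'messages suppressed' /var/log/messages | suppressed_total
#   show_suppressed_messages 30
```

If conntrack_usage reports a high percentage, raising ip_conntrack_max (and lowering the established timeout as in the post) is the right fix; if it is low and the messages persist, look at the neighbour table instead (ip -4 neigh | wc -l against gc_thresh3).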

Mar 18

Lately we installed additional memory in our Debian (lenny) servers and installed the 'bigmem' kernel so that our 32-bit systems recognise more than 3 GB of RAM. The bigmem kernel installations went fine on the servers that use GRUB as their boot loader, which is most of them. But one machine with LILO as its boot loader did not boot into the bigmem kernel; below is its /etc/lilo.conf.

# Boot up Linux by default.
default=Linux

image=/vmlinuz
label=Linux
read-only
# restricted
# alias=1
initrd=/initrd.img

image=/vmlinuz.old
label=LinuxOLD
read-only
optional
# restricted
# alias=2
initrd=/initrd.img.old

From this config I can't tell which kernel is the old one and which is the bigmem one. I also tried setting the default to the kernel with the "LinuxOLD" label, but it points to the same kernel (not the bigmem one). I solved the problem by modifying /etc/lilo.conf as follows:

# image=/vmlinuz
image=/boot/vmlinuz-2.6.26-2-686-bigmem
initrd=/boot/initrd.img-2.6.26-2-686-bigmem
label=Linux
read-only
# restricted
# alias=1
#initrd=/initrd.img

NOTE: After editing /etc/lilo.conf, check it with 'lilo -t' (test mode, nothing is written to disk) and then run 'lilo' to write the new boot map. Unlike GRUB, LILO does not read its config file at boot time, so an edited lilo.conf has no effect until lilo has been rerun; forgetting this is the most common reason a LILO change "doesn't work".
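The confusion above comes from /vmlinuz and /vmlinuz.old being symlinks that can end up pointing at the same kernel. The script below is an added example, not code from the original post: it resolves every image= entry in a lilo.conf so you can see which kernel each label really boots, and wraps the test-then-write sequence from the note. The optional root prefix is an assumption added so the check can be run against a copied tree; lilo -t and -C are the boot loader's own options.

```sh
#!/bin/sh
# Added example (not from the original post): see which kernel each LILO
# label really points at, then apply the config safely.

# lilo_images [CONF] [ROOT]
# Print "image -> resolved path" (or "MISSING") for every image= line,
# following symlinks such as /vmlinuz -> boot/vmlinuz-2.6.26-2-686.
# ROOT is an assumption: a directory prefix for running against a copy.
lilo_images() {
    conf=${1:-/etc/lilo.conf}
    root=${2:-}
    if [ -n "$root" ]; then
        root=$(cd "$root" && pwd -P)   # canonical, so prefix stripping works
    fi
    sed -n 's/^[[:space:]]*image[[:space:]]*=[[:space:]]*//p' "$conf" |
    while read -r img; do
        target=$(readlink -f "$root$img" 2>/dev/null)
        if [ -n "$target" ] && [ -e "$target" ]; then
            echo "$img -> ${target#$root}"
        else
            echo "$img -> MISSING"
        fi
    done
}

# Verify the config and only then write the boot map (an edited lilo.conf
# does nothing until lilo has been rerun). Needs root.
lilo_apply() {
    conf=${1:-/etc/lilo.conf}
    lilo -t -C "$conf" >/dev/null && lilo -C "$conf"
}

# Usage:
#   lilo_images                       # what does each label boot right now?
#   lilo_apply && echo "boot map written"
#   uname -r                          # after reboot: should end in -bigmem
```

Two labels resolving to the same path is exactly the situation the post ran into; the fix is to point one image= at the explicit /boot/vmlinuz-...-bigmem file, as done above, rather than at the symlink.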

Mar 17

Version:

Ubuntu Ubuntu Linux 9.10 sparc
Ubuntu Ubuntu Linux 9.10 powerpc
Ubuntu Ubuntu Linux 9.10 lpia
Ubuntu Ubuntu Linux 9.10 i386
Ubuntu Ubuntu Linux 9.10 amd64
Ubuntu Ubuntu Linux 9.04 sparc
Ubuntu Ubuntu Linux 9.04 powerpc
Ubuntu Ubuntu Linux 9.04 lpia
Ubuntu Ubuntu Linux 9.04 i386
Ubuntu Ubuntu Linux 9.04 amd64
Ubuntu Ubuntu Linux 8.10 sparc
Ubuntu Ubuntu Linux 8.10 powerpc
Ubuntu Ubuntu Linux 8.10 lpia
Ubuntu Ubuntu Linux 8.10 i386
Ubuntu Ubuntu Linux 8.10 amd64
Ubuntu Ubuntu Linux 8.04 LTS sparc
Ubuntu Ubuntu Linux 8.04 LTS powerpc
Ubuntu Ubuntu Linux 8.04 LTS lpia
Ubuntu Ubuntu Linux 8.04 LTS i386
Ubuntu Ubuntu Linux 8.04 LTS amd64
SuSE OpenOffice for Windows 0
S.u.S.E. SUSE Linux Enterprise Desktop 10 SP3
S.u.S.E. SUSE Linux Enterprise Desktop 10 SP2
S.u.S.E. SLED 11
S.u.S.E. SLE SDK 10 SP3
S.u.S.E. SLE SDK 10 SP2
S.u.S.E. SLE 11
S.u.S.E. openSUSE 11.2
S.u.S.E. openSUSE 11.1
S.u.S.E. openSUSE 11.0
S.u.S.E. Novell Linux Desktop 9
OpenOffice OpenOffice 3.1.1
OpenOffice OpenOffice 3.1
OpenOffice OpenOffice 2.4.3
OpenOffice OpenOffice 2.4.2
OpenOffice OpenOffice 2.4.1
OpenOffice OpenOffice 2.3.1
OpenOffice OpenOffice 2.3
OpenOffice OpenOffice 2.2.1
OpenOffice OpenOffice 2.2
OpenOffice OpenOffice 2.0.4
OpenOffice OpenOffice 2.0.3 -1
OpenOffice OpenOffice 2.0.3
OpenOffice OpenOffice 2.0.2
OpenOffice OpenOffice 2.0.1
OpenOffice OpenOffice 2.0 Beta
OpenOffice OpenOffice 3.2
OpenOffice OpenOffice 2.4
OpenOffice OpenOffice 2.2
OpenOffice OpenOffice 2.1
Debian Linux 5.0 sparc
Debian Linux 5.0 s/390
Debian Linux 5.0 powerpc
Debian Linux 5.0 mipsel
Debian Linux 5.0 mips
Debian Linux 5.0 m68k
Debian Linux 5.0 ia-64
Debian Linux 5.0 ia-32
Debian Linux 5.0 hppa
Debian Linux 5.0 armel
Debian Linux 5.0 arm
Debian Linux 5.0 amd64
Debian Linux 5.0 alpha
Debian Linux 5.0
Debian Linux 4.0 sparc
Debian Linux 4.0 s/390
Debian Linux 4.0 powerpc
Debian Linux 4.0 mipsel
Debian Linux 4.0 mips
Debian Linux 4.0 m68k
Debian Linux 4.0 ia-64
Debian Linux 4.0 ia-32
Debian Linux 4.0 hppa
Debian Linux 4.0 armel
Debian Linux 4.0 arm
Debian Linux 4.0 amd64
Debian Linux 4.0 alpha
Debian Linux 4.0

Description:
Bugtraq ID: 38245
CVE: CVE-2010-0136

OpenOffice is prone to a remote security-bypass vulnerability.

An attacker can exploit this issue to bypass intended restrictions on macro code, which may allow the attacker to obtain sensitive information or launch further attacks.

Details on this issue are not available. We will update this BID as more information emerges.
Mar 14

Anyone running CentOS/RHEL x86_64 systems has probably noticed that Red Hat installs a mix of i386 and x86_64 RPMs on such systems. This is how Red Hat supports i386 applications on a 64-bit install (multilib). It is completely different from how, for example, Debian does it: there you will not see any i386 libraries or duplicate applications installed by default (you can install the ia32 compatibility libraries, but the user is in full control of that process). The way this works in RHEL is confusing; let's take a simple example (the commands are taken from a clean CentOS 5.3 install with only the base packages selected) and see what version of ncurses is on the system:

rpm -qa | grep ncurses
ncurses-5.5-24.20060715
ncurses-5.5-24.20060715

What? Why is this listed twice? Running rpm -qi ncurses-5.5-24.20060715 will also list the package twice (and still doesn't show the difference). We can assume one is i386 and one is x86_64, but we can't see it, because the default query format on RHEL 5 does not include the architecture.

To at least have rpm report the proper package names, add a line to the rpmmacros file like "%_query_all_fmt %%{name}-%%{version}-%%{release}.%%{arch}"; this adds the architecture to the output of rpm -qa:

cat >> ~/.rpmmacros
%_query_all_fmt %%{name}-%%{version}-%%{release}.%%{arch}

(type the line, then press Ctrl-D to end the input.) Running the same command now returns something more meaningful:

rpm -qa | grep ncurses
ncurses-5.5-24.20060715.x86_64
ncurses-5.5-24.20060715.i386

This changes nothing in how yum installs duplicate programs or libraries, but at least it lets us see the full name of the packages in rpm commands. yum.conf also has the setting (this is the default, so you probably already have it):

exactarch=1

Note what it actually does: it makes yum update a package only with the same architecture as the installed one (so an i386 package will not be "updated" to an i686 one); it does not stop yum from installing i386 packages alongside x86_64 ones when a dependency or a multilib package pulls them in. If you want to ignore other-arch packages completely, add the following to the [main] section of /etc/yum.conf to exclude all 32-bit packages:

exclude=*.i386 *.i586 *.i686

This removes them from all yum operations. Use it with care and only if you fully understand the implications: any package that genuinely needs a 32-bit library will then fail to install or update until you drop the exclusion, and an i386 package that is already installed will no longer receive security updates through yum.

Even if you don't exclude the 32-bit packages as shown above, it is a good idea to name the arch explicitly in all yum operations (install, remove, etc.), like:

yum install ncurses.x86_64

so that you get exactly the package you meant. Hopefully you found this post useful, and now have a better understanding of how RHEL/CentOS use the i386 and x86_64 packages and libraries with rpm and yum on a 64-bit installation.
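Once the architecture is visible, the useful follow-up is an inventory of which packages are installed twice and how many 32-bit packages the box carries, since every one of them is an extra thing to keep patched. The script below is an added example, not code from the original post: it uses rpm's --qf option (the same format string the post puts in ~/.rpmmacros, so no macro file is needed) and keeps the parsing on stdin so it can be run on output captured from another host. The sample package list in the test is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): audit multilib duplicates on an
# x86_64 CentOS/RHEL box.

# multiarch_dups: read "name arch" lines on stdin, print
# "name: arch1 arch2" for every package installed in more than one arch.
multiarch_dups() {
    awk '{ archs[$1] = archs[$1] " " $2; n[$1]++ }
         END { for (p in n) if (n[p] > 1) print p ":" archs[p] }' | sort
}

# count_arch [PATTERN]: count packages whose arch matches the regex
# (default i386). Use 'i[3-6]86' to count every 32-bit flavour at once.
count_arch() {
    awk -v want="${1:-i386}" '$2 ~ ("^" want "$") { c++ } END { print c + 0 }'
}

# Live versions against the rpm database.
rpm_multiarch_report() {
    rpm -qa --qf '%{name} %{arch}\n' | multiarch_dups
}

rpm_count_32bit() {
    rpm -qa --qf '%{name} %{arch}\n' | count_arch 'i[3-6]86'
}

# Usage:
#   rpm_multiarch_report          # e.g. "ncurses: x86_64 i386"
#   rpm_count_32bit               # how many 32-bit packages are installed
#   yum remove ncurses.i386       # drop a duplicate you have confirmed is unused
```

Before removing a 32-bit duplicate, check with rpm -q --whatrequires that nothing installed depends on it; glibc and a few other multilib packages are legitimately present in both architectures on a stock install.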

Mar 08

Tuning kernel parameters can improve Linux socket I/O performance. The sysctl.conf settings below apply to Fedora, Red Hat and CentOS as well as other Linux distributions. They improve how the server behaves on the network under load and add a little protection against some denial-of-service and spoofing tricks (SYN floods, source-routed packets, ICMP redirects, broadcast-ping amplification). A few of the entries trade throughput for predictability and are marked as such; check them against your workload rather than copying the whole file blindly.

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables packet forwarding (a host that is not a router should not forward)
net.ipv4.ip_forward = 0

# Disables IP source routing. The "all" and "default" keys cover every
# interface; the eth0 lines only apply if an interface of that name exists
# when sysctl -p runs, otherwise sysctl prints an error for them.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection: reverse-path (source address) verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Log spoofed packets, source-routed packets and redirect packets ("martians")
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Disables the magic SysRq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 400

# Turn off TCP window scaling, selective acknowledgements and timestamps.
# NOTE: all three cost throughput on high-latency or lossy links, and
# disabling timestamps also disables PAWS and limits what SYN cookies can
# encode. Keep them at 1 unless you have a specific reason not to.
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN cookie protection (only kicks in once the SYN backlog is full)
net.ipv4.tcp_syncookies = 1

# Lower the SYN / SYN-ACK retry counts
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3

# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Size of the SYN backlog for half-open connections (effectively q0)
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the TIME-WAIT buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range (the highest valid port number is 65535)
net.ipv4.ip_local_port_range = 16384 65535
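Settings in sysctl.conf only take effect after sysctl -p (or a reboot), and sysctl -p skips any key it cannot apply, for example the eth0 entries on a host whose interface has another name, printing an error but carrying on. The script below is an added example, not code from the original post: it compares a sysctl.conf-style file against the running values as printed by sysctl -a and lists every key that is missing or differs, which is the check that tells you the hardening actually took. Both inputs are files so the comparison can also be run on sysctl -a output captured from another host; the sample files in the test are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): audit a sysctl.conf against the
# kernel's running values.

# sysctl_audit WANTED RUNNING
#   WANTED  - sysctl.conf-style file (key = value, "#" or ";" comments)
#   RUNNING - saved output of "sysctl -a"
# Prints one line per mismatch and returns 1 if there were any.
sysctl_audit() {
    wanted=$1
    running=$2
    out=$(awk -F'[ \t]*=[ \t]*' '
        # normalise "net/ipv4/ip_forward" and "net.ipv4.ip_forward" to one form
        function key(k) { gsub(/[ \t]/, "", k); gsub(/\//, ".", k); return k }
        # collapse the tabs sysctl -a prints between multi-value entries
        function val(v) { gsub(/[ \t]+/, " ", v); sub(/^ /, "", v); sub(/ $/, "", v); return v }
        NR == FNR {                                   # first file: intended settings
            if ($0 ~ /^[ \t]*(#|;|$)/) next
            want[key($1)] = val($2); next
        }
        key($1) in want { have[key($1)] = val($2) }   # second file: running values
        END {
            for (k in want)
                if (!(k in have))            print k ": wanted " want[k] ", not present"
                else if (have[k] != want[k]) print k ": wanted " want[k] ", running " have[k]
        }' "$wanted" "$running" | sort)
    [ -z "$out" ] && return 0
    echo "$out"
    return 1
}

# Load the file and audit it in one go (needs root).
sysctl_apply_and_audit() {
    conf=${1:-/etc/sysctl.conf}
    sysctl -p "$conf" >/dev/null
    sysctl -a 2>/dev/null > "/tmp/sysctl.running.$$"
    sysctl_audit "$conf" "/tmp/sysctl.running.$$"
    rc=$?
    rm -f "/tmp/sysctl.running.$$"
    return $rc
}

# Usage:
#   sysctl_apply_and_audit /etc/sysctl.conf && echo "all settings active"
```

A key reported as "not present" usually means a typo in the name or an interface-specific entry for an interface that does not exist; a value that differs after sysctl -p means something later in the boot (a network script, a service) is overriding it.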

Mar 07

To get a summary of the available and used disk space on your Linux system, type the df command in a terminal window. df stands for "disk free": it reports free space per file system. With the -h option (df -h) it shows the disk space in "human readable" form, which means it prints the units (K, M, G) along with the numbers.

The output of df is a table with six columns: the file system (a disk partition, another storage device, or a file system mounted over the network), its total size, the space used, the space available, the percentage in use, and the mount point. The mount point is the place in the directory tree where that file system is attached and can be accessed.

The du command, on the other hand, shows the disk space used by the files and directories under the current directory. Again the -h option (du -h) makes the output easier to read.

By default, du lists every subdirectory with the space it occupies. The -s option (du -sh) suppresses that and prints only a summary, namely the combined disk space used by the directory and everything below it. To show the usage of a directory (folder) other than the current one, give its name as the last argument, for example du -sh website, where "website" is a subdirectory of the current directory. Note that df measures at the file-system level and du at the file level, so the two can disagree, for instance when a deleted file is still held open by a process: df still counts its blocks, du no longer sees it.

Mar 05

 

Installing a DHCP server on Debian Linux is not that hard.

I assume your host has the following configuration:

2 NICs:
eth0 (internal LAN, where DHCP will be served)
eth1 (internet / upstream)

1. Setting up eth0 for DHCP use

The DHCP server's own interface needs a static IP address: the server cannot lease addresses on an interface whose address is itself assigned dynamically.

I will use 192.168.10.x as the internal address range.

Edit the interfaces file: nano /etc/network/interfaces

And make sure the eth0 stanza matches the following:

auto eth0
iface eth0 inet static
address 192.168.10.1
netmask 255.255.255.0
network 192.168.10.0
broadcast 192.168.10.255

After you have modified the file, press Ctrl+X; nano asks whether to save the file. Answer Y and press Enter.

Restart networking:

/etc/init.d/networking restart

2. Install and configure the DHCP server

With the interface in place, install the server package:

apt-get install dhcp3-server

During installation a dialog warns that the server will not start until it has been configured. Press Enter and let the installation finish.

The server does not start at this point: it still has to be bound to an interface and given an address range to lease.

2.1 Binding the interface

Edit the defaults file:

nano /etc/default/dhcp3-server

Change the line

INTERFACES=""
to
INTERFACES="eth0"

Bind dhcpd only to the internal interface (eth0, the one carrying 192.168.10.1). Do not list the internet-facing eth1 here: a DHCP server answering on the upstream side would hand out addresses and a default route to whoever is on that network, and in any case dhcpd refuses to serve the 192.168.10.0/24 subnet on an interface that has no address in it.

After you have modified the file, press Ctrl+X, answer Y and press Enter.

2.2 Configuring the DHCP leases

This is the final step; after it the DHCP server is running.

We are not going to use the default configuration file, but we keep a copy of it.

Go to the configuration directory:

cd /etc/dhcp3/

Make a backup of the existing config file:

cp dhcpd.conf dhcpd.old.conf

Now remove the file you just backed up:

rm dhcpd.conf

Create the new dhcpd.conf:

nano dhcpd.conf

Paste the following into the file:

subnet 192.168.10.0 netmask 255.255.255.0 {
  range 192.168.10.10 192.168.10.100;
  option domain-name-servers 192.168.1.1;
  option domain-name "Failserver.nl";
  option netbios-name-servers 192.168.10.1;
  option routers 192.168.10.1;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.10.255;
  default-lease-time 86400;
  max-lease-time 676800;
}

After you have modified the file, press Ctrl+X, answer Y and press Enter.

Now restart the DHCP server:

/etc/init.d/dhcp3-server restart
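The three files edited above have to agree with each other: the interface named in /etc/default/dhcp3-server must be the one that holds the "option routers" address, and the lease range must fall inside the declared subnet. The script below is an added example, not code from the original post: it checks both before the restart, then lets dhcpd parse its own config with the -t option. File paths are parameters so the check can be run on copies; the /24 handling matches this post's netmask and is not a general subnet calculator. The sample files in the test are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check the DHCP setup
# before restarting dhcpd.

# dhcp_sanity INTERFACES_FILE DEFAULTS_FILE DHCPD_CONF
# Prints each problem found and returns 1 if there were any.
dhcp_sanity() {
    ifaces=$1
    defaults=$2
    conf=$3
    rc=0
    bound=$(sed -n 's/^INTERFACES="\([^"]*\)".*/\1/p' "$defaults")
    router=$(sed -n 's/^[[:space:]]*option routers[[:space:]]*\([0-9.]*\);.*/\1/p' "$conf")
    # which stanza in /etc/network/interfaces holds the router address?
    owner=$(awk -v ip="$router" '$1 == "iface" { cur = $2 }
                                $1 == "address" && $2 == ip { print cur; exit }' "$ifaces")
    if [ -z "$bound" ]; then
        echo "INTERFACES is empty: dhcpd will not start"; rc=1
    elif [ "$bound" != "$owner" ]; then
        echo "dhcpd is bound to $bound but router $router is on ${owner:-no interface}"; rc=1
    fi
    # the lease range must lie inside the subnet (/24 only, as in this post)
    subnet=$(sed -n 's/^[[:space:]]*subnet[[:space:]]*\([0-9.]*\)[[:space:]]*netmask[[:space:]]*255\.255\.255\.0.*/\1/p' "$conf")
    set -- $(sed -n 's/^[[:space:]]*range[[:space:]]*\([0-9.]*\)[[:space:]]*\([0-9.]*\);.*/\1 \2/p' "$conf")
    if [ -n "$subnet" ] && [ $# -eq 2 ]; then
        for ip in "$1" "$2"; do
            if [ "${ip%.*}" != "${subnet%.*}" ]; then
                echo "range address $ip is outside $subnet/24"; rc=1
            fi
        done
    fi
    return $rc
}

# Run the check against the live files, have dhcpd parse the config (-t),
# and only then restart it. Needs root.
dhcp_check_and_restart() {
    dhcp_sanity /etc/network/interfaces /etc/default/dhcp3-server /etc/dhcp3/dhcpd.conf || return 1
    dhcpd -t -cf /etc/dhcp3/dhcpd.conf || return 1
    /etc/init.d/dhcp3-server restart
}

# Usage:
#   dhcp_check_and_restart || echo "fix the configuration first"
```

After the restart, /var/log/syslog shows DHCPDISCOVER / DHCPOFFER lines for each client; a "No subnet declaration for eth1" message there is the symptom of binding the wrong interface.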

Mar 04

Here I am going to write about Linux software RAID. If yours is very slow, you can check it the way I did; I hope it helps.
So I had an ASUS P6T motherboard with an Intel ICH10R RAID controller, 3x 1 TB SATA II HDDs and an Intel Core i7 920 processor, and I wanted to install Fedora 10 on that machine.
After configuring RAID 5 in the BIOS I booted the Fedora 10 installation DVD to start the installation. BUT! Suddenly I saw that Anaconda saw 3 separate hard drives instead of 1 RAID device. After some googling I figured out that my motherboard doesn't have a real RAID controller: it is a fakeraid controller, i.e. software RAID whose software lives in the BIOS. So I decided to use Linux software RAID, because it is definitely better than the one from ASUS.
So I installed Fedora 10 with Linux software RAID 5 and LUKS encryption. After the installation the machine worked very slowly. I thought it was because of the encryption, but after some googling I understood that encryption can't slow the machine down that much. The thing is that a newly created RAID 5 array has to build the parity onto the 3rd drive (the initial resync), and that takes a long time: approximately 4 hours for me on 1 TB drives. You can check the resync status at any time with one of the following commands:

# cat /proc/mdstat

or

# mdadm --detail /dev/md0

After the resync was over and after some tuning, I had ~90 MB/s write and ~200 MB/s read.

The tuning parameters were:

echo 32768 > /sys/block/md0/md/stripe_cache_size
blockdev --setra 65536 /dev/md0

Neither setting survives a reboot, so put them in /etc/rc.local (or a udev rule) to make them persistent. stripe_cache_size is counted in entries of one page per member device, so 32768 entries on a 3-disk array pin 32768 * 4 KB * 3 = 384 MB of RAM for the stripe cache; on a box with little memory pick a smaller value.
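Reading /proc/mdstat by eye works for one array, but the script below is an added example, not code from the original post: it parses /proc/mdstat into one line per array (clean or degraded, plus resync/recovery progress and the finish estimate), computes how much RAM a stripe_cache_size value will pin, and applies the post's tuning only when that stays under a cap. The mdstat path is a parameter so the parser can run on a saved copy; the 512 MB cap is an assumption. The mdstat sample in the test is constructed in the kernel's own format.

```sh
#!/bin/sh
# Added example (not from the original post): md array status and safe
# stripe-cache tuning.

# md_status [MDSTAT]
# Print one line per array: "mdN: <clean|degraded> [UU_], <progress>".
md_status() {
    mdstat=${1:-/proc/mdstat}
    awk '
        function flush() { if (cur != "") print cur ": " health[cur] ", " prog[cur] }
        /^md[0-9]+ :/ { flush(); cur = $1; health[cur] = "unknown"; prog[cur] = "idle" }
        # the "[UU_]" map on the blocks line: an underscore is a missing/failed member
        /\[[U_]+\][ \t]*$/ { health[cur] = ($NF ~ /_/ ? "degraded " : "clean ") $NF }
        # resync / recovery / reshape / check progress line
        /(recovery|resync|reshape|check) = / {
            for (i = 1; i < NF; i++)
                if ($(i + 1) == "=" && $i ~ /^(recovery|resync|reshape|check)$/) {
                    prog[cur] = $i " " $(i + 2)
                    for (j = i; j <= NF; j++) if ($j ~ /^finish=/) prog[cur] = prog[cur] " " $j
                }
        }
        END { flush() }' "$mdstat"
}

# stripe_cache_mb ENTRIES DEVICES
# RAM pinned by the stripe cache in MB: entries * 4 KB page * member devices.
stripe_cache_mb() {
    entries=$1
    devices=$2
    echo $(( entries * 4 * devices / 1024 ))
}

# md_tune [DEV] [ENTRIES] [MAX_MB]
# Apply the post's tuning to an array, refusing if the cache would exceed
# MAX_MB (an assumption, default 512). Needs root.
md_tune() {
    dev=${1:-md0}
    entries=${2:-32768}
    max_mb=${3:-512}
    devices=$(ls "/sys/block/$dev/slaves" | wc -l)
    need=$(stripe_cache_mb "$entries" "$devices")
    if [ "$need" -gt "$max_mb" ]; then
        echo "stripe cache would pin ${need} MB (> ${max_mb} MB), not applying" >&2
        return 1
    fi
    echo "$entries" > "/sys/block/$dev/md/stripe_cache_size"
    blockdev --setra 65536 "/dev/$dev"
}

# Usage:
#   md_status                 # e.g. "md0: degraded [UU_], recovery 12.5% finish=150.2min"
#   md_tune md0 32768 512     # tune once md_status reports the array idle
```

Benchmark only after md_status reports the array clean and idle; numbers taken during the initial resync measure the rebuild, not the array.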