Tuesday, September 7, 2010

NFS Client - Server Configuration


NFS - Network File System - is a System V managed service which is basically used to serve files from a remote computer to your local machine. It consists of two parts: the server part and the client part.

The Server Configuration:
Two main RPM packages are needed to configure NFS as a server on your RedHat machine:
portmap - needed because the NFS server is an RPC (Remote Procedure Call) service.
nfs-utils - contains the essential files and utilities such as exportfs and showmount, and the scripts installed in the /etc/rc.d/init.d/ directory (nfs etc.) which form a part of the NFS server.

The NFS server software depends on three facilities for its work:
  • portmap : Which maps the calls made from the other machines to the correct RPC service.
  • nfs (in kernel): Translates NFS requests into requests on the local filesystem and
  • rpc.mountd : Which mounts and unmounts filesystems. 
All the above three run as daemons and are started at boot time from the portmap and nfs System V initialization scripts. See /etc/rc.d/init.d/ directory. 

To verify that these services are running, do either of the following:
# rpcinfo -p
OR
service nfs status
service portmap status
To verify that these services are running on a remote server (say myserver), do:
rpcinfo -p myserver
Once you have made sure the above services are running, the next step is to decide which directories and filesystems are to be made available for sharing across the network via NFS. These are listed in the /etc/exports file.
#FILE: /etc/exports
/engineering *.myserver.com(ro,sync) otherserver.india.com(rw,sync)
/root/presentations macmot.dc.com(rw,sync)
/sales 192.168.10.0/255.255.255.0(sync)
The above listing is a part of my /etc/exports file. Each line contains one exported directory and its access permissions. For example, the first line exports the /engineering directory to all the clients in the 'myserver.com' domain with read-only access and 'otherserver.india.com' with read-write access. And the data is synchronized on to the disk on each access. The third line shows that you can also give a valid IP address/subnet mask to specify a range of addresses to which the particular directory is exported. 
Note: You can use wild cards like * and ? for the purpose. Care should be taken to see that the options are not separated from the hostnames with white space. If white space exists between a hostname and an option, it is treated as two distinct export destinations and the option will apply to a "world export".

Another thing of significance is that all entries in /etc/exports are exported with root_squashing turned on. This ensures that a person having root access on a remote machine is not given root access to the files on the server machine. This can be negated by using the no_root_squash option.
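To catch the two pitfalls just described (an option list detached from its host, and no_root_squash) before running exportfs, here is a small Python linter. It is an added example, not part of the original post; the exports text it checks is constructed, and the finding codes are names chosen here.

```python
import re

# Constructed sample exports file (not the post's own): line 3 has a stray
# space before its option list, line 4 turns off root squashing, line 5 is
# an explicit world export.
SAMPLE_EXPORTS = """\
# engineering shares
/engineering *.myserver.com(ro,sync) otherserver.india.com(rw,sync)
/root/presentations macmot.dc.com (rw,sync)
/sales 192.168.10.0/255.255.255.0(rw,sync,no_root_squash)
/public *(ro)
"""

# client part, optionally followed by a parenthesised option list
TOKEN = re.compile(r'([^(]*)(?:\((.*)\))?')


def parse_export_line(line):
    """Return (path, [(client, [options]), ...]) for one exports line.

    Follows the exportfs token rule quoted in the post: a token without
    '(...)' is a client that gets the default options, and a bare '(...)'
    token has an empty client name, which exportfs treats as a world export.
    """
    tokens = line.split()
    clients = []
    for tok in tokens[1:]:
        m = TOKEN.fullmatch(tok)
        if m is None:
            raise ValueError(f"cannot parse export token {tok!r}")
        options = [o for o in (m.group(2) or '').split(',') if o]
        clients.append((m.group(1), options))
    return tokens[0], clients


def lint_exports(text):
    """Return findings as (line number, path, code, client) tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, clients = parse_export_line(line)
        for client, options in clients:
            if client == '':
                # '(rw,sync)' on its own: the host before it silently gets the
                # defaults and these options apply to every client.
                findings.append((lineno, path, 'WORLD_BY_WHITESPACE', client))
            elif client == '*':
                findings.append((lineno, path, 'WORLD', client))
            if client and not options:
                findings.append((lineno, path, 'DEFAULT_OPTIONS', client))
            if 'no_root_squash' in options:
                findings.append((lineno, path, 'NO_ROOT_SQUASH', client))
    return findings


if __name__ == '__main__':
    for lineno, path, code, client in lint_exports(SAMPLE_EXPORTS):
        print(f"line {lineno}: {path} client={client!r}: {code}")
```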

Once you have finished editing the /etc/exports file, you have to make the NFS server read the /etc/exports file. This you can do either by rebooting the machine or by running the command:
exportfs -a
This exports all the shares listed in the /etc/exports file to the NFS server. You have to run this command each time you make changes to the /etc/exports file.
You can check the proper operation of your NFS server by running either of the two commands:
exportfs -v
OR
service nfs status
Client side configuration : 
The main job here is to mount the NFS share exported by the remote computer (let us say server_one). This can be achieved in a few different ways:
  1. Specify it in the /etc/fstab file.
  2. Use the autofs daemon to mount NFS shares on demand and unmount them when idle.
  3. You can mount the NFS shares manually as root, using the mount command. 
But before that, you have to know which directories are exported by the remote NFS server. This is achieved by the command:
showmount -e hostname
Where hostname is the remote NFS server hostname. When you mount an exported directory from an NFS server, you can access it as if it were local to your machine.
#File: /etc/fstab
server_one:/sales /mnt/pub nfs defaults 0 0
The above listing shows that the /sales directory from the NFS server server_one is mounted locally at the /mnt/pub directory. The /etc/rc.d/init.d/netfs script will mount any network filesystems that are configured to be mounted at boot time, such as the /etc/fstab listing above.

Some NFS specific options that can be used with mount or in /etc/fstab include:
  • rsize=8192 and wsize=8192 - will speed up NFS throughput considerably.
  • soft - Processes return with an error on a failed I/O attempt.
  • hard - will block a process that tries to access an unreachable share.
  • intr - allows NFS requests to be interrupted or killed if the server is unreachable.
  • nolock - Disables file locking (lockd) and allows interoperation with older NFS servers.
For example:
mount -t nfs -o rsize=8192,wsize=8192,soft,rw server_one:/sales /mnt/sales
The kernel automounter facility, autofs, provides the ability to mount the NFS shares on demand and unmount them when they are idle in a way that is transparent to the end user. Check whether you have the autofs RPM installed in your machine. Then turn it on using the command: 
chkconfig autofs on
Now edit the file /etc/auto.master to mirror your configuration. Check man auto.master for the details of the syntax. Lastly start the autofs service: 
service autofs start
Note: You have to restart the autofs daemon each time you make changes to the /etc/auto.master file. Now you have successfully configured the NFS server and client.

Saturday, September 4, 2010

Windows admin IQ test


Question 1: The Windows OS architecture is highly modular and built on two layers. One layer is called User Mode. What is the other layer called?
Correct Answer: Kernel Mode
The Kernel Mode includes the HAL and Executive Services and is the lower layer of the modular architecture used in Windows.
Question 2: What X.500- and LDAP-based technology did Microsoft introduce into its domain structure with the release of Windows Server 2000?
Correct Answer: Active Directory
Microsoft based its domain structure off the X.500 and LDAP standards for directory services and calls it Active Directory.
Question 3: Which of the following monitors the performance of SQL, Exchange, and other Microsoft server apps?
Correct Answer: System Center Operations Manager (SCOM), formerly MOM
Microsoft Operations Manager was first released in 2000, and it has been enhanced over the years until the latest version 2005. It was then added into the System Center line of server applications and released as System Center Operations Manager (SCOM), although its primary purpose -- performance and event monitoring -- hasn't changed.
Question 4: Which company employed Ray Ozzie immediately before he came to Microsoft?
Correct Answer: Groove Networks
Ray Ozzie began his career at Data General Corp. and later worked for Lotus Development. Iris Associates, which Ozzie formed in 1984, developed Lotus Notes (sold by Lotus). Ozzie later formed Groove Networks, which was acquired by Microsoft in 2005. In June 2006, Ozzie took over the role of chief software architect from Bill Gates.
Question 5: A blast from Microsoft cert exams past: What has been the traditional method to get any Windows system to perform better (and is apparently still the method if you're running Windows Vista)?
Correct Answer: Add more RAM
While it is true, any one of the options above would enhance performance to some degree. This question harkens to the days of certification mania, which left the world with a slew of paper-MCSEs -- and a handful of real ones. Adding more RAM was a common solution for providing Windows with a performance boost.
Question 6: Originally code-named Monad, what is Microsoft's latest extensible command-line shell and scripting language?
Correct Answer: PowerShell
PowerShell is more than the future of the Windows command line; in some products, it is the present. For Exchange Server 2007, SQL 2008, and several other applications, PowerShell is the new and improved method of performing tasks through the command line. Using a set of intuitive commands called cmdlets (pronounced command-let), an administrator can accomplish anything needed with the associated application.
Question 7: In The Road Ahead, Bill Gates explains the secret of binary code conversion. Assuming you were paying attention, express the 32-bit binary 11000000.10101000.00001010.00000001 in dotted-decimal formation.
Correct Answer: 192.168.10.1
It may have been a while since you had to perform binary-to-decimal calculations, but it's essential to understanding TCP/IP. Bill explains the conversion well, but once you get into subnetting, you may want to pick up a more IP-focused book.
Question 8: Windows 95 books buzzed about making changes to the Windows Registry. From an administrative perspective, which of the following will assist you to enforce registry settings, without permanently altering or "tattooing" the registry?
Correct Answer: Group Policy
Introduced with Windows 2000, Group Policy took over where System Policy Editor left off. It allows you to make registry enhancements by overlaying but not permanently altering the registry of the user's machine with the new settings.
Question 9: Which of the following Office 2007 servers provides business intelligence through dashboards, scorecards, predictive analysis, and the like?
Correct Answer: PerformancePoint Server 2007
Focused on the BI sector, PerformancePoint Server 2007 combines legacy Microsoft technology, such as Excel, SQL, and SharePoint, with recent acquisitions, notably ProClarity.
Question 10: Windows Server 2008 introduces a minimal installation option, known chiefly as "Windows without Windows." What is the official moniker of this option?
Correct Answer: Server Core
Server Core's low-maintenance installation limits Server 2008's functionality, providing a more secure environment due to a reduced attack surface and limited GUI.
Question 11: Fill in the blanks: To create a VPN in Windows NT 4.0, you would use the ____ protocol, which has been made obsolete in modern Windows VPNs through the use of the _____ protocol and IPSec.
Correct Answer: PPTP and L2TP
Older VPN tunnels were created through the Point-to-Point Tunneling Protocol, which did not encrypt the data. More modern methods use the Layer 2 Tunneling Protocol, which also does not provide encryption but instead relies on an encryption protocol.
Question 12: Windows NT was intended to be the successor of which OS, originally created by Microsoft and IBM?
Correct Answer: OS/2
Originally created by Microsoft and IBM, OS/2 was eventually carried forward by IBM when Microsoft parted ways to focus on the Windows API. Microsoft hired Dave Cutler from Digital Equipment Corp. to lead the development of Windows NT.
Question 13: To remain competitive with the online likes of Google and others, Microsoft is headed to the "cloud." What forthcoming cloud-based OS will allow Microsoft and its ISVs to develop and run Windows apps via the Web?
Correct Answer: Windows Azure
Announced at the Microsoft Professional Developers Conference this past October, Windows Azure and the Azure Services Platform will be based on Windows Server 2008 and Hyper-V to provide a framework for developers to create applications that run "in the cloud," giving end-users greater access to apps via the Internet.
Question 14: Which of the following companies has had a long-term relationship with Microsoft to provide remote access solutions such as MetaFrame Server, Presentation Server, and now XenApp?
Correct Answer: Citrix Systems
Microsoft and Citrix have a long-standing history that dates back to the early '90s. Citrix was given access to the Windows NT 3.51 source code to develop WinFrame. With NT 4, it licensed technology to Microsoft to create Terminal Server Edition and developed the aforementioned extension products MetaFrame Server, Presentation Server, and XenApp. (Note: Microsoft has its own Terminal Server solution included with Windows Server, with 2008 being the latest version).
Question 15: Which of the following browsers is not, and has never been, an Internet Explorer competitor?
Correct Answer: Spyglass Mosaic
Back around 1995, Spyglass Mosaic was licensed by Microsoft and became the underlying basis for Internet Explorer.
Question 16: Bundled with (or downloadable for) every Windows OS since Windows 98, this tool can modify startup programs, files, and services, as well as the boot process. You won't find it in the Programs menu, however. What is the name of this menu-absent tool?
Correct Answer: MSConfig (System Configuration)
MSConfig, the System Configuration Utility, is a tool that most users are unaware of, but all administrators are. In fact, it is considered the go-to tool for a variety of features.
Question 17: Which free Windows patch management tool allows admins to deploy the latest patches to their organization with the least amount of bandwidth?
Correct Answer: Windows Server Update Services (WSUS)
Whereas Windows Update provides the client side for updating systems, WSUS is the key to not having to utilize Internet bandwidth for each and every machine you are patching. Simply set up a WSUS server to download patches once, and see to it that your clients receive their updates. Heterogeneous environments, or those that use a variety of third-party apps, however, will require additional patch management products to keep your systems current.
Question 18: Assume you have a folder on a Windows Server shared to the Everyone group as Read access. Assume also that, on the local NTFS disk, the file provides Full Control to the Everyone group. Now, if User John attempts to access that folder remotely, what will his cumulative permissions be?
Correct Answer: Read
Remember, the permissions you have coming through the share are what you will have to match up to the permissions you have on the server. If User John could log in to the server directly, he would have Full Control, but being that the share is Read (broken down as Read and Execute), those are the permissions he is confined to using if the NTFS side permits.
Question 19: Windows Small Business Server 2008 is promising a number of changes from the R2 2003 flavor of SBS. Which of the following is not a true statement regarding SBS 2008's features?
Correct Answer: Offers a much better licensing structure for companies with fewer than 20 users
If you are up on your SBS licensing, you know the controversy surrounding the new pricing structure that charges more for the server itself and less for the CALs (client access licenses). Under the new structure, smaller shops (fewer than 20 people) will not benefit. However, businesses with more than 20 users will save money over the previous licensing solutions for Small Business Server. All of the other options are correct.
Question 20: On what product did Bill Gates and Paul Allen found Microsoft?
Correct Answer: Altair BASIC
As fans of The Pirates of Silicon Valley know, Bill Gates and Paul Allen -- after reading the January 1975 issue of Popular Electronics at Harvard University -- contacted MITS president Ed Roberts and told him they had an interpreter for his Altair 8800, which they called Altair BASIC. It was the first product the two created (completing it on the plane due to a forgotten bootstrap program) as MicroSoft.

Linux admin IQ test


Question 1: Which of the following companies has never offered its own branded version of Linux?
Correct Answer: IBM
Even SCO briefly offered its own Linux product. Big Blue, despite being an enthusiastic Linux backer, has always partnered with other distributors instead of packaging its own version of the OS.
Question 2: What is one reason why you might want to install the GRUB boot loader instead of LILO?
Correct Answer: You want to boot from a network
LILO supports a wide variety of boot configurations, but you'll need the more modern GRUB if you want to boot from a network.
Question 3: Which of the following software packages will not help you to run Windows software on a Linux system?
Correct Answer: Samba
While Samba emulates Microsoft's SMB networking protocol, it only lets Linux systems connect to Windows servers. It won't actually help you run Windows software.
Question 4: What is a "shebang"?
Correct Answer: A unique sequence of characters that indicates the start of a shell script
Short for "shell bang," shebang is a hash or pound sign (#) followed by an exclamation mark (!), known in Unix parlance as a "bang."
Question 5: Which of the following Linux distributions is least like the others?
Correct Answer: Novell Suse Linux Enterprise
CentOS, Fedora, and Oracle all base their Linux distributions on the Red Hat Enterprise Linux source code base. Suse follows its own path.
Question 6: Which of the following versions of the Linux kernel is likely to be the most stable on supported hardware?
Correct Answer: 2.4
In the past, odd-numbered kernels were development releases and were therefore considered unstable; kernel Version 2.7 doesn't even exist yet. Version 2.4 is the only stable production release on the list.
Question 7: What distinguishes the Gentoo Linux installation procedure from that of most other distributions?
Correct Answer: It builds most of the system from source code.
A comprehensive Gentoo system can take a long time to install because it builds custom versions of the software from your own specifications.
Question 8: Which of the following companies has not released open source Linux drivers for its graphics hardware?
Correct Answer: Nvidia
Although most of the competition has released open source drivers for at least some of their graphics chips, Nvidia has remained a staunch holdout.
Question 9: What is SELinux?
Correct Answer: A set of kernel modifications developed by the National Security Agency
If you need a hardened OS, SELinux offers security that's good enough for the U.S. government.
Question 10: Which of the following source code version control systems will you need to use if you want to contribute code to the Linux kernel?
Correct Answer: Git
Linus Torvalds created git for Linux kernel development after key contributors objected to BitKeeper's license terms.
Question 11: The current Linux kernel source tree includes approximately how many lines of C++ code?
Correct Answer: Fewer than 500,000
Besides the fact that Linux was started before good free C++ compilers were available, Linus Torvalds is no fan of C++. Standard C and assembly language make up 99.71 percent of the kernel.
Question 12: Who among the following has never contributed any source code to the Linux kernel?
Correct Answer: Richard M. Stallman
Stallman thinks the name should be GNU/Linux, because the kernel doesn't function as an OS without supporting code developed by the Free Software Foundation. But Stallman has never actually written code for the kernel itself.
Question 13: If you needed to work primarily with very large multimedia files, which of the following file systems would offer the best performance?
Correct Answer: XFS
Originally developed by Silicon Graphics, XFS offers smooth data transfer and handles large files very efficiently, either of which would be a boon to multimedia production.
Question 14: Of the following, which is the most widely used GUI windowing system among major enterprise Linux distributions?
Correct Answer: X.org
Trick question! Of the software projects listed, only X.org is a windowing system. The others are desktop environments that run on top of X.org.
Question 15: What is the main benefit of the noatime mount option for Linux file systems?
Correct Answer: It improves performance by reducing the frequency of disk writes
Normally, Linux will update the time stamp on a file every time it is accessed. With the noatime option, the kernel will update files only when their contents are changed.
Question 16: Which of the following virtualization technologies allows Windows virtual machines to run on a Linux system?
Correct Answer: Xen
Most of the virtualization software listed can only launch other instances of Linux. Xen can support Windows virtual machines also, provided your processor supports Intel VT or AMD-V technology.
Question 17: In Linux parlance, what is a "binary blob"?
Correct Answer: A driver that is loaded into the kernel as a binary object, for which no source code is available
The Linux community is divided over the practice of running closed source code as part of the Linux kernel, but when hardware vendors refuse to release their specifications, it's often the only option.
Question 18: Of the following Linux distributions, which does not use RPM as its primary software distribution package format?
Correct Answer: Ubuntu
Ubuntu has its roots in Debian, which has its own package format. The rest all use the format invented by Red Hat.
Question 19: Which of the following companies is among the top 10 corporate contributors to the Linux kernel, according to the Linux Foundation?
Correct Answer: Intel
All of the companies named have contributed a significant amount of code to the kernel. But of the four, Intel tops the list, having been responsible for about 4 percent of recent code changes.
Question 20: Who is Larry Ewing?
Correct Answer: The creator of "Tux the penguin," the official Linux mascot
Ewing drew the affable avian with the first version of the GIMP, back in 1996.

Tuesday, August 31, 2010

Rhce Notes By Suresh Kumar Pakalapati

RH253
=====

PAM :- As linked to by the program, and configured in /etc/pam.d/programname.

libwrap :- As linked to libwrap.so, or managed by a daemon (such as xinetd) that is so linked.

Uid:-

Gid:-

Service:
Chkconfig:
Xinetd:
system-config-services

Network:-

chkconfig --level 35 httpd on
chkconfig --list httpd

service httpd start
service httpd stop
service httpd status

/etc/sysconfig/network-scripts/ifcfg-*  for network interfaces
/etc/sysconfig/*   for most others
/usr/share/doc/initscripts-*/sysconfig.txt

system-config-network [Device,Gateway,StaticRoute,DNS,Hostname]
system-config-network-tui[Device,Gateway]

ifup
ifdown

Virtual:-

libvirt
virt-manager
virt-install
virsh start domain
virsh shutdown/reboot/destroy domain
virsh suspend/resume   domain
virsh save domain state-file
virsh autostart  domain
virsh  console domain
virsh list

xm create -c domain
xentop

Yum: -

/var/ftp/pub/gls/server.repo
cd /etc/yum.repos.d/
cp rhel-debuginfo.repo  errata.repo
vi  errata.repo
[errata]
name = updates repository
baseurl = ftp://instructor.example.com/pub/errata
enabled=1
gpgcheck=0

Yum Commands:-

yum list updates
yum install firefox
yum localinstall firefox.rpm
yum groupinstall packagegroup
yum remove package
yum update package
yum list all
yum list (installed,available,update)
yum grouplist
yum groupinfo packagegroup
yum info package
yum search searchterm
yum provides filename [ yum provides /usr/sbin/sendmail]

/dev/random
/dev/urandom
cat /dev/random

Open SSL:-

keypair: -  openssl genrsa -out server1.key.pem 1024
                 openssl req -new -key server1.key.pem -out server1.csr.pem

Selfsigned: -  openssl req -new -key server1.key.pem -out server1.crt.pem  -x509


Ssh:-

ssh-keygen  -t  dsa
ssh-keygen  -t  rsa

/etc/hosts.allow
/etc/hosts.deny

vi  /etc/hosts.allow
sshd:  192.168.0.114

openssh-client, openssh-server

/usr/sbin/sshd
/etc/init.d/sshd
/etc/ssh/sshd_config ,  /etc/ssh/* ,  ~/.ssh/*

openssh-askpass,  tcp_wrappers

Client:- /etc/ssh/ssh_config   /usr/bin/ssh

Server:- /etc/ssh/sshd_config
               Protocol 2
               Port 22
               ListenAddress 192.168.0.114:22
               PermitRootLogin yes|no
               Banner /etc/issue.net
               AllowTcpForwarding yes
               GatewayPorts yes

ssh -L 3000:192.168.0.114:25  -N 192.168.0.5
ssh -R 3001:192.168.0.114:25  -N 192.168.0.5

ssh-copy-id  user@host
.ssh/authorized_keys

rpm  --verify packagename
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat*
rpm --checksig pkgname

gpg --import  RPM-GPG-KEY
rpm --checksig package-file-name

vnc-server
vncserver
vncviewer localhost:9901

ssh-keygen  -t  dsa
ssh-copy-id  -i  ~/.ssh/id_dsa.pub  serverX

ssh student@serverX id
ssh-keygen -p -f ~/.ssh/id_dsa

yum -y install vnc vnc-server

/etc/termcap
gpg -c /tmp/termcap

openssl x509  -in example-ca.crt  -text | less


Selinux:-

Enforcing, Permissive, Disabled

/etc/sysconfig/selinux

system-config-securitylevel
getenforce  & setenforce  0|1
kernel  selinux=0|1  or  enforcing=0|1

Permissive:- this mode is used for troubleshooting or development; it logs policy violations but does not prevent programs from running [0].

Enforcing:-  is the default mode [1].

user:role:type:sensitivity:category

ps -Z
ls -Z
ps -ZC  syslogd,bash
ls -Zd /etc/   /etc/aliases

chcon -R -t public_content_t  /mydata/html
semanage  fcontext  -a  -t  public_content_t  "/html(/.*)?"
restorecon  -vvFR  /html/
ls -Z  anaconda-ks.cfg

getsebool  -a | grep named
getsebool named_write_master_zones

setsebool  named_write_master_zones on
getsebool  named_write_master_zones

setsebool -P named_write_master_zones on

setroubleshootd
sealert  -a
sealert  -b
sealert  -l

SELinux modes :   getenforce, setenforce
Security contexts :  ps -Z, ls -Z, semanage, restorecon
SELinux booleans :   getsebool, setsebool
Troubleshooting tools :  setroubleshootd, sealert

NTP :-

ntpq -c pe
vi /etc/ntp.conf

ps -zc  ntpd
getsebool -a | grep ntp
setsebool  -P ntpd_disable_trans off
ntpq  -c  pe
rpm  -ql  ntp | grep ntp.conf
restorecon  -v  /etc/ntp.conf

IPTABLES :-

system-config-securitylevel-tui

filtering in the kernel at the network (layer 3), transport (layer 4) and data-link (layer 2) layers

filter: the main packet filtering is performed in this table
nat:
mangle:    special effects
conntrack: stateful  prerouting & output

               Filter    Nat    Mangle
INPUT            X                X
FORWARD          X                X
OUTPUT           X        X       X
PREROUTING                X       X
POSTROUTING               X       X

* PREROUTING --> FORWARD or INPUT --> (local process) --> OUTPUT --> POSTROUTING
   echo "1" > /proc/sys/net/ipv4/ip_forward

* DROP,ACCEPT,LOG,REJECT

iptables -t filter -A INPUT -s 192.168.0.1 -j DROP
         |         |        |              |
         table     chain    match part     target part
                            of the rule    of the rule
iptables -t filter -nvL --line-numbers
iptables -A INPUT -s 192.168.0.114 -j DROP

ip & network:        -s 192.168.0.0/24
                     -d 192.168.0.1

network interface:   -i lo
                     -o eth1

Criteria can be inverted with '!':   -i eth0 -s ! 192.168.0.0/24

iptables -I INPUT  -s 192.168.0.0/24  -j ACCEPT
iptables -I OUTPUT -o eth0 -d 192.168.0.0/24  -j ACCEPT
iptables -I INPUT  -i lo -j ACCEPT

-p tcp  --dport 80
-p udp --sport 53
-p icmp  --icmp-type  host-unreachable

iptables -I INPUT -p tcp -s 192.168.0.1  --sport 123 -d 192.168.0.2  --dport 1024: -j ACCEPT

iptables -I INPUT -p icmp --icmp-type  echo-request -j DROP

iptables -I INPUT -p icmp --icmp-type  destination-unreachable -j ACCEPT

ACCEPT, DROP, REJECT, Flush (-F)
Zero byte packet counter (-z [chain])
-N  (adds chain)
-X  (deletes chain)

iptables -t nat -F POSTROUTING
iptables  -P INPUT      DROP
iptables  -A INPUT -j DROP
iptables  -A INPUT -j REJECT

NEW, ESTABLISHED, RELATED, INVALID

/proc/net/ip_conntrack
/proc/sys/net/ipv4/ip_conntrack
/proc/sys/net/ipv4/netfilter/ip_conntrack_*
ip_conntrack_ftp
ip_conntrack_tftp
ip_nat_ftp
ip_nat_tftp

/etc/sysconfig/iptables-config

iptables_modules = "ip_con---tftp  ip_nat_ftp"

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables  -A INPUT -m state --state NEW -p tcp  --dport 25  -j ACCEPT
iptables  -A INPUT -m state --state NEW -j DROP


DNAT

Inbound: -   iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-dest 192.168.0.114

Outbound:-  iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 192.168.0.200:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-dest 192.168.0.114-192.168.0.116

iptables -t nat -A PREROUTING -i <interface> -p tcp --dport 2201 -j DNAT --to-dest 192.168.0.1:22


SNAT

iptables  -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables  -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45
iptables  -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45-1.2.3.55
iptables  -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45:1234-1334

iptables-save
iptables-restore
service iptables save

vi  /etc/sysconfig/iptables

*filter
:INPUT DROP [573:46163]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [641:68532]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -s 192.168.0.114 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -s 192.168.0.114 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT

vi   /etc/modprobe.conf
alias  net-pf-10 off
alias  ipv6 off

iptables -N class-rules
iptables -A INPUT -j class-rules

service iptables save
-A class-rules -i lo -j ACCEPT
-A class-rules -p icmp -j ACCEPT
-A class-rules -p udp --dport 631 -j ACCEPT
-A class-rules -p tcp --dport 631 -j ACCEPT
-A class-rules -m state --state ESTABLISHED,RELATED -j ACCEPT
-A class-rules -p tcp --dport 22 -j ACCEPT
-A class-rules -j LOG
-A class-rules -j REJECT --reject-with icmp-host-prohibited
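An added example (not from the notes): the class-rules chain above rebuilt in iptables-save syntax, plus a first-match evaluator in Python that walks INPUT into the user chain, treats LOG as non-terminating, returns to INPUT when the user chain runs out, and applies the chain policy last. The ruleset is constructed (the port 22 rule is additionally restricted to 192.168.0.0/24 here), and packets are plain dicts with iface, proto, src, dst, sport/dport and conntrack state.

```python
import ipaddress
import shlex

# Constructed ruleset in iptables-save syntax, rebuilt from the class-rules
# chain in the notes (not the notes' own file). The port 22 rule is
# additionally limited to the LAN here so that -s has something to do.
RULESET = """\
*filter
:INPUT DROP [0:0]
:class-rules - [0:0]
-A INPUT -j class-rules
-A class-rules -i lo -j ACCEPT
-A class-rules -p icmp -j ACCEPT
-A class-rules -p udp --dport 631 -j ACCEPT
-A class-rules -p tcp --dport 631 -j ACCEPT
-A class-rules -m state --state ESTABLISHED,RELATED -j ACCEPT
-A class-rules -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
-A class-rules -j LOG
-A class-rules -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_ruleset(text):
    """Return ({chain: policy}, {chain: [rule dict, ...]}).

    Only the matches used above are understood: -i -p -s -d --sport --dport
    and -m state --state. Options after -j (like --reject-with) are ignored.
    """
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(':'):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith('-A '):
            args = shlex.split(line)[1:]
            chain, rule, i = args[0], {}, 1
            while i < len(args):
                flag, value = args[i], args[i + 1]
                if flag == '-j':
                    rule['target'] = value
                    break
                if flag != '-m':          # '-m state' only names the extension
                    rule[flag.lstrip('-')] = value
                i += 2
            chains[chain].append(rule)
    return policies, chains


def _in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule, pkt):
    """True when every match in the rule holds for the packet dict."""
    checks = {
        'i': lambda v: pkt['iface'] == v,
        'p': lambda v: pkt['proto'] == v,
        's': lambda v: _in_net(pkt['src'], v),
        'd': lambda v: _in_net(pkt['dst'], v),
        'sport': lambda v: pkt.get('sport') == int(v),
        'dport': lambda v: pkt.get('dport') == int(v),
        'state': lambda v: pkt['state'] in v.split(','),
    }
    return all(checks[k](v) for k, v in rule.items() if k != 'target')


def _walk(policies, chains, chain, pkt, log):
    for rule in chains[chain]:
        if not rule_matches(rule, pkt):
            continue
        target = rule['target']
        if target == 'LOG':
            log.append(rule)              # LOG does not end evaluation
        elif target in chains:            # jump into a user-defined chain
            result = _walk(policies, chains, target, pkt, log)
            if result is not None:
                return result             # None means the chain fell through (RETURN)
        else:
            return target
    return None if policies[chain] == '-' else policies[chain]


def evaluate(ruleset_text, pkt):
    """Return (verdict, logged) for a packet entering the INPUT chain."""
    policies, chains = parse_ruleset(ruleset_text)
    log = []
    return _walk(policies, chains, 'INPUT', pkt, log), bool(log)


if __name__ == '__main__':
    # constructed packet: a fresh SSH connection from outside the LAN
    pkt = {'iface': 'eth0', 'proto': 'tcp', 'src': '10.0.0.5',
           'dst': '192.168.0.1', 'dport': 22, 'state': 'NEW'}
    print(evaluate(RULESET, pkt))         # ('REJECT', True)
```

Deleting the final REJECT rule from RULESET shows the other half of the model: the user chain falls through, and the packet is then dropped by the INPUT policy instead.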

TCP-WRAPPERS

libwrap.so
ldd   $(which  sshd)  |  grep  libwrap

vi  /etc/hosts.allow
vi  /etc/hosts.deny
ALL
EXCEPT

vi  /etc/hosts.allow
sshd:  ALL  EXCEPT   192.168.0.114

vi /etc/hosts.deny
sshd:  ALL

vi  /etc/hosts.allow
vsftpd:  192.168.0.1
in.telnetd, portmap: 192.168.0.8

vi  /etc/hosts.deny
ALL: nkindia.com EXCEPT  mail.nkindia.com
vsftpd,  portmap: ALL
sshd:  192.168.0.   EXCEPT  192.168.0.4
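The allow-first, deny-second, default-allow logic that libwrap applies to the two files above, as an added Python model (not from the notes). The sample files are constructed from the lines in the notes; the deny entry uses .nkindia.com with a leading dot, the form that matches every host in that domain, and the caller is assumed to already know the client's resolved hostname and address.

```python
import re

# Constructed from the hosts.allow / hosts.deny lines in the notes (not a
# copy of any real file). The deny entry uses .nkindia.com with a leading
# dot, the pattern that matches every host in that domain.
HOSTS_ALLOW = """\
sshd: ALL EXCEPT 192.168.0.114
vsftpd: 192.168.0.1
in.telnetd, portmap: 192.168.0.8
"""
HOSTS_DENY = """\
ALL: .nkindia.com EXCEPT mail.nkindia.com
vsftpd, portmap: ALL
sshd: 192.168.0. EXCEPT 192.168.0.4
"""


def _match_token(token, hostname, address):
    """One hosts_access(5) pattern against a client (or a daemon name)."""
    if token == 'ALL':
        return True
    if token.endswith('.'):                 # address prefix, e.g. 192.168.0.
        return address.startswith(token)
    if token.startswith('.'):               # domain suffix, e.g. .nkindia.com
        return hostname.endswith(token)
    return token in (hostname, address)     # exact host name or address


def _match_list(spec, hostname, address):
    """'a b EXCEPT c' matches when a or b matches and the EXCEPT part does not."""
    head, _, tail = spec.partition(' EXCEPT ')
    items = [i for i in re.split(r'[,\s]+', head.strip()) if i]
    hit = any(_match_token(i, hostname, address) for i in items)
    if tail:
        return hit and not _match_list(tail, hostname, address)
    return hit


def _file_matches(text, daemon, hostname, address):
    """True when some 'daemon_list : client_list' line matches."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split(':')            # a third field (shell option) is ignored
        if len(fields) < 2:
            continue
        if _match_list(fields[0].strip(), daemon, daemon) and \
                _match_list(fields[1].strip(), hostname, address):
            return True
    return False


def hosts_access(daemon, hostname, address,
                 allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """libwrap order: allow file first, then deny file, else access granted."""
    if _file_matches(allow, daemon, hostname, address):
        return 'allow'
    if _file_matches(deny, daemon, hostname, address):
        return 'deny'
    return 'allow'


if __name__ == '__main__':
    for daemon, host, addr in [('sshd', 'pc.example.com', '192.168.0.114'),
                               ('httpd', 'www.nkindia.com', '10.0.0.9'),
                               ('httpd', 'mail.nkindia.com', '10.0.0.10')]:
        print(daemon, host, addr, '->', hosts_access(daemon, host, addr))
```

Real libwrap resolves the hostname itself and refuses clients whose forward and reverse DNS disagree; this model takes both values as given.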

vi  /etc/xinetd.conf

defaults
{
        instances       = 50
        per_source      = 10
        v6only          = no
        log_type        = SYSLOG daemon info
        log_on_failure  = HOST
        log_on_success  = PID HOST DURATION EXIT
        cps             = 50 10
        banner          = /some/file
}
includedir    /etc/xinetd.d


NSS

vi   /etc/nsswitch.conf
getent
passwd: files  nis ldap

PAM
/lib/security/   (PAM modules)
/etc/security
/etc/pam.d/
/etc/securetty

vi /etc/pam.d/login
auth  required  pam_securetty.so

pam_unix.so
pam_securetty.so
pam_deny.so
pam_permit.so

vi  /etc/pam.d/system-auth
auth  required   pam_env.so
auth  sufficient pam_unix.so nullok try_first_pass
auth  requisite  pam_succeed_if.so uid >= 500 quiet
auth  required   pam_deny.so

pam_krb5.so
pam_ldap.so
pam_smb_auth.so
pam_winbind.so

vi /etc/security/limits.conf


HTTP

httpd,  httpd-devel,  httpd-manual
/usr/sbin/httpd
/etc/init.d/httpd                    
80/tcp   443/tcp (https)
/etc/httpd/*    ,    /var/www/*
system-config-httpd   ,   mod_ssl

Min & Max   Spare Servers
Logfile  Configuration
Host name lookup in  logs
Loaded  modules
Virtual hosts
user and group.

UserDir  public_html

Mimetype
AddType  application/x-httpd-php  .phtml
AddType  text/html  .htm

DirectoryIndex  index.html  default.htm

restorecon -R  /home/
/sbin/restorecon   ~/public_html

Virtual Host

NameVirtualHost  192.168.0.100:80

ServerName Virtl.com
DocumentRoot  /virtl


ServerAlias  www.virt2.com   www2.virt2.com


Options FollowSymLinks
AllowOverride  None



Options -Indexes
AllowOverride   AuthConfig



Order  Allow,Deny
Allow  from  example.com
Deny from   station2.example.com  station3.example.com
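The Order directive is the part of that block people get backwards: with Order Allow,Deny the default is to refuse, the Allow lines are evaluated first and a client must match one of them without also matching a Deny line; with Order Deny,Allow the default is to admit, and a client is refused only when it matches a Deny line and no Allow line. The Python below is an added example, not part of the original notes or of Apache's mod_authz_host; it applies the example.com / station2 / station3 rules above (constructed inline) to a client given as an IP address plus the host name Apache would obtain by reverse lookup, and handles the all, CIDR, netmask, partial-IP and domain forms of the from argument.

```python
# Added example (not from the original notes or from Apache): evaluates the
# Apache 2.2 mod_authz_host "Order / Allow from / Deny from" logic for a client.
# A client is given as (ip, hostname); hostname may be None when Apache has no
# reverse lookup. Rule sets below are constructed from the notes.
import ipaddress

ALLOW_FROM = ["example.com"]
DENY_FROM = ["station2.example.com", "station3.example.com"]


def host_matches(pattern, ip, hostname=None):
    """One 'from' argument: all, CIDR/netmask, full or partial IP, or a domain."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:                          # 10.1.0.0/16 or 10.1.0.0/255.255.0.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in net
    if pattern.replace(".", "").isdigit():      # 10.1.2.3 or partial 10.1
        want = pattern.rstrip(".").split(".")
        have = ip.split(".")
        return have[:len(want)] == want
    if hostname is None:                        # domain rules need a name
        return False
    h = hostname.lower().rstrip(".")
    p = pattern.lower().rstrip(".")
    return h == p or h.endswith("." + p)        # whole-label suffix match


def allowed(order, allow, deny, ip, hostname=None):
    """Apply the Order directive as mod_authz_host documents it."""
    in_allow = any(host_matches(p, ip, hostname) for p in allow)
    in_deny = any(host_matches(p, ip, hostname) for p in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Default deny; a client must match Allow and not match Deny.
        return in_allow and not in_deny
    if order == "deny,allow":
        # Default allow; refused only if it matches Deny and not Allow.
        return not (in_deny and not in_allow)
    raise ValueError("unsupported Order: " + order)


if __name__ == "__main__":
    for ip, name in [("192.168.0.51", "station1.example.com"),
                     ("192.168.0.52", "station2.example.com"),
                     ("10.0.0.9", "host.other.org")]:
        print(name, allowed("Allow,Deny", ALLOW_FROM, DENY_FROM, ip, name))
```

Running the same three clients under Deny,Allow admits all of them, station2 included, because it matches an Allow line as well as a Deny line; that is why the notes pair the block with Allow,Deny. Name-based rules also cost Apache a reverse lookup per request and depend on DNS the server does not control; where the clients are known by address, CIDR rules are both cheaper and harder to fool.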


* service httpd configtest
* apachectl configtest
* httpd -t

/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/ssl.conf

AuthName "Bob's Secret Stuff"
AuthType Basic
AuthUserFile /home/bob/.htpasswd
Require user bob

AuthName "Bob's Secret Stuff"
AuthType Basic
AuthUserFile /etc/httpd/conf/.htpasswd
AuthGroupFile /etc/httpd/conf/.htgroup


Require group staff



Require user bob
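The two blocks above split the work in two steps: AuthType Basic plus AuthUserFile turn the Authorization header into a verified user name (authentication), and the Require line then decides whether that user, or a group from AuthGroupFile, is acceptable (authorization). The Python below is an added example, not part of the original notes or of Apache's mod_auth modules; it builds a constructed .htpasswd in the {SHA} form that `htpasswd -s` writes and a constructed .htgroup with a staff group, then runs both steps for a Basic header.

```python
# Added example (not from the original notes or from Apache's mod_auth):
# how the AuthUserFile / AuthGroupFile / Require lines above fit together.
# Entries use the {SHA} form that `htpasswd -s` writes; the users, passwords
# and the 'staff' group are constructed for the example.
import base64
import hashlib
import hmac


def make_htpasswd_line(user, password):
    """Return a 'user:{SHA}base64(sha1(password))' line, as htpasswd -s does."""
    digest = hashlib.sha1(password.encode()).digest()
    return "%s:{SHA}%s" % (user, base64.b64encode(digest).decode())


def verify_password(stored, password):
    """Check a password against one {SHA} field, in constant time."""
    if not stored.startswith("{SHA}"):
        return False                      # other htpasswd formats not handled here
    want = stored[len("{SHA}"):]
    got = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(want, got)


# Constructed AuthUserFile and AuthGroupFile contents.
HTPASSWD = "\n".join([
    make_htpasswd_line("bob", "bobs-secret"),
    make_htpasswd_line("alice", "alice-pass"),
]) + "\n"
HTGROUP = "staff: bob alice\n"


def basic_header(user, password):
    """Build the Authorization header a browser sends for Basic auth."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return "Basic " + token


def authenticate(authorization, htpasswd=HTPASSWD):
    """AuthType Basic + AuthUserFile: return the user name or None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:]).decode()
        user, password = decoded.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    for line in htpasswd.splitlines():
        if ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name == user and verify_password(stored, password):
            return user
    return None


def authorize(user, requirement, htgroup=HTGROUP):
    """Evaluate 'Require user NAME' or 'Require group NAME' for a user."""
    kind, name = requirement
    if kind == "user":
        return user == name
    if kind == "group":
        for line in htgroup.splitlines():
            if ":" in line:
                group, members = line.split(":", 1)
                if group.strip() == name and user in members.split():
                    return True
        return False
    raise ValueError("unsupported Require: " + kind)


if __name__ == "__main__":
    hdr = basic_header("alice", "alice-pass")
    who = authenticate(hdr)
    print(who, authorize(who, ("group", "staff")), authorize(who, ("user", "bob")))
```

Two caveats follow from the code itself: the header carries the password base64-encoded, not encrypted, on every request, so this belongs behind the mod_ssl configuration listed further down rather than on plain port 80; and {SHA} is an unsalted SHA-1 digest, adequate for the 2.2-era notes but weaker than the bcrypt entries that `htpasswd -B` produces on Apache 2.4, which is the better choice where available.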


ScriptAlias   /cgi-bin/    /path/cgi-bin/

mod_perl
mod_php
mod_speling

ssl: /etc/httpd/conf.d/ssl.conf
certificate: /etc/pki/tls/certs/your_host.crt
private key: /etc/pki/tls/private/your_host.key

/etc/pki/tls/certs/Makefile
make testcert
make certreq

SQUID

Monday, August 30, 2010

25+ Ways to Download YouTube Videos Easily


YouTube is one of the biggest and best video sharing websites, with a giant library of videos. So you can get almost any song, music video or even movie to watch or, better, download.
Web Services / Bookmarklets for Downloading Youtube Videos
  1. SaveVid: with this online service, downloading videos from YouTube is a real snap. You type the address of the video to download, click the "Download" button and you're done. It can also be used via a bookmarklet (a special bookmark) and lets you download the video in HD.
  2. KeepVid: download and save videos directly from YouTube, Google, Metacafe, Putfile and more. Simply copy and paste.
  3. KeepHD.Com: download high-definition videos from YouTube.
  4. Vixy: another very practical web service that lets you download videos from YouTube and convert them on the fly. It can create AVI with audio as MP3, MOV for Mac, MP4 for portable players and 3GP for cell phones.
  5. Kick YouTube: here you can search for and download YouTube videos in various audio/video formats. It also works by simply adding the prefix "kick" before "youtube" in the URL of the video you want to download.
  6. AbcYoutube: a free and very easy to use online YouTube downloader that literally makes YouTube video conversion and download as easy as ABC. You simply need to enter "abc" in front of the URL of any YouTube video.
  7. All-in-one video Bookmarklet: you drag it into your browser's bookmarks bar, select it while watching the video to download and you're done.
  8. Zamzar: an online file format conversion site which can do a lot more than just convert YouTube videos to another format and download them to your hard drive. It does a great job, so it is highly recommended.

Youtube Video Download Applications (Windows)

  1. Orbit Downloader: a popular free download manager. Among its many features is one that lets you download videos from YouTube with just one click. It performs its job very well and integrates with all major browsers.
  2. Real Player: the veteran multimedia player, in its latest versions, can also download videos from YouTube quickly and easily, directly from your browser.
  3. Keepv: a desktop downloader as well as a converter, which can convert the downloaded videos from FLV to AVI, MOV, MP4 or 3GP formats.
  4. VideoSlurp: a very practical program with a built-in browser that allows you to download videos from YouTube with just one click.
  5. VideoGet boasts being able to download video clips from more than 100 video sharing websites. We haven't tested all of them, so we're just going to take their word for it. It's a desktop application with a nice, simple interface and a solid number of options.
  6. Tube Sucker lets you batch download 1000's of videos of your favorite artist from youtube.com. It also includes a batch converter to convert files to the format of your choice.

Firefox Addon Extensions to Download Videos from Youtube

  1. Video Download Helper: a must-have. It not only allows you to download videos from YouTube but also to convert them and to download any media item on the web page you visit.
  2. 1-Click YouTube Video Download: the name is eloquent enough, no?
  3. Fast downloads YouTube: very practical for downloading videos from YouTube, including from search results and when videos are embedded on other sites.
  4. Easy YouTube Video Downloader: adds a couple of extra buttons to the YouTube video page so you can download videos with one single click.
  5. NetVideoHunter: download videos and music from almost any YouTube-like video sharing site.

Youtube Downloader Extensions for Chrome

  1. Easy YouTube Video Downloader
  2. YouTube Get
  3. Another YouTube Downloader:
The three best Chrome extensions with the same functionality. They allow you to download YouTube videos in various formats, including HD.

UserScript (Greasemonkey) for Downloading From Youtube

  1. YouTube Enhancer: a script that allows you not only to download videos from YouTube, but also to change the size of the online player, to disable autoplay, and more.
  2. YouTube Video Download: a script in Italian which, as its official description says, will get any video from YouTube.com, including those in 1080p (high quality), and is designed to be lightweight and unobtrusive. It works without contacting any external site.
  3. YouTube Video Download: allows you to download videos from YouTube in various qualities, up to HD (when available), with a single click.