20 Feb 2008 Script to customize a linux install
This is a simple bash script I whipped together to make som custom changes on our linux installations, it can be used as a kickstart post-configuration file for RedHat RHEL4 and RHEL5 installations.
#!/bin/bash # Enable daily updates of the locate database perl -pi -e 's/DAILY_UPDATE=no/DAILY_UPDATE=yes/' /etc/updatedb.conf # Customize login banners echo "Authorized users only. All activity may be monitored and reported" >> /etc/motd echo "Authorized users only. All activity may be monitored and reported" >> /etc/issue.net # Disable SELinux (this should be changed back when any problems with it has been fixed) #perl -pi -e 's/^SELINUX=.*$/SELINUX=Disabled/' /etc/selinux/config # Configure tcp wrappers host access to allow only ssh access cat <> /etc/hosts.allow ALL:localhost sshd:ALL EOF cat < > /etc/hosts.deny ALL:ALL EOF
Posted by Hans-Henry Jakobsen
22 Jan 2008 Use local DNS name and IP from DHCP
For Red Hat Linux if you receive your IP address from a DHCP server, you may update the local DNS name by adding the following line to the correct ifcfg file in /etc/sysconfig/network-scripts, such as ifcfg-eth0 or ifcfg-eth1:
DHCP_HOSTNAME="myhostname.example.com"
If you are running Debian, edit /etc/network/interfaces as follows (adding the hostname line)
iface eth0 inet dhcp
hostname mybox.mydomain.com
This is useful when your IP-address resolves to more than one hostname.
Posted by Hans-Henry Jakobsen
15 Jan 2008 Allow NFS through iptables on a RedHat system
This post describes how you can configure your RedHat Enterprise WS 4 NFS system behind a iptables firewall to be available for clients outside the firewall on a permanent basis.
Symptom
NFS relies on portmap to assign the ports on which it will listen. One side effect of this is that the ports are randomly assigned, so each time NFS is restarted the ports will change. This can make it difficult to run an NFS server behind a firewall which only allows access to specific ports on the system.
Solution
The first step is to assign a permanent port number to each of the NFS services (rquotad, mountd, statd, and lockd). While they can use any unused ports greater than 1024, it is recommended that you first consult the file /etc/services to find a valid unused port range. The following examples use the range 10000-10005.
The majority of the ports are configured through the file /etc/sysconfig/nfs. You will need to create this file if it does not exist. It should look similar to the following example:
# NFS port numbers STATD_PORT=10002 STATD_OUTGOING_PORT=10003 MOUNTD_PORT=10004 RQUOTAD_PORT=10005
The lockd service is configured differently from the others because it is compiled as a kernel module. To set the port which lockd uses, add these options in the /etc/sysconfig/nfs file:
LOCKD_UDPPORT=30001 LOCKD_TCPPORT=30001
where “30001″ can be replaced with any port that is available and can be assigned for use.
After these configuration changes, you can view the port assignments with the command rpcinfo -p
# rpcinfo -p | awk -F " " '{print $3 ", " $4 ", " $5}' | sort | uniq
proto, port,
tcp, 111, portmapper
tcp, 2049, nfs
tcp, 32771, nlockmgr
tcp, 800, rquotad
tcp, 814, mountd
udp, 111, portmapper
udp, 2049, nfs
udp, 32768, nlockmgr
udp, 797, rquotad
udp, 811, mountd
At this point, the ports will remain the same when NFS is restarted. The following is a list of ports which need to be opened on the firewall:
proto, port, tcp, 10004, mountd tcp, 10005, rquotad tcp, 111, portmapper tcp, 2049, nfs tcp, 32771, nlockmgr udp, 10004, mountd udp, 10005, rquotad udp, 111, portmapper udp, 2049, nfs udp, 32768, nlockmgr
You can now open these ports on the firewall to allow remote clients to mount a share on the server. If you are using iptables, the following commands can be used to add inbound/outbound rules to allow access to these ports.
This is an excerp of my /etc/sysconfig/iptables file. It allows NFS connections from IP address 192.168.0.10 but doesn’t restrict traffic out.
-A RH-Firewall-1-INPUT -s 192.168.0.10 -p tcp -m tcp --dport 111 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.0.10 -p udp -m udp --dport 111 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.0.10 -p tcp -m tcp --dport 2049 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.0.10 -p udp -m udp --dport 2049 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.0.10 -p tcp -m tcp --dport 10000 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.0.10 -p udp -m udp --dport 10001 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.0.10 -p tcp -m tcp --dport 10002:10005 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.0.10 -p udp -m udp --dport 10002:10005 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp -j LOG --log-prefix "Reject Traffic " --log-level 6 -A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp -j REJECT --reject-with icmp-port-unreachable
This post is a modified example of the solution from RedHat Knowledgebase Article ID 5928.
Tags: iptables, NFS, RedHat, rpcinfo
Posted by Hans-Henry Jakobsen
07 Dec 2007 Rotate logs manually
Today I had to manually rotate a couple of logs since they had generated a filesize of over 1.8GB of pure text.
This was done by issuing the command
logrotate /etc/syslog.d/file_to_be_rotated
In my case I had to rotate my firewall log /var/log/firewall described in a custom made file, /etc/logrotate.d/firewall
logrotate -v -f /etc/logrotate.d/firewall
-v Verbose logging
-f Force rotation of logs even if not needed
Tags: Fedora, logrotate, RedHat
Posted by Hans-Henry Jakobsen
26 Nov 2007 Query RPM database/packages and list their architecture
If you use the –queryformat argument with rpm it is possible to query RPMs for different architectures installed
# rpm -qa --queryformat %{NAME}-%{VERSION}-%{ARCH}\\n | grep dbus-glib | sort
Result
dbus-glib-0.22-12.EL.5-i386
dbus-glib-0.22-12.EL.5-x86_64
This can also be used in one of my previous posts: Remove duplicate packages when querying the rpm database.
Tags: Fedora, RedHat, rpm, sort
Posted by Hans-Henry Jakobsen
