CentOS _ Nix World



Archive for the ‘CentOS’ category

Linux Server Hardening Security Tips
May 9th, 2011


Securing your Linux server is important to protect your data, intellectual property, and time from the hands of crackers (hackers). The system administrator is responsible for securing the Linux box. In this first part of a Linux server security series, I will provide 20 hardening tips for a default installation of a Linux system.

#1: Encrypt Data Communication

All data transmitted over a network is open to monitoring. Encrypt transmitted data whenever possible with a password or using keys / certificates.

1. Use scp, ssh, rsync, or sftp for file transfer. You can also mount a remote server file system or your own home directory using the special sshfs and fuse tools.
2. GnuPG allows you to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories.
3. Fugu is a graphical frontend to the commandline Secure File Transfer application (SFTP). SFTP is similar to FTP, but unlike FTP, the entire session is encrypted, meaning no passwords are sent in cleartext form, and is thus much less vulnerable to third-party interception. Another option is FileZilla – a cross-platform client that supports FTP, FTP over SSL/TLS (FTPS), and SSH File Transfer Protocol (SFTP).
4. OpenVPN is a cost-effective, lightweight SSL VPN.
5. Lighttpd SSL (Secure Server Layer) Https Configuration And Installation
6. Apache SSL (Secure Server Layer) Https (mod_ssl) Configuration And Installation

#1.1: Avoid Using FTP, Telnet, And Rlogin / Rsh

Under most network configurations, user names, passwords, FTP / telnet / rsh commands and transferred files can be captured by anyone on the same network using a packet sniffer. The common solution to this problem is to use either OpenSSH, SFTP, or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP. Type the following command to delete NIS, rsh and other outdated services:

# yum erase inetd xinetd ypserv tftp-server telnet-server rsh-server

#2: Minimize Software to Minimize Vulnerability

Do you really need all sorts of web services installed? Avoid installing unnecessary software to avoid vulnerabilities in software. Use the RPM package manager such as yum, or apt-get and/or dpkg, to review the set of all installed software packages on a system. Delete all unwanted packages.

# yum list installed
# yum list packageName
# yum remove packageName

OR

# dpkg --list
# dpkg --info packageName
# apt-get remove packageName

#3: One Network Service Per System or VM Instance

Run different network services on separate servers or VM instances. This limits the number of other services that can be compromised. For example, if an attacker is able to successfully exploit a flaw in software such as Apache, he / she will get access to the entire server, including other services such as MySQL, the e-mail server and so on. See how to install virtualization software:


CentOS | Nix World http://onaxer.com/blog/blog/category/centos/

1 of 20 6/17/2011 11:17 AM


• Install and Setup XEN Virtualization Software on CentOS Linux 5
• How To Setup OpenVZ under RHEL / CentOS Linux

#4: Keep Linux Kernel and Software Up to Date

Applying security patches is an important part of maintaining a Linux server. Linux provides all the necessary tools to keep your system updated, and also allows for easy upgrades between versions. All security updates should be reviewed and applied as soon as possible. Again, use the RPM package manager such as yum and/or apt-get and/or dpkg to apply all security updates.

# yum update

OR

# apt-get update && apt-get upgrade

You can configure Red Hat / CentOS / Fedora Linux to send yum package update notifications via email. Another option is to apply all security updates via a cron job. Under Debian / Ubuntu Linux you can use apticron to send security notifications.

#5: Use Linux Security Extensions

Linux comes with various security patches which can be used to guard against misconfigured or compromised programs. If possible use SELinux and other Linux security extensions to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for the Linux kernel.

#5.1: SELinux

I strongly recommend using SELinux, which provides a flexible Mandatory Access Control (MAC). Under standard Linux Discretionary Access Control (DAC), an application or process running as a user (UID or SUID) has the user’s permissions to objects such as files, sockets, and other processes. Running a MAC kernel protects the system from malicious or flawed applications that can damage or destroy the system. See the official Red Hat documentation which explains SELinux configuration.

#6: User Accounts and Strong Password Policy

Use the useradd / usermod commands to create and maintain user accounts. Make sure you have a good and strong password policy. For example, a good password is at least 8 characters long and is a mixture of letters, numbers, special characters, upper & lower case etc. Most important, pick a password you can remember. Use tools such as “John the Ripper” to find weak user passwords on your server. Configure pam_cracklib.so to enforce the password policy.

#6.1: Password Aging

The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password. The /etc/login.defs file defines the site-specific configuration for the shadow password suite, including the password aging configuration. To disable password aging, enter:

chage -M 99999 userName

To get password expiration information, enter:

chage -l userName

Finally, you can also edit the /etc/shadow file in the following fields:

{userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:

Where,

1. Minimum_days: The minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password.
2. Maximum_days: The maximum number of days the password is valid (after that the user is forced to change his/her password).
3. Warn: The number of days before the password is to expire that the user is warned that his/her password must be changed.
4. Expire: Days since Jan 1, 1970 that the account is disabled, i.e. an absolute date specifying when the login may no longer be used.

I recommend the chage command instead of editing /etc/shadow by hand:

# chage -M 60 -m 7 -W 7 userName

Recommended readings:

• Linux: Force Users To Change Their Passwords Upon First Login
• Linux turn On / Off password expiration / aging
• Lock the user password
• Search for all accounts without a password and lock them
• Use Linux groups to enhance security

#6.2: Restricting Use of Previous Passwords


You can prevent all users from using or reusing the same old passwords under Linux. The pam_unix module parameter remember can be used to configure the number of previous passwords that cannot be reused.

#6.3: Locking User Accounts After Login Failures

Under Linux you can use the faillog command to display faillog records or to set login failure limits. faillog formats the contents of the failure log from the /var/log/faillog database / log file. It can also be used to maintain failure counters and limits. To see failed login attempts, enter:

faillog

To unlock an account after login failures, run:

faillog -r -u userName

Note you can use the passwd command to lock and unlock accounts:

# lock account
passwd -l userName
# unlock account
passwd -u userName

#6.4: How Do I Verify No Accounts Have Empty Passwords?

Type the following command:

# awk -F: '($2 == "") {print}' /etc/shadow

Lock all empty password accounts:

# passwd -l accountName

#6.5: Make Sure No Non-Root Accounts Have UID Set To 0

Only the root account should have UID 0, with full permissions to access the system. Type the following command to display all accounts with UID set to 0:

# awk -F: '($3 == "0") {print}' /etc/passwd

You should only see one line as follows:

root:x:0:0:root:/root:/bin/bash

If you see other lines, delete them or make sure the other accounts are authorized by you to use UID 0.
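As an added example (not from the original post), the following shell functions run the three account checks from #6.1, #6.4 and #6.5 over constructed passwd/shadow-style text instead of the live files, so the logic can be exercised safely; pass the contents of /etc/passwd and /etc/shadow (as root) to audit a real host. The account names, hashes and the reference day are invented, as is the rule that a Maximum_days of 99999 or more counts as "aging disabled".

```shell
#!/bin/sh
# Added example, not part of the original post. Audits passwd/shadow-format
# text for: empty password fields (#6.4), non-root accounts with UID 0 (#6.5),
# and password aging that is disabled or already expired (#6.1).
# All account names, hashes and dates below are constructed sample data.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
backdoor:x:0:0::/root:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash'

# Shadow fields: name:password:lastchanged:min:max:warn:inactive:expire:
# "lastchanged" counts days since 1970-01-01; day 15000 is 2011-01-26.
SAMPLE_SHADOW='root:$6$saltsalt$hashhash:15000:7:60:7:::
bin:*:15000:0:99999:7:::
alice::15000:0:99999:7:::
backdoor:$6$saltsalt$hashhash:15000:0:99999:7:::
bob:$6$saltsalt$hashhash:14900:7:60:7:::'

# #6.4: accounts whose password field is empty.
empty_password_accounts() {
  printf '%s\n' "$1" | awk -F: '$2 == "" {print $1}'
}

# #6.5: accounts with UID 0 that are not root.
nonroot_uid0_accounts() {
  printf '%s\n' "$1" | awk -F: '$3 == "0" && $1 != "root" {print $1}'
}

# #6.1: accounts whose password never expires (Maximum_days of 99999 or more).
# Locked accounts (password field starting with * or !) cannot log in anyway
# and are skipped.
aging_disabled_accounts() {
  printf '%s\n' "$1" | awk -F: '$5 >= 99999 && $2 !~ /^[*!]/ {print $1}'
}

# #6.1: accounts whose password expired before day $2 (days since epoch):
# lastchanged + Maximum_days < today.
expired_password_accounts() {
  printf '%s\n' "$1" | awk -F: -v today="$2" \
    '$5 < 99999 && $3 + $5 < today && $2 !~ /^[*!]/ {print $1}'
}

# Human-readable report; $3 is the reference day for the expiry check.
account_audit_report() {
  echo "empty password:   $(empty_password_accounts "$2" | tr '\n' ' ')"
  echo "non-root UID 0:   $(nonroot_uid0_accounts "$1" | tr '\n' ' ')"
  echo "aging disabled:   $(aging_disabled_accounts "$2" | tr '\n' ' ')"
  echo "password expired: $(expired_password_accounts "$2" "$3" | tr '\n' ' ')"
}

account_audit_report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" 15000
```

On a real host the reference day is `$(( $(date +%s) / 86400 ))`; anything the report lists should be locked with passwd -l or given a sane chage policy, as the post describes.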

#7: Disable root Login

Never ever log in as the root user. You should use sudo to execute root level commands as and when required. sudo greatly enhances the security of the system without sharing the root password with other users and admins. sudo provides simple auditing and tracking features too.

#8: Physical Server Security

You must protect the Linux server’s physical console access. Configure the BIOS and disable booting from external devices such as DVDs / CDs / USB pens. Set BIOS and grub boot loader passwords to protect these settings. All production boxes must be locked in IDCs (Internet Data Centers) and all persons must pass some sort of security checks before accessing your server. See also:

• 9 Tips To Protect Linux Servers Physical Console Access.

#9: Disable Unwanted Services

Disable all unnecessary services and daemons (services that run in the background). You need to remove all unwanted services from the system start-up. Type the following command to list all services which are started at boot time in run level 3:

# chkconfig --list | grep '3:on'

To disable a service, enter:

# service serviceName stop
# chkconfig serviceName off

#9.1: Find Listening Network Ports

Use the following command to list all open ports and associated programs:

netstat -tulpn

OR

nmap -sT -O localhost
nmap -sT -O server.example.com

Use iptables to close open ports or stop all unwanted network services using the above service and chkconfig commands.

#9.2: See Also

• update-rc.d like command on Redhat Enterprise / CentOS Linux.


• Ubuntu / Debian Linux: Services Configuration Tool to Start / Stop System Services.
• Get Detailed Information About Particular IP address Connections Using netstat Command.

#10: Delete X Windows

X Windows on a server is not required. There is no reason to run X Windows on your dedicated mail and Apache web server. You can disable and remove X Windows to improve server security and performance. Edit /etc/inittab and set the run level to 3. Finally, to remove the X Windows system, enter:

# yum groupremove "X Window System"

#11: Configure Iptables and TCPWrappers

Iptables is a user space application program that allows you to configure the firewall (Netfilter) provided by the Linux kernel. Use the firewall to filter out traffic and allow only necessary traffic. Also use TCPWrappers, a host-based networking ACL system, to filter network access to the Internet. You can prevent many denial of service attacks with the help of Iptables:

• Lighttpd Traffic Shaping: Throttle Connections Per Single IP (Rate Limit).
• How to: Linux Iptables block common attack.
• psad: Linux Detect And Block Port Scan Attacks In Real Time.

#12: Linux Kernel /etc/sysctl.conf Hardening

The /etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies settings from /etc/sysctl.conf at boot time. Sample /etc/sysctl.conf:

# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1
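The settings above only help if they actually end up in the file and stay there. As an added example (not from the original post), the shell functions below read a sysctl.conf-style text, normalise comments and whitespace the way sysctl does, and report each baseline key that is missing or set to a different value; on a real host run `sysctl_drift "$(cat /etc/sysctl.conf)" "$SYSCTL_BASELINE"`. The sample configuration, which gets two settings wrong and omits one, is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: detect drift between a
# sysctl.conf-style file and the hardening baseline shown above.

# The baseline from the post, one key=value per line.
SYSCTL_BASELINE='kernel.exec-shield=1
kernel.randomize_va_space=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
net.ipv4.conf.all.log_martians=1'

# Constructed sample: ASLR is off, source routing is on, martian logging absent.
SAMPLE_SYSCTL_CONF='# Kernel sysctl configuration (constructed sample)
kernel.exec-shield = 1
kernel.randomize_va_space = 0   ; ASLR disabled here
net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.all.accept_source_route = 1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages = 1'

# Reduce a sysctl.conf text to bare key=value lines: strip # and ; comments,
# surrounding whitespace and the spaces around '='; drop empty lines.
normalize_sysctl() {
  printf '%s\n' "$1" | sed -e 's/[#;].*$//' \
                            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                            -e 's/[[:space:]]*=[[:space:]]*/=/' | grep -v '^$'
}

# Value of key $2 in normalized config $1 (the last occurrence wins, as with
# sysctl itself); prints nothing if the key is absent.
sysctl_value() {
  printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k {v = $2} END {print v}'
}

# One line per baseline entry that is missing or differs:
#   <key> expected=<baseline> actual=<value or <missing>>
sysctl_drift() {
  conf=$(normalize_sysctl "$1")
  printf '%s\n' "$2" | while IFS='=' read -r key want; do
    have=$(sysctl_value "$conf" "$key")
    if [ -z "$have" ]; then
      echo "$key expected=$want actual=<missing>"
    elif [ "$have" != "$want" ]; then
      echo "$key expected=$want actual=$have"
    fi
  done
}

# Number of drifting keys, usable as a pass/fail signal (0 means compliant).
sysctl_drift_count() {
  sysctl_drift "$1" "$2" | grep -c .
}

sysctl_drift "$SAMPLE_SYSCTL_CONF" "$SYSCTL_BASELINE"
```

Checking the file catches what will be applied at the next boot; comparing the same baseline against `sysctl -a` output catches values changed at runtime, which this file-based check cannot see.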

#13: Separate Disk Partitions

Separation of the operating system files from user files may result in a better and more secure system. Make sure the following filesystems are mounted on separate partitions:

• /usr
• /home
• /var and /var/tmp
• /tmp

Create separate partitions for the Apache and FTP server roots. Edit the /etc/fstab file and make sure you add the following configuration options:

1. noexec – Do not set execution of any binaries on this partition (prevents execution of binaries but allows scripts).
2. nodev – Do not allow character or special devices on this partition (prevents use of device files such as zero, sda etc).
3. nosuid – Do not set SUID/SGID access on this partition (prevent the setuid bit).

Sample /etc/fstab entry to limit user access on /dev/sda5 (ftp server root directory):

/dev/sda5 /ftpdata ext3 defaults,nosuid,nodev,noexec 1 2
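As an added example (not the post’s own code), the shell functions below check a constructed /etc/fstab against the mount-option rules just listed and report, per mount point, which of noexec, nodev and nosuid are missing; `fstab_report "$(cat /etc/fstab)"` runs the same check on a real host. The sample fstab (where /tmp lacks noexec and /var has no partition of its own) and the per-mount-point requirement table in fstab_report are this example’s own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the partitions the
# post singles out carry the noexec/nodev/nosuid options in /etc/fstab.
# The fstab below is a constructed sample.

SAMPLE_FSTAB='# device   mount    type  options                      dump pass
/dev/sda1  /        ext3  defaults                     1 1
/dev/sda2  /home    ext3  defaults,nodev,nosuid        1 2
/dev/sda3  /tmp     ext3  defaults,nodev,nosuid        1 2
/dev/sda5  /ftpdata ext3  defaults,nosuid,nodev,noexec 1 2
tmpfs      /dev/shm tmpfs defaults                     0 0'

# Mount options recorded for mount point $2 in fstab text $1 (empty if none).
fstab_options() {
  printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp {print $4}'
}

# Required options ($3, space separated) that mount point $2 lacks, one per
# line; prints "<not in fstab>" when the mount point has no entry at all.
missing_mount_options() {
  opts=$(fstab_options "$1" "$2")
  if [ -z "$opts" ]; then
    echo "<not in fstab>"
    return 0
  fi
  for want in $3; do
    printf '%s\n' "$opts" | tr ',' '\n' | grep -qx "$want" || echo "$want"
  done
}

# Report for the mount points the post says belong on their own partition.
# The requirement table is an assumption of this example: directories that
# hold untrusted data get all three options, /home and /var keep exec (users
# and packages may need to run scripts there), /usr only forbids device nodes.
fstab_report() {
  for mp in /usr /home /var /var/tmp /tmp /ftpdata; do
    case $mp in
      /usr)       need="nodev" ;;
      /home|/var) need="nodev nosuid" ;;
      *)          need="nodev nosuid noexec" ;;
    esac
    missing=$(missing_mount_options "$1" "$mp" "$need" | tr '\n' ' ')
    printf '%-9s %s\n' "$mp" "${missing:-ok}"
  done
}

fstab_report "$SAMPLE_FSTAB"
```

A "<not in fstab>" result means the directory lives on the parent filesystem, usually /, and inherits its (unrestricted) options; that is exactly the case the post’s separate-partition advice is meant to remove.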

#13.1: Disk Quotas

Make sure disk quota is enabled for all users. To implement disk quotas, use the following steps:

1. Enable quotas per file system by modifying the /etc/fstab file.
2. Remount the file system(s).
3. Create the quota database files and generate the disk usage table.
4. Assign quota policies.
5. See the implementing disk quotas tutorial for further details.


#14: Turn Off IPv6

Internet Protocol version 6 (IPv6) provides a new Internet layer of the TCP/IP protocol suite that replaces Internet Protocol version 4 (IPv4) and provides many benefits. Currently there are no good tools out which are able to check a system over the network for IPv6 security issues. Most Linux distros began enabling the IPv6 protocol by default. Crackers can send bad traffic via IPv6 as most admins are not monitoring it. Unless the network configuration requires it, disable IPv6 or configure the Linux IPv6 firewall:

• RedHat / Centos Disable IPv6 Networking.
• Debian / Ubuntu And Other Linux Distros Disable IPv6 Networking.
• Linux IPv6 Howto – Chapter 19. Security.
• Linux IPv6 Firewall configuration and scripts are available here.

#15: Disable Unwanted SUID and SGID Binaries

Any file with the SUID/SGID bits enabled can be misused when the SUID/SGID executable has a security problem or bug. Any local or remote user can use such a file. It is a good idea to find all such files. Use the find command as follows (current GNU find spells the "any of these bits" test as -perm /mode; the older -perm +mode form is no longer accepted by recent releases):

# See all set user id files:
find / -perm /4000
# See all set group id files:
find / -perm /2000
# Or combine both in a single command
find / \( -perm -4000 -o -perm -2000 \) -print
# -path needs a directory to skip; /proc is the usual choice
find / -path /proc -prune -o -type f -perm /6000 -ls

You need to investigate each reported file. See reported file man page for further details.

#15.1: World-Writable Files

Anyone can modify a world-writable file, resulting in a security issue. Use the following command to find all world-writable directories that do not have the sticky bit set:

find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

You need to investigate each reported file and either set correct user and group permissions or remove it.

#15.2: No-owner Files

Files not owned by any user or group can pose a security problem. Just find them with the following command, which lists files that do not belong to a valid user and a valid group:

find /dir -xdev \( -nouser -o -nogroup \) -print

You need to investigate each reported file and either assign it to an appropriate user and group or remove it.
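To show what the find expressions in #15 and #15.1 actually match, here is an added example (not from the original post) that builds a throwaway directory tree containing SUID, SGID and world-writable entries and runs the two searches over it. The portable `-perm -4000 -o -perm -2000` form stands in for `-perm /6000`; the tree layout and file names are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: exercise the SUID/SGID and
# world-writable searches from #15 and #15.1 on a constructed directory tree
# instead of /, so the expressions can be checked before running them on a host.

# Create a temporary tree with the permission problems the post looks for.
# Prints the tree's root directory.
make_sample_tree() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/bin" "$root/shared" "$root/tmp"
  : > "$root/bin/setuid-tool"; chmod 4755 "$root/bin/setuid-tool"   # SUID
  : > "$root/bin/setgid-tool"; chmod 2755 "$root/bin/setgid-tool"   # SGID
  : > "$root/bin/both";        chmod 6755 "$root/bin/both"          # SUID+SGID
  : > "$root/bin/plain";       chmod 0755 "$root/bin/plain"         # neither
  chmod 0777 "$root/shared"   # world-writable without sticky bit: reported
  chmod 1777 "$root/tmp"      # world-writable with sticky bit: acceptable
  echo "$root"
}

# Regular files under $1 with the SUID or SGID bit set (#15). "-perm -4000"
# means "at least these bits", so the -o combination is the portable
# equivalent of GNU find's "-perm /6000" (formerly "-perm +6000").
find_suid_sgid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Directories under $1 that are world-writable and lack the sticky bit (#15.1):
# anyone could rename or delete other users' files in them.
find_world_writable_dirs() {
  find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print | sort
}

# Demonstration run; remove the tree afterwards.
tree=$(make_sample_tree)
echo "SUID/SGID files:";           find_suid_sgid "$tree"
echo "world-writable, no sticky:"; find_world_writable_dirs "$tree"
rm -rf "$tree"
```

Note that bin/plain is not reported even though it is executable, and tmp is not reported because its sticky bit is set: the expressions test bits, not names, which is why the post asks you to review every hit rather than act on it blindly.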

#16: Use A Centralized Authentication Service

Without a centralized authentication system, user auth data becomes inconsistent, which may lead to out-of-date credentials and forgotten accounts which should have been deleted in the first place. A centralized authentication service allows you to maintain central control over Linux / UNIX account and authentication data. You can keep auth data synchronized between servers. Do not use the NIS service for centralized authentication. Use OpenLDAP for clients and servers.

#16.1: Kerberos

Kerberos performs authentication as a trusted third party authentication service by using cryptographic shared secrets, under the assumption that packets traveling along the insecure network can be read, modified, and inserted. Kerberos builds on symmetric-key cryptography and requires a key distribution center. You can make remote login, remote copy, secure inter-system file copying and other high-risk tasks safer and more controllable using Kerberos. So, when users authenticate to network services using Kerberos, unauthorized users attempting to gather passwords by monitoring network traffic are effectively thwarted. See how to setup and use Kerberos.

#17: Logging and Auditing

You need to configure logging and auditing to collect all hacking and cracking attempts. By default syslog stores data in the /var/log/ directory. This is also useful to find out software misconfigurations which may open your system to various attacks. See the following logging related articles:

1. Linux log file locations.
2. How to send logs to a remote loghost.
3. How do I rotate log files?
4. man pages syslogd, syslog.conf and logrotate.

For more on administering the Kerberos database click here [http://onaxer.com/blog/blog/2011/04/03/administering-the-kerberos-database/]

#17.1: Monitor Suspicious Log Messages With Logwatch / Logcheck

Read your logs using logwatch or logcheck. These tools make your log reading life easier. You get detailed reporting on unusual items in syslog via email. A sample syslog report:

################### Logwatch 7.3 (03/24/06) ####################
Processing Initiated: Fri Oct 30 04:02:03 2009
Date Range Processed: yesterday
( 2009-Oct-29 )
Period is day.
Detail Level of Output: 0
Type of Output: unformatted
Logfiles for Host: www-52.nixcraft.net.in
##################################################################

——————— Named Begin ————————

**Unmatched Entries**
general: info: zone XXXXXX.com/IN: Transfer started.: 3 Time(s)
general: info: zone XXXXXX.com/IN: refresh: retry limit for master ttttttttttttttttttt#53 exceeded (source ::#0): 3 Time(s)
general: info: zone XXXXXX.com/IN: Transfer started.: 4 Time(s)
general: info: zone XXXXXX.com/IN: refresh: retry limit for master ttttttttttttttttttt#53 exceeded (source ::#0): 4 Time(s)

———————- Named End ————————-

——————— iptables firewall Begin ————————

Logged 87 packets on interface eth0
From 58.y.xxx.ww – 1 packet to tcp(8080)
From 59.www.zzz.yyy – 1 packet to tcp(22)
From 60.32.nnn.yyy – 2 packets to tcp(45633)
From 222.xxx.ttt.zz – 5 packets to tcp(8000,8080,8800)

———————- iptables firewall End ————————-

——————— SSHD Begin ————————

Users logging in through sshd:
root:
123.xxx.ttt.zzz: 6 times

———————- SSHD End ————————-

——————— Disk Space Begin ————————

Filesystem Size Used Avail Use% Mounted on
/dev/sda3 450G 185G 241G 44% /
/dev/sda1 99M 35M 60M 37% /boot

———————- Disk Space End ————————-

###################### Logwatch End #########################

(Note output is truncated)

#17.2: System Accounting with auditd

auditd is provided for system auditing. It is responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open the /etc/audit.rules file and make changes such as setting up the audit file log location and other options. With auditd you can answer the following questions:

1. System startup and shutdown events (reboot / halt).
2. Date and time of the event.
3. User responsible for the event (such as trying to access /path/to/topsecret.dat file).
4. Type of event (edit, access, delete, write, update file & commands).
5. Success or failure of the event.
6. Records events that modify date and time.
7. Find out who made changes to modify the system’s network settings.
8. Record events that modify user/group information.
9. See who made changes to a file etc.

See our quick tutorial which explains enabling and using the auditd service.

#18: Secure OpenSSH Server

The SSH protocol is recommended for remote login and remote file transfer. However, ssh is open to many attacks. See how to secure the OpenSSH server:

• Top 20 OpenSSH Server Best Security Practices.

#19: Install And Use Intrusion Detection System

A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.

It is a good practice to deploy any integrity checking software before the system goes online in a production environment. If possible install the AIDE software before the system is connected to any network. AIDE is a host-based intrusion detection system (HIDS); it can monitor and analyse the internals of a computing system.

Snort is a software for intrusion detection which is capable of performing packet logging and real-time traffic analysis on IP networks.

#20: Protecting Files, Directories and Email

Linux offers excellent protections against unauthorized data access. File permissions and MAC prevent unauthorized users from accessing data. However, permissions set by Linux are irrelevant if an attacker has physical access to a computer and can simply move the computer’s hard drive to another system to copy and analyze the sensitive data. You can easily protect files and partitions under Linux using the following tools:

• To encrypt and decrypt files with a password, use the gpg command.
• Linux or UNIX password protect files with openssl and other tools.
• See how to encrypt directories with ecryptfs.
• TrueCrypt is free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X and Linux.
• Howto: Disk and partition encryption in Linux for mobile devices.
• How to setup encrypted Swap on Linux.

Posted in CentOS, Linux, Security
Tags: Linux Security Tips, Linux Server Hardening Security Tips, Security Tips in linux

How to round a number in a bash script
April 26th, 2011


In a shell script – How do I round a decimal number (contained in a variable) to the nearest whole number?

var=2.5
echo $var | awk '{print int($1+0.5)}'

Output is 2
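awk’s int() truncates toward zero, so int(x+0.5) rounds non-negative values to the nearest whole number but goes wrong for negatives (int(-2.4+0.5) is -1). As an added example, not from the original post, the function below keeps the same awk approach and extends it to either sign; it also works on a whole column of numbers, one per line.

```shell
#!/bin/sh
# Added example, not part of the original post: round a decimal to the nearest
# whole number with awk, handling negative input (halves round away from zero).

# Rounds every line of its argument; pass a single value or a column of values.
round_nearest() {
  # int() truncates toward zero, so mirror the +0.5 trick for negative values.
  # "0 - int(...)" rather than "-int(...)" avoids awk printing "-0".
  printf '%s\n' "$1" | awk '{
    x = $1 + 0
    r = (x < 0) ? 0 - int(0.5 - x) : int(x + 0.5)
    print r
  }'
}

var=2.5
echo "$var rounds to $(round_nearest "$var")"
round_nearest '3.49
-2.5
-0.4'
```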

Posted in CentOS, Linux
Tags: How round a number in bash script, round a number in bash script

Self-signed certificate in Glassfish Web Server
April 14th, 2011


Use keytool to generate, import, and export certificates. By default, keytool creates a keystore file in the directory where it is run. You can find the keytool utility under the bin directory of the Java folder.

Note: When you install Glassfish, it creates a default self-signed certificate (for localhost) as the server certificate.

Delete existing certificate:

Delete the default self-signed certificate by issuing the following command.

keytool -delete -alias s1as -keystore keystore.jks -storepass <store_passwd>

Generate self-signed certificate

Step 1: Type the following command to create a new certificate:

keytool -genkey -alias test

Fill all the information to create the certificate.

Enter keystore password: p@ssw0rd!
What is your first and last name?
[Unknown]: Chandra
What is the name of your organizational unit?
[Unknown]: CompanyName
What is the name of your organization?
[Unknown]: CompanyName
What is the name of your City or Locality?
[Unknown]: Gurgaon
What is the name of your State or Province?
[Unknown]: HR
What is the two-letter country code for this unit?
[Unknown]: IN
Is <CN=Chandra, OU=, O=CompanyName, L=Gurgaon, ST=HR, C=IN> correct?
[no]: yes

Import certificate

A certificate can be imported into a keystore using keytool. Type the following command to import the certificate, where <store_passwd> is your keystore password:

keytool -storepass <store_passwd> -alias test -import -file test.cer

Generate expired certificate

Steps:

The default validity is 7 days and cannot be set to 0 days. You need to specify at least 1 day to create the certificate.

keytool -genkey -alias test -validity 1

Generate certificate without trusted root

Steps:

Follow the first step.

Generate certificate with invalid CN

Steps:

Follow the first step and give whatever invalid CN you want to keep when the keytool utility asks for it during creation of the certificate.

Note: To change the location of the certificate files, use the admin console. Always generate the certificate in the directory containing the keystore and truststore files, by default domain-dir/config.

Open the Glassfish admin console in the web browser.


Log in to the Glassfish admin console (http://localhost:4848). Default user ID and password: admin and adminadmin.

a) In the Admin Console tree, select the Application Server node.

b) Select JVM Settings.

c) Click the JVM Options tab.

d) On the JVM Options page, add or modify the following values in the Value field to reflect the new location of the certificate files:

-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/path/ks-name
-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/path/ts-name

e) Where ks-name is the keystore file name and ts-name is the trust store file name.

f) Click Save.

g) Restart the Application Server if Restart Required displays in the console.

Install certificate in GlassFish server

Here are the instructions for enabling GlassFish v2 as an SSL server when the application server is configured with the developer profile.

1. Delete the default self-signed certificate by issuing the following command (note that the commands in this and subsequent steps are shown on multiple lines for formatting purposes):

keytool -delete -alias s1as -keystore keystore.jks -storepass <store_passwd>

where <store_passwd> is the password for the keystore, for example, “mypass”. Note that s1as is the default alias of the GlassFish v2 keystore.

2. Generate a new key pair for the application server by issuing the following command:

keytool -genkeypair -keyalg <key_alg> -keystore keystore.jks -validity <val_days> -alias s1as

where <key_alg> is the algorithm to be used for generating the key pair, for example RSA, and <val_days> is the number of days that the certificate should be considered valid, for example, 365.

Note that in addition to generating a key pair, the command wraps the public key into a self-signed certificate and stores the certificate and the private key in a new keystore entry identified by the alias.

It’s important to ensure that the name of the certificate matches the fully-qualified hostname of your site. If the names don’t match, clients connecting to the server will see a security alert stating that the name of the certificate does not match the name of the site. You should notice that the name of the default self-signed certificate matches the fully-qualified hostname.

3. Generate a Certificate Signing Request (CSR) by issuing the following command:

keytool -certreq -alias s1as -file <certreq_file> -keystore keystore.jks -storepass <store_passwd>

where <certreq_file> is the file in which the CSR is stored, for example, s1as.csr, and <store_passwd> is the password for the keystore, for example, changeit.

4. Import the certificate obtained in reply to the CSR by issuing the following command:

keytool -import -v -alias s1as -file s1as.cert -keystore keystore.jks -storepass <store_passwd>

When you import the certificate using the same original alias “s1as”, keytool treats it as a command to replace the original certificate with the certificate obtained as reply to a CSR.

s1as (self-signed):

Owner: CN=chandra, OU=CompanyName, O=CompanyNamr, L=Gurgaon, ST=Haryana, C=IN
Issuer: CN=Chandra, OU=CompanyName, O=CompanyName, L=Gurgaon, ST=Haryana, C=IN
Serial number: 472acd34
Valid from:

Posted in CentOS, Linux, Web Servers
Tags: Glassfish, Glassfish Web Server, self-signed certificate in Glassfish Web Server


Administering the Kerberos Database
April 3rd, 2011


Configuring a Kerberos 5 Server

To configure a basic Kerberos server, follow these steps:

1. Be sure that you have clock synchronization and DNS working on your server before configuring Kerberos 5. Pay particular attention to time synchronization between the Kerberos server and its various clients. If the server and client clocks differ by more than five minutes (this default amount is configurable in Kerberos 5), Kerberos clients will not be able to authenticate to the server. This clock synchronization is necessary to prevent an attacker from using an old Kerberos ticket to masquerade as a valid user.

You should set up a Network Time Protocol (NTP) compatible client/server network even if you are not using Kerberos. Red Hat Linux includes the ntp package for easy installation. See /usr/share/doc/ntp-<version-number>/index.htm for details on setting up Network Time Protocol servers and http://www.ntp.org/ for additional information on NTP.

2. Install the krb5-libs, krb5-server, and krb5-workstation packages on the dedicated machine which will run the KDC. This machine needs tobe very secure — if possible, it should not run any services other than the KDC (Kerberos Server/Key distribution Center).

#yum install krb5-libs krb5-server krb5-workstation

If you would like to use a graphical user interface utility to administrate Kerberos, you should also install the gnome-kerberos package. Itcontains krb5, a GUI tool for managing tickets.

3. Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect your realm name and domain-to-realm mappings. Asimple realm can be constructed by replacing instances of EXAMPLE.COM and example.com with your domain name — being certain to keepuppercase and lowercase names in the correct format — and by changing the KDC from kerberos.example.com to the name of your Kerberosserver. By convention, all realm names are uppercase and all DNS hostnames and domain names are lowercase. For full details on the formats ofthese files, see their respective man pages

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = manoj.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 manoj.COM = {
  kdc = manoj.com:88
  admin_server = manoj.com:749
  default_domain = manoj.com
 }

[domain_realm]
 .manoj.com = manoj.COM
 manoj.com = manoj.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

4. Create the database using the kdb5_util utility from a shell prompt:

/usr/kerberos/sbin/kdb5_util create -s

5. The create command creates the database that will be used to store keys for your Kerberos realm. The -s switch forces creation of a stash file in which the master server key is stored. If no stash file is present from which to read the key, the Kerberos server (krb5kdc) will prompt the user for the master server password (which can be used to regenerate the key) every time it starts.

6. Edit the /var/kerberos/krb5kdc/kadm5.acl file. This file is used by kadmind to determine which principals have administrative access to the Kerberos database and their level of access. Most organizations will be able to get by with a single line:

*/admin@EXAMPLE.COM *

Replace EXAMPLE.COM with your own realm name, manoj.COM in the configuration above.

Most users will be represented in the database by a single principal (with a NULL, or empty, instance, such as joe@EXAMPLE.COM). With this configuration, users with a second principal with an instance of admin (for example, joe/admin@EXAMPLE.COM) will be able to wield full power over the realm’s Kerberos database. Once kadmind is started on the server, any user will be able to access its services by running kadmin on any of the clients or servers in the realm. However, only users listed in the kadm5.acl file will be able to modify the database in any way, except for changing their own passwords.

Note:

The kadmin utility communicates with the kadmind server over the network, and they use Kerberos to handle authentication. Of course, you need to create the first principal before you can connect to the server over the network to administer it. Create the first principal with the kadmin.local command, which is specifically designed to be used on the same host as the KDC and does not use Kerberos for authentication.

7. Type the following kadmin.local command at the KDC terminal to create the first principal:

# /usr/kerberos/sbin/kadmin.local -q "addprinc username/admin"

8. Start Kerberos using the following commands:

/sbin/service krb5kdc start
/sbin/service kadmin start
/sbin/service krb524 start
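The case conventions in step 3 are easy to get wrong, and a mismatch only shows up later as failed authentications (the sample krb5.conf above, with its mixed-case realm manoj.COM, would be flagged by a strict check). What follows is an added example, not part of the original post, of a small bash checker that reads a krb5.conf section by section and reports a default_realm that is not uppercase, a default_realm with no block under [realms], or a kdc/admin_server host that is not lowercase. The function names (krb_get, check_krb5_conf, write_sample_conf) are mine, it needs only awk, sed, tr and cut, and the configuration it writes for the demonstration is constructed in the shape of step 3.

```shell
#!/bin/bash
# Added example (not from the original post): check a krb5.conf against the
# conventions from step 3: realm uppercase, KDC/admin_server hostnames lowercase,
# and default_realm actually defined under [realms]. Needs only awk, sed, tr, cut.

# krb_get FILE SECTION KEY -> value of the first KEY inside [SECTION]
# (section-aware, because "kdc" and "admin_server" also appear under [logging])
krb_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s); cur = s; next }
        cur == sec {
            line = $0; sub(/^[[:space:]]*/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); sub(/[[:space:]]+$/, "", k)
            if (k == key) { v = substr(line, n + 1); sub(/^[[:space:]]+/, "", v); print v; exit }
        }' "$1"
}

# check_krb5_conf FILE -> prints findings; exit status = number of problems (0 = clean)
check_krb5_conf() {
    local file="$1" problems=0 realm key host
    realm=$(krb_get "$file" libdefaults default_realm)
    if [ -z "$realm" ]; then
        echo "FAIL: no default_realm in [libdefaults]"
        return 1
    fi
    if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "FAIL: realm '$realm' is not all uppercase"
        problems=$((problems + 1))
    fi
    if [ "$(krb_get "$file" realms "$realm")" != "{" ]; then
        echo "FAIL: realm '$realm' has no block under [realms]"
        problems=$((problems + 1))
    fi
    for key in kdc admin_server; do
        host=$(krb_get "$file" realms "$key" | cut -d: -f1)   # drop the :port suffix
        if [ -z "$host" ]; then
            echo "FAIL: $key is not set under [realms]"
            problems=$((problems + 1))
        elif [ "$host" != "$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')" ]; then
            echo "FAIL: $key host '$host' is not all lowercase"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] && echo "OK: $file follows the realm/hostname conventions"
    return "$problems"
}

# write_sample_conf FILE REALM KDCHOST: constructed sample in the shape of step 3
write_sample_conf() {
    cat > "$1" <<EOF
[logging]
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $2
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 $2 = {
  kdc = $3:88
  admin_server = $3:749
  default_domain = $3
 }
EOF
}

# Usage: ./check_krb5.sh /etc/krb5.conf
if [ -n "${1-}" ]; then
    check_krb5_conf "$1"
fi
```

Run against the post's own values (write_sample_conf x manoj.COM manoj.com) the checker returns 1 and reports the realm; with EXAMPLE.COM and kerberos.example.com it returns 0. The section-aware lookup matters because the same keys appear under [logging] with log-file values, which a plain grep would pick up first.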

[http://onaxer.com/blog/wp-content/uploads/2011/04/kerberos.jpg]


kadmind

The kadmind command starts the administrative server. This administrative server runs on the Kerberos server that stores the Kerberos principal database and the policy database. kadmind accepts password change requests and remote requests to administer the information in these databases.

kadmind requires the following configuration files to be set for it to work:

kdc.conf

The KDC configuration file contains configuration information for the KDC and the KADM5 system.

keytab

kadmind requires a keytab containing the keys for the kadmin/admin and kadmin/changepw principals for every realm that kadmind will answer requests for. This admin keytab can be created with kadmin.local. The location of the keytab is determined by the admin_keytab configuration variable in the kdc.conf file.

ACL file

kadmind’s access control list (ACL) restricts which principals are allowed to perform administration actions. The path of the ACL file is specified via the acl_file configuration variable in the kdc.conf file.

kadmin and kadmin.local

These utilities provide a unified administration interface for the Kerberos database. Kerberos administrators use these utilities to create new users and services for the master database, and to modify information for the existing database entries.

Both utilities provide for maintenance of Kerberos principals, policies, and service key tables (keytabs). They exist as both a Kerberos client, ‘kadmin’, and a local client, ‘kadmin.local’.

The kadmin utility uses Kerberos authentication and a Remote Procedure Call (RPC) to operate securely from anywhere on the network.

‘kadmin.local’ is intended to run directly on the KDC without any Kerberos authentication. Normal UNIX users cannot execute this command. Executing the kadmin.local command will display the kadmin.local prompt only if you are the root user.

Getting the kadmin to work

kadmin allows you to administer the Kerberos database remotely (and securely). If you just run kadmin, you may obtain an error message as shown below:

kadmin: Client not found in Kerberos database while initializing kadmin interface

To be able to use the kadmin interface, you need to register yourself as a database administrator.

Adding users to the Kerberos database

/usr/kerberos/sbin/kadmin.local -q "addprinc manoj/admin"

On the KDC machine, in kadmin.local, you can add the administrator role:

kadmin.local: addprinc jar/admin
Enter password for principal "jar/admin@manoj.COM": <your_password>
Re-enter password for principal "jar/admin@manoj.COM": <your_password>
Principal "jar/admin@manoj.COM" created
kadmin.local: quit

Now you can access kadmin on the Kerberos server. For example:

/usr/kerberos/sbin/kadmin -p jar/admin
Password for jar/admin@manoj.COM:

On the client side:

/usr/kerberos/bin/kinit -p manoj/admin
Password for manoj/admin@manoj.COM:

Posted in CentOS, Linux, Security. Tags: Administering the Kerberos Database Kerberos Database Kerberos DB

Disk i/o & Performance Tuning Benchmarking Tool
March 25th, 2011

Dstat is a flexible replacement for vmstat, iostat, netstat and ifstat. Dstat overcomes some of their limitations and adds some extra features. Dstat is handy for monitoring systems during performance tuning tests, disk i/o, benchmarks or troubleshooting.

Dstat allows you to view all of your system resources in real time; you can, for example, compare disk utilization in combination with interrupts from your IDE controller, or compare the network bandwidth numbers directly with the disk throughput (in the same interval).

Dstat gives you detailed selective information in columns and clearly indicates in what degree and unit the output is displayed. And most importantly, it makes it very easy to write plugins to collect your own counters and extend it in ways you never expected.

Features

* Combines vmstat, iostat, ifstat, netstat information and more
* Shows stats in exactly the same timeframe
* Enable/order counters as they make most sense during analysis/troubleshooting
* Modular design
* Written in python so easily extendable for the task at hand
* Easy to extend, add your own counters (please contribute those)
* Includes many external plugins to show how easy it is to add counters
* Can summarize grouped block/network devices and give total numbers
* Can show interrupts per device
* Very accurate timeframes, no timeshifts when system is stressed
* Shows exact units and limits conversion mistakes
* Indicate different units with different colors
* Show intermediate results when delay > 1
* Allows to export CSV output, which can be imported in Gnumeric and Excel to make graphs

Here are the existing plugins

[server@manoj ~]# dstat --list
internal:
        aio, cpu, cpu24, disk, disk24, disk24old, epoch, fs, int, int24, io, ipc, load, lock,
        mem, net, page, page24, proc, raw, socket, swap, swapold, sys, tcp, time, udp, unix, vm
/usr/share/dstat:
        battery, battery-remain, cpufreq, dbus, disk-recsize, disk-tps, disk-util, dstat,
        dstat-cpu, dstat-ctxt, dstat-mem, fan, freespace, gpfs, gpfs-ops, helloworld,
        innodb-buffer, innodb-io, innodb-ops, lustre, mem-adv, memcache-hits, mysql-io,
        mysql-keys, mysql5-cmds, mysql5-conn, mysql5-io, mysql5-keys, net-packets, nfs3,
        nfs3-ops, nfsd3, nfsd3-ops, ntp, pcap-ssh, postfix, power, proc-count, proc-count2,
        proc-count3, qmail, rpc, rpcd, sendmail, snooze, squid, test, thermal, top-bio,
        top-bio-adv, top-childwait, top-cpu, top-cpu-adv, top-cpu2, top-cpu3, top-cputime,
        top-cputime-avg, top-int, top-io, top-io-adv, top-latency, top-latency-avg, top-mem,
        top-oom, top-tcp-ports, utmp, vm-memctl, vmk-hba, vmk-int, vmk-nic, vz-cpu, vz-io,
        vz-ubc, wifi

You can see the detailed dstat Linux man page at http://dag.wieers.com/home-made/dstat/dstat.1.html and http://linux.die.net/man/1/dstat

Posted in CentOS, FileSystem, Linux. Tags: benchmarks or troubleshooting. disk i/o Disk i/o & Performance Tuning Disk i/o & Performance Tuning Benchmarking Tool iostat netstat and ifstat. Dstat vmstat

Some examples of using LINUX/UNIX find command
March 13th, 2011

Introduction

The find command allows the Linux/Unix users to process a set of files and/or directories in a file subtree.

You can specify the following:

* where to search (pathname)
* what type of file to search for (-type: directories, data files, links)
* how to process the files (-exec: run a process against a selected file)
* the name of the file(s) (-name)
* perform logical operations on selections (-o and -a)

Search for file with a specific name in a set of files (-name)

find . -name "manoj.conf" -print

This command will search in the current directory and all sub directories for a file named manoj.conf.

Note: The -print option will print out the path of any file that is found with that name. In general, -print will print out the path of any file that meets the find criteria.

How to apply a unix command to a set of files (-exec).

find . -name "manoj.conf" -exec chmod o+r '{}' \;

This command will search in the current directory and all sub directories. All files named manoj.conf will be processed by the chmod o+r command. The argument '{}' inserts each found file into the chmod command line. The \; argument indicates that the exec command line has ended.

The end result of this command is that all manoj.conf files have the "other" permission set to read access (if the operator is the owner of the file).

How to apply a complex selection of files (-o and -a).

find /usr/src -not \( -name "*,v" -o -name ".*,v" \) -print

This command will search in the /usr/src directory and all sub directories. All files that are of the form '*,v' and '.*,v' are excluded. Important arguments to note are:

* -not means the negation of the expression that follows
* \( means the start of a complex expression.
* \) means the end of a complex expression.
* -o means a logical or of a complex expression.

In this case the complex expression is all files like '*,v' or '.*,v'.

The above example shows how to select all files that are not part of the RCS system. This is important when you want to go through a source tree and modify all the source files.

How to search for a string in a selection of files (-exec grep ...).

find . -exec grep "www.athabasca" '{}' \; -print

This command will search in the current directory and all sub directories. All files that contain the string will have their path printed to standard output.

If you just want to find each file and then pass it on for processing, use the -q grep option. This finds the first occurrence of the search string, then signals success to find, and find continues searching for more files.

find . -exec grep -q "www.manoj" '{}' \; -print

This command is very useful for processing a series of files that contain a specific string. You can then process each file appropriately. An example is to find all html files with the string "www.manoj.com". You can then process the files with a sed script to change those occurrences of "www.manoj.com" to "manoj.manoj.com".
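The "select the files, then hand them to sed" workflow just described, written out as an added example that is not part of the original post: find_files_with_string uses the same -exec grep -q ... \; -print selection as above (with the RCS ",v" exclusion from the earlier example), and replace_in_files passes the matches to sed. The function names and the sample tree (make_sample_tree) are mine and constructed for the demonstration; the code assumes the GNU find, grep, sed and xargs that ship with CentOS. The replacement step uses grep -lZ with xargs -0 instead of word-splitting a list of names, so a file such as "b c.html" is handled correctly.

```shell
#!/bin/bash
# Added example (not from the original post): find files containing a string and
# rewrite them with sed, the workflow described above. Assumes GNU find/grep/sed/xargs.

# find_files_with_string DIR STRING -> matching regular files, one per line, sorted.
# Same selection as the post: -exec grep -q ... \; -print, skipping RCS ",v" files.
find_files_with_string() {
    find "$1" -type f -not \( -name '*,v' -o -name '.*,v' \) \
        -exec grep -qF -- "$2" '{}' \; -print | sort
}

# replace_in_files DIR OLD NEW: edit in place every file under DIR that contains OLD.
# grep -l (print names) with '{}' + runs grep once per batch instead of once per file;
# -Z plus xargs -0 keeps names containing spaces or newlines intact.
replace_in_files() {
    local old="$2" new="$3" pat rep
    # OLD becomes a sed regex: escape its metacharacters and the | delimiter;
    # in NEW only &, \ and | are special.
    pat=$(printf '%s\n' "$old" | sed 's/[][\.*^$|]/\\&/g')
    rep=$(printf '%s\n' "$new" | sed 's/[&|\]/\\&/g')
    find "$1" -type f -not \( -name '*,v' -o -name '.*,v' \) \
        -exec grep -lZF -- "$old" '{}' + | xargs -0 -r sed -i "s|$pat|$rep|g"
}

# make_sample_tree DIR: constructed sample files for the demonstration
make_sample_tree() {
    mkdir -p "$1/sub"
    printf '<a href="http://www.manoj.com/">home</a>\n' > "$1/index.html"
    printf 'mirror at www.manoj.com\n'                  > "$1/sub/b c.html"
    printf 'no link here\n'                             > "$1/sub/plain.html"
    printf 'www.manoj.com kept under RCS\n'             > "$1/index.html,v"
}

# Usage: ./findrep.sh DIR   (lists files under DIR that mention www.manoj.com)
if [ -n "${1-}" ]; then
    find_files_with_string "$1" "www.manoj.com"
fi
```

On the sample tree, find_files_with_string returns index.html and sub/b c.html (the ",v" copy is excluded even though it contains the string); after replace_in_files DIR www.manoj.com manoj.manoj.com the same query returns nothing and the RCS file is untouched.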

Posted in CentOS, Linux. Tags: find command find command examples How to find string in side file linux find command Some examples of using LINUX/UNIX find command

How to Install and Configure Cacti
March 4th, 2011

Cacti is a complete frontend to RRDTool; it stores all of the necessary information to create graphs and populate them with data in a MySQL database.

You need to install the following software to install cacti:

a) MySQL Server: stores cacti data
b) NET-SNMP server: SNMP (Simple Network Management Protocol) is a protocol used for network management.
c) PHP with net-snmp module: access SNMP data using PHP.
d) Apache / lighttpd / nginx webserver: web server to display graphs created with PHP and RRDTOOL.

Install the software

You can install the software using the yum command. Run the following:

# yum install mysql-server mysql php-mysql php-pear php-common php-gd php-devel php php-mbstring php-cli php-snmp php-pear-Net-SMTP php-mysql httpd

Configure MySQL server

Set the root password:

# mysqladmin -u root password NEWPASSWORD

Create the cacti MySQL database:

# mysql -u root -p -e 'create database cacti'

Create a user named cacti with the password of your choice (shown below as 'your password'). Log in to MySQL:

# mysql -u root -p

mysql> GRANT ALL ON cacti.* TO cacti@localhost IDENTIFIED BY 'your password';
mysql> FLUSH privileges;
mysql> \q

Install snmpd

Type the following command to install net-snmpd:

# yum install net-snmp-utils php-snmp net-snmp-libs

To configure snmpd, open the snmpd.conf configuration file:

# vi /etc/snmp/snmpd.conf

and modify the configuration file as shown below.

com2sec local localhost public
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
view all included .1 80
access MyRWGroup "" any noauth exact all all none
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root (configure /etc/snmp/snmp.local.conf)
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat

Note that the com2sec line maps the community string public to requests from localhost only, and the access line gives that group read and write access to the whole tree (view all); if you later widen the source from localhost to your LAN, replace the default community string public at the same time.

Save and close the configuration file and start the snmp service. Type the following:

# /etc/init.d/snmpd start
# chkconfig snmpd on

Install cacti

Update the repository:

rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm


# yum install cacti

Install cacti tables

Type the following command to find out the cacti.sql path:

# rpm -ql cacti | grep cacti.sql

Sample output:

/usr/share/doc/cacti-0.8.7d/cacti.sql

Type the following command to install cacti tables (you need to type the cacti user password):

# mysql -u cacti -p cacti < /usr/share/doc/cacti-0.8.7d/cacti.sql

Configure the cacti database string. Open /var/www/cacti/include/config.php and modify the following values:

/* make sure these values reflect your actual database/host/user/password */
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cacti";
$database_password = "your password";
$database_port = "3306";

Configure httpd for cacti. Update the "allow from" line, setting it to your LAN subnet, to allow access to cacti. Open the /etc/httpd/conf.d/cacti.conf file:

# vi /etc/httpd/conf.d/cacti.conf

Alias /cacti/ /var/www/cacti/

<Directory /var/www/cacti/>
    DirectoryIndex index.php
    Options -Indexes
    AllowOverride all
    order deny,allow
    # your network address
    allow from 172.16.0.0/16
    AddType application/x-httpd-php .php
    php_flag magic_quotes_gpc on
    php_flag track_vars on
</Directory>

After the change, start httpd:

# /etc/init.d/httpd start

Setup cacti cronjob

Open the /etc/cron.d/cacti file:

# vi /etc/cron.d/cacti

Uncomment the line:

*/5 * * * * cacti /usr/bin/php /usr/share/cacti/poller.php > /dev/null 2>&1

Save and close the file after uncommenting it.

Now cacti is ready; to run cacti, open the following URL:

http://Cacti_IP_Address/cacti/

or http://xx.xx.xx.xx/cacti


Note: The default username and password for cacti is admin / admin.

Posted in CentOS, Linux, Monitoring, Monitoring Tools. Tags: Cacti Installation How to Install and Configure Cacti how to install cacti in centOS how to install cacti in Linux

No package ‘libpcre’ found
March 3rd, 2011

I was getting the “No package ‘libpcre’ found” error while compiling Varnish, so I fixed it by installing the gcc libraries using the command below:

yum install gcc* -y

Posted in CentOS, Linux, Varnish. Tags: libpcre not found

How to quickly find what directories are using up space on your disk in Linux
March 2nd, 2011

The df -h command will tell you disk usage from a mount-point perspective, but the du command tells you from a directory perspective. Use the command:

du -h / --max-depth=1

to show disk usage for each individual directory on the system, or go lower down to see usage in a particular directory:

du -h /var/log --max-depth=1

To exclude a folder from the disk space check, use the command below; it shows disk usage for each individual directory under the current directory (the one in which you run the command), except the manoj folder:

du -h --max-depth=1 --exclude=manoj *

Posted in CentOS, Linux. Tags: du command how check disk uses

find and replace string in vi
March 2nd, 2011

To perform a find and replace on all entries in a file, press Esc to leave insert mode in vi, then type a colon to reach the command line and enter:

:%s/find_string/replace_string/g

For example:

%s/manoj/manoj chauhan/g

There are many other ways to do this, but I prefer this method.

Posted in CentOS, Linux, Regular Expression. Tags: find and replace in vi replacing string in vi vi editor

How to comment lines in vi
March 2nd, 2011

If you need to comment the next 10 lines within vi, execute the following in command mode:

:.,+10s/^/#/

It will comment the next 10 lines, you can change the number accordingly.

Posted in CentOS, Linux. Tags: How comment lines in vi using vi

How to Kill zombie processes
March 2nd, 2011

Kill those persistent and annoying zombie processes:

ps -e -o ppid=,stat= | awk '$2 ~ /^Z/ {print $1}' | sort -u | xargs -r kill -9

The pipeline picks out the parent PID of every process in state Z and kills that parent: a zombie itself cannot be killed, it disappears once its parent exits and init reaps it.

Posted in CentOS, Linux. Tags: Killing zombie processes zombie processes

How to print a series of numbers or letters using a Bash loop
March 2nd, 2011

Bash scripting is a great tool for the Linux system admin. Here is a quick trick to print a series of numbers (or letters) into a variable, and thus an argument of a script:

#!/bin/bash
for a in {1..18}
do
    echo "The number $a"
done

#!/bin/bash
for a in {a..z}
do
    echo "The letter $a"
done

Posted in CentOS, Linux, Scripts. Tags: Bash for loops with a series of numbers or letters print series of numbers or letters using Bash Loop

Date ranges in the find command
February 11th, 2011

We can use the following -mtime values in the find command to select files in a folder by age:

1 means 24 hours old
-1 means less than 24 hours old
+0 means more than 24 hours old
+1 means more than 48 hours old

find /your_directory -mtime +1 -exec rm -f {} \;
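The -mtime arithmetic above is the part people misread: find rounds a file's age down to whole 24-hour periods before comparing, so -mtime +1 only matches files at least 48 hours old. Here is an added example, not part of the original post, that creates a few files with known ages, lists which ones each form of -mtime selects, and then runs the deletion from the post restricted to regular files. The function names are mine; the files are constructed in a scratch directory; and it assumes GNU find (-printf, -mindepth) and GNU touch (-d "N hours ago"). Ages are set in hours rather than days so that a daylight-saving change cannot move a sample file across a 24-hour boundary.

```shell
#!/bin/bash
# Added example (not from the original post): show what each -mtime form selects,
# then delete with the post's find ... -exec rm -f, limited to regular files.
# Assumes GNU find (-printf, -mindepth) and GNU touch (-d "N hours ago").

# make_aged_files DIR: constructed files 1 h, 30 h and 80 h old
# (find rounds age down to whole days: 0, 1 and 3 days respectively)
make_aged_files() {
    mkdir -p "$1"
    touch -d "1 hour ago"   "$1/fresh"
    touch -d "30 hours ago" "$1/yesterday"
    touch -d "80 hours ago" "$1/old"
}

# files_by_mtime DIR ARG: names of regular files directly in DIR matching -mtime ARG,
# joined with spaces. ARG is the post's notation: 1 (exactly 1 day), -1 (< 1 day),
# +0 (> 0 days), +1 (> 1 day).
files_by_mtime() {
    find "$1" -mindepth 1 -maxdepth 1 -type f -mtime "$2" -printf '%f\n' \
        | sort | tr '\n' ' ' | sed 's/ $//'
}

# purge_older_than DIR DAYS: the post's deletion, restricted to regular files
# (without -type f, find would also hand directories to rm -f, which fails on them)
purge_older_than() {
    find "$1" -mindepth 1 -maxdepth 1 -type f -mtime +"$2" -exec rm -f '{}' \;
}

# remaining DIR: what is left after a purge
remaining() {
    find "$1" -mindepth 1 -maxdepth 1 -printf '%f\n' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Usage: ./mtime_demo.sh /some/scratch/dir
if [ -n "${1-}" ]; then
    make_aged_files "$1"
    for arg in 1 -1 +0 +1; do
        printf -- '-mtime %-3s -> %s\n' "$arg" "$(files_by_mtime "$1" "$arg")"
    done
fi
```

With the three sample files, -mtime 1 selects only yesterday, -mtime -1 only fresh, -mtime +0 both old and yesterday, and -mtime +1 only old; purge_older_than DIR 1 therefore removes old and leaves fresh and yesterday in place. Run the listing before the deletion on a real directory to see exactly what -mtime +N will hit.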

Posted in CentOS, Linux. Tags: date ranges in the find command find command with date range

Linux Convert ext3 to ext4 File system
January 31st, 2011

Some time ago ext4 was released and is available for the Linux kernel. ext4 provides some additional benefits and performance over the ext3 file system. You can easily convert an ext3 file system to ext4. The next release of Fedora, 11, will default to the ext4 file system unless serious regressions are seen. In this quick tutorial you will learn about converting ext3 to ext4.

ext4 Filesystem Features

The ext4 filesystem has more features and generally better performance than ext3, which is showing its age in the Linux filesystem world. Features include:

* Delayed allocation & mballoc allocator for better on-disk allocation
* Sub-second timestamps
* Space preallocation
* Journal checksumming
* Large (>2T) file support
* Large (>16T) filesystem support
* Defragmentation support

WARNING! Once you run the following commands, the filesystem will no longer be mountable as ext3. Please note that ext4 may have some bugs, so do not use it for production servers (wait for some time and watch the Linux kernel mailing list for ext4 bugs). It is recommended that you keep /boot in an ext3 partition for some time.

You need the ext4 patch applied to the kernel and the kernel compiled with ext4 support. Once done, type the following command to convert an existing ext3 filesystem to ext4:

# tune2fs -O extents,uninit_bg,dir_index /dev/dev-name

For example, to convert /dev/sdb1 to ext4, enter:

# cd /; umount /dev/sdb1
# tune2fs -O extents,uninit_bg,dir_index /dev/sdb1

Next run fsck, enter:

# fsck -pf /dev/sdb1

How do I mount an ext4 partition?

mount -t ext4 /dev/sdb1 /path
mount -t ext4 /dev/sdb1 /share
mount -t ext4 /dev/disk/by-uuid/YOUR-PARTITION-UUID /share

Use blkid to get the UUID.

How do I boot from ext4 (/boot)?

If you have converted the /boot file system (or / used for /boot), update /boot/grub.conf (/boot/grub/menu.lst). Open the file, find the current kernel line and append the following:

rootfstype=ext4

Here is a sample config (note I’ve custom kernel names):

title Ubuntu 8.10, kernel 2.6.28.1-vmware-guest-server
root (hd0,1)
kernel /boot/vmlinuz-2.6.28.1-vmware-guest-server root=UUID=8c2da865-13f4-47a2-9c92-2f31738469e8 ro quiet splash rootfstype=ext4
initrd /boot/initrd.img-2.6.28.1-vmware-guest-server
quiet

Save and close the file, and run update-grub:

$ sudo update-grub

Next, update your /etc/fstab file so that the filesystem is mounted as ext4:

UUID=41c22818-fbad-4da6-8196-c816df0b7aa8 /share ext4 defaults,errors=remount-ro,relatime 0 1

Finally, reboot the system:

$ sudo reboot

Posted in CentOS, Linux. Tags: Convert ext3 to ext4 File system ext4 File system