Software Used:

GNS3 0.8.3.1
-use 3700 IOS as Router & DHCP
-use Ethernet switch to connect hosts
-use VirtualBox guest running on Ubuntu Linux server 12.04.2 LTS

http://shrubbery.net/tac_plus/

Installation:

1.Login as root and install dependencies such as tcp wrappers and compilation tools e.g. gcc, bison, flex, make

If you’re not sure if these packages are installed, you can use the command:

dpkg -s [packagename]

Sample:

root@freelinux:~# dpkg -s gcc bison flex

Package `gcc’ is not installed and no info is available.

Package `bison’ is not installed and no info is available.

Package `flex’ is not installed and no info is available.

To install:

root@freelinux:~# apt-get install gcc make flex \
 bison libwrap0-dev

2. Download the tacacs+ package on ftp://ftp.shrubbery.net/pub/tac_plus/. It’s good to read additional information or changes on http://shrubbery.net/tac_plus/.

Latest version as of this writing is tacacs+-F4.0.4.26

root@freelinux:~# wget \
ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.26.tar.gz

3. uncompress the tarball file

root@ubuntu:~# tar zxvf tacacs+-F4.0.4.26.tar.gz

4. Build
check the INSTALL file first to see the installation guide

root@ubuntu:~/tacacs+-F4.0.4.26# less INSTALL
root@ubuntu:~/tacacs+-F4.0.4.26# ./configure

If you missed installing those dependecies, you will receive messages something like this:

configure: error: Could not find libwrap. You must first install tcp_wrappers.

So to resolve this, install the necessary packages.

# apt-get install libwrap0-dev

Libraries have been installed in:
/usr/local/lib

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR’
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH’ environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH’ environment variable
during linking
- use the `-Wl,-rpath -Wl,LIBDIR’ linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf’

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.

Configuration:

1. After extracting the files, default directory would be /usr/local/bin/

root@ubuntu:~/tacacs+-F4.0.4.26# ls /usr/local/bin/tac*
/usr/local/bin/tac_plus /usr/local/bin/tac_pwd

2. Read the manual page for the following:

$man tac_plus
$man tac_pwd

So basically,
tac_plus – tacacs plus daemon
tac_pwd – generate DES or MD5 encryption of a password

3. use tac_pwd to encrypt clear text passwords to make it more secure
e.g.
We want to use “password” to login the username freelinux and “enablepass” to go privilege mode

root@freelinux:/etc/tacacs# /usr/local/bin/tac_pwd
Password to be encrypted: password
VUjB99kC2IGws

root@freelinux:/etc/tacacs# /usr/local/bin/tac_pwd
Password to be encrypted: enablepass
HD.Hw0OHKmO/c

4. Setup config files

a.create tacacs directory under /etc

5. create the tac_plus.conf file

tac_plus.conf setup:
i. set the key

#tacacs key
key = "tackey"

ii. set the user accounts

#user details
#admin freelinuxtutorials@gmail.com
user = freelinux {
default service = permit
member = admingroup
login = des VUjB99kC2IGws
}

iii. set the group details

#group details
# admin group
group = admingroup {
default service = permit
service = exec {
priv-lvl = 15
}
}

iv. set enable password

#Enable password setup for users:
user = $enable$ {
login = des HD.Hw0OHKmO/c
}

Note: This is how it looks like, get it here
v. set the location of the accounting file

accounting file = /var/log/tacacs/tac_plus.log

6. change permission

#chmod 600 /etc/tacacs/tac_plus.conf

Note: If along the way, if you encoutered such as below, then you need to create necessary links using ldconfig

tac_plus: error while loading shared libraries: libtacacs.so.1:
cannot open shared object file: No such file or directory

# vi /etc/ld.so.conf

add /usr/local/lib under /etc/ld.so.conf

 root@freelinux#ldconfig

7. Run the tacacs service

root@freelinux:/etc/tacacs# /etc/init.d/tac_plus start
Starting Tacacs+ server: tac_plus.

this tac_plus file, contents can be downloaded here

8. check if process running

root@freelinux:/etc/tacacs# netstat -na | grep 49
tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN

——————–
Sample Cisco configuration

Configuring Cisco:

Cisco>en
Cisco#conf t
Cisco#service password-encryption
Cisco#tacacs-server host 192.168.56.10
Cisco#tacacs-server directed-request
Cisco#tacacs-server key tackey

Cisco#aaa new-model
Cisco#aaa authentication login default group tacacs+ local
Cisco#aaa authentication enable default group tacacs+ enable
Cisco#aaa authorization commands 1 default group tacacs+ local
Cisco#aaa authorization commands 15 default group tacacs+ local
Cisco#aaa accounting commands 0 default start-stop group tacacs+
Cisco#aaa accounting commands 1 default start-stop group tacacs+
Cisco#aaa accounting commands 7 default start-stop group tacacs+
Cisco#aaa accounting commands 15 default start-stop group tacacs+
Cisco#aaa accounting network 15 start-stop group tacacs+
Cisco#aaa accounting connection 15 start-stop group tacacs+

I will not go deeper into client configuration as it differs on devices and softwares by different vendors. Anyway, what has shown here is just the basic tacacs config that is proven working. Go try explore further the advance tacacs configuration. Enjoy!

The post Installation and Setup of Free Tacacs+ server in Linux appeared first on Free Linux Tutorials.

http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.6.8.tar.bz2

The post Linux Kernel 3.6.8 is released! appeared first on Free Linux Tutorials.

Users can login remotely to Secure Shell(SSH) server using public/private key without typing the password. This can put added security on your boxes as it reduces password cracking attempts. Aside from that, it will give convenience to users especially if running scripts that require SCP or SFTP transfers.

These are the steps on doing this:

1. Generate a public/private key pair on the client to identify on the servers. It can be protected with password/passphrase or choose not to have

ssh-keygen -t rsa

[darwin@freelinuxclient ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/darwin/.ssh/id_rsa):
Created directory ‘/home/darwin/.ssh’.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/darwin/.ssh/id_rsa.
Your public key has been saved in /home/darwin/.ssh/id_rsa.pub.
The key fingerprint is:
ec:e2:2c:72:f4:0d:a2:ce:83:5a:b1:f3:ee:e1:f3:9f darwin@freelinuxclient
[darwin@freelinuxclient ~]$

It will create two files under your .ssh folder

ls -la ~/.ssh/

[darwin@freelinuxclient ~]$ ls -la ~/.ssh/
total 16
drwx—— 2 darwin darwin 4096 Nov  2 23:30 .
drwx—— 3 darwin darwin 4096 Nov  2 23:29 ..
-rw——- 1 darwin darwin 1743 Nov  2 23:30 id_rsa
-rw-r–r– 1 darwin darwin  410 Nov  2 23:30 id_rsa.pub

id_rsa = private key
id_rsa.pub = public key (it’s the one you are going to upload on the server)

2. Set permission on private key

[darwin@freelinuxclient ~]$ chmod 700 ~/.ssh/
[darwin@freelinuxclient ~]$ chmod 600 ~/.ssh/id_rsa

Normally, the correct permission is already set by default but it’s better to do this esp. if “StrictModes” is set yes on your sshd_config.

3. Upload the id_rsa.pub or public key to server

$scp ~/.ssh/id_rsa.pub user@server:

[darwin@freelinuxclient .ssh]$scp /home/darwin/.ssh/id_rsa.pub darwin@freelinuxserver:~/

4. Add to the authorized keys

cat id_rsa.pub >> ~/.ssh/authorized_keys

[darwin@freelinuxclient ~]$ ssh darwin@freelinuxserver
darwin@freelinuxserver’s password:
[darwin@freelinuxserver]$ cat id_rsa.pub >> ~/.ssh/authorized_keys
Testing:
SSH to the server, if password is provided during the generation of client key pairs, it will ask during

[darwin@freelinuxclient ~]$ ssh darwin@freelinuxserver
Enter passphrase for key ‘/home/darwin/.ssh/id_rsa’:
[darwin@freelinuxserver ~]$

If no passphrase provided, then access would be direct:

[darwin@freelinuxclient ~]$ ssh darwin@freelinuxserver
[darwin@freelinuxserver ~]$

Additional Notes:

1. Make sure public key authentication is enabled (should be enabled by default)
[darwin@freelinuxserver ~]#vi /etc/ssh/sshd_config

RSAAuthentication yes
PubkeyAuthentication yes

2. SSH usually comes  with the “ssh-copy-id” utility that will install the id_rsa.pub to the server’s authorized keys.

ssh-copy-id -i .ssh/id_rsa.pub user@server

[darwin@freelinuxclient ~]$ ssh-copy-id -i .ssh/id_rsa.pub darwin@freelinuxserver
15
darwin@freelinuxserver’s password:
Now try logging into the machine, with “ssh ‘darwin@freelinuxserver’”, and check in:

.ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

[darwin@freelinuxclient ~]$
3. To disable password authentication, item a is recommended

a. disable via the /etc/ssh/sshd_config

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

b. lock user account on the server, key authentication will still work

[root@freelinuxserver ~]# passwd -l darwin
Locking password for user darwin.
passwd: Success
[root@freelinuxserver ~]#

4. If you need to change or add key pair’s passphrase, use the -p option

 ssh-keygen -p

[darwin@freelinuxclient ~]$ ssh-keygen -p
Enter file in which the key is (/home/darwin/.ssh/id_rsa):
Enter old passphrase:
Key has comment ‘/home/darwin/.ssh/id_rsa’
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.

5. You can use “DSA” as SSH2 authentication key. DSA authenticates or signs faster,but slower in verification. To do this:

ssh-keygen -t dsa

This will create two files, id_dsa & id_dsa.pub.

6. Once imported as public key, it’s recommended to delete it from the server

rm id_rsa.pub

[darwin@freelinuxserver ~]#rm id_rsa.pub

The post SSH authentication via Public/Private keys appeared first on Free Linux Tutorials.

For this tutorial, we are going to demonstrate steps on securing your OpenSSH which is a free version of the SSH protocol suite.

Note: Steps 1-9 can be done by  tweaking your sshd_config and do ssh service restart after changes to take effect.

1. Use SSH Protocol 2
Use SSH version 2 (SSH2) only as it offers more performance, flexibility and security than SSH1.
-To verify what SSH protocol version you are running, check your /etc/ssh/sshd_config and look for the line “Protocol”,

[root@freelinux ~]# vi /etc/ssh/sshd_config

Protocol 2

[root@freelinux ~]# /etc/init.d/sshd restart
Stopping sshd: [  OK  ]
Starting sshd: [  OK  ]

2. Disable direct root SSH logins
-disable direct logging in as root via ssh. This is like inviting hackers to brute force your root password.
It’s recommend to login as a normal user and then after that, just use su or sudo if want to execute priviledge commands.

PermitRootLogin no

3. Enable a SSH warning banner
You can display a warning banner before login to require acknowledgment of the contents. This can be done by defining under sshd_config

a. Create a Banner on any location. e.g. /etc/freelinux

[root@freelinux~]# vi /etc/freelinux
###############################################################
AUTHORIZED USERS ONLY
All login attempts will be logged!!!
###############################################################

b. Edit /etc/ssh/sshd_config. Locate the line containing “Banner”, uncomment and specify the file location
vi /etc/ssh/sshd_config

# no default banner path

Banner /etc/freelinux

c. Restart ssh service

[root@freelinux~]# service sshd restart
Stopping sshd: [  OK  ]
Starting sshd: [  OK  ]

d. Test:
@ssh client
login as: darwin
###############################################################
AUTHORIZED USERS ONLY
All login attempts will be logged!!!
###############################################################
darwin@10.0.2.100′s password:
Last login: Fri Oct 19 18:19:12 2012 from 10.0.2.2

4. Disable empty passwords
To disable empty password, edit /etc/ssh/sshd_config and make sure this line below is uncommented

PermitEmptyPasswords no

5. Disable Host-based authentication
It is not recommended that hosts always agreed to trust one another

HostbasedAuthentication no

6. Configure Idle Timeout
Let say you want the system to log out users after 15 mins of idling. Then you can set this:

[root@freelinux~]# vi /etc/ssh/sshd_config

ClientAliveInterval 300
ClientAliveCountMax 3

where:

This will give a timeout of 15 minutes (300 secs X 3)
ClientAliveInterval – timeout in seconds.
ClientAliveCountMax – total number of checkalive message sent by the ssh server without getting any response from the ssh client

Also,  you can do this 15 minute timeout:
ClientAliveInterval 900
ClientAliveCountMax 0

Additional Tip: This is slightly different with “TMOUT” variable that will terminate the shell if no activity for N seconds
# export TMOUT=N

[root@freelinux~]# export TMOUT=60

7. Limit SSH LoginGraceTime
By default, sshd will allow a connected user that has not begun the authentication process for a period 2 minutes (120 secs) for a grace time. It’s recommended to shorten this time to protect from brute force attacks.

LoginGraceTime 30

8. Change ssh port number
The advantage of this is somehow protects your box against automated attacks or malicious scripts that is trying to get in via ssh default port 22.

Port 35286

9. Limit or Permit only specific users or groups to login
All users by default is allowed to access your box. But you have the options to allow or deny few users or groups. This can be done in either of this way.

#[AllowUsers]

AllowUsers darwin tux

OR

#[DenyUsers]

DenyUsers user1 user2
DenyGroups group1 group2 group3

10. Update OpenSSH & OS
Make sure your Linux system is running the latest version for OpenSSH. SSH package version depends on your Linux distribution & OS version. Your distro will use the best or stable version for any packages, so if you want to upgrade to another version, you can do this via source package installation. It can be downloaded on OpenSSH official site http://www.openssh.com. Alternatively, you can do it by installing the latest rpm package or changing your repository, then use the yum.

For instance, if you are running CentOS 5.8 to check the current installed package and verify if there’s update, tr the following:

[root@freelinux~]# cat /etc/issue
CentOS release 5.8 (Final)
Kernel \r on an \m

[root@freelinux~]# rpm -qa | grep openssh
openssh-4.3p2-82.el5
openssh-clients-4.3p2-82.el5
openssh-server-4.3p2-82.el5

[root@freelinux~]# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

[root@freelinux~]# yum update openssh*
Loaded plugins: fastestmirror, security
Determining fastest mirrors
* base: mirror.nus.edu.sg
* extras: mirror.nus.edu.sg
* updates: mirror.nus.edu.sg
base                                                     | 1.1 kB     00:00
extras                                                   | 1.9 kB     00:00
extras/primary_db                                        | 171 kB     00:00
updates                                                  | 1.9 kB     00:00
updates/primary_db                                       | 828 kB     00:01
Skipping security plugin, no data
Setting up Update Process
No Packages marked for Update

11. Enforce access controls list by using TCP wrappers
TCP wrappers is used to restrict access to TCP services based on IP, hostname, network address etc. It supports SSH via the libwrap library. To check if your sshd is

dynamically linked against libwrap:

[root@freelinux~]# which sshd
/usr/sbin/sshd
[root@freelinux~]# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib/libwrap.so.0 (0×00978000)

@/etc/syslog.conf
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

Configuration Files of TCP Wrapper

a. /etc/hosts.allow
b. /etc/hosts.deny

The file names are quite self-explanatory.
Access will be allowed when it matches an entry in the /etc/hosts.allow file
Access will be denied when it matches an entry in the /etc/hosts.deny file

But take note of the rules or points to consider
- access rules in hosts.allow are applied first
- rules in each file are read from the top down, so take note the order of rules
- changes in hosts.allow or hosts.deny will take effect immediately, no need to restart any services.
- access to service is permitted if no rules are found in either file
- use ‘#’ character to insert comments
- it uses this format

tcp_service : client_list [ : shell_command ]

where:
tcp_server – daemon process names
client_list – IP, hostnames, patterns, wildcards matching the client address or hostname

There are several patterns that you can use under client_list which we will not covering on this topic. But the recommended setting will be:
Deny anything not explicitly allowed and only Allow certain services.

[root@freelinux~]# cat /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the ‘/usr/sbin/tcpd’ server.
#
ALL: ALL

[root@freelinux~]# cat /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the ‘/usr/sbin/tcpd’ server.
#
sshd : freelinuxtutorials.com : allow
sshd: 192.168.0.192/255.255.255.240 : allow
sshd : 192.168.0.100 : allow

12. Configure iptables for added SSH security
It’s good to have your servers protected by hardwares or appliances such as security appliances, PIX, ASA etc. that will added more protection such as limiting TCP connections esp. on preventing dictionary attacks.
If you don’t have this, it’s a good thing this can be done also from your Linux server using iptables.

Sample iptables  to allow only specified host:
iptables -A INPUT -p tcp -m state –state NEW –source 172.16.0.101 –dport 35286 -j ACCEPT

Another example iptables rule:

iptables -N RULE1
iptables -A INPUT -p tcp –dport 35286 -m state –state NEW -j RULE1
iptables -A RULE1 -m recent –set –name SSH
iptables -A RULE1 -m recent –update –seconds 60 –hitcount 4 –name SSH -j DROP

where:
Line1: create a new chaing RULE1
Line2/3: allow incoming SSH connection on ssh port 35286 and it will pass through this chain
Line4: source IP should not be more than 3 attempts within 60 seconds, else packets will be dropped from that source IP

13.  Use Strong Passwords
As system administrator, you can set a criteria for users to have a strong passwords. To enforce password complexity on  your Linux boxes via  PAM (the “pluggable authentication module”)

[root@freelinux~]# cat /etc/pam.d/system-auth | grep password
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

Change to something like this:
password requisite pam_cracklib.so try_first_pass retry=3 minlength=12 lcredit=1 ucredit=1 dcredit=1 ocredit=1 difok=4

where:

try_first_pass = sets the number of times a user can attempt to set a good password before it aborts
minlen = measure of complexity related to the password length
lcredit = minimum number of required lowercase letters
ucredit = minimum number of required uppercase letters
dcredit = minimum number of required digits
ocredit = minimum number of required other characters
difok = sets the number of characters that must be different from the previous passwords

Alternatively, you can use /etc/login.defs to set parameters such as password expiration, etc.
@/etc/login.defs

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5

14. Use Private/Public Keys for SSH authentication
If you decided not to do password authenticaton instead using of keys, then you can follow this tutorial.

15. Patch OpenSSH to latest security fix
As long as you have the latest updates or patches installed on your Linux distribution, that should be enough to tell that you are fully patched.
To check the changelog for the openssh rpm, use the command below. It will show you various patches

[root@freelinux~]# rpm -q –changelog openssh | more
* Wed Jan 04 2012 Petr Lautrbach <plautrba@redhat.com> 4.3p2-82
- improve RNG seeding from /dev/random (#681291,#708056)

* Fri Dec 02 2011 Petr Lautrbach <plautrba@redhat.com> 4.3p2-81
- make ssh(1)’s ConnectTimeout option apply to both the TCP connection and
SSH banner exchange (#750725)

The post Securing your OpenSSH server in Linux appeared first on Free Linux Tutorials.

On this tutorial, we are going to use the syslogd/sysklogd server which is a multi-platform and proven stable software.

[Syslog Server]

1.verify if the sysklogd package is installed.

[root@freelinux ~]# rpm -qa | grep sysklogd
sysklogd-1.4.1-46.el5

2. start the syslog daemon

[root@freelinux ~]# service syslog start
Starting system logger: [  OK  ]
Starting kernel logger: [  OK  ]

3. verify if the process is running

[root@freelinux ~]# ps -ef | grep syslog
root      2174     1  0 17:53 ?        00:00:00 syslogd -m 0
root      2180  2110  0 17:54 pts/1    00:00:00 grep syslog
[root@freelinux ~]# ls -la /var/run | grep syslog
-rw——-  1 root  root     5 Oct  9 17:53 syslogd.pid

4. configure the syslog

configuration files:
/etc/sysconfig/syslog
/etc/syslog.conf

Add the “-r” options to enable logging from the remote machines

[root@freelinux ~]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables ‘MARK’ messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS=”-r -m 0″
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with ‘ksymoops’
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS=”-x”
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for “group” and “other”.

5. Restart the syslog service

[root@freelinux ~]# service syslog restart
Shutting down kernel logger: [  OK  ]
Shutting down system logger: [  OK  ]
Starting system logger: [  OK  ]
Starting kernel logger: [  OK  ]

[Client devices]

configuration file: /etc/syslog.conf

a. Linux servers

[root@freelinux ~]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

*.* @172.16.0.100

# Log anything (except mail) of level info or higher.
# Don’t log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

b. Cisco/Motorola devices

Cisco#configure terminal
Cisco#logging facility local6
Cisco#logging 172.16.0.49

c. Juniper OS
darwin@Juniper> configure
Entering configuration mode

{master}[edit]
darwin@Juniper#
darwin@Juniper#  set system syslog host a.a.a.a facility-override local6 any any
darwin@Juniper#commit synch

darwin@Juniper#show configuration

host 172.16.0.100 {
any any;
facility-override local6;
}

d. Unix

# @(#)B.11.11_LR
#
# syslogd configuration file.
#
# See syslogd(1M) for information about the format of this file.
#
mail.debug              /var/adm/syslog/mail.log
*.info;mail.none;local1.none;local2.none;local5.none;local6.none;local7.none    /var/adm/syslog/syslog.log
*.alert                 /dev/console
#*.alert                        root
*.emerg                 *
local4.info             /var/adm/syslog/fw.log
local6.info             /var/adm/syslog/cisco.log

e. Windows

There’s no way to directly configure the syslog clients or send your event log messages to syslog server. You have to use syslog clients such as Snare & winlogd which I will not cover on this tutorial. Alternative way, is send your event logs as snmp traps by configuring your SNMP service & using the event to trap translator or “evntwin” command.

Additional Tips:

1. To make syslogd, re-read its configuration file, send it a HANGUP  signal:
[root@freelinux ~]# kill -HUP `cat /var/run/syslog.pid`

2. Familiarize with syslog facility and severity levels. A good reference about this is Wiki http://en.wikipedia.org/wiki/Syslog. Sample syslog.conf is on the Config-Scripts Section to show how this will be very useful for system administrators.

3.You can verify messages if it’s being logged in your syslog or if you want to test your /etc/syslog.conf, you can use the “logger” command

e.g.
@/etc/syslog.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

[root@freelinux ~]# logger -p user.info “Test Message”
[root@freelinux ~]# tail /var/log/messages
Oct 11 21:25:39 localhost root: Test Message

The post Configure Centralized Syslog server in Linux & setup syslog clients on different platforms appeared first on Free Linux Tutorials.

1.Identify which interface you want to listen to

[root@freelinux tmp]# ifconfig 

eth0 Link encap:Ethernet HWaddr 08:00:27:72:24:E6
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe72:24e6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:942 errors:0 dropped:0 overruns:0 frame:0
TX packets:612 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:78095 (76.2 KiB) TX bytes:198882 (194.2 KiB)
Interrupt:10 Base address:0xd020

2. Run “tcpdump” command with the following options. For instance, you want to monitor the DNS packets.Run:

tcpdump -ni eth0 -Xvvv -w freelinux.pcap -s 0 port 53 

[root@freelinux tmp]# tcpdump -ni eth0 -Xvvv -w freelinux.pcap -s 0 port 53
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
2657 packets captured
2938 packets received by filter
0 packets dropped by kernel

Verify:

# ls -l /tmp
-rw-r--r-- 1 root wheel 1386926 Sep 24 14:39 freelinux.pcap

where as:

-s 0 –> capture byte to its maximum (65535) or it’s full lenght
-ni –> listen on which interface. Then -n option is used so not to convert host addresses to names.
-w –> create the file
port –> to indicate the port number, e.g. 53 which pertains to dns
-X –> Print each packet (minus its link level header) in hex and ASCII
-vvv –> Even more verbose output

Other samples:
[root@freelinux tmp]# tcpdump -ni eth0 -Xvvv -w freelinux.pcap -s 0 portrange 67-68
[root@freelinux tmp]# tcpdump -ni eth1 -s0 -w hostlinux.pcap host 8.8.8.8 &

Note: you can do Ctrl+C to terminate the task, or if run in background, kill the process if finished as it will consume some hard disk space and some CPU resources.

3. Now open the wireshark program. It’s a GUI-based program, so viewing is easier and flexible.

Enjoy!

The post Quick Tip: Use tcpdump in Linux to capture network packets and view in wireshark appeared first on Free Linux Tutorials.

Here are some ways to change your timezone depending on your Linux distribution:

for RHEL/CENTOS:

Assuming you have the default or current timezone as UTC and you would like to change it to Singapore timezone

[root@freelinux etc]# date
Thu Sep 6 23:15:06 UTC 2012 
[root@freelinux etc]# rm /etc/localtime

Note: All timezones can be found under the directory /usr/share/zoneinfo

Link the Singapore file under the Asia to the /etc/localtime

#cd /etc
#ln -s /usr/share/zoneinfo/Asia/Singapore localtime
#date
Fri Sep 7 07:17:20 SGT 2012 

This localtime symbolic links can be overwritten when you execute tzdata-update which will based from /etc/sysconfig/clock settings configured

Example:
current date in Singapore time, you execute the tzdata-update, it will read the /etc/sysconfig/clock file

[root@freelinux etc]# cat /etc/sysconfig/clock
ZONE="Asia/Seoul"
UTC=true
ARC=false
[root@freelinux etc]# date
Fri Sep 7 07:26:12 SGT 2012
[root@freelinux etc]# tzdata-update
[root@freelinux etc]# date
Fri Sep 7 08:26:20 KST 2012

For Ubuntu/Debian, the above method will also work. But it also has some commands to make you life easier, see items 1 & 2

1. A simple way to change your timezone is using the “tzconfig” command which will prompt you with a list of region and cities. It will a simple way to update the link /etc/localtime to point to the correct timezone in /usr/share/zoneinfo

[root@freelinux etc]# tzconfig

2.Another way is using the command “dpkg-reconfigure tzdata”. It will be a menu-based type of configuration screen.

[root@freelinux etc]# dpkg-reconfigure tzdata

3. Another method which will work with other distribution as well is via the TZ environment variable

[root@freelinux ~]# date
Fri Sep 7 07:46:09 SGT 2012
[root@freelinux ~]# export TZ=Asia/Manila
[root@freelinux ~]# date
Fri Sep 7 07:46:30 PHT 2012 

4. Another way is via “tzselect” command

[root@freelinux ~]# tzselect 

The post Quick tip: Change Timezone in Linux in different ways appeared first on Free Linux Tutorials.

For you to remember the syntax, issue the command “date” first

[root@freelinux ~]# date 
Mon Aug 20 18:30:29 SGT 2012

Let say you want to change it to Sept 6, 2012, 3pm, just follow the pattern above

[root@freelinux ~]# date 090615002012
Thu Sep  6 15:00:00 SGT 2012

where as:
09 = month (September)
06 = day
15 = hour
00 = min
2012 = year

Now it’s set, as simple as that:
[root@freelinux ~]# date
Thu Sep  6 15:00:01 SGT 2012

Another example, you want it to change to 20th of December, 2012, 10:45pm

[root@freelinux ~]# date 122022452012
Thu Dec 20 22:45:00 SGT 2012

Viola!!!

[root@freelinux ~]# date
Thu Dec 20 22:45:03 SGT 2012

Now if you want to challenge yourself, then you can use this as well:
Using our example date above, use the date command with –set or -s options

[root@freelinux ~]# date -s "6 Sept 2012 15:00:00"
Thu Sep  6 15:00:00 SGT 2012

Extra tip: To set the hardware clock to the current system time, use:

[root@freelinux ~]# hwclock  --systohc

If the other way around, to set the system time from the hardware clock

[root@freelinux ~]# hwclock --hctosys

The post Quick tip: Set date and time in Linux appeared first on Free Linux Tutorials.

1. Verify if snmp package is installed, there are few ways

[root@localhost ~]# rpm -qa | grep snmp

[root@localhost ~]# snmpwalk
-bash: snmpwalk: command not found

[root@localhost ~]# ls /etc/snmp*
ls: /etc/snmp*: No such file or directory

This mean net-snmp package is not installed yet

2. Install net-snmp & net-snmp-utils package via yum or up2date

CentOS/Fedora:
[root@localhost ~]# yum install net-snmp net-snmp-utils
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* base: mirror.usonyx.net
* extras: mirror.usonyx.net
* updates: mirror.usonyx.net
Setting up Install Process
Resolving Dependencies
–> Running transaction check
—> Package net-snmp.i386 1:5.3.2.2-17.el5_8.1 set to be updated
–> Processing Dependency: libsensors.so.3 for package: net-snmp
—> Package net-snmp-utils.i386 1:5.3.2.2-17.el5_8.1 set to be updated
–> Running transaction check
—> Package lm_sensors.i386 0:2.10.7-9.el5 set to be updated
–> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package              Arch       Version                    Repository     Size
================================================================================
Installing:
net-snmp             i386       1:5.3.2.2-17.el5_8.1       updates       703 k
net-snmp-utils       i386       1:5.3.2.2-17.el5_8.1       updates       191 k
Installing for dependencies:
lm_sensors           i386       2.10.7-9.el5               base          511 k

Transaction Summary
================================================================================
Install       3 Package(s)
Upgrade       0 Package(s)

Total download size: 1.4 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): net-snmp-utils-5.3.2.2-17.el5_8.1.i386.rpm        | 191 kB     00:00
(2/3): lm_sensors-2.10.7-9.el5.i386.rpm                  | 511 kB     00:01
(3/3): net-snmp-5.3.2.2-17.el5_8.1.i386.rpm              | 703 kB     00:01
——————————————————————————–
Total                                           408 kB/s | 1.4 MB     00:03
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing     : lm_sensors                                               1/3
Installing     : net-snmp                                                 2/3
Installing     : net-snmp-utils                                           3/3

Installed:
net-snmp.i386 1:5.3.2.2-17.el5_8.1  net-snmp-utils.i386 1:5.3.2.2-17.el5_8.1

Dependency Installed:
lm_sensors.i386 0:2.10.7-9.el5

Complete!

RHEL:
up2date -v -i net-snmp-utils net-snmp

3. Configure /etc/snmp/snmpd.conf, basic config would be specifying the community string. You can use any text editor like vi or use echo command

[root@localhost ~]# echo rocommunity freelinuxtutorials >> /etc/snmp/snmpd.conf

4. Restart snmp service

[root@localhost ~]# service snmpd restart
Stopping snmpd: [FAILED]
Starting snmpd: [  OK  ]

5. Check snmpd if it’s working using snmp utilities like snmpwalk. You should get an output something like this:

[root@localhost ~]# snmpwalk -v2c -c freelinuxtutorials localhost
SNMPv2-MIB::sysDescr.0 = STRING: Linux localhost.localdomain 2.6.18-308.13.1.el5 #1 SMP Tue Aug 21 17:10:06 EDT 2012 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (356) 0:00:03.56

Quick tip:

To make sure snmpd will start on boot, use chkconfig command
Sample:
[root@localhost init.d]# ls -l /etc/rc3.d/ | grep snmpd
lrwxrwxrwx 1 root root 15 Aug 29 15:56 K50snmpd -> ../init.d/snmpd

[root@localhost init.d]# chkconfig snmpd on
[root@localhost init.d]# ls -l /etc/rc3.d/ | grep snmpd
lrwxrwxrwx 1 root root 15 Aug 29 15:57 S50snmpd -> ../init.d/sn

Notice snmpd changed from K50 to S50, meaning snmpd will start on boot. Enjoy!

The post Install and Configure SNMP client on Linux appeared first on Free Linux Tutorials.

FreeTDS Website: http://www.freetds.org/ choose FreeTDS source distribution

Compile parameter: –prefix=/usr/local/freetds –enable-msdblib

Then, copy /etc/ld.so.conf, to /usr/local/freetds/lib; and then run ldconfig

Step 2. Change /usr/local/freetds/etc/freetds.conf

[sql2k]

host = your.mssql.server.ip
port = 1433
client charset = cp950
tds version = 8.0

b. tds version: 4.2 (for MS SQL Server 6.x); 7.0 (for 7.x); 8.0 (for 2000)

Step 3. Test FreeTDS connect to MS SQL Server

#cd /usr/local/freetds/bin
#./tsql -S sql2k -U sa
1> use mydatabase
2> select * from mytable
3> go

it shows mytable if success

quit tsql:

1>    quit

Step 4. Recompile PHP Source

PHP website: http://www.php.net/

Before you re compile, please use php run echo phpinfo(); check the existing configure parameter, and then add  –with-mssql=/usr/local/freetds

example:

./configure ‘–prefix=/usr/local/php_4.3.10′ ‘–localstatedir=/var’ ‘–disable-debug’ ‘–enable-pic’ ‘–disable-rpath’ ‘–enable-inline-
optimization’ ‘–with-bz2′ ‘–with-db4=/usr’ ‘–with-curl’ ‘–with-exec-dir=/usr/bin’ ‘–with-freetype-dir=/usr’ ‘–with-png-dir=/usr’ ‘–with-gd’ ‘–enable-gd-native-ttf’ ‘–without-gdbm’ ‘–with-gettext’ ‘–with-ncurses’ ‘–with-gmp’ ‘–with-iconv’ ‘–with-jpeg-dir=/usr’ ‘–with-
openssl’ ‘–with-png’ ‘–with-pspell’ ‘–with-regex=system’ ‘–with-xml’ ‘–with-expat-dir=/usr’ ‘–with-dom’ ‘–with-dom-xslt=/usr’ ‘–with-dom-exslt=/usr’ ‘–with-xmlrpc=shared’ ‘–with-pcre-
regex=/usr’ ‘–with-zlib’ ‘–with-layout=GNU’ ‘–enable-bcmath’ ‘–enable-exif’ ‘–enable-ftp’ ‘–enable-magic-quotes’ ‘–enable-safe-mode’ ‘–enable-sockets’ ‘–enable-sysvsem’ ‘–enable-sysvshm’ ‘–enable-track-vars’ ‘–enable-trans-sid’ ‘–enable-yp’ ‘–enable-wddx’ ‘–with-pear=/usr/share/pear’ ‘–with-imap=shared’ ‘–with-imap-ssl’ ‘–with-kerberos’ ‘–with-ldap=shared’ ‘–with-mysql’ ‘–with- pgsql=shared’ ‘–with-snmp’ ‘–with-snmp=shared’ ‘–enable-ucd-snmp-hack’ ‘–with-unixODBC’ ‘–enable-memory-limit’ ‘–enable-bcmath’ ‘–enable-shmop’ ‘–enable-calendar’ ‘–enable-dbx’ ‘– enable-dio’ ‘–enable-mcal’ ‘–enable-mbstring’ ‘–enable-mbstr-enc-trans’ ‘–enable-mbregex’ ‘–with-apxs2=/usr/sbin/apxs’ ‘–with-mssql=/usr/local/freetds’

After compile?installation, cp php.ini-dist /prefix/lib/php.ini

Step 5. Startup Apache HTTP Server for testing

Sample Code:

<?php

mssql_connect(‘sql2k’,’sa’,”);
mssql_select_db(‘mydatabase’);
$rs = mssql_query(‘select * from mytable’);
list($column01) = mssql_fetch_row($rs);
echo $column01;
?>

It show mytable if success.

The post Quick tip: how to connect linux php applications to MSSQL via freetds appeared first on Free Linux Tutorials.