My thirsty for knowledge

Configuring NTP Client on Red Hat Linux

2009-09-24T03:02:00.000-07:00

To keep the server time accurate, we must have to synchronize with any of the available time server in local or internet, here I am describing the steps to synchronize time with locally configured NTP server in the network.

Open the ntp.conf file in any of the text editor (VI, nano etc)

vi /etc/ntp.conf ( add local NTP server ip address)

server 192.168.X.X # local clock

vi /etc/ntp/step-tickers (add your ntp server ip address)

192.168.X.X

service ntpd start

chkconfig --level 2345 ntpd on

What if, time to be updated only once, use this command, ntp service must be stopped before running this command.

ntpdate 192.168.X.X (IP address of NTP server)

tail -f vs less +F

2009-07-23T02:25:00.001-07:00

When I was fist seen this command, I was thinking ohhhh god why I haven't seen this command long time back, this could have make my life much more easier.

tail -f /var/log/messages

The main advantages of tail -f is that, you can monitor logs real time it will keep on appending logs as it goes, but what if I have found one error and want to look back what went wrong, I have to quit the tail and open the file in VI or with less.

There comes the advantage of less +F, you can monitor logs real time it will keep on appending logs as it goes, and if I found error I can execute ctrl+c to stop appending real time log and can go back and check what went wrong, once I verified and can again start appending log by executing capital F

less +F /var/log/messages

This does the same thing as tail -f but it will also show the entire file, just press ctrl + c to navigate around the log file. When you want to view the log in real time again just type a capital F.

Configuring iSCSI initiator on Red Hat Linux 4 and 5

2009-06-04T04:54:00.000-07:00

I was configuring iSCSI initiator in one of our Red Hat Linux 4 server, couple of weeks ago, after a day's work at last I became successful. Ohhh thank GOD. Last week again I have asked to configure iSCSI on Red Hat Linux 5 server I was cool, I already did this on RHEL 4, but after installing the package on RHEL 5 and looking at configuration file takes my breath away, a completely new configuration file not even able to compare with RHEL4. Ohhhh GOD help me. Again after a days work I was successful sharing my work with you guys it may helpful to you.

Configuring iSCSI initiator in Red Hat Enterprise Server 4

iSCSI (Internet Small Computer System Interface)

Concepts

Initiator

An initiator functions as an iSCSI client. An initiator typically serves the same purpose to a computer as a SCSI bus adapter would, except that instead of physically cabling SCSI devices (like hard drives and tape changers), an iSCSI initiator sends SCSI commands over an IP network. An initiator falls into two broad types:

Software initiator

A software initiator uses code to implement iSCSI. Typically, this happens in a kernel-resident device driver that uses the existing network card (NIC) and network stack to emulate SCSI devices for a computer by speaking the iSCSI protocol. Software initiators are available for most mainstream operating systems, and this type is the most common mode of deploying iSCSI on computers.

Hardware initiator

A hardware initiator uses dedicated hardware, typically in combination with software (firmware) running on that hardware, to implement iSCSI. A hardware initiator mitigates the overhead of iSCSI and TCP processing and Ethernet interrupts, and therefore may improve the performance of servers that use iSCSI.

Target

iSCSI refers to a storage resource located on an iSCSI server (more generally, one of potentially many instances of iSCSI running on that server) as a "target". An iSCSI target usually represents hard disk storage. As with initiators, software to provide an iSCSI target is available for most mainstream operating systems.
Common deployment scenarios for an iSCSI target include:

Storage array

In a data center or enterprise environment, an iSCSI target often resides in a large storage array, such as a NetApp filer or an EMC Corporation NS-series computer appliance. A storage array usually provides distinct iSCSI targets for numerous clients.[1]

Software target

In a smaller or more specialized setting, mainstream server operating systems (like Linux, Solaris or Windows Server 2008) and some specific-purpose operating systems (like NexentaStor, StarWind iSCSI Target, FreeNAS, iStorage Server, OpenFiler or FreeSiOS) can provide iSCSI target's functionality.

Addressing

Special names refer to both iSCSI initiators and targets. iSCSI provides three name-formats:

iSCSI Qualified Name (IQN)
Format: iqn.yyyy-mm.{reversed domain name} (e.g. iqn.2001-04.com.acme:storage.tape.sys1.xyz) (Note: there is an optional colon with arbitrary text afterwards. This text is there to help better organize or label resources.)

Extended Unique Identifier (EUI)

Format: eui.{EUI-64 bit address} (e.g. eui.02004567A425678D)
T11 Network Address Authority (NAA)
Format: naa.{NAA 64 or 128 bit identifier} (e.g. naa.52004567BA64678D)
IQN format addresses occur most commonly. They are qualified by a date (yyyy-mm) because domain names can expire or be acquired by another entity.

Installation on Red Hat Linux 4

# rpm -ivh iscsi-initiator-utils-4.0.3.0-7.i386.rpm

IQN no of Red Hat Linux 4 Server (/etc/initiatorname.iscsi file)

Each iSCSI device on the network, be it initiator or target, has a unique iSCSI node name. Red Hat uses the iSCSI Qualified Name (IQN) format with the initiator that ships with Red Hat Enterprise Linux. In the IQN format, a node name consists of a predefined section, chosen based on the initiator manufacturer, and a unique device name section which is editable by the administrator.
Provide this IQN number to your IPSAN Administrator he will create and assign LUN to this IQN

Important

In any case, if the iqn number (iqn number will look like this iqn.1987-05.com.cisco:01.f9dbc6d6567) is not displayed in /etc/initiatorname.iscsi , you can generate the iqn number using iscsi-iname command and paste it on the /etc/initiatorname.iscsi

Configuration ( /etc/iscsi.conf)

Terms

To globally configure a CHAP username and password for initiator
authentication by the target(s), uncomment the following lines:

Outgoingusername is something we create at Target to authenticate the LUN assigned to this

OutgoingUsername=
OutgoingPassword=

To globally configure a CHAP username and password for target(s)
authentication by the initiator, uncomment the following lines:

IncomingUsername=
IncomingPassword=

Settings in config file ( /etc/iscsi.conf)

DiscoveryAddress=ipaddress or hostname of your IPSAN
OutgoingUsername=username created in targetserver for accssing this LUN
OutgoingPassword= password created in targetserver for accssing this LUN
LoginTimeout=15

Installation on Red Hat Linux 5

# rpm -ivh iscsi-initiator-utils-6.2.0.868-0.18.el5.i386.rpm

IQN no of Red Hat Linux 5 Server (/etc/iscsi/initiatorname.iscsi)

Important

In any case, if the iqn number (iqn number will look like this iqn.1987-05.com.cisco:01.f9dbc6d6567) is not displayed in /etc/iscsi/initiatorname.iscsi , you can generate the iqn number using iscsi-iname command and paste it on the /etc/iscsi/initiatorname.iscsi

Configuration ( /etc/iscsi/iscsid.conf)

Settings

# To enable CHAP authentication set node.session.auth.authmethod
# to CHAP. The default is None.
node.session.auth.authmethod = CHAP

# To set a CHAP username and password for initiator
# authentication by the target(s), uncomment the following lines:
node.session.auth.username = testuser
node.session.auth.password = testpassword

# To enable CHAP authentication for a discovery session to the target
# set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
discovery.sendtargets.auth.authmethod = CHAP

# To set a discovery session CHAP username and password for the initiator
# authentication by the target(s), uncomment the following lines:
discovery.sendtargets.auth.username = testuser
discovery.sendtargets.auth.password = testpassword

#service iscsi restart

Will get the output like this

Stopping iSCSI daemon:
iscsid dead but pid file exists [ OK ]
Turning off network shutdown. Starting iSCSI daemon: [ OK ]
[ OK ]
Setting up iSCSI targets: iscsiadm: No records found!
[ OK ]

Now discover the targets.

#iscsiadm -m discovery -t sendtargets -p 192.168.x.x ( IP address of Target)

# service iscsi restart

Will get like this
Logging out of session [sid: 1, target: iqn.1991-05.com.microsoft:aio1200-oracle-rac-target, portal: 192.168.x.x,3260]
Logout of [sid: 1, target: iqn.1991-05.com.microsoft:aio1200-oracle-rac-target, portal: 192.168.x.x,3260]: successful
Stopping iSCSI daemon:
iscsid dead but pid file exists [ OK ]
Turning off network shutdown. Starting iSCSI daemon: [ OK ]
[ OK ]
Setting up iSCSI targets: Logging in to [iface: default, target: iqn.1991-05.com.microsoft:aio1200-oracle-rac-target, portal: 192.168.251.10,3260]
Logging in to [iface: default, target: iqn.1991-05.com.microsoft:aio1200-oracle-rac-target, portal: 192.168.x.x,3260]

Important.

If you made any changes to the configuration file first remove the iqn from cache using this command

#iscsiadm -m node -T iqn.1991-05.com.microsoft:aio1200-oracle-rac-target -o delete

After issuing this command restart the iscsi to take effect the configuration you changed

#Service iscsi restart

After restarting the service discover again using

#iscsiadm -m discovery -t sendtargets -p 192.168.x.x (IP address of Target)

SSH to server without password using RSA key

2009-05-06T22:49:00.000-07:00

I came across a requirement for automatically logging into the server without entering password, This can done using the RSA

Simple Way (Better to try this)

Client (from where you want to access the server)

1.Run the following command on the client (from where you want to access the
server)
#ssh-keygen -t rsa

2.id_rsa and id_rsa.pub files will be created inside $HOME/.ssh

3.Copy id_rsa.pub to the server's .ssh directory (Create folder $HOME/.ssh in server if dosen't exist)

#scp $HOME/.ssh/id_rsa.pub user@server:/home/user/.ssh

Server

4.Change to /home/user/.ssh and create file authorized_keys containing id_rsa.pub content
#cd /home/user/.ssh
#cat id_rsa.pub >> authorized_keys

5.Change the authorized_keys permission to 644 (rw-r--r--)
#chmod 644 authorized_keys

6.Enable rsa authentication in /etc/ssh/sshd_config in both the machines (server and client)
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

7.Restart sshd service ( service sshd restart)

8.You can try ssh to the server from the client and no password will be needed
#ssh user@server

A much more complex way

In the server where you want to give access
#ssh-keygen –t rsa

Give password

This will create two files Private key and public key in $HOME/.ssh/id_rsa.pub and $HOME/.ssh/id_rsa

#scp /root/.ssh/id_rsa.pub test@192.168.*.*:/home/test/.ssh/
# scp /root/.ssh/id_rsa test@192.168.*.*:/home/test/.ssh/
#exec ssh-agent bash
#ssh-add /root/.ssh/id_rsa

Remote Side

Create a user
#Useradd test
#Passwd test
#su – test

$mkdir /home/test/.ssh
$chmod 700 .ssh
$cat /home/test/.ssh/id_rsa >> /home/test/.ssh/ authorized_keys (if ssh2 then use authorized_keys2)

$ exec ssh-agent bash
$ssh-add /root/.ssh/id_rsa

Allowing New port in Juniper Firewall SSG5

2009-05-06T22:33:00.000-07:00

I was digging for allowing a new port in Juniper SSG5 firewall, an entry level firewall which used for internet connection, after long R&D i was able to do that, and planning to share it with you
A step by step approach for more clarity

1.Internet explorer take http://192.168.x.x or https://192.168.x.x Userid: netscreen
and password

Step - I

Creating a port

1.Policy ->Policy elements ->Services -> Custom -> Click on New
a.Give service name abc(for which purpose you are opening port give
description of that ex- if you are opening port 1111 for abc give service
name abc)
b.Select Transport protocol -> TCP
c.Source port -> Low =0 High -> 65535 (default)
d.Destination port -> Low= 1111(the port you want to open ex-1111)
High=1111(the port you want to open ex-1111) low and high should be same

Step - II
Assigning new port to group

1.Policy -> Policy elements -> Services -> Group -> edit group1
a. Select the service name you have given from left side and add them

Red Hat Enterprise 5 Hardening

2009-05-06T21:24:00.000-07:00

Want to harden your Red Hat production server ????????????

Try this

www.redhat.com/promo/summit/2008/downloads/pdf/hardening-rhel5.pdf

Fail over using heartbeat

2009-05-05T23:38:00.000-07:00

You can configure any server DNS,DHCP,FTP etc for automatic fail over using heartbeat component, This is one of the great tool i have came across. Read the success stores here http://www.linux-ha.org/SuccessStories. download heartbeat http://www.linux-ha.org/ from here and start using