Tuesday, December 29, 2009
Linux Commands for Beginning Server Administrators
Most new Linux administrators want one easy-to-read list of the essential commands needed for daily server management and maintenance. I've updated my beginner administrator command list below in the hope that it will help you quickly become self-sufficient in Linux server use.
Please feel free to share these commands. My only request is that you let others know where you got them so that I may be able to help them as well!
You may also benefit from more basic commands such as: beginner commands, more advanced commands, and file permissions.
Please consider running these administrator commands on occasion with the --help parameter to read through all of their options. For example, try running the command: du --help
Also note that if a server command you run produces far more output than one screen, you can pipe the output through more (written |more and referred to as "pipe more"). This displays the output one screen at a time. Press the space key to advance one page, and the enter key to advance one line. For example: ps -A |more
Beginner Server Administrator Commands
Command, summary, and most common use
arp
Command mostly used for checking existing Ethernet connectivity and IP address
Most common use: arp
This command should be used in conjunction with the ifconfig and route commands. It is mostly useful to me for checking a network card and getting the IP address quickly. Obviously there are many more parameters, but I am trying to share the basics of server administration, not the whole book of commands.
df
Display filesystem information
Most common use: df -h
Great way to keep tabs on how much hard disk space you have on each mounted file system. You should also review our other commands like file permissions here.
du
Display disk usage
Most common use, under a specific directory: du -a
Easily and quickly identify the size of files/programs in certain directories. A word of caution: you should not run this command from the / directory, because it will display the size of every file on the entire Linux hard disk.
This command is also particularly handy if you are checking system resources. Although I provide a number of Linux networking related commands if you're interested.
find
Find locations of files/directories quickly across entire filesystem
Most common use: find / -name appname -type d -xdev
(replace the word appname with the name of a file or application like gimp)
This is a very powerful command and is best used when running as root or superuser. The danger is that you will potentially look across every single file on every filesystem, so the syntax is very important. The example shown searches every directory below / for a directory named appname (-type d) but stays on the filesystem that / is on (-xdev) rather than descending into other mounted filesystems. It may sound complex, but the example shown allows you to find a program you may need within seconds!
Other, more complex but beneficial, uses include the -exec option, which executes a command on each file that is found.
You may also try the locate or slocate commands.
ifconfig
Command line tool to configure or check all network cards/interfaces
Most common uses: ifconfig and also ifconfig eth0 10.1.1.1
Using the plain ifconfig command will show you the details of all the already configured network cards or interfaces. This is a great way to check that your network hardware is working properly. You may also benefit from this review of server configuration. Using the many other options of ifconfig, such as the one listed, allows you to assign a particular interface a static IP address. I only show an example and not a real-world command above. Also review some commands for file permissions here. Your best bet, if you want to configure your network card using this command, is to first read the manual pages. You access them by typing: man ifconfig
init
Allows you to switch the server to a specific runlevel
Most common use: init 5
This is a useful command when, for instance, a server fails to identify the video type and ends up dropping to the non-graphical boot-up mode (also called runlevel 3).
The server runlevels rely on scripts to basically start up a server with specific processes and tools upon bootup. Runlevel 5 is the default graphical runlevel for Linux servers. But sometimes you get stuck in a different mode and need to force a level. For those rare cases, the init command is a simple way to force the mode without having to edit the inittab file.
Of course, this command does not fix the underlying problem, it just provides a fast way to change levels as needed. For a more permanent correction to the runlevel, edit your /etc/inittab file to state: id:5:initdefault:
joe or nano
Easy to use command line editors that are often included with the major Linux flavors
Most common uses:
joe filename
nano filename
A real world example for you to get a better sense on how this works:
nano /etc/dhcp3/dhcpd.conf
This opens the dhcpd.conf configuration file in nano from the command line.
Maybe you are not up to speed on vi, or never learned how to use emacs? On most Linux flavors the text editor named joe or the one named nano is available. These basic but easy-to-use editors are useful for those who need a text editor on the command line but don't know vi or emacs. I do highly recommend that you learn and use the Vi and Emacs editors as well. Regardless, you will need to use a command line editor from time to time. You can also use the cat and more commands to list the contents of files, but this is basic stuff found under the basic Linux commands listing. Try: more filename to list the contents of the file named filename.
netstat
Summary of network connections and status of sockets
Most common uses: netstat and also netstat |head and also netstat -r
The netstat command displays all sockets and server connections. The top few lines are usually the most helpful for webserver administration. Therefore, if you are doing basic webserver work, you can quickly read the top lines of the netstat output by adding |head (the pipe and head commands). Using the -r option gives you a very good look at the network routing addresses. This is directly linked to the route command.
nslookup
Checks the domain name and IP information of a server
Most common use: nslookup www.hostname.com
You are bound to need this command for one reason or another. When performing server installation and configuration, this command gives you the existing root server IP and DNS information and can also provide details from other remote servers. Therefore, it is also a very useful security command: you can look up the DNS information for a particular host IP that you see showing up in your server access logs. Note there are some other commands like file permissions that may also help. There is a lot more to this command, and the man pages will get you the details: man nslookup
ping
Sends test packets to a specified server to check if it is responding properly
Most common use: ping 10.0.0.0 (replace the 10.0.0.0 with a true IP address)
This is an extremely useful command that is necessary to test network connectivity and response of servers. It creates a series of test packets of data that are then bounced to the server and back giving an indication whether the server is operating properly.
It is the first line of testing if a network failure occurs. If ping works but, for instance, FTP does not, then chances are that the server is configured correctly but the FTP daemon or service is not. However, if even ping does not work, there is a more significant server connectivity issue, like maybe the wires are not connected or the server is turned off! The outcome of this command is pretty much one of two things: either it works, or you get the message "destination host unreachable". It is a very fast way to check even remote servers.
ps
Lists all existing processes on the server
Most common uses: ps and also ps -A |more
The plain command lists the processes belonging to the user running it. This is helpful in case you run into problems and need, for instance, to kill a particular process that is stuck in memory. On the other hand, as a system administrator, I tend to use -A with the |more option. This lists every process running on the server, one screen at a time. Read more of our commands on our reallylinux.com help page. I use ps to quickly check what others are goofing with on my servers and often find that I'm the one doing the dangerous goofing!
rm
Removes/deletes directories and files
Most common use: rm -r name (replace name with your file or directory name)
The -r option makes the command also apply to each subdirectory within the directory. This works even for non-empty directories. For instance, if you are trying to delete the entire contents of directory x, which includes directories y and z, this command will do it in one quick process. That is much more useful than trying to use the rmdir command after deleting the files! Instead use the rm -r command and you will save time and effort. You may already have known this, but since server administrators end up spending a lot of time creating and deleting files, I included this tip!
route
Lists the routing tables for your server
Most common use: route -v
This is pretty much the exact same output as the command netstat -r. You can suit yourself which you prefer to run. I tend to type netstat commands a lot more than just route and so it applies less to my situation, but who knows, maybe you are going to love and use route the most!
shred
Deletes a file securely by overwriting its contents
Most common use: shred -v filename (replace filename with your specific file)
The -v option is useful since it provides a running view of exactly what the shred tool is doing while you wait. On especially big files this can take a bit of time. The result is that your file is so thoroughly deleted that it is very unlikely ever to be retrieved again. This is especially useful when trying to zap important server-related files that may include confidential information like user names or hidden processes. It is also useful for deleting those hundreds of love notes you get from some of the users on your server, another bonus of being a server administrator. :)
sudo
The super-user do command that allows you to run specific commands that require root access.
Most common use: sudo command (replace command with your specific one)
This command is useful when you are logged into a server and attempt a command that requires super-user or root privileges. In most cases, you can simply run the command through sudo, without having to log in as root. In fact, this is a very beneficial way to administer your server without daily use of the root login, which is potentially dangerous.
Note there are other commands for file permissions here. Below is a simple example of the sudo capabilities:
sudo ls /root
This command lists the contents of /root, which normally only root may read, without having to log in as root. Note that you must enter a password once when running a sudo command; by default sudo asks for your own password, not root's.
top
Displays many system statistics and details regarding active processes
Most common use: top
This is a very useful system administrator tool that basically gives you a summary view of the system, including the number of users, memory usage, CPU usage, and active processes. Often during the course of a day when running multiple servers, one of my X Window workstations just displays the top command from each of the servers as a very quick check of their status and stability.
touch
Allows you to change the timestamp on a file.
Most common use: touch filename
Using the basic touch command, as above, will simply force the current date and time upon the specified file. This is helpful, but not often used.
However, another option that I've used in the past when administering servers, is to force a specific timestamp on a set of files in a directory. Read more of our commands on our reallylinux.com help page.
For instance, to force a specific date and time upon all files in a directory, type:
touch *
You can also force a specific date/time stamp using the -t option like this: touch -t 200103041200.00 *
The command above will change all files in the current directory to take on the new date of March 4th, 2001 at noon. The syntax follows this pattern: YYYYMMDDhhmm.ss
YYYY represents the four digit year, then the two digit month, day, hour and minutes. You can even specify seconds as noted above. In any case, this is a useful way to control timestamps on any files on your server.
traceroute
Traces the existing network routing for a remote or local server
Most common use: traceroute hostname
(replace hostname with the name of your server such as reallylinux.com)
This is a very powerful network command that basically gives the exact route between your machine and a server. In some cases you can actually watch the network hops from country to country across an ocean, through data centers, etc. Read more of our commands on our reallylinux.com help page.
This comes in handy when trying to fix a network problem, such as when someone on the network cannot get access to your server while others can. It can help identify the break or error along the network path. One strong note to you: do not misuse this command! When you run traceroute, every one of the systems you see listed also sees YOU doing the traceroute, and therefore, as a matter of etiquette and respect, this command should be used when necessary, not for entertainment purposes. A key characteristic of gainfully employed server administrators: knowing when to use commands and when not to use them!
w
An extension of the who command that displays details of all users currently on the server
Most common uses: w
This is a very important system admin tool I use commonly to track who is on the server and what processes they are running. It is obviously most useful when run as a superuser.
The default setting for the w command is to show the long list of process details. You can also run the command w -s to review a shorter process listing, which is helpful when you have a lot of users on the server doing a lot of things! Remember that this is different from the who command, which can only display users, not their processes.
who
Tool used to monitor who is on the system and many other server related characteristics
Most common uses: who and also who -q and also who -b
The plain command just lists the names of users currently on the server. Using the -q option allows you to quickly view just the total number of users on the system. Using the -b option reminds you how long it has been since you rebooted that stable Linux server.
Linux Firewalls using IPTables
This beginner article provides details with regard to the basics of setting up a Linux firewall using the iptables tool. It's important to note that configuring firewalls is slightly different depending on which flavour you use.
If you are just starting out and need to enable a firewall on your Linux system, I suggest you try a basic tool such as lokkit (which is available in major flavours including Fedora/RedHat and Ubuntu). It is a very simple tool that walks you through a configuration. To use this, run the command: gnome-lokkit
For more information or to download the tool, you may visit: http://www.linux.org.uk/apps/lokkit.shtml
You may also be interested in a graphical tool, rather than using the command line to make changes to the iptables. If you prefer a graphical tool, there are many available on the Internet. Start with a visit to freshmeat.net.
Introduction to iptables
For those who don't know or are not aware, iptables is the Linux tool that controls network packets, allowing you to perform very fine grained control of network related transactions through a set of rules. The tool itself has been around for quite a while, and is based on Rusty Russell's excellent work.
But before you start creating rules using the iptables command, you also need to be aware that any rules you create will be lost if the server restarts. For this reason, most server administrators put the set of iptables commands they use into a bash script that runs each time the server is restarted. With some flavours, you can also run a command like: service iptables save. This ensures that your configuration is saved and is automatically loaded upon bootup.
Getting started
To use iptables, you apply rules to network packets that are either inbound (INPUT), outbound (OUTPUT), or being forwarded through your server (FORWARD). This is very important to understand.
To view the rules that are currently applied to your server, type the command: iptables -L
Basics of iptables
Creating properly functioning firewall rules depends on your knowledge of what your server is doing: which services listen on which ports, and on which interfaces.
For a secure server, it is best to set a default policy that DROPs all incoming traffic (iptables has no DENY target; that was the ipchains name) and then add explicit rules that allow only the exceptions you need, such as port 80 requests. This default-deny approach is far more thorough than trying to block the things you know are bad, because you could miss something important, such as one open port that will be used to attack your server.
It is also beneficial to use iptables together with a separate hardware or network firewall, since this provides several layers of defence and limits the damage of a mistake in either configuration.
Remember, that you can get all syntax details using the command: man iptables
Using firewall rules
Let's look at three sample rules and their core parts. Some of the longer command lines wrap in this column; each rule is a single command line, so type the whole thing.
iptables -P INPUT DROP
This rule is easy to understand and highly secure. It sets the default policy (-P) of the INPUT chain, which handles inbound packets, to DROP: any packet that no explicit rule accepts is silently discarded. Note that a policy can only be set on the built-in chains (INPUT, OUTPUT, FORWARD), not on chains you create yourself.
iptables -A INPUT -i lo -j ACCEPT
This rule is a bit more useful: it allows traffic on the loopback interface, which many local services (databases, mail, X) use to talk to each other. The append option (-A) adds the rule to the end of the INPUT chain. The rule matches packets arriving on (-i) the loopback interface (lo) and jumps to the ACCEPT target (-j ACCEPT), letting them through. If a locally installed application stops working after you enable the firewall, check this rule first.
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
This command also appends (-A) a rule to the INPUT chain, but it matches only packets arriving on the Ethernet interface (-i eth0), carrying TCP (-p tcp) and addressed to destination port 80 (--dport 80); those are accepted (-j ACCEPT). Because a chain is evaluated top to bottom and the policy applies only to packets that no rule matched, order matters: ACCEPT rules must come before any catch-all LOG or DROP rule.
If you put all three of these rules together into one script you have:
1. a server that blocks every inbound connection by default,
2. except that it allows local host connectivity through the loopback interface,
3. and allows inbound TCP requests to port 80.
You can also get finer-grained control by designating a specific IP address. The -d option matches the destination address (here, one of the server's own addresses); -s would match the source address of the client instead. For example, this accepts web traffic only when it is addressed to 196.1.1.2:
iptables -A INPUT -d 196.1.1.2 -i eth0 -p tcp --dport 80 -j ACCEPT
Sample Script
The options are truly limitless, but you need to be careful: with the INPUT policy set to DROP, any service you forget to allow, including the SSH session you are administering from, is cut off. Below is a basic script you may find useful for beginning your firewall rule settings. When copying this script remember that the longer commands may be wrapped over several lines:
#!/bin/bash
#
# iptables firewall settings for linux server
#
### FLUSH OLD RULES
# Start from empty chains so that running the script twice does not
# append a second copy of every rule
iptables -F INPUT
iptables -F FORWARD
### DEFAULT POLICY
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
### ESSENTIAL RULES
# Allow internal host packets on local interface
iptables -A INPUT -i lo -j ACCEPT
# Allow replies to connections this server opened itself (DNS answers,
# package updates); without this the INPUT DROP policy discards them
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### PROTOCOL LEVEL RULES
# Allow PORT 80 TCP packets on ethernet interface
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
# If you administer this server over SSH, add a matching rule for
# --dport 22 here, before the LOG rule, or you will lock yourself out
# LOG ALL OTHER PACKETS
# Logging for any failed packets for troubleshooting use; rate-limited
# so that a flood of unwanted packets cannot fill the log
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT: "
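The script above applies rules one command at a time, so a typo part-way through leaves the firewall half configured. The following is an added example, not code from the original article: a shell function that generates the same default-deny ruleset in iptables-restore(8) format, which the kernel loads atomically (all or nothing) and which is also the file format that service iptables save writes. The function name gen_rules, the default interface name eth0, the 5/min log limit and the port lists are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Builds a default-deny
# INPUT ruleset in iptables-restore format from a list of TCP ports.
# Assumptions: function name gen_rules, interface eth0 unless given,
# a 5/min limit on the LOG rule. Run as root:
#   gen_rules "22 80" > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
gen_rules() {
    ports="$1"            # whitespace-separated TCP ports to accept, e.g. "22 80"
    iface="${2:-eth0}"    # interface the services listen on

    printf '%s\n' '*filter'
    # Default policies: drop inbound and forwarded traffic, allow outbound
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback first, then replies to connections this host opened itself
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # One explicit exception per service port, NEW connections only
    for p in $ports; do
        case "$p" in
            ''|*[!0-9]*) printf 'gen_rules: bad port "%s"\n' "$p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            printf 'gen_rules: port out of range: %s\n' "$p" >&2; return 1
        fi
        printf '%s\n' "-A INPUT -i $iface -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Everything else is logged (rate-limited) and then falls to the DROP policy
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT: "'
    printf '%s\n' 'COMMIT'
}
```

Load the generated file from the console rather than over SSH the first time, then confirm with iptables -L -n -v. At boot, an iptables-restore of the saved file (or, on Red Hat systems, the same content in /etc/sysconfig/iptables) replaces the bash script entirely, and a malformed file is rejected as a whole instead of being applied half-way.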
Hopefully this brief introduction to firewalls helps you identify key rules that can make a more secure server. In the next issue, I will share the list of the most essential system administrator commands.
Friday, December 18, 2009
Linux System Setup
			  Linux System Setup
Linux Filesystem Access Types
For a list of programs used to work with filesystems, see the section "Making and Managing Filesystems". To access other filesystems you must first create them, or determine what is already on your computer. This example assumes you already have filesystems on your computer, such as DOS, Windows, or other Linux partitions, that you want to access.
1. Use one of two methods to determine what partitions are on each drive:
   1. Type "fdisk /dev/hda" for drive 1 or "fdisk /dev/hdb" for drive 2, then type p to see a list of each partition. Type q to exit without writing anything (never type w here unless you intend to change the partition table). The read-only form "fdisk -l /dev/hda" prints the same table and exits.
   2. An alternate method, assuming you can boot to the filesystem using LILO, is:
      1. Type "less /etc/lilo.conf"
      2. Look for the label used by LILO to select DOS, such as "dos", and use the associated device. The line on my system is "other=/dev/hda1", so I will use device "/dev/hda1". The disadvantage is that this method will not reveal filesystems with no operating system on them, such as partitions that hold only data.
2. Make directories for mount points for each of the other filesystems. For another Linux install such as Debian or Slackware, type "mkdir /debian" or "mkdir /slackw". For a foreign operating system partition such as DOS or Windows 98, type "mkdir /dos" or "mkdir /win98".
3. Type "mount -t msdos /dev/hda1 /dos", where /dev/hda1 is the DOS partition. Type "mount /dev/hda4 /win98" to mount the Windows filesystem, or "mount /dev/hda3 /slackw". Your filesystems may be on other partitions than those shown in the examples here.
4. You can unmount when done: "umount /dev/hda1". The shutdown scripts unmount all filesystems in any case when the system is shut down.
 
The following line in /etc/fstab will cause the system upon bootup to mount an msdos partition on /dev/hda1 on the directory /dos:
/dev/hda1 /dos vfat defaults 0 0
This works because the startup script /etc/rc.sysinit includes the line "mount -a -t nonfs,smbfs,ncpfs,proc", which mounts every filesystem listed in /etc/fstab except the network types named. You could also set the filesystem type to msdos. Read /usr/src/linux/fs/filesystems.c, or /proc/filesystems on a running system, for the list of filesystem types your kernel supports. The files /etc/mtab and /proc/mounts each record the filesystems currently mounted on your system. Read the mount man page for more information.
Another useful command is "hdparm -g /dev/hda" which is used to determine hard drive geometry (sectors, heads, cylinders).
Mounting other partitions or operating systems at startup
To mount other partitions at startup modify the "/etc/fstab" file. Each line in the file refers to a different filesystem. Fields are separated by whitespace. The primary filesystems must be mounted first, so they must be in correct order. Your native partition for the system you are running should be listed first. The fields are as follows:
1. The name of the device such as "/dev/hda1"
2. The mount point. Use "/" for root. Other typical mount points are "/dos" for DOS, "swap" or "none" for the swap partition, and "/mnt/floppy" for "/dev/fd0" (the floppy drive).
3. The type of filesystem: minix, ext, ext2 (Linux native), xiafs, msdos, vfat (FAT32 and long filenames), hpfs, ntfs, iso9660 (CD-ROM), nfs, swap (for swap space).
4. The mount options for use with the filesystem. Each filesystem type has different mount options; read the mount man page to see the possible options. ro = read only; user = allows normal users to mount the device. The options that matter most for security are nosuid, nodev and noexec, described in the option list below.
5. The frequency the filesystem needs to be dumped (backed up) by the dump command. For ext2, normally make it 1, for others make it 0. 0 or nothing means it is not dumped. If 1, it is backed up during a system backup.
6. A number telling the order in which the filesystems should be checked at reboot time by the fsck program. Your root filesystem should be 1, other filesystems that need checking 2 (they are checked after root, in parallel where they are on different drives), and 0 for anything that should not be checked, such as swap, CD-ROM and network filesystems.
To determine your hard drive's partitions and see what each partition holds which operating system, you may use the fdisk program. Just make sure you don't change your disk information. You can use the 'p' command to see a list of current partitions, then you can add them to your fstab file. Note: In order for the mount to succeed, you must have created the mount point subdirectory (except for root).
I like to install multiple copies of Linux on one computer for three reasons.
1. The second copy can serve as a backup to the first. If I totally screw up one copy of Linux, by changing kernels, etc, I can still get to the filesystem from the other system and straighten out my problems.
2. I can learn about other linux packages.
3. If a compile of a package fails on one system such as Redhat, I can try it on another system such as Slackware and it will probably work.
The fstab file
A typical /etc/fstab file:
/dev/hda2 / ext2 defaults 1 1
/dev/hdb1 /data auto defaults 0 0
/dev/hda1 /dos vfat defaults 0 0
/dev/hda3 /slackw ext2 defaults 0 0
/dev/hda4 swap swap defaults 0 0
/dev/cdrom /mnt/cdrom iso9660 noauto,owner,ro 0 0
/dev/fd0 /mnt/floppy ext2 noauto,owner 0 0
none /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
These are the options:
* defaults - Use the default options: rw, suid, dev, exec, auto, nouser, and async.
* auto - Auto-detect the type of filesystem.
* noauto - The -a option (and therefore the boot-time mount -a) will not mount the filesystem.
* owner - Allow the owner of the device to mount it. Implies nosuid and nodev.
* ro - Read only.
* rw - Read and write allowed.
* user - Users have permission to mount this filesystem. Implies noexec, nosuid and nodev, unless a later option in the list turns them back on.
* users - Allows one user to mount and another user to unmount the filesystem. Implies the same restrictions as user.
* nosuid, nodev, noexec - Ignore set-user-ID bits, do not honour device nodes, and do not allow programs to be executed from the filesystem. Worth setting explicitly on any partition, such as /dos or /data, that another operating system or an untrusted user can write to, because "defaults" turns all three back on.
The /proc entry mounts the kernel's process information pseudo-filesystem, which tools such as ps need. The directories /data, /dos, and /slackw in this example must exist or their mounts will fail. The entries for the floppy and CD-ROM allow them to be unmounted automatically at shutdown if they are mounted; the "noauto" option in their entries keeps these devices from being mounted at startup.
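A small lint over fstab lines makes the field layout and the option rules above concrete. The following is an added example, not part of the original page: a shell function that reads fstab text on standard input and reports entries whose fsck pass is wrong, whose user-mountable options re-enable suid/dev/exec, or whose foreign filesystem is mounted with the suid and dev behaviour that "defaults" implies. The function name check_fstab, the warning labels and the sample fstab (modelled on the one shown above) are this example's own constructions.

```shell
#!/bin/sh
# Added example (not part of the original page): lint /etc/fstab lines.
# Checks the six-field layout described above and the mount options that
# matter for security. The function name check_fstab, the warning labels
# and the sample file are this example's own conventions.
# Usage: check_fstab < /etc/fstab
check_fstab() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                    # comments and blank lines
    NF < 4 || NF > 6 { print "fields:   " $0; bad++; next }
    {
        dev = $1; mp = $2; type = $3
        pass = (NF >= 6) ? $6 + 0 : 0                     # fields 5 and 6 default to 0
        # root must be fsck pass 1, and only root should be pass 1
        if (mp == "/" && pass != 1) { print "rootpass: " dev " has pass " pass ", expected 1"; bad++ }
        if (mp != "/" && pass == 1) { print "pass1:    " mp " (only / should be pass 1)"; bad++ }
        # expand the comma-separated option list into a set
        for (k in has) delete has[k]
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) has[o[i]] = 1
        usermount = ("user" in has) || ("users" in has) || ("owner" in has)
        # user/users/owner imply nosuid,nodev (and noexec for user/users);
        # naming suid, dev or exec again silently re-enables them
        if (usermount && (("suid" in has) || ("dev" in has) || ("exec" in has))) {
            print "override: " mp " re-enables suid/dev/exec on a user-mountable fs"; bad++
        }
        # "defaults" means suid,dev,exec: on a foreign or removable filesystem
        # that is one set-uid binary or device node away from root, so require
        # nosuid,nodev explicitly unless a user option already implies them
        if (type ~ /^(vfat|msdos|ntfs|iso9660|auto)$/ && !usermount &&
            !(("nosuid" in has) && ("nodev" in has))) {
            print "foreign:  " mp " (" type ") lacks nosuid,nodev"; bad++
        }
    }
    END { if (!bad) print "ok" }'
}

# Constructed sample modelled on the fstab shown above; not a real system
SAMPLE_FSTAB='/dev/hda2 / ext2 defaults 1 1
/dev/hdb1 /data auto defaults 0 0
/dev/hda1 /dos vfat defaults 0 0
/dev/hda3 /slackw ext2 defaults 0 2
/dev/hda4 swap swap defaults 0 0
/dev/cdrom /mnt/cdrom iso9660 noauto,owner,ro 0 0
/dev/fd0 /mnt/floppy ext2 noauto,user,exec 0 0
none /proc proc defaults 0 0'

# Run the lint over the constructed sample
lint_sample() { printf '%s\n' "$SAMPLE_FSTAB" | check_fstab; }
```

On the sample the lint reports /data and /dos (mounted with "defaults", so suid and dev are honoured on a filesystem anyone booting DOS can write to) and the floppy entry, where "exec" after "user" cancels the noexec that "user" implied. The CD-ROM passes because "owner" already implies nosuid,nodev.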
Note:
If you install an OS that wipes LILO, you can use the fdisk utility to toggle the bootable flag (change the boot partition). This can help, if the OS that wiped LILO can toggle this partition to a Linux filesystem.
Linux Tips
			  Linux Tips
Multiple Virtual Terminal access
There are normally 6 virtual terminals in Linux, available with Alt-F1 through Alt-F6, and each can be logged in as a different user. X sessions use the next set of function keys, F7 through F12: the first X session is on F7 (if started on a local terminal), the second on F8, and so forth. If an X session was started from F1 and you also have an active login on F2, type Ctrl-Alt-F2 to go from the X session to the virtual console on F2, and Ctrl-Alt-F7 to get back to the X session. This example assumes your terminals are set up in the standard manner, with 6 virtual terminals that spawn the getty program. You can check your setup in /etc/inittab, which should contain lines like the following:
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
See the section on init for further information on this file.
Linux Command line shortcuts
If you are typing a command on the command line, you can press the Tab key before the command is complete, and if you have typed enough characters for it to be unique, the shell will finish the command for you. If it is not yet unique and Tab is pressed twice, you will be given the choices.
Pasting text in files
There is a cut and paste mouse utility, gpm, that works with the virtual consoles and runs as a daemon. To use it:
1. Move your mouse to the text you want to cut or paste
2. Hold the left mouse button down
3. Drag the mouse to the end of the selected text
4. Release the mouse button
5. If deleting text, just press the "DEL" key for your final step. If pasting text, move the text cursor to the location you want to paste to by switching terminals with function keys, using arrow keys, etc.
6. If pasting, press the right mouse button.
 
Viewing previously displayed text
Text that has scrolled off the top of the screen may be viewed again using the Shift-PgUp key combination. The keys in the numeric keypad on the far right do not work for this function, only the grey PgUp and PgDn keys in the cluster between the main keyboard and the numeric keypad. If you want other keys to perform this function, you would need to map them in the console keymap (see loadkeys). Pressing any key other than PgUp or PgDn brings you back to the normal screen position.
Basic Linux Devices
			  Basic Linux Devices
The first partition on an IDE hard drive is called partition 1, and is /dev/hda1 if the drive is the primary IDE master.
/dev/fd0 Floppy disk
/dev/hda1 IDE Hard drive 1, partition 1
/dev/hdb3 IDE Hard drive 2, partition 3
/dev/sda1 First SCSI disk (sda), partition 1
/dev/sdc3 Third SCSI disk (sdc), partition 3
/dev/cdrom CD ROM drive
/dev/mouse Mouse device, sometimes a pointer to another device such as /dev/psaux, a ps/2 mouse driver.
primary IDE master /dev/hda
primary IDE slave /dev/hdb
secondary IDE master /dev/hdc
secondary IDE slave /dev/hdd
Init
			  Linux Init Program
The init program is the first program run after your kernel begins running. It is configured with the /etc/inittab file. By modifying your /etc/inittab file, you change your system configuration in the following areas:
1. Start up system run level.
2. Specify processes to be executed during system boot.
3. Specify processes to be run when the specified runlevel is entered.
4. Specify processes to be run on certain runlevels with actions like respawn so the process is restarted any time it terminates.
5. Specify certain actions or processes to be run if certain signals or user actions are indicated.
The previous section on LILO explained what runlevels are.
Below is an example inittab file with line numbers added on the left side for reference:
# inittab This file describes how the INIT process should set up
# the system in a certain run-level.
#
# Author: Miquel van Smoorenburg,
# Modified for RHS Linux by Marc Ewing and Donnie Barnes
#
# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
1) id:3:initdefault:
# System initialization.
2) si::sysinit:/etc/rc.d/rc.sysinit
3) l0:0:wait:/etc/rc.d/rc 0
4) l1:1:wait:/etc/rc.d/rc 1
5) l2:2:wait:/etc/rc.d/rc 2
6) l3:3:wait:/etc/rc.d/rc 3
7) l4:4:wait:/etc/rc.d/rc 4
8) l5:5:wait:/etc/rc.d/rc 5
9) l6:6:wait:/etc/rc.d/rc 6
# Things to run in every runlevel.
10) ud::once:/sbin/update
# Trap CTRL-ALT-DELETE
11) ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# When our UPS tells us power has failed, assume we have a few minutes
# of power left. Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
12) pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
# If power was restored before the shutdown kicked in, cancel it.
13) pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
# Run gettys in standard runlevels
14) 1:2345:respawn:/sbin/mingetty tty1
15) 2:2345:respawn:/sbin/mingetty tty2
16) 3:2345:respawn:/sbin/mingetty tty3
17) 4:2345:respawn:/sbin/mingetty tty4
18) 5:2345:respawn:/sbin/mingetty tty5
19) 6:2345:respawn:/sbin/mingetty tty6
# Run xdm in runlevel 5
# xdm is now a separate service
20) x:5:respawn:/etc/X11/prefdm -nodaemon
 
Line number 1 sets the runlevel to 3. Line numbers 3 through 9 will run the startup script /etc/rc.d/rc for the appropriate run level as selected on line 1. Line numbers 14 through 19 spawn login getty programs on 6 virtual terminals. Other lines perform such things as power management and trapping the CTRL-ALT-DEL keystrokes for shutdown. Please see the "How Linux Works CTDP Guide" for further information on the format of the inittab file and what the init program does.
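The inittab format above (id:runlevels:action:process) is simple enough to check with a few lines of awk. The following is an added example, not part of the original page: a shell function that reads an inittab on standard input, reports the default runlevel and every respawn entry active at a chosen runlevel, flags an initdefault of 0 or 6 (the mistake the file's own comments warn about) and shows what the ctrlaltdel entry will run, since anyone at the keyboard can trigger it without logging in. The function name inittab_report, the output labels and the embedded sample (the example file above without its reference numbers) are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the original page): parse inittab entries of the
# form id:runlevels:action:process and report what init does at a chosen
# runlevel, plus the mistakes the file's own comments warn about
# (initdefault set to 0 or 6, which halts or reboots the machine at boot).
# The function name, labels and sample are this example's own conventions.
# Usage: inittab_report 3 < /etc/inittab   (exit status 1 if problems found)
inittab_report() {
    awk -F: -v want="${1:-3}" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    NF < 4 { print "malformed: " $0; bad++; next }
    {
        id = $1; levels = $2; action = $3
        proc = $4; for (i = 5; i <= NF; i++) proc = proc ":" $i    # process may contain ":"
        if (action == "initdefault") {
            def = levels
            if (def == "0" || def == "6") { print "BAD initdefault " def " (halt/reboot at boot)"; bad++ }
        }
        # an empty runlevels field means every runlevel
        if (action == "respawn" && (levels == "" || index(levels, want) > 0))
            print "respawn@" want ": " id " -> " proc
        # whoever is at the keyboard can trigger this without logging in
        if (action == "ctrlaltdel")
            print "ctrlaltdel: " proc
    }
    END {
        if (def == "") { print "no initdefault (init will ask for a runlevel on the console)"; bad++ }
        else print "initdefault: " def
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample: the example inittab above without the reference numbers
SAMPLE_INITTAB='id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
ud::once:/sbin/update
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
x:5:respawn:/etc/X11/prefdm -nodaemon'

# Report on the constructed sample at the given runlevel
report_sample() { printf '%s\n' "$SAMPLE_INITTAB" | inittab_report "$1"; }
```

At runlevel 3 the sample yields the six getty entries and the ctrlaltdel line; at runlevel 5 the prefdm entry appears as well. On a server where unattended reboots from the console are unwanted, the ctrlaltdel line is the one to change.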
			  
			
 
		 
		  
		 The init program is the first program run after your kernel begins running. It is configured with the /etc/inittab file. By modifying your /etc/inittab file, you change your system configuration in the following areas:
1. Start up system run level.
2. Specify processes to be executed during system boot.
3. Specify processes to be run when the specified runlevel is entered.
4. Specify processes to be run on certain runlevels with actions like respawn so the process is restarted any time it terminates.
5. Specify certain actions or processes to be run if certain signals or user actions are indicated.
The previous section on LILO explained what runlevels are.
Below is an example inittab file with line numbers added on the left side for reference:
# inittab This file describes how the INIT process should set up
# the system in a certain run-level.
#
# Author: Miquel van Smoorenburg,
# Modified for RHS Linux by Marc Ewing and Donnie Barnes
#
# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
1) id:3:initdefault:
# System initialization.
2) si::sysinit:/etc/rc.d/rc.sysinit
3) l0:0:wait:/etc/rc.d/rc 0
4) l1:1:wait:/etc/rc.d/rc 1
5) l2:2:wait:/etc/rc.d/rc 2
6) l3:3:wait:/etc/rc.d/rc 3
7) l4:4:wait:/etc/rc.d/rc 4
8) l5:5:wait:/etc/rc.d/rc 5
9) l6:6:wait:/etc/rc.d/rc 6
# Things to run in every runlevel.
10) ud::once:/sbin/update
# Trap CTRL-ALT-DELETE
11) ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# When our UPS tells us power has failed, assume we have a few minutes
# of power left. Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
12) pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
# If power was restored before the shutdown kicked in, cancel it.
13) pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
# Run gettys in standard runlevels
14) 1:2345:respawn:/sbin/mingetty tty1
15) 2:2345:respawn:/sbin/mingetty tty2
16) 3:2345:respawn:/sbin/mingetty tty3
17) 4:2345:respawn:/sbin/mingetty tty4
18) 5:2345:respawn:/sbin/mingetty tty5
19) 6:2345:respawn:/sbin/mingetty tty6
# Run xdm in runlevel 5
# xdm is now a separate service
20) x:5:respawn:/etc/X11/prefdm -nodaemon
Line number 1 sets the default runlevel to 3. Lines 3 through 9 run the startup script /etc/rc.d/rc for whichever runlevel is being entered, so with line 1 as shown it is "/etc/rc.d/rc 3" that runs at boot. Lines 14 through 19 spawn login getty programs on six virtual terminals; because their action is respawn, init starts a fresh getty every time a login session on that terminal ends. Line 11 traps the console CTRL-ALT-DEL keystroke and reboots the machine, so on a server whose console can be reached by people who should not be able to reboot it, comment that line out. Lines 12 and 13 handle the power-failure and power-restored signals from a UPS daemon. After editing /etc/inittab, run "telinit q" to make init reread it. Please see the "How Linux Works CTDP Guide" for further information on the format of the inittab file and what the init program does.
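As an added example (my own code, not part of this page or of sysvinit), here is a small parser that reads an inittab in the format just described and answers the questions an administrator asks of it: the default runlevel, which processes init will respawn at a given runlevel, and what Ctrl-Alt-Del does. The sample inittab inside it is a subset of the page's example above with the reference numbers removed; the function names are assumptions of mine.

```python
"""Parse an inittab and answer the questions an administrator asks of it.

Added example, not part of the original page. SAMPLE_INITTAB is a subset of the
page's own example with the reference numbers stripped; the function names are
my own.
"""

SAMPLE_INITTAB = """\
# Default runlevel.
id:3:initdefault:
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
ud::once:/sbin/update
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
x:5:respawn:/etc/X11/prefdm -nodaemon
"""


def parse_inittab(text):
    """Return a list of (id, runlevels, action, process) tuples.

    Each non-comment line has the form id:runlevels:action:process. The
    process field may itself contain ':' so only the first three are split.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)
        if len(fields) != 4:
            raise ValueError("malformed inittab line: %r" % raw)
        ident, runlevels, action, process = fields
        entries.append((ident, runlevels, action.strip(), process.strip()))
    return entries


def default_runlevel(entries):
    """The runlevel init enters at boot, or None if inittab does not say."""
    for _, runlevels, action, _ in entries:
        if action == "initdefault":
            return int(runlevels)
    return None


def respawned_at(entries, runlevel):
    """Processes init keeps alive (restarts whenever they exit) in a runlevel."""
    level = str(runlevel)
    return [proc for _, levels, action, proc in entries
            if action == "respawn" and level in levels]


def ctrlaltdel_handler(entries):
    """What the console Ctrl-Alt-Del keystroke runs, or None if it is not trapped."""
    for _, _, action, proc in entries:
        if action == "ctrlaltdel":
            return proc
    return None


if __name__ == "__main__":
    ents = parse_inittab(SAMPLE_INITTAB)
    print("default runlevel:", default_runlevel(ents))
    print("respawned at runlevel 3:", respawned_at(ents, 3))
    print("Ctrl-Alt-Del runs:", ctrlaltdel_handler(ents))
```

Commenting out the "ca" line makes ctrlaltdel_handler return None, which is the state you want on a server in a shared rack.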
Apache Webserver Configuration
			  Apache Web Server
Introduction
The apache web server is called "httpd". The configuration files for it for many systems are in "/etc/httpd/conf". Their names are httpd.conf, srm.conf, access.conf, mime.types, and magic. The file srm.conf specifies the directory location of the root document with the "DocumentRoot" statement. The "DirectoryIndex" statement gives the name of the starting file. The file access.conf, is used to control user access to various html files. On my system, the initial startup file is "/home/httpd/html/index.html". Documentation is in /home/httpd/html/manual.
Apache Installation
There are many options that can be selected when installing Apache. Among them are selection of the modules to be compiled with the apache web server. This will be commented on at the appropriate installation step. In my installation, I installed Apache with PHP and mysql support. To get the Apache compile to work with mysql support, it was necessary for mysql to be installed from the source. When mysql was installed from binary, the apache compile failed. Here's the installation steps for installing Apache from a tarred and zipped source file:
1. Copy the source file to "/usr/src" or "/usr/local/src". The source file is called something like apache_1.3.19.tar.gz. Before unpacking it, verify the archive against the PGP signature (the .asc file) published alongside it on apache.org, so that you are not building from a tampered copy.
2. Type "cd /usr/src" or "cd /usr/local/src" depending on where you copied your file.
3. Type "tar xvzf apache_1.3.19.tar.gz" to decompress the source file. The directory "apache_1.3.19" is created.
4. Type "ln -s apache_1.3.19 apache" to create a symbolic link to the apache directory.
1. If installing PHP support with apache, copy the PHP source file "php-4.0.4pl1.tar.gz" from php.net to "/usr/src" or "/usr/local/src".
2. Type "tar xvzf php-4.0.4pl1.tar.gz" to decompress the source file.
5. Type "cd apache".
6. Documentation at the apache.org web site indicates to enter the "src" directory to perform the configuration and compile. However by reading the "INSTALL" files in the apache and apache/src directories, it can be done from inside the src directory or from the main apache directory. Either approach will work. There are various advantages and disadvantages to each approach. Compiling from inside the "src" directory allows easier module control by allowing the changing of the "Configuration" file. If done from the main directory, modules to be included or excluded from the default setting must be included on the command line. I have chosen to do the install using the "configure" file in the main directory since documentation indicates that some parameters may be overridden here and I am making no changes to the default included modules. If you want to install PHP support, there is a way to do it as documented in PHP INSTALL file, but I have not outlined that procedure here and have assumed you will be performing the install from the main directory if installing PHP. If you want to change the default modules by compiling in the "src" directory, follow the subset of instructions below.
1. Type "cd src".
2. Edit the file "Configuration" file.
3. Type "./Configure". I do not believe you can use the options "--sysconfdir" and "--logfiledir" to specify the configuration and logfile locations as I have done below.
4. Skip the next step (Step 7).
7. Type "./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd/conf --logfiledir=/var/log/httpd". I have added the "--sysconfdir" option to set the location where the apache configuration files will be, and the "--logfiledir" option to set the location where logging information is written for apache. If you are making changes to the default modules use the additional command line parameters "--enable-module=NAME" and "--disable-module=NAME" where "NAME" is the name of the module to be enabled or disabled. Read the "INSTALL" file in the main directory for more information and read the "src/Configuration" file to see what the module names are. If installing PHP support follow the subset of instructions below.
1. Type "cd .."
2. Type "cd php-4.0.4pl1"
3. Type "./configure --with-mysql=/usr/local/mysql --with-apache=../apache --enable-track-vars". This assumes you've already installed mysql in the "/usr/local/mysql" directory.
4. Type "make".
5. Type "make install".
6. Type "cd ../apache".
7. Type "./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd/conf --logfiledir=/var/log/httpd --activate-module=src/modules/php4/libphp4.a"
8. Type "make". Note: When I did my install, I got a compile error related to the mysql installation. If you installed the binary version of mysql, you may need to install it from the source version.
9. Type "make install". If installing PHP support follow the subset of instructions below.
1. Type "cd ../php-4.0.4pl1".
2. Type "cp php.ini-dist /usr/local/lib/php.ini".
3. Edit "/etc/httpd/conf/httpd.conf" or "/etc/httpd/conf/srm.conf" and add the following line:
AddType application/x-httpd-php .php
 
Configuration
At this point it is time to set up the apache configuration by modifying the apache configuration files and setting apache to start automatically. The apache configuration files are:
1. httpd.conf - This is the main configuration file. It is used to specify where the document root for the web server is found, various server parameters, directory permissions, where mime types for files are found, and addition of application type definitions and the associated handler for each application.
2. srm.conf - This file is used to configure apache server directives. These directives are now recommended to be put in the httpd.conf file.
3. access.conf - This file is used to control directory access and who can access the directories. The directory access control is now recommended to be put in the httpd.conf file.
Specific configuration parameters:
* Specification of the document root where the HTML main web page, "index.html" should be found. This line should look like:
DocumentRoot "/home/httpd/html"
* Additional parameters including:
o ServerRoot - Specifies where the server's main directory is.
ServerRoot "/usr/local/apache"
o ErrorLog and LogLevel - Specify where the web server keeps its error log file and the lowest severity that is written to it. LogLevel options, from most to least verbose, are debug, info, notice, warn, error, crit, alert, and emerg.
ErrorLog /var/log/httpd/error_log
LogLevel warn
o KeepAlive - Specifies whether persistent connections are to be supported.
KeepAlive On
o MaxKeepAliveRequests 100 - The maximum number of requests allowed on one persistent connection.
o KeepAliveTimeout 15 - The number of seconds the connection is kept open if no additional request is received from the client.
o The minimum and maximum number of idle server processes kept waiting for client requests, and the number of servers to start when the web server starts.
MinSpareServers 5
MaxSpareServers 10
StartServers 5
o MaxClients 150 - The maximum number of clients that may connect at one time to the web server.
o Port 80
o The user and group the web server is run as. The server starts as root to bind port 80 and then drops to this identity, so it must never be root; a dedicated account such as "apache" is preferable to "nobody", which other daemons may also use.
User nobody
Group nobody
* Directory entries are used to define options and access controls for a directory tree. The entry for the document root directory looks similar to the following:
<Directory "/home/httpd/html">
Options FollowSymLinks
AllowOverride None
</Directory>
AllowOverride controls which directives a .htaccess file in that tree may override. Its values include:
o None - .htaccess files are ignored (the safest and fastest setting, since the server does not look for them)
o AuthConfig
o FileInfo
o Limit
o All
Options include:
o ExecCGI - Allows CGI programs in the directory to be executed. Keep this off in any directory users can upload to.
o FollowSymLinks - Follows symbolic links, including links that point outside the document tree. SymLinksIfOwnerMatch follows a link only when the link and its target have the same owner, which stops a user from publishing someone else's files by linking to them.
o Includes - Server-side includes, which can run commands with the server's privileges unless IncludesNOEXEC is used instead.
o Indexes - Generates a directory listing when no index file is present, which exposes every file in the directory.
o MultiViews
o None - No options
o All - All options except MultiViews
* Permissions - Are set with statements such as:
Order deny,allow
Deny from all
or:
Order allow,deny
Allow from all
The argument to Order is written as one word, with no space after the comma. <Limit> and </Limit> tag pairs restrict the enclosed directives to particular HTTP methods, such as:
o GET
o POST
o OPTIONS
o PROPFIND
* <Files> and </Files> tag pairs can be set to limit access to specific file types the same as is done with directory entries above. The stock configuration uses one to deny access to .htaccess and .htpasswd files; keep it.
* CGI directory definition, which defines what directory CGI application files are kept in and allows these files to be run. Other directories can be permitted to execute CGI files if the ExecCGI option is specified in their directory entries, but confining CGI programs to one directory keeps them reviewable. With the ServerRoot above, the default CGI directory is /usr/local/apache/cgi-bin:
<Directory "/usr/local/apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
* AddType and AddHandler statements. These statements map file types to the programs that handle them. You will likely need this set of entries to run PHP.
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
To run server parsed SHTML files you will need:
AddType text/html .shtml
AddHandler server-parsed .shtml
This is just a partial list of common apache web server options. For a more complete guide, including setting up virtual hosts, refer to the Apache web server documentation.
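The following checker, added here as an example and not part of Apache or of this page, parses a simplified httpd.conf and flags the settings discussed above that widen exposure: a server running as root, AllowOverride other than None, and Indexes, FollowSymLinks or ExecCGI enabled on a directory that is not the CGI directory. The two configurations it is run against are constructed for the demonstration (the paths mirror those used on this page); it understands only top-level directives and <Directory> blocks.

```python
"""Audit an Apache 1.3-style httpd.conf for the permissive settings discussed above.

Added example; this is my own checker, not Apache code. The two configurations
below are constructed for the demonstration (directory paths mirror the ones
used on this page). Only top-level directives and <Directory> blocks are
parsed; <Files>, <Limit> and <VirtualHost> containers are not handled.
"""
import re

WEAK_CONF = """\
User nobody
Group nobody
DocumentRoot "/home/httpd/html"
<Directory "/home/httpd/html">
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
"""

HARDENED_CONF = """\
User nobody
Group nobody
DocumentRoot "/home/httpd/html"
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/home/httpd/html">
    Options -Indexes -ExecCGI +SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/usr/local/apache/cgi-bin">
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
"""

_OPEN = re.compile(r'^<Directory\s+"?([^">]+)"?\s*>$', re.I)


def parse_conf(text):
    """Return (global directives, {directory path: its directives}).

    Directives are (name, value) pairs in file order.
    """
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
            continue
        if line.lower() == "</directory>":
            current = None
            continue
        name, _, value = line.partition(" ")
        target = blocks[current] if current is not None else globals_
        target.append((name, value.strip()))
    return globals_, blocks


def audit(text, cgi_dirs=("/usr/local/apache/cgi-bin",)):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    globals_, blocks = parse_conf(text)
    for name, value in globals_:
        if name in ("User", "Group") and value == "root":
            findings.append("%s root: the server must not run as root" % name)
    for path, directives in blocks.items():
        for name, value in directives:
            if name == "AllowOverride" and value != "None":
                findings.append("%s: AllowOverride %s lets .htaccess files "
                                "change server policy" % (path, value))
            if name == "Options":
                # Tokens may carry a +/- prefix; only added or bare ones count.
                enabled = {t.lstrip("+") for t in value.split()
                           if not t.startswith("-")}
                if "Indexes" in enabled or "All" in enabled:
                    findings.append("%s: Indexes lists directory contents "
                                    "when no index file exists" % path)
                if "FollowSymLinks" in enabled or "All" in enabled:
                    findings.append("%s: FollowSymLinks follows links out of "
                                    "the tree; prefer SymLinksIfOwnerMatch" % path)
                if "ExecCGI" in enabled and path not in cgi_dirs:
                    findings.append("%s: ExecCGI outside the CGI directory "
                                    "runs any script that lands there" % path)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Run as a script it prints four findings for the weak configuration and none for the hardened one. The hardened version also closes the whole filesystem with a <Directory /> block that denies everything, so any directory not explicitly opened stays closed.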
Getting user filled out form data from the web
There are many types of programs that can be written to do this:
1. Perl CGI scripts
2. Shell CGI scripts
3. PHP scripts, which run on the server when the page is requested. PHP code is embedded in the HTML page, and the files carry the .php extension so that the handler configured above processes them.
4. Java Servlets
5. Compiled programs based on any language.
The CGI Environment:
The web server fills in a standard set of environment variables (REQUEST_METHOD, QUERY_STRING, CONTENT_LENGTH, CONTENT_TYPE, REMOTE_ADDR and others) in the environment of the child process it spawns to run a CGI program, and the program reads them by name. Form data arrives either in QUERY_STRING (GET) or on the program's standard input (POST, with CONTENT_LENGTH giving its size). These variables are visible only to that child process and whatever it runs, not to unrelated programs on the system. Everything in them comes from the remote client and must be treated as untrusted input: bound the amount you read, and escape values before echoing them back into HTML.
Terms:
* CGI - Common Gateway Interface. A set of rules (interface) for scripting and exchanging data over the web.
* SGML - Standard Generalized Markup Language. HTML is an application of this.
* URL - Uniform Resource Locator. Includes the protocol (HTTP, FTP, FILE, GOPHER), the host name, and the path name of the object.
* IIS - Microsoft's Internet Information Server (A web server for NT)
* IDC - Internet Database Connector
* ISAPI - Microsoft web programming (Internet Server Application Programming Interface)
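As an added example of the CGI environment described above (my own code, not from the page), the handler below takes the environment and the request body as arguments so that it can be exercised without a web server. It accepts a form field from either GET or POST, bounds the body it will read, rejects anything else with a 400 status, and HTML-escapes everything it echoes back. The environment dictionaries it is called with are constructed; under Apache the script is invoked with os.environ and standard input, which is what main() does.

```python
"""A minimal CGI form handler that reads the standard CGI environment.

Added example, not from the page. handle_request() takes the environment and
the raw request body as arguments so that it can be run without a web server;
main() wires it to os.environ and stdin for real CGI use.
"""
import html
import os
import sys
from urllib.parse import parse_qs

MAX_BODY = 64 * 1024  # refuse absurd POST bodies instead of buffering them


def read_form(env, body=b""):
    """Return the submitted fields as {name: [values]} for GET or POST.

    env is the CGI environment (a dict such as os.environ); body is the raw
    request body already read from standard input for POST.
    """
    method = env.get("REQUEST_METHOD", "GET")
    if method == "GET":
        raw = env.get("QUERY_STRING", "")
    elif method == "POST":
        ctype = env.get("CONTENT_TYPE", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            raise ValueError("unsupported content type: %r" % ctype)
        length_text = env.get("CONTENT_LENGTH", "0")
        if not length_text.isdigit() or int(length_text) > MAX_BODY:
            raise ValueError("bad or oversized CONTENT_LENGTH: %r" % length_text)
        raw = body[:int(length_text)].decode("utf-8", "replace")
    else:
        raise ValueError("unsupported method: %s" % method)
    return parse_qs(raw, keep_blank_values=True)


def handle_request(env, body=b""):
    """Build the complete CGI response (headers, blank line, HTML) as a string."""
    try:
        form = read_form(env, body)
    except ValueError as exc:
        return ("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n"
                "%s\r\n" % exc)
    name = form.get("name", [""])[0]
    # Every client-controlled value is HTML-escaped before it is echoed.
    # REMOTE_ADDR is set by the server rather than the client, but escaping
    # it too costs nothing.
    page = "<p>Hello, %s (from %s)</p>" % (
        html.escape(name), html.escape(env.get("REMOTE_ADDR", "?")))
    return "\r\n".join(["Content-Type: text/html; charset=utf-8", "",
                        "<html><body>", page, "</body></html>"]) + "\r\n"


def main():
    """Real CGI entry point: Apache supplies the environment and stdin."""
    length = os.environ.get("CONTENT_LENGTH", "")
    body = b""
    if length.isdigit() and int(length) <= MAX_BODY:
        body = sys.stdin.buffer.read(int(length))
    sys.stdout.write(handle_request(os.environ, body))


if __name__ == "__main__":
    main()
```

Note that the script never reads more than CONTENT_LENGTH bytes, and never more than MAX_BODY, because a client that lies about the length or never closes the connection would otherwise tie up one of the server's MaxClients slots for the whole read.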
			  
			
 
		 
Wednesday, December 9, 2009
Linux Files and File Permission
Linux files are setup so access to them is controlled. There are three types of access:
read
write
execute
Each file belongs to a specific user and group. Access to the files is controlled by user, group, and what is called other. The term, other, is used to refer to someone who is not the user (owner) of the file, nor is the person a member of the group the file belongs to. When talking about setting permissions for "other" users to use, it is commonly referred to as setting the world execute, read, or write bit since anyone in the world will be able to perform the operation if the permission is set in the other category.
File names and permission characters
File names can be up to 255 characters long. Any character except "/" and the NUL byte is allowed, but in practice names are made of letters, numbers, "-", "_" and ".".
When a long file listing is done, there are 10 characters shown on the left that indicate the type and permissions of the file. The syntax example used here is drwerwerwe, where "e" marks the execute position (a real listing shows "x" there).
There are a total of 10 characters in this example, as in every entry of a long listing. The first character indicates the type of file, and the next nine are three groups of read, write and execute permission for the three classes of user: user (the owner), group and other. Since there are three permissions for each of three classes, there are a total of nine permission bits. The table below shows the positions:
Position:  1      2     3      4        5     6      7        8     9      10
Class:     type   user permissions      group permissions     other permissions
Bit:       -      read  write  execute  read  write  execute  read  write  execute
Example:   d      r     w      e        r     w      e        r     w      e
Character 1 is the type of file: - is ordinary, d is directory, l is link.
Characters 2-4 show owner permissions. Character 2 indicates read permission, character 3 indicates write permission, and character 4 indicates execute permission.
Characters 5-7 show group permissions. Character 5=read, 6=write, 7=execute
Characters 8-10 show permissions for all other users. Character 8=read, 9=write, 10=execute
There are 5 possible characters in the permission fields. They are:
r = read - This is only found in the read field.
w = write - This is only found in the write field.
x = execute - This is only found in the execute field.
s = setuid (in the owner's execute position) or setgid (in the group's execute position) - This is only found in the execute field. A "t" in the last execute position is the sticky bit, described below.
If there is a "-" in a particular location, there is no permission. This may be found in any field whether read, write, or execute field.
Examples
Type "ls -l" and a listing like the following is displayed:
total 10
drwxrwxrwx 4 george team1 122 Dec 12 18:02 Projects
-rw-rw-rw- 1 george team1 1873 Aug 23 08:34 test
-rw-rw-rw- 1 george team1 1234 Sep 12 11:13 datafile
Reading the first entry field by field:
drwxrwxrwx     type and permission field
4              number of links
george         file's owner
team1          file's group
122            size in bytes
Dec 12 18:02   date of last modification
Projects       file name
The fields are as follows:
Type field: The first character in the field indicates a file type of one of the following:
d = directory
l = symbolic link
s = socket
p = named pipe
- = regular file
c = character (unbuffered) device special file
b = block (buffered) device special file
Permissions are explained above.
Links: The number of directory entries that refer to the file. In our example, there are four.
The file's owner in our example is George.
The group the file belongs to. In our example, the group is team1.
The size of the file in bytes
The last modification date. If the file was modified within roughly the last six months, the date and time are shown; for older files (or files with a timestamp in the future) the year is shown in place of the time.
The name of the file.
Set User Identification Attribute
The file permission bits include an execute permission bit for file owner, group and other. When the owner's execute position shows "s", the set user ID bit is set. This causes any person or process that runs the file to run it with the privileges of the file's owner. When the group's execute position shows "s", the set group ID bit is set and the program runs with the privileges of the group the file belongs to. The following command:
chmod u+s myfile
sets the user ID bit on the file "myfile". (Plain "chmod +s myfile", with no "u", sets both the set user ID and the set group ID bits.) The command:
chmod g+s myfile
sets the group ID bit on the file "myfile".
The listing below shows a listing of two files that have the group or user ID bit set.
-rws--x--x 1 root root 14024 Sep 9 1999 chfn
-rwxr-sr-x 1 root mail 12072 Aug 16 1999 lockfile
The files chfn and lockfile are located in the directory "/usr/bin". The "s" takes the place of the normal location of the execute bit in the file listings above; if the execute bit underneath it is not set, ls shows a capital "S" instead and the special bit has no effect. A set user ID bit only matters when someone other than the owner can execute the file, so in these listings it is the group and other execute bits that give the "s" its meaning. In both files, everyone can execute the binary. The first program, when run, executes as though the caller were root. The second runs with "mail" as the caller's effective group.
For system security reasons it is not a good idea to set many program's set user or group ID bits any more than necessary, since this can allow an unauthorized user privileges in sensitive system areas. If the program has a flaw that allows the user to break out of the intended use of the program, then the system can be compromised.
Directory Permissions
There are two special bits in the permissions field of directories. They are:
s - Set group ID
t - Save text attribute (sticky bit) - Files in the directory may be deleted or renamed only by their owner, the directory's owner, or root, even though every user can write to the directory.
Save text attribute
The /tmp directory is typically world-writable and looks like this in a listing:
drwxrwxrwt 13 root root 4096 Apr 15 08:05 tmp
Everyone can read, write, and access the directory. The "t" indicates that only the owner of a file in this directory (plus the owner of the directory and root) can delete or rename that file. Without it, any user could delete any other user's temporary files.
To set the sticky bit in a directory, do the following:
chmod +t data
This option should be used carefully. A possible alternative to this is
Create a directory in the user's home directory to which he or she can write temporary files.
Set the TMPDIR environment variable using each user's login script.
Programs using the tempnam(3) function will look for the TMPDIR variable and use it, instead of writing to the /tmp directory.
Directory Set Group ID
If the setgid bit on a directory is set, files created in that directory get the group ownership of the directory, instead of the primary group of the user that created the file. Subdirectories created inside it inherit the setgid bit as well.
This attribute is helpful when several users need access to the same files. If the users work in a directory with the setgid attribute set, then any file created in the directory by any of the users will belong to the directory's group. For example, the administrator can create a group called spcprj and add the users Kathy and Mark to it. The directory spcprjdir can be created with the set GID bit set, and Kathy and Mark, although in different primary groups, can work in the directory and share its files while still not being able to access files in each other's primary group. Note that the setgid bit only controls which group owns new files; whether the group may write to them still depends on the creating user's umask, so members need a umask of 002 (or must run chmod g+w) for true shared editing.
The following command will set the GID bit on a directory:
chmod g+s spcprjdir
The directory listing of the directory "spcprjdir":
drwxrwsr-x 2 kathy spcprj 1674 Sep 17 1999 spcprjdir
The "s'' in place of the execute bit in the group permissions causes all files written to the directory "spcprjdir" to belong to the group "spcprj" .
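To make the permission characters, the setuid/setgid bits and the sticky bit concrete, here is an added example (my own helpers, not from the page or from coreutils) that converts a ten-character ls -l mode string to the octal mode and back, treating the "s", "S", "t" and "T" cases exactly as described in the three sections above.

```python
"""Translate between ls -l permission strings and octal modes, including the
setuid, setgid and sticky bits.

Added example; these are my own helpers, not part of the page or of coreutils.
"""
import stat

# One entry per column of the nine-character permission field:
# (permission bit, letter when set, special bit shown in the same column,
#  (letter if the execute bit is also set, letter if it is not))
_COLUMNS = (
    (stat.S_IRUSR, "r", 0, None),
    (stat.S_IWUSR, "w", 0, None),
    (stat.S_IXUSR, "x", stat.S_ISUID, ("s", "S")),
    (stat.S_IRGRP, "r", 0, None),
    (stat.S_IWGRP, "w", 0, None),
    (stat.S_IXGRP, "x", stat.S_ISGID, ("s", "S")),
    (stat.S_IROTH, "r", 0, None),
    (stat.S_IWOTH, "w", 0, None),
    (stat.S_IXOTH, "x", stat.S_ISVTX, ("t", "T")),
)
_TYPES = "-dlspcb"   # the type characters listed on this page


def parse_mode(text):
    """'-rws--x--x' -> 0o4711: permission bits plus special bits (no type)."""
    if len(text) != 10 or text[0] not in _TYPES:
        raise ValueError("not a 10-character mode string: %r" % text)
    mode = 0
    for ch, (perm, letter, special, specials) in zip(text[1:], _COLUMNS):
        if ch == "-":
            continue
        if ch == letter:
            mode |= perm
        elif specials and ch in specials:
            mode |= special
            if ch == specials[0]:      # lower case: the execute bit is set too
                mode |= perm
        else:
            raise ValueError("unexpected %r in %r" % (ch, text))
    return mode


def format_mode(mode, file_type="-"):
    """The inverse: 0o4711 -> '-rws--x--x'."""
    out = [file_type]
    for perm, letter, special, specials in _COLUMNS:
        if special and mode & special:
            out.append(specials[0] if mode & perm else specials[1])
        else:
            out.append(letter if mode & perm else "-")
    return "".join(out)


def special_bits(text):
    """Names of the special bits present in a mode string, for a quick audit."""
    mode = parse_mode(text)
    names = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"),
             (stat.S_ISVTX, "sticky"))
    return [name for bit, name in names if mode & bit]


if __name__ == "__main__":
    for line in ("-rws--x--x", "-rwxr-sr-x", "drwxrwxrwt", "drwxrwsr-x"):
        print(line, "%04o" % parse_mode(line), special_bits(line))
```

The listings on this page come out as 4711 (chfn), 2755 (lockfile), 1777 (/tmp) and 2775 (spcprjdir), which are also the numbers you would pass to chmod to reproduce them.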
Examples
Below are examples of making changes to permissions:
chmod u+x myfile Gives the user execute permission on myfile.
chmod +x myfile Gives everyone execute permission on myfile (bits set in the umask are left alone).
chmod ugo+x myfile Same as the above command, but explicitly names user, group and other, so the umask is not consulted.
chmod 400 myfile Gives the user read permission, and removes all other permission. These permissions are specified in octal; the first digit is for the user, the second for the group and the third for other. Within each digit the high bit (4) is read access, the middle bit (2) is write access, and the low bit (1) is execute access.
chmod 764 myfile Gives the user full access, the group read and write access, and other read access.
chmod 751 myfile Gives the user full access, the group read and execute permission, and other execute permission only.
chmod u+s myfile Sets the setuid bit.
chmod go=rx myfile Sets the group and other permissions to exactly read and execute, which removes any write permission they had.
Below are examples of making changes to owner and group:
chown mark test1 Changes the owner of the file test1 to the user mark.
chgrp mark test1 Changes the file test1 to belong to the group "mark".
Note: Linux files were displayed with a default tab value of 8 in older Linux versions. That means that file names longer than 8 characters may not be displayed fully if you are using an old Linux distribution. There is an option associated with the ls command that solves this problem. It is "-T". Ex: "ls -al -T 30" to make the tab length 30.
Umask Settings
The umask command is used to set and determine the default file creation permissions on the system. It names the permission bits that are taken away from whatever mode a program asks for when it creates a file. Programs ask for:
777 - Executable files and directories
666 - Text (data) files
These requests allow everyone to execute an executable file and nobody to execute a text file, and allow all users to read and write the file; the umask then strips bits from that.
The permission of a newly created file is the requested mode with every bit that is set in the umask cleared (in C terms, mode & ~umask). With the common umask values this looks like digit-by-digit subtraction, as in this example for a text file with a umask value of 022:
666 Requested permission for text file
-022 Minus the umask value
-----
644 Allowed permissions
The subtraction shortcut only works while no digit has to borrow: with a umask of 027 a text file gets 640, not 639, because the 7 clears the bits 4, 2 and 1 and the 6 only ever had 4 and 2 set. Therefore the umask value is an expression of the permissions the user, group and world will not have by default with regard to reading, writing, or executing the file. The umask value 022 means the group the file belongs to and users other than the owner will not be able to write to the file. In this case, when a new text file is created it will have a permission value of 644, which means the owner can read and write the file, but members of the group the file belongs to, and all others, can only read the file. A long directory listing of a file with these permissions is shown below.
-rw-r--r-- 1 root workgrp 14233 Apr 24 10:32 textfile.txt
A example command to set the umask is:
umask 022
The most common umask setting is 022. The /etc/profile script is where the umask command is usually set for all users.
Red Hat Linux has a user and group ID creation scheme where there is a group for each user and only that user belongs to that group. If you use this scheme consistently you only need to use 002 for your umask value with normal users.
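The following added example (mine, not the page's) computes the permissions a new file receives under a umask the way the kernel does, shows where the subtraction shortcut breaks, and confirms the result on a real file created in a temporary directory. It assumes a POSIX system.

```python
"""Work out the permission bits a new file gets under a given umask.

Added example, not from the page. The umask is applied as a bit mask, never by
decimal subtraction; effective_mode() does it the way the kernel does, and
create_and_stat() checks that against a real file in a temporary directory.
"""
import os
import stat
import tempfile

BASE_TEXT = 0o666   # what open(O_CREAT) and text editors ask for
BASE_EXEC = 0o777   # what compilers, linkers and mkdir ask for


def effective_mode(base, umask):
    """Bits requested by the program minus the bits the umask forbids."""
    return base & ~umask & 0o777


def subtraction_mode(base, umask):
    """The 'subtract the umask' rule of thumb, done on the printed digits.

    Returns the decimal number you would write down; it is wrong whenever a
    digit would have to borrow (e.g. 666 under 027 gives 639, not 640).
    """
    return int("%o" % base) - int("%o" % umask)


def create_and_stat(umask, executable=False):
    """Create a file under the umask and return its actual permission bits."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "newfile")
            base = BASE_EXEC if executable else BASE_TEXT
            fd = os.open(path, os.O_CREAT | os.O_WRONLY, base)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)   # never leave a changed umask behind in the process


if __name__ == "__main__":
    for mask in (0o022, 0o002, 0o027, 0o077):
        print("umask %03o: text file %03o, executable %03o, subtraction says %03d"
              % (mask, effective_mode(BASE_TEXT, mask),
                 effective_mode(BASE_EXEC, mask),
                 subtraction_mode(BASE_TEXT, mask)))
    print("real text file under umask 027: %03o" % create_and_stat(0o027))
```

A umask of 027 or 077 is what you want on a server where users should not read each other's files by default; 022 (the usual default) leaves every new file world-readable.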
Finding Files in Linux
There are three good methods of finding files in linux:
The slocate database
The whereis command
The find command
The slocate database
To use the locate command, you will need to have a slocate database set up on your system. On many systems it is updated periodically by the cron daemon. Try the locate command to see if it works on your system:
locate whereis 
will list all files whose path contains the string "whereis". If that command did not work, or reports a missing database, run the following as root:
slocate -u 
This command builds the slocate database, which allows you to use the locate command. It will take a few minutes to run. Note that locate reports what was on disk when the database was last built, not what is there now.
The whereis command
This command will locate binary (or executable) programs and their respective man pages. The command:
whereis linuxconf 
will find all binaries and manpages with the name linuxconf.
The find command
The following are examples of the find command:
find /home -user mark
Will find every file under the directory /home owned by the user mark.
find /usr -name '*spec'
Will find every file under the directory /usr ending in "spec". The pattern is quoted so that the shell passes it to find unchanged instead of expanding it against the current directory.
find /var/spool -mtime +40
Will find every file under the directory /var/spool that was last modified more than 40 days ago.
Find is a very powerful program and very useful for finding files with various characteristics. For more information, read the man page about find by typing "man find".
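The three find searches above, as an added example that is not part of the original article. It builds a small constructed directory tree in a scratch directory and runs each search against it, so the effect of every criterion can be seen on known input. It goes one step beyond the text by adding a -perm search for world-writable files, since that is the find criterion most often used when auditing the file permissions discussed earlier on this page. The tree layout, file names and function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: the find searches from the
# text run against a constructed scratch tree, plus a -perm audit.

# make_tree  ->  path of a new scratch tree (caller removes it when done)
make_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/pkg" "$dir/var/spool/mail"
    : > "$dir/usr/pkg/httpd.spec"
    : > "$dir/usr/pkg/httpd.spec.bak"          # does not end in .spec
    : > "$dir/var/spool/mail/fresh"
    : > "$dir/var/spool/mail/stale"
    : > "$dir/var/spool/mail/shared"
    # POSIX touch -t CCYYMMDDhhmm: backdate one file to 1 January 2009
    touch -t 200901010000 "$dir/var/spool/mail/stale"
    chmod 666 "$dir/var/spool/mail/shared"       # deliberately world-writable
    printf '%s\n' "$dir"
}

# find TREE/usr -name '*.spec' : the pattern is quoted so find, not the
# shell, matches it
files_named_spec() {
    find "$1/usr" -type f -name '*.spec' | sort
}

# find TREE/var/spool -mtime +DAYS : files last modified more than DAYS days ago
count_older_than() {
    find "$1/var/spool" -type f -mtime +"$2" | wc -l | tr -d ' '
}

# find TREE -user NAME : files owned by the current user (id -un)
count_owned_by_me() {
    find "$1" -type f -user "$(id -un)" | wc -l | tr -d ' '
}

# find TREE -perm -002 : files that any user on the system may write to
world_writable() {
    find "$1" -type f -perm -002 | sort
}

# Stand-alone demonstration.
tree=$(make_tree)
echo "spec files:         $(files_named_spec "$tree")"
echo "older than 40 days: $(count_older_than "$tree" 40)"
echo "owned by $(id -un):  $(count_owned_by_me "$tree")"
echo "world-writable:     $(world_writable "$tree")"
rm -rf "$tree"
```

The -mtime +40 search matches only the backdated file; the -perm -002 search matches only the file whose mode was set to 666, which is exactly the kind of file a umask of 022 is meant to prevent.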
Locating man pages by subject
There is a keyword option in the man command that can be used to find man pages that have specific words in their descriptions. An example is:
man -k process 
to find all man pages that talk about processes. Use the command:
man -k process |grep kernel
to find information on kernel processes. An equivalent command is the apropos command as follows:
apropos process 
The which command
The which(1) program is a useful command for finding the full path of the executable program that would be executed if the name of the executable program is entered on the command line. The command:
which startx 
Will show the full path of the startx command that will be run if "startx" is entered on the command line when an X session is started.
Basic Unix Commands
A
alias Create an alias
apropos Search Help manual pages (man -k)
apt-get Search for and install software packages (Debian)
aspell Spell Checker
awk Find and Replace text, database sort/validate/index
B
bash GNU Bourne-Again SHell
bc Arbitrary precision calculator language
bg Send to background
break Exit from a loop
builtin Run a shell builtin
bzip2 Compress or decompress named file(s)
C
cal Display a calendar
case Conditionally perform a command
cat Display the contents of a file
cd Change Directory
cfdisk Partition table manipulator for Linux
chgrp Change group ownership
chmod Change access permissions
chown Change file owner and group
chroot Run a command with a different root directory
cksum Print CRC checksum and byte counts
clear Clear terminal screen
cmp Compare two files
comm Compare two sorted files line by line
command Run a command - ignoring shell functions
continue Resume the next iteration of a loop
cp Copy one or more files to another location
cron Daemon to execute scheduled commands
crontab Schedule a command to run at a later time
csplit Split a file into context-determined pieces
cut Divide a file into several parts
D
date Display or change the date & time
dc Desk Calculator
dd Convert and copy a file, write disk headers, boot records
ddrescue Data recovery tool
declare Declare variables and give them attributes
df Display free disk space
diff Display the differences between two files
diff3 Show differences among three files
dig DNS lookup
dir Briefly list directory contents
dircolors Colour setup for `ls'
dirname Convert a full pathname to just a path
dirs Display list of remembered directories
du Estimate file space usage
E
echo Display message on screen
egrep Search file(s) for lines that match an extended expression
eject Eject removable media
enable Enable and disable builtin shell commands
env Environment variables
ethtool Ethernet card settings
eval Evaluate several commands/arguments
exec Execute a command
exit Exit the shell
expect Automate arbitrary applications accessed over a terminal
expand Convert tabs to spaces
export Set an environment variable
expr Evaluate expressions
F
false Do nothing, unsuccessfully
fdformat Low-level format a floppy disk
fdisk Partition table manipulator for Linux
fg Send job to foreground
fgrep Search file(s) for lines that match a fixed string
file Determine file type
find Search for files that meet a desired criteria
fmt Reformat paragraph text
fold Wrap text to fit a specified width.
for Expand words, and execute commands
format Format disks or tapes
free Display memory usage
fsck File system consistency check and repair
ftp File Transfer Protocol
function Define Function Macros
G
gawk Find and Replace text within file(s)
getopts Parse positional parameters
grep Search file(s) for lines that match a given pattern
groups Print group names a user is in
gzip Compress or decompress named file(s)
H
hash Remember the full pathname of a name argument
head Output the first part of file(s)
history Command History
hostname Print or set system name
I
id Print user and group id's
if Conditionally perform a command
ifconfig Configure a network interface
ifdown Stop a network interface
ifup Start a network interface up
import Capture an X server screen and save the image to file
install Copy files and set attributes
J
join Join lines on a common field
K
kill Stop a process from running
L
less Display output one screen at a time
let Perform arithmetic on shell variables
ln Make links between files
local Create variables
locate Find files
logname Print current login name
logout Exit a login shell
look Display lines beginning with a given string
lpc Line printer control program
lpr Off line print
lprint Print a file
lprintd Abort a print job
lprintq List the print queue
lprm Remove jobs from the print queue
ls List information about file(s)
lsof List open files
M
make Recompile a group of programs
man Help manual
mkdir Create new folder(s)
mkfifo Make FIFOs (named pipes)
mkisofs Create an hybrid ISO9660/JOLIET/HFS filesystem
mknod Make block or character special files
more Display output one screen at a time
mount Mount a file system
mtools Manipulate MS-DOS files
mv Move or rename files or directories
N
netstat Networking information
nice Set the priority of a command or job
nl Number lines and write files
nohup Run a command immune to hangups
nslookup Query Internet name servers interactively
O
open Open a file in its default application
op Operator access
P
passwd Modify a user password
paste Merge lines of files
pathchk Check file name portability
ping Test a network connection
popd Restore the previous value of the current directory
pr Prepare files for printing
printcap Printer capability database
printenv Print environment variables
printf Format and print data
ps Process status
pushd Save and then change the current directory
pwd Print Working Directory
Q
quota Display disk usage and limits
quotacheck Scan a file system for disk usage
quotactl Set disk quotas
R
ram ram disk device
rcp Copy files between two machines.
read read a line from standard input
readonly Mark variables/functions as readonly
renice Alter priority of running processes
remsync Synchronize remote files via email
return Exit a shell function
rm Remove files
rmdir Remove folder(s)
rsync Remote file copy (Synchronize file trees)
S
screen Multiplex terminal, run remote shells via ssh
scp Secure copy (remote file copy)
sdiff Merge two files interactively
sed Stream Editor
select Accept keyboard input
seq Print numeric sequences
set Manipulate shell variables and functions
sftp Secure File Transfer Program
shift Shift positional parameters
shopt Shell Options
shutdown Shutdown or restart linux
sleep Delay for a specified time
slocate Find files
sort Sort text files
source Run commands from a file `.'
split Split a file into fixed-size pieces
ssh Secure Shell client (remote login program)
strace Trace system calls and signals
su Substitute user identity
sudo Execute a command as another user
sum Print a checksum for a file
symlink Make a new name for a file
sync Synchronize data on disk with memory
T
tail Output the last part of files
tar Tape ARchiver
tee Redirect output to multiple files
test Evaluate a conditional expression
time Measure Program running time
times User and system times
touch Change file timestamps
top List processes running on the system
traceroute Trace Route to Host
trap Run a command when a signal is set(bourne)
tr Translate, squeeze, and/or delete characters
true Do nothing, successfully
tsort Topological sort
tty Print filename of terminal on stdin
type Describe a command
U
ulimit Limit user resources
umask Users file creation mask
umount Unmount a device
unalias Remove an alias
uname Print system information
unexpand Convert spaces to tabs
uniq Uniquify files
units Convert units from one scale to another
unset Remove variable or function names
unshar Unpack shell archive scripts
until Execute commands (until error)
useradd Create new user account
usermod Modify user account
users List users currently logged in
uuencode Encode a binary file
uudecode Decode a file created by uuencode
V
v Verbosely list directory contents (`ls -l -b')
vdir Verbosely list directory contents (`ls -l -b')
vi Text Editor
vmstat Report virtual memory statistics
W
watch Execute/display a program periodically
wc Print byte, word, and line counts
whereis Report all known instances of a command
which Locate a program file in the user's path.
while Execute commands
who Print all usernames currently logged in
whoami Print the current user id and name (`id -un')
Wget Retrieve web pages or files via HTTP, HTTPS or FTP
X
xargs Execute utility, passing constructed argument list(s)
Y
yes Print a string until interrupted
. Run a command script in the current shell
Linux Directory Structure
Note: Files are grouped according to purpose. Ex: commands, data files, documentation.
Parts of a Unix directory tree. See the FSSTND standard (Filesystem standard)
/ Root
|---root The home directory for the root user
|---home Contains the user's home directories
| |----ftp Users include many services as listed here
| |----httpd
| |----samba
| |----user1
| |----user2
|---bin Commands needed during bootup that might be needed by normal users
|---sbin Like bin but commands are not intended for normal users. Commands run by LINUX.
|---proc This filesystem is not on a disk. Exists in the kernel's imagination (virtual). This directory holds information about kernel parameters and system configuration.
| |----1 A directory with info about process number 1. Each process has a directory below proc.
|---usr Contains all commands, libraries, man pages, games and static files for normal operation.
| |----bin Almost all user commands. Some commands are in /bin or /usr/local/bin.
| |----sbin System admin commands not needed on the root filesystem, e.g., most server programs.
| |----include Header files for the C programming language. Should be below /usr/lib for consistency.
| |----lib Unchanging data files for programs and subsystems
| |----local The place for locally installed software and other files.
| |----man Manual pages
| |----info Info documents
| |----doc Documentation for various packages
| |----tmp
| |----X11R6 The X Window System files. There is a directory similar to usr below this directory.
| |----X386 Like X11R6 but for X11 release 5
|---boot Files used by the bootstrap loader, LILO. Kernel images are often kept here.
|---lib Shared libraries needed by the programs on the root filesystem
| |----modules Loadable kernel modules, especially those needed to boot the system after disasters.
|---dev Device files for devices such as disk drives, serial ports, etc.
|---etc Configuration files specific to the machine.
| |----skel When a home directory is created it is initialized with files from this directory
| |----sysconfig Files that configure the Linux system for networking, keyboard, time, and more.
|---var Contains files that change: mail, news, printer log files, man pages, temp files
| |----file
| |----lib Files that change while the system is running normally
| |----local Variable data for programs installed in /usr/local.
| |----lock Lock files. Used by a program to indicate it is using a particular device or file
| |----log Log files from programs such as login and syslog, which logs all logins, logouts, and other system messages.
| |----run Files that contain information about the system that is valid until the system is next booted
| |----spool Directories for mail, printer spools, news and other spooled work.
| |----tmp Temporary files that are large or need to exist for longer than they should in /tmp.
| |----catman A cache for man pages that are formatted on demand
|---mnt Mount points for temporary mounts by the system administrator.
|---tmp Temporary files. Programs running after bootup should use /var/tmp.
VSFTPD Server Configuration
Introduction
The File Transfer Protocol (FTP) is used as one of the most common means of copying files between servers over the Internet. Most web based download sites use the built in FTP capabilities of web browsers and therefore most server oriented operating systems usually include an FTP server application as part of the software suite. Linux is no exception.
This chapter will show you how to convert your Linux box into an FTP server using the default Very Secure FTP Daemon (VSFTPD) package included in Fedora.
FTP Overview
FTP relies on a pair of TCP ports to get the job done. It operates over two connection channels, as I'll explain:
FTP Control Channel, TCP Port 21: All commands you send and the ftp server's responses to those commands will go over the control connection, but any data sent back (such as "ls" directory lists or actual file data in either direction) will go over the data connection.
FTP Data Channel, TCP Port 20: This port is used for all subsequent data transfers between the client and server.
In addition to these channels, there are several varieties of FTP.
Types of FTP
From a networking perspective, the two main types of FTP are active and passive. In active FTP, the FTP server initiates a data transfer connection back to the client. For passive FTP, the connection is initiated from the FTP client.
From a user management perspective there are also two types of FTP: regular FTP, in which files are transferred using the username and password of a regular user on the FTP server, and anonymous FTP, in which general access is provided to the FTP server using a well known universal login method.
Take a closer look at each type.
Active FTP
The sequence of events for active FTP is:
Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over this connection.
Whenever the client requests data over the control connection, the server initiates data transfer connections back to the client. The source port of these data transfer connections is always port 20 on the server, and the destination port is a high port (greater than 1024) on the client.
Thus the ls listing that you asked for comes back over the port 20 to high port connection, not the port 21 control connection.
FTP active mode therefore transfers data in a way that is counterintuitive for TCP, as the server selects port 20 as its source port (not a random high port greater than 1024) and connects back to the client on a random high port that was pre-negotiated over the port 21 control connection.
Active FTP may fail in cases where the client is protected from the Internet via many to one NAT (masquerading). This is because the firewall will not know which of the many servers behind it should receive the return connection.
Passive FTP
Passive FTP works differently:
Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as ls and get are sent over that connection.
Whenever the client requests data over the control connection, the client initiates the data transfer connections to the server. The source port of these data transfer connections is always a high port on the client with a destination port of a high port on the server.
Passive FTP should be viewed as the server never making an active attempt to connect to the client for FTP data transfers. Because the client always initiates the required connections, passive FTP works better for clients protected by a firewall.
As Windows defaults to active FTP, and Linux defaults to passive, you'll probably have to accommodate both forms when deciding upon a security policy for your FTP server.
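The active and passive exchanges described above, as an added example that is not part of the original chapter. The two modes differ only in who announces the data-channel endpoint and who connects to it: in passive mode the server answers the client's PASV with "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and the client connects to h1.h2.h3.h4, port p1*256+p2, on the server; in active mode the client sends "PORT h1,h2,h3,h4,p1,p2" and the server connects from its port 20 to that address and port on the client. A firewall that cannot read these messages cannot know which high port to open, which is the root of the firewall problems discussed later. The helpers below decode both messages; the sample messages are constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original chapter: decode the endpoint that a
# PASV reply (passive FTP) or a PORT command (active FTP) announces for the
# data channel. Sample messages are constructed.

# endpoint_from_csv 'h1,h2,h3,h4,p1,p2'  ->  h1.h2.h3.h4:port
endpoint_from_csv() {
    oldifs=$IFS
    IFS=,
    set -- $1                      # split the six comma-separated numbers
    IFS=$oldifs
    [ $# -eq 6 ] || { echo "malformed endpoint" >&2; return 1; }
    printf '%s.%s.%s.%s:%d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# pasv_endpoint '227 Entering Passive Mode (192,168,1,10,195,149)'
# Server-side address and port the client must connect to (passive FTP).
pasv_endpoint() {
    case $1 in 227*) ;; *) echo "not a PASV reply" >&2; return 1 ;; esac
    inner=${1#*\(}                 # drop everything up to the opening parenthesis
    inner=${inner%%\)*}            # drop the closing parenthesis and anything after it
    endpoint_from_csv "$inner"
}

# port_endpoint 'PORT 10,0,0,5,4,1'
# Client-side address and port the server will connect back to (active FTP).
port_endpoint() {
    case $1 in "PORT "*) ;; *) echo "not a PORT command" >&2; return 1 ;; esac
    endpoint_from_csv "${1#PORT }"
}

# is_high_port HOST:PORT : true when the port is above 1024, the range the
# firewall rules in the text label "High"
is_high_port() {
    [ "${1##*:}" -gt 1024 ]
}

# Stand-alone demonstration of both directions.
for msg in '227 Entering Passive Mode (192,168,1,10,195,149)' 'PORT 10,0,0,5,4,1'; do
    case $msg in
        227*)  ep=$(pasv_endpoint "$msg"); who="client connects to server at" ;;
        PORT*) ep=$(port_endpoint "$msg"); who="server connects from port 20 to client at" ;;
    esac
    if is_high_port "$ep"; then hp="high port"; else hp="NOT a high port"; fi
    echo "$msg -> $who $ep ($hp)"
done
```

This is the parsing an FTP-aware firewall or connection tracker has to do on the port 21 control channel before it can permit the matching data connection; a plain port-based rule set has no way to learn the negotiated high port.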
Regular FTP
By default, the VSFTPD package allows regular Linux users to copy files to and from their home directories with an FTP client using their Linux usernames and passwords as their login credentials.
VSFTPD also has the option of allowing this type of access to only a group of Linux users, enabling you to restrict the addition of new files to your system to authorized personnel.
The disadvantage of regular FTP is that it isn't suitable for general download distribution of software as everyone either has to get a unique Linux user account or has to use a shared username and password. Anonymous FTP allows you to avoid this difficulty.
 
Anonymous FTP
Anonymous FTP is the choice of Web sites that need to exchange files with numerous unknown remote users. Common uses include downloading software updates and MP3s and uploading diagnostic information for a technical support engineers' attention. Unlike regular FTP where you login with a preconfigured Linux username and password, anonymous FTP requires only a username of anonymous and your email address for the password. Once logged in to a VSFTPD server, you automatically have access to only the default anonymous FTP directory (/var/ftp in the case of VSFTPD) and all its subdirectories.
As seen in Chapter 6, "Installing Linux Software", using anonymous FTP as a remote user is fairly straightforward. VSFTPD can be configured to support user-based and/or anonymous FTP in its configuration file, which you'll see later.
Problems With FTP And Firewalls
FTP frequently fails when the data has to pass through a firewall, because firewalls are designed to limit data flows to predictable TCP ports and FTP uses a wide range of unpredictable TCP ports. You have a choice of methods to overcome this.
Note: Appendix II, "Codes, Scripts, and Configurations", contains examples of how to configure the VSFTPD Linux firewall to function with both active and passive FTP.
 
Client Protected By A Firewall Problem
Typically firewalls don't allow any incoming connections at all, which frequently blocks active FTP from functioning. With this type of FTP failure, the active FTP connection appears to work when the client initiates an outbound connection to the server on port 21. The connection then appears to hang, however, as soon as you use the ls, dir, or get commands. The reason is that the firewall is blocking the return connection from the server to the client (from port 20 on the server to a high port on the client). If a firewall allows all outbound connections to the Internet, then passive FTP clients behind a firewall will usually work correctly as the clients initiate all the FTP connections.
Solution
Table 15-1 shows the general rules you'll need to allow FTP clients through a firewall:
Table 15-1: Client Protected by Firewall - Required Rules for FTP

Method            Source Address         Source Port   Destination Address    Destination Port   Connection Type
Allow outgoing control connections to server
Control Channel   FTP client / network   High (1)      FTP server (2)         21                 New
                  FTP server (2)         21            FTP client / network   High               Established (3)
Allow the client to establish data channels to remote server
Active FTP        FTP server (2)         20            FTP client / network   High               New
                  FTP client / network   High          FTP server (2)         20                 Established (3)
Passive FTP       FTP client / network   High          FTP server (2)         High               New
                  FTP server (2)         High          FTP client / network   High               Established (3)

(1) Greater than 1024.
(2) In some cases, you may want to allow all Internet users to have access, not just a specific client server or network.
(3) Many home-based firewall/routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.
Server Protected By A Firewall Problem
Typically firewalls don't let any connections come in at all. When an incorrectly configured firewall protects an FTP server, the FTP connection from the client doesn't appear to work at all for both active and passive FTP.
Solution
Rules needed to allow FTP servers through a firewall:

Method            Source Address             Source Port   Destination Address        Destination Port   Connection Type
Allow incoming control connections to server
Control Channel   FTP client / network (2)   High (1)      FTP server                 21                 New
                  FTP server                 21            FTP client / network (2)   High               Established (3)
Allow server to establish data channel to remote client
Active FTP        FTP server                 20            FTP client / network (2)   High               New
                  FTP client / network (2)   High          FTP server                 20                 Established (3)
Passive FTP       FTP client / network (2)   High          FTP server                 High               New
                  FTP server                 High          FTP client / network (2)   High               Established (3)

(1) Greater than 1024.
(2) In some cases, you may want to allow all Internet users to have access, not just a specific client server or network.
(3) Many home-based firewall/routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.
How To Download And Install VSFTPD
Most Linux software products are available in a precompiled package format. Downloading and installing packages isn't hard. If you need a refresher, Chapter 6, "Installing Linux Software", covers how to do this in detail. It is best to use the latest version of VSFTPD.
When searching for the file, remember that the VSFTPD packages' filename usually starts with the word vsftpd followed by a version number, as in vsftpd-1.2.1-5.i386.rpm for Redhat/Fedora or vsftpd_2.0.4-0ubuntu4_i386.deb for Ubuntu.
 
How To Get VSFTPD Started
With Fedora, Redhat, Ubunbtu and Debian You can start, stop, or restart VSFTPD after booting by using these commands:
[root@bigboy tmp]# /etc/init.d/vsftpd start
[root@bigboy tmp]# /etc/init.d/vsftpd stop
[root@bigboy tmp]# /etc/init.d/vsftpd restart
With Redhat / Fedora you can configure VSFTPD to start at boot you can use the chkconfig command.
[root@bigboy tmp]# chkconfig vsftpd on
With Ubuntu / Debian the sysv-rc-conf command can be used like this:
root@u-bigboy:/tmp# sysv-rc-conf on
Note: In RedHat Linux version 8.0 and earlier, VSFTPD operation is controlled by the xinetd process, which is covered in Chapter 16, "Telnet, TFTP, and xinetd". You can find a full description of how to configure these versions of Linux for VSFTPD in Appendix III, "Fedora Version Differences."
Testing the Status of VSFTPD
You can always test whether the VSFTPD process is running by using the netstat -a command which lists all the TCP and UDP ports on which the server is listening for traffic. This example shows the expected output.
[root@bigboy root]# netstat -a | grep ftp
tcp 0 0 *:ftp *:* LISTEN
[root@bigboy root]#
If VSFTPD wasn't running, there would be no output at all.
The vsftpd.conf File
VSFTPD only reads the contents of its vsftpd.conf configuration file only when it starts, so you'll have to restart VSFTPD each time you edit the file in order for the changes to take effect. The file may be located in either the /etc or the /etc/vsftpd directories depending on your Linux distribution.
This file uses a number of default settings you need to know about.
VSFTPD runs as an anonymous FTP server. Unless you want any remote user to log into to your default FTP directory using a username of anonymous and a password that's the same as their email address, I would suggest turning this off. The configuration file's anonymous_enable directive can be set to no to disable this feature. You'll also need to simultaneously enable local users to be able to log in by removing the comment symbol (#) before the local_enable instruction.
If you enable anonymous FTP with VSFTPD, remember to define the root directory that visitors will visit. This is done with the anon_root directive.
anon_root=/data/directory
VSFTPD allows only anonymous FTP downloads to remote users, not uploads from them. This can be changed by modifying the anon_upload_enable directive shown later.
VSFTPD doesn't allow anonymous users to create directories on your FTP server. You can change this by modifying the anon_mkdir_write_enable directive.
VSFTPD logs FTP access to the /var/log/vsftpd.log log file. You can change this by modifying the xferlog_file directive.
By default VSFTPD expects files for anonymous FTP to be placed in the /var/ftp directory. You can change this by modifying the anon_root directive. There is always the risk with anonymous FTP that users will discover a way to write files to your anonymous FTP directory. You run the risk of filling up your /var partition if you use the default setting. It is best to make the anonymous FTP directory reside in its own dedicated partition.
The configuration file is fairly straight forward as you can see in the snippet below where we enable anonymous FTP and individual accounts simultaneously.
# Allow anonymous FTP?
anonymous_enable=YES
...
# The directory which vsftpd will try to change
# into after an anonymous login. (Default = /var/ftp)
anon_root=/data/directory
...
# Uncomment this to allow local users to log in.
local_enable=YES
...
# Uncomment this to enable any form of FTP write command.
# (Needed even if you want local users to be able to upload files)
write_enable=YES
...
# Uncomment to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
...
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
...
# Activate logging of uploads/downloads.
xferlog_enable=YES
...
# You may override where the log file goes if you like.
# The default is shown below.
xferlog_file=/var/log/vsftpd.log
...
To activate or deactivate a feature, remove or add the # at the beginning of the appropriate line.
Other vsftpd.conf Options
There are many other options you can add to this file:
Limiting the maximum number of client connections (max_clients)
Limiting the number of connections by source IP address (max_per_ip)
The maximum rate of data transfer per anonymous login. (anon_max_rate)
The maximum rate of data transfer per non-anonymous login. (local_max_rate)
Descriptions on this and more can be found in the vsftpd.conf man pages.
FTP Security Issues
FTP has a number of security drawbacks, but you can overcome them in some cases. You can restrict an individual Linux user's access to non-anonymous FTP, and you can change the configuration to not display the FTP server's software version information, but unfortunately, though very convenient, FTP logins and data transfers are not encrypted.
The /etc/vsftpd.ftpusers File
For added security, you may restrict FTP access to certain users by adding them to the list of users in the /etc/vsftpd.ftpusers file. The VSFTPD package creates this file with a number of entries for privileged users that normally shouldn't have FTP access. As FTP doesn't encrypt passwords, thereby increasing the risk of data or passwords being compromised, it is a good idea to let these entries remain and add new entries for additional security.
Anonymous Upload
If you want remote users to write data to your FTP server, then you should create a write-only directory within /var/ftp/pub. This will allow your users to upload but not access other files uploaded by other users. The commands you need are:
[root@bigboy tmp]# mkdir /var/ftp/pub/upload
[root@bigboy tmp]# chmod 722 /var/ftp/pub/upload
FTP Greeting Banner
Change the default greeting banner in the vsftpd.conf file to make it harder for malicious users to determine the type of system you have. The directive in this file is.
ftpd_banner= New Banner Here
Using SCP As Secure Alternative To FTP
One of the disadvantages of FTP is that it does not encrypt your username and password. This could make your user account vulnerable to an unauthorized attack from a person eavesdropping on the network connection. Secure Copy (SCP) and Secure FTP (SFTP) provide encryption and could be considered as an alternative to FTP for trusted users. SCP does not support anonymous services, however, a feature that FTP does support.
Troubleshooting FTP
You should always test your FTP installation by attempting to use an FTP client to log in to your FTP server to transfer sample files.
The most common sources of day-to-day failures are incorrect usernames and passwords.
Initial setup failures could be caused by firewalls along the path between the client and server blocking some or all types of FTP traffic. Typical symptoms of this are either connection timeouts or the ability to use the ls command to view the contents of a directory without the ability to either upload or download files. Follow the firewall rule guidelines to help overcome this problem. Connection problems could also be the result of typical network issues outlined in Chapter 4, "Simple Network Troubleshooting".
Tutorial
FTP has many uses, one of which is allowing numerous unknown users to download files. You have to be careful, because you run the risk of accidentally allowing unknown persons to upload files to your server. This sort of unintended activity can quickly fill up your hard drive with illegal software, images, and music for the world to download, which in turn can clog your server's Internet access and drive up your bandwidth charges.
FTP Users with Only Read Access to a Shared Directory
In this example, anonymous FTP is not desired, but a group of trusted users need to have read only access to a directory for downloading files. Here are the steps:
1) Disable anonymous FTP. Comment out the anonymous_enable line in the vsftpd.conf file like this:
# Allow anonymous FTP?
anonymous_enable=NO
2) Enable individual logins by making sure you have the local_enable line uncommented in the vsftpd.conf file like this:
# Uncomment this to allow local users to log in.
local_enable=YES
3) Start VSFTP.
[root@bigboy tmp]# service vsftpd start
4) Create a user group and shared directory. In this case, use /home/ftp-users and a user group name of ftp-users for the remote users
[root@bigboy tmp]# groupadd ftp-users
[root@bigboy tmp]# mkdir /home/ftp-docs
5) Make the directory accessible to the ftp-users group.
[root@bigboy tmp]# chmod 750 /home/ftp-docs
[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs
6) Add users, and make their default directory /home/ftp-docs
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user1
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user2
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user3
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user4
[root@bigboy tmp]# passwd user1
[root@bigboy tmp]# passwd user2
[root@bigboy tmp]# passwd user3
[root@bigboy tmp]# passwd user4
7) Copy files to be downloaded by your users into the /home/ftp-docs directory
8) Change the permissions of the files in the /home/ftp-docs directory for read only access by the group
[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs/*
[root@bigboy tmp]# chmod 740 /home/ftp-docs/*
Users should now be able to log in via FTP to the server using their new usernames and passwords. If you absolutely don't want any FTP users to be able to write to any directory, then you should set the write_enable line in your vsftpd.conf file to no:
write_enable = NO
Remember, you must restart VSFTPD for the configuration file changes to take effect.
Sample Login Session To Test Functionality
Here is a simple test procedure you can use to make sure everything is working correctly:
1) Check for the presence of a test file on the ftp client server.
[root@smallfry tmp]# ll
total 1
-rw-r--r-- 1 root root 0 Jan 4 09:08 testfile
[root@smallfry tmp]#
2) Connect to bigboy via FTP
[root@smallfry tmp]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100)
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): user1
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
As expected, we can't do an upload transfer of testfile to bigboy.
ftp> put testfile
local: testfile remote: testfile
227 Entering Passive Mode (192,168,1,100,181,210)
553 Could not create file.
ftp>
But we can view and download a copy of the VSFTPD RPM located on the FTP server bigboy.
ftp> ls
227 Entering Passive Mode (192,168,1,100,35,173)
150 Here comes the directory listing.
-rwxr----- 1 0 502 76288 Jan 04 17:06 vsftpd-1.1.0-1.i386.rpm
226 Directory send OK.
ftp> get vsftpd-1.1.0-1.i386.rpm vsftpd-1.1.0-1.i386.rpm.tmp
local: vsftpd-1.1.0-1.i386.rpm.tmp remote: vsftpd-1.1.0-1.i386.rpm
227 Entering Passive Mode (192,168,1,100,44,156)
150 Opening BINARY mode data connection for vsftpd-1.1.0-1.i386.rpm (76288 bytes).
226 File send OK.
76288 bytes received in 0.499 secs (1.5e+02 Kbytes/sec)
ftp> exit
221 Goodbye.
[root@smallfry tmp]#
As expected, anonymous FTP fails.
[root@smallfry tmp]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100)
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.
[root@smallfry tmp]#
Now that testing is complete, you can make this a regular part of your FTP server's operation.
Conclusion
FTP is a very useful software application that can have enormous benefit to a Web site or to collaborative computing in which files need to be shared between business partners. Although insecure, it is universally accessible, because FTP clients are a part of all operating systems and Web browsers. If data encryption security is of great importance to you, then you should probably consider SCP as a possible alternative.
			  
			
 
The File Transfer Protocol (FTP) is one of the most common means of copying files between servers over the Internet. Most web-based download sites use the built-in FTP capabilities of web browsers, and so most server-oriented operating systems include an FTP server application as part of their software suite. Linux is no exception.
This chapter will show you how to convert your Linux box into an FTP server using the default Very Secure FTP Daemon (VSFTPD) package included in Fedora.
FTP Overview
FTP relies on a pair of TCP ports to get the job done. It operates over two connection channels, as I'll explain:
FTP Control Channel, TCP Port 21: All commands you send and the FTP server's responses to those commands go over the control connection, but any data sent back (such as ls directory listings or actual file data in either direction) goes over the data connection.
FTP Data Channel, TCP Port 20: This port is used for all subsequent data transfers between the client and server.
In addition to these channels, there are several varieties of FTP.
Types of FTP
From a networking perspective, the two main types of FTP are active and passive. In active FTP, the FTP server initiates a data transfer connection back to the client. For passive FTP, the connection is initiated from the FTP client.
From a user management perspective there are also two types of FTP: regular FTP, in which files are transferred using the username and password of a regular user of the FTP server, and anonymous FTP, in which general access is provided to the FTP server using a well-known universal login method.
Take a closer look at each type.
Active FTP
The sequence of events for active FTP is:
Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over this connection.
Whenever the client requests data over the control connection, the server initiates data transfer connections back to the client. The source port of these data transfer connections is always port 20 on the server, and the destination port is a high port (greater than 1024) on the client.
Thus the ls listing that you asked for comes back over the port 20 to high port connection, not the port 21 control connection.
FTP active mode therefore transfers data in a way that is counterintuitive relative to the usual TCP pattern: the server selects port 20 as its source port (not a random high port greater than 1024) and connects back to the client on a random high port that was pre-negotiated over the port 21 control connection.
Active FTP may fail in cases where the client is protected from the Internet by many-to-one NAT (masquerading). This is because the firewall will not know which of the many hosts behind it should receive the return connection.
Passive FTP
Passive FTP works differently:
Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as ls and get are sent over that connection.
Whenever the client requests data over the control connection, the client initiates the data transfer connections to the server. The source port of these data transfer connections is always a high port on the client, and the destination port is a high port on the server.
Passive FTP should be viewed as the server never making an active attempt to connect to the client for FTP data transfers. Because the client always initiates the required connections, passive FTP works better for clients protected by a firewall.
As Windows defaults to active FTP, and Linux defaults to passive, you'll probably have to accommodate both forms when deciding upon a security policy for your FTP server.
Regular FTP
By default, the VSFTPD package allows regular Linux users to copy files to and from their home directories with an FTP client using their Linux usernames and passwords as their login credentials.
VSFTPD also has the option of allowing this type of access to only a group of Linux users, enabling you to restrict the addition of new files to your system to authorized personnel.
The disadvantage of regular FTP is that it isn't suitable for general download distribution of software as everyone either has to get a unique Linux user account or has to use a shared username and password. Anonymous FTP allows you to avoid this difficulty.
Anonymous FTP
Anonymous FTP is the choice of Web sites that need to exchange files with numerous unknown remote users. Common uses include downloading software updates and MP3s and uploading diagnostic information for a technical support engineer's attention. Unlike regular FTP, where you log in with a preconfigured Linux username and password, anonymous FTP requires only a username of anonymous and your email address for the password. Once logged in to a VSFTPD server, you automatically have access to only the default anonymous FTP directory (/var/ftp in the case of VSFTPD) and all its subdirectories.
As seen in Chapter 6, "Installing Linux Software", using anonymous FTP as a remote user is fairly straightforward. VSFTPD can be configured to support user-based and/or anonymous FTP in its configuration file, which you'll see later.
Problems With FTP And Firewalls
FTP frequently fails when the data has to pass through a firewall, because firewalls are designed to limit data flows to predictable TCP ports and FTP uses a wide range of unpredictable TCP ports. You have a choice of methods to overcome this.
Note: Appendix II, "Codes, Scripts, and Configurations", contains examples of how to configure the Linux firewall for VSFTPD to function with both active and passive FTP.
Client Protected By A Firewall Problem
Typically firewalls don't allow any incoming connections at all, which frequently blocks active FTP from functioning. With this type of FTP failure, the active FTP connection appears to work when the client initiates an outbound connection to the server on port 21. The connection then appears to hang, however, as soon as you use the ls, dir, or get commands. The reason is that the firewall is blocking the return connection from the server to the client (from port 20 on the server to a high port on the client). If a firewall allows all outbound connections to the Internet, then passive FTP clients behind a firewall will usually work correctly as the clients initiate all the FTP connections.
Solution
Table 15-1 shows the general rules you'll need to allow FTP clients through a firewall:
Client Protected by Firewall - Required Rules for FTP

Method           Source Address        Source Port   Destination Address   Destination Port   Connection Type
Allow outgoing control connections to server:
Control Channel  FTP client / network  High [1]      FTP server [2]        21                 New
                 FTP server [2]        21            FTP client / network  High               Established [3]
Allow the client to establish data channels to the remote server:
Active FTP       FTP server [2]        20            FTP client / network  High               New
                 FTP client / network  High          FTP server [2]        20                 Established [3]
Passive FTP      FTP client / network  High          FTP server [2]        High               New
                 FTP server [2]        High          FTP client / network  High               Established [3]

[1] Greater than 1024.
[2] In some cases, you may want to allow all Internet users to have access, not just a specific client server or network.
[3] Many home-based firewall/routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.
Server Protected By A Firewall Problem
Typically firewalls don't let any connections come in at all. When an incorrectly configured firewall protects an FTP server, the FTP connection from the client doesn't appear to work at all, for both active and passive FTP.
Solution
Rules needed to allow FTP servers through a firewall

Method           Source Address            Source Port   Destination Address       Destination Port   Connection Type
Allow incoming control connections to server:
Control Channel  FTP client / network [2]  High [1]      FTP server                21                 New
                 FTP server                21            FTP client / network [2]  High               Established [3]
Allow server to establish data channel to remote client:
Active FTP       FTP server                20            FTP client / network [2]  High               New
                 FTP client / network [2]  High          FTP server                20                 Established [3]
Passive FTP      FTP client / network [2]  High          FTP server                High               New
                 FTP server                High          FTP client / network [2]  High               Established [3]

[1] Greater than 1024.
[2] In some cases, you may want to allow all Internet users to have access, not just a specific client server or network.
[3] Many home-based firewall/routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.
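As an added example (not from the original chapter), here is a shell script that turns the server-side table above into iptables rules and decodes the data port from a "227 Entering Passive Mode" reply like the ones in the sample session later in this chapter. It assumes the server address 192.168.1.100 from that session, a constructed passive port range of 50000-50100 that must match the pasv_min_port and pasv_max_port directives in vsftpd.conf, and the iptables state match; the nf_conntrack_ftp helper, which tracks the negotiated ports itself, is the usual alternative to opening a fixed range.

```shell
#!/bin/sh
# Added example (not from the original chapter): host-firewall rules for an
# FTP server protected by a firewall, following the table above, plus a
# decoder for the "227 Entering Passive Mode" reply.

FTP_SERVER_IP="${FTP_SERVER_IP:-192.168.1.100}"   # bigboy's address in the sample session
PASV_MIN="${PASV_MIN:-50000}"   # constructed; must equal pasv_min_port in vsftpd.conf
PASV_MAX="${PASV_MAX:-50100}"   # constructed; must equal pasv_max_port in vsftpd.conf
IPTABLES="${IPTABLES:-iptables}"

# Decode the data port from a reply such as
# "227 Entering Passive Mode (192,168,1,100,181,210)": port = p1 * 256 + p2.
# This is the server high port the client connects to for the next transfer,
# which is why a firewall in front of the server cannot predict it in advance.
pasv_port() {
    echo "$1" |
        sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\5 \6/p' |
        awk '{ print $1 * 256 + $2 }'
}

# Emit the six rules of the "Server Protected By A Firewall" table.
ftp_server_rules() {
    # Control channel: new connections from client high ports to 21, replies back out
    $IPTABLES -A INPUT  -p tcp -d "$FTP_SERVER_IP" --sport 1024:65535 --dport 21 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -s "$FTP_SERVER_IP" --sport 21 --dport 1024:65535 \
        -m state --state ESTABLISHED -j ACCEPT
    # Active FTP: the server opens a new data connection from port 20 to a client high port
    $IPTABLES -A OUTPUT -p tcp -s "$FTP_SERVER_IP" --sport 20 --dport 1024:65535 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT  -p tcp -d "$FTP_SERVER_IP" --sport 1024:65535 --dport 20 \
        -m state --state ESTABLISHED -j ACCEPT
    # Passive FTP: the client opens a new data connection to a server high port.
    # Rather than every port above 1024, only the configured passive range is opened.
    $IPTABLES -A INPUT  -p tcp -d "$FTP_SERVER_IP" --sport 1024:65535 --dport "$PASV_MIN:$PASV_MAX" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -s "$FTP_SERVER_IP" --sport "$PASV_MIN:$PASV_MAX" --dport 1024:65535 \
        -m state --state ESTABLISHED -j ACCEPT
}

# Apply only when explicitly asked, so that sourcing the file has no side effects.
if [ "${1:-}" = "apply" ]; then
    ftp_server_rules
fi
```

Run it as sh ftp-rules.sh apply on the server; sourcing the file only defines the functions, and the decoded port of the sample session's first 227 reply is 46546.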
How To Download And Install VSFTPD
Most Linux software products are available in a precompiled package format. Downloading and installing packages isn't hard. If you need a refresher, Chapter 6, "Installing Linux Software", covers how to do this in detail. It is best to use the latest version of VSFTPD.
When searching for the file, remember that the VSFTPD package's filename usually starts with the word vsftpd followed by a version number, as in vsftpd-1.2.1-5.i386.rpm for Redhat/Fedora or vsftpd_2.0.4-0ubuntu4_i386.deb for Ubuntu.
How To Get VSFTPD Started
With Fedora, Redhat, Ubuntu and Debian you can start, stop, or restart VSFTPD after booting by using these commands:
[root@bigboy tmp]# /etc/init.d/vsftpd start
[root@bigboy tmp]# /etc/init.d/vsftpd stop
[root@bigboy tmp]# /etc/init.d/vsftpd restart
With Redhat / Fedora you can configure VSFTPD to start at boot using the chkconfig command.
[root@bigboy tmp]# chkconfig vsftpd on
With Ubuntu / Debian the sysv-rc-conf command can be used like this:
root@u-bigboy:/tmp# sysv-rc-conf vsftpd on
Note: In RedHat Linux version 8.0 and earlier, VSFTPD operation is controlled by the xinetd process, which is covered in Chapter 16, "Telnet, TFTP, and xinetd". You can find a full description of how to configure these versions of Linux for VSFTPD in Appendix III, "Fedora Version Differences."
Testing the Status of VSFTPD
You can always test whether the VSFTPD process is running by using the netstat -a command, which lists all the TCP and UDP ports on which the server is listening for traffic. This example shows the expected output.
[root@bigboy root]# netstat -a | grep ftp
tcp 0 0 *:ftp *:* LISTEN
[root@bigboy root]#
If VSFTPD wasn't running, there would be no output at all.
The vsftpd.conf File
VSFTPD reads the contents of its vsftpd.conf configuration file only when it starts, so you'll have to restart VSFTPD each time you edit the file in order for the changes to take effect. The file may be located in either the /etc or the /etc/vsftpd directory depending on your Linux distribution.
This file uses a number of default settings you need to know about.
By default, VSFTPD runs as an anonymous FTP server. Unless you want any remote user to log in to your default FTP directory using a username of anonymous and a password that's the same as their email address, I would suggest turning this off. The configuration file's anonymous_enable directive can be set to NO to disable this feature. You'll also need to simultaneously enable local users to be able to log in by removing the comment symbol (#) before the local_enable instruction.
If you enable anonymous FTP with VSFTPD, remember to define the root directory that visitors will visit. This is done with the anon_root directive.
anon_root=/data/directory
VSFTPD allows only anonymous FTP downloads to remote users, not uploads from them. This can be changed by modifying the anon_upload_enable directive shown later.
VSFTPD doesn't allow anonymous users to create directories on your FTP server. You can change this by modifying the anon_mkdir_write_enable directive.
VSFTPD logs FTP access to the /var/log/vsftpd.log log file. You can change this by modifying the xferlog_file directive.
By default VSFTPD expects files for anonymous FTP to be placed in the /var/ftp directory. You can change this by modifying the anon_root directive. There is always the risk with anonymous FTP that users will discover a way to write files to your anonymous FTP directory. You run the risk of filling up your /var partition if you use the default setting. It is best to make the anonymous FTP directory reside in its own dedicated partition.
The configuration file is fairly straightforward, as you can see in the snippet below, where we enable anonymous FTP and individual accounts simultaneously.
# Allow anonymous FTP?
anonymous_enable=YES
...
# The directory which vsftpd will try to change
# into after an anonymous login. (Default = /var/ftp)
anon_root=/data/directory
...
# Uncomment this to allow local users to log in.
local_enable=YES
...
# Uncomment this to enable any form of FTP write command.
# (Needed even if you want local users to be able to upload files)
write_enable=YES
...
# Uncomment to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
...
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
...
# Activate logging of uploads/downloads.
xferlog_enable=YES
...
# You may override where the log file goes if you like.
# The default is shown below.
xferlog_file=/var/log/vsftpd.log
...
To activate or deactivate a feature, remove or add the # at the beginning of the appropriate line.
Other vsftpd.conf Options
There are many other options you can add to this file:
Limiting the maximum number of client connections (max_clients)
Limiting the number of connections by source IP address (max_per_ip)
The maximum rate of data transfer per anonymous login. (anon_max_rate)
The maximum rate of data transfer per non-anonymous login. (local_max_rate)
Descriptions of these and more can be found in the vsftpd.conf man page.
FTP Security Issues
FTP has a number of security drawbacks, but you can overcome them in some cases. You can restrict an individual Linux user's access to non-anonymous FTP, and you can change the configuration to not display the FTP server's software version information, but unfortunately, though very convenient, FTP logins and data transfers are not encrypted.
The /etc/vsftpd.ftpusers File
For added security, you may restrict FTP access to certain users by adding them to the list of users in the /etc/vsftpd.ftpusers file. The VSFTPD package creates this file with a number of entries for privileged users that normally shouldn't have FTP access. As FTP doesn't encrypt passwords, thereby increasing the risk of data or passwords being compromised, it is a good idea to let these entries remain and add new entries for additional security.
Anonymous Upload
If you want remote users to write data to your FTP server, then you should create a write-only directory within /var/ftp/pub. This will allow your users to upload but not access other files uploaded by other users. The commands you need are:
[root@bigboy tmp]# mkdir /var/ftp/pub/upload
[root@bigboy tmp]# chmod 722 /var/ftp/pub/upload
FTP Greeting Banner
Change the default greeting banner in the vsftpd.conf file to make it harder for malicious users to determine the type of system you have. The directive in this file is:
ftpd_banner=New Banner Here
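To check a vsftpd.conf against the defaults described in "The vsftpd.conf File" and the points raised under "FTP Security Issues", here is an added shell audit script (not part of the original chapter or of the VSFTPD project). The two configuration files it writes are constructed for the demonstration, and the values it assumes for unset directives are the defaults given in the vsftpd.conf man page.

```shell
#!/bin/sh
# Added example (not from the original chapter or the VSFTPD project): audit a
# vsftpd.conf for the settings discussed above. Findings go to stdout, one per line.

# Is a vsftpd boolean true? vsftpd accepts YES/TRUE/1 case-insensitively.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Value of a directive, ignoring comment lines; the last occurrence wins, as in vsftpd.
conf_get() {
    grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-
}

audit_vsftpd_conf() {
    conf="$1"
    # The man page warns that whitespace around "=" is an error: vsftpd refuses to start.
    if grep -v '^[[:space:]]*#' "$conf" | grep -Eq '^[[:space:]]*[A-Za-z_]+[[:space:]]+='; then
        echo "malformed: whitespace around '=' (vsftpd rejects such lines)"
    fi
    # Defaults assumed for unset directives are those of the vsftpd.conf man page.
    anon=$(conf_get "$conf" anonymous_enable)
    if is_yes "${anon:-YES}"; then
        echo "anonymous_enable=YES: any remote user can log in as anonymous"
        if is_yes "$(conf_get "$conf" anon_upload_enable)"; then
            echo "anon_upload_enable=YES: anonymous users can upload files"
        fi
        if is_yes "$(conf_get "$conf" anon_mkdir_write_enable)"; then
            echo "anon_mkdir_write_enable=YES: anonymous users can create directories"
        fi
        root=$(conf_get "$conf" anon_root)
        case "${root:-/var/ftp}" in
            /var/*) echo "anon_root=${root:-/var/ftp}: uploads there can fill the /var partition" ;;
        esac
    fi
    if is_yes "$(conf_get "$conf" write_enable)"; then
        echo "write_enable=YES: logged-in users can upload, rename and delete files"
    fi
    if ! is_yes "$(conf_get "$conf" xferlog_enable)"; then
        echo "xferlog_enable is not YES: transfers are not logged"
    fi
    if [ -z "$(conf_get "$conf" ftpd_banner)" ]; then
        echo "ftpd_banner unset: the greeting discloses the vsftpd version"
    fi
    return 0
}

# Constructed sample files for the demonstration.
SAMPLE_CONF="${TMPDIR:-/tmp}/vsftpd-audit-sample-$$.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# Mirrors the chapter's snippet, with anonymous uploads switched on
anonymous_enable=YES
anon_root=/var/ftp
local_enable=YES
write_enable=YES
anon_upload_enable=YES
#anon_mkdir_write_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
EOF

HARDENED_CONF="${TMPDIR:-/tmp}/vsftpd-audit-hardened-$$.conf"
cat > "$HARDENED_CONF" <<'EOF'
# Read-only access for local users, as in the tutorial
anonymous_enable=NO
local_enable=YES
write_enable=NO
xferlog_enable=YES
ftpd_banner=Authorized use only
EOF

echo "== $SAMPLE_CONF";   audit_vsftpd_conf "$SAMPLE_CONF"
echo "== $HARDENED_CONF"; audit_vsftpd_conf "$HARDENED_CONF"
```

The first sample produces five findings and the hardened one none; point audit_vsftpd_conf at /etc/vsftpd.conf or /etc/vsftpd/vsftpd.conf to check a real server.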
Using SCP As Secure Alternative To FTP
One of the disadvantages of FTP is that it does not encrypt your username and password. This could make your user account vulnerable to an unauthorized attack from a person eavesdropping on the network connection. Secure Copy (SCP) and Secure FTP (SFTP) provide encryption and could be considered as an alternative to FTP for trusted users. SCP does not, however, support anonymous access, a feature that FTP does.
Troubleshooting FTP
You should always test your FTP installation by attempting to use an FTP client to log in to your FTP server to transfer sample files.
The most common sources of day-to-day failures are incorrect usernames and passwords.
Initial setup failures could be caused by firewalls along the path between the client and server blocking some or all types of FTP traffic. Typical symptoms of this are either connection timeouts or the ability to use the ls command to view the contents of a directory without the ability to either upload or download files. Follow the firewall rule guidelines to help overcome this problem. Connection problems could also be the result of typical network issues outlined in Chapter 4, "Simple Network Troubleshooting".
Tutorial
FTP has many uses, one of which is allowing numerous unknown users to download files. You have to be careful, because you run the risk of accidentally allowing unknown persons to upload files to your server. This sort of unintended activity can quickly fill up your hard drive with illegal software, images, and music for the world to download, which in turn can clog your server's Internet access and drive up your bandwidth charges.
FTP Users with Only Read Access to a Shared Directory
In this example, anonymous FTP is not desired, but a group of trusted users need to have read only access to a directory for downloading files. Here are the steps:
1) Disable anonymous FTP. Comment out the anonymous_enable line in the vsftpd.conf file like this:
# Allow anonymous FTP?
anonymous_enable=NO
2) Enable individual logins by making sure you have the local_enable line uncommented in the vsftpd.conf file like this:
# Uncomment this to allow local users to log in.
local_enable=YES
3) Start VSFTP.
[root@bigboy tmp]# service vsftpd start
4) Create a user group and shared directory. In this case, use /home/ftp-docs as the directory and ftp-users as the group name for the remote users.
[root@bigboy tmp]# groupadd ftp-users
[root@bigboy tmp]# mkdir /home/ftp-docs
5) Make the directory accessible to the ftp-users group.
[root@bigboy tmp]# chmod 750 /home/ftp-docs
[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs
6) Add users, and make their default directory /home/ftp-docs
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user1
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user2
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user3
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user4
[root@bigboy tmp]# passwd user1
[root@bigboy tmp]# passwd user2
[root@bigboy tmp]# passwd user3
[root@bigboy tmp]# passwd user4
7) Copy the files to be downloaded by your users into the /home/ftp-docs directory.
8) Change the permissions of the files in the /home/ftp-docs directory for read-only access by the group.
[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs/*
[root@bigboy tmp]# chmod 740 /home/ftp-docs/*
Users should now be able to log in via FTP to the server using their new usernames and passwords. If you absolutely don't want any FTP users to be able to write to any directory, then you should set the write_enable line in your vsftpd.conf file to NO (with no spaces around the equals sign, which vsftpd rejects):
write_enable=NO
Remember, you must restart VSFTPD for the configuration file changes to take effect.
Sample Login Session To Test Functionality
Here is a simple test procedure you can use to make sure everything is working correctly:
1) Check for the presence of a test file on the ftp client server.
[root@smallfry tmp]# ll
total 1
-rw-r--r-- 1 root root 0 Jan 4 09:08 testfile
[root@smallfry tmp]#
2) Connect to bigboy via FTP
[root@smallfry tmp]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100)
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): user1
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
As expected, we can't upload testfile to bigboy: the 553 below comes from the filesystem permissions set above (the directory is root-owned and the group has no write access), so it happens whether or not write_enable is NO.
ftp> put testfile
local: testfile remote: testfile
227 Entering Passive Mode (192,168,1,100,181,210)
553 Could not create file.
ftp>
But we can list the directory and download a copy of the vsftpd RPM located on the FTP server bigboy.
ftp> ls
227 Entering Passive Mode (192,168,1,100,35,173)
150 Here comes the directory listing.
-rwxr----- 1 0 502 76288 Jan 04 17:06 vsftpd-1.1.0-1.i386.rpm
226 Directory send OK.
ftp> get vsftpd-1.1.0-1.i386.rpm vsftpd-1.1.0-1.i386.rpm.tmp
local: vsftpd-1.1.0-1.i386.rpm.tmp remote: vsftpd-1.1.0-1.i386.rpm
227 Entering Passive Mode (192,168,1,100,44,156)
150 Opening BINARY mode data connection for vsftpd-1.1.0-1.i386.rpm (76288 bytes).
226 File send OK.
76288 bytes received in 0.499 secs (1.5e+02 Kbytes/sec)
ftp> exit
221 Goodbye.
[root@smallfry tmp]#
As expected, anonymous FTP fails.
[root@smallfry tmp]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100)
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.
[root@smallfry tmp]#
Once this test passes, the server is ready for regular operation. Repeat the same three checks (upload denied, download allowed, anonymous login rejected) after any change to vsftpd.conf or to the directory permissions.
Conclusion
FTP is a very useful application that can be of enormous benefit to a Web site or to collaborative computing in which files need to be shared between business partners. Although insecure (usernames, passwords and file contents all cross the network in cleartext), it is universally accessible, because FTP clients are part of every operating system and Web browser. If encrypting the data in transit matters to you, consider SCP or SFTP as an alternative.