
Tuesday, December 29, 2009

 

Linux Commands for Beginning Server Administrators

Most new Linux administrators want one easy-to-read list of the essential commands needed for daily server management and maintenance. I've updated my beginner administrator command list below in the hope that it will help you quickly become self-sufficient in Linux server use.

Please feel free to share these commands. My only request is that you let others know where you got them so that I may be able to help them as well!

You may also benefit from more basic commands such as: beginner commands, more advanced commands, and file permissions.

Please consider running these administrator commands on occasion with the --help parameter to read through all of their options. For example try running the command: du --help

Also note that if a server command you run gives you an output that is far more than one single screen, you can use the option |more (referred to as pipe more). This will display the output one screen at a time. Press the space key for one page at a time, and the enter key for one line at a time. For example: ps -A |more

Beginner Server Administrator Commands

arp


Command mostly used for checking existing Ethernet connectivity and IP address

Most common use: arp

This command should be used in conjunction with the ifconfig and route commands. It is mostly useful for me to check a network card and get the IP address quickly. Obviously there are many more parameters, but I am trying to share the basics of server administration, not the whole book of commands.

df


Display filesystem information

Most common use: df -h

Great way to keep tabs on how much hard disk space you have on each mounted file system. You should also review our other commands like file permissions here.

du


Display usage

Most common use, under a specific directory: du -a

Easily and quickly identify the size of files/programs in certain directories. A word of caution is that you should not run this command from the / directory. It will actually display the size of every file on the entire Linux hard disk.

This command is also particularly handy if you are checking system resources. Although I provide a number of Linux networking related commands if you're interested.

find


Find locations of files/directories quickly across entire filesystem

Most common use: find / -name appname -type d -xdev

(replace the word appname with the name of a file or application like gimp)

This is a very powerful command and is best used when running as root or superuser. The danger is that you will potentially look across every single file on every filesystem, so the syntax is very important. The example shown allows you to search against all directories below / for the appname found in directories but only on the existing filesystem. It may sound complex but the example shown allows you to find a program you may need within seconds!

Other uses and more complex but beneficial functions include using the -exec or execute a command.
You may also try the commands: locate or try slocate

ifconfig


Command line tool to configure or check all network cards/interfaces

Most common uses: ifconfig and also ifconfig eth0 10.1.1.1

Using the plain ifconfig command will show you the details of all the already configured network cards or interfaces. This is a great way to check that your network hardware is working properly. You may also benefit from this review of server configuration. Using the many other options of ifconfig, such as the one listed, allows you to assign a particular interface a static IP address. I only show an example and not a real world command above. Also review some commands for file permissions here. Your best bet, if you want to configure your network card using this command, is to first read the manual pages. You access them by typing: man ifconfig

init


Allows you to change the server bootup on a specific runlevel

Most common use: init 5

This is a useful command when, for instance, a server fails to identify the video type and ends up dropping to the non-graphical boot-up mode (also called runlevel 3).

The server runlevels rely on scripts to basically start up a server with specific processes and tools upon bootup. Runlevel 5 is the default graphical runlevel for Linux servers. But sometimes you get stuck in a different mode and need to force a level. For those rare cases, the init command is a simple way to force the mode without having to edit the inittab file.

Of course, this command does not fix the underlying problem, it just provides a fast way to change levels as needed. For a more permanent correction to the runlevel, edit your /etc/inittab file to state: id:5:initdefault:

joe or nano


Easy to use command line editors that are often included with the major Linux flavors

Most common uses:
joe filename
nano filename

A real world example for you to get a better sense on how this works:
nano /etc/dhcp3/dhcpd.conf
This allows you to edit using nano the dhcpd.conf configuration file from the command line.

Maybe you are not up to speed on vi, or never learned how to use emacs? On most Linux flavors the text editor named joe or one named nano are available. These basic but easy to use editors are useful for those who need a text editor on the command line but don't know vi or emacs. Although, I do highly recommend that you learn and use Vi and Emacs editors as well. Regardless, you will need to use a command line editor from time to time. You can also use cat and more commands to list contents of files, but this is basic stuff found under the basic linux commands listing. Try: more filename to list contents of the filename.

netstat


Summary of network connections and status of sockets

Most common uses: netstat and also netstat |head and also netstat -r

Netstat command simply displays all sockets and server connections. The top few lines are usually most helpful regarding webserver administration. Therefore if you are doing basic webserver work, you can quickly read the top lines of the netstat output by including the |head (pipe and head commands). Using the -r option gives you a very good look at the network routing addresses. This is directly linked to the route command.

nslookup


Checks the domain name and IP information of a server

Most common use: nslookup www.hostname.com

You are bound to need this command for one reason or another. When performing server installation and configuration this command gives you the existing root server IP and DNS information and can also provide details from other remote servers. Therefore, it is also a very useful security command where you can lookup DNS information regarding a particular host IP that you may see showing up on your server access logs. Note there are some other commands like file permissions that may also help. There is a lot more to this command and using the man pages will get you the details by typing: man nslookup

ping


Sends test packets to a specified server to check if it is responding properly

Most common use: ping 10.0.0.0 (replace the 10.0.0.0 with a true IP address)

This is an extremely useful command that is necessary to test network connectivity and response of servers. It creates a series of test packets of data that are then bounced to the server and back giving an indication whether the server is operating properly.

It is the first line of testing if a network failure occurs. If ping works but for instance FTP does not, then chances are that the server is configured correctly, but the FTP daemon or service is not. However, if even ping does not work there is a more significant server connectivity issue… like maybe the wires are not connected or the server is turned off! The outcome of this command is pretty much one of two things. Either it works, or you get the message destination host unreachable. It is a very fast way to check even remote servers.

ps


Lists all existing processes on the server

Most common uses: ps and also ps -A |more

The simple command will list every process associated with the specific user running on the server. This is helpful in case you run into problems and need to for instance kill a particular process that is stuck in memory. On the other hand, as a system administrator, I tend to use the -A with the |more option. This will list every process running on the server one screen at a time. Read more of our commands on our reallylinux.com help page. I use ps to quickly check what others are goofing with on my servers and often find that I'm the one doing the dangerous goofing!

rm


Removes/deletes directories and files

Most common use: rm -r name (replace name with your file or directory name)

The -r option forces the command to also apply to each subdirectory within the directory. This will work even for non-empty directories. For instance, if you are trying to delete the entire contents of the directory x, which includes directories y and z, this command will do it in one quick process. That is much more useful than trying to use the rmdir command after deleting files! Instead use the rm -r command and you will save time and effort. You may already have known this, but since server administrators end up spending a lot of time making and deleting files, I included this tip!

route


Lists the routing tables for your server

Most common use: route -v

This is pretty much the exact same output as the command netstat -r. You can suit yourself which you prefer to run. I tend to type netstat commands a lot more than just route and so it applies less to my situation, but who knows, maybe you are going to love and use route the most!

shred


Deletes a file securely by overwriting its contents

Most common use: shred -v filename (replace filename with your specific file)

The -v option is useful since it provides extra view of what exactly the shred tool is doing while you wait. On especially BIG files this could take a bit of time. The result is that your file is so thoroughly deleted it is very unlikely to ever be retrieved again. This is especially useful when trying to zap important server related files that may include confidential information like user names or hidden processes. It is also useful for deleting those hundreds of love notes you get from some of the users on your server, another bonus of being a server administrator. :)

sudo


The super-user do command that allows you to run specific commands that require root access.

Most common use: sudo command (replace command with your specific one)

This command is useful when you are logged into a server and attempt a command that requires super-user or root privileges. In most cases, you can simply run the command through sudo, without having to log in as root. In fact, this is a very beneficial way to administer your server without daily use of the root login, which is potentially dangerous.

Note there are other commands for file permissions here. Below is a simple example of the sudo capabilities:
sudo cd /root
This command allows you to change directories to the /root without having to login as root. Note that you must enter the root password once, when running a sudo command.

top


Displays many system statistics and details regarding active processes

Most common use: top

This is a very useful system administrator tool that basically gives you a summary view of the system including number of users, memory usage, CPU usage, and active processes. Often during the course of a day when running multiple servers, one of my Xwindows workstations just displays the top command from each of the servers as a very quick check of their status and stability.

touch


Allows you to change the timestamp on a file.

Most common use: touch filename

Using the basic touch command, as above, will simply force the current date and time upon the specified file. This is helpful, but not often used.

However, another option that I've used in the past when administering servers, is to force a specific timestamp on a set of files in a directory. Read more of our commands on our reallylinux.com help page.

For instance, to force a specific date and time upon all files in a directory, type:
touch *

You can also force a specific date/time stamp using the -t option like this: touch -t200103041200.00 *
The command above will change all files in the current directory to take on the new date of March 4th, 2001 at noon. The syntax follows this pattern: YYYYMMDDhhmm.ss

YYYY represents the four digit year, then the two digit month, day, hour and minutes. You can even specify seconds as noted above. In any case, this is a useful way to control timestamps on any files on your server.

traceroute


Traces the existing network routing for a remote or local server

Most common use: traceroute hostname

(replace hostname with the name of your server such as reallylinux.com)

This is a very powerful network command that basically gives the exact route between your machine and a server. In some cases you can actually watch the network hops from country to country across an ocean, through data centers, etc. Read more of our commands on our reallylinux.com help page.

This comes in handy when trying to fix a network problem, such as when someone on the network cannot get access to your server while others can. This can help identify the break or error along the network line. One strong note to you is not to misuse this command! When you run the traceroute, every one of those systems you see listed also sees YOU doing the traceroute, and therefore as a matter of etiquette and respect this command should be used when necessary, not for entertainment purposes. A key characteristic of gainfully employed server administrators: knowing when to use commands and when not to use them!

w


An extension of the who command that displays details of all users currently on the server

Most common uses: w

This is a very important system admin tool I use commonly to track who is on the server and what processes they are running. It is obviously most useful when run as a superuser.

The default setting for the w command is to show the long list of process details. You can also run the command w -s to review a shorter process listing, which is helpful when you have a lot of users on the server doing a lot of things! Remember that this is different from the who command, which can only display users, not their processes.

who


Tool used to monitor who is on the system and many other server related characteristics

Most common uses: who and also who -q and also who -b

The plain command just lists the names of users currently on the server. Using the -q option allows you to quickly view just the total number of users on the system. Using the -b option reminds you how long it has been since you rebooted that stable Linux server.

 

Linux Firewalls using IPTables

This beginner article provides details with regard to the basics of setting up a Linux firewall using the iptables tool. It's important to note that configuring firewalls is slightly different depending on which flavour you use.

If you are just starting out and need to enable a firewall on your Linux system, I suggest you try a basic tool such as lokkit (which is available in major flavours including Fedora/RedHat and Ubuntu). It is a very simple tool that walks you through a configuration. To use this, run the command: gnome-lokkit

For more information or to download the tool, you may visit: http://www.linux.org.uk/apps/lokkit.shtml

You may also be interested in a graphical tool, rather than using the command line to make changes to the iptables. If you prefer a graphical tool, there are many available on the Internet. Start with a visit to freshmeat.net.

Introduction to iptables

For those who don't know or are not aware, iptables is the Linux tool that controls network packets, allowing you to perform very fine grained control of network related transactions through a set of rules. The tool itself has been around for quite a while, and is based on Rusty Russell's excellent work.

But before you start creating rules using the iptables command, you also need to be aware that any rules you create will be lost if a server restart occurs. For this reason, most server administrators apply the set of iptable commands they use into a bash script that runs each time the server is restarted. With some flavours, you can also run a command set like this: service iptables save. This ensures that your configuration is saved and is automatically loaded upon bootup.

Getting started

To use iptables, you apply rules to network packets that are either inbound (INPUT), outbound (OUTPUT), or being forwarded through your server (FORWARD). This is very important to understand.

To view the rules that are currently applied to your server, type the command: iptables -L

Basics of iptables

Creating properly functioning firewall rules is dependent upon your knowledge of what your server is doing.

For a secure server, it is best to establish rules that will DENY all incoming traffic. Once you do so, then you can make explicit rules that only allow exceptions such as for port 80 requests. This is far more comprehensive than trying to filter out things you want to block, because you could miss something important such as one open port that will be used to attack your server.

It is also beneficial to use iptables in conjunction with a hardware firewall, since this provides several levels of security and reduces the possibility that you missed something in your configuration.

Remember, that you can get all syntax details using the command: man iptables

Using firewall rules

Let's look at three sample rules and their core parts. Remember that some of the longer command lines wrap on the column, so make sure you type the entire command, not just the single line.

iptables -P INPUT DROP

This rule is very easy to understand and highly secure. It initiates the iptables tool, then sets a Policy (-P) for all inbound (INPUT) packets. The policy is to drop them all (DROP). Nice and secure. Note that you can only apply a policy to built in commands for iptables.

iptables -A INPUT -i lo -j ACCEPT

This rule is a bit more useful, in that it allows network traffic to occur on your local interface. Note that the append option (-A) is used, because this is not part of the built in policies. The new rule is appended to all inbound (INPUT) packets that are going to the interface (-i) local (lo). The rule is to allow all these packets (-j ACCEPT). Often if you run into problems with configuring installed applications, it begins with ensuring you allow local host connectivity, as shown.

iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

This command also appends (-A) a rule to all inbound (INPUT) packets that are coming through the ethernet card interface (-i eth0). But it only applies to packets that use the TCP protocol (-p tcp). It is specific to any such packets going to the designated port 80 (--dport 80), and is set to allow them to pass (-j ACCEPT).

If you put all three of these rules together into one script you have:

1. a server that will block every inbound connection
2. but it allows for internal host connectivity through local
3. while it also allows port 80 tcp requests that are inbound to also go through

Notice that you can also get finer grain control by designating a specific IP. For example:

iptables -A INPUT -d 196.1.1.2 -i eth0 -p tcp --dport 80 -j ACCEPT

Sample Script

The options are truly limitless, but you need to be careful. Below is a basic script you may find useful for beginning your firewall rule settings. When copying this script remember the longer commands are broken into several lines:

#!/bin/bash
#
# iptables firewall settings for linux server
#

### DEFAULT POLICY
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

### ESSENTIAL RULES
# Allow internal host packets on local interface
iptables -A INPUT -i lo -j ACCEPT

### PROTOCOL LEVEL RULES
# Allow PORT 80 TCP packets on ethernet interface
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

# LOG ALL OTHER PACKETS
# Logging for any failed packets for troubleshooting use
iptables -A INPUT -j LOG --log-prefix "INPUT: "
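The following is an added example, not the article's own script: it wraps the same default-deny layout in a function that prints the rules (IPT defaults to "echo iptables") so you can review them before applying with IPT=iptables as root, and it adds the ESTABLISHED,RELATED rule that an INPUT DROP policy needs so that replies to the server's own outbound connections are not dropped. WAN_IF, the SSH port 22 (opened so a remote administrator is not locked out the moment the DROP policy lands) and the port list are assumptions.

```shell
#!/bin/sh
# Added example (not the article's script). IPT defaults to a dry run:
# every rule is printed instead of applied. Run as root with
# IPT=iptables to apply. WAN_IF and the ports below are assumptions.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"

# Usage: firewall_rules PORT [PORT...]   (TCP ports to open on $WAN_IF)
firewall_rules() {
    $IPT -F INPUT                  # start from an empty INPUT chain
    $IPT -P INPUT DROP             # default policies, as in the article
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # local interface, needed by most locally installed applications
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to the server's own outbound connections (DNS, updates, ...)
    # would otherwise hit the INPUT DROP policy
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # one explicit exception per service, nothing else is allowed in
    for port in "$@"; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -j ACCEPT
    done
    # everything that reaches here is logged, then dropped by the policy
    $IPT -A INPUT -j LOG --log-prefix "INPUT: "
}

# Dry-run helper: how many rules would be appended to INPUT for PORT...
count_input_rules() {
    (IPT="echo iptables"; firewall_rules "$@") | grep -c 'iptables -A INPUT'
}

# web (80) and ssh (22): open ssh before the DROP policy on a remote box
firewall_rules 80 22
```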

Hopefully this brief introduction to firewalls helps you identify key rules that can make a more secure server. In the next issue, I will share the list of the most essential system administrator commands.

Friday, December 18, 2009

 

Linux System Setup

Linux Filesystem Access Types

For a list of programs used to work with filesystems, see the section "Making and Managing Filesystems". To access other filesystems you must first create them or determine what is currently on your computer. This example assumes you already have filesystems on your computer, such as DOS, Windows, or other Linux partitions, that you want to access.

1. Use one of two methods to determine what partitions are on each drive:
   1. Type "fdisk /dev/hda" for drive 1 or "fdisk /dev/hdb" for drive 2, then type p to see a list of each partition. Type q to exit.
   2. An alternate method for this step, assuming you can boot to the filesystem using LILO, is:
      1. Type "less /etc/lilo.conf"
      2. Look for the label used by lilo to select dos, such as "dos", and use the associated device. The line on my system is "other=/dev/hda1" so I will use device "/dev/hda1". The disadvantage here is that this method will not allow determination of file systems with no operating system, such as partitions that hold data.
2. Make directories for mount points for each of the other filesystems. For another Linux install such as Debian or Slackware, type "mkdir /debian" or "mkdir /slackw". For a foreign operating system partition such as DOS or Windows98, type "mkdir /dos" or "mkdir /win98".
3. Type "mount -t msdos /dev/hda1 /dos" where /dev/hda1 is where the dos partition is. Type "mount /dev/hda4 /win98" to mount the windows filesystem or "mount /dev/hda3 /slackw". Your filesystems may be on other partitions than those shown in the examples here.
4. You can unmount when done: "umount /dev/hda1"; however, the exit scripts unmount all file systems when the system is shut down.



The following line in /etc/fstab will cause the system upon bootup to mount an msdos partition on /dev/hda1 on the directory /dos:

/dev/hda1 /dos vfat defaults 0 0

This works because one of the startup script files, "/etc/rc.sysinit", includes the line "mount -a -t nonfs,smbfs,ncpfs,proc". This command mounts all filesystems listed in the file "/etc/fstab". You could set the filesystem type to msdos. Read the file /usr/src/linux/fs/filesystems.c to find a list of the filesystems supported by your kernel. The files /etc/mtab and /proc/mounts each keep a record of the filesystems currently mounted on your system. Read the mount man page for more information.

Another useful command is "hdparm -g /dev/hda" which is used to determine hard drive geometry (sectors, heads, cylinders).

Mounting other partitions or operating systems at startup

To mount other partitions at startup modify the "/etc/fstab" file. Each line in the file refers to a different filesystem. Fields are separated by whitespace. The primary filesystems must be mounted first, so they must be in correct order. Your native partition for the system you are running should be listed first. The fields are as follows:

1. The name of the device such as "/dev/hda1"
2. The mount point. Use "/" for root. Other typical mount points are "/dos" for DOS, "swap" or "none" for the swap partition, and "/mnt/floppy" for "/dev/fd0" (the floppy drive).
3. The type of filesystem. They are: mini, ext, ext2(linux native), xiafs, msdos, hpfs, ntfs, fat32, iso9660(CD-ROM), nfs, swap (for swap space).
4. The mount options for use with the filesystem. Each filesystem type has different mount options. Read the mount man page to see possible options. ro = read only; user = allows normal users to mount the device.
5. The frequency the filesystem needs to be dumped (backed up) by the dump command. For ext2, normally make it 1, for others make it 0. 0 or nothing means it is not dumped. If 1, it is backed up during a system backup.
6. A number telling the order in which the filesystems should be checked at reboot time by the fsck program. Your root should be 1, others are in ascending order or 0 to not be checked.

To determine your hard drive's partitions and see what each partition holds which operating system, you may use the fdisk program. Just make sure you don't change your disk information. You can use the 'p' command to see a list of current partitions, then you can add them to your fstab file. Note: In order for the mount to succeed, you must have created the mount point subdirectory (except for root).

I like to install multiple copies of Linux on one computer for three reasons.

1. The second copy can serve as a backup to the first. If I totally screw up one copy of Linux, by changing kernels, etc, I can still get to the filesystem from the other system and straighten out my problems.
2. I can learn about other linux packages.
3. If a compile of a package fails on one system such as Redhat, I can try it on another system such as Slackware and it will probably work.

The fstab file

A typical /etc/fstab file:
/dev/hda2 / ext2 defaults 1 1
/dev/hdb1 /data auto defaults 0 0
/dev/hda1 /dos vfat defaults 0 0
/dev/hda3 /slackw ext2 defaults 0 0
/dev/hda4 swap swap defaults 0 0
/dev/cdrom /mnt/cdrom iso9660 noauto,owner,ro 0 0
/dev/fd0 /mnt/floppy ext2 noauto,owner 0 0
none /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0

These are the options:

* defaults - Use the default options of rw, suid, dev,exec,auto, nouser, and async.
* auto - Auto detect the type of filesystem.
* noauto - The -a option will not mount the filesystem.
* owner - Allows the owner of the device to mount the filesystem (like user, it implies nosuid and nodev unless overridden)
* ro - Read only
* rw - Read and write allowed
* user - Users have permission to mount this filesystem
* users - Allows a user to mount and another user to unmount the filesystem

The /proc directory is required for tracking processes in memory (RAM). The directories /data, /dos, and /slackw in this example must exist or their mounts will fail. The entries for the floppy and cdrom allow them to be automatically dismounted if they are mounted during shutdown. The option, "noauto" in their entries, keeps these devices from being mounted at startup.
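An added example, not from the original article, that checks an fstab-style table against the six-field layout and the options described above: field count, fsck order of the root and swap entries, and user-mountable entries that re-enable suid or dev (mount's user/users options imply nosuid,nodev, so listing suid or dev again lets a user-mounted floppy or CD carry setuid binaries or device nodes). SAMPLE_FSTAB is constructed here with three deliberately wrong entries; pass the contents of /etc/fstab to check a real file.

```shell
#!/bin/sh
# Added example (not the article's own): sanity checks for an fstab-style
# table. SAMPLE_FSTAB is constructed; lines 4, 5 and 7 are deliberately
# wrong (five fields, swap with fsck order 1, user-mountable with suid).
SAMPLE_FSTAB='/dev/hda2 / ext2 defaults 1 1
/dev/hdb1 /data auto defaults 0 0
/dev/hda1 /dos vfat defaults 0 0
/dev/hda3 /slackw ext2 defaults 0
/dev/hda4 swap swap defaults 0 1
/dev/cdrom /mnt/cdrom iso9660 noauto,owner,ro 0 0
/dev/fd0 /mnt/floppy ext2 user,noauto,suid 0 0
none /proc proc defaults 0 0'

# Usage: check_fstab "$(cat /etc/fstab)"
# Prints one line per problem; the exit status is the number of problems.
check_fstab() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }              # comment line
        NF == 0 { next }                       # blank line
        NF != 6 {                              # device mp type opts dump pass
            printf "line %d: expected 6 fields, found %d\n", NR, NF
            n++; next
        }
        $2 == "/" {                            # root must be checked first
            roots++
            if ($6 != 1) {
                printf "line %d: root filesystem should have fsck order 1\n", NR
                n++
            }
        }
        $3 == "swap" && $6 != 0 {              # swap is never checked by fsck
            printf "line %d: swap entry should have fsck order 0\n", NR
            n++
        }
        # user/users imply nosuid,nodev; suid or dev listed again undoes that
        $4 ~ /(^|,)users?(,|$)/ && $4 ~ /(^|,)(suid|dev)(,|$)/ {
            printf "line %d: user-mountable entry re-enables suid/dev\n", NR
            n++
        }
        END {
            if (roots != 1) {
                printf "expected exactly one root entry, found %d\n", roots + 0
                n++
            }
            exit n + 0
        }'
}

check_fstab "$SAMPLE_FSTAB" || echo "found $? problem(s)"
```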

Note:
If you install an OS that wipes LILO, you can use the fdisk utility to toggle the bootable flag (change the boot partition). This can help, if the OS that wiped LILO can toggle this partition to a Linux filesystem.

 

Linux Tips

Multiple Virtual Terminal access

There are normally 6 virtual terminals in Linux, available by using Alt-F1 through Alt-F6. Each one can be logged in as a different user. There are normally 6 terminals available in X also, F7 through F12. The first X session will be on F7 (if on a local terminal), the second on F8, and so forth. If an X session is started from F1 and you also have an active session on F2, you can type Ctrl-Alt-F2 to go from the X session to the virtual console on F2. Also to get back to your X session, you can type Ctrl-Alt-F7. This example assumes that your terminals are setup in the standard manner with 6 virtual terminals that spawn the getty program available. You can check your setup by checking your /etc/inittab file. You should have lines like the following in your file.

1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

See the section on init for further information on this file.

Linux Command line shortcuts

If typing a command on the command line, you can press the Tab key before the command is complete and, if there are enough characters for it to be unique, the system will finish the command for you. If it is not yet unique and Tab is pressed twice, you will be given choices.
Pasting text in files

There is a cut and paste mouse utility that works with virtual consoles called gpm which runs as a daemon. To use it,

1. Move your mouse to the text you want to cut or paste
2. Hold the left mouse button down
3. Drag the mouse to the end of the selected text
4. Release the mouse button
5. If deleting text, just press the "DEL" key for your final step. If pasting text, move the text cursor to the location you want to paste to by switching terminals with function keys, using arrow keys, etc.
6. If pasting, press the right mouse button.


Viewing previously displayed text

Text that has scrolled off the top of the screen may be viewed again using the Shift-PgUp key combination. The keys in the number section on the far right of the keyboard do not work for this function, only the grey PgUp and PgDn keys just to the right of the Enter key. If you want other keys to perform this function, it would be necessary to map them for bash shell keymapping. Pressing any key other than Shift-PgUp or Shift-PgDn will bring you back to the normal screen location.

 

Basic Linux Devices

The first partition on an IDE hard drive is called partition 1, and is called /dev/hda1 if the drive is the primary IDE master.
/dev/fd0 Floppy disk
/dev/hda1 IDE Hard drive 1, partition 1
/dev/hdb3 IDE Hard drive 2, partition 3
/dev/sda1 First SCSI interface (probably hard drive), device id 1
/dev/sdc3 First SCSI interface, device id 3
/dev/cdrom CD ROM drive
/dev/mouse Mouse device, sometimes a pointer to another device such as /dev/psaux, a ps/2 mouse driver.

primary IDE master /dev/hda
primary IDE slave /dev/hdb
secondary IDE master /dev/hdc
secondary IDE slave /dev/hdd


 

Init

Linux Init Program

The init program is the first program run after your kernel begins running. It is configured with the /etc/inittab file. By modifying your /etc/inittab file, you change your system configuration in the following areas:

1. Start up system run level.
2. Specify processes to be executed during system boot.
3. Specify processes to be run when the specified runlevel is entered.
4. Specify processes to be run on certain runlevels with actions like respawn so the process is restarted any time it terminates.
5. Specify certain actions or processes to be run if certain signals or user actions are indicated.

The previous section on LILO explained what runlevels are.

Below is an example inittab file with line numbers added on the left side for reference:

# inittab This file describes how the INIT process should set up
# the system in a certain run-level.
#
# Author: Miquel van Smoorenburg,
# Modified for RHS Linux by Marc Ewing and Donnie Barnes
#

# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
1) id:3:initdefault:

# System initialization.
2) si::sysinit:/etc/rc.d/rc.sysinit

3) l0:0:wait:/etc/rc.d/rc 0
4) l1:1:wait:/etc/rc.d/rc 1
5) l2:2:wait:/etc/rc.d/rc 2
6) l3:3:wait:/etc/rc.d/rc 3
7) l4:4:wait:/etc/rc.d/rc 4
8) l5:5:wait:/etc/rc.d/rc 5
9) l6:6:wait:/etc/rc.d/rc 6

# Things to run in every runlevel.
10) ud::once:/sbin/update

# Trap CTRL-ALT-DELETE
11) ca::ctrlaltdel:/sbin/shutdown -t3 -r now

# When our UPS tells us power has failed, assume we have a few minutes
# of power left. Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
12) pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"

# If power was restored before the shutdown kicked in, cancel it.
13) pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"


# Run gettys in standard runlevels
14) 1:2345:respawn:/sbin/mingetty tty1
15) 2:2345:respawn:/sbin/mingetty tty2
16) 3:2345:respawn:/sbin/mingetty tty3
17) 4:2345:respawn:/sbin/mingetty tty4
18) 5:2345:respawn:/sbin/mingetty tty5
19) 6:2345:respawn:/sbin/mingetty tty6

# Run xdm in runlevel 5
# xdm is now a separate service
20) x:5:respawn:/etc/X11/prefdm -nodaemon



Line number 1 sets the default runlevel to 3. Line numbers 3 through 9 run the startup script /etc/rc.d/rc with the runlevel being entered as its argument, so at boot only the one matching line 1 runs. Line numbers 14 through 19 respawn getty login programs on six virtual terminals, so a login prompt comes back whenever one exits. Other lines handle power events and trap the CTRL-ALT-DEL keystroke for shutdown. Two points matter on a server: anything listed with the respawn action is restarted by init for as long as the system is up, so the list of respawn entries is worth auditing, and line 11 lets anyone with physical access to the keyboard reboot the machine, so comment it out if console access is not trusted. Please see the "How Linux Works CTDP Guide" for further information on the format of the inittab file and what the init program does.
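As an added example (not part of the original post), the shell script below reads an inittab in the format just described and reports the default runlevel and every respawn entry, which is the quick audit an administrator wants before trusting a server's init configuration. The inittab text is constructed for the demo, including a deliberately out-of-place respawn line under /tmp, and the list of system directories in inittab_suspicious_respawns is my own assumption; on a live system run the functions against the contents of /etc/inittab.

```shell
#!/bin/sh
# Added example for this page (not from the original post): summarise what
# init will do from an inittab in the format described above. The inittab
# text is constructed for the demo; on a SysV system pass the contents of
# /etc/inittab instead, e.g. inittab_entries_by_action respawn "$(cat /etc/inittab)".

SAMPLE_INITTAB='
# comments and blank lines are ignored
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l3:3:wait:/etc/rc.d/rc 3
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
x:5:respawn:/etc/X11/prefdm -nodaemon
# hypothetical line of the kind an intruder adds for persistence
zz:2345:respawn:/tmp/.x/backdoor -l 4444
'

# Print the default runlevel: field 2 of the entry whose action is initdefault.
inittab_default_runlevel() {
    printf '%s\n' "$1" | awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $3 == "initdefault" { print $2; exit }'
}

# Print "id runlevels process" for every entry with the given action
# (respawn, once, wait, ...). Entries with no runlevel field show "-".
inittab_entries_by_action() {
    printf '%s\n' "$2" | awk -F: -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $3 == want {
            proc = $4
            for (i = 5; i <= NF; i++) proc = proc ":" $i    # the command may itself contain ":"
            printf "%s %s %s\n", $1, ($2 == "" ? "-" : $2), proc
        }'
}

# Respawned programs whose binary is outside the usual system directories.
# The directory list below is an assumption of this example; adjust it to your distribution.
inittab_suspicious_respawns() {
    inittab_entries_by_action respawn "$1" |
        awk '$3 !~ "^/(sbin|usr/sbin|bin|usr/bin|etc/X11)/" { print }'
}

echo "default runlevel: $(inittab_default_runlevel "$SAMPLE_INITTAB")"
echo "respawn entries:"
inittab_entries_by_action respawn "$SAMPLE_INITTAB"
echo "respawn entries outside system directories:"
inittab_suspicious_respawns "$SAMPLE_INITTAB"
```

The same three functions work on any action name, so `inittab_entries_by_action once "$(cat /etc/inittab)"` lists what runs once per runlevel change.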

 

Apache Webserver Configuration

Apache Web Server
Introduction

The Apache web server daemon is called "httpd". On many systems its configuration files are in "/etc/httpd/conf": httpd.conf, srm.conf, access.conf, mime.types, and magic. The file srm.conf specifies the directory the site is served from with the "DocumentRoot" statement, and the "DirectoryIndex" statement gives the name of the file served when a directory is requested. The file access.conf controls which clients may access which directories and files. On my system, the initial start file is "/home/httpd/html/index.html". Documentation is in /home/httpd/html/manual.
Apache Installation

There are many options that can be selected when installing Apache, among them which modules are compiled into the server; this is commented on at the appropriate installation step. In my installation I built Apache with PHP and MySQL support. To get the Apache build to work with MySQL support, it was necessary to install MySQL from source; when MySQL was installed from the binary package, the Apache compile failed. Here are the steps for installing Apache from a gzipped source tarball:

1. Copy the source file to "/usr/src" or "/usr/local/src". The source file is called something like apache_1.3.19.tar.gz.
2. Type "cd /usr/src" or "cd /usr/local/src" depending on where you copied your file.
3. Type "tar xvzf apache_1.3.19.tar.gz" to unpack the source. The directory "apache_1.3.19" is created.
4. Type "ln -s apache_1.3.19 apache" to create a symbolic link to the apache directory.
   1. If installing PHP support with apache, copy the PHP source file "php-4.0.4pl1.tar.gz" from php.org to "/usr/src" or "/usr/local/src".
   2. Type "tar xvzf php-4.0.4pl1.tar.gz" to unpack the source file.
5. Type "cd apache".
6. Documentation at the apache.org web site says to enter the "src" directory to perform the configuration and compile. However, the "INSTALL" files in the apache and apache/src directories show that it can be done from inside the src directory or from the main apache directory. Either approach works, with advantages and disadvantages to each. Compiling from inside the "src" directory gives easier control of modules by editing the "Configuration" file. If done from the main directory, modules to be added to or removed from the default set must be given on the command line. I have chosen to use the "configure" script in the main directory, since the documentation indicates that some parameters may be overridden there and I am making no changes to the default modules. If you want to install PHP support from inside src, there is a way to do it, documented in the PHP INSTALL file, but I have not outlined that procedure here and have assumed you will be performing the install from the main directory. If you want to change the default modules by compiling in the "src" directory, follow the subset of instructions below.
   1. Type "cd src".
   2. Edit the "Configuration" file.
   3. Type "./Configure". I do not believe you can use the options "--sysconfdir" and "--logfiledir" to specify the configuration and log file locations as I have done below.
   4. Skip the next step (Step 7).
7. Type "./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd/conf --logfiledir=/var/log/httpd". The "--sysconfdir" option sets the location of the Apache configuration files, and the "--logfiledir" option sets where Apache writes its logs. If you are changing the default modules, add the parameters "--enable-module=NAME" and "--disable-module=NAME", where "NAME" is the name of the module to be enabled or disabled. Read the "INSTALL" file in the main directory for more information and the "src/Configuration" file to see what the module names are. If installing PHP support, follow the subset of instructions below.
   1. Type "cd ..".
   2. Type "cd php-4.0.4pl1".
   3. Type "./configure --with-mysql=/usr/local/mysql --with-apache=../apache --enable-track-vars". This assumes you have already installed MySQL in the "/usr/local/mysql" directory.
   4. Type "make".
   5. Type "make install".
   6. Type "cd ../apache".
   7. Type "./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd/conf --logfiledir=/var/log/httpd --activate-module=src/modules/php4/libphp4.a".
8. Type "make". Note: when I did my install, I got a compile error related to the MySQL installation. If you installed the binary version of MySQL, you may need to install it from source instead.
9. Type "make install". If installing PHP support, follow the subset of instructions below.
   1. Type "cd ../php-4.0.4pl1".
   2. Type "cp php.ini-dist /usr/local/lib/php.ini". The php.ini-dist shipped with PHP 4.0.x turns register_globals on, which lets any request parameter appear as a PHP variable; set "register_globals = Off" in the copied php.ini before the server goes live.
   3. Edit "/etc/httpd/conf/httpd.conf" or "/etc/httpd/conf/srm.conf" and add the following line:

AddType application/x-httpd-php .php


Configuration

At this point it is time to set up the Apache configuration by modifying the configuration files and arranging for Apache to start automatically. The configuration files are:

1. httpd.conf - The main configuration file. It specifies where the document root for the web server is found, various server parameters, directory permissions, where the MIME types for files are found, and the application type definitions with the handler for each.
2. srm.conf - Historically held resource directives such as DocumentRoot and DirectoryIndex. These directives are now recommended to be put in the httpd.conf file.
3. access.conf - Historically held the directory access controls, that is, who may access which directories. These are now recommended to be put in the httpd.conf file as well.

Specific configuration parameters:

* The document root, where the main web page "index.html" is found. The line should look like:

DocumentRoot "/home/httpd/html"
* Additional parameters, including:
o ServerRoot - Specifies where the server's main directory is.

ServerRoot "/usr/local/apache"
o ErrorLog and LogLevel - Specify where the web server keeps its error log and the lowest severity that is logged. LogLevel options, from most to least verbose, are debug, info, notice, warn, error, crit, alert, and emerg.

ErrorLog /var/log/httpd/error_log
LogLevel warn
o KeepAlive - Specifies whether persistent connections are supported.

KeepAlive On
o MaxKeepAliveRequests 100 - The maximum number of requests served over one persistent connection.
o KeepAliveTimeout 15 - The number of seconds the connection is kept open if no further request arrives from the client.
o The minimum and maximum number of idle server processes kept waiting for client requests, and the number of servers started when the web server starts.

MinSpareServers 5
MaxSpareServers 10
StartServers 5
o MaxClients 150 - The maximum number of clients that may connect at one time to the web server.
o Port 80 - The TCP port the server listens on.
o The user and group the server processes run as once the port is bound. Use an unprivileged account and never root: a flaw in the server or in a CGI program would otherwise hand an attacker root.

User nobody
Group nobody
* Directory permission entries define the options and access rules for a directory tree. The entry for the document root directory looks like the following:

<Directory "/home/httpd/html">
Options FollowSymLinks
AllowOverride None
</Directory>

AllowOverride controls which directives a .htaccess file found in the directory may change. Its values include:
o None - nothing may be overridden (the safe setting for the document root)
o AuthConfig
o FileInfo
o Limit
o All

Options include:
o ExecCGI - Allows CGI programs in the directory to be executed.
o FollowSymLinks
o Includes
o Indexes
o MultiViews
o None - No options
o All - All options except MultiViews
* Permissions - Are set with statements such as:

Order deny,allow
Deny from all

or:

Order allow,deny
Allow from all

The two keywords after Order are separated by a comma with no space. <Limit> and </Limit> tag pairs, placed inside <Directory> and </Directory> tags, restrict the enclosed access directives to the listed HTTP methods, such as:
o GET
o POST
o OPTIONS
o PROPFIND
Methods not named in a <Limit> block are left unrestricted, so put access controls outside <Limit> (or use <LimitExcept>) unless you really mean to control only the listed methods.
* <Files> and </Files> tag pairs can be used to limit access to specific file names or types the same as is done with directory entries above.
* The CGI directory definition names the directory in which CGI programs are kept and allows them to run there. Other directories can be allowed to run CGI files by giving the ExecCGI option in their directory entries; keep this to as few directories as possible. The path below is a placeholder; use the directory your ScriptAlias points to.

<Directory "/path/to/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>

* AddType and AddHandler statements. These associate file types with the programs that handle them. You will likely need this set of entries to run PHP:

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

The second line serves a syntax-highlighted copy of the source of any .phps file to anyone who requests it; leave it out unless you intend to publish source.

To run server-parsed SHTML files you will need:

AddType text/html .shtml
AddHandler server-parsed .shtml

together with the Includes option on the directory that holds them.

This is just a partial list of common apache web server options. For a more complete guide, including setting up virtual hosts, refer to the Apache web server documentation.
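The directives above are easy to get wrong in the permissive direction, so here is an added example, written for this page rather than taken from Apache or the original post, that lints an httpd.conf in the syntax shown: it flags the server running as root, directory listings, CGI execution or server-side includes enabled through Options, AllowOverride All, and the .phps source handler. Both configurations are constructed for the demo; the weak one contains every setting the lint looks for and the hardened one none.

```shell
#!/bin/sh
# Added example for this page (not Apache's code and not from the original
# post): a small lint over an httpd.conf in the Apache 1.3 syntax shown above.
# Both configurations below are constructed for the demo; on a real host feed
# the function the contents of /etc/httpd/conf/httpd.conf.

WEAK_HTTPD_CONF='
ServerRoot "/usr/local/apache"
Port 80
User root
Group root
DocumentRoot "/home/httpd/html"
<Directory "/home/httpd/html">
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
'

HARDENED_HTTPD_CONF='
ServerRoot "/usr/local/apache"
Port 80
User nobody
Group nobody
DocumentRoot "/home/httpd/html"
<Directory "/home/httpd/html">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
AddType application/x-httpd-php .php
'

# Print one finding per line; prints nothing for a configuration with none.
httpd_conf_findings() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }     # drop comments and padding
        $0 == "" { next }
        $1 == "User"  && $2 == "root" { print "server runs as the root user (User root)" }
        $1 == "Group" && $2 == "root" { print "server runs as the root group (Group root)" }
        $1 == "Options" {
            for (i = 2; i <= NF; i++) {
                o = $i; sub(/^\+/, "", o)                   # "+Indexes" counts as Indexes
                if (o == "Indexes")  print "directory listings enabled (Options Indexes)"
                if (o == "ExecCGI")  print "CGI execution enabled (Options ExecCGI); confirm this is only the CGI directory"
                if (o == "Includes") print "server-side includes with exec enabled (Options Includes)"
                if (o == "All")      print "every option enabled (Options All)"
            }
        }
        $1 == "AllowOverride" && $2 == "All" { print ".htaccess files may override everything (AllowOverride All)" }
        $1 == "AddType" && $2 == "application/x-httpd-php-source" { print "PHP source is served for " $3 " files" }'
}

# Number of findings, for scripts that want a pass/fail.
httpd_conf_finding_count() {
    httpd_conf_findings "$1" | awk 'END { print NR }'
}

echo "weak configuration:"
httpd_conf_findings "$WEAK_HTTPD_CONF"
echo "hardened configuration: $(httpd_conf_finding_count "$HARDENED_HTTPD_CONF") findings"
```

The lint does not track which <Directory> block an Options line belongs to, so ExecCGI is reported wherever it appears and you confirm by hand that it is only in the CGI directory.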
Getting user filled out form data from the web

There are many types of programs that can be written to do this:

1. Perl CGI scripts
2. Shell CGI scripts
3. PHP scripts, which run on the server when the page is requested. PHP code is embedded in the HTML page, and the file is given the .php extension so the server passes it to PHP.
4. Java Servlets
5. Compiled programs based on any language.

The CGI Environment:

The web server places a standard set of environment variables in the environment of every CGI program it runs, describing the request: the method (REQUEST_METHOD), the query string (QUERY_STRING), the body length and type (CONTENT_LENGTH, CONTENT_TYPE), and the client's headers (HTTP_*). A program in any language reads them by name. Most of these values are supplied by the client, so a CGI program must validate them before using them in a command line, a file name, or a database query.

Terms:

* CGI - Common Gateway Interface. A set of rules (interface) for scripting and exchanging data over the web.
* SGML - Standard Generalized Markup Language. HTML is an application of this.
* URL - Uniform Resource Locator. Includes the protocol (HTTP, FTP, FILE, GOPHER), the host name, and the path name of the object.
* IIS - Microsoft's Internet Information Server (A web server for NT)
* IDC - Internet Database Connector
* ISAPI - Microsoft web programming (Internet Server Application Programming Interface)
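The shell CGI below is an added example (not code from the original post) of reading form data from that environment and validating it before it touches a command. REQUEST_METHOD and QUERY_STRING are assigned from constructed values so it runs offline; under Apache they are already set in the CGI program's environment. The allowlist for user names is my own assumption about what a login name may contain.

```shell
#!/bin/sh
# Added example for this page (not from the original post): a shell CGI that
# reads its form data from the environment the web server provides and
# validates it before the value reaches a command line. The two variables are
# assigned from constructed values so the script runs offline; under Apache
# they are already set in the CGI program's environment.

REQUEST_METHOD=GET
QUERY_STRING='user=alice;id&dept=eng&note=a%20b'

# Print the raw, still URL-encoded value of one parameter from QUERY_STRING.
# Parameters are separated by "&", name and value by "=".
cgi_param() {
    printf '%s\n' "$QUERY_STRING" | tr '&' '\n' | awk -F= -v want="$1" '
        $1 == want { sub(/^[^=]*=/, ""); print; exit }'
}

# Decode "+" and %XX escapes so the value can be checked against an allowlist.
url_decode() {
    printf '%s' "$1" | sed 's/+/ /g' | awk '
        function hex(h,   i, v) {
            v = 0
            for (i = 1; i <= length(h); i++) {
                v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
            }
            return v
        }
        {
            out = ""
            while (match($0, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
                out = out substr($0, 1, RSTART - 1) sprintf("%c", hex(substr($0, RSTART + 1, 2)))
                $0 = substr($0, RSTART + RLENGTH)
            }
            print out $0
        }'
}

# Allowlist for a login name (assumption for this example: 1 to 32 characters
# of a-z, 0-9, "_" and "-"). Returns 0 if acceptable, 1 otherwise.
is_valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Only an allowlisted value is used, and only as one quoted argument. Passing
# the raw value through eval or sh -c would run the "id" after the semicolon.
handle_request() {
    user=$(url_decode "$(cgi_param user)")
    if is_valid_username "$user"; then
        printf 'Content-Type: text/plain\n\nlookup for %s\n' "$user"
        # e.g. getent passwd "$user"
        return 0
    fi
    printf 'Content-Type: text/plain\n\nrequest rejected\n'
    return 1
}

handle_request || true
```

With the constructed query string the request is rejected, because the decoded user value "alice;id" contains a character outside the allowlist; change it to "user=alice" and the lookup branch runs.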

Wednesday, December 9, 2009

 

Linux Files and File Permission


Linux files are set up so that access to them is controlled. There are three types of access:
read
write
execute

Each file belongs to a specific user and group. Access to the files is controlled by user, group, and what is called other. The term, other, is used to refer to someone who is not the user (owner) of the file, nor is the person a member of the group the file belongs to. When talking about setting permissions for "other" users to use, it is commonly referred to as setting the world execute, read, or write bit since anyone in the world will be able to perform the operation if the permission is set in the other category.

File names and permission characters

File names can be up to 255 characters long and may contain any character except "/" and the NUL byte; letters, digits, "-", "_", and "." are the usual choices.
When a long file listing is done, there are 10 characters shown on the left that indicate the type and permissions of the file. File permissions are shown according to the following syntax example: drwxrwxrwx
There are a total of 10 characters in this field, as for all Linux files. The first character indicates the type of file, and each following group of three indicates read, write, and execute permission for one of the three classes of user: user (owner), group and other. Since there are three permissions for each of three classes, there are a total of nine permission bits. The table below shows the syntax:

Position   1      2     3      4        5     6      7        8     9      10
           File   User permissions       Group permissions      Other permissions
           type   Read  Write  Execute  Read  Write  Execute  Read  Write  Execute
Example    d      r     w      x        r     w      x        r     w      x
   

Character 1 is the type of file: - is ordinary, d is directory, l is link.
Characters 2-4 show owner permissions. Character 2 indicates read permission, character 3 indicates write permission, and character 4 indicates execute permission.
Characters 5-7 show group permissions. Character 5=read, 6=write, 7=execute
Characters 8-10 show permissions for all other users. Character 8=read, 9=write, 10=execute

The characters that can appear in the permission fields are:
r = read - Only found in a read field.
w = write - Only found in a write field.
x = execute - Only found in an execute field.
s = setuid or setgid - Only found in the user or group execute field; it means the set-ID bit is on together with execute (an upper-case S means the set-ID bit is on but execute is off).
t = sticky - Only found in the other execute field, usually on directories (an upper-case T means sticky without execute).
- = no permission. This may be found in any field, whether read, write, or execute.
Examples

Type "ls -l" and a listing like the following is displayed:

total 10
drwxrwxrwx    4    george    team1     122    Dec 12 18:02    Projects
-rw-rw-rw-    1    george    team1    1873    Aug 23 08:34    test
-rw-rw-rw-    1    george    team1    1234    Sep 12 11:13    datafile

Taking the first entry, the columns mean the following:

Type and           # of     File's    File's    Size in    Date of last     Filename
permission field   links    owner     group     bytes      modification
drwxrwxrwx         4        george    team1     122        Dec 12 18:02     Projects


The fields are as follows:
Type field: The first character in the field indicates a file type of one of the following:
d = directory
l = symbolic link
s = socket
p = named pipe
- = regular file
c= character (unbuffered) device file special
b=block (buffered) device file special
Permissions are explained above.
Links: The number of directory entries that refer to the file. In our example, there are four.
The file's owner in our example is George.
The group the file belongs to. In our example, the group is team1.
The size of the file in bytes
The last modification date. If the file was modified within roughly the last six months, the date and time are shown; otherwise the year is shown instead of the time.
The name of the file.
Set User Identification Attribute

The permission bits include an execute bit for the file owner, group and other. When the owner's execute position shows "s", the set user ID bit is set: any user or process that runs the file does so with the permissions of the file's owner rather than those of the person running it. When the group's execute position shows "s", the set group ID bit is set, and the program runs with the permissions of the group the file belongs to. The following command:

chmod u+s myfile

sets the set user ID bit on the file "myfile" (a bare "chmod +s" would set both the user and group ID bits). The command:

chmod g+s myfile

sets the group ID bit on the file "myfile".

The listing below shows a listing of two files that have the group or user ID bit set.
-rws--x--x   1 root    root    14024 Sep  9 1999 chfn
-rwxr-sr-x   1 root   mail    12072 Aug 16 1999 lockfile

The files chfn and lockfile are located in the directory "/usr/bin". The "s" takes the place where the execute bit normally appears. The special bit only matters for users who can execute the file at all: if lockfile's world execute bit were not set, only members of the group mail could run it, and they already have that group's access, so the set group ID bit would gain them nothing. In the listing both programs can be run by everyone. The first runs with the privileges of root, the file's owner; the second runs with "mail" as its effective group.

For system security reasons, set the user or group ID bits on no more programs than necessary, since each one lets an unprivileged user exercise the owner's or group's privileges in whatever the program does. If the program has a flaw that lets the user break out of its intended use, the system can be compromised. A periodic inventory of set-ID files, compared against the previous one, is the usual check.
Directory Permissions

There are two special bits in the permissions field of directories:
s - Set group ID: files created in the directory take the directory's group.
t - Save text attribute (sticky bit): files in the directory may be deleted or renamed only by their owner, the directory's owner, or root, even though everyone may write to the directory.
Save text attribute

The /tmp directory is typically world-writable and looks like this in a listing:
drwxrwxrwt   13 root     root         4096 Apr 15 08:05 tmp

Everyone can read, write, and search the directory. The "t" means that only the owner of a file (or the owner of the directory, and root, of course) can delete or rename that file, so users cannot remove each other's temporary files.

To set the sticky bit on a directory, do the following:

chmod +t data

World-writable directories should be few and always sticky, and shared temporary directories should be used with care. A possible alternative to writing into /tmp at all is:
Create a directory in the user's home directory to which he or she can write temporary files.
Set the TMPDIR environment variable in each user's login script.
Programs using the tempnam(3) function look for the TMPDIR variable and use it instead of writing to the /tmp directory.
Directory Set Group ID

If the setgid bit is set on a directory, files created in that directory get the directory's group rather than the primary group of the user who created them.

This attribute is helpful when several users need access to the same files. If the users work in a directory with the setgid attribute set, then any file created in the directory by any of them belongs to the directory's group. For example, the administrator can create a group called spcprj and add the users Kathy and Mark to it. The directory spcprjdir can be created with the set GID bit set, and Kathy and Mark, although in different primary groups, can work in the directory and share the files created there, while files in their own primary-group directories stay private to each. Whether group members can write to a shared file still depends on the file's group write bit, which is why a umask of 002 is used with this scheme (see Umask Settings below).

The following command will set the GID bit on a directory:

chmod g+s spcprjdir

The directory listing of the directory "spcprjdir":

drwxrwsr-x 2 kathy spcprj 1674 Sep 17 1999 spcprjdir

The "s'' in place of the execute bit in the group permissions causes all files written to the directory "spcprjdir" to belong to the group "spcprj" .
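As an added example, not from the original post, the script below creates a setuid file, a setgid directory and a sticky directory in a scratch location and reads back the mode strings, so you can see the "s" and "t" positions and the group inheritance without touching real system files. It assumes a Linux or BSD ls -l layout (group in the fourth column) and that the group of the scratch directory is one you belong to, which mktemp gives you by default.

```shell
#!/bin/sh
# Added example for this page (not from the original post): exercise the
# setuid, setgid and sticky bits in a scratch directory and read the mode
# strings back the way ls -l shows them. Everything lives under mktemp -d,
# so it runs as an ordinary user and removes what it created.

# Print the 10-character type/permission field of one path.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Print the group shown by ls -l (fourth column on Linux and BSD ls).
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Prints "<suid-mode> <setgid-dir-mode> <sticky-mode> inherited|not-inherited".
demo_special_bits() {
    work=$(mktemp -d) || return 1

    # setuid on a file: "s" replaces "x" in the owner's execute slot
    : > "$work/suid-tool"
    chmod 4755 "$work/suid-tool"          # same as: chmod u+s,a+rx suid-tool
    suid_mode=$(mode_string "$work/suid-tool")

    # setgid on a directory: "s" in the group execute slot, and files
    # created inside take the directory's group instead of the creator's
    mkdir "$work/shared"
    chmod 2775 "$work/shared"             # same as: chmod g+s,ug+rwx,o+rx shared
    : > "$work/shared/report.txt"
    dir_mode=$(mode_string "$work/shared")
    if [ "$(group_of "$work/shared")" = "$(group_of "$work/shared/report.txt")" ]; then
        inherit=inherited
    else
        inherit=not-inherited
    fi

    # sticky bit on a world-writable directory, as on /tmp: "t" in the last slot
    mkdir "$work/dropbox"
    chmod 1777 "$work/dropbox"            # same as: chmod +t,a+rwx dropbox
    sticky_mode=$(mode_string "$work/dropbox")

    rm -rf "$work"
    printf '%s %s %s %s\n' "$suid_mode" "$dir_mode" "$sticky_mode" "$inherit"
}

demo_special_bits
```

The octal forms used here (4755, 2775, 1777) are the same bits the symbolic commands in the text set; the leading digit is 4 for setuid, 2 for setgid and 1 for sticky, and they add like the other digits.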
Examples
Below are examples of making changes to permissions:
chmod u+x myfile      Gives the user (owner) execute permission on myfile.
chmod +x myfile       Gives everyone execute permission on myfile.
chmod ugo+x myfile    Same as the above command, but explicitly names user, group and other.
chmod 400 myfile      Gives the user read permission and removes all other permissions. Permissions are given in octal: the first digit is for the user, the second for the group and the third for other. Within each digit, 4 is read, 2 is write and 1 is execute, and the digit is their sum.
chmod 764 myfile      Gives the user full access, the group read and write access, and other read access.
chmod 751 myfile      Gives the user full access, the group read and execute permission, and other execute permission only.
chmod u+s myfile      Sets the set user ID bit (chmod g+s sets the set group ID bit; a bare +s sets both).
chmod go=rx myfile    Sets the group and other permissions to exactly read and execute, removing write if it was set.


Below are examples of changing the owner and group:
chown mark test1      Changes the owner of the file test1 to the user mark.
chgrp mark test1      Changes the group of the file test1 to the group "mark".


Note: older versions of ls laid out long listings with a default tab width of 8, so long file names could come out misaligned on an old Linux distribution. The "-T" option of ls sets the tab size, for example "ls -al -T 30" to make the tab length 30.

Umask Settings

The umask command sets and displays the file creation mask: the permission bits that are cleared from every file the session creates. Programs request a starting mode when they create a file, normally:
777 - Executable files and directories
666 - Text and data files

These starting modes would let all users read and write a new file and execute a new program or enter a new directory; the umask removes the bits that should not be granted by default, and a text file never becomes executable by accident because execute is not in its starting mode.

The permission of a new file is the starting mode with the umask bits cleared (a bitwise AND with the complement of the umask). For the usual masks this looks like a digit-by-digit subtraction, which is how it is commonly shown. An example for a text file with a umask value of 022:
        666 Default permission for a text file
       -022 Minus the umask value
      -----
        644 Allowed permissions

The subtraction picture only holds while each umask digit's bits are a subset of the default digit's: a umask of 033 applied to 666 gives 644, not 633, because the execute bit in the mask has nothing to clear. Treat the umask as a set of bits to remove rather than a number to subtract.

Therefore the umask value expresses the permissions that the user, group and world will not receive by default for reading, writing or executing the file. The value 022 means the group the file belongs to and users other than the owner will not be able to write to the file. When a new text file is created it will have a permission value of 644: the owner can read and write the file, while members of the group the file belongs to and all others can only read it. A long directory listing of a file with these permissions set is shown below.
-rw-r--r--   1 root     workgrp          14233 Apr  24 10:32 textfile.txt

A example command to set the umask is:

umask 022

The most common umask setting is 022. The /etc/profile script is where the umask command is usually set for all users.

Red Hat Linux has a user and group ID creation scheme where there is a group for each user and only that user belongs to that group. If you use this scheme consistently you only need to use 002 for your umask value with normal users.
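As an added example (not from the original post), the script below computes the mode a new file receives by clearing the umask bits, which is what the kernel does, and then sets a umask in a subshell and reads back the modes of a file and a directory actually created under it. The starting modes 666 and 777 are the ones described above; the scratch directory comes from mktemp.

```shell
#!/bin/sh
# Added example for this page (not from the original post). The mode of a new
# file is the starting mode with the umask bits cleared; the digit-by-digit
# subtraction shown above only matches when every umask digit's bits are a
# subset of the corresponding default digit (true for 022, false for 033).

# Usage: umask_result <starting-mode> <umask>, both octal, e.g. 666 022 -> 644
umask_result() {
    # a leading 0 makes the shell read both operands as octal
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Create a file (requested mode 666) and a directory (requested mode 777)
# under the given umask and print their mode strings as ls shows them.
modes_under_umask() {
    work=$(mktemp -d) || return 1
    (
        umask "$1"            # affects only this subshell
        : > "$work/f"
        mkdir "$work/d"
    )
    f=$(ls -ld "$work/f" | cut -c1-10)
    d=$(ls -ld "$work/d" | cut -c1-10)
    rm -rf "$work"
    printf '%s %s\n' "$f" "$d"
}

for m in 022 033 077; do
    printf 'umask %s: text file 666 -> %s, directory 777 -> %s\n' \
        "$m" "$(umask_result 666 "$m")" "$(umask_result 777 "$m")"
done
printf 'umask 027 on disk: %s\n' "$(modes_under_umask 027)"
```

The loop prints 644/755 for 022, 644/744 for 033 (where subtraction would have said 633) and 600/700 for 077, and the last line shows the kernel agreeing with umask_result for a mask of 027.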

 

Finding Files in Linux

There are three good methods of finding files in Linux:
The slocate database
The whereis command
The find command
The slocate database

To use the locate command, you need a slocate database on your system. On many systems it is rebuilt periodically by the cron daemon. Try the locate command to see if it works on your system:

locate whereis

will list all file names that contain the string "whereis". If the command reports that there is no database, run:

slocate -u

This builds the slocate database so that the locate command can be used. It takes a few minutes to run. Note that the database is a snapshot: files created since the last update are not in it, and slocate only reports entries the querying user is permitted to see.
The whereis command

This command will locate binary (or executable) programs and their respective man pages. The command:

whereis linuxconf

will find all binaries and manpages with the name linuxconf.

The find command

The following are examples of the find command:
find /home -user mark          Finds every file under the directory /home owned by the user mark.
find /usr -name '*.spec'       Finds every file under the directory /usr whose name ends in ".spec". Quote the patt
ern, or the shell may expand it against the current directory before find sees it.
find /var/spool -mtime +40     Finds every file under the directory /var/spool not modified in more than 40 days.


Find is a very powerful program and very useful for finding files with various characteristics. For more information, read the man page about find by typing "man find".
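The searches above are the ones to reach for when auditing a filesystem, so here is an added example (not from the original post) that builds a scratch directory tree and runs the searches from this section plus the set-ID search that the earlier setuid discussion calls for: files with the setuid bit, world-writable files, files by name suffix, and files untouched for more than 40 days. The tree, its file names and its timestamps are constructed for the demo; on a real host search from / instead.

```shell
#!/bin/sh
# Added example for this page (not from the original post): the find searches
# from this section, plus the set-ID search the setuid discussion calls for,
# run against a scratch tree built here so the script works offline. On a real
# host search from / (add -xdev to stay on one filesystem).

# Build a small tree with one file of each kind we want to find; prints its path.
build_sample_tree() {
    umask 022                                   # so only the file we choose is world-writable
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/var/spool" "$root/home/mark"
    : > "$root/usr/bin/passwd";       chmod 4755 "$root/usr/bin/passwd"      # setuid
    : > "$root/usr/bin/ls";           chmod 755  "$root/usr/bin/ls"
    : > "$root/home/mark/notes.txt";  chmod 666  "$root/home/mark/notes.txt" # world-writable
    : > "$root/home/mark/pkg.spec"
    : > "$root/var/spool/old.job";    touch -t 200001010000 "$root/var/spool/old.job"  # dated 2000
    : > "$root/var/spool/new.job"
    printf '%s\n' "$root"
}

# Files with the setuid bit set (add -o -perm -2000 for setgid as well).
find_setuid()          { find "$1" -type f -perm -4000 | sort; }
# Regular files anyone may write to.
find_world_writable()  { find "$1" -type f -perm -002 | sort; }
# Files whose name ends in the given suffix; the pattern is quoted so the shell
# does not expand it before find sees it.
find_by_suffix()       { find "$1" -type f -name "*.$2" | sort; }
# Files not modified in more than N days (the page's -mtime +40).
find_older_than_days() { find "$1" -type f -mtime +"$2" | sort; }

# Strip the scratch prefix so the output reads like real paths.
relative() { sed "s|^$1||"; }

root=$(build_sample_tree)
echo "setuid files:";       find_setuid "$root"            | relative "$root"
echo "world-writable:";     find_world_writable "$root"    | relative "$root"
echo "*.spec:";             find_by_suffix "$root" spec     | relative "$root"
echo "older than 40 days:"; find_older_than_days "$root" 40 | relative "$root"
rm -rf "$root"
```

Each search is a one-line function so the same call can be dropped into a cron job that saves the list and diffs it against yesterday's; a new setuid file or a new world-writable file is worth an alert.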
Locating man pages by subject

There is a keyword option in the man command that can be used to find man pages that have specific words in their descriptions. An example is:

man -k process

to find all man pages that talk about processes. Use the command:

man -k process |grep kernel

to find information on kernel processes. An equivalent command is the apropos command as follows:

apropos process 

The which command

The which(1) program is a useful command for finding the full path of the executable program that would be executed if the name of the executable program is entered on the command line. The command:

which startx

Will show the full path of the startx command that will be run if "startx" is entered on the command line when an X session is started.

 

Basic Unix Commands

A
 alias    Create an alias
 apropos  Search Help manual pages (man -k)
 apt-get  Search for and install software packages (Debian)
 aspell   Spell Checker
 awk      Find and Replace text, database sort/validate/index

B
 bash     GNU Bourne-Again SHell
 bc       Arbitrary precision calculator language
 bg       Send to background
 break    Exit from a loop
 builtin  Run a shell builtin
 bzip2    Compress or decompress named file(s)

C
 cal      Display a calendar
 case     Conditionally perform a command
 cat      Display the contents of a file
 cd       Change Directory
 cfdisk   Partition table manipulator for Linux
 chgrp    Change group ownership
 chmod    Change access permissions
 chown    Change file owner and group
 chroot   Run a command with a different root directory
 cksum    Print CRC checksum and byte counts
 clear    Clear terminal screen
 cmp      Compare two files
 comm     Compare two sorted files line by line
 command  Run a command - ignoring shell functions
 continue Resume the next iteration of a loop
 cp       Copy one or more files to another location
 cron     Daemon to execute scheduled commands
 crontab  Schedule a command to run at a later time
 csplit   Split a file into context-determined pieces
 cut      Divide a file into several parts

D
 date     Display or change the date & time
 dc       Desk Calculator
 dd       Convert and copy a file, write disk headers, boot records
 ddrescue Data recovery tool
 declare  Declare variables and give them attributes
 df       Display free disk space
 diff     Display the differences between two files
 diff3    Show differences among three files
 dig      DNS lookup
 dir      Briefly list directory contents
 dircolors Colour setup for `ls'
 dirname  Convert a full pathname to just a path
 dirs     Display list of remembered directories
 du       Estimate file space usage

E
 echo     Display message on screen
 egrep    Search file(s) for lines that match an extended expression
 eject    Eject removable media
 enable   Enable and disable builtin shell commands
 env      Environment variables
 ethtool  Ethernet card settings
 eval     Evaluate several commands/arguments
 exec     Execute a command
 exit     Exit the shell
 expect   Automate arbitrary applications accessed over a terminal
 expand   Convert tabs to spaces
 export   Set an environment variable
 expr     Evaluate expressions

F
 false    Do nothing, unsuccessfully
 fdformat Low-level format a floppy disk
 fdisk    Partition table manipulator for Linux
 fg       Send job to foreground
 fgrep    Search file(s) for lines that match a fixed string
 file     Determine file type
 find     Search for files that meet a desired criteria
 fmt      Reformat paragraph text
 fold     Wrap text to fit a specified width.
 for      Expand words, and execute commands
 format   Format disks or tapes
 free     Display memory usage
 fsck     File system consistency check and repair
 ftp      File Transfer Protocol
 function Define Function Macros

G
 gawk     Find and Replace text within file(s)
 getopts  Parse positional parameters
 grep     Search file(s) for lines that match a given pattern
 groups   Print group names a user is in
 gzip     Compress or decompress named file(s)

H
 hash     Remember the full pathname of a name argument
 head     Output the first part of file(s)
 history  Command History
 hostname Print or set system name

I
 id       Print user and group id's
 if       Conditionally perform a command
 ifconfig Configure a network interface
 ifdown   Stop a network interface
 ifup     Start a network interface up
 import   Capture an X server screen and save the image to file
 install  Copy files and set attributes

J
 join     Join lines on a common field

K
 kill     Stop a process from running

L
 less     Display output one screen at a time
 let      Perform arithmetic on shell variables
 ln       Make links between files
 local    Create variables
 locate   Find files
 logname  Print current login name
 logout   Exit a login shell
 look     Display lines beginning with a given string
 lpc      Line printer control program
 lpr      Off line print
 lprint   Print a file
 lprintd  Abort a print job
 lprintq  List the print queue
 lprm     Remove jobs from the print queue
 ls       List information about file(s)
 lsof     List open files

M
 make     Recompile a group of programs
 man      Help manual
 mkdir    Create new folder(s)
 mkfifo   Make FIFOs (named pipes)
 mkisofs  Create an hybrid ISO9660/JOLIET/HFS filesystem
 mknod    Make block or character special files
 more     Display output one screen at a time
 mount    Mount a file system
 mtools   Manipulate MS-DOS files
 mv       Move or rename files or directories

N
 netstat  Networking information
 nice     Set the priority of a command or job
 nl       Number lines and write files
 nohup    Run a command immune to hangups
 nslookup Query Internet name servers interactively

O
 open     Open a file in its default application
 op       Operator access

P
 passwd   Modify a user password
 paste    Merge lines of files
 pathchk  Check file name portability
 ping     Test a network connection
 popd     Restore the previous value of the current directory
 pr       Prepare files for printing
 printcap Printer capability database
 printenv Print environment variables
 printf   Format and print data
 ps       Process status
 pushd    Save and then change the current directory
 pwd      Print Working Directory

Q
 quota    Display disk usage and limits
 quotacheck Scan a file system for disk usage
 quotactl Set disk quotas

R
 ram      ram disk device
 rcp      Copy files between two machines (unencrypted; prefer scp).
 read     read a line from standard input
 readonly Mark variables/functions as readonly
 renice   Alter priority of running processes
 remsync  Synchronize remote files via email
 return   Exit a shell function
 rm       Remove files
 rmdir    Remove folder(s)
 rsync    Remote file copy (Synchronize file trees)

S
 screen   Multiplex terminal, run remote shells via ssh
 scp      Secure copy (remote file copy)
 sdiff    Merge two files interactively
 sed      Stream Editor
 select   Accept keyboard input
 seq      Print numeric sequences
 set      Manipulate shell variables and functions
 sftp     Secure File Transfer Program
 shift    Shift positional parameters
 shopt    Shell Options
 shutdown Shutdown or restart linux
 sleep    Delay for a specified time
 slocate  Find files
 sort     Sort text files
 source   Run commands from a file `.'
 split    Split a file into fixed-size pieces
 ssh      Secure Shell client (remote login program)
 strace   Trace system calls and signals
 su       Substitute user identity
 sudo     Execute a command as another user
 sum      Print a checksum for a file
 symlink  Make a new name for a file
 sync     Synchronize data on disk with memory

T
 tail     Output the last part of files
 tar      Tape ARchiver
 tee      Redirect output to multiple files
 test     Evaluate a conditional expression
 time     Measure Program running time
 times    User and system times
 touch    Change file timestamps
 top      List processes running on the system
 traceroute Trace Route to Host
 trap     Run a command when a signal is set(bourne)
 tr       Translate, squeeze, and/or delete characters
 true     Do nothing, successfully
 tsort    Topological sort
 tty      Print filename of terminal on stdin
 type     Describe a command

U
 ulimit   Limit user resources
 umask    Users file creation mask
 umount   Unmount a device
 unalias  Remove an alias
 uname    Print system information
 unexpand Convert spaces to tabs
 uniq     Uniquify files
 units    Convert units from one scale to another
 unset    Remove variable or function names
 unshar   Unpack shell archive scripts
 until    Execute commands (until error)
 useradd  Create new user account
 usermod  Modify user account
 users    List users currently logged in
 uuencode Encode a binary file
 uudecode Decode a file created by uuencode

V
 v        Verbosely list directory contents (`ls -l -b')
 vdir     Verbosely list directory contents (`ls -l -b')
 vi       Text Editor
 vmstat   Report virtual memory statistics

W
 watch    Execute/display a program periodically
 wc       Print byte, word, and line counts
 whereis  Report all known instances of a command   
 which    Locate a program file in the user's path.
 while    Execute commands
 who      Print all usernames currently logged in
 whoami   Print the current user id and name (`id -un')
 wget     Retrieve web pages or files via HTTP, HTTPS or FTP

X
 xargs    Execute utility, passing constructed argument list(s)

Y
 yes      Print a string until interrupted

 .        Run a command script in the current shell
 ###      Comment / Remark

 

Linux Directory Structure


Note: Files are grouped according to purpose. Ex: commands, data files, documentation.

Parts of a Unix directory tree. See the FSSTND standard (Filesystem standard)
/            Root
|---root        The home directory for the root user
|---home        Contains the user's home directories
|    |----ftp        Users include many services as listed here
|    |----httpd
|    |----samba
|    |----user1
|    |----user2
|---bin            Commands needed during bootup that normal users might also need
|---sbin        Like bin but commands are not intended for normal users.  Commands run by LINUX.
|---proc        This filesystem is not on a disk.  Exists in the kernel's imagination (virtual).  This directory
|    |            Holds information about kernel parameters and system configuration.
|    |----1        A directory with info about process number 1.  Each process
|                has a directory below proc. 
|---usr            Contains all commands, libraries, man pages, games and static files for normal
|    |            operation.
|    |----bin        Almost all user commands.  some commands are in /bin or /usr/local/bin.
|    |----sbin        System admin commands not needed on the root filesystem.  e.g., most server
|    |            programs.
|    |----include    Header files for the C programming language.  Should be below /usr/lib for
|    |            consistency.
|    |----lib        Unchanging data files for programs and subsystems
|    |----local        The place for locally installed software and other files.
|    |----man        Manual pages
|    |----info        Info documents
|    |----doc        Documentation for various packages
|    |----tmp
|    |----X11R6        The X windows system files.  There is a directory similar to usr below this
|    |            directory.
|    |----X386        Like X11R6 but for X11 release 5
|---boot        Files used by the bootstrap loader, LILO.  Kernel images are often kept here.
|---lib            Shared libraries needed by the programs on the root filesystem
|    |----modules     Loadable kernel modules, especially those needed to boot the system after
|             disasters.
|---dev            Device files for devices such as disk drives, serial ports, etc.
|---etc            Configuration files specific to the machine.
|    |----skel        When a home directory is created it is initialized with files from this directory
|    |----sysconfig     Files that configure the linux system for networking, keyboard, time, and more.
|---var            Contains files that change for mail, news, printers log files, man pages, temp files
|    |----file
|    |----lib        Files that change while the system is running normally
|    |----local        Variable data for programs installed in /usr/local.
|    |----lock        Lock files.  Used by a program to indicate it is using a particular device or file
|    |----log        Log files from programs such as login and syslog which logs all logins,
|    |            logouts, and other system messages.
|    |----run        Files that contain information about the system that is valid until the system is
|    |            next booted
|    |----spool        Directories for mail, printer spools, news and other spooled work.
|    |----tmp        Temporary files that are large or need to exist for longer than they should in
|    |            /tmp.
|    |----catman    A cache for man pages that are formatted on demand
|---mnt            Mount points for temporary mounts by the system administrator.
|---tmp            Temporary files.  Programs running after bootup should use /var/tmp.

 

VSFTPD Server Configuration

Introduction

The File Transfer Protocol (FTP) is one of the most common means of copying files between servers over the Internet. Most web-based download sites use the built-in FTP capabilities of web browsers, and therefore most server-oriented operating systems include an FTP server application as part of the software suite. Linux is no exception.

This chapter will show you how to convert your Linux box into an FTP server using the default Very Secure FTP Daemon (VSFTPD) package included in Fedora.
FTP Overview

FTP relies on a pair of TCP ports to get the job done. It operates over two connection channels, as I'll explain:

FTP Control Channel, TCP Port 21: All commands you send and the ftp server's responses to those commands will go over the control connection, but any data sent back (such as "ls" directory lists or actual file data in either direction) will go over the data connection.

FTP Data Channel, TCP Port 20: This port is used for all subsequent data transfers between the client and server.

In addition to these channels, there are several varieties of FTP.

Types of FTP

From a networking perspective, the two main types of FTP are active and passive. In active FTP, the FTP server initiates a data transfer connection back to the client. For passive FTP, the connection is initiated from the FTP client.

From a user management perspective there are also two types of FTP: regular FTP, in which files are transferred using the username and password of a regular user on the FTP server, and anonymous FTP, in which general access is provided to the FTP server using a well-known universal login method.

Take a closer look at each type.

Active FTP

The sequence of events for active FTP is:

1) Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over this connection.

2) Whenever the client requests data over the control connection, the server initiates data transfer connections back to the client. The source port of these data transfer connections is always port 20 on the server, and the destination port is a high port (greater than 1024) on the client.

3) Thus the ls listing that you asked for comes back over the port 20 to high port connection, not the port 21 control connection.

FTP active mode therefore transfers data in a way that is counter-intuitive relative to the usual TCP pattern: the server selects port 20 as its source port (not a random high port greater than 1024) and connects back to the client on a random high port that was pre-negotiated over the port 21 control connection.

Active FTP may fail in cases where the client is protected from the Internet via many to one NAT (masquerading). This is because the firewall will not know which of the many servers behind it should receive the return connection.

Passive FTP

Passive FTP works differently:

1) Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as ls and get are sent over that connection.

2) Whenever the client requests data over the control connection, the client initiates the data transfer connections to the server. The source port of these data transfer connections is always a high port on the client, with a destination port of a high port on the server.

Passive FTP should be viewed as the server never making an active attempt to connect to the client for FTP data transfers. Because the client always initiates the required connections, passive FTP works better for clients protected by a firewall.

As Windows defaults to active FTP, and Linux defaults to passive, you'll probably have to accommodate both forms when deciding upon a security policy for your FTP server.
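In both modes the high port is negotiated in text on the control channel, as a "h1,h2,h3,h4,p1,p2" tuple: the client sends it in a PORT command (active) and the server returns it in a "227 Entering Passive Mode" reply (passive), with the port encoded as p1*256 + p2. The following POSIX shell helper is an added example, not code from the original page, that decodes and encodes that tuple; the function names ftp_hostport_decode and ftp_hostport_encode are my own. It uses the 227 reply that appears in the sample login session later in this chapter, which is the kind of line you need to read when working out why a session that can log in hangs on ls.

```shell
# Added example (not from the original page): decode and encode the
# "h1,h2,h3,h4,p1,p2" host/port tuple FTP sends over the control channel,
# in the client's PORT command (active mode) and in the server's
# "227 Entering Passive Mode" reply (passive mode). Port = p1*256 + p2.

# ftp_hostport_decode TUPLE_OR_227_LINE -> prints "a.b.c.d PORT"
ftp_hostport_decode() {
    local tuple oldifs
    # Accept either a bare tuple or a whole "227 ... (tuple)" reply line.
    tuple=$(printf '%s' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$tuple" ] || tuple=$1
    oldifs=$IFS
    IFS=,
    set -- $tuple
    IFS=$oldifs
    [ $# -eq 6 ] || { echo "malformed host/port tuple: $tuple" >&2; return 1; }
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# ftp_hostport_encode ADDR PORT -> prints "h1,h2,h3,h4,p1,p2"
ftp_hostport_encode() {
    local addr=$1 port=$2
    [ "$port" -ge 0 ] && [ "$port" -le 65535 ] \
        || { echo "port out of range: $port" >&2; return 1; }
    printf '%s,%d,%d\n' "$(printf '%s' "$addr" | tr . ,)" \
        $(( port / 256 )) $(( port % 256 ))
}

# Demo with the passive-mode reply shown in the sample session in this chapter.
ftp_hostport_decode '227 Entering Passive Mode (192,168,1,100,181,210)'  # 192.168.1.100 46546
ftp_hostport_encode 192.168.1.100 46546                                  # 192,168,1,100,181,210
```

The decoded port (46546 here) is the one the client's firewall must let out, or the server's firewall must let in, for the data channel to come up; a firewall that only permits port 21 produces exactly the "login works, ls hangs" symptom described under Problems With FTP And Firewalls.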

Regular FTP

By default, the VSFTPD package allows regular Linux users to copy files to and from their home directories with an FTP client using their Linux usernames and passwords as their login credentials.

VSFTPD also has the option of allowing this type of access to only a group of Linux users, enabling you to restrict the addition of new files to your system to authorized personnel.

The disadvantage of regular FTP is that it isn't suitable for general download distribution of software as everyone either has to get a unique Linux user account or has to use a shared username and password. Anonymous FTP allows you to avoid this difficulty.
 
Anonymous FTP

Anonymous FTP is the choice of Web sites that need to exchange files with numerous unknown remote users. Common uses include downloading software updates and MP3s and uploading diagnostic information for a technical support engineers' attention. Unlike regular FTP where you login with a preconfigured Linux username and password, anonymous FTP requires only a username of anonymous and your email address for the password. Once logged in to a VSFTPD server, you automatically have access to only the default anonymous FTP directory (/var/ftp in the case of VSFTPD) and all its subdirectories.

As seen in Chapter 6, "Installing Linux Software", using anonymous FTP as a remote user is fairly straightforward. VSFTPD can be configured to support user-based and/or anonymous FTP in its configuration file, which you'll see later.

Problems With FTP And Firewalls

FTP frequently fails when the data has to pass through a firewall, because firewalls are designed to limit data flows to predictable TCP ports and FTP uses a wide range of unpredictable TCP ports. You have a choice of methods to overcome this.

Note: The Appendix II, "Codes, Scripts, and Configurations", contains examples of how to configure the VSFTPD Linux firewall to function with both active and passive FTP.
 
Client Protected By A Firewall Problem

Typically firewalls don't allow any incoming connections at all, which frequently blocks active FTP from functioning. With this type of FTP failure, the active FTP connection appears to work when the client initiates an outbound connection to the server on port 21. The connection then appears to hang, however, as soon as you use the ls, dir, or get commands. The reason is that the firewall is blocking the return connection from the server to the client (from port 20 on the server to a high port on the client). If a firewall allows all outbound connections to the Internet, then passive FTP clients behind a firewall will usually work correctly as the clients initiate all the FTP connections.
Solution

Table 15-1 shows the general rules you'll need to allow FTP clients through a firewall:
Table 15-1: Client Protected by Firewall - Required Rules for FTP

Method           Source Address        Source Port   Destination Address   Destination Port   Connection Type
----------------------------------------------------------------------------------------------------------------
Allow outgoing control connections to server
Control Channel  FTP client / network  High (1)      FTP server (2)        21                 New
                 FTP server (2)        21            FTP client / network  High               Established (3)
Allow the client to establish data channels to remote server
Active FTP       FTP server (2)        20            FTP client / network  High               New
                 FTP client / network  High          FTP server (2)        20                 Established (3)
Passive FTP      FTP client / network  High          FTP server (2)        High               New
                 FTP server (2)        High          FTP client / network  High               Established (3)

(1) Greater than 1024.
(2) In some cases, you may want to allow all Internet users to have access, not just a specific client server or network.
(3) Many home-based firewall/routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.
Server Protected By A Firewall Problem

Typically firewalls don't let any connections come in at all. When an incorrectly configured firewall protects an FTP server, the FTP connection from the client doesn't appear to work at all for both active and passive FTP.
Solution
Rules needed to allow FTP servers through a firewall:

Method           Source Address            Source Port   Destination Address       Destination Port   Connection Type
------------------------------------------------------------------------------------------------------------------------
Allow incoming control connections to server
Control Channel  FTP client / network (2)  High (1)      FTP server                21                 New
                 FTP server                21            FTP client / network (2)  High               Established (3)
Allow server to establish data channel to remote client
Active FTP       FTP server                20            FTP client / network (2)  High               New
                 FTP client / network (2)  High          FTP server                20                 Established (3)
Passive FTP      FTP client / network (2)  High          FTP server                High               New
                 FTP server                High          FTP client / network (2)  High               Established (3)

(1) Greater than 1024.
(2) In some cases, you may want to allow all Internet users to have access, not just a specific client server or network.
(3) Many home-based firewall/routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.
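To turn the server-side table above into rules you can actually load, here is an added example (my own, not from the page or the VSFTPD project) that emits iptables commands for the "server protected by a firewall" case. It assumes iptables with the conntrack match, and that the passive data ports have been pinned in vsftpd.conf with the pasv_min_port and pasv_max_port directives (real VSFTPD directives that this page does not otherwise discuss), so that the firewall can admit one narrow range instead of every high port, which is what the "High" column would otherwise require. The client network 192.0.2.0/24 and the range 40000 to 40100 are constructed sample values; the function name ftp_server_rules is mine.

```shell
# Added example (not from the original page): print the iptables rules that
# implement the "server protected by a firewall" table, using connection
# tracking for the Established rows. Assumes vsftpd.conf pins the passive
# data ports with pasv_min_port=PASV_MIN and pasv_max_port=PASV_MAX.
#
# ftp_server_rules CLIENT_NET PASV_MIN PASV_MAX -> one iptables command per
# line. Review the output, then pipe it into "sh" as root to apply it. The
# rules assume the INPUT and OUTPUT chain policies are already DROP.
ftp_server_rules() {
    local client=$1 pmin=$2 pmax=$3
    [ "$pmin" -gt 1024 ] && [ "$pmax" -ge "$pmin" ] && [ "$pmax" -le 65535 ] \
        || { echo "passive range must be within 1025..65535 with min <= max" >&2; return 1; }

    # Established rows of the table: replies on any connection already accepted.
    echo "iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Control channel: client high port -> server port 21, new connections.
    echo "iptables -A INPUT  -p tcp -s $client --dport 21 -m conntrack --ctstate NEW -j ACCEPT"
    # Active FTP: server port 20 -> client high port, initiated by the server.
    echo "iptables -A OUTPUT -p tcp -d $client --sport 20 -m conntrack --ctstate NEW -j ACCEPT"
    # Passive FTP: client high port -> server passive range, initiated by the client.
    echo "iptables -A INPUT  -p tcp -s $client --dport $pmin:$pmax -m conntrack --ctstate NEW -j ACCEPT"
}

# Demo with constructed values: one client subnet, passive ports 40000-40100.
ftp_server_rules 192.0.2.0/24 40000 40100
```

To allow every Internet client, as footnote (2) describes, pass 0.0.0.0/0 as the client network. If the kernel's FTP connection-tracking helper (nf_conntrack_ftp) is loaded, the data connections are matched as RELATED by the first two rules and the explicit port 20 and passive-range rules become a belt-and-braces restriction rather than a requirement.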
How To Download And Install VSFTPD

Most Linux software products are available in a precompiled package format. Downloading and installing packages isn't hard. If you need a refresher, Chapter 6, "Installing Linux Software", covers how to do this in detail. It is best to use the latest version of VSFTPD.

When searching for the file, remember that the VSFTPD packages' filename usually starts with the word vsftpd followed by a version number, as in vsftpd-1.2.1-5.i386.rpm for Redhat/Fedora or vsftpd_2.0.4-0ubuntu4_i386.deb for Ubuntu.
 
How To Get VSFTPD Started

With Fedora, Redhat, Ubuntu and Debian you can start, stop, or restart VSFTPD after booting by using these commands:
[root@bigboy tmp]# /etc/init.d/vsftpd start
[root@bigboy tmp]# /etc/init.d/vsftpd stop
[root@bigboy tmp]# /etc/init.d/vsftpd restart

With Redhat / Fedora you can configure VSFTPD to start at boot using the chkconfig command.
[root@bigboy tmp]# chkconfig vsftpd on

With Ubuntu / Debian the sysv-rc-conf command can be used like this:
root@u-bigboy:/tmp# sysv-rc-conf vsftpd on

Note: In RedHat Linux version 8.0 and earlier, VSFTPD operation is controlled by the xinetd process, which is covered in Chapter 16, "Telnet, TFTP, and xinetd". You can find a full description of how to configure these versions of Linux for VSFTPD in Appendix III, "Fedora Version Differences."


Testing the Status of VSFTPD

You can always test whether the VSFTPD process is running by using the netstat -a command, which lists all the TCP and UDP ports on which the server is listening for traffic. This example shows the expected output.
[root@bigboy root]# netstat -a | grep ftp
tcp        0        0        *:ftp         *:*        LISTEN
[root@bigboy root]#

If VSFTPD wasn't running, there would be no output at all.
The vsftpd.conf File

VSFTPD reads the contents of its vsftpd.conf configuration file only when it starts, so you'll have to restart VSFTPD each time you edit the file in order for the changes to take effect. The file may be located in either the /etc or the /etc/vsftpd directory, depending on your Linux distribution.

This file uses a number of default settings you need to know about.
VSFTPD runs as an anonymous FTP server. Unless you want any remote user to log in to your default FTP directory using a username of anonymous and a password that's the same as their email address, I would suggest turning this off. The configuration file's anonymous_enable directive can be set to NO to disable this feature. You'll also need to simultaneously enable local users to be able to log in by removing the comment symbol (#) before the local_enable instruction.
If you enable anonymous FTP with VSFTPD, remember to define the root directory that visitors will visit. This is done with the anon_root directive.
anon_root=/data/directory
VSFTPD allows only anonymous FTP downloads to remote users, not uploads from them. This can be changed by modifying the anon_upload_enable directive shown later.
VSFTPD doesn't allow anonymous users to create directories on your FTP server. You can change this by modifying the anon_mkdir_write_enable directive.
VSFTPD logs FTP access to the /var/log/vsftpd.log log file. You can change this by modifying the xferlog_file directive.
By default VSFTPD expects files for anonymous FTP to be placed in the /var/ftp directory. You can change this by modifying the anon_root directive. There is always the risk with anonymous FTP that users will discover a way to write files to your anonymous FTP directory. You run the risk of filling up your /var partition if you use the default setting. It is best to make the anonymous FTP directory reside in its own dedicated partition.

The configuration file is fairly straightforward, as you can see in the snippet below, where we enable anonymous FTP and individual accounts simultaneously.
# Allow anonymous FTP?
anonymous_enable=YES
...
# The directory which vsftpd will try to change
# into after an anonymous login. (Default = /var/ftp)
anon_root=/data/directory
...
# Uncomment this to allow local users to log in.
local_enable=YES
...
# Uncomment this to enable any form of FTP write command.
# (Needed even if you want local users to be able to upload files)
write_enable=YES
...
# Uncomment to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
...
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
...
# Activate logging of uploads/downloads.
xferlog_enable=YES
...
# You may override where the log file goes if you like.
# The default is shown below.
xferlog_file=/var/log/vsftpd.log
...

To activate or deactivate a feature, remove or add the # at the beginning of the appropriate line.
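Because a directive that is missing or commented out silently falls back to VSFTPD's compiled-in default, it is easy to believe a feature is off when it is not. The following shell script is an added example, not code from the page or from the VSFTPD project, that reads a vsftpd.conf the way VSFTPD does (KEY=VALUE lines, "#" lines ignored, the last definition wins) and reports the settings discussed above that matter for security. The defaults it assumes for absent keys (anonymous_enable YES; local_enable, write_enable, anon_upload_enable, anon_mkdir_write_enable and xferlog_enable NO; no ftpd_banner) are those documented in the vsftpd.conf man page. The function names are my own, and the configuration it runs on is constructed inline from the snippet above.

```shell
# Added example (not from the original page): audit the security-relevant
# directives of a vsftpd.conf. Absent or commented-out directives fall back
# to the compiled-in defaults from the vsftpd.conf man page, which is why a
# fresh install behaves as an anonymous server.

# vsftpd_get FILE KEY -> prints the effective value of KEY (may be empty)
vsftpd_get() {
    local file=$1 key=$2 val
    val=$(sed -n "s/^[[:space:]]*$key=//p" "$file" | tail -n 1)
    if [ -z "$val" ]; then
        case $key in
            anonymous_enable) val=YES ;;                        # default YES
            local_enable|write_enable|xferlog_enable) val=NO ;; # default NO
            anon_upload_enable|anon_mkdir_write_enable) val=NO ;;
        esac
    fi
    printf '%s\n' "$val"
}

# vsftpd_bool FILE KEY -> prints YES or NO (VSFTPD also accepts yes/true/1)
vsftpd_bool() {
    case $(vsftpd_get "$1" "$2" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) echo YES ;;
        *)          echo NO ;;
    esac
}

# vsftpd_audit FILE -> prints one finding per line; returns 1 if any found
vsftpd_audit() {
    local file=$1 n=0
    if [ "$(vsftpd_bool "$file" anonymous_enable)" = YES ]; then
        echo "anonymous_enable=YES: anyone can log in as 'anonymous'"; n=$((n+1))
        if [ "$(vsftpd_bool "$file" write_enable)" = YES ] && \
           [ "$(vsftpd_bool "$file" anon_upload_enable)" = YES ]; then
            echo "anonymous uploads enabled: keep the upload directory on its own partition"; n=$((n+1))
        fi
        if [ "$(vsftpd_bool "$file" anon_mkdir_write_enable)" = YES ]; then
            echo "anon_mkdir_write_enable=YES: anonymous users may create directories"; n=$((n+1))
        fi
    fi
    if [ "$(vsftpd_bool "$file" xferlog_enable)" = NO ]; then
        echo "xferlog_enable=NO: uploads and downloads are not logged"; n=$((n+1))
    fi
    if [ -z "$(vsftpd_get "$file" ftpd_banner)" ]; then
        echo "ftpd_banner unset: the default greeting reveals the VSFTPD version"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}

# Demo on a constructed copy of the snippet above; remove to use as a library.
demo=$(mktemp)
printf '%s\n' '# Allow anonymous FTP?' 'anonymous_enable=YES' 'local_enable=YES' \
    'write_enable=YES' '#anon_upload_enable=YES' 'xferlog_enable=YES' > "$demo"
if vsftpd_audit "$demo"; then echo "no findings"; fi
rm -f "$demo"
```

Run it as vsftpd_audit /etc/vsftpd/vsftpd.conf (or /etc/vsftpd.conf) after every edit and before restarting the daemon; on the snippet above it reports two findings, anonymous access and the missing banner, while a file that sets anonymous_enable=NO, xferlog_enable=YES and an ftpd_banner passes cleanly.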
Other vsftpd.conf Options

There are many other options you can add to this file:
Limiting the maximum number of client connections (max_clients)
Limiting the number of connections by source IP address (max_per_ip)
The maximum rate of data transfer per anonymous login. (anon_max_rate)
The maximum rate of data transfer per non-anonymous login. (local_max_rate)

Descriptions on this and more can be found in the vsftpd.conf man pages.
FTP Security Issues

FTP has a number of security drawbacks, some of which you can mitigate: you can deny individual Linux users access to non-anonymous FTP, and you can change the configuration so that the FTP server's software version is not displayed. Unfortunately, convenient as it is, FTP logins and data transfers are not encrypted.
The /etc/vsftpd.ftpusers File

For added security, you may deny FTP access to specific users by adding them to the list in the /etc/vsftpd.ftpusers file. The VSFTPD package creates this file with a number of entries for privileged users that normally shouldn't have FTP access. As FTP doesn't encrypt passwords, thereby increasing the risk of data or passwords being compromised, it is a good idea to let these entries remain and add new entries for additional security.
Anonymous Upload

If you want remote users to write data to your FTP server, then you should create a write-only directory within /var/ftp/pub. This will allow your users to upload but not access other files uploaded by other users. The commands you need are:
[root@bigboy tmp]# mkdir /var/ftp/pub/upload
[root@bigboy tmp]# chmod 722 /var/ftp/pub/upload
FTP Greeting Banner

Change the default greeting banner in the vsftpd.conf file to make it harder for malicious users to determine the type of system you have. The directive in this file is:
ftpd_banner=New Banner Here
Using SCP As Secure Alternative To FTP

One of the disadvantages of FTP is that it does not encrypt your username and password. This could make your user account vulnerable to an unauthorized attack from a person eavesdropping on the network connection. Secure Copy (SCP) and Secure FTP (SFTP) provide encryption and could be considered as an alternative to FTP for trusted users. SCP does not support anonymous services, however, a feature that FTP does support.
Troubleshooting FTP

You should always test your FTP installation by attempting to use an FTP client to log in to your FTP server to transfer sample files.

The most common sources of day-to-day failures are incorrect usernames and passwords.

Initial setup failures could be caused by firewalls along the path between the client and server blocking some or all types of FTP traffic. Typical symptoms of this are either connection timeouts or the ability to use the ls command to view the contents of a directory without the ability to either upload or download files. Follow the firewall rule guidelines to help overcome this problem. Connection problems could also be the result of typical network issues outlined in Chapter 4, "Simple Network Troubleshooting".
Tutorial

FTP has many uses, one of which is allowing numerous unknown users to download files. You have to be careful, because you run the risk of accidentally allowing unknown persons to upload files to your server. This sort of unintended activity can quickly fill up your hard drive with illegal software, images, and music for the world to download, which in turn can clog your server's Internet access and drive up your bandwidth charges.
FTP Users with Only Read Access to a Shared Directory

In this example, anonymous FTP is not desired, but a group of trusted users need read-only access to a directory for downloading files. Here are the steps:

1) Disable anonymous FTP. Comment out the anonymous_enable line in the vsftpd.conf file like this:
# Allow anonymous FTP?
anonymous_enable=NO

2) Enable individual logins by making sure you have the local_enable line uncommented in the vsftpd.conf file like this:
# Uncomment this to allow local users to log in.
local_enable=YES

3) Start VSFTP.
[root@bigboy tmp]# service vsftpd start

4) Create a user group and shared directory. In this case, use /home/ftp-docs as the shared directory and ftp-users as the group name for the remote users:
[root@bigboy tmp]# groupadd ftp-users
[root@bigboy tmp]# mkdir /home/ftp-docs

5) Make the directory accessible to the ftp-users group.
[root@bigboy tmp]# chmod 750 /home/ftp-docs
[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs

6) Add users, and make their default directory /home/ftp-docs
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user1
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user2
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user3
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user4
[root@bigboy tmp]# passwd user1
[root@bigboy tmp]# passwd user2
[root@bigboy tmp]# passwd user3
[root@bigboy tmp]# passwd user4

7) Copy files to be downloaded by your users into the /home/ftp-docs directory

8) Change the permissions of the files in the /home/ftp-docs directory for read only access by the group
[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs/*
[root@bigboy tmp]# chmod 740 /home/ftp-docs/*
Users should now be able to log in via FTP to the server using their new usernames and passwords. If you absolutely don't want any FTP users to be able to write to any directory, then you should set the write_enable line in your vsftpd.conf file to no:
write_enable=NO

Remember, you must restart VSFTPD for the configuration file changes to take effect.
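The permissions set in steps 5 and 8 are what keep this directory read-only, and they drift: a file copied in later with the wrong mode, or a file owned by one of the FTP users, quietly changes who can read or write what. The following script is an added example, not part of the original page, that checks a directory against the layout the steps above produce (everything owned by root and the ftp-users group, directory 750, files 740, nothing visible to "other"). The owner and group are parameters because a test machine will not have the ftp-users group; the function name ftp_docs_check is mine.

```shell
# Added example (not from the original page): verify that a shared download
# directory prepared as in steps 4 to 8 still has the intended permissions.
#
# ftp_docs_check DIR [OWNER] [GROUP] -> prints one problem per line and
# returns 1 if any were found. OWNER defaults to root. GROUP is optional
# (pass ftp-users on the real server; a test box may not have that group).
ftp_docs_check() {
    local dir=$1 owner=${2:-root} group=$3 bad n=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }

    # Any entry, the directory included, that is group-writable or has any
    # permission bit set for "other" breaks the 750/740 model.
    bad=$(find "$dir" \( -perm -g+w -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    [ -z "$bad" ] || { printf '%s\n' "$bad" | sed 's/$/: group-writable or visible to other/'; n=$((n+1)); }

    # Files the group cannot read cannot be downloaded by the FTP users.
    bad=$(find "$dir" -mindepth 1 ! -perm -g+r -print)
    [ -z "$bad" ] || { printf '%s\n' "$bad" | sed 's/$/: not readable by the group/'; n=$((n+1)); }

    # Ownership: nothing in here should belong to one of the FTP users.
    bad=$(find "$dir" ! -user "$owner" -print)
    [ -z "$bad" ] || { printf '%s\n' "$bad" | sed "s/\$/: not owned by $owner/"; n=$((n+1)); }
    if [ -n "$group" ]; then
        bad=$(find "$dir" ! -group "$group" -print)
        [ -z "$bad" ] || { printf '%s\n' "$bad" | sed "s/\$/: not in group $group/"; n=$((n+1)); }
    fi
    [ "$n" -eq 0 ]
}

# Demo on a constructed directory; on the server the target is /home/ftp-docs.
demo=$(mktemp -d)
touch "$demo/release-notes.txt"
chmod 750 "$demo" && chmod 740 "$demo/release-notes.txt"
if ftp_docs_check "$demo" "$(id -un)"; then echo "$demo: OK"; fi
rm -rf "$demo"
```

On the server, run ftp_docs_check /home/ftp-docs root ftp-users from cron or after every copy in step 7; a clean run prints nothing and exits 0, which makes it easy to wire into a monitoring job.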
Sample Login Session To Test Functionality

Here is a simple test procedure you can use to make sure everything is working correctly:

1) Check for the presence of a test file on the FTP client machine (smallfry).
[root@smallfry tmp]# ll
total 1
-rw-r--r-- 1 root root 0 Jan 4 09:08 testfile
[root@smallfry tmp]#

2) Connect to bigboy via FTP
[root@smallfry tmp]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100)
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): user1
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
As expected, we can't do an upload transfer of testfile to bigboy.
ftp> put testfile
local: testfile remote: testfile
227 Entering Passive Mode (192,168,1,100,181,210)
553 Could not create file.
ftp>
But we can view and download a copy of the VSFTPD RPM located on the FTP server bigboy.
ftp> ls
227 Entering Passive Mode (192,168,1,100,35,173)
150 Here comes the directory listing.
-rwxr----- 1 0 502 76288 Jan 04 17:06 vsftpd-1.1.0-1.i386.rpm
226 Directory send OK.
ftp> get vsftpd-1.1.0-1.i386.rpm vsftpd-1.1.0-1.i386.rpm.tmp
local: vsftpd-1.1.0-1.i386.rpm.tmp remote: vsftpd-1.1.0-1.i386.rpm
227 Entering Passive Mode (192,168,1,100,44,156)
150 Opening BINARY mode data connection for vsftpd-1.1.0-1.i386.rpm (76288 bytes).
226 File send OK.
76288 bytes received in 0.499 secs (1.5e+02 Kbytes/sec)
ftp> exit
221 Goodbye.
[root@smallfry tmp]#
As expected, anonymous FTP fails.
[root@smallfry tmp]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100)
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.
[root@smallfry tmp]#

Now that testing is complete, you can make this a regular part of your FTP server's operation.
Conclusion

FTP is a very useful software application that can have enormous benefit to a Web site or to collaborative computing in which files need to be shared between business partners. Although insecure, it is universally accessible, because FTP clients are a part of all operating systems and Web browsers. If data encryption security is of great importance to you, then you should probably consider SCP as a possible alternative.
