centostricks

Just another WordPress.com site

Replace a faulty disk from Volume Group


These commands are run on CentOS EL 6.0

Replace a faulty disk from Volume Group

Here /dev/sdb has a hardware issue and has been found to be a faulty disk.

Step 1: Scan to find out whether any data is on the faulty disk. Here we find that 120MB is consumed and data is available.

[root@localhost ~]# pvscan
PV /dev/sdc    VG VG_01           lvm2 [1020.00 MiB / 1020.00 MiB free]
PV /dev/sdb    VG VG_00           lvm2 [1020.00 MiB / 120.00 MiB free]
PV /dev/sda2   VG VolGroup        lvm2 [12.51 GiB / 0    free]
PV /dev/sdd                       lvm2 [1.00 GiB]
Total: 4 [15.50 GiB] / in use: 3 [14.50 GiB] / in no VG: 1 [1.00 GiB]

Step 2: Check the LV-to-PV mapping: /dev/VG_00/song is mapped to /dev/sdb

[root@localhost ~]# pvdisplay -m /dev/sdb
--- Physical volume ---
PV Name               /dev/sdb
VG Name               VG_00
PV Size               1.00 GiB / not usable 4.00 MiB
Allocatable           yes
PE Size               4.00 MiB
Total PE              255
Free PE               30
Allocated PE          225
PV UUID               9oE3Rn-8obQ-8wwn-Samq-tM1N-VVaM-o1qf5W

--- Physical Segments ---
Physical extent 0 to 224:
Logical volume    /dev/VG_00/song
Logical extents    0 to 224
Physical extent 225 to 254:
FREE

[root@localhost ~]# lvdisplay -m /dev/VG_00/song
--- Logical volume ---
LV Name                /dev/VG_00/song
VG Name                VG_00
LV UUID                09CVS7-y162-Y8pp-IUXH-v67C-Pw7a-auFCKj
LV Write Access        read/write
LV Status              available
# open                 1
LV Size                900.00 MiB
Current LE             225
Segments               1
Allocation             inherit
Read ahead sectors     auto
- currently set to     256
Block device           253:2

--- Segments ---
Logical extent 0 to 224:
Type        linear
Physical volume    /dev/sdb
Physical extents    0 to 224

Step 3: Check the status of current LV

[root@localhost ~]# lvscan
ACTIVE            '/dev/VG_00/song' [900.00 MiB] inherit
ACTIVE            '/dev/VolGroup/lv_root' [10.54 GiB] inherit
ACTIVE            '/dev/VolGroup/lv_swap' [1.97 GiB] inherit

Step 4: Add a new PV to the VG so the data can be moved from the faulty PV to this new PV (in our case /dev/sdb is the faulty one)

[root@localhost ~]# vgextend VG_00 /dev/sd
sda   sda1  sda2  sdb   sdc   sdd
[root@localhost ~]# vgextend VG_00 /dev/sdd
Volume group "VG_00" successfully extended

Step 5: Move all extents from /dev/sdb to free extents elsewhere in VG_00. In our case the only other PV with free extents is the newly added /dev/sdd, so all the extents are moved to /dev/sdd.

[root@localhost ~]# pvmove /dev/sdb
/dev/sdb: Moved: 12.9%
/dev/sdb: Moved: 100.0%

Step 6: Check the changes. All extents from /dev/sdb have been moved to /dev/sdd.

[root@localhost ~]# pvscan
PV /dev/sdc    VG VG_01      lvm2 [1020.00 MiB / 1020.00 MiB free]
PV /dev/sdb    VG VG_00      lvm2 [1020.00 MiB / 1020.00 MiB free]
PV /dev/sdd    VG VG_00      lvm2 [1020.00 MiB / 120.00 MiB free]
PV /dev/sda2   VG VolGroup   lvm2 [12.51 GiB / 0    free]
Total: 4 [15.50 GiB] / in use: 4 [15.50 GiB] / in no VG: 0 [0   ]

Step 7: Our LV is still active and all data is intact; nothing is lost.

[root@localhost ~]# lvscan
ACTIVE            '/dev/VG_00/song' [900.00 MiB] inherit
ACTIVE            '/dev/VolGroup/lv_root' [10.54 GiB] inherit
ACTIVE            '/dev/VolGroup/lv_swap' [1.97 GiB] inherit
[root@localhost ~]# cd /striped/
[root@localhost striped]# ls
aa  lost+found  test
[root@localhost striped]# cat aa
dnandsandlandtesteinggg
[root@localhost striped]# cd

Step 8: Now we remove the faulty disk (PV) /dev/sdb from volume group VG_00

[root@localhost ~]# vgreduce VG_00 /dev/sdb
Removed "/dev/sdb" from volume group "VG_00"

Step 9: The faulty disk /dev/sdb is no longer in any VG and is ready to be removed from the system

[root@localhost ~]# pvscan
PV /dev/sdd    VG VG_00           lvm2 [1020.00 MiB / 120.00 MiB free]
PV /dev/sdc    VG VG_01           lvm2 [1020.00 MiB / 1020.00 MiB free]
PV /dev/sda2   VG VolGroup        lvm2 [12.51 GiB / 0    free]
PV /dev/sdb                       lvm2 [1.00 GiB]
Total: 4 [15.50 GiB] / in use: 3 [14.50 GiB] / in no VG: 1 [1.00 GiB]
[root@localhost ~]# cd /striped/
[root@localhost striped]# ls
aa  lost+found  test
[root@localhost striped]# cat aa
dnandsandlandtesteinggg
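Added example, not part of the original post: a small Python parser for the pvscan output shown in this post. It reports how much of each PV is allocated, refuses to call a PV safe for vgreduce until its allocation has dropped to zero (vgreduce itself rejects a PV that still holds extents, but checking the scan first avoids starting the removal on the wrong device), and confirms that the allocation that left /dev/sdb reappeared on /dev/sdd. The sample text is copied from the pvscan runs above; the function names are my own.

```python
import re

# Constructed sample: pvscan output before pvmove (copied from Step 1 above)
BEFORE = """\
PV /dev/sdc    VG VG_01           lvm2 [1020.00 MiB / 1020.00 MiB free]
PV /dev/sdb    VG VG_00           lvm2 [1020.00 MiB / 120.00 MiB free]
PV /dev/sda2   VG VolGroup        lvm2 [12.51 GiB / 0    free]
PV /dev/sdd                       lvm2 [1.00 GiB]
Total: 4 [15.50 GiB] / in use: 3 [14.50 GiB] / in no VG: 1 [1.00 GiB]
"""

# Constructed sample: pvscan output after pvmove (copied from Step 6 above)
AFTER = """\
PV /dev/sdc    VG VG_01      lvm2 [1020.00 MiB / 1020.00 MiB free]
PV /dev/sdb    VG VG_00      lvm2 [1020.00 MiB / 1020.00 MiB free]
PV /dev/sdd    VG VG_00      lvm2 [1020.00 MiB / 120.00 MiB free]
PV /dev/sda2   VG VolGroup   lvm2 [12.51 GiB / 0    free]
Total: 4 [15.50 GiB] / in use: 4 [15.50 GiB] / in no VG: 0 [0   ]
"""

UNIT_MIB = {"MiB": 1.0, "GiB": 1024.0, "TiB": 1024.0 * 1024}

# "PV <dev> [VG <vg>] lvm2 [<sizes>]"; PVs outside any VG have no "VG" column
PV_RE = re.compile(
    r"^\s*PV\s+(?P<dev>\S+)\s+(?:VG\s+(?P<vg>\S+)\s+)?lvm2\s+\[(?P<size>[^\]]*)\]"
)
# "<total> <unit> / <free> [<unit>] free"; a free value of plain "0" carries no unit
SIZE_RE = re.compile(
    r"(?P<total>[\d.]+)\s*(?P<tu>[MGT]iB)"
    r"(?:\s*/\s*(?P<free>[\d.]+)\s*(?P<fu>[MGT]iB)?\s*free)?"
)


def _mib(value, unit):
    return float(value) * UNIT_MIB[unit] if unit else float(value)


def parse_pvscan(text):
    """Return {device: {"vg": name or None, "total_mib": x, "free_mib": y}}."""
    pvs = {}
    for line in text.splitlines():
        m = PV_RE.match(line)
        if not m:
            continue
        s = SIZE_RE.search(m.group("size"))
        if not s:
            continue
        total = _mib(s.group("total"), s.group("tu"))
        if s.group("free") is None:
            free = total  # PV not in any VG: nothing can be allocated on it
        else:
            free = _mib(s.group("free"), s.group("fu"))
        pvs[m.group("dev")] = {"vg": m.group("vg"), "total_mib": total, "free_mib": free}
    return pvs


def allocated_mib(pvs, dev):
    """Space on dev that some LV is using, in MiB."""
    pv = pvs[dev]
    return round(pv["total_mib"] - pv["free_mib"], 2)


def safe_to_vgreduce(pvs, dev):
    """True only if dev belongs to a VG and no LV extents are left on it."""
    pv = pvs.get(dev)
    return pv is not None and pv["vg"] is not None and allocated_mib(pvs, dev) == 0


def extents_moved(before, after, src, dst):
    """Check that everything allocated on src vanished and reappeared on dst."""
    b, a = parse_pvscan(before), parse_pvscan(after)
    return (allocated_mib(b, src) > 0 and allocated_mib(a, src) == 0
            and allocated_mib(a, dst) == allocated_mib(b, src))


if __name__ == "__main__":
    print("allocated on /dev/sdb before pvmove:", allocated_mib(parse_pvscan(BEFORE), "/dev/sdb"), "MiB")
    print("safe to vgreduce /dev/sdb before:", safe_to_vgreduce(parse_pvscan(BEFORE), "/dev/sdb"))
    print("safe to vgreduce /dev/sdb after:", safe_to_vgreduce(parse_pvscan(AFTER), "/dev/sdb"))
    print("extents moved sdb -> sdd:", extents_moved(BEFORE, AFTER, "/dev/sdb", "/dev/sdd"))
```

Run it against `pvscan` output piped in from a live system; the unit handling matters because pvscan mixes MiB and GiB on the same listing, so comparing the raw numbers would miscount.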

Now our LV /dev/VG_00/song is using extents from /dev/sdd.

[root@localhost ~]# lvdisplay -m /dev/VG_00/song
--- Logical volume ---
LV Name                /dev/VG_00/song
VG Name                VG_00
LV UUID                09CVS7-y162-Y8pp-IUXH-v67C-Pw7a-auFCKj
LV Write Access        read/write
LV Status              available
# open                 1
LV Size                900.00 MiB
Current LE             225
Segments               1
Allocation             inherit
Read ahead sectors     auto
- currently set to     256
Block device           253:2

--- Segments ---
Logical extent 0 to 224:
Type        linear
Physical volume    /dev/sdd
Physical extents    0 to 224

All the best! We did all these steps without unmounting the filesystem or taking the system down. Good luck!

resize logical Volume (LV) with Risk


This post shows how to reduce an LV and split the VG to create a new VG from the unused space.

Warning !!! Reducing LV is like playing with DATA !!!

These steps are done on CentOS 6.x EL

[root@localhost ~]# lvreduce -L 900M /dev/VG_00/song
WARNING: Reducing active and open logical volume to 900.00 MiB
THIS MAY DESTROY YOUR DATA (filesystem etc.)
Do you really want to reduce song? [y/n]: y
Reducing logical volume song to 900.00 MiB
Logical volume song successfully resized
[root@localhost ~]# resize2fs /dev/VG_00/song
resize2fs 1.41.10 (10-Feb-2009)
Filesystem at /dev/VG_00/song is mounted on /striped; on-line resizing required
On-line shrinking from 393216 to 230400 not supported.
[root@localhost ~]# umount /striped/
[root@localhost ~]# resize2fs /dev/VG_00/song
resize2fs 1.41.10 (10-Feb-2009)
Please run 'e2fsck -f /dev/VG_00/song' first.

[root@localhost ~]# e2fsck -f /dev/VG_00/song
e2fsck 1.41.10 (10-Feb-2009)
The filesystem size (according to the superblock) is 393216 blocks
The physical size of the device is 230400 blocks
Either the superblock or the partition table is likely to be corrupt!
Abort<y>? yes

[root@localhost ~]# resize2fs /dev/VG_00/song
resize2fs 1.41.10 (10-Feb-2009)
Please run 'e2fsck -f /dev/VG_00/song' first.

[root@localhost ~]# man re
[root@localhost ~]# man resize2fs
[root@localhost ~]# resize2fs -f /dev/VG_00/song
resize2fs 1.41.10 (10-Feb-2009)
Resizing the filesystem on /dev/VG_00/song to 230400 (4k) blocks.
The filesystem on /dev/VG_00/song is now 230400 blocks long.

[root@localhost ~]# e2fsck -f /dev/VG_00/song
e2fsck 1.41.10 (10-Feb-2009)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/VG_00/song: 13/65536 files (7.7% non-contiguous), 23039/230400 blocks
[root@localhost ~]# mount /dev/VG_00/song /striped/
[root@localhost ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root
11G  4.5G  5.4G  46% /
tmpfs                 499M  524K  499M   1% /dev/shm
/dev/sda1             485M   33M  428M   7% /boot
/dev/sr0              4.1G  4.1G     0 100% /media/RHEL_6.0 x86_64 Disc 1
/dev/mapper/VG_00-song
884M   74M  766M   9% /striped
[root@localhost ~]# cd /striped/
[root@localhost striped]# ll
total 40992
-rw-r--r--. 1 root root       24 Aug 10 08:38 aa
drwx------. 2 root root    16384 Aug 10 08:35 lost+found
-rw-r--r--. 1 root root 41955328 Aug 10 08:36 test
[root@localhost striped]# cat aa
dnandsandlandtesteinggg
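Added example, not part of the original post: the session above runs lvreduce before resize2fs, which is why e2fsck then reports a filesystem larger than its device and resize2fs has to be forced. The Python below parses that e2fsck output to flag the overhang, converts an lvreduce-style size such as 900M into the 4k block count resize2fs needs (230400, the number the session ends up with), and emits the commands in the order that shrinks the filesystem first and the LV second. The LV path, mountpoint and function names are my own assumptions.

```python
import re

# Constructed sample: the e2fsck output from the session above, produced after the
# LV had already been cut to 900M under a filesystem that still spanned 1536 MiB
E2FSCK_OUT = """\
e2fsck 1.41.10 (10-Feb-2009)
The filesystem size (according to the superblock) is 393216 blocks
The physical size of the device is 230400 blocks
Either the superblock or the partition table is likely to be corrupt!
Abort<y>? yes
"""

# lvreduce -L interprets K/M/G/T as binary units (KiB, MiB, ...)
UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def size_to_bytes(size):
    """Parse an LVM-style size such as '900M' or '1.5G' into bytes."""
    m = re.fullmatch(r"\s*([\d.]+)\s*([KMGT])i?B?\s*", size, re.IGNORECASE)
    if not m:
        raise ValueError("unsupported size: %r" % size)
    return int(float(m.group(1)) * UNITS[m.group(2).upper()])


def fs_blocks_for(size, block_size=4096):
    """Number of filesystem blocks that fit inside an LV of the given size."""
    return size_to_bytes(size) // block_size


def superblock_vs_device(e2fsck_output):
    """(fs_blocks, device_blocks) as reported by e2fsck, or None if not present."""
    fs = re.search(r"superblock\) is (\d+) blocks", e2fsck_output)
    dev = re.search(r"size of the device is (\d+) blocks", e2fsck_output)
    if not (fs and dev):
        return None
    return int(fs.group(1)), int(dev.group(1))


def fs_overhangs_device(e2fsck_output):
    """True when the filesystem claims more blocks than the device now has: the
    tail of the filesystem was cut off by lvreduce and any data there is gone."""
    sizes = superblock_vs_device(e2fsck_output)
    return sizes is not None and sizes[0] > sizes[1]


def safe_shrink_plan(lv, mountpoint, new_size, block_size=4096):
    """Commands in the only safe order: filesystem first, then the LV. Assumes an
    ext3/ext4 filesystem, which cannot be shrunk while mounted (see the session)."""
    blocks = fs_blocks_for(new_size, block_size)
    return [
        "umount %s" % mountpoint,
        "e2fsck -f %s" % lv,                     # resize2fs refuses without this
        "resize2fs %s %d" % (lv, blocks),        # shrink the filesystem to fit
        "lvreduce -L %s %s" % (new_size, lv),    # only now cut the LV
        "e2fsck -f %s" % lv,                     # confirm nothing was truncated
        "mount %s %s" % (lv, mountpoint),
    ]


if __name__ == "__main__":
    print("900M holds", fs_blocks_for("900M"), "4k blocks")
    print("overhang in session output:", fs_overhangs_device(E2FSCK_OUT))
    for cmd in safe_shrink_plan("/dev/VG_00/song", "/striped", "900M"):
        print(cmd)
```

The final `e2fsck -f` is the check the session above skipped: if the two block counts it prints ever disagree after a reduce, stop before mounting, because the filesystem metadata beyond the device end is already unreachable.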

[root@localhost striped]# pvscan
PV /dev/sdb    VG VG_00           lvm2 [1020.00 MiB / 120.00 MiB free]
PV /dev/sdc    VG VG_00           lvm2 [1020.00 MiB / 1020.00 MiB free]
PV /dev/sda2   VG VolGroup        lvm2 [12.51 GiB / 0    free]
PV /dev/sdd                       lvm2 [1.00 GiB]
Total: 4 [15.50 GiB] / in use: 3 [14.50 GiB] / in no VG: 1 [1.00 GiB]
[root@localhost striped]# pvmove /dev/sdc /dev/sdb
No data to move for VG_00
[root@localhost striped]#
[root@localhost striped]# vgsplit VG_00 VG_01 /dev/sdc
Volume group VG_00 is not resizeable.
[root@localhost striped]# vgchange -x y VG_00
Volume group "VG_00" successfully changed
[root@localhost striped]# vgsplit VG_00 VG_01 /dev/sdc
New volume group "VG_01" successfully split from "VG_00"
[root@localhost striped]# vgscan
Reading all physical volumes.  This may take a while...
Found volume group "VG_01" using metadata type lvm2
Found volume group "VG_00" using metadata type lvm2
Found volume group "VolGroup" using metadata type lvm2
[root@localhost striped]# pvscan
PV /dev/sdc    VG VG_01           lvm2 [1020.00 MiB / 1020.00 MiB free]
PV /dev/sdb    VG VG_00           lvm2 [1020.00 MiB / 120.00 MiB free]
PV /dev/sda2   VG VolGroup        lvm2 [12.51 GiB / 0    free]
PV /dev/sdd                       lvm2 [1.00 GiB]
Total: 4 [15.50 GiB] / in use: 3 [14.50 GiB] / in no VG: 1 [1.00 GiB]
[root@localhost striped]# ls
aa  lost+found  test
[root@localhost striped]# cat aa
dnandsandlandtesteinggg

Hot remove scsi Disk in Centos 6.x without reboot of OS


Hot remove SCSI disk without rebooting CentOS 5.x/6.x

Error messages shown once the disk is removed from the virtual machine at the VM level:

[root@localhost ~]# tailf /var/log/messages
Aug 10 07:32:52 localhost kernel: end_request: I/O error, dev sde, sector 8
Aug 10 07:32:52 localhost kernel: sd 2:0:4:0: [sde] Unhandled error code
Aug 10 07:32:52 localhost kernel: sd 2:0:4:0: [sde] Result: hostbyte=DID_NO_CONNECT driverbyte=DRIVER_OK
Aug 10 07:32:52 localhost kernel: sd 2:0:4:0: [sde] CDB: Read(10): 28 00 00 00 00 08 00 00 08 00
Aug 10 07:32:52 localhost kernel: end_request: I/O error, dev sde, sector 8
Aug 10 07:32:52 localhost kernel: sd 2:0:4:0: [sde] Unhandled error code
Aug 10 07:32:52 localhost kernel: sd 2:0:4:0: [sde] Result: hostbyte=DID_NO_CONNECT driverbyte=DRIVER_OK
Aug 10 07:32:52 localhost kernel: sd 2:0:4:0: [sde] CDB: Read(10): 28 00 00 00 00 08 00 00 08 00
Aug 10 07:32:52 localhost kernel: end_request: I/O error, dev sde, sector 8

parted still shows information for /dev/sde, even after it is removed from the virtual machine (VM)

[root@localhost ~]# parted -l
Model: VMware, VMware Virtual S (scsi)
Disk /dev/sda: 14.0GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End     Size    Type     File system  Flags
 1      1049kB  525MB   524MB   primary  ext4         boot
 2      525MB   14.0GB  13.4GB  primary               lvm

Error: /dev/sdb: unrecognised disk label

Model: VMware, VMware Virtual S (scsi)
Disk /dev/sdc: 1074MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start  End  Size  Type  File system  Flags

Error: /dev/sdd: unrecognised disk label

Error: /dev/sde: unrecognised disk label

/proc/partitions still shows /dev/sde, even after it is removed from the virtual machine (VM)

[root@localhost ~]# cat /proc/partitions
major minor  #blocks  name

   8        0   13631488 sda
   8        1     512000 sda1
   8        2   13118464 sda2
 253        0   11051008 dm-0
 253        1    2064384 dm-1
   8       32    1048576 sdc
   8       48    1048576 sdd
   8       16    1048576 sdb
   8       64    1048576 sde

/proc/scsi/scsi still shows /dev/sde, even after it is removed from the virtual machine (VM)

[root@localhost ~]# cat /proc/scsi/scsi
Attached devices:
Host: scsi1 Channel: 00 Id: 00 Lun: 00
  Vendor: NECVMWar Model: VMware IDE CDR10 Rev: 1.00
  Type:   CD-ROM                           ANSI  SCSI revision: 05
Host: scsi2 Channel: 00 Id: 00 Lun: 00
  Vendor: VMware,  Model: VMware Virtual S Rev: 1.0
  Type:   Direct-Access                    ANSI  SCSI revision: 02
Host: scsi2 Channel: 00 Id: 01 Lun: 00
  Vendor: VMware,  Model: VMware Virtual S Rev: 1.0
  Type:   Direct-Access                    ANSI  SCSI revision: 02
Host: scsi2 Channel: 00 Id: 02 Lun: 00
  Vendor: VMware,  Model: VMware Virtual S Rev: 1.0
  Type:   Direct-Access                    ANSI  SCSI revision: 02
Host: scsi2 Channel: 00 Id: 03 Lun: 00
  Vendor: VMware,  Model: VMware Virtual S Rev: 1.0
  Type:   Direct-Access                    ANSI  SCSI revision: 02
Host: scsi2 Channel: 00 Id: 04 Lun: 00
  Vendor: VMware,  Model: VMware Virtual S Rev: 1.0
  Type:   Direct-Access                    ANSI  SCSI revision: 02

REMOVING /DEV/SDE FROM THE OPERATING SYSTEM WITH THE COMMAND BELOW !!!

[root@localhost ~]# echo "scsi remove-single-device 2 0 4 0" > /proc/scsi/scsi
[root@localhost ~]# cat /proc/scsi/scsi
Attached devices:
Host: scsi1 Channel: 00 Id: 00 Lun: 00
  Vendor: NECVMWar Model: VMware IDE CDR10 Rev: 1.00
  Type:   CD-ROM                           ANSI  SCSI revision: 05
Host: scsi2 Channel: 00 Id: 00 Lun: 00
  Vendor: VMware,  Model: VMware Virtual S Rev: 1.0
  Type:   Direct-Access                    ANSI  SCSI revision: 02
Host: scsi2 Channel: 00 Id: 01 Lun: 00
  Vendor: VMware,  Model: VMware Virtual S Rev: 1.0
  Type:   Direct-Access                    ANSI  SCSI revision: 02
Host: scsi2 Channel: 00 Id: 02 Lun: 00
  Vendor: VMware,  Model: VMware Virtual S Rev: 1.0
  Type:   Direct-Access                    ANSI  SCSI revision: 02
Host: scsi2 Channel: 00 Id: 03 Lun: 00
  Vendor: VMware,  Model: VMware Virtual S Rev: 1.0
  Type:   Direct-Access                    ANSI  SCSI revision: 02

The above output no longer shows "Host: scsi2 Channel: 00 Id: 04 Lun: 00"

/dev/sde is no longer shown

[root@localhost ~]# cat /proc/partitions
major minor  #blocks  name

   8        0   13631488 sda
   8        1     512000 sda1
   8        2   13118464 sda2
 253        0   11051008 dm-0
 253        1    2064384 dm-1
   8       32    1048576 sdc
   8       48    1048576 sdd
   8       16    1048576 sdb
[root@localhost ~]#

/dev/sde is no longer shown

[root@localhost ~]# parted -l | grep "dev/sd*"
Disk /dev/sda: 14.0GB
Error: /dev/sdb: unrecognised disk label
Disk /dev/sdc: 1074MB
Error: /dev/sdd: unrecognised disk label
Warning: Unable to open /dev/sr0 read-write (Read-only file system).  /dev/sr0
Error: /dev/sr0: unrecognised disk label
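Added example, not part of the original post: the "2 0 4 0" written to /proc/scsi/scsi above is the host:channel:target:lun address that the sd driver already printed in the kernel messages, so it can be taken from the log instead of being typed from memory. The Python below parses those /var/log/messages lines, picks out the device whose errors carry DID_NO_CONNECT (the adapter can no longer reach the target), builds the matching remove line, and diffs two /proc/scsi/scsi listings to confirm the address is gone. The same helper builds the "scsi add-single-device" line used in the hot-add post further down. Sample log and listings are copied from this post; the function names and the abridged listings are my own.

```python
import re

# Constructed sample, copied from the /var/log/messages excerpt above
KERNEL_LOG = """\
Aug 10 07:32:52 localhost kernel: end_request: I/O error, dev sde, sector 8
Aug 10 07:32:52 localhost kernel: sd 2:0:4:0: [sde] Unhandled error code
Aug 10 07:32:52 localhost kernel: sd 2:0:4:0: [sde] Result: hostbyte=DID_NO_CONNECT driverbyte=DRIVER_OK
Aug 10 07:32:52 localhost kernel: sd 2:0:4:0: [sde] CDB: Read(10): 28 00 00 00 00 08 00 00 08 00
Aug 10 07:32:52 localhost kernel: end_request: I/O error, dev sde, sector 8
"""

# Constructed samples, abridged from the two /proc/scsi/scsi listings above
PROC_SCSI_BEFORE = """\
Attached devices:
Host: scsi1 Channel: 00 Id: 00 Lun: 00
  Vendor: NECVMWar Model: VMware IDE CDR10 Rev: 1.00
  Type:   CD-ROM                           ANSI  SCSI revision: 05
Host: scsi2 Channel: 00 Id: 03 Lun: 00
  Vendor: VMware,  Model: VMware Virtual S Rev: 1.0
  Type:   Direct-Access                    ANSI  SCSI revision: 02
Host: scsi2 Channel: 00 Id: 04 Lun: 00
  Vendor: VMware,  Model: VMware Virtual S Rev: 1.0
  Type:   Direct-Access                    ANSI  SCSI revision: 02
"""
PROC_SCSI_AFTER = PROC_SCSI_BEFORE.replace(
    "Host: scsi2 Channel: 00 Id: 04 Lun: 00\n"
    "  Vendor: VMware,  Model: VMware Virtual S Rev: 1.0\n"
    "  Type:   Direct-Access                    ANSI  SCSI revision: 02\n", "")

SD_RE = re.compile(r"kernel: sd (\d+):(\d+):(\d+):(\d+): \[(\w+)\] (.*)$")
IOERR_RE = re.compile(r"kernel: end_request: I/O error, dev (\w+), sector \d+")
HOST_RE = re.compile(r"^Host: scsi(\d+) Channel: (\d+) Id: (\d+) Lun: (\d+)", re.M)
ACTIONS = ("remove-single-device", "add-single-device")


def _new_entry():
    return {"hctl": None, "io_errors": 0, "hostbytes": set()}


def scsi_error_summary(log):
    """Per block device: its H:C:T:L address (from the sd driver's messages),
    the number of end_request I/O errors, and the host bytes seen."""
    devs = {}
    for line in log.splitlines():
        m = SD_RE.search(line)
        if m:
            h, c, t, l, dev, msg = m.groups()
            entry = devs.setdefault(dev, _new_entry())
            entry["hctl"] = "%s:%s:%s:%s" % (h, c, t, l)
            hb = re.search(r"hostbyte=(\w+)", msg)
            if hb:
                entry["hostbytes"].add(hb.group(1))
            continue
        m = IOERR_RE.search(line)
        if m:
            devs.setdefault(m.group(1), _new_entry())["io_errors"] += 1
    return devs


def gone_devices(log):
    """{device: hctl} for devices whose errors carry DID_NO_CONNECT."""
    return {d: e["hctl"] for d, e in scsi_error_summary(log).items()
            if "DID_NO_CONNECT" in e["hostbytes"]}


def parse_proc_scsi(text):
    """Set of attached H:C:T:L addresses from a /proc/scsi/scsi listing."""
    return {"%d:%d:%d:%d" % tuple(int(x) for x in m.groups())
            for m in HOST_RE.finditer(text)}


def proc_scsi_command(action, hctl):
    """The line to write to /proc/scsi/scsi, e.g. 'scsi remove-single-device 2 0 4 0'."""
    if action not in ACTIONS:
        raise ValueError("unknown action %r" % action)
    return "scsi %s %s" % (action, hctl.replace(":", " "))


def sysfs_delete_path(hctl):
    """sysfs equivalent of the remove line on 2.6.32-era kernels: write '1' to it."""
    return "/sys/class/scsi_device/%s/device/delete" % hctl


def hctl_diff(before, after):
    """Addresses that disappeared or appeared between two /proc/scsi/scsi listings."""
    b, a = parse_proc_scsi(before), parse_proc_scsi(after)
    return {"removed": sorted(b - a), "added": sorted(a - b)}


if __name__ == "__main__":
    for dev, hctl in gone_devices(KERNEL_LOG).items():
        print(dev, "unreachable at", hctl, "->", proc_scsi_command("remove-single-device", hctl))
    print(hctl_diff(PROC_SCSI_BEFORE, PROC_SCSI_AFTER))
```

Deriving the address from the log rather than typing it avoids detaching a healthy neighbour with one wrong digit; the hot-add post below shows what a wrong address does on the add side.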

Good Luck !!!!

Hot add SCSI disk in CentOS 6.x/5.x without reboot of OS


Steps to identify a newly added SCSI disk in CentOS 6.0 without rebooting the OS

[root@localhost ~]# ls /sys/class/scsi_host/host
host0/ host1/ host2/
[root@localhost ~]#

This command rescans host 2 (seen as scsi2 below) and hot-adds any disk attached to it:

[root@localhost ~]# echo "- - -" > /sys/class/scsi_host/host2/scan

Now displaying the identified disks /dev/sdc, /dev/sdd, /dev/sdb:

[root@localhost ~]# fdisk -l |grep sd
Disk /dev/dm-0 doesn't contain a valid partition table
Disk /dev/dm-1 doesn't contain a valid partition table
Disk /dev/sdc doesn't contain a valid partition table
Disk /dev/sdd doesn't contain a valid partition table
Disk /dev/sdb doesn't contain a valid partition table
Disk /dev/sda: 14.0 GB, 13958643712 bytes
/dev/sda1 * 1 64 512000 83 Linux
/dev/sda2 64 1698 13118464 8e Linux LVM
Disk /dev/sdc: 1073 MB, 1073741824 bytes
Disk /dev/sdd: 1073 MB, 1073741824 bytes
Disk /dev/sdb: 1073 MB, 1073741824 bytes

[root@localhost ~]# cat /proc/scsi/scsi
Attached devices:
Host: scsi1 Channel: 00 Id: 00 Lun: 00
Vendor: NECVMWar Model: VMware IDE CDR10 Rev: 1.00
Type: CD-ROM ANSI SCSI revision: 05
Host: scsi2 Channel: 00 Id: 00 Lun: 00
Vendor: VMware, Model: VMware Virtual S Rev: 1.0
Type: Direct-Access ANSI SCSI revision: 02
Host: scsi2 Channel: 00 Id: 01 Lun: 00
Vendor: VMware, Model: VMware Virtual S Rev: 1.0
Type: Direct-Access ANSI SCSI revision: 02
Host: scsi2 Channel: 00 Id: 02 Lun: 00
Vendor: VMware, Model: VMware Virtual S Rev: 1.0
Type: Direct-Access ANSI SCSI revision: 02
Host: scsi2 Channel: 00 Id: 03 Lun: 00
Vendor: VMware, Model: VMware Virtual S Rev: 1.0
Type: Direct-Access ANSI SCSI revision: 02

Current status: there are 2 SCSI drives, with 1 SCSI drive (CD-ROM) on scsi1 and the hard drive on scsi2. Now I have added 1 more SCSI drive. We will see what happens.

Adding one more disk, but identifying with a different command

Another method to identify the newly added disk; this command will not alter or overwrite any existing configuration:

[root@localhost ~]# echo "scsi add-single-device 2 0 4 0" > /proc/scsi/scsi

When we run it with wrong values, the output is as below. There are no changes or damage; I have not encountered any issues, but it is not recommended to do so!

[root@localhost ~]# echo "scsi add-single-device 0 0 4 0" > /proc/scsi/scsi
-bash: echo: write error: Invalid argument
[root@localhost ~]# echo "scsi add-single-device 0 4 4 0" > /proc/scsi/scsi
-bash: echo: write error: Invalid argument
[root@localhost ~]# echo "scsi add-single-device 0 3 4 0" > /proc/scsi/scsi
-bash: echo: write error: Invalid argument
[root@localhost ~]# echo "scsi add-single-device 0 2 4 0" > /proc/scsi/scsi
-bash: echo: write error: Invalid argument
[root@localhost ~]# echo "scsi add-single-device 0 1 4 0" > /proc/scsi/scsi
-bash: echo: write error: Invalid argument
[root@localhost ~]# echo "scsi add-single-device 1 0 4 0" > /proc/scsi/scsi
-bash: echo: write error: Invalid argument
[root@localhost ~]# echo "scsi add-single-device 4 0 4 0" > /proc/scsi/scsi
-bash: echo: write error: No such device or address
[root@localhost ~]# echo "scsi add-single-device 3 0 4 0" > /proc/scsi/scsi
-bash: echo: write error: No such device or address

The effect of echo "scsi add-single-device 2 0 4 0" > /proc/scsi/scsi is shown below:

[root@localhost ~]# echo "scsi add-single-device 2 0 4 0" > /proc/scsi/scsi
[root@localhost ~]# cat /proc/scsi/scsi
Attached devices:
Host: scsi1 Channel: 00 Id: 00 Lun: 00
Vendor: NECVMWar Model: VMware IDE CDR10 Rev: 1.00
Type: CD-ROM ANSI SCSI revision: 05
Host: scsi2 Channel: 00 Id: 00 Lun: 00
Vendor: VMware, Model: VMware Virtual S Rev: 1.0
Type: Direct-Access ANSI SCSI revision: 02
Host: scsi2 Channel: 00 Id: 01 Lun: 00
Vendor: VMware, Model: VMware Virtual S Rev: 1.0
Type: Direct-Access ANSI SCSI revision: 02
Host: scsi2 Channel: 00 Id: 02 Lun: 00
Vendor: VMware, Model: VMware Virtual S Rev: 1.0
Type: Direct-Access ANSI SCSI revision: 02
Host: scsi2 Channel: 00 Id: 03 Lun: 00
Vendor: VMware, Model: VMware Virtual S Rev: 1.0
Type: Direct-Access ANSI SCSI revision: 02
Host: scsi2 Channel: 00 Id: 04 Lun: 00
Vendor: VMware, Model: VMware Virtual S Rev: 1.0
Type: Direct-Access ANSI SCSI revision: 02

We can see that there is a newly identified disk. Use fdisk or parted to create the required partitions.

Initializing the Newly added disk before creating partitions

It is better to create the partitions with fdisk, since fdisk initializes the disk; these disks are not initialized yet, and parted gives the errors below if it is used:

[root@localhost ~]# parted -l |grep sd*
Model: VMware, VMware Virtual S (scsi)
Disk /dev/sda: 14.0GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Number Start End Size Type File system Flags
Error: /dev/sdb: unrecognised disk label
Error: /dev/sdc: unrecognised disk label
Error: /dev/sdd: unrecognised disk label
Error: /dev/sde: unrecognised disk label

See the results below: parted does not even allow creating partitions:

[root@localhost ~]# parted /dev/sdc
GNU Parted 2.1
Using /dev/sdc
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) p
Error: /dev/sdc: unrecognised disk label
(parted) u s
(parted) mkpart primary 64 -1s
Error: /dev/sdc: unrecognised disk label
(parted) p
Error: /dev/sdc: unrecognised disk label
(parted)

See the output below: "Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)"

If you are comfortable with fdisk, you can go ahead, create the partitions and save them.

If you are not comfortable with fdisk and prefer parted, just use the steps below: don't create any partitions, just open the device with fdisk and type 'w', then use parted to create the partitions

[root@localhost ~]# fdisk /dev/sdc
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0xfa03eeaf.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
switch off the mode (command 'c') and change display units to
sectors (command 'u').

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Now use parted to create the partitions. See the output below: no more errors or warnings, so you are good to proceed with the next steps of creating partitions. Good luck!

[root@localhost ~]# parted /dev/sdc
GNU Parted 2.1
Using /dev/sdc
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) p
Model: VMware, VMware Virtual S (scsi)
Disk /dev/sdc: 1074MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags

(parted)

***** END****

Disk resize steps when we see partitions as a Separate Disk in fdisk


[root@test ~]# fdisk -lu

Disk /dev/sda: 107.4 GB, 107374182400 bytes
255 heads, 63 sectors/track, 13054 cylinders, total 209715200 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00073eef

Device Boot Start End Blocks Id System
/dev/sda1 * 64 208895 104416 83 Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2 208896 209715199 104753152 8e Linux LVM

Disk /dev/mapper/VG_00-LV_root: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/mapper/VG_00-LV_root doesn't contain a valid partition table

Disk /dev/mapper/VG_00-LV_swap: 1073 MB, 1073741824 bytes
255 heads, 63 sectors/track, 130 cylinders, total 2097152 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/mapper/VG_00-LV_swap doesn't contain a valid partition table

Disk /dev/mapper/VG_00-LV_var: 32.2 GB, 32212254720 bytes
255 heads, 63 sectors/track, 3916 cylinders, total 62914560 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/mapper/VG_00-LV_var doesn't contain a valid partition table

Disk /dev/mapper/VG_00-LV_tmp: 2147 MB, 2147483648 bytes
255 heads, 63 sectors/track, 261 cylinders, total 4194304 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/mapper/VG_00-LV_tmp doesn't contain a valid partition table

Disk /dev/mapper/VG_00-LV_opt: 34.2 GB, 34225520640 bytes
255 heads, 63 sectors/track, 4161 cylinders, total 66846720 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/mapper/VG_00-LV_opt doesn't contain a valid partition table
[root@test ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VG_00-LV_root
9.9G 1.4G 8.0G 15% /
tmpfs 7.8G 0 7.8G 0% /dev/shm
/dev/sda1 99M 32M 63M 34% /boot
/dev/mapper/VG_00-LV_opt
32G 317M 30G 2% /opt
/dev/mapper/VG_00-LV_tmp
2.0G 68M 1.9G 4% /tmp
/dev/mapper/VG_00-LV_var
30G 1.8G 27G 7% /var

[root@test ~]# parted /dev/sda
GNU Parted 2.1
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print
Model: VMware Virtual disk (scsi)
Disk /dev/sda: 107GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.8kB 107MB 107MB primary ext3 boot
2 107MB 80.5GB 80.4GB primary lvm

(parted) u s
(parted) print
Model: VMware Virtual disk (scsi)
Disk /dev/sda: 209715200s
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 64s 208895s 208832s primary ext3 boot
2 208896s 157286399s 157077504s primary lvm

(parted) rm 2
Warning: WARNING: the kernel failed to re-read the partition table on /dev/sda
(Device or resource busy). As a result, it may not reflect all of your changes
until after reboot.
(parted) print
Model: VMware Virtual disk (scsi)
Disk /dev/sda: 209715200s
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 64s 208895s 208832s primary ext3 boot

You will hit this error:

(parted) mkpart primary 208896s 209715200s
Error: The location 209715200s is outside of the device /dev/sda.
(parted) print
Model: VMware Virtual disk (scsi)
Disk /dev/sda: 209715200s
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 64s 208895s 208832s primary ext3 boot

You should use the command below:

(parted) mkpart primary 208896s -1s
Warning: WARNING: the kernel failed to re-read the partition table on /dev/sda
(Device or resource busy). As a result, it may not reflect all of your changes
until after reboot.
(parted) print
Model: VMware Virtual disk (scsi)
Disk /dev/sda: 209715200s
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 64s 208895s 208832s primary ext3 boot
2 208896s 209715199s 209506304s primary

(parted) toggle 2 lvm
Warning: WARNING: the kernel failed to re-read the partition table on /dev/sda
(Device or resource busy). As a result, it may not reflect all of your changes
until after reboot.
(parted) print
Model: VMware Virtual disk (scsi)
Disk /dev/sda: 209715200s
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 64s 208895s 208832s primary ext3 boot
2 208896s 209715199s 209506304s primary lvm

(parted) quit

Reboot the box

[root@test ~]# pvscan
PV /dev/sda2 VG VG_00 lvm2 [74.88 GiB / 0 free]
Total: 1 [74.88 GiB] / in use: 1 [74.88 GiB] / in no VG: 0 [0 ]
[root@test ~]# pvresize /dev/sda2
Physical volume "/dev/sda2" changed
1 physical volume(s) resized / 0 physical volume(s) not resized
[root@test ~]# pvscan
PV /dev/sda2 VG VG_00 lvm2 [99.88 GiB / 25.00 GiB free]
Total: 1 [99.88 GiB] / in use: 1 [99.88 GiB] / in no VG: 0 [0 ]
[root@test ~]# lvscan
ACTIVE '/dev/VG_00/LV_root' [10.00 GiB] inherit
ACTIVE '/dev/VG_00/LV_var' [30.00 GiB] inherit
ACTIVE '/dev/VG_00/LV_tmp' [2.00 GiB] inherit
ACTIVE '/dev/VG_00/LV_swap' [1.00 GiB] inherit
ACTIVE '/dev/VG_00/LV_opt' [31.88 GiB] inherit
[root@test ~]# vgscan
Reading all physical volumes. This may take a while...
Found volume group "VG_00" using metadata type lvm2
[root@test ~]# lvextend -l +100%FREE /dev/VG_00/LV_opt
Extending logical volume LV_opt to 56.88 GiB
Logical volume LV_opt successfully resized

[root@test ~]# resize2fs /dev/VG_00/LV_opt
resize2fs 1.41.12 (17-May-2010)
Filesystem at /dev/VG_00/LV_opt is mounted on /opt; on-line resizing required
old desc_blocks = 2, new_desc_blocks = 4
Performing an on-line resize of /dev/VG_00/LV_opt to 14909440 (4k) blocks.
The filesystem on /dev/VG_00/LV_opt is now 14909440 blocks long.

[root@test ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VG_00-LV_root
9.9G 1.4G 8.0G 15% /
tmpfs 7.8G 0 7.8G 0% /dev/shm
/dev/sda1 99M 32M 63M 34% /boot
/dev/mapper/VG_00-LV_opt
56G 320M 53G 1% /opt
/dev/mapper/VG_00-LV_tmp
2.0G 68M 1.9G 4% /tmp
/dev/mapper/VG_00-LV_var
30G 1.8G 27G 7% /var
[root@test ~]# lvscan
ACTIVE '/dev/VG_00/LV_root' [10.00 GiB] inherit
ACTIVE '/dev/VG_00/LV_var' [30.00 GiB] inherit
ACTIVE '/dev/VG_00/LV_tmp' [2.00 GiB] inherit
ACTIVE '/dev/VG_00/LV_swap' [1.00 GiB] inherit
ACTIVE '/dev/VG_00/LV_opt' [56.88 GiB] inherit
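Added example, not part of the original post: the parted session above only works because partition 2 is recreated from exactly its old start sector (208896s), and the mkpart that fails does so because sectors are numbered from 0, so the last usable one is 209715199, which parted also spells -1s. The Python below parses parted's sector-unit print output, derives the recreate commands from the partition's own start, computes the expected new size (209506304 sectors) and the space the PV gains (25 GiB, matching the pvresize result above), and refuses when the partition already reaches the end of the disk. The listings are copied from the session; the function names are my own.

```python
import re

SECTOR_BYTES = 512

# Constructed sample: parted 'print' output in sector units from the session
# above, before 'rm 2'
PARTED_BEFORE = """\
Model: VMware Virtual disk (scsi)
Disk /dev/sda: 209715200s
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 64s 208895s 208832s primary ext3 boot
2 208896s 157286399s 157077504s primary lvm
"""
# ... and after partition 2 was recreated with 'mkpart primary 208896s -1s'
PARTED_AFTER = PARTED_BEFORE.replace("2 208896s 157286399s 157077504s primary lvm",
                                     "2 208896s 209715199s 209506304s primary lvm")

DISK_RE = re.compile(r"^Disk \S+: (\d+)s$", re.M)
PART_RE = re.compile(r"^(\d+)\s+(\d+)s\s+(\d+)s\s+(\d+)s\s+(\w+)(.*)$", re.M)


def parse_parted_sectors(text):
    """(disk_sectors, {number: {...}}) from parted output printed after 'unit s'."""
    disk = DISK_RE.search(text)
    if not disk:
        raise ValueError("no 'Disk ...: Ns' line; run 'unit s' in parted first")
    parts = {}
    for num, start, end, size, ptype, extra in PART_RE.findall(text):
        parts[int(num)] = {"start": int(start), "end": int(end), "size": int(size),
                           "type": ptype, "extra": extra.split()}
    return int(disk.group(1)), parts


def last_usable_sector(disk_sectors):
    """Sectors count from 0, so the last one is N-1. That is why
    'mkpart primary 208896s 209715200s' fails above and '-1s' works."""
    return disk_sectors - 1


def regrow_plan(text, number):
    """Recreate partition `number` from its ORIGINAL start sector to the end of
    the disk. Keeping the start identical is what makes this non-destructive for
    the LVM PV inside it; a different start would shift the PV label and data."""
    disk, parts = parse_parted_sectors(text)
    old = parts[number]
    end = last_usable_sector(disk)
    if end <= old["end"]:
        raise ValueError("partition %d already reaches the end of the disk" % number)
    new_size = end - old["start"] + 1
    grown = new_size - old["size"]
    commands = ["unit s", "rm %d" % number, "mkpart primary %ds -1s" % old["start"]]
    if "lvm" in old["extra"]:
        commands.append("toggle %d lvm" % number)  # rm drops the flag; put it back
    return {"start": old["start"], "end": end, "size": new_size,
            "grown_sectors": grown,
            "grown_gib": grown * SECTOR_BYTES / 1024 ** 3,
            "commands": commands}


if __name__ == "__main__":
    plan = regrow_plan(PARTED_BEFORE, 2)
    print("new partition 2: %(start)ds-%(end)ds (%(size)d sectors, +%(grown_gib).2f GiB)" % plan)
    print("\n".join(plan["commands"]))
```

Compare the plan's start against the live `print` output before typing `rm`; the kernel keeps using the old table until reboot (the warning in the session), so a wrong start is not noticed until the PV fails to come back.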

Upgrade Ruby for a particular user not affecting system ruby


Upgrade Ruby for a particular user not affecting system ruby

1. install for specific <User> Account

2. yum -y install git

3. sudo yum -y install zlib-devel openssl-devel openssl openssl097a

4. add the following to /home/<user>/.bashrc  or .bash_profile

unset RUBYLIB
export PATH="$HOME/.rbenv/bin:$PATH"
eval "$(rbenv init -)"

5. install rbenv

git clone git://github.com/sstephenson/rbenv.git .rbenv

6. install ruby-build

git clone git://github.com/sstephenson/ruby-build.git

cd ruby-build;

vi install.sh and change the prefix to the home directory (/home/<user>)
./install.sh

7. install ruby 1.8.7

rbenv-install 1.8.7-p358

8. set the version for your current directory or globally for that user

local –

rbenv local 1.8.7-p358

global

rbenv global 1.8.7-p358

Run Multiple Python Version on a Single system, without altering System Python


Run Multiple Python Version on a Single system, without altering System Python

  1. wget http://www.python.org/ftp/python/2.7/Python-2.7.tar.bz2
  2. tar -xvjf Python-2.7.tar.bz2
  3. cd Python-2.7

Dependencies required:

  1. yum install readline-devel
  2. yum install gdbm-devel
  3. yum install sqlite-devel

Build and install:

  1. ./configure --prefix=/usr/local/python2.7
  2. make
  3. make install

This installs python on a separate folder under /usr/local/python2.7

Now Once Python is installed, we can configure particular users to use the latest version of python :

$ vim ~/.bashrc

  # User specific aliases and functions
  alias python='/usr/local/python2.7/bin/python'   # must match the --prefix used above

$ python
Python 2.7 (r27:82500, Mar 22 2011, 13:20:42)

VNC Server/Client


 

What is VNCserver?
VNC stands for Virtual Network Computing. It was originally developed by AT&T as a way to administer machines without using the console.

Why use VNCserver?
In Linux, everything can be done from a shell. However, there may be a time when you need to access the machine as if you were at the console.

Getting Started
You will need several things to get started:

• root privileges
• VNC client software (tightVNC)
• A good password!

As I mentioned above, this example is done with RHEL, which comes standard with VNCserver installed. To start the vncserver simply invoke the following commands:
[root@test etc]# service vncserver start
Starting VNC server: [ OK ]
[root@test etc]#
[root@test etc]# vncpasswd
Password:
Verify:
[root@test etc]# vncserver

New 'test:1 (root)' desktop is test:1

Starting applications specified in /root/.vnc/xstartup
Log file is /root/.vnc/test:1.log

So what did we do there? First, we started the vncserver service. It may or may not have already been running on your system. Next we set a password to access the VNC desktop. When you set the password, you will not see any characters on the screen, and you must enter the password twice. You will only need to do this the very first time you run vncserver. The password will be saved in the Linux filesystem, and you can change it at any time by invoking the vncpasswd command again. Last, to activate the VNC desktop, we simply invoked the vncserver command.
Notice the output: the desktop is named "test:1", where the hostname can also be replaced by the machine's IP address.
Connecting
Assuming you already installed VNC client, enter the desktop name:

# vncviewer test:1

You can replace the server name with an IP address if you are logging in from outside your LAN. Remember, if you are using NAT, port 5900 must be forwarded to your VNC server.

Upon successful connection, you will be prompted for a password. You will then see a terminal screen that will allow you to execute commands

_________________________________________________________________________________________________________

VNCserver in Runlevel 5 (KDE or Gnome)

If you are new to Linux, a VNC session that gives you nothing but a terminal isn't going to do you much good; you might want a menu-driven desktop like Windows. No problem. Follow these steps:

First, we are going to assume that VNCserver is running under the root user, as shown in the example above. For this example I will be editing my VNC startup file to enter Gnome; you can specify a KDE desktop instead if KDE is installed on your server. Make sure you are in root's home directory, where the .vnc directory lives.

[root@test ~]# cd .vnc
[root@test .vnc]# ls
passwd         test:1.pid  test:2.pid  test:3.pid  test:4.pid  test:5.pid             test.area51.lan:1.pid test:1.log  test:2.log  test:3.log  test:4.log  test:5.log  test.area51.lan:1.log  test.area51.lan:2.log xstartup
[root@test .vnc]# vi xstartup

Using vi (vim) to edit the xstartup file, make it match this one:

#!/bin/sh

# Uncomment the following two lines for normal desktop:
# unset SESSION_MANAGER
# exec /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
gnome-session &

Two things to notice. The last line is "gnome-session &", which launches Gnome inside the VNC display (the stock file ends with "twm &" instead). For KDE, replace that last line with "startkde &". startx is the wrong tool here: it starts a whole new X server rather than a session on the Xvnc display you already have. Second, the "exec /etc/X11/xinit/xinitrc" line stays commented out: exec replaces the script with xinitrc, so anything written after it would never run. Uncommenting those two lines and deleting everything below them is the other valid way to get the system's default desktop, but not both at once. Keep the file executable (chmod 755 xstartup) and restart the desktop (vncserver -kill :1, then vncserver) for the change to take effect.

Logging in, you will be presented with a Gnome or KDE desktop.


External Links :

http://bobpeers.com/linux/vnc

Network Card Settings in CentOS/RHEL


How to create Virtual (alias) Interfaces for Ethernet in Linux

Why do we need multiple alias interfaces?

Example: consider hosting several web or FTP sites on a single server, each reachable on its own IP address. With 10 sites, one physical NIC per address would mean 10 cards, with the cost, slots and maintenance that implies. Instead, a single physical card can carry several virtual (alias) interfaces, eth0:0, eth0:1 and so on, each with its own address. All aliases share the MAC address of the physical eth0, so from the switch's point of view it is still one port with several IPs.

Case 1 :

To create a range of alias interfaces

Create /etc/sysconfig/network-scripts/ifcfg-eth0-range0 with:

IPADDR_START=<start IP address>
IPADDR_END=<end IP address>
CLONENUM_START=0
NETMASK=<network mask>

Example :

IPADDR_START=192.168.10.20
IPADDR_END=192.168.10.30
CLONENUM_START=0
NETMASK=255.255.255.0

Here alias interfaces eth0:0 through eth0:10 will be created: eth0:0 gets 192.168.10.20, eth0:10 gets 192.168.10.30, and the aliases in between get one address each in order. CLONENUM_START sets the number of the first alias. Then restart networking:

/etc/rc.d/init.d/network restart
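To see exactly which aliases a range file will produce before restarting the network, here is an added example (not part of the original post) that expands an ifcfg-eth0-range0 file the way ifup-aliases does: one alias per address from IPADDR_START to IPADDR_END, numbered from CLONENUM_START. It works on the full 32-bit address, so a range that crosses an octet boundary is handled too. The file path and contents below are constructed for the demo.

```shell
#!/bin/bash
# Added example (not from the original post): expand an ifcfg-<iface>-range<N>
# file into the "<iface>:<clone> <ip>" pairs that ifup-aliases would create.
# Sample range file contents are constructed; nothing is configured.

ip2int() {           # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

int2ip() {           # 32-bit integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# expand_range <parent-iface> <range-file>: prints "eth0:N IP", one alias per line
expand_range() {
  local iface=$1 file=$2 start end clone s e n i
  start=$(sed -n 's/^IPADDR_START=//p' "$file")
  end=$(sed -n 's/^IPADDR_END=//p' "$file")
  clone=$(sed -n 's/^CLONENUM_START=//p' "$file")
  s=$(ip2int "$start"); e=$(ip2int "$end"); n=${clone:-0}
  if [ "$s" -gt "$e" ]; then
    echo "IPADDR_START is above IPADDR_END" >&2
    return 1
  fi
  i=$s
  while [ "$i" -le "$e" ]; do
    echo "$iface:$n $(int2ip "$i")"
    n=$((n + 1)); i=$((i + 1))
  done
}

# Constructed sample: the range used in the post.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
IPADDR_START=192.168.10.20
IPADDR_END=192.168.10.30
CLONENUM_START=0
NETMASK=255.255.255.0
EOF
expand_range eth0 "$tmp"
rm -f "$tmp"
```

Run it against the real file (expand_range eth0 /etc/sysconfig/network-scripts/ifcfg-eth0-range0) and compare the list with ifconfig or ip addr after the restart; a mismatch usually means a typo in one of the two addresses.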

Case 2:

Let me consider a requirement with only one alias network card.

Here we can follow the below steps

# cp /etc/sysconfig/network-scripts/ifcfg-eth0  /etc/sysconfig/network-scripts/ifcfg-eth0:0

# vi /etc/sysconfig/network-scripts/ifcfg-eth0:0

Replace DEVICE=eth0 with DEVICE=eth0:0, change IPADDR to the address the alias should carry, and restart:

# /etc/init.d/network restart

If you want the alias to come up automatically, replace

ONBOOT=yes

with

ONPARENT=yes

in ifcfg-eth0:0. ONPARENT brings the alias up only when its parent interface comes up, whereas ONBOOT=yes on an alias would pull up the parent interface even if that is configured not to come up on boot. Restart the network service once more for the change to take effect:

# /etc/init.d/network restart


Setup Speed/Duplex settings on a network card in CentOS/Redhat 5.x

Verify the required packages are installed:

# rpm -qa ethtool net-tools

If they are not, install them:

# yum install ethtool net-tools

Add this line to the configuration file of the network card, for example /etc/sysconfig/network-scripts/ifcfg-eth0:

ETHTOOL_OPTS="autoneg off speed 1000 duplex full"

Note: before making this change, confirm that the switch port is configured the same way. If one side is forced and the other is left auto-negotiating, the auto-negotiating side falls back to half duplex and you get a duplex mismatch: the link comes up but performs terribly, with late collisions and CRC errors. Also, 1000BASE-T relies on auto-negotiation to establish the link, so forcing 1000 Mb/s with autoneg off frequently results in no link at all; force speed and duplex only on 10/100 links, and leave gigabit links on auto at both ends. Do this from the console, not over the interface you are reconfiguring. Then bring the interface down and up:

# ifdown eth0

# ifup eth0

To verify the settings:

# ethtool eth0

For a temporary change with ethtool (lost at the next ifup), run:

# ethtool -s eth0 speed 1000 duplex full

For a temporary change with mii-tool, disable auto-negotiation and force the MII to 1000baseTx-FD (mii-tool needs the interface name):

# mii-tool -F 1000baseTx-FD eth0

Hardening RHEL/CentOS 5.x


Hardening RHEL/CentOS

1. System and Network Services 

1.1 The Default Run level to be set to 3 in /etc/inittab 

id:3:initdefault:

1.2 Only the system and network services in the table below are to be enabled

System and Network Services
ntpd
network
sshd
syslog
auditd
acpid
cpuspeed
crond
anacron
irqbalance
iptables
Plus whatever services are specific to the server's role
Disable every other service in all runlevels

To enable a service in the runlevels you use: chkconfig --level 345 <servicename> on

To disable a service: chkconfig --level 345 <servicename> off, and service <servicename> stop to stop the running instance. chkconfig --list shows the current state of every SysV service.
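Checking a box against the allowlist by eye is error-prone, so here is an added example (not part of the original post) that does it from the output of chkconfig --list: any SysV service switched on in runlevel 3, 4 or 5 that is not on the list is reported. The allowlist is the table above; the chkconfig output below is constructed for the demo.

```shell
#!/bin/bash
# Added example (not from the original post): report services enabled in
# runlevels 3, 4 or 5 that are not on the hardening allowlist. Input is a file
# holding "chkconfig --list" output; the sample here is constructed.

ALLOWED="ntpd network sshd syslog auditd acpid cpuspeed crond anacron irqbalance iptables"

# unexpected_services <chkconfig-list-file>: one offending service per line
unexpected_services() {
  awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # SysV lines look like: sshd  0:off 1:off 2:on 3:on 4:on 5:on 6:off
    # (xinetd lines such as "rsync: off" have a different shape and are skipped)
    NF == 8 && $2 ~ /^0:/ {
      on = 0
      for (i = 2; i <= NF; i++) {
        split($i, kv, ":")
        if ((kv[1] == "3" || kv[1] == "4" || kv[1] == "5") && kv[2] == "on") on = 1
      }
      if (on && !($1 in ok)) print $1
    }' "$1"
}

# Constructed sample of "chkconfig --list" output.
sample=$(mktemp)
cat > "$sample" <<'EOF'
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
yum-updatesd    0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        rsync:          off
EOF
unexpected_services "$sample"     # bluetooth cups sendmail xfs
rm -f "$sample"
```

On a real host: chkconfig --list > /tmp/services.txt, then unexpected_services /tmp/services.txt | while read s; do chkconfig "$s" off; service "$s" stop; done, after adding the server's own role services to ALLOWED.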

2. Default Permissions

2.1 The default umask must be 027, so that newly created files are not world-readable

Set UMASK 027 in /etc/login.defs and umask 027 in /etc/profile. On RHEL/CentOS also edit /etc/bashrc, which sets its own umask for interactive shells and would otherwise override the value from /etc/profile.

3. Password Policies

3.1 Minimum password length must be set to 8 characters.

Edit /etc/login.defs and set PASS_MIN_LEN 8. On a PAM-based system the length actually enforced when a password is changed is pam_cracklib's minlen (3.2); keep the two consistent.

3.2 Password triviality checking must be enforced.

Edit /etc/pam.d/system-auth and set

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=10 difok=2 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-2

The option is spelled minlen (not minlength), and the credit values must be negative to require a character class: lcredit=-1 means "at least one lowercase letter", ocredit=-2 "at least two other characters". A positive value such as lcredit=1 is only a credit, one bonus point towards minlen for containing that class at all, and requires nothing.

3.3 Maximum age of the password must be 90 days.

Edit /etc/login.defs and set PASS_MAX_DAYS 90

3.4 Minimum age of the password must be 15 days.

Edit /etc/login.defs and set PASS_MIN_DAYS 15

3.5 Set the password warning age to 7 days.

Edit /etc/login.defs and set PASS_WARN_AGE 7

The login.defs ageing values are applied to accounts created from then on. Existing accounts keep their current settings; apply the policy to them with chage -M 90 -m 15 -W 7 <username> and verify with chage -l <username>.

3.6 User accounts are to be locked after 90 days of inactivity.

Edit /etc/default/useradd and set INACTIVE=90 for new accounts, and run chage -I 90 <username> for existing ones.

3.7 Lock the accounts of unused users with passwd -l <username> (or usermod -L), which prefixes the hash in /etc/shadow with "!". Do not simply delete the hash: an empty password field means no password at all, and such an account can log in without one wherever nullok or PermitEmptyPasswords is in effect.

4. Account Policies(PAM)

4.1 Account lockout policy (lock the account after three failed attempts)

Edit /etc/pam.d/system-auth and add

auth        required      pam_tally.so onerr=fail deny=3 unlock_time=360

The line goes immediately after the pam_env line and before the pam_unix.so line. onerr=fail means that if the tally file cannot be read the module fails closed rather than letting the login through.

Accounts can be unlocked with faillog -r -u <username>

faillog -u <username> displays the number of failed attempts for that user

5. Disable unnecessary accounts

5.1 Change the login shell of the system accounts listed below to /sbin/nologin

Use usermod -s /sbin/nologin <username> for each of them. Account names are lowercase on the system; the list is:

bin, daemon, adm, lp, uucp, operator, nobody, dbus, avahi, avahi-autoipd, smmsp, mail, ntp, haldaemon, sshd, gdm, xfs, sabayon, sync, shutdown, halt, news, games, gopher, ftp, nscd, distcache, vcsa, pcap, apache, rpc, nfsnobody, webalizer, dovecot, squid, mailnull, hsqldb, named

Only the accounts that actually exist on the box matter (check with grep "^<username>:" /etc/passwd). Afterwards every account below UID 500 other than root should show /sbin/nologin in the last field of /etc/passwd; an empty last field is not "no shell", it defaults to /bin/sh.

5.2 Check the group members

Only root may be a member of the root group: no other user may have GID 0 as its primary group in /etc/passwd or be listed as a member of root in /etc/group.

Check the /etc/group and /etc/gshadow files for the group information.

Proper group and owner permissions for the application need to be maintained.
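Here is an added example (not part of the original post) that audits 5.1 and 5.2 together on copies of /etc/passwd and /etc/group: it lists system accounts that still have a login shell and every account other than root that ends up in GID 0, either through its primary group or through the root group's member list. The UID boundary of 500 is RHEL 5's default for system accounts and is an assumption here; the passwd and group contents below are constructed.

```shell
#!/bin/bash
# Added example (not from the original post): audit constructed copies of
# /etc/passwd and /etc/group for (a) system accounts that still have a login
# shell and (b) accounts other than root in the root group.
# UID_MIN=500 is RHEL 5's system/user boundary (assumed); adjust if yours differs.

UID_MIN=500

# system_accounts_with_shell <passwd-file>: "name:uid:shell" per offender.
# An empty shell field counts too, because it means /bin/sh, not "no shell".
system_accounts_with_shell() {
  awk -F: -v min="$UID_MIN" '
    $1 != "root" && $3 + 0 < min && $7 != "/sbin/nologin" && $7 != "/bin/false" {
      print $1 ":" $3 ":" $7
    }' "$1"
}

# root_group_members <passwd-file> <group-file>: users in GID 0 besides root,
# via the primary GID in passwd or the member list of the gid-0 group
root_group_members() {
  {
    awk -F: '$4 == 0 && $1 != "root" { print $1 }' "$1"
    awk -F: '$3 == 0 { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") print m[i] }' "$2"
  } | sort -u
}

# Constructed samples.
pw=$(mktemp); gr=$(mktemp)
cat > "$pw" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
news:x:9:13:news:/etc/news:
games:x:12:100:games:/usr/games:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
EOF
cat > "$gr" <<'EOF'
root:x:0:alice
bin:x:1:root,bin,daemon
wheel:x:10:root,alice
users:x:100:
EOF
echo "System accounts with a shell:"; system_accounts_with_shell "$pw"
echo "Non-root members of GID 0:";   root_group_members "$pw" "$gr"
rm -f "$pw" "$gr"
```

Point the two functions at /etc/passwd and /etc/group on the host; each name printed by the first is a usermod -s /sbin/nologin candidate, and each name printed by the second needs either a different primary group or removal from the root line with gpasswd -d <user> root.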

6. Auditing

6.1 Enabling the Auditd Service.

chkconfig --level 345 auditd on

7. Login Banner to be used

Add a banner as per your company policy

Edit /etc/ssh/sshd_config and set Banner /etc/ssh/sshd.banner

8. SSH Server Settings.

8.1 sshd must be present and configured according to your company's accepted practices. The settings are:

Accept the following environment variables from the client:

LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_IDENTIFICATION LC_ALL LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

Display the warning banner from section 7

Require password-based authentication at a minimum (once every administrator has a public key deployed, switch PasswordAuthentication to no)

Do not permit empty passwords

Do not permit root login (PermitRootLogin no); administrators log in under their own account and use sudo or su, which leaves an audit trail

Bind sshd to 22/tcp, or to the alternative port your design document specifies (a non-standard port cuts down scanner noise in the logs, nothing more)

Allow public-key login (PubkeyAuthentication yes; the RSAAuthentication keyword only controls protocol 1 and does nothing once protocol 1 is disabled)

Require version 2 of the SSH protocol only

Enable X11 forwarding only if administrators actually need remote X applications; otherwise set X11Forwarding no

Log through the AUTHPRIV syslog facility

Configure the file transfer subsystem as /usr/libexec/openssh/sftp-server

Use PAM for authentication, so that the lockout and password policies above apply to SSH logins as well

8.2 Configuration as per the details in 8.1

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES

AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

AcceptEnv LC_IDENTIFICATION LC_ALL

Banner /etc/ssh/sshd.banner

PasswordAuthentication yes

PermitEmptyPasswords no

PermitRootLogin no

Port 22

Protocol 2

PubkeyAuthentication yes

X11Forwarding yes

SyslogFacility AUTHPRIV

Subsystem sftp /usr/libexec/openssh/sftp-server

UsePAM yes

sshd uses the first occurrence of each keyword and ignores later ones, so edit the existing line rather than appending a new one at the bottom of the file. Check the file with sshd -t before service sshd restart, and keep your current session open until a fresh login has succeeded.
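An added example (not part of the original post) that checks an sshd_config against the settings required in 8.1/8.2. It mirrors sshd's own rules: keywords are case-insensitive and the first occurrence wins, so a "PermitRootLogin no" appended below an earlier "PermitRootLogin yes" changes nothing. Keys missing from the file are reported as unset rather than assumed to have a safe default. The policy list is the table in 8.2; the sample sshd_config is constructed and deliberately contains the two classic mistakes.

```shell
#!/bin/bash
# Added example (not from the original post): verify an sshd_config against the
# 8.1/8.2 policy. First occurrence of a keyword wins, as in sshd itself.
# The sample configuration below is constructed.

POLICY="permitrootlogin=no permitemptypasswords=no protocol=2 usepam=yes
pubkeyauthentication=yes syslogfacility=AUTHPRIV banner=/etc/ssh/sshd.banner"

# effective_value <sshd_config> <keyword>: first active value, key compared case-insensitively
effective_value() {
  awk -v key="$(echo "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == key { print $2; exit }' "$1"
}

# check_sshd_config <sshd_config>: one line per deviation; returns 1 if there is any
check_sshd_config() {
  local bad=0 item key want got
  for item in $POLICY; do
    key=${item%%=*}; want=${item#*=}
    got=$(effective_value "$1" "$key")
    if [ -z "$got" ]; then
      echo "UNSET    $key (wanted $want)"; bad=1
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH $key = $got (wanted $want)"; bad=1
    fi
  done
  return $bad
}

# Constructed sample: root login is left enabled (the later "no" is ignored),
# and RSAAuthentication (protocol 1 only) is set while PubkeyAuthentication is not.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Protocol 2
Port 22
PermitRootLogin yes
PermitEmptyPasswords no
RSAAuthentication yes
SyslogFacility AUTHPRIV
Banner /etc/ssh/sshd.banner
UsePAM yes
# appended by a hardening script, but the first value above wins:
PermitRootLogin no
EOF
check_sshd_config "$cfg" || echo "sshd_config deviates from policy"
rm -f "$cfg"
```

Run check_sshd_config /etc/ssh/sshd_config after editing and before restarting sshd; an empty output with exit status 0 means every policy keyword is present with the expected value.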

8.3 Remove Network applications that compromise servers

wget (remove the wget package: rpm -e wget)

nmap (remove the nmap package: rpm -e nmap)

finger (remove the finger package: rpm -e finger)

rlogin, rsh, rcp (remove the rsh package: rpm -e rsh)

Remove all email clients

ftp (remove the ftp package: rpm -e ftp)

rpm -e refuses to remove a package that others depend on; check with rpm -q --whatrequires <package> before forcing anything. Removing these tools raises the bar only a little, since curl, perl or python can fetch files just as well, so treat this as housekeeping rather than a control.

9. Set User Identity(SUID) and Set Group Identity (SGID) Permission Adjustment

SUID programs (particularly those that are SUID root) are frequent targets of attack. By disabling unnecessary SUID programs it becomes harder for system users to obtain unauthorized privilege.

SGID programs (particularly those that are SGID root) are frequent targets of attack. By disabling unnecessary SGID programs it becomes harder for system users to obtain unauthorized privilege.

The following programs may keep their SUID permission, plus others as required by the server's role:

/usr/sbin/rhnsd

/usr/sbin/rhn-profile-sync

/usr/sbin/rhn_register

/usr/sbin/rhn_check

/usr/sbin/rhnreg_ks

/usr/bin/passwd

/usr/bin/curl

/bin/ping

/bin/su

/usr/bin/sudo

/usr/bin/sudoedit

All other SUID permissions must be disabled.

All SGID permissions must be disabled.

chmod u-s,g-s <filename> removes the bits (no space after the comma). Take an inventory first: find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; lists every file carrying either bit, rpm -qf <file> tells you which package owns it, and rpm -V <package> shows whether its mode already differs from the package. Test on a non-production system before stripping bits wholesale: some SUID binaries not on the list above are needed for ordinary operation, for example /usr/bin/crontab (user crontabs) and /sbin/unix_chkpwd (password checks by non-root processes such as screen lockers). Remember that a package update reinstalls the packaged mode, so re-run the inventory after patching.
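An added example (not part of the original post) that turns the inventory into a repeatable check: it lists every SUID/SGID regular file under a tree and reports the ones not on the allowlist from section 9, without changing any permission. The demo builds a throwaway directory with constructed empty files so it runs unprivileged; on a real host point it at / (find -xdev stays on one filesystem, so repeat for /usr or /var if they are separate mounts) and review the output before any chmod.

```shell
#!/bin/bash
# Added example (not from the original post): inventory SUID/SGID files under a
# tree and report the ones not on the section 9 allowlist. Read-only: it never
# changes a mode. The demo tree and its files are constructed.

ALLOWED="/usr/sbin/rhnsd /usr/sbin/rhn-profile-sync /usr/sbin/rhn_register
/usr/sbin/rhn_check /usr/sbin/rhnreg_ks /usr/bin/passwd /usr/bin/curl /bin/ping
/bin/su /usr/bin/sudo /usr/bin/sudoedit"

# setid_files <root>: "octal-mode path" for each regular file with SUID or SGID set
setid_files() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %p\n' 2>/dev/null | sort -k2
}

# unexpected_setid <root> [prefix]: allowlist entries are absolute paths; the
# optional prefix is stripped so a demo tree can stand in for /
unexpected_setid() {
  local root=$1 prefix=${2:-} allowed mode path rel
  allowed=" $(printf '%s' "$ALLOWED" | tr '\n' ' ') "     # one space-separated line
  setid_files "$root" | while read -r mode path; do
    rel=${path#"$prefix"}
    case "$allowed" in
      *" $rel "*) ;;                 # allowed to keep its bits
      *) echo "$mode $rel" ;;
    esac
  done
}

# Constructed demo tree: two allowed binaries, two that are not.
demo=$(mktemp -d)
mkdir -p "$demo/usr/bin" "$demo/bin" "$demo/usr/sbin"
for f in usr/bin/passwd bin/ping usr/bin/chage usr/sbin/netreport; do
  : > "$demo/$f"; chmod 0755 "$demo/$f"
done
chmod u+s "$demo/usr/bin/passwd" "$demo/bin/ping" "$demo/usr/bin/chage"
chmod g+s "$demo/usr/sbin/netreport"
unexpected_setid "$demo" "$demo"     # 4755 /usr/bin/chage and 2755 /usr/sbin/netreport
rm -rf "$demo"
```

Save the first run's full setid_files / output as a baseline and diff against it after every patch cycle; a new line in the diff is either an update that restored a bit you removed or a binary that was not there before.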

10. Host-based Intrusion Detection System (HIDS) Solution

All production servers must have some form of host intrusion detection agent installed onto the system. This is to ensure that monitors are put in place for file integrity, system configuration, application activity, root kit detection, and to report on alerting. Such as: tripwire, aide or another Open Source product

Tools that can be used: amtu and aide

Abstract Machine Test Utility (amtu)

Runs memory, network, disk and CPU security tests

Can be run as a cron job to repeatedly assure basic security assumptions

Results are sent to the audit system

AIDE, the file integrity testing utility

Configured by /etc/aide.conf

aide --init takes a snapshot of the filesystem into /var/lib/aide/aide.db.new.gz

Copy the snapshot to read-only or otherwise safe media; a database that lives only on the monitored host can be edited by the same intruder who modified the files

Rename (or copy) the snapshot to /var/lib/aide/aide.db.gz before doing a comparison

aide --check compares the current state with the snapshot and reports the differences; the summary is sent to the audit system. Refresh the baseline with aide --init (or aide --update) after every legitimate change such as patching, otherwise the reports drift into noise that nobody reads.

11. Setup Routing

Routing must be configured according to the approved detail design document and accepted practices. IP forwarding must be disabled.

12. Concord Configuration

Simple Network Management Protocol (SNMP) daemon community strings must be configured according to the detailed design document

13. Remove Crtl+Alt+ Delete Trap

Remove the CTRL-ALT-DELETE trap out of /etc/inittab by commenting out the following line:

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

14. Disable Interactive Boot

Remove Interactive boot by changing the line in /etc/sysconfig/init

PROMPT=no

15. Sysctl parameter tuning

Harden the IPv4 stack and protect against denial of service attacks by setting the following in /etc/sysctl.conf. The file is applied top to bottom and the last assignment of a key wins, so make sure each key appears only once. Load it with sysctl -p and check any single value with sysctl <key>.

net.ipv4.ip_forward = 0

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.lo.accept_source_route = 0

net.ipv4.conf.eth0.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.lo.rp_filter = 1

net.ipv4.conf.eth0.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.lo.accept_redirects = 0

net.ipv4.conf.eth0.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.log_martians = 1

net.ipv4.conf.lo.log_martians = 1

net.ipv4.conf.eth0.log_martians = 1

net.ipv4.conf.default.log_martians = 1

kernel.sysrq = 0

net.ipv4.tcp_fin_timeout = 15

net.ipv4.tcp_keepalive_time = 1800

net.ipv4.tcp_window_scaling = 0

net.ipv4.tcp_sack = 0

net.ipv4.tcp_timestamps = 0

net.ipv4.tcp_syncookies = 1

net.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.icmp_ignore_bogus_error_responses = 1

net.ipv4.tcp_max_syn_backlog = 1024

net.ipv4.ip_local_port_range = 16384 65535

Three remarks. log_martians is set to 1 (not 0) for every interface: logging packets with impossible source addresses is the whole point of the setting. The upper end of ip_local_port_range cannot exceed 65535. And switching off window scaling, SACK and timestamps is a deliberate hardening trade-off that costs TCP throughput on high-latency paths; keep those three enabled if the server moves bulk data over a WAN.
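Because sysctl -p applies the file top to bottom, a key that appears twice ends up with its last value, and hardening lists pasted together from several sources do that surprisingly often. Here is an added example (not part of the original post) that resolves a sysctl.conf into the effective key=value set and flags keys assigned more than once, so the file can be cleaned before it is loaded. The excerpt it parses is constructed.

```shell
#!/bin/bash
# Added example (not from the original post): resolve /etc/sysctl.conf the way
# sysctl -p does (top to bottom, last assignment wins) and flag duplicated keys.
# The sysctl.conf excerpt below is constructed.

# effective_sysctl <file>: one "key=value" per key, last assignment wins, sorted
effective_sysctl() {
  awk '
    /^[[:space:]]*$/ || /^[[:space:]]*[#;]/ { next }     # blank and comment lines
    index($0, "=") {
      key = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", key)
      val = substr($0, index($0, "=") + 1)
      sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
      eff[key] = val                                    # later lines overwrite earlier ones
    }
    END { for (k in eff) print k "=" eff[k] }' "$1" | sort
}

# duplicate_sysctl_keys <file>: keys assigned more than once, sorted
duplicate_sysctl_keys() {
  awk '
    /^[[:space:]]*$/ || /^[[:space:]]*[#;]/ { next }
    index($0, "=") { key = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", key); seen[key]++ }
    END { for (k in seen) if (seen[k] > 1) print k }' "$1" | sort
}

conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed excerpt of a hardening list with one key set twice
net.ipv4.ip_forward = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
kernel.sysrq = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
EOF
echo "keys assigned more than once:"; duplicate_sysctl_keys "$conf"
echo "effective values:";             effective_sysctl "$conf"
rm -f "$conf"
```

To compare the file with the running kernel, loop over effective_sysctl /etc/sysctl.conf and check each key with sysctl -n <key>; any difference means either sysctl -p was never run after the last edit or something else (an init script, a manual sysctl -w) changed the value afterwards.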

16. Network Service Access Control

/etc/hosts.allow and /etc/hosts.deny must be configured according to the current NSA approved list of hosts that are allowed to use local network services, as enforced by TCP wrappers (tcpd for xinetd services, and daemons linked against libwrap such as sshd). hosts.allow is consulted first and hosts.deny second, so the usual pattern is a closing "ALL: ALL" in hosts.deny with explicit entries in hosts.allow; test a rule with tcpdmatch before relying on it.

17. Apache Server Hardening Doc

17.1 Apache Banner Linux Distribution Disclosure

Edit /etc/httpd/conf/httpd.conf Change the ServerTokens OS to ServerTokens Prod

17.2 HTTP server type and version revealed

Edit /etc/httpd/conf/httpd.conf Change ServerSignature On to ServerSignature Off

17.3 Disable TRACE. Telnet to port 80 and send "TRACE / HTTP/1.0" followed by an empty line; a 200 reply that echoes your request back means TRACE is enabled.

On httpd 2.x the simplest fix is the directive TraceEnable Off in httpd.conf. The mod_rewrite alternative below works as well; note that RewriteEngine inside a <Directory> block needs Options FollowSymLinks (or SymLinksIfOwnerMatch) to be in effect for that directory:

<Directory />
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</Directory>

17.4 SSL Medium Strength Cipher Suites Supported

Edit /etc/httpd/conf.d/ssl.conf and set the line

SSLCipherSuite HIGH:!aNULL:!ADH:!eNULL:!LOW:!EXP:!MEDIUM

A string that still contains +MEDIUM or RC4+RSA keeps the 128-bit RC4 and similar suites that this finding is about. Restart httpd and confirm from a console with openssl installed: openssl s_client -connect SERVERNAME:443 -cipher 'LOW:EXP:MEDIUM' must fail with a handshake failure, while openssl s_client -connect SERVERNAME:443 -cipher HIGH must succeed.

18. Configure Iptables.

18.1 Block all the traffic by default and create a white list traffic.

IPTABLES

Start by flushing every rule in every table, so the script is repeatable (iptables -X additionally deletes user-defined chains left over from a previous run):

#iptables -F

#iptables -t nat -F

#iptables -t mangle -F

#iptables -t raw -F

The built-in chains have an ACCEPT policy by default; if something has changed that, reset the chains you are not going to restrict back to ACCEPT:

#iptables -P OUTPUT ACCEPT

#iptables -t nat -P PREROUTING ACCEPT

#iptables -t nat -P POSTROUTING ACCEPT

#iptables -t mangle -P POSTROUTING ACCEPT

#iptables -t mangle -P PREROUTING ACCEPT

#iptables -t mangle -P FORWARD ACCEPT

Set the default policy to DROP so that anything not explicitly allowed is dropped.

Drops all packets entering the local system from the network:

iptables -P INPUT DROP

Drops all packets routed through the system; relevant only if the system is configured as a firewall/router:

iptables -P FORWARD DROP

Do this from the console, or put the two -P DROP lines at the very end of the script, after the ESTABLISHED,RELATED and SSH rules below are in place: running them first over an SSH session cuts off that session, and every future one, until a rule lets SSH in.

I am creating a chain called whitelist that will hold all the allow rules:

#iptables -N whitelist

Jumping to it from INPUT makes every rule in whitelist apply to packets entering the local system. These rules belong on the end server, not the router (on a router the equivalent rules go into the FORWARD chain as well). The Log and Limit chains referenced here are created further down; iptables refuses a jump to a chain that does not exist yet, so in a real script create all three chains with iptables -N before adding these jumps, and keep the jump to Log last, since anything that reaches it is about to hit the DROP policy:

#iptables -A INPUT -j whitelist

#iptables -A INPUT -j Limit

#iptables -A INPUT -j Log

Since every packet is dropped by default, we implement a stateful inspection firewall on top of that.

The rule below accepts all packets belonging to an established connection, or related to one (FTP data, ICMP errors). New and invalid packets fall through to the rules that follow. Note there is no space after the comma in the state list; with a space iptables rejects the rule.

#iptables -A whitelist -m state --state ESTABLISHED,RELATED -j ACCEPT

Now allow new connections only to the services that must be reachable over the network or the internet.

To allow connections to HTTP (change the port numbers if they are customised):

#iptables -A whitelist -p tcp -m state --state NEW -d <destination ip, usually the server ip> --dport 80 -j ACCEPT

#iptables -A whitelist -p tcp -m state --state NEW -d <destination ip, usually the server ip> --dport 8080 -j ACCEPT

To allow connections to HTTPS (change the port number if it is customised):

#iptables -A whitelist -p tcp -m state --state NEW -d <destination ip, usually the server ip> --dport 443 -j ACCEPT

OR

One rule can allow several ports with the multiport match:

#iptables -A whitelist -p tcp -m state --state NEW -m comment --comment "Allow HTTP, HTTPS access" -m multiport --dports 80,8080,443 -j ACCEPT

To allow access to the SSH server (make sure this rule is in place before the DROP policy takes effect if you are working remotely):

#iptables -A whitelist -p tcp -m state --state NEW -d <destination ip/server ip> --dport 22 -j ACCEPT

Note: rules of the same shape provide access to any other service that is running.

To allow services that use the loopback interface (this rule belongs at the top of INPUT, before the jump to whitelist, since nothing on lo needs inspecting):

#iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT

To allow multicast traffic from the LAN if needed (the iprange match takes --src-range or --dst-range; there is no --iprange option):

#iptables -A whitelist -m iprange --dst-range 224.0.0.0-239.255.255.255 -j ACCEPT

To log the bad packets I am creating a separate chain called Log and linking it to the built-in chain; the logged packets show up in /var/log/messages. The limit match keeps a flood from filling the log. Chain names are case sensitive, so the jump must say Log exactly as created here:

#iptables -N Log

#iptables -A Log -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Bad packets: "

Log nmap scans

#iptables -N Antihacker_log

Null scan

#iptables -A Antihacker_log -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "Null Scan Detected "

Xmas scan

#iptables -A Antihacker_log -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS Scan Detected "

SYN/FIN scan

#iptables -A Antihacker_log -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "SYNFIN Scan Detected "

nmap Xmas scan

#iptables -A Antihacker_log -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "NMAP-XMAS Scan Detected "

FIN scan

#iptables -A Antihacker_log -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "FIN Scan Detected "

Link the user-defined chain to the built-in chain (the name must match the chain created above, Antihacker_log). LOG is a non-terminating target: the packet continues down the chain after being logged, so add a matching -j DROP rule after each LOG rule if scan packets are to be dropped even when they are aimed at an open port:

#iptables -A INPUT -j Antihacker_log

#iptables -N Limit

Rate-limit ICMP echo to a burst of 4, then 1 per second, and only for packets between 84 and 102 bytes long (a normal ping; oversized pings are dropped):

#iptables -A Limit -p icmp --icmp-type echo-reply -m comment --comment "limit 4 echoreply to the server" -m limit --limit 1/s --limit-burst 4 -m length --length 84:102 -j ACCEPT

#iptables -A Limit -p icmp --icmp-type echo-request -m comment --comment "limit 4 echorequest to the server" -m limit --limit 1/s --limit-burst 4 -m length --length 84:102 -j ACCEPT

Finally, persist the rule set so it survives a reboot: service iptables save writes it to /etc/sysconfig/iptables, which the iptables service (enabled in 1.2) loads at boot.
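The fragments above have to be applied in the right order or they either fail (a jump to a chain that does not exist yet) or lock you out (the DROP policy set before the allow rules). Here is an added example (not part of the original post) that assembles them into one script in a safe order: user chains are created before anything jumps to them, loopback and ESTABLISHED/RELATED traffic is accepted first, scan signatures are logged and dropped, the published ports and rate-limited ping are allowed, and only then does the policy flip to DROP. IPT defaults to iptables; with IPT=echo the script merely prints the rules, which is the default "preview" mode and what the self-test exercises. SERVER_IP and TCP_PORTS are placeholders for the example.

```shell
#!/bin/bash
# Added example (not from the original post): the section 18 whitelist firewall
# assembled in a safe order. IPT=echo prints the rules instead of loading them.
# SERVER_IP and TCP_PORTS are placeholder values for the example.

IPT=${IPT:-iptables}
SERVER_IP=${SERVER_IP:-192.0.2.10}
TCP_PORTS=${TCP_PORTS:-22,80,443}

ipt() { $IPT "$@"; }

build_firewall() {
  # Start clean, with ACCEPT policies so nothing is cut off half-way through.
  for t in filter nat mangle raw; do ipt -t $t -F; ipt -t $t -X; done
  ipt -P INPUT ACCEPT; ipt -P FORWARD ACCEPT; ipt -P OUTPUT ACCEPT

  # User chains, created before any rule jumps to them.
  ipt -N whitelist; ipt -N Antihacker_log; ipt -N Limit; ipt -N Log

  # Loopback and existing connections never need inspecting.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -m state --state INVALID -j DROP

  # Scan signatures: log (rate-limited), then drop, so they never reach an open port.
  for sig in "NONE:Null" "ALL:XMAS" "SYN,FIN:SYNFIN" "URG,PSH,FIN:NMAP-XMAS" "FIN:FIN"; do
    ipt -A Antihacker_log -p tcp --tcp-flags ALL "${sig%%:*}" -m limit --limit 5/m \
        -j LOG --log-prefix "${sig#*:} Scan: "
    ipt -A Antihacker_log -p tcp --tcp-flags ALL "${sig%%:*}" -j DROP
  done

  # New connections only to the published services.
  ipt -A whitelist -p tcp -m state --state NEW -d "$SERVER_IP" -m multiport \
      --dports "$TCP_PORTS" -m comment --comment "published TCP services" -j ACCEPT

  # Rate-limited, normal-sized ICMP echo requests.
  ipt -A Limit -p icmp --icmp-type echo-request -m limit --limit 1/s \
      --limit-burst 4 -m length --length 84:102 -j ACCEPT

  # Whatever is left is logged (rate-limited) and then meets the DROP policy.
  ipt -A Log -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 \
      --log-prefix "Bad packets: "

  # Wire the user chains into INPUT in evaluation order.
  ipt -A INPUT -j Antihacker_log
  ipt -A INPUT -j whitelist
  ipt -A INPUT -j Limit
  ipt -A INPUT -j Log

  # Only now flip the policies.
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
}

case "${1:-preview}" in
  apply) build_firewall && service iptables save ;;   # persist to /etc/sysconfig/iptables
  *)     ( IPT=echo; build_firewall ) ;;              # preview: print the rules, touch nothing
esac
```

Run it without arguments to review the rule list, then with "apply" from the console (or with a tested SSH rule, since 22 is in TCP_PORTS). iptables -L -n -v afterwards shows per-rule counters, which is the quickest way to see whether traffic is landing in the chain you expected.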

19. Selinux Configuration for securing files and services

# Edit /etc/sysconfig/selinux

Do the changes as show below

SELINUX=enforcing (enables SELinux; permissive would only log the denials)

SELINUXTYPE=targeted (protects the daemons and processes covered by the policy. Under the targeted policy, interactive processes run in the unconfined_t domain, so interactive users are not constrained by SELinux even if they attempt strange or malicious actions; what is confined is the network-facing daemons, which is where exploitation usually starts.)

SELinux can stop attacks before they become complete system breaches

The alternative is yum install selinux-policy-strict (the package has to be installed first) with

SELINUXTYPE=strict (full protection for all daemons and users: security contexts are defined for all subjects and objects, and every single action is checked by the policy enforcement server)

Changing SELINUXTYPE, or going from disabled to enforcing, requires a relabel of the filesystem (touch /.autorelabel, then reboot). To change only the mode at runtime:

# setenforce 1 (switches SELinux to enforcing mode immediately; getenforce shows the current mode)

20. Password policies

20.1 Enabling Password History

Enabling password history stops users from re-using their old passwords. Procedure for maintaining a password history:

#touch /etc/security/opasswd

#chown root:root /etc/security/opasswd

#chmod 600 /etc/security/opasswd

The opasswd file holds the hashes of previous passwords.

password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok remember=12

Rather than adding a second pam_unix line, add remember=12 to the existing password pam_unix.so line in /etc/pam.d/system-auth (the other options shown are the RHEL defaults; keep whatever your file already has, but drop nullok if it is present, since it permits empty passwords). remember=12 keeps the last 12 hashes in opasswd and rejects any of them.

20.2 Password complexity

The line below goes in /etc/pam.d/system-auth, before the pam_unix password line:

password    required      pam_cracklib.so try_first_pass retry=3 minlen=10 difok=2 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-2

This requires at least 10 characters, including at least one lowercase letter, one uppercase letter, one digit and two other characters. The option name is minlen, and the credits have to be negative to act as requirements: with lcredit=1 ucredit=1 dcredit=1 ocredit=2 each class is only worth a point towards minlen, and nine lowercase letters would pass. By default the checks are only warnings when root sets a password, so root can still assign a weak one to another user.

Note: a misconfigured system-auth file can lock out every user including root. Keep a root shell open while testing, verify with a second login, and if it does go wrong boot to single user mode and run authconfig to regenerate the file.
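Whether a pam_cracklib line enforces what its author intended is easy to get wrong, because positive and negative credits mean different things. This added example (not part of the original post), covering both 3.2 and 20.2, re-implements pam_cracklib's length/credit rule (the "simple" check only; the dictionary and similarity checks are separate) so a candidate password can be scored against a given minlen and credit set. A credit of N >= 0 makes the class optional and worth up to N points towards minlen; a credit of -N makes the class required at least N times. The candidate passwords are constructed.

```shell
#!/bin/bash
# Added example (not from the original post), for 3.2 and 20.2: pam_cracklib's
# length/credit rule re-implemented so a config line can be checked against
# sample passwords. Dictionary and similarity checks are not modelled.
export LC_ALL=C

count_class() {            # count_class <password> <tr character set>
  printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# cracklib_ok <password> <minlen> <lcredit> <ucredit> <dcredit> <ocredit>
# Returns 0 when pam_cracklib's length/credit rule would accept the password.
cracklib_ok() {
  local pw=$1 minlen=$2 len need=$2 cls credit n
  len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
  [ "$minlen" -lt 6 ] && need=6          # pam_cracklib never goes below 6
  for cls in "a-z:$3" "A-Z:$4" "0-9:$5" "other:$6"; do
    credit=${cls#*:}
    if [ "${cls%%:*}" = other ]; then
      n=$(( len - $(count_class "$pw" 'a-zA-Z0-9') ))
    else
      n=$(count_class "$pw" "${cls%%:*}")
    fi
    if [ "$credit" -ge 0 ]; then
      [ "$n" -gt "$credit" ] && n=$credit   # a positive credit is a cap, not a requirement
      need=$(( need - n ))
    elif [ "$n" -lt $(( -credit )) ]; then
      return 1                               # a required class is missing
    fi
  done
  [ "$need" -le "$len" ]
}

# Positive credits (the common mistake): every class is optional, so twelve
# lowercase letters satisfy minlen=10 with room to spare.
cracklib_ok passwordpass 10 1 1 1 2 && echo "positive credits accept 'passwordpass'"
# Negative credits really demand lower, upper, digit and two other characters.
cracklib_ok passwordpass 10 -1 -1 -1 -2 || echo "negative credits reject 'passwordpass'"
cracklib_ok 'Sp1ky!pass#' 10 -1 -1 -1 -2 && echo "negative credits accept 'Sp1ky!pass#'"
```

The definitive check is still passwd itself: as an ordinary user, try a password the script rejects and one it accepts and confirm pam_cracklib agrees (remember that the dictionary check can reject more than this model does).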

20.3 Lock account after certain number of failed login attempts

Configuration Follows below

auth        required      pam_env.so

auth        required      pam_tally.so onerr=fail deny=3 unlock_time=60

The second line is the one to add to /etc/pam.d/system-auth, directly under the existing pam_env.so line and before pam_unix.so.

# faillog -u <username> displays the number of failed login attempts.

# faillog -r -u <username> resets the counter for the specified user and unlocks the account

The pam_tally line configures account lockout after 3 failed login attempts; with unlock_time=60 the account unlocks by itself after 60 seconds (section 4.1 used 360). Do not configure lockout without an unlock_time on accounts that matter: anyone who can reach the login prompt could otherwise lock out the administrators at will.

All the Best🙂