Nowadays most of the Linux flavored desktop like Ubuntu, Mint, Fedora, Suse etc. are coming with very interactive user friendly graphical user interface (GUI). Using Linux GUI is similar to use other graphical user interface OS like Windows XP/7/8, Mac OS, Android or iOS etc.

Although Linux is coming with user friendly GUI but it is also providing a very strong command interface called command line interface (CLI) terminal similar to dos command interface in Windows. Similar to dos, this CLI is also not user friendly. But Linux terminal commands are important to learn as it is the base of this OS and if you learn this you can do almost anything in your system using terminal application (don’t take it so seriously, it will not cook food for you ;-) but definitely it will do).

So here is my first trick.

Use “apropos” to find your command

Any newbie when first open the Linux terminal, they can get confused because they don’t know what to do. But actually they know what to do but don’t know how to do that. So here is my first trick when you open Linux terminal. Don’t think too much, your first command is “apropos”. Using apropos command you can find all the command to do anything. For example, if you want to download a file using command, give command

apropos “download”

It will show you the list of all the commands, with their initial help, to download a file.

Now you try finding your command to download a file which is “wget”. wget command can be used as follows:

wget

But how will you know that “wget” or any other command can be used like this.

So here is my second tip.

Use “man” command for command manual page

It is very important to know about that how can you get the help of any Linux command. You can use any Linux command with care, if you will find its help. So after you know, which command can be used to do your task, check its manual page by “man” command. Linux Manual pages show the syntax and the detail description of the options of the command.

man <command>

Other than manual page of any Linux commands, a simple help is also there. So my third tip is about that.

Use “-h” or “–help” argument for command help

Most of the Linux commands have its help. Other than manual page, this help is also useful to learn the command syntax and options. Sometimes only this help is enough to execute a command but better look for its manual page to get detailed help.

wget -h

or

wget --help

Conclusion

After learning above three tips, you can find any required command and its manual or help. So, start finding and using Linux command line terminal.

Please feel free to contact me if you still need any help in using Linux.

Related Page:

Linux Commands Man Pages

These files play the important role in Linux startup and shutdown process. When a service is started through an init script, a file is touched in the /var/lock/subsys/ directory with the same name as the init script. This lock file helps in various manners like:

• This file represents that the service should be running or subsystem locked.
• It helps to avoid another instance of a service, if it accidentally started again.
• It is mandatory to create, if service need to be stopped in shutdown.

When the service is stopped, this file is removed.

However only lock file is not enough to know that the service is running or not. Status of a running service can be captured by using status function defined in /etc/rc.d/init.d/functions. Following command in an init script show the status of the service (if status case created in init script):

service <servicename> status

It checks both PID and the lock file of the service. If PID is not found but the lock file exists, you will get following message:

 dead but subsys locked

It is not always mandatory to create lock file, the services can be started and stopped without it. But it can create problem during shutdown and RUNLEVEL switch. So follow the recommended steps (recommended by me) to write a good init script (also drafting a tutorial for writing init script):

• In start section of init script touch the lock file after starting the service. You can use touch at the end of start case.

touch /var/lock/subsys/

• Don’t forget to check the lock file before starting the service in start case to avoid the multiple session of same service.

if [ ! -f /var/lock/subsys/ ]; then
     start # start service here
fi

• Don’t forget to remove the lock in stop case, it can also be added at the end of stop case.

rm -f /var/lock/subsys/<servicename>

In case system goes power down, lock files remain exist in the system due to non-execution of stop case. It does not tend it to failure as we added a check of existence of lock file in start case. , But the PID of those services will not found that means service is staled. During startup process, init checks if PID of a service exist or not. It realize a stale lock file, and clean itself up, which allow the init script to start the service successfully.

Requirement

Create a CentOS 6 bootable USB which will support customized installation (by using kickstart configuration file).

Limitations with other software

UNetbootin: Bootable USB of CentOS 6 created by UNetbootin is not even booting the system using USB and not support kickstart configuration file.

liveusb-creator: It support live Linux Fedora OS only like fedora-live and not support kickstart configuration file.

Universal-USB-Installer: It successfully boot the CentOS 6 from USB but failed to install by kickstart configuration file.

Prerequisites of ISO2USB software

This is the minimum requirement for all ISO to USB software. It need followings:

• ISO file or CD/DVD of CentOS 6 (Custom Installation disk of CentOS 6).
• A USB drive to boot the system.

Prepare CentOS 6 bootable from ISO file or CD/DVD

After downloading ISO2USB software for Windows, follow the steps given below:

• Plug the USB drive to Windows XP/Vista/7 machine.
• Execute the ISO2USB software.

ISO2USB Software

• Browse CentOS 6 ISO (with custom installation) file by using the highlighted browse button.

Browse Custom CentOS-6 ISO file

• Click on OK button but before clicking on OK button; just make sure that correct USB drive should be selected.

Select USB drive

• Click Exit button, when finished.

Exit ISO2USB

• Safely remove USB drive from Windows XP/Vista/7 system.

USB drive is now ready to install CentOS 6 (with custom configuration file) on your system.

The WordPress.com stats helper monkeys prepared a 2013 annual report for this blog.

Here’s an excerpt:

Madison Square Garden can seat 20,000 people for a concert. This blog was viewed about 68,000 times in 2013. If it were a concert at Madison Square Garden, it would take about 3 sold-out performances for that many people to see it.

Click here to see the complete report.

Click following Sign up button to create your free account and Sign in if you already created your free account.

Cheers……

To configure the IPSec between servers following are the requirements:

• IPSec-tools package
• Static IP address for each system

IPSec-tools can be downloaded from http://ipsec-tools.sourceforge.net/.

Installation IPSec-tools package:

To install give the following commands:

# tar jxf ipsec-tools-x.y.z.tar.bz2
# cd ipsec-tools-x.y.z
# ./configure
# make
# make install

If you get error in compilation, please go through the comments. You will find the solution.

Replace x.y.z with the version of the downloaded sources.

Instead of compiling and installing IPSec-tools from source, it can be done using CentOS repository:

# yum install ipsec-tools

IPSec communication between two Linux systems

Using Pre-shared key authentication method:

Linux to Linux IPSec communication can be used to secure the communication between Server (IP address: 192.168.1.1) to Server (IP address: 192.168.1.2). It can also be used to encrypt the client-sever communication. For example: L2TP VPN Server and client communication, VNC server and client communication can be secured using ipsec-tools. For both cases following steps need to be followed.

The first step is to write a configuration file /etc/raccoon/setkey.conf with following entries on 192.168.1.1.

#!/usr/sbin/setkey -f
# Flush the SAD and SPD
flush;
spdflush;
spdadd 192.168.1.1 192.168.1.2 any -P out ipsec
        esp/transport//require;
spdadd 192.168.1.2 192.168.1.1 any -P in ipsec
        esp/transport//require;

The same /etc/setkey.conf can be created on the 192.168.1.2 host, with inverted -P in and -P out options.

#!/usr/sbin/setkey -f
# Flush the SAD and SPD
flush;
spdflush;
spdadd 192.168.1.1 192.168.1.2 any -P in ipsec
        esp/transport//require;
spdadd 192.168.1.2 192.168.1.1 any -P out ipsec
        esp/transport//require;

With the security policies set up you can configure racoon. We will add paths for the preshared key file, and certification directory. This is an example of /etc/racoon.conf with the paths and a general phase two policy set up:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
{
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des, blowfish 448, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

The sainfo identifier is used to make a block that specifies the settings for security associations. Instead of setting this for a specific host, the anonymous parameter is used to specify that these settings should be used for all hosts that do not have a specific configuration. The pfs_group specifies which group of Diffie-Hellman exponentiations should be used. The different groups provide different lengths of base prime numbers that are used for the authentication process. Group 2 provides a 1024 bit length if you would like to use a greater length, for increased security, you can use another group (like 14 for a 2048 bit length). The encryption_algorithm specifies which encryption algorithms this host is willing to use for ESP encryption. The authentication_algorithm specifies the algorithm to be used for ESP Authentication or AH. Finally, the compression_algorithm is used to specify which compression algorithm should be used when IPcomp is specified in an association.

The next step is to add a phase one configuration for the key exchange with the other host to the racoon.conf configuration file.

remote 192.168.1.2
{
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group 2;
        }
}

The remote block specifies a phase one configuration. The exchange_mode is used to configure what exchange mode should be used for phase. You can specify more than one exchange mode, but the first method is used if this host is the initiator of the key exchange. The my_identifier option specifies what identifier should be sent to the remote host. If this option committed address is used, this sends the IP address as the identifier. The proposal block specifies parameter that will be proposed to the other host during phase one authentication. The encryption_algorithm, and dh_group are explained above. The hash_algorithm option is mandatory, and configures the hash algorithm that should be used. This can be md5, or sha1. The authentication_method is crucial for this configuration, as this parameter is used to specify that a preshared key should be used, with pre_shared_key.

With racoon set up there is one thing left to do, the preshared key has to be added to /etc/racoon/psk.txt. The syntax is very simple, each line contains a host IP address and a key. These parameters are separated with a tab. For example:

192.168.1.2    somekey

Now time to test the security policies & raccoon configuration.

$ setkey -f /etc/setkey.conf
$ racoon -F

For instance, you could ping the other host to start with. The first time you ping the other host, this will fail:

$ ping 192.168.1.2
connect: Resource temporarily unavailable

But after some time you will get reply. Now all the communication between IP addresses 192.168.1.1 and 192.168.1.2 is secured with IPSec. Instead of making complete secure communication, it can be changed port specific, which can be used for client-server secure communication. It just need to modify /etc/setkey.conf file for port specific configuration.

Check related posts: how to configure L2TP VPN on CentOS using rp-l2tpd and how to configure L2TP VPN on CentOS using xl2tpd

Why it is required? If you want to set up your Linux box as a web hosting server for its users, you may need to give SFTP access. But they can get access to whole system Linux tree, just for reading but still very unsecure. So it is mandatory to lock them in their home directory.

There are many other applications, it’s just a common example, so lets start its configuration.

Linux Box Detail:

Its mine Linux Box, your Linux system may vary. Only thing to take care is the openssh-server version, because openssh-server-5.3p1 support SFTP chroot. Older version supports but its tricky, please let me k now if you want to know that too.

Operating System: CentOS 6.3/x86_64

Kernel Version: 2.6.32-279.19.1.el6/x86_64

Openssh Server Version: openssh-server-5.3p1-81.el6_3/x86_64

sshd Server Configuration:

Add the following tail output to your Linux box’s SSH

server configuration file /etc/ssh/sshd_config.

[rahulpanwar@myhost ~]# tail -6 /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group www-hosting
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Then restart sshd service to enable this configuration.

[rahulpanwar@myhost ~]# sudo /etc/init.d/sshd restart

Create Chroot Users:

[rahulpanwar@myhost ~]# sudo mkdir /etc/skel/public_html
[rahulpanwar@myhost ~]# sudo groupadd www-hosting
[rahulpanwar@myhost ~]# sudo useradd -s /sbin/nologin -g www-hosting linuxexplore.com

Setting Permissions:

[rahulpanwar@myhost ~]# sudo chown root:www-hosting /home/linuxexplore.com
[rahulpanwar@myhost ~]# sudo chmod 755 /home/linuxexplore.com

That’s all now create multiple users for web hosting, and offer the secure sftp access to your customers.

Shell Script to Create Web Hosting Users:

#!/bin/bash
HOSTING_DIR="/etc/skel/public_html"
CHROOT_GRP="www-hosting"
USR_NAME="$1"

[ ! -d "$HOSTING_DIR" ] && mkdir -p $HOSTING_DIR
grep ^"${CHROOT_GRP}:" /etc/group || /usr/sbin/groupadd www-hosting
grep ^"${USR_NAMEP}:" /etc/passwd || /usr/sbin/useradd -s /sbin/nologin -g $CHROO_GRP $USR_NAME
chown root:$CHROOT_GRP /home/$USR_NAME
chmod 755 /home/$USR_NAME

Selinux Configuration:

Disable the selinux permanently or configure it for read write user’s home directory in SSH chroot.

[rahulpanwar@myhost ~]# sudo setsebool -P ssh_chroot_rw_homedirs on
[rahulpanwar@myhost ~]# sudo restorecon -R /home/$USERNAME

Troubleshooting

From: https://wiki.archlinux.org/index.php/SFTP-chroot

sshd[3505]: fatal: bad ownership or modes for chroot directory "/home/linuxexplore.com"

It’s ChrootDirectory ownership problem, sshd will reject sftp connections to accounts that are set to chroot into any directory that has ownership/permissions that sshd doesn’t consider secure. sshd’s apparently strict ownership/permissions requirements dictate that every directory in the chroot path must be owned by root and only writable for the owner. So, for example, if the chroot environment is in a user’s home directory both /home and /home/username must be owned by root and have permissions like 755 or 750 ( group ownership should allow user to access ).

If you are using sftp with public key check the following link:

http://www.centos.org/modules/newbb/viewtopic.php?topic_id=37903&forum=59

If chroot environment is in user’s home directory, make sure user have access to its home directory, or user would not be able to access its publickey, produce the error given in above CentOS forum link.

Preparation of installation of LibreOffice 4.0.0:

First of all download the newer version of LibreOffice 4.0.0 using wget command as follows.

wget http://download.documentfoundation.org/libreoffice/stable/4.0.0/rpm/x86/LibreOffice_4.0.0_Linux_x86_rpm.tar.gz

This tar file contains RPMs of LibreOffice 4.0.0 package. Extract this tar file to some location, I like /opt.

tar -xf Libreoffice_4.0.0_Linux_x86_rpm.tar.gz -C /opt

Uninstall Previous version of LibreOffice Package:

Previously existing installation of LibreOffice package must be removed before proceeding to installation of newer version. You can use yum erase command to remove old LibreOffice package.

yum erase libreoffice*

You can use any method to uninstall earlier LibreOffice package but it must be uninstalled first. Check my earlier post How to use yum for package management.

Installation of LibreOffice 4.0.0 RPMs:

To install the RPM, you can use yum command again.

cd /opt/LibreOffice_4.0.0.3_Linux_x86_rpm/RPMS/
yum localinstall *.rpm

It will install all LibreOffice RPMs from RPMS directory.

Finalizing the installation:

The above command(s) does the first part of the installation process. To complete the process, you also need to install the desktop integration packages. To do this, change directory to the desktop-integration directory that is within the RPMS directory, by entering the following command at the command line of a terminal window:

cd desktop-integration

Now run the installation command again:

yum localinstall libreoffice4.0-freedesktop-menus-4.0.0-103.noarch.rpm

The installation process is now completed, and you should have icons for all the LibreOffice.

Now you are ready to enjoy the power of opensource. Try this version, you will feel proud to be an Open Source user or supporter. Thanks a lot to Document Foundation for such a great product.

If you like this please don't forget to share this with others, Thanks.

Download the PAM Radius Module

To download the PAM Radius module, click here.

Installing & configuring PAM Radius Module

To install PAM radius module, give the following commands:

[root@rahul-pc]# tar -xvf pam_radius-1.3.17.tar.gz

[root@rahul-pc]# cd pam_radius-1.3.17

[root@rahul-pc]# make

It will generate a library file pam_radius_login.so. Copy that file to /lib/security/ directory.

[root@rahul-pc]# cp pam_radius_login.so /lib/security/

Create a directory /etc/raddb/. Copy the file pam_radius_auth.conf to /etc/raddb/ directory named as server.

[root@rahul-pc]# mkdir /etc/raddb/

[root@rahul-pc]# cp pam_radius_auth.conf /etc/raddb/server

Change the file /etc/raddb/server according to your configuration.

# Radius Server IP address           Secret                                   Timeout

192.168.2.43                                       yoursecret                          3

Configure PAM Applications for Radius Server

After doing the above configurations, edit the PAM application’s files to authenticate from radius server.

SSH server configuration

To authenticate the SSH server request from radius server, edit the file /etc/pam.d/sshd.  Add a new line

auth                       sufficient                             pam_radius_auth.so

above the following line

auth                       include                                 system-auth

After changing the PAM file, the authentication request for SSH server will go to the configured radius server (192.168.2.43 in our example) first. If the request is not accepted from radius server, then it will check the system-authentication.

Password change configuration

Similarly, to change the password of any SSH user, change the file /etc/pam.d/passwd. Add a new line

password                            sufficient                             pam_radius_auth.so

above the following line

password                            include                 system-auth

After this password change request will go to the radius server.

FTP Server Configuration

Similarly do the above changes for vsftpd file in /etc/pam.d/ directory. Then the entire authentication request for FTP server will go to radius server.

In the same way do the changes for other required applications.

PAM with Radius Authentication.

Thanks to all my friends and followers.

The WordPress.com stats helper monkeys prepared a 2012 annual report for this blog.

Here’s an excerpt:

4,329 films were submitted to the 2012 Cannes Film Festival. This blog had 38,000 views in 2012. If each view were a film, this blog would power 9 Film Festivals

Click here to see the complete report.