
Determine the runlevel in Solaris

Determining a System’s Run Level

Display run level information by using the who -r command.

$ who -r

Use the who -r command to determine a system’s current run level for any level.

Example 6-1 Determining a System’s Run Level

This example displays information about a system’s current run level and previous run levels.

$ who -r
 .    run-level 3  Dec 13 10:10  3  0 S
$
Output of who -r command    Description
run-level 3                 Identifies the current run level
Dec 13 10:10                Identifies the date of the last run level change
3                           Also identifies the current run level
0                           Identifies the number of times the system has been at this run level since the last reboot
S                           Identifies the previous run level

Disabling Services on Solaris 10

Sun has done as many good things with Solaris 10 as bad ones. Sometimes I wonder how or why no one takes care of the small issues with Solaris 10. It has become very popular since it went open source, but there are still some annoyances which a day-to-day system admin could do without.

A few weeks ago I built 4 Solaris 10 servers, and even though our Flar image had most of the services turned off, some of them came up when the system was built. But turning off services in Solaris 10 is very easy. Here is what I did:

1. Identify what each port is mapped to within /etc/services:
egrep "22|111|6112|8891|8892|32773" /etc/services
ssh 22/tcp # Secure Shell
sunrpc 111/udp rpcbind
sunrpc 111/tcp rpcbind
dtspc 6112/tcp # CDE subprocess control
seosload 8892/tcp

2. Using svcs, determine which services are online under RPC:
svcs | grep rpc
online Jun_04 svc:/network/rpc/bind:default
online Jun_04 svc:/network/rpc/bootparams:default
online Jun_04 svc:/network/rpc/meta:default
online Jun_04 svc:/network/rpc/smserver:default

3. Since the RPC service is up, use it to determine what is running on port 32773:
rpcinfo -p | grep 32773
100026 1 udp 32773 bootparam
100229 1 tcp 32773 metad
100229 2 tcp 32773 metad

4. Find out what each service means:
svcs -xv /network/rpc/smserver
svc:/network/rpc/smserver:default (removable media management)
State: online since Mon Jun 04 06:43:02 2007
See: man -M /usr/share/man -s 1M rpc.smserverd
Impact: None.

svcs -xv /network/rpc/meta 
svc:/network/rpc/meta:default (SVM remote metaset services)
State: online since Mon Jun 04 06:43:02 2007
See: man -M /usr/share/man -s 1M rpc.metad
Impact: None.

svcs -xv /network/rpc/bind
svc:/network/rpc/bind:default (RPC bindings)
State: online since Mon Jun 04 06:43:00 2007
See: man -M /usr/share/man -s 1M rpcbind
See: /var/svc/log/network-rpc-bind:default.log
Impact: None.

5. Disable each service:
svcadm -v disable /network/rpc/bind
svc:/network/rpc/bind:default disabled.

svcadm -v disable /network/rpc/bootparams
svc:/network/rpc/bootparams:default disabled.

svcadm -v disable /network/rpc/meta 
svc:/network/rpc/meta:default disabled.

svcadm -v disable /network/rpc/smserver
svc:/network/rpc/smserver:default disabled.

6. Verify RPC is not running:
rpcinfo -p | more
rpcinfo: can't contact portmapper: RPC: Rpcbind failure - RPC: Failed (unspecified error)

Hardening a Solaris Installation

installation can be secured: the object is to have a box which can be accessed remotely via SSH and therefore used as a general purpose Unix server.

1.1. Patch and Firewall

First patch and firewall the machine.

1.2. Network-Related Daemons

In this section, our aim is to permanently stop network-related daemons which are not required, or better still, remove all software related to them. (Removal means fewer tools for intruders to play with.)

Whilst there are high-level, graphical tools which help with Solaris software package administration, we require something more fine-grained; in addition, it is beneficial to understand the Solaris package system so we opt for use of the command-line tools such as pkginfo and pkgrm. And /var/sadm/install/contents tells us which files belong to which packages.

The remainder of this section is the rough journal of securing a real installation. As such it is not a textbook example, but a real one!

Initial Scan of Open Ports

Scanning the Solaris box with nmap shows a scary number of possible entry points for would-be hackers:

  7/tcp      open        echo                    
  9/tcp      open        discard                 
  13/tcp     open        daytime                 
  19/tcp     open        chargen                 
  21/tcp     open        ftp                     
  22/tcp     open        ssh                     
  23/tcp     open        telnet                  
  37/tcp     open        time                    
  79/tcp     open        finger                  
  111/tcp    open        sunrpc                   
  512/tcp    open        exec                    
  513/tcp    open        login                   
  514/tcp    open        shell                   
  515/tcp    open        printer                 
  540/tcp    open        uucp                    
  587/tcp    open        submission
  898/tcp    open        unknown                 
  4045/tcp   open        lockd                   
  6112/tcp   open        dtspc                   
  7100/tcp   open        font-service            
  32771/tcp  open        sometimes-rpc5          
  32772/tcp  open        sometimes-rpc7          
  32773/tcp  open        sometimes-rpc9          
  32774/tcp  open        sometimes-rpc11         
  32775/tcp  open        sometimes-rpc13         
  32776/tcp  open        sometimes-rpc15         
  32777/tcp  open        sometimes-rpc17         
  32778/tcp  open        sometimes-rpc19         
  32779/tcp  open        sometimes-rpc21         
  32780/tcp  open        sometimes-rpc23     

inetd

Start simple: SSH does not run out of the super-server, inetd, so we comment out almost everything from /etc/inetd.conf and

    kill -HUP <inetd pid>

Network-Related Packages (r-commands; finger)

Next, look for network-related packages.

    pkginfo | grep -i network  

yields three SUNW packages to uninstall — shown also are packages which depend on those we want to remove (indentation indicates a package dependency — an indented package depends on the above, less indented package):

  SUNWrcmdc        Remote Network Client Commands
      SUNWppm        Solaris Print Manager
          SUNWmp        MP Print Filter
      SUNWscpu        Source Compatibility, (Usr)
          SUNWbcp        SunOS 4.x Binary Compatibility
              SUNWscbcp        SPARCompilers Binary Compatibility Libraries

  SUNWrcmdr        Remote Network Server Commands (Root)
  SUNWrcmds        Remote Network Server Commands (Usr)

Removing all the above, bringing the machine into single-user mode and back up, the following are gone (good!):

  79/tcp     open        finger                  
  512/tcp    open        exec                    # rexec
  513/tcp    open        login                   # rlogin
  514/tcp    open        shell                   # rsh

Printer Daemon

Next, we target the printer daemon:

    pkginfo | grep -i printer

yields candidates:

  SUNWpsu        Solaris Print - LP Server, (usr)
  SUNWpsr        Solaris Print - LP Server, (root)
  SUNWpcu        Solaris Print - Client, (usr)
  SUNWscplp      Solaris Print - Source Compatibility
  SUNWpcr        Solaris Print - Client, (root)

After removal, moving to single-user mode and bringing the system back up, we find

    515/tcp    open        printer                 

has gone.

UUCP, FTP, Telnet and NTP

And now, UUCP, FTP, Telnet and NTP:

    pkginfo | grep -i uucp
    pkginfo | grep -i ftp
    pkginfo | grep -i telnet
    pkginfo | grep -i ntp    


yielded

     SUNWbnur       Networking UUCP Utilities, (Root)
     SUNWbnuu       Networking UUCP Utilities, (Usr)

     SUNWftpr       FTP Server, (Root)
     SUNWftpu       FTP Server, (Usr)

     SUNWtnetr      Telnet Server Daemon (Root)
     SUNWtnetc      Telnet Command (client)
     SUNWtnetd      Telnet Server Daemon (Usr)

     SUNWntpr       NTP, (Root)
     SUNWntpu       NTP, (Usr) 

eliminating

    540/tcp    open        uucp                    
    21/tcp     open        ftp                     
    23/tcp     open        telnet                  
                                  # The ntp daemon was not actually listening.

X Font Server

The X font server:

    SUNWxwfs        X Window System Font server

    7100/tcp   open        font-service            

YP, NIS+, NFS, Samba, PPP, HTTP and DHCP

More Services: YP/NIS, NIS+, NFS, Samba, PPP, Web, DHCP

  SUNWypr        NIS Server for Solaris (root)
  SUNWypu        NIS Server for Solaris (usr)


  SUNWnisr       Network Information System, (Root)
  SUNWnisu       Network Information System, (Usr)


  SUNWnfscr      Network File System (NFS) client support (Root)
      SUNWvolu       Volume Management, (Usr)
          SUNWvolg        Volume Management Graphical User Interface
  SUNWnfscu      Network File System (NFS) client support (Usr)
  SUNWnfscx      Network File System (NFS) client support (Root) (64-bit)
  SUNWnfssr      Network File System (NFS) server support (Root)
  SUNWnfssu      Network File System (NFS) server support (Usr)
  SUNWnfssx      Network File System (NFS) server support (Root) (64-bit)

   
  SUNWsmbac      samba - A Windows SMB/CIFS fileserver for UNIX (client)
  SUNWsmbar      samba - A Windows SMB/CIFS fileserver for UNIX (Root)
  SUNWsmbau      samba - A Windows SMB/CIFS fileserver for UNIX (Usr)


  SUNWpppd       Solaris PPP Device Drivers
  SUNWpppdr      Solaris PPP configuration files
  SUNWpppdt      Solaris PPP Tunneling
  SUNWpppdu      Solaris PPP daemon and utilities
  SUNWpppdx      Solaris PPP Device Drivers (64-bit)
  SUNWpppg       GNU utilities for PPP


  SUNWapchr      Apache Web Server (root)
  SUNWapchu      Apache Web Server (usr)
  SUNWapchd      Apache Web Server (usr)


  SUNWtcatr      Tomcat Servlet/JSP Container (root)
  SUNWtcatu      Tomcat Servlet/JSP Container


  SUNWdhcm       DHCP Manager
  SUNWdhcsb      Binary File Format Data Module for BOOTP/DHCP Services
  SUNWdhcsr      BOOTP/DHCP Server Services, (Root)
  SUNWdhcsu      BOOTP/DHCP Server Services, (Usr)

What’s Left?

So what’s left?

  22/tcp     open        ssh                     
  25/tcp     open        smtp                    
  111/tcp    open        sunrpc                  
  587/tcp    open        submission              
  6112/tcp   open        dtspc                   
  7100/tcp   open        font-service            
  32771/tcp  open        sometimes-rpc5          
  32772/tcp  open        sometimes-rpc7          
  32773/tcp  open        sometimes-rpc9          
  32774/tcp  open        sometimes-rpc11         
  32775/tcp  open        sometimes-rpc13         
  32776/tcp  open        sometimes-rpc15         
  32777/tcp  open        sometimes-rpc17         
  32778/tcp  open        sometimes-rpc19    

We have removed the X-font-server package and no XFS-type daemon is running, but the machine is still listening on 7100!?!? Aha! The font-server entry in inetd.conf is still there... Comment out.

Sendmail

Next up, Sendmail: we want to be able to send email but not receive it, so rename and chmod 400 the sendmail init script in /etc/init.d and remove S88sendmail from rc2.d:

    mv sendmail __sendmail.orig_install.no_start

and eliminated

    25/tcp open smtp

Hmmm, port 587 also closed, I wonder what did that? Google [port 587 solaris]:

If you are using sendmail to receive messages (on port 25), you should turn off the Message Submission port (587/tcp). In /etc/mail/sendmail.cf, comment out

        O DaemonPortOptions=Port=587, Name=MSA, M=E 

with a hashmark

So we got one for free!

CDE (/usr/dt)

There is a load of RPC-related stuff to get rid of. CDE uses RPC and it's crap anyway... There's also dtspc on 6112:

    fgrep dtspc /var/sadm/install/contents

yields

    /usr/dt/bin/dtspcd f none 0555 root bin 27376 27505 1016069365 SUNWdtdmn
    /usr/dt/config/dtspcdenv f none 0444 root bin 1183 21978 1016069365 SUNWdtdmn
    /usr/dt/share/man/man1m/dtspcd.1m f none 0444 root bin 5230 44603 1016073808 SUNWdtma
    /usr/dt/share/man/man4/dtspcdenv.4 f none 0444 root bin 5316 53514 1016073844 SUNWdtma

so remove

  SUNWdtma     CDE man pages
  SUNWdtdmn    CDE daemons
      SUNWscgui    Solaris Smart Card Administration GUI
      SUNWjmfp     Java Media Framework Player
      SUNWpdas     PDA Synchronization for Solaris
      SUNWdtjxt    Java Extensions
          SUNWdtdst    CDE Desktop Applications
              SUNWpmowu  Power Management OW Utilities, (Usr)
              SUNWdtnsc     Netscape Componentization Support for CDE
              SUNWpmowm  Power Management OW Utilities Man Pages
      SUNWdthe     CDE HELP RUNTIME
      SUNWdtezt      Solaris Desktop Extensions Applications
          SUNWdtmaz       Desktop Power Pack man pages
      SUNWdtim   Solaris CDE Image Viewer
      SUNWdtwm  CDE DESKTOP WINDOW MANAGER
      SUNWdtab  CDE DTBUILDER 
      SUNWdthev    CDE HELP VOLUMES
      SUNWdthez   Desktop Power Pack Help Volumes
      SUNWdtdem       CDE DEMOS

Solaris Management Tools

Noticed this on a restart:

    Shutting down Solaris Management Console server on port 898.

so

    pkginfo | grep -i management

so

    SUNWmcex       Solaris Management Console 2.1 (Examples)
    SUNWmcdev      Solaris Management Console 2.1 (Development Kit)
    SUNWmc         Solaris Management Console 2.1 (Server Components)
        SUNWwbmc       Solaris Management Console 2.1 (WBEM Components)
            SUNWmga   Solaris Management Applications
                SUNWdclnt    Solaris Diskless Client Management Application
                SUNWlvmg     Solaris Volume Management Application
                SUNWrmui     Resource Management User Interface Components
                SUNWpmgr     Solaris Patch Management Applications
        SUNWlvma    Solaris Volume Management APIs
        SUNWmga     Solaris Management Applications
    SUNWmcc        Solaris Management Console 2.1 (Client Components)
    SUNWmccom      Solaris Management Console 2.1 (Common Components)

then init s, init 3 had no effect! Try a reboot — eliminated:

   898/tcp    open        unknown                 

Solaris Web Management Tools

A netstat -a | grep LIST shows up

    *.5987               *.*                0      0 49152      0 LISTEN

Google [port 5987 solaris]

The CIM Object Manager listens for remote method invocation (RMI) connections on RMI port 5987 and now listens for XML/HTTP connections on HTTP port 5988. (In the Solaris 8 software release and updates of the Solaris 8 release, the CIM Object Manager listened for XML/HTTP connections on default HTTP port 80.)

Solaris documentation indicates that CIM is part of WBEM.

    fgrep -i WBEM /var/sadm/install/contents

yields up

    SUNWmgapp  WBEM Management Applications
        SUNWrmwbu     Resource Management WBEM Instrumentation (usr)
        SUNWrmwbx     Resource Management WBEM Instrumentation (64-bit)

    SUNWwbcou       WBEM Services (usr)

Restart; eliminated!

Nearly There!

Aside from SSH, only RPC-related stuff left:

  22/tcp     open        ssh          
  111/tcp    open        sunrpc       
  32771/tcp  open        sometimes-rpc5          
  32772/tcp  open        sometimes-rpc7          
  32773/tcp  open        sometimes-rpc9          
  32774/tcp  open        sometimes-rpc11 
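The before/after comparison that this journal does by eye can be automated. The script below is an added example and not part of the original article: it embeds abridged copies of the first scan and the "Nearly There" listing as constructed sample data, lists the ports that have been closed, lists the survivors that are not on an allow list, and succeeds only when no unexpected listener remains. The allow list of SSH alone is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): compare two nmap-style
# listings of open TCP ports and check the survivors against an allow list.

# Constructed sample data, abridged from the scans quoted in the article:
# the initial scan and the "Nearly There" listing.
BEFORE_SCAN='  7/tcp      open        echo
  22/tcp     open        ssh
  23/tcp     open        telnet
  111/tcp    open        sunrpc
  515/tcp    open        printer
  7100/tcp   open        font-service
  32771/tcp  open        sometimes-rpc5'

AFTER_SCAN='  22/tcp     open        ssh
  111/tcp    open        sunrpc
  32771/tcp  open        sometimes-rpc5'

# Assumption: the only listener we intend to keep is SSH.
ALLOWED_PORTS='22'

# ports_from_scan: read an nmap-style listing on stdin and print the open
# TCP port numbers, one per line, in numeric order.
ports_from_scan() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { split($1, f, "/"); print f[1] }' |
        sort -n | uniq
}

# set_minus A B: lines of A that do not occur in B (both newline-separated),
# keeping A's order. A sentinel line separates the two inputs for awk.
set_minus() {
    printf '%s\n--END--\n%s\n' "$2" "$1" |
        awk 'f { if (!($0 in seen) && $0 != "") print; next }
             $0 == "--END--" { f = 1; next }
             { seen[$0] = 1 }'
}

# closed_ports BEFORE AFTER: ports open before hardening that no longer listen.
closed_ports() {
    set_minus "$(printf '%s\n' "$1" | ports_from_scan)" \
              "$(printf '%s\n' "$2" | ports_from_scan)"
}

# unexpected_ports SCAN ALLOWED: ports still open that are not allow-listed.
unexpected_ports() {
    set_minus "$(printf '%s\n' "$1" | ports_from_scan)" "$2"
}

# hardening_complete SCAN ALLOWED: succeed only when no unexpected port remains.
hardening_complete() {
    [ -z "$(unexpected_ports "$1" "$2")" ]
}

report() {
    echo "Ports closed so far:"
    closed_ports "$BEFORE_SCAN" "$AFTER_SCAN" | sed 's/^/  /'
    echo "Ports still open but not on the allow list:"
    left=$(unexpected_ports "$AFTER_SCAN" "$ALLOWED_PORTS")
    if [ -n "$left" ]; then
        printf '%s\n' "$left" | sed 's/^/  /'
        echo "Hardening is NOT complete."
    else
        echo "  (none): target state reached."
    fi
}

report
```

Feed a fresh `nmap` listing in place of AFTER_SCAN after each removal round to track progress toward the allow list.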

The Last Few RPC-Related Daemons

What processes are running?

    ps -ef

reveals

  rpc.ttdbserverd
  snmpXdmid
  dmispd

Of ToolTalk Google says:

CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain

and we know about SNMP...

    fgrep -i tooltalk /var/sadm/install/contents

gives candidates:

   SUNWtltk  ToolTalk runtime
       SUNWolrte    OPEN LOOK toolkits runtime environment
       SUNWtltkd    ToolTalk developer support
       SUNWtltkm    ToolTalk manual pages
       SUNWdtct     UTF-8 Code Conversion Tool
       SUNWxwdem    X Window System demo programs
       SUNWlpmsg    LP Alerts

    # ...and for SNMP :

    SUNWsacom Solstice Enterprise Agents 1.0.3 files for root file system
        SUNWmipr   Mobile-IP (Root)
            SUNWmipu    Mobile-IP (Usr)

Inetd and RPC: Finally

A final consideration of inetd and RPC — we don’t need the former since SSH runs independently and we don’t want the latter, so:

    /etc/init.d/inetsvc stop    (to stop inetd)
    /etc/init.d/rpc stop  

    cd /etc/init.d
    mv inetsvc __inetsvc.orig_install.no_start
    mv rpc __rpc.orig_install.no_start
    chmod 400 __inetsvc.orig_install.no_start
    chmod 400 __rpc.orig_install.no_start

syslogd

That leaves no TCP listeners and one UDP listener:

      *.syslog                              Idle

The man page for syslogd indicates that the default behaviour is to listen.

    /etc/init.d/syslog:             # ...and /etc/rc?.d/S??syslog

        ## /usr/sbin/syslogd >/dev/msglog 2>&1 &
        /usr/sbin/syslogd -t >/dev/msglog 2>&1 &


    /etc/default/syslogd:

        LOG_FROM_REMOTE=NO          # ...from "YES"

and restart.

Process ID attached to a particular port in SunOS

pfiles /proc/* 2>/dev/null | nawk '
/^[0-9]*:/ { pid=$0 }
/port: 7085$/ { printf("%s %s\n",pid,$0);}'

I would try something like:

$ lsof -i :7085


PCP is a script that enables administrators to see what open TCP ports are in use on a Solaris system. It maps ports to PIDs and vice versa. It accepts wildcards and will also show at a glance all open ports and their corresponding PIDs. It is a nice script and gives very fine output. Just try it.

Example: #pcp -p PORT_NUMBER or #pcp -P PROCESS_ID

#!/usr/bin/ksh
#
# PCP (PID con Port)
# v1.10 08/10/2010 Sam Nelson sam @ unix.ms
#
# If you have a Solaris 8, 9 or 10 box and you can't
# install lsof, try this. It maps PIDS to ports and vice versa.
# It also shows you which peers are connected on which port.
# Wildcards are accepted for -p and -P options.
#
# Many thanks Daniel Trinkle trinkle @ cs.purdue.edu
# for the help, much appreciated.
#

i=0
while getopts :p:P:a opt
do
    case "${opt}" in
        p ) port="${OPTARG}";i=3;;
        P ) pid="${OPTARG}";i=3;;
        a ) all=all;i=2;;
    esac
done
if [ "$OPTIND" != "$i" ]
then
    echo >&2 "usage: $0 [-p PORT] [-P PID] [-a] (Wildcards OK) "
    exit 1
fi
shift `expr $OPTIND - 1`
if [ "$port" ]
then
    # Enter the port number, get the PID ($port was set by getopts above)
    echo "PID\tProcess Name and Port"
    echo "_________________________________________________________"
    # Walk every PID in the process tree, skipping the ptree process itself
    for proc in `ptree -a | awk '/ptree/ {next} {print $1};'`
    do
        # pfiles lists each open socket of the process with a "port: N" line
        result=`pfiles $proc 2> /dev/null| egrep "port: $port$"`
        if [ ! -z "$result" ]
        then
            program=`ps -fo comm= -p $proc`
            echo "$proc\t$program\t$port\n$result"
            echo "_________________________________________________________"
        fi
    done
elif [ "$pid" ]
then
    # Enter the PID, get the port ($pid was set by getopts above)
    echo "PID\tProcess Name and Port"
    echo "_________________________________________________________"
    for proc in `ptree -a | awk '/ptree/ {next} $1 ~ /^'"$pid"'$/ {print $1};'`
    do
        result=`pfiles $proc 2> /dev/null| egrep port:`
        if [ ! -z "$result" ]
        then
            program=`ps -fo comm= -p $proc`
            echo "$proc\t$program\n$result"
            echo "_________________________________________________________"
        fi
    done
elif [ "$all" ]
then
    # Show all PIDs, Ports and Peers
    echo "PID\tProcess Name and Port"
    echo "_________________________________________________________"
    for proc in `ptree -a | sort -n | awk '/ptree/ {next} {print $1};'`
    do
        out=`pfiles $proc 2>/dev/null| egrep "port:"`
        if [ ! -z "$out" ]
        then
            name=`ps -fo comm= -p $proc`
            echo "$proc\t$name\n$out"
            echo "_________________________________________________________"
        fi
    done
fi
exit 0

Adding Samba to the Service Management Facility

I am a bit new to the Service Management Facility (SMF) introduced into Solaris 10, but after getting my feet wet I kinda like it. These steps came in handy for me when I needed to add Samba to SMF.

Backup and Remove samba rc* scripts

bash-3.00# tar cvpf - /etc/rc?.d/???samba | gzip -c > /var/tmp/etc-rc-samba.tar.gz
a /etc/rc0.d/K03samba 1K
a /etc/rc1.d/K03samba link to /etc/rc0.d/K03samba
a /etc/rc2.d/K03samba link to /etc/rc0.d/K03samba
a /etc/rc3.d/S90samba link to /etc/rc0.d/K03samba
a /etc/rcS.d/K03samba link to /etc/rc0.d/K03samba

Verify the archive:

bash-3.00# gunzip < /var/tmp/etc-rc-samba.tar.gz | tar -tvpf -

Wait!! Let’s hold off on removing the samba rc* files until everything is working properly.

The following version and components of samba were installed at the time of this writing:

bash-3.00# pkginfo -l | grep samba
NAME: samba - A Windows SMB/CIFS fileserver for UNIX (client)
DESC: samba - A Windows SMB/CIFS fileserver for UNIX (client) 3.0.11
NAME: samba - A Windows SMB/CIFS fileserver for UNIX (Root)
DESC: samba - A Windows SMB/CIFS fileserver for UNIX (Root) 3.0.11
NAME: samba - A Windows SMB/CIFS fileserver for UNIX (Usr)
DESC: samba - A Windows SMB/CIFS fileserver for UNIX (Usr) 3.0.11

Create and edit the smb.conf file
In the /etc/sfw directory, copy the example smb.conf-example file to smb.conf and edit it to your liking. I like to copy the sample file to smb-<server_name>.conf.

bash-3.00# pwd
/etc/sfw
bash-3.00# ls -l
total 66
...edited...
-rw-r--r-- 1 root bin 9975 Feb 12 11:01 smb.conf-example

bash-3.00# cp smb.conf-example smb-<server_name>.conf
bash-3.00# vi !$

Creating the control script
The control script: /lib/svc/method/samba will contain the following:

bash-3.00# cat > /lib/svc/method/samba

#! /sbin/sh
#

. /lib/svc/share/smf_include.sh

case "$1" in
'start')
    echo 'Starting samba services: '
    /usr/sfw/sbin/smbd -s /etc/sfw/smb-<server_name>.conf -D
    /usr/sfw/sbin/nmbd -s /etc/sfw/smb-<server_name>.conf -D
    ;;
'stop')
    /usr/bin/pkill smbd
    /usr/bin/pkill nmbd
    exit 0
    ;;
'refresh')
    echo 'Refreshing samba services:'
    /usr/bin/pkill -HUP smbd
    /usr/bin/pkill -HUP nmbd
    exit 0
    ;;
*)
    echo "Usage: $0 { start | stop | refresh }"
    exit 1
    ;;
esac
#EOF

Change Permissions and ownership for the Control Script:
The control script needs to be executable.

bash-3.00# ls -l "/lib/svc/method/samba"
-rw-r--r-- 1 root root 465 Feb 12 13:52 /lib/svc/method/samba
bash-3.00# chown :bin "/lib/svc/method/samba"
bash-3.00# chmod +x "/lib/svc/method/samba"
bash-3.00# ls -l !$
ls -l "/lib/svc/method/samba"
-rwxr-xr-x 1 root bin 465 Feb 12 13:52 /lib/svc/method/samba

The manifest: /var/svc/manifest/network/samba.xml

Create the manifest file and edit where appropriate:

bash-3.00# cat > /var/svc/manifest/network/samba.xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="manifest" name="SUNWsmbar:samba">
<service name="network/samba" type="service" version="1">
<create_default_instance enabled="false"/>
<single_instance/>
<!--
First of all, if the config file is not present,
then we needn't bother with anything else.
-->
<dependency name="config-file" grouping="require_all" restart_on="none" type="path">
<service_fmri value="file:///etc/sfw/smb-server_name.conf"/>
</dependency>

<!--
If there's no network, then there's no point in running
-->
<dependency name="loopback" grouping="require_all" restart_on="error" type="service">
<service_fmri value="svc:/network/loopback:default"/>
</dependency>
<dependency name="physical" grouping="optional_all" restart_on="error" type="service">
<service_fmri value="svc:/network/physical:default"/>
</dependency>

<!--
Since Samba may be providing a home directory service,
it is as well that we ensure that the file-systems are
all mounted before it is started. This is not essential
but in general it is a good thing and doesn't really hurt.
-->
<dependency name="fs-local" grouping="require_all" restart_on="none" type="service">
<service_fmri value="svc:/system/filesystem/local"/>
</dependency>

<!--
now we have the start stop and refresh methods
-->
<exec_method type="method" name="start" exec="/lib/svc/method/samba start" timeout_seconds="60"/>
<exec_method type="method" name="stop" exec="/lib/svc/method/samba stop" timeout_seconds="60"/>
<exec_method type="method" name="refresh" exec="/lib/svc/method/samba refresh" timeout_seconds="60"/>

<property_group name="samba" type="application">
<stability value="Evolving"/>
</property_group>
<property_group name="startd" type="framework">
<propval name="ignore_error" type="astring" value="core,signal"/>
</property_group>

<stability value="Evolving"/>
<!--
A description of the Service
-->
<template>
<common_name>
<loctext xml:lang="C">Samba Server</loctext>
</common_name>
<documentation>
<manpage title="samba" section="1M"/>
<doc_link name="samba.org" uri="http://www.samba.org/docs/"/>
</documentation>
</template>
</service>
</service_bundle>
# EOF


Double-check the manifest for errors

bash-3.00# svccfg validate /var/svc/manifest/network/samba.xml
bash-3.00#

If there are errors in the file you will get an error like the below, just double-check the file for correctness. If no complaints from validating then all should be good. 
bash-3.00# svccfg validate /var/svc/manifest/network/samba.xml
svccfg: couldn't parse document

Importing the Manifest in order to start and stop samba

bash-3.00# svccfg import /var/svc/manifest/network/samba.xml
bash-3.00#

Enabling Samba 

bash-3.00# svcadm -v enable samba
svc:/network/samba:default enabled.
bash-3.00# svcs | grep samba
online 14:31:10 svc:/network/samba:default
bash-3.00# svcs -l samba
fmri svc:/network/samba:default
name Samba Server
enabled true
state online
next_state none
state_time Mon Feb 12 14:31:10 2007
logfile /var/svc/log/network-samba:default.log
restarter svc:/system/svc/restarter:default
contract_id 31
dependency require_all/none file:///etc/sfw/smb-server_name.conf (online)
dependency require_all/error svc:/network/loopback:default (online)
dependency optional_all/error svc:/network/physical:default (online)
dependency require_all/none svc:/system/filesystem/local (online)

If all went well, verify that samba is running by trying to access a share through Windows (Start->Run, then enter the name of your server, e.g. \\server_name). You can also check the output of ps, though this may not mean everything is working.

bash-3.00# ps -ef | grep smb
root 269 1 0 14:31:10 ? 0:00 /usr/sfw/sbin/smbd -s /etc/sfw/smb-server_name.conf -D
root 273 269 0 14:31:10 ? 0:00 /usr/sfw/sbin/smbd -s /etc/sfw/smb-server_name.conf -D
root 276 1 0 14:31:10 ? 0:00 /usr/sfw/sbin/nmbd -s /etc/sfw/smb-server_name.conf -D
root 688 643 0 15:26:59 pts/1 0:00 grep smb
Removing the older samba rc* files
Ok. If everything went well, then the old samba rc* files can be removed, but they do not have to be.

bash-3.00# rm -i /etc/rc?.d/???samba
rm: remove /etc/rc0.d/K03samba (yes/no)? yes
rm: remove /etc/rc1.d/K03samba (yes/no)? yes
rm: remove /etc/rc2.d/K03samba (yes/no)? yes
rm: remove /etc/rc3.d/S90samba (yes/no)? yes
rm: remove /etc/rcS.d/K03samba (yes/no)? yes

Don’t forget to remove /etc/init.d/samba

bash-3.00# rm -i /etc/init.d/samba
rm: remove /etc/init.d/samba (yes/no)? yes
bash-3.00#
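Two of the steps above (making the method script executable, and creating the config file the path dependency points at) are easy to forget, and svccfg validate only checks the XML structure. The script below is an added example, not code from the post: it pulls every exec method path and every file:// dependency out of a manifest excerpt (constructed here in the shape of samba.xml) and verifies them under a root directory, so it can be run against a staging tree before svccfg import. The staging directory and sample manifest are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of an SMF
# manifest's method scripts and file:// path dependencies before import.

# Constructed manifest excerpt, in the shape of the samba.xml above.
MANIFEST='<exec_method type="method" name="start" exec="/lib/svc/method/samba start" timeout_seconds="60"/>
<exec_method type="method" name="stop" exec="/lib/svc/method/samba stop" timeout_seconds="60"/>
<exec_method type="method" name="refresh" exec="/lib/svc/method/samba refresh" timeout_seconds="60"/>
<dependency name="config-file" grouping="require_all" restart_on="none" type="path">
<service_fmri value="file:///etc/sfw/smb-server_name.conf"/>
</dependency>
<dependency name="loopback" grouping="require_all" restart_on="error" type="service">
<service_fmri value="svc:/network/loopback:default"/>
</dependency>'

# method_scripts: for each exec="..." attribute on stdin, print the script
# path (the first word of the exec string), de-duplicated.
method_scripts() {
    sed -n 's/.*exec="\([^" ]*\)[^"]*".*/\1/p' | sort -u
}

# path_dependencies: every file:// dependency path in the manifest on stdin.
# svc:/ FMRIs are service dependencies and are not checked here.
path_dependencies() {
    sed -n 's/.*value="file:\/\/\([^"]*\)".*/\1/p' | sort -u
}

# check_manifest MANIFEST ROOT: print one line per problem; succeed if none.
# ROOT is prefixed to every path so the check can run on a staging tree.
check_manifest() {
    problems=0
    for s in $(printf '%s\n' "$1" | method_scripts); do
        if [ ! -f "$2$s" ]; then
            echo "method script missing: $s"; problems=$((problems + 1))
        elif [ ! -x "$2$s" ]; then
            echo "method script not executable: $s"; problems=$((problems + 1))
        fi
    done
    for p in $(printf '%s\n' "$1" | path_dependencies); do
        if [ ! -e "$2$p" ]; then
            echo "path dependency missing: $p"; problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Demonstration on a throwaway staging tree that mirrors the post: the method
# script starts out mode 644 (as in the ls -l output above) and the config
# file does not exist yet, then both are fixed.
stage=$(mktemp -d)
mkdir -p "$stage/lib/svc/method" "$stage/etc/sfw"
printf '#!/sbin/sh\n' > "$stage/lib/svc/method/samba"
echo "--- before chmod +x, config file absent:"
check_manifest "$MANIFEST" "$stage" || true
chmod +x "$stage/lib/svc/method/samba"
: > "$stage/etc/sfw/smb-server_name.conf"
echo "--- after:"
check_manifest "$MANIFEST" "$stage" && echo "manifest prerequisites OK"
rm -rf "$stage"
```

Run it with ROOT set to / on the real box (or to a staging directory) before svccfg import; a non-zero exit means something the manifest refers to is not in place.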

The below resources helped me greatly and provide more in depth information than what I provide here.

URL: http://forum.sun.com/jive/thread.jspa?threadID=106458&messageID=366067
URL: http://blogs.sun.com/tdw/date/20050211#more_smf
URL: http://www.sunfreeware.com/sshsol10.html
URL: http://www.oreillynet.com/pub/a/sysadmin/2006/04/13/using-solaris-smf.html?page=4

CentOS 7 Installation Failed

After hearing the news that CentOS 7 had been published, I decided to install it on my computer. I downloaded the ISO image from the CentOS official website (the one named CentOS-7.0-1406-x86_64-DVD.iso) and then burned it onto a USB drive by using a tool named UltraISO.

After that, I rebooted my computer and pressed F12 to choose my boot device. (My GIGABYTE motherboard uses F12 to choose a boot device.) I chose this: UEFI: hp v245o 1100, where hp v245o 1100 is the USB name, and I suppose this is a so-called EFI boot from USB. After that, three menu selections are presented:

  1. Install CentOS 7,
  2. Test this media & install CentOS 7,
  3. and Troubleshooting –>.

At first I decided to choose option 1 to let it display all its running messages, so I typed e and here is what I got:

set params 'Install CentOS 7'
linuxefi /images/pxeboot/vmlinuz inst.stage2=hd:LABEL=CentOS\x207\x20x86_64 quiet
initrdefi /images/pxeboot/initrd.img

So I removed the quiet param and pressed Ctrl-x to start, then I got this:

sdb

I have no idea what the fb is, and the installation process just stopped there.

So I decided to try the 3rd option (the Troubleshooting –> one) with no luck; I still cannot install this CentOS 7 and I got something like:

> [7.471771] scsi 0:0:0:0: alua: not attached
> [7.474665] sd 0:0:0:0: [sda] no Caching mode page found
> [7.474682] sd 0:0:0:0: [sda] Assuming drive cache: write through
> dracut-initqueue[685]: Warning: Could not boot
> dracut-initqueue[685]: Warning: /dev/root does not exist

How can I solve this problem?

Answer:

I think you must make the bootable USB using the dd command (if your ISO is in your home directory):

First unmount (not eject) the usb: sudo umount /dev/sdb1

Then, write the image to the disk:

sudo dd bs=4M if=CentOS-7.01406-x86_64-Everything.iso of=/dev/sdb

Then it will not show /dev/root does not exist.

 

Shell script samples

#!/bin/bash
# Ping every host in 192.168.1.0/24 once and record the ones that answer
for ((i=1;i<=254;i++))
do
    ip=192.168.1.$i
    ping $ip -c 1 | grep -q 'ttl=' && echo "$ip" >> alive.txt
done

#!/bin/bash
groupadd websphere
for user in app1 app2 app3 app4
do
useradd -g websphere -s /sbin/nologin -d /dev/null $user
(echo $user;echo $user) | smbpasswd -s -a $user
done

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -10

 

#!/bin/bash
# (( )) and let are bash features, so the script needs bash rather than sh
for i in 1 3 5 7 10
do
    j=3
    while (( "$j" > "$i" ))
    do
        if [ "$i" -gt 1 ]; then
            break
        fi
        echo -n " "
        let "j--"
    done

    k=1
    while (( "$k" <= "$i" ))
    do
        echo -n "*"
        let "k++"
    done
    echo " "
done

#!/bin/bash
# Print the multiples of 7 from 1 to 100, seven per line
m=1

for ((i=1;i<=100;i++))
do
    # temp1: remainder of i divided by 7
    let "temp1=i%7"

    if [ "$temp1" -ne 0 ]; then
        continue
    fi

    # i is a multiple of 7
    echo -n "$i "

    # temp2: how many multiples have been printed on this line
    let "temp2=m%7"

    # start a new line after every 7 values
    if [ "$temp2" -eq 0 ]; then
        echo " "
    fi

    let "m++"
done

 
#!/bin/bash
echo "This is a system initialization script, careful"
# input_fun PROMPT: prompt until the user enters a non-empty value and echo it
input_fun()
{
    OUTPUT_VAR=$1
    INPUT_VAR=""
    while [ -z "$INPUT_VAR" ];do
        read -p "$OUTPUT_VAR" INPUT_VAR
    done
    echo $INPUT_VAR
}
input_again()
{
    MYHOSTNAME=$(input_fun "please input the hostname:")
    DOMAINNAME=$(input_fun "please input the domainname:")
    CARD_TYPE=$(input_fun "please input card type(eth0):")
    IPADDR=$(input_fun "please input ip address(192.168.100.1):")
    NETMASK=$(input_fun "please input netmask(255.255.255.0):")
    GATEWAY=$(input_fun "please input gateway(192.168.100.1):")
    MYDNS1=$(input_fun "please input DNS1(114.114.114.114):")
    MYDNS2=$(input_fun "please input DNS2(8.8.4.4):")
}
input_again
# MAC address of the chosen interface, taken from the ifconfig HWaddr line
MAC=$(ifconfig $CARD_TYPE | grep "HWaddr" | awk -F'[ ]+' '{print $5}')

#SET COMPUTER NAME
cat >/etc/sysconfig/network <<ENDF
NETWORK=yes
HOSTNAME=$MYHOSTNAME
ENDF

cat >/etc/sysconfig/network-scripts/ifcfg-$CARD_TYPE <<ENDF
DEVICE=$CARD_TYPE
BOOTPROTO=static
HWADDR=$MAC
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
IPV6INIT=no
IPADDR=$IPADDR
NETMASK=$NETMASK
GATEWAY=$GATEWAY
ENDF

/etc/init.d/network restart

cat >/etc/hosts <<ENDF
127.0.0.1 $MYHOSTNAME $MYHOSTNAME.$DOMAINNAME localhost
$IPADDR $MYHOSTNAME $MYHOSTNAME.$DOMAINNAME  localhost
ENDF

cat >/etc/resolv.conf <<ENDF
domain $DOMAINNAME
search $DOMAINNAME
nameserver $MYDNS1
nameserver $MYDNS2
ENDF

#Close SELINUX
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
setenforce 0

#Modify number of open files
echo "* soft nofile 66666" >> /etc/security/limits.conf
echo "* hard nofile 66666" >> /etc/security/limits.conf

#Optimize the kernel parameters
cat >> /etc/sysctl.conf << ENDF
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog =  32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.ip_local_port_range = 1024  65535
ENDF
sysctl -p

#Turn off every service enabled in runlevel 3, then re-enable the needed ones
for server in `chkconfig --list | grep 3:on | awk '{ print $1}'`
do
    chkconfig --level 3 $server off
done

for server in crond network rsyslog sshd
do
    chkconfig --level 3 $server on
done

## Add a user and grant sudo privileges
user_add()
{
    USERNAME=$(input_fun "please input new user name:")
    useradd $USERNAME
    passwd $USERNAME
}
user_add

chmod +w /etc/sudoers
echo "$USERNAME        ALL=(ALL)     ALL" >>/etc/sudoers
chmod -w /etc/sudoers
# Set the time zone synchronization
yum -y install ntpdate
/usr/sbin/ntpdate time.nist.gov

echo "*/5 * * * * root /usr/sbin/ntpdate time.nist.gov 1> /dev/null 2>&1" >> /var/spool/cron/root

# Configure SSHD: move to port 65535, disable DNS lookups and root login
sed -i '/^#Port/s/#Port 22/Port 65535/g' /etc/ssh/sshd_config
sed -i '/^#UseDNS/s/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
iptables -A INPUT -p tcp --dport 65535 -j ACCEPT
/etc/init.d/sshd restart

MySQL slow remote connection causes and solutions

A MySQL server on the network with no load: local connections are fast, but connecting over the network is especially slow. The cause turned out to be DNS resolution. For every new connection mysqld reverse-resolves the client's IP address to a hostname, so that it can match the client against the Host column of the grant tables, and with a slow or broken resolver every connect blocks until that lookup times out.

In the MySQL configuration file /etc/my.cnf, add under [mysqld]:

skip-name-resolve

Restart mysqld and test; connection speed is back to normal.

The caveat: with name resolution off, mysqld compares the client's IP against the Host column as a string, so accounts granted to a DNS name (for example 'app'@'web01.example.com') no longer match and those clients are refused. Grant to IP addresses or address patterns instead; localhost still works.
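Before adding skip-name-resolve it is worth listing the accounts that will stop matching. The script below is an added example, not part of the original post: it reads User/Host pairs (the tab-separated output of `mysql -N -B -e "SELECT User, Host FROM mysql.user"`) and flags every Host value that only works with DNS. The sample rows are constructed; the classification rule (digits, dots, % and / mean an address or address pattern, letters mean a name) is an assumption that fits MySQL's host syntax.

```shell
#!/bin/bash
# Added example: find mysql.user accounts that need DNS to match, because with
# skip-name-resolve the server only ever sees the client's IP address.
# Input: tab-separated "User<TAB>Host" lines on stdin.

# Return 0 when the Host value still works without DNS: an IPv4 address or
# pattern (10.0.1.%, 10.0.0.0/255.255.0.0), an IPv6 literal, '%' or localhost.
is_address_like() {
    case "$1" in
        localhost|%)  return 0 ;;
        *:*)          return 0 ;;   # IPv6 literal
        *[!0-9.%_/]*) return 1 ;;   # letters or '-' mean a DNS name or name pattern
        *)            return 0 ;;
    esac
}

# Read User/Host pairs, print the ones that need DNS, return 1 if there were any.
flag_named_hosts() {
    local user host rc=0 tab
    tab=$(printf '\t')
    while IFS="$tab" read -r user host; do
        [ -n "$user" ] || continue
        if ! is_address_like "$host"; then
            printf 'needs DNS: %s@%s\n' "$user" "$host"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of mysql.user rows (not real accounts)
SAMPLE_ROWS=$(printf 'root\tlocalhost\napp\t10.0.1.%%\napp\tweb01.example.com\nmon\t::1\nbackup\t%%.corp.example\n')

if ! printf '%s\n' "$SAMPLE_ROWS" | flag_named_hosts; then
    echo "re-grant the accounts above by IP address before adding skip-name-resolve"
fi
```

On a live server pipe the real query into flag_named_hosts and fix the grants it prints before restarting mysqld; otherwise the speed-up arrives together with an outage for those clients.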

SSH password authentication

There are times when you really want to get rid of SSH password authentication; however, sshd is VERY picky about permissions: with StrictModes (the default) it silently ignores authorized_keys if your home directory, ~/.ssh or the file itself is writable by group or others. I just found out that there's a tool for that on all Linux boxes: ssh-copy-id.

As promised, the simple steps:

  1. Create your keypair (assuming you don't already have one)
    $ ssh-keygen -t rsa

    Give the key a passphrase and load it into ssh-agent with ssh-add, so you type it once per session rather than on every connection. A key without a passphrase is only appropriate for unattended automation, and such a key should be restricted on the server side in authorized_keys (command=, from=, no-pty).

  2. Copy it over to the server; ssh-copy-id creates ~/.ssh, appends the key to authorized_keys and fixes the permissions
    $ ssh-copy-id -i ~/.ssh/id_rsa.pub user@example.com

    You'll be prompted for your password once, and then notified that you can now try logging into the server with the key.

  3. Enjoy! Once key login works, set PasswordAuthentication no in /etc/ssh/sshd_config on the server and restart sshd, keeping the current session open until a second key-based login succeeds.
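What ssh-copy-id does on the server side, written out by hand so the permission rules are visible. This is an added example, not code from the original post or from OpenSSH; it assumes GNU coreutils (stat -c) and takes the target home directory as an argument, and the public key in the demo is a constructed placeholder, not a real key.

```shell
#!/bin/bash
# Added example: install a public key the way sshd's StrictModes expects
# (home not group/other-writable, ~/.ssh 700, authorized_keys 600) and check
# an existing layout for the mistakes that make sshd ignore the file.

# Append a public key line to $home/.ssh/authorized_keys, creating the directory
# and file with the right modes, without adding a key that is already there.
install_authorized_key() {
    local home="$1" pubkey="$2"
    local sshdir="$home/.ssh" authkeys="$home/.ssh/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authkeys"
    chmod 600 "$authkeys"
    # -x: whole-line match, -F: literal string, so a key is added at most once
    grep -qxF "$pubkey" "$authkeys" || printf '%s\n' "$pubkey" >> "$authkeys"
}

# Return 0 if $home, $home/.ssh and authorized_keys would pass StrictModes,
# otherwise print the offending path and return 1.
check_ssh_perms() {
    local home="$1" p mode rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$p")
        # group (tens digit) or other (units digit) with the write bit set: 2,3,6,7
        case "$mode" in
            *[2367]?|*[2367]) echo "group/other-writable: $p (mode $mode)"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on a throwaway directory with a constructed (not real) public key
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY user@laptop'
install_authorized_key "$demo_home" "$demo_key"
install_authorized_key "$demo_home" "$demo_key"   # second call is a no-op
check_ssh_perms "$demo_home" && echo "layout OK, $(grep -c . "$demo_home/.ssh/authorized_keys") key(s) installed"
rm -rf "$demo_home"
```

When key login "just doesn't work" and sshd logs nothing useful, run check_ssh_perms against the real home directory first; a 775 home directory is the usual culprit.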

Tomcat 8 on CentOS 7

The instructions below assume you're logged in as root; if you are logged in as another user, remember to prepend sudo to the commands shown below.
Install the necessary packages
First of all update your server and install the necessary packages using the following commands:
yum -y update
yum -y install curl libcap-devel
yum -y groupinstall "Development tools"
Download/Install Java JDK 8
We'll download and install Java JDK 8 from the Oracle website. 8u51 was the current build when this was written; use the latest JDK 8 update instead, since old builds carry known, unpatched vulnerabilities. Download the rpm package for your architecture and install it:
curl -LO 'http://download.oracle.com/otn-pub/java/jdk/8u51-b16/jdk-8u51-linux-x64.rpm' -H 'Cookie: oraclelicense=accept-securebackup-cookie'
rpm -Uvh jdk-8u51-linux-x64.rpm
Register the new JDK with alternatives so that java, jar, javac and javaws on the PATH point at it:
alternatives --install /usr/bin/java java /usr/java/jdk1.8.0_51/jre/bin/java 1
alternatives --install /usr/bin/jar jar /usr/java/jdk1.8.0_51/bin/jar 1
alternatives --install /usr/bin/javac javac /usr/java/jdk1.8.0_51/bin/javac 1
alternatives --install /usr/bin/javaws javaws /usr/java/jdk1.8.0_51/jre/bin/javaws 1
alternatives --set java    /usr/java/jdk1.8.0_51/jre/bin/java
alternatives --set javaws /usr/java/jdk1.8.0_51/jre/bin/javaws
alternatives --set javac /usr/java/jdk1.8.0_51/bin/javac
alternatives --set jar  /usr/java/jdk1.8.0_51/bin/jar
Download/Install Tomcat 8
Download the Tomcat 8 tarball from a mirror and unpack it into /usr/tomcat, which the rest of this guide assumes. A mirror is not a trusted source: check the archive against the checksum or PGP signature published on apache.org before unpacking it.
curl -LO http://mirror.nus.edu.sg/apache/tomcat/tomcat-8/v8.0.24/bin/apache-tomcat-8.0.24.tar.gz
tar xzf apache-tomcat-8.0.24.tar.gz -C /usr
mv /usr/apache-tomcat-8.0.24 /usr/tomcat
Build Jsvc
Jsvc is a set of libraries and applications for making Java applications run on UNIX more easily, and we'll use it to start/stop the Tomcat instance. Its source ships inside the Tomcat bin directory, and the build is straightforward:
cd /usr/tomcat/bin
tar xvfz commons-daemon-native.tar.gz
cd commons-daemon-*-native-src/unix
./configure --with-java=/usr/java/latest
make
cp jsvc ../..
Create tomcat user
The following commands create a dedicated system user with no login shell to run the Tomcat instance and change the ownership of all files in /usr/tomcat to it. That is more than Tomcat needs: on a hardened host keep /usr/tomcat root-owned and give the tomcat user write access only to logs, temp, work and webapps, so that a compromised web application cannot rewrite server.xml or the binaries it is running from.
useradd -r -s /sbin/nologin tomcat
chown -R tomcat: /usr/tomcat
Create a systemd service
Create a new file named tomcat.service. Locally written units belong in /etc/systemd/system; /usr/lib/systemd/system is reserved for units installed by packages:
vi /etc/systemd/system/tomcat.service
[Unit]
Description=Apache Tomcat Web Application Container
After=network.target
[Service]
Type=forking
PIDFile=/var/run/tomcat.pid
Environment=CATALINA_PID=/var/run/tomcat.pid
Environment=JAVA_HOME=/usr/java/default
Environment=CATALINA_HOME=/usr/tomcat
Environment=CATALINA_BASE=/usr/tomcat
Environment=CATALINA_OPTS=
ExecStart=/usr/tomcat/bin/jsvc \
-Dcatalina.home=${CATALINA_HOME} \
-Dcatalina.base=${CATALINA_BASE} \
-cp ${CATALINA_HOME}/bin/commons-daemon.jar:${CATALINA_HOME}/bin/bootstrap.jar:${CATALINA_HOME}/bin/tomcat-juli.jar \
-user tomcat \
-java-home ${JAVA_HOME} \
-pidfile /var/run/tomcat.pid \
-errfile SYSLOG \
-outfile SYSLOG \
$CATALINA_OPTS \
org.apache.catalina.startup.Bootstrap
ExecStop=/usr/tomcat/bin/jsvc \
-pidfile /var/run/tomcat.pid \
-stop \
org.apache.catalina.startup.Bootstrap
[Install]
WantedBy=multi-user.target
You can change the line with CATALINA_OPTS to suit your needs. jsvc starts as root (so it can write the pid file and bind privileged ports), then switches to the account named by -user before it loads Bootstrap; after starting the service, ps -o user,pid,cmd -C jsvc should show a root controller process and a tomcat worker process, never a worker running as root. PIDFile= and -pidfile must name the same file, or systemctl stop cannot find the process.
To enable the Tomcat service to start on boot run:
systemctl daemon-reload
systemctl enable tomcat.service
Now, you can use the following commands to start, stop, restart and check the status of the Tomcat service:
systemctl start tomcat
systemctl stop tomcat
systemctl restart tomcat
systemctl status tomcat
Final steps
If you need to open port 8080 in the firewall, run:
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --reload
That's it, Tomcat installation is complete. To open Tomcat, point your browser at:
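A unit written by hand is easy to get subtly wrong, and two of the mistakes only show up later: a PIDFile= that differs from jsvc's -pidfile makes systemctl stop fail, and a missing or root -user leaves the whole servlet container running as root. The script below is an added example, not part of the original guide or of Tomcat, that checks a jsvc unit file for exactly those points; it assumes GNU grep/sed/awk as on CentOS 7, and the sample unit it writes is a trimmed copy of the one above.

```shell
#!/bin/bash
# Added example: lint a Type=forking jsvc unit for the settings that silently
# break the service or defeat its privilege drop.
#   1. PIDFile= must equal the path jsvc writes with -pidfile;
#   2. jsvc must be given -user <account>, and the account must not be root;
#   3. the unit must be Type=forking, because jsvc daemonises.
# Prints each failure and returns 1; returns 0 when the unit is clean.
check_tomcat_unit() {
    local unit="$1" rc=0
    local utype pidfile jsvc_pid jsvc_user

    utype=$(sed -n 's/^Type=//p' "$unit")
    pidfile=$(sed -n 's/^PIDFile=//p' "$unit")
    # ExecStart is split over continuation lines, so pick the option and its value
    # out of whichever line carries it
    jsvc_pid=$(grep -o -- '-pidfile [^ ]*' "$unit" | head -n1 | awk '{print $2}')
    jsvc_user=$(grep -o -- '-user [^ ]*' "$unit" | head -n1 | awk '{print $2}')

    if [ "$utype" != "forking" ]; then
        echo "FAIL: Type=${utype:-unset} (jsvc forks; expected Type=forking)"; rc=1
    fi
    if [ -z "$pidfile" ]; then
        echo "FAIL: no PIDFile= line, systemd cannot track the daemon"; rc=1
    elif [ "$pidfile" != "$jsvc_pid" ]; then
        echo "FAIL: PIDFile=$pidfile but jsvc writes ${jsvc_pid:-no pid file}"; rc=1
    fi
    case "$jsvc_user" in
        "")   echo "FAIL: no -user option; Tomcat would keep running as root"; rc=1 ;;
        root) echo "FAIL: -user root; the privilege drop is a no-op"; rc=1 ;;
    esac
    return $rc
}

# Write a constructed sample unit (trimmed from the guide above) to a temp file
# and print its path.
make_sample_unit() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
[Unit]
Description=Apache Tomcat Web Application Container
After=network.target
[Service]
Type=forking
PIDFile=/var/run/tomcat.pid
ExecStart=/usr/tomcat/bin/jsvc \
-user tomcat \
-pidfile /var/run/tomcat.pid \
org.apache.catalina.startup.Bootstrap
ExecStop=/usr/tomcat/bin/jsvc -pidfile /var/run/tomcat.pid -stop org.apache.catalina.startup.Bootstrap
[Install]
WantedBy=multi-user.target
EOF
    echo "$f"
}

sample=$(make_sample_unit)
check_tomcat_unit "$sample" && echo "unit OK: $sample"
rm -f "$sample"
```

Run check_tomcat_unit /etc/systemd/system/tomcat.service before the first systemctl start; it is cheaper than discovering the root worker in ps after the host has been serving traffic.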