
Archive for November, 2007

mount sshfs

yum install fuse-sshfs
or
apt-get install sshfs

command:
mount -t fuse sshfs#user@host:/path /mnt/test
or
sshfs user@host:/path /mnt/test

fstab entry:

# <file system>       <mount point>         <type>  <options>
sshfs#myname@www.myhome.com:/home/myname    /mnt/sshfs/homebox    fuse    comment=sshfs,noauto,users,exec,uid=1000,gid=1000,allow_other,reconnect,transform_symlinks,BatchMode=yes

the latest Windows Vista drivers

http://www.radarsync.com/vista/

Disable Balloon Tips in Windows Vista

http://www.ghacks.net/2007/03/28/disable-balloon-tips-in-windows-vista/

This article explains how to disable Balloon Tips in Windows Vista. I thought it would be a nice follow-up article to the one that described how to make the balloon tips transparent. I personally think that Balloon Tips have no right to be there at all: they look awful and most do not contain information that is important in any way. I disabled them the first day I started using Windows XP and I did the same on my Windows Vista notebook. Balloon Tips are a waste of time in my opinion. Let me explain how you can disable balloon tips in Windows Vista.

  • Press Windows+R, enter gpedit.msc and hit Enter. This opens the Group Policy Editor. Please note that the Group Policy Editor (gpedit.msc) is not available in Windows Vista Home and Vista Home Premium. I’m going to outline how to disable balloon tips on those editions at the end.
  • Go to User Configuration, Administrative Templates, Start Menu and Taskbar.
  • Select Remove Balloon Tips, right-click it and choose properties from the context menu
  • Select Enable from the options and click ok
  • Close the Group Policy Editor
  • Reboot Windows Vista

As I said earlier gpedit.msc is not available in Windows Vista Home and Home Premium which means that we have to rely on the registry to disable those annoying balloon tips in Windows Vista.

  • Press Windows+R, type regedit and hit enter. This starts the registry editor
  • Navigate to HKEY_CURRENT_USER / SOFTWARE / Microsoft / Windows / CurrentVersion / Explorer / Advanced
  • Create a new Dword and name it EnableBalloonTips
  • The value should be set to 0 automatically; if it is not, change it to 0
  • Reboot Windows Vista

Limiting the number of user processes under Linux (or how I learned to stop worrying and love the fork bomb)

 http://rg03.wordpress.com/2007/05/12/limiting-the-number-of-user-processes-under-linux-or-how-i-learned-to-stop-worrying-and-love-the-fork-bomb/

 http://gentoo-wiki.com/SECURITY_Limit_User_Processes

Some weeks ago there was a controversial discussion at Kriptopolis (a Spanish site mainly dedicated to computer security) about a supposed Denial of Service (DoS) vulnerability present in many Linux distributions and some BSDs. In the end, the vulnerability was a mere shell-based fork bomb that a local user would be able to trigger in most desktop Linux distributions, because it’s not a common practice to limit the number of user processes. This is the cryptic piece of code that may probably lock your system after some seconds:

:(){ :|:& };:

Code explanation

Its usage of special characters may make it difficult to understand for some people, and impossible to understand for those unfamiliar with Bourne shell scripts. A shell function can be defined in two ways: either function function_name { code ; } or function_name () { code ; }. The code above uses the second form to define a function named : (a colon). The body of the function runs the function twice recursively in a pipe which is sent to the background and, after the function is defined, it is called by invoking its name as a command. If we call this function spawn_two we could write it this way:

spawn_two() { spawn_two | spawn_two & }; spawn_two

Why is this called a fork bomb? In POSIX, the system call fork is used to create new processes in a system. A fork bomb is a program of some kind that starts creating processes rapidly, and all of them remain in the system (that is, they don’t finish immediately). If there is no established system limit in the number of processes a user may run, this process creation routine will eventually take all the system resources and lock the machine for a long time, usually forcing a hard reboot when it becomes unresponsive.

This special piece of code is very nasty, and its composition has been calculated precisely. In particular, you’ll notice that the function calls itself twice, using a pipe, and sends the pipe to the background. Each of these steps has a purpose. If it simply called itself, the shell process would automatically start eating all available CPU time, while the amount of memory used by the shell would start increasing, but you could kill this routine at any time pressing Ctrl+C and it wouldn’t create any new process. If you add the ampersand at the end, you’ll trigger the creation of a subshell to run the function, achieving a fork. But the parent function call would finish immediately after creating this subshell (the subshell would be sent to the background and the function would then finish). New processes would be created continuously, but processes would finish continuously too, and the process count in the system would barely increase. If you instead called the function twice, using the pipe, without sending it to the background, you’d create a fork bomb:

:(){ :|:; };:

Using & instead of a semicolon inside the function body serves the purpose of making it nasty, because the subshells are created as background processes while the control returns to the original shell. You can’t cancel the process creation routine with Ctrl+C, and if you exit the shell you used to launch the routine, the process creation will still continue. It’s almost impossible to stop it.

Fork bombs are sometimes created by mistake, especially when you are learning the use of fork during a programming course. These fork bombs have the collateral effect of triggering a Doh! exclamation that can be heard from miles away. The exact distance is proportional to the boot time and the number of users in the system. Fortunately, there are ways to limit the number of user processes in a system. These limits can protect you mainly from your own mistakes. If a remote attacker is able to trigger a fork bomb in your system, you probably have a more serious problem than simply the lack of this limit.

System calls involving resource limits

In POSIX systems, programs can use setrlimit() to set resource limits and getrlimit() to get them. There are two limits, the soft limit and the hard limit. Only privileged processes may surpass the soft limit and go up to the hard limit, so in the usual case both limits have the same value or the soft limit is the only one that matters. Use man setrlimit to get the gory details. Resource limits are preserved via fork and exec, so the key to limit the whole system is to establish them from a process that is as close to the process tree root as possible. While we are interested in setting the maximum number of processes per user, there are more types of resource limits, including the size of core dumps, the number of open files, the number of pending signals and many more.
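As an added example that is not from the original post, this C program exercises RLIMIT_NPROC with getrlimit()/setrlimit(): it installs soft == hard, shows that a soft value above the hard value is rejected with EINVAL for any process, that raising the hard limit again fails with EPERM unless the process is privileged (CAP_SYS_RESOURCE on Linux), and that a forked child inherits the value. DEMO_FALLBACK_NPROC (4096) is a constructed fallback used only when no limit is configured at all.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Observations from one run; every field is something a caller can check. */
struct nproc_demo {
    rlim_t orig_soft;          /* RLIMIT_NPROC soft limit before we touched it */
    rlim_t orig_hard;          /* RLIMIT_NPROC hard limit before we touched it */
    rlim_t cap;                /* value we installed as soft == hard */
    int soft_above_hard_errno; /* errno when soft > hard was requested (EINVAL) */
    int raise_hard_errno;      /* errno when raising the hard limit: EPERM unprivileged, 0 if permitted */
    int child_inherited;       /* 1 if a forked child read back cap as its soft limit */
    int fork_errno;            /* errno if fork() itself failed (EAGAIN: user already at the limit) */
};

/* Constructed fallback, used only when no NPROC limit is configured at all. */
#define DEMO_FALLBACK_NPROC 4096

/* Runs the demonstration in the calling process. Returns 0 on success, -1 if
 * a call behaved unexpectedly (errno is left set for inspection). The hard
 * limit of the calling process is lowered and, without privilege, cannot be
 * raised again, so run this from a throwaway shell. */
int nproc_demo_run(struct nproc_demo *d)
{
    struct rlimit rl;
    memset(d, 0, sizeof *d);
    if (getrlimit(RLIMIT_NPROC, &rl) != 0) return -1;
    d->orig_soft = rl.rlim_cur;
    d->orig_hard = rl.rlim_max;

    /* Keep the soft value the user already has (so our own fork() still
     * works) and make soft == hard, the "usual case" described in the text. */
    d->cap = (rl.rlim_cur == RLIM_INFINITY) ? DEMO_FALLBACK_NPROC : rl.rlim_cur;
    struct rlimit same = { .rlim_cur = d->cap, .rlim_max = d->cap };
    if (setrlimit(RLIMIT_NPROC, &same) != 0) return -1; /* lowering is always allowed */

    /* 1. A soft limit above the hard limit is refused for everyone. */
    struct rlimit bad = { .rlim_cur = d->cap + 1, .rlim_max = d->cap };
    if (setrlimit(RLIMIT_NPROC, &bad) == 0) return -1; /* must not succeed */
    d->soft_above_hard_errno = errno;

    /* 2. Raising the hard limit needs privilege (CAP_SYS_RESOURCE on Linux). */
    struct rlimit raise = { .rlim_cur = d->cap, .rlim_max = d->cap + 1 };
    d->raise_hard_errno = (setrlimit(RLIMIT_NPROC, &raise) == 0) ? 0 : errno;

    /* 3. Limits survive fork(): the child reads its own soft limit and
     *    reports through its exit status whether it matches ours. */
    pid_t pid = fork();
    if (pid < 0) { d->fork_errno = errno; return 0; }
    if (pid == 0) {
        struct rlimit c;
        int ok = getrlimit(RLIMIT_NPROC, &c) == 0 && c.rlim_cur == d->cap;
        _exit(ok ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) == pid && WIFEXITED(status) && WEXITSTATUS(status) == 0)
        d->child_inherited = 1;
    return 0;
}

int main(void)
{
    struct nproc_demo d;
    if (nproc_demo_run(&d) != 0) {
        perror("nproc_demo_run");
        return 1;
    }
    printf("original NPROC limit: soft=%lu hard=%lu\n",
           (unsigned long)d.orig_soft, (unsigned long)d.orig_hard);
    printf("installed soft == hard == %lu\n", (unsigned long)d.cap);
    printf("soft > hard rejected with: %s\n", strerror(d.soft_above_hard_errno));
    printf("raising the hard limit: %s\n",
           d.raise_hard_errno ? strerror(d.raise_hard_errno) : "allowed (privileged)");
    if (d.fork_errno)
        printf("fork() failed: %s (the limit is doing its job)\n", strerror(d.fork_errno));
    else
        printf("child inherited the limit: %s\n", d.child_inherited ? "yes" : "no");
    return 0;
}
```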

System commands and facilities to set limits

There are at least three common ways of establishing resource limits, depending on your system and how strict you want to get regarding who will have limits and what will those limits be. The Gentoo wiki has an entry on limiting the number of user processes which mentions two of those ways.

The configuration file /etc/security/limits.conf is read by PAM. Its syntax is very flexible and allows setting general limits as well as specific limits for users and groups. Any application and login system using PAM will benefit from this central configuration point. Unfortunately (in this case), Slackware does not ship PAM and I can’t report on how effective this configuration point is, and if its settings are used when logging in from virtual terminals as well as graphical login managers. It probably works on both and it’s the mechanism you should try to use if your system features PAM.

The shadow package (the one that provides login, su, chsh, passwd, useradd, etc) uses the file /etc/limits. Its syntax differs from the previous configuration file and it’s not as flexible or powerful, but it should be more than enough for basic usage. This file is used, in my system, by login when you log in using a virtual terminal, because login is invoked by agetty, but it doesn’t seem to be used by my graphical login manager, which is KDM. For this reason, my X11 session wouldn’t be limited if I relied on /etc/limits.

The third and most flexible way of setting resource limits is via the shell built-in ulimit command, if it exists. Bash, for example, has this command. It’s a built-in command and not an external program for obvious reasons. Just like the cd command is a shell built-in because it needs to run the chdir system call inside the shell process (running it from a child process wouldn’t make sense), ulimit will always be a built-in command if it exists, so it sets the limits for the current shell and all its subprocesses. Most shells read /etc/profile when they are started normally, so you can call ulimit from it or from any file “sourced” by it. Under Bash, use help ulimit to get a brief description of the command. Being able to call ulimit from the shell is also flexible, while inconvenient, in the sense that you can trigger the call depending on many conditions. You can selectively run ulimit depending on the username or group. It’s as flexible as a shell script is.

Example: In my Slackware system I considered this was the best way to set a limit in the number of processes, so I created a file called /etc/profile.d/_ulimit.sh and run ulimit -u 256 from it. It works in both virtual terminals and X11 sessions, setting a limit of 256 processes per user.

Note that when you manage a multiuser system you need to make sure that your limits are enforced whatever the login mechanism and shell are. You may also want to restrict the shell your users may establish via chsh by restricting the contents of /etc/shells to shells in which you know your mechanism works. In multiuser systems you should take this seriously because a fork bomb (by mistake or not) can potentially harm many users. In the same way multiuser systems usually enforce disk quotas, other resource limits should also be in place.

Appropriate values

There is no universal value that will fit every situation. Some people probably won’t want to establish a limit. Many Linux and BSD distributions don’t have any limit set because they’re oriented to desktop usage (a handful of users, one at a time) and may not want to establish a limit in the number of processes they may run, in the same way that they don’t set any disk quotas by default. But, if you want to protect the system from your own mistakes, you should try to use a number high enough for your typical needs but not very high. In the Kriptopolis discussion people mentioned their systems crashing with the limit set to 1024 or 512 processes, but I don’t trust those comments, unless they’re testing on a very old machine. Mine had absolutely no problem with 1024 or 512 processes, but I set the limit, as you saw, to 256. Under normal usage, check the number of processes you have running on your machine. Right now I checked and I have 32 processes. Hence, 256 is a pretty conservative while safe number. The syntax of ps is awfully platform specific, but ps --no-headers -U $(whoami) | wc -l gives me that number in my system.

Threads

At least in Linux 2.6 systems with NPTL, the limit does not really apply to the number of processes, but to the number of threads. See the code for my pthread_bomb.c:

#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Each thread creates one more thread and then blocks waiting for it, so the
 * number of live threads keeps growing until pthread_create() fails, which is
 * where the per-user limit (if any) shows up. */
void *create_and_join(void *unused)
{
    (void)unused;
    pthread_t self = pthread_self();
    pthread_t subthread;
    if (pthread_create(&subthread, NULL, create_and_join, NULL) != 0) {
        printf("Thread %lu: thread creation failed\n", (unsigned long)self);
        return NULL;
    }
    printf("Thread %lu: created thread %lu\n",
           (unsigned long)self, (unsigned long)subthread);
    pthread_join(subthread, NULL);
    return NULL;
}

int main(void)
{
    create_and_join(NULL);
    return 0;
}

It can be compiled with something like gcc -pthread -Wall -O2 -o pthread_bomb pthread_bomb.c but remember that, due to the multithreaded nature of the program, the message about the thread creation failure may not appear in the last line.

Observation

You may have noticed how some shells, especially bash, implement a number of typical commands as shell built-ins, despite the fact that they exist as independent programs in your system. This goes against the old Unix philosophy “one program for one task”. Sometimes the shell built-ins help it be more efficient, but sometimes they’re created for security reasons. If you’re enforcing a limit in the number of processes but reach that limit by accident, the shell built-in command kill can help you send signals. If the shell relied on the external kill command, it would need to create a new process to run it, and that may not be possible.

Fully Disabling SELinux

http://www.crypt.gen.nz/selinux/disable_selinux.html

How to Disable SELinux

You’ve set up a new system, or installed something new on your Linux system, and it’s not working. You get the feeling that SELinux is the cause of the problem. This page was written to help.

Contents

Overview
Should you really disable SELinux?
Temporarily switch off enforcement
Permanently Permissive
Fully Disabling SELinux
Re-Enabling SELinux

Overview

SELinux has two major components on your system. There’s the kernel mechanism which is enforcing a bunch of access rules which apply to processes and files. And secondly, there’s file labels : every file on your system has extra labels attached to it which tie-in with those access rules. Run ls -Z and you’ll see what I mean.

Should you really disable SELinux?

Be aware that by disabling SELinux you will be removing a security mechanism on your system. Think about this carefully, and if your system is on the Internet and accessed by the public, then think about it some more. Joshua Brindle (an SELinux developer) has comments on disabling SELinux here, which states clearly that applications should be fixed to work with SELinux, rather than disabling the OS security mechanism.

You need to decide if you want to disable SELinux temporarily to test the problem, or permanently switch it off. It may also be a better option to make changes to the policy to permit the operations that are being blocked, but this requires knowledge of writing policies and may be a steep learning curve for some people. For the operating system as a whole, there are two kinds of disabling:

  • Permissive - switch the SELinux kernel into a mode where every operation is allowed. Operations that would be denied are allowed and a message is logged identifying that it would be denied. The mechanism that defines labels for files which are being created/changed is still active.
  • Disabled - SELinux is completely switched off in the kernel. This allows all operations to be permitted, and also disables the process which decides what to label files & processes with.

Disabling SELinux could lead to problems if you want to re-enable it again later. When the system runs with file labelling disabled it will create files with no label, which could cause problems if the system is booted into Enforcement mode. A full re-labelling of the file system will be necessary.

Temporarily switch off enforcement

You can switch the system into permissive mode with the following command:

echo 0 >/selinux/enforce

You’ll need to be logged in as root, and in the sysadm_r role:

newrole -r sysadm_r

To switch back into enforcing mode:

echo 1 >/selinux/enforce

In Fedora Core and RedHat Enterprise Linux you can use the setenforce command with a 0 or 1 option to set permissive or enforcing mode; it’s just a slightly easier command than the above. To check what mode the system is in,

cat /selinux/enforce

which will print a “0” or “1” for permissive or enforcing, probably printed at the beginning of the line of the command prompt.

Permanently Permissive

The above will switch off enforcement temporarily, until you reboot the system. If you want the system to always start in permissive mode, then here is how you do it. In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and you will see some lines like this:


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

… just change SELINUX=enforcing to SELINUX=permissive, and you’re done. Reboot if you want to prove it. For the other Linuxes which don’t have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf if you’re using the GRUB boot loader. On the kernel line, add enforcing=0 at the end. For example,


title SE-Linux Test System
	root (hd0,0)
	kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb enforcing=0
	#initrd /boot/initrd-2.4.20-selinux-2003040709.img

Fully Disabling SELinux

Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labelling. In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and change the SELINUX line to SELINUX=disabled:


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

… and then reboot the system. For the other Linuxes which don’t have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf, if you’re using the GRUB boot loader. On the kernel line, add selinux=0 at the end. For example,


title SE-Linux Test System
        root (hd0,0)
        kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb selinux=0
        #initrd /boot/initrd-2.4.20-selinux-2003040709.img

You will have to reboot to disable SELinux, you just can’t do it while the system is running.

Re-Enabling SELinux

If you’ve disabled SELinux as in the section above, and you want to enable it again, then you’ve got a bit of work to do. The problem will be that files created or changed when SELinux was disabled won’t have the correct file labels on them; if you just reboot in enforcing mode then a lot of stuff won’t work properly. What you need to do is to enable SELinux by editing /etc/selinux/config (for Fedora/RedHat) or by adding selinux=1 to the kernel boot line, then boot into permissive mode, then relabel everything, and then reboot into (or simply switch to) enforcing mode.

After booting into permissive mode, run fixfiles relabel

Alternatively, in Fedora and RedHat Enterprise Linux you can touch /.autorelabel and reboot or put autorelabel on the boot command line ( in both cases the system gets a full relabel early in the boot process ). Note that this can take quite some time for systems with a large number of files.

After relabelling the filesystem, you can switch to enforcing mode (see above) and your system should be fully enforcing again.

dd: Creating a hard drive backup directly to another hard drive

http://wiki.linuxquestions.org/wiki/Dd

The dd command copies data from one place to another. Sometimes cat can do the same thing (with redirection), but dd has options to translate data, selectively copy only part of a data stream, and buffer its reads and writes.

dd can copy a CD to an ISO file, copy one partition to another, or restore an image file to a disk. Using the seek and count options, an individual sector of a disk can be extracted without having to wait for the entire rest of the disk to be read.

dd may also be used to extract data from or insert data into arbitrary positions in a file. This can be useful as a way of working with binary files from the command line.


Examples

The main options to be concerned about are if= (input file) and of= (output file). By default, dd reads from stdin and writes to stdout. Here are some examples of how dd may be used:

Creating a hard drive backup directly to another hard drive

# dd if=/dev/hda of=/dev/sda conv=noerror,sync bs=4k

This command is used often to create a backup of a drive (/dev/hda) directly to another hard drive (/dev/sda). (The device name /dev/hda is typical of an IDE hard drive, the device /dev/sda is typical of a USB disk.) This works only if the hard drive has enough storage to accommodate the source drive’s filesystem. The advantage of this is that you do not have to mount the hard drive to make a backup and the only reference to hda is in /dev and in the command which is usually in a script in cron.

The option “bs=4k” is used to specify the block size used in the copy. The default for the dd command is 512 bytes: use of this small block size can result in significantly slower copying. However, the tradeoff with larger block sizes is that when an error is encountered, the remainder of the block is filled with zero-bytes. So if you increase your block size when copying a failing device, you’ll lose more data but also spend less time trying to read broken sectors. Tools like dd_rescue and dd_rhelp can provide a more flexible solution in such cases, combining the speed of a large block size for the regions without errors with finer-grained block-copies for regions with errors.

Creating a hard drive backup image

# dd if=/dev/hda | gzip > /mnt/hdb1/system_drive_backup.img.gz

Here dd is making an image of the first hard drive, and piping it through the gzip compression program. The compressed image is then placed in a file on a separate drive. To reverse the process:

# gzip -dc /mnt/hdb1/system_drive_backup.img.gz | dd of=/dev/hda

Here, gzip is decompressing (the -d switch) the file, sending the results to stdout (the -c switch), which are piped to dd, and then written to /dev/hda.

Copy floppy

# dd if=/dev/fd0 of=/tmp/floppy.img bs=10240

That will copy the contents of the floppy to a file. Then, to put the image onto a new floppy, swap “if” and “of” params.

# dd if=/tmp/floppy.img of=/dev/fd0 bs=10240

Backing up your Master Boot Record (MBR)

You should do this before you edit your partition table so that you can put it back if you mess things up.

# dd if=/dev/hda of=/root/hda.boot.mbr bs=512 count=1

If things mess up, you can boot with Knoppix, mount the partition containing /root (hda1 in this example) and put back the MBR with the command:

# dd if=/mnt/hda1/root/hda.boot.mbr of=/dev/hda bs=512 count=1

Obviously, if you have a GPT system (like the intel mac for instance) this will need some adjustment.

see: http://forum.onmac.net/showthread.php?t=136

You can backup only the MBR and exclude the partition table with the command:

 # dd if=/dev/hda of=/root/hda.mbr.noparttab bs=446 count=1

Getting around file size limitations using split

When making images, it’s quite easy to run up against various file size limitations. One way to work around a given file size limitation is to use the split command.

# dd if=/dev/hda1 | gzip -c | split -b 2000m - /mnt/hdc1/backup.img.gz.
  1. This example is using dd to take an image of the first partition on the first harddrive.
  2. The results are passed through to gzip for compression
    • The -c option switch is used to output the result to stdout.
  3. The compressed image is then piped to the split tool
    • The -b 2000m switch tells split how big to make the individual files. You can use the k and m suffixes to specify kilobytes and megabytes (this option uses bytes by default).
    • The - option tells split to read from stdin. Otherwise, split would interpret the /mnt/hdc1… as the file to be split.
    • The /mnt/hdc1… is the prefix for the created files. Split will create files named backup.img.gz.aa, backup.img.gz.ab, etc.

To restore the multi-file backup, do the following:

# cat /mnt/hdc1/backup.img.gz.* | gzip -dc | dd of=/dev/hda1
  1. Cat recombines contents of the compressed and split image files to stdout, in order.
  2. Results are piped through gzip for decompression.
  3. And are then written to the first partition of the hard drive with dd.

Creating empty disk images

To create an empty disk image, to be used as the disk for an emulator for example, one can get data from /dev/zero. To create a 10mb image:

$ dd if=/dev/zero of=myimage bs=1024 count=10240

A clever alternative is:

$ dd of=myimage bs=1024 count=0 seek=10240

Here we don’t write anything, not even zeroes, we just seek 10mb into the file and close it. The result is a sparse file that is implicitly full of 10mb of zeroes, but that takes no disk space. ls -l will report 10mb, while du and df will report 0. When the file is written to, either as an emulator disk or a loopback device, Linux will allocate disk space for the data. ls will still show 10mb, while du will gradually approach 10mb.

For swap images, where it’s more important to reserve the data than to save disk space, a non-sparse file is better.

Jargon File Entry

This is what the Jargon File has to say about dd:

[Unix: from IBM JCL] Equivalent to cat or BLT. Originally the name of a Unix copy command with special options suitable for block-oriented devices; it was often used in heavy-handed system maintenance, as in “Let’s dd the root partition onto a tape, then use the boot PROM to load it back on to a new disk”. The Unix dd(1) was designed with a weird, distinctly non-Unixy keyword option syntax reminiscent of IBM System/360 JCL (which had an elaborate DD “Dataset Definition” specification for I/O devices); though the command filled a need, the interface design was clearly a prank. The jargon usage is now very rare outside Unix sites and now nearly obsolete even there, as dd(1) has been deprecated for a long time (though it has no exact replacement). The term has been displaced by BLT or simple English “copy”.

Although deprecated, dd is still widely in use on many systems.

External links

This is the most comprehensive documentation and example sheet for one of the most useful, and least understood linux commands, called “dd”. This command has been part of UNIX since the 1970’s. It is a bitstream duplicator for copying data, but can use input or output pipes to another command.

This article is based, in whole or in part, on entry or entries in the Jargon File.

Sun Grid Engine

http://www.sun.com/software/gridware/get.xml

Sun Grid Engine 6.1 is licensed based on the number of total processors and master agents in a grid. Enterprise-wide licenses are available. All software licenses for Sun Grid Engine 6 are valid for Sun Grid Engine 6.1. No additional licensing fees apply.

Enterprise Wide licenses are available and convenient. They allow corporations - at any location worldwide - to use Sun Grid Engine 6 for up to 120,000 CPUs and unlimited masters.

ssh-keygen: password-less SSH login

http://rcsg-gsir.imsb-dsgi.nrc-cnrc.gc.ca/documents/internet/node31.html

ssh-keygen: password-less SSH login

SSH is often used to log in from one system to another without requiring passwords. A number of methods may be used for that to work properly, one of which is to set up a .rhosts file (permission 600) with its content being the name of the remote system you trust, followed by the username you trust:

nickel.sao.nrc.ca cantin

would mean you trust user cantin from nickel.sao.nrc.ca to connect to your account, without requiring a password. But for that to work, SSH itself must be configured to trust .rhosts files (which it does not for most OpenSSH installations - but we do on most systems RCSG maintains), and the private/public key pair of each system must be properly set in the system-wide ssh_known_hosts public key file.

This, of course, requires help from the local systems administrator.

The second method does not require any help from the systems administrator. And it does not require modifications to the .rhosts file. Instead, it requires you to generate your own personal private/public key pair.

ssh-keygen is used to generate that key pair for you. Here is a session where your own personal private/public key pair is created:

cantin@sodium:~> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/cantin/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cantin/.ssh/id_rsa.
Your public key has been saved in /home/cantin/.ssh/id_rsa.pub.
The key fingerprint is:
f6:61:a8:27:35:cf:4c:6d:13:22:70:cf:4c:c8:a0:23 cantin@sodium

The command ssh-keygen -t rsa initiated the creation of the key pair.

No passphrase was entered (Enter key was pressed instead).

The private key was saved in .ssh/id_rsa. This file is read-only and only for you. No one else must see the content of that file, as it is used to decrypt all correspondence encrypted with the public key.

The public key is saved in .ssh/id_rsa.pub.

In this case, the content of file id_rsa.pub is

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEArkwv9X8eTVK4F7pMlSt45pWoiakFkZMw
G9BjydOJPGH0RFNAy1QqIWBGWv7vS5K2tr+EEO+F8WL2Y/jK4ZkUoQgoi+n7DWQVOHsR
ijcS3LvtO+50Np4yjXYWJKh29JL6GHcp8o7+YKEyVUMB2CSDOP99eF9g5Q0d+1U2WVdB
WQM= cantin@sodium

It is one line in length.

Its content is then copied in file .ssh/authorized_keys of the system you wish to SSH to without being prompted for a password.

The example shown here generated keys on sodium by user cantin. If the public key generated, file .ssh/id_rsa.pub, was copied to your account, file .ssh/authorized_keys on nickel.sao.nrc.ca, then user cantin@sodium is allowed to SSH into your own account on nickel.sao.nrc.ca without the use of a password.

To summarize, a personal private/public key pair is generated using the ssh-keygen command. The public key is then copied into the remote system’s .ssh/authorized_keys file. And you can now SSH to the remote system’s account without the use of a password.

router IPTABLES

http://www.gentoo.org/doc/en/home-router-howto.xml

Code Listing 5.2: Setting up iptables

First we flush our current rules
# iptables -F
# iptables -t nat -F

Setup default policies to handle unmatched traffic
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD DROP

Copy and paste these examples …
# export LAN=eth0
# export WAN=eth1

Then we lock our services so they only work from the LAN
# iptables -I INPUT 1 -i ${LAN} -j ACCEPT
# iptables -I INPUT 1 -i lo -j ACCEPT
# iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
# iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT

(Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

Drop TCP / UDP packets to privileged ports
# iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP

Finally we add the rules for NAT
# iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
# iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
Tell the kernel that ip forwarding is OK
# echo 1 > /proc/sys/net/ipv4/ip_forward
# for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

This is so when we boot we don’t have to run the rules by hand
# /etc/init.d/iptables save
# rc-update add iptables default
# nano /etc/sysctl.conf
Add/Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

If you have a dynamic internet address you probably want to enable this:
net.ipv4.ip_dynaddr = 1

linux router

http://www.cyberciti.biz/tips/linux-as-router-for-dsl-t1-line-etc.html

vi /etc/sysctl.conf
net.ipv4.ip_forward = 1