Monday, September 28, 2009

Domain name resolutions using 'host' command in Linux

host - DNS lookup utility

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa.

1. In this example we are asking host to give us the IP of www.askarali.org

host www.askarali.org
www.askarali.org has address 202.125.140.141

2. For more detailed output use -v or -d switch

host -v askarali.org
Trying "askarali.org"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58441
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;askarali.org. IN A

;; ANSWER SECTION:
askarali.org. 600 IN A 202.125.140.141

;; AUTHORITY SECTION:
askarali.org. 600 IN NS dns00.beaconet.net.
askarali.org. 600 IN NS dns01.beaconet.net.

;; ADDITIONAL SECTION:
dns00.beaconet.net. 85792 IN A 202.125.140.139
dns01.beaconet.net. 85792 IN A 202.125.140.138

Received 130 bytes from 203.99.163.189#53 in 174 ms
Trying "askarali.org"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5014
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;askarali.org. IN AAAA

;; AUTHORITY SECTION:
askarali.org. 600 IN SOA dns00.beaconet.net. postmaster.askarali.org. 200803202 28800 7200 2419200 86400

Received 95 bytes from 203.99.163.189#53 in 19 ms
Trying "askarali.org"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9732
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;askarali.org. IN MX

;; ANSWER SECTION:
askarali.org. 600 IN MX 10 smtp.askarali.org.

;; AUTHORITY SECTION:
askarali.org. 600 IN NS dns00.beaconet.net.
askarali.org. 600 IN NS dns01.beaconet.net.

;; ADDITIONAL SECTION:
smtp.askarali.org. 600 IN A 203.148.64.29
dns00.beaconet.net. 85792 IN A 202.125.140.139
dns01.beaconet.net. 85792 IN A 202.125.140.138

Received 151 bytes from 203.99.163.189#53 in 12 ms

3. To query a particular type of DNS record, for example NS, MX, SOA or CNAME, use the -t option. The following example looks up the name server (NS), mail exchanger (MX) and Start of Authority (SOA) records for askarali.org

host -t NS askarali.org
askarali.org name server dns00.beaconet.net.
askarali.org name server dns01.beaconet.net.

host -t MX askarali.org
askarali.org mail is handled by 10 smtp.askarali.org.

host -t SOA askarali.org
askarali.org has SOA record dns00.beaconet.net. postmaster.askarali.org. 200803202 28800 7200 2419200 86400

For more information on host, RTFM (man host)

Sunday, September 27, 2009

Installing NRPE in Solaris 10

1. Install NRPE and its dependencies from the Blastwave repository. If you are new to Blastwave, follow the howto on using the repository to install third-party and GNU tools in Solaris.

/opt/csw/bin/pkgutil -i nrpe

2. Download manifest files
wget -P /tmp/ http://www.terdmonk.com/files/solaris/nagios/nrpe_smf.zip

# cd /tmp
# unzip nrpe_smf.zip
# mv nrpe/manifest/nagios-nrpe.xml /var/svc/manifest/network
# mv nrpe/method/nagios-nrpe /lib/svc/method/nagios-nrpe
# svccfg import /var/svc/manifest/network/nagios-nrpe.xml

3. Create nrpe.cfg file
mv /opt/csw/etc/nrpe.cfg-sample /opt/csw/etc/nrpe.cfg

4. Fixing permissions
chown nagios:nagios /opt/csw/etc/nrpe.cfg
chmod ug+x /lib/svc/method/nagios-nrpe

5. Starting NRPE daemon
# svcadm disable nrpe
# svcadm enable nrpe

That's all. Confirm that nrpe is running and listening on port 5666

# svcs | grep nrpe
online May_29 svc:/network/nagios/nrpe:default

# netstat -a | grep 5666
*.5666 *.* 0 0 49152 0 LISTEN

Booting Linux Over HTTP

Wow, one can now boot Linux over HTTP with BKO. It sounds like a very interesting project and I'll give it a try soon.
All one needs is a machine and a small 56K bootable program (gPXE), which takes care of network connectivity. After downloading gPXE, burn it to a CD or copy it to a USB stick.

Linux distributions supported or available to boot over HTTP:
1. Debian : Debian live
2. Ubuntu : 9.04
3. Damn Small Linux : Lightweight Linux distribution with GUI.
4. Knoppix : Knoppix 5.0.1 English.
5. Fedora 11 Live CD : Currently only single user mode is working. (Working on complete live CD)

Squid configurations examples

Here is a collection of Squid configurations that I contributed to wiki-squid, intended to demonstrate the flexibility of Squid.

SquidAndOpenLDAP
In this example a squid installation will use LDAP to authenticate users before allowing them to surf the web. For security reasons users need to enter their username and password before they are allowed to surf the internet.

SquidAndMysql
In this example a squid installation will use MySQL to authenticate users before allowing them to surf the web. For security reasons users need to enter their username and password before they are allowed to surf the internet.

SquidAndRADIUS
In this example a squid installation will use the "squid_radius_auth" Squid RADIUS authentication helper to authenticate users before allowing them to surf the web. For security reasons users need to enter their username and password before they are allowed to surf the internet.

Installing Postfix in Solaris 10

Solaris 10, like all other Unix/Linux systems, comes with sendmail by default. However, managing sendmail is difficult, and that's where Postfix comes into the picture.
Postfix is easier to install and configure in Solaris 10; this is how I did it a while back.
I hope this will also help other folks looking to install Postfix in Solaris 10.

Wednesday, September 16, 2009

Securing the BIND using "Views"

The BIND server is not without certain vulnerabilities: a bad guy can turn a misconfigured BIND into a launching platform for DDoS attacks. Vandals can also take advantage of an insecure BIND configuration and poison the cache, thus permitting host impersonation and redirecting legitimate traffic to black holes or malicious hosts.

Here you will learn how to secure BIND using views. The sample config is for a cache-only named server and can easily be modified and used for your primary DNS server, which could be authoritative for your company domain.

named.conf

acl "trusted" {
// Place our internal and DMZ subnets in here so that
// intranet and DMZ clients may send DNS queries. This
// also prevents outside hosts from using our name server
// as a resolver for other domains.
192.168.1.0/24; // Replace it with your network
localhost;
};

logging {
category lame-servers {null; };
};

options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
// Prevent DoS attacks by generating bogus zone transfer
// requests. This will result in slower updates to the
// slave servers (e.g. they will await the poll interval
// before checking for updates).
notify no;

// Generate more efficient zone transfers. This will place
// multiple DNS records in a DNS message, instead of one per
// DNS message.
transfer-format many-answers;

// Set the maximum zone transfer time to something more
// reasonable. In this case, we state that any zone transfer
// that takes longer than 60 minutes is unlikely to ever
// complete. WARNING: If you have very large zone files,
// adjust this to fit your requirements.
max-transfer-time-in 60;

// We have no dynamic interfaces, so BIND shouldn't need to
// poll for interface state {UP|DOWN}.
interface-interval 0;
};

//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

view "trusted" IN {
// Our internal (trusted) view. We permit the internal networks
// to freely access this view. We perform recursion for our
// internal hosts, and retrieve data from the cache for them.
match-clients { trusted; };
recursion yes;
additional-from-auth yes;
additional-from-cache yes;
// Link in our zones
zone "." IN {
type hint;
file "named.ca";
};

zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.ip6.local";
allow-update { none; };
};

zone "255.in-addr.arpa" IN {
type master;
file "named.broadcast";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.zero";
allow-update { none; };
};
};
view "badguys" IN {
// Our external (untrusted) view. We permit any client to access
// portions of this view. We do not perform recursion or cache
// access for hosts using this view.
match-clients {"any"; }; // all others hosts
recursion no;
additional-from-auth no;
additional-from-cache no;

// Link in our zones
zone "." IN {
type hint;
file "named.ca";
};

zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.ip6.local";
allow-update { none; };
};

zone "255.in-addr.arpa" IN {
type master;
file "named.broadcast";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.zero";
allow-update { none; };
};
};
// Create a view for all clients perusing the CHAOS class.
// We allow internal hosts to query our version number.
// This is a good idea from a support point of view.
view "external-chaos" chaos {
match-clients { any; };
recursion no;

zone "." {
type hint;
file "/dev/null";
};

zone "bind" {
type master;
file "db.bind";
};

allow-query {
trusted;
};
allow-transfer {
none;
};
};

include "/etc/rndc.key";

The db.bind zone file

The db.bind zone file is used to track miscreants who attempt to query the CHAOS TXT records version.bind and authors.bind. You can also use this zone file to change the strings returned by such queries. Using the "version" directive in the options stanza will block the version.bind query, but it will not log such attempts.

; @(#)db.bind v1.2 25 JAN 2001 Rob Thomas noc@cymru.com
;
$TTL 1D
$ORIGIN bind.
@ 1D CHAOS SOA localhost. root.localhost. (
2001013101 ; serial
3H ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum
CHAOS NS localhost.

version.bind. CHAOS TXT "BIND 9.1.3+robhacks"
authors.bind. CHAOS TXT "are better coders than I. :)"
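
To confirm that clients landing in the "badguys" view are really refused recursion, look at the reply header, which has the same layout as the host -v output earlier on this page: a server that will recurse for the client sets the ra flag. The script below is an added example, not part of the original post; the function name check_reply, the sample replies and the host names in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from a reply header whether a name server offers
# recursion to the client that sent the query.

# check_reply: reads dig / host -v style output on stdin and prints
#   "open <status>"   - the ra flag is set, the server recurses for this client
#   "closed <status>" - no ra flag, recursion is not offered
#   "unknown"         - no reply header found (timeout, wrong input)
# Only the first reply in the input is examined.
check_reply() {
    awk '
        /^;; ->>HEADER<<-/ {
            # pick the word that follows "status:" and drop its comma
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            seen = 1
            flags = $0
            sub(/^;; flags:/, "", flags)   # cut the label
            sub(/;.*/, "", flags)          # cut the counters after the flags
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++)
                if (f[i] == "ra") ra = 1
            exit                           # jump to END after the first header
        }
        END {
            if (!seen)   print "unknown"
            else if (ra) print "open " status
            else         print "closed " status
        }'
}

# Constructed sample replies (not captured from a real server):
# what a client in the "trusted" ACL should see ...
TRUSTED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2'
# ... and what any other client should see.
UNTRUSTED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1002
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available'

printf 'trusted client:   %s\n' "$(printf '%s\n' "$TRUSTED_REPLY" | check_reply)"
printf 'untrusted client: %s\n' "$(printf '%s\n' "$UNTRUSTED_REPLY" | check_reply)"

# Live use (needs dig and network access), run once from an address inside
# the "trusted" ACL and once from outside it:
#   dig @ns.example.net www.example.org A +noall +comments | check_reply
```

A verdict of "open" from an address outside the "trusted" ACL means the client was matched by the wrong view, or recursion is enabled where it should not be.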

Tuesday, September 15, 2009

Converting VMware image to VirtualBox

VirtualBox can run VMs created by VMware Workstation or Server. For this you need to import the vmdk files using the following procedure:

* Start Virtual Box

* Go to File > Virtual Disk Manager

* Click Add. Locate and select the copied .vmdk file. Click OK.

* Create a New VM as usual using the added vmdk file

* Boot the VM

Monday, September 14, 2009

OpenSolaris vs. Linux, For Linux Users

With Sun busy being swallowed up by Oracle, should Linux geeks pay any interest to OpenSolaris? TuxRadar put together a guide to OpenSolaris's most interesting features from a Linux user's perspective, covering how to get started with ZFS and virtualisation alongside more consumer-friendly topics such as hardware and Flash support.

Linux Tip/Tricks continue...

Command to list installed packages in sorted order, so that duplicates are easy to spot

rpm -qa --qf "%{name} %{epoch}:%{version} - %{arch}\n" | sort


Creating thumbnails on the fly using ImageMagick

for img in *.jpg; do convert -resize 200 "$img" thumb_"$img";done


Renaming all files in the current directory to filename.orig (the quotes around $file keep filenames that contain spaces intact)

for file in *; do mv "$file" "$file.orig"; done


Chop value to two decimal places using 'bc'

printf "%.2f\n" $(echo $'scale=2\n'"1.006"'+.005' | bc)


Finds all files over 20,000KB (roughly 20MB) in size and presents their names and sizes in a human-readable format

find / -type f -size +20000k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'


OR

find / -type f -size +20M -exec ls -lh {} \;

Find some text in a lot of files and then delete those files (the -Z option makes grep separate the names with NUL, so unusual filenames are handled safely)

grep -rlsZ "PATTERN" . | xargs -0 rm

Saturday, September 12, 2009

Linux Tip/Tricks continue...

To print unique IPs from squid access.log and sort them
awk '{print $3}' /var/log/squid/access.log.0 | sort -ut . -n -k 1,1 -k 2,2 -k 3,3 -k 4,4 | nl


This one doesn't sort but gives uniq ips with line number.
awk '{print $3}' /var/log/squid/access.log.0 | sort -u | nl


To put some text on every blank line
sed 's/^$/some text/' urls > newfile


To kill a process by name, xterm here (the [x] keeps grep from matching its own command line)
ps -ef | grep '[x]term' | awk '{print $2}' | xargs kill -9



Check if the machine is live, useful for use in scripts.
if ping -c 1 mydomain.com >/dev/null 2>&1; then echo "live";else echo "dead";fi

Friday, September 11, 2009

Linux Tip and Tricks continue...

Continuing with the day-to-day commands that I have compiled over time.

Removing commented lines (starting with #) from a file
grep -v '^#' squid.conf > squid.conf.new

To remove empty lines from a text file, I've been using sed:
sed '/^ *$/d' squid.conf.new > squid.conf.nospace

Remove commented lines and empty lines with sed in one line
sed '/^#/d' squid.conf.default | sed '/^$/d' > squid.conf.new

To remove all commented lines (starting with #) and blank lines from a file
sed -e '/^\(#\|$\)/ d' squid.conf.default > squid.conf.new

Same thing using egrep
egrep -v '^(#|$)' squid.conf.default > squid.conf.new

OR
grep '^[^#]' squid.conf > squid.conf.new

Thursday, September 10, 2009

Hammad got admission in BCS

Hammad got admission to the BCS program at Mardan University; he is now a university-going boy :)
It was another cool day of Ramadan, with nothing much at work (in this holy month work gets a bit slow).
In the morning I did a tape backup of the AAA data; taking backups is already automated, including backing up to an external machine and restoring.
Tomorrow there is a meeting on the proposed BRAS expansion project in the CDDT building, H9; Mr. Imtiaz (GM IP OPs MMBB Core) will chair the meeting.

Wednesday, September 9, 2009

Reunion

Today, after a long time, I contacted one of my childhood friends, Shamsul Qamar. We lived and grew up in the Mirpurkhas Sugar Mills colony, where both of our fathers were working. It was very nice to talk to a childhood friend; it brings back the great and everlasting memories of childhood. He works in the sugar industry like his father and lives with his family in Torro (Mardan). Shams promised to visit me during the coming Eid and I am looking forward to it :)

Monday, September 7, 2009

Linux commands

Here is a series of commands and bash tips/tricks which I have learned from time to time while working.

# To report oldest file in a directory
ls -1rt | head -n1

# To rename a lot of directories at once, here stripping a trailing "(ska)" from each name
find . -maxdepth 1 -type d -name '*(ska)' | while read -r i; do mv "$i" "$(basename "$i" '(ska)')"; done

# Very handy when copying an ssh public key to a remote server, where one has to create the .ssh directory and the authorized_keys file while keeping the permissions straight.
mkdir .ssh --mode 700 ; touch .ssh/authorized_keys ; chmod 644 .ssh/authorized_keys

# What's the quick way to remove .blah.com from mycompany.blah.com? (Perl)

$str=~s/\.blah\.com//i

# Finding files and then deleting them

find /software/ftp/ -name '*.exe' -print0 | xargs -0 rm -f

Or much better to use the -exec action:

find /software/ftp/ -name '*.exe' -exec rm {} \;

# Extract url for path to Full version of last kernel for each branch

wget -O /dev/stdout http://www.kernel.org/ 2>/dev/null | grep ">F<"|head |awk -F "\"" '{ print $2 }'

# This version will download the kernels

wget -O /dev/stdout http://www.kernel.org/ 2>/dev/null | grep ">F<"|head |awk -F "\"" '{ print $2 }'|while read line;do if [ -n "$line" ]; then wget -c "http://www.kernel.org$line";fi;done

# Find files that were last modified more than n days ago (180 here), list them, and then remove them.

find . -mtime +180 -exec ls -lh {} \;
find . -mtime +180 -exec rm -f {} \;

Updating Nagios package

Today at last I updated the Nagios package, which had been delayed for quite some time.

The update was quite transparent; only the index.php page was replaced. Instead of displaying the default Nagios index page, I had changed it to display the "Host Group Summary" page to everyone using the Nagios web UI.

So all I had to do was change

/usr/share/nagios/index.php (path might be different if installed from source)

frame src="main.php" name="main" frameborder="0"

To

frame src="/nagios/cgi-bin/status.cgi?hostgroup=all&style=summary" name="main" frameborder="0"

Sunday, September 6, 2009

Sunday is family day

It's Sunday, so like every Sunday it's family day. On Sunday night I usually watch a movie, but because of Ramadan Karim I am not watching movies.
Yesterday I was watching the news and then, while checking email, found an email from Pat (founder of Slackware, the oldest surviving Linux distro). Wow, Pat and team released Slackware 13.0 on 2009-08-27.
It's always nice to see Pat working hard and releasing stable versions of Slackware.
Slackware is my favourite Linux distro, and I used it exclusively as my home and work desktop OS for almost 3 years.
However, due to the nature of my work (need to work more) I switched to Fedora. Switching away from Slackware doesn't mean that I do not like it. I learned Linux with Slackware, and I am still a proud slacker :)
Well, Fedora is a bit easier to maintain, and installing packages is also easy using YUM.

Thursday, September 3, 2009

Ayesha wake up in Peshmani

Today at the time of Peshmanay my daughter Ayesha woke up; normally she is sleeping at that time while my wife and I take our food. Well, long story short, she then wanted us to play and listen to her :)
It took another hour and a half before she went to sleep again.

Ayesha is almost 11 months old now and she is getting very naughty. It's very hard for both of us to keep an eye on her, and not just an eye: babies of this age require a very close watch, and I am thinking of monitoring her via Nagios http://www.nagios.org :)

Love Open Source

I love open source, not because this community provides free and the best software but because of the way this community works. I wish one day all the evil IT empires will open source their fat ass software.

Monitoring

You either fight fires all day, or build a flame resistant structure. Monitoring is the smoke detector. Notification is the alarm system. Fireman, or Fire Marshall - take your pick...

If you are not monitoring, then you are not managing.

Wednesday, September 2, 2009


I almost forgot to talk about my daughter, who is the centre of gravity these days.
I wonder at how smart she is getting day by day; while we (my wife and I) sit during the iftar, she is the one to handle :)
She tries to get her hands on each pot she sees, and if Ayesha gets a spoon in her hands then it's drums all around.
Ayesha's mother waits till I come back from work so that she can start working in the kitchen and I can look after Ayesha.
We, father and daughter, went out after the Asar prayers. Ayesha loves going out (probably she gets bored staying at home all day).
It's the holy month of Ramadan, and during this month we fast. Tell you what, I got too lazy because of my energy level :)
As Allah says, this month is for me, so we fast with devotion to get the most out of this holy month in terms of recitation of the Quran, praying 5 times (this we do the whole year), and the Taraweeh prayers.
After the whole day of fasting it's really a blessing when one has Iftar; this is the real time to thank Allah for all his givings.
During the month of Ramadan one can realize, or at least imagine a bit, the feelings of one who is hungry.
This month is the month of brotherhood, love and devotion.