VPNSCAN: Extending the Audit and Compliance Perimeter Rob VandenBrink Vandenbrink provides a tool called VPNSCAN for auditing remote IP addresses for compliance with an existing remote access policy.
The Best Guides for Managing Information Security Kerry Thompson Thompson reviews several freely available documents that can help with managing IT security.
Near-Native Virtualization Solutions for Linux -- VMware vs. Parallels Jesse Stanley Stanley examines the strengths and weaknesses of some common virtualization solutions to help you decide which product is best for your environment.
Implementing Micro-Partitioning on the IBM p5 595 Server Chris Gibson Gibson describes how to move to micro-partitioning and how to monitor and measure your shared processor pool.
Configuring a Virtual I/O Server Mark R. Bush Bush shows how to use IBM's virtual I/O server technology to create many reliable and robust logical partitions on a single server.
Questions and Answers Amy Rich Rich describes how to set up a serial console, suggests a fix for a buggy real time clock, and explains slave ptys.
A Comparison of I/O Schedulers Mulyadi Santosa, Fawad Lateef The authors provide an overview and comparison of Linux disk I/O schedulers.
Upgrading Linux Mark Roth Roth provides some tips for upgrading or migrating Linux without too much pain.
Starting, Stopping, and Replacing Users' Cron Jobs John Spurgeon, Ed Schaefer John and Ed describe Bourne shell scripts for temporarily disabling and restoring a user's cron jobs.
Questions and Answers Amy Rich Rich explains the importance of the superblock, identifies an AIX 5.3 bug, and provides some Solaris patching tips.
Automating the Management of Network Devices through the Command-Line Alan Holt Holt describes how to automate the remote management of a domain of network devices using the Python programming language.
Automating Signature Updates for Cisco IPS/IDS Sensors Lisa Hamet Bernard Bernard developed a set of Perl scripts to automate the process of signature update discovery and retrieval. In this article, she describes the details of these processes, highlighting remote management of a Cisco IPS device via SSH.
Console Servers Product Survey Steve Michnick Michnick and the Sys Admin staff present the latest console server product information.
Conserver: An Update on the Open Source Console Management System Bryan Stansell Stansell updates his coverage of the Conserver project.
Console Server Design Considerations Ron McCarty McCarty provides an overview of console server issues to consider.
Navigating the System Virtualization Maze — Part 2 Peter Baer Galvin In part 2 of this column, Galvin describes how to determine the best virtualization solution for your environment.
Java Web Application First Aid Alan Berg Berg explains how to find the cause of some common issues arising when deploying Web applications with Tomcat, Apache server, and mod_jk.
PMAN — Partition Manager for Oracle Range Partitions Michael Wang, Julie Wang The authors describe the benefits of Oracle table partitioning.
Database Protection Using Oracle Data Guard Aaron Diehl Diehl describes implementation and monitoring strategies of Oracle’s Data Guard services that can help make database recovery less painful.
Oracle RAC Primer Chris Page Page examines how a RAC database environment differs from a conventional Oracle database.
SortingHat — Which Server Do You Belong In? John Spurgeon, Ed Schaefer John and Ed describe the use of a Korn shell script called SortingHat for organizing files.
Questions and Answers Amy Rich Rich clears up mysteries involving Fibre Channel, named.conf, and Solaris™ 10 Zones.
Navigating the System Virtualization Maze — Part 1 Peter Baer Galvin In the first of this two-part series, Galvin discusses virtualization in general, examining the options, benefits, and data needed to determine the best virtualization solution for your own circumstances.
Oracle RAC Isn’t Just for Databases Chris Page Page examines Oracle’s clusterware technology and provides a simple configuration for demonstration purposes.
Implementing Highly Available Oracle Databases with Red Hat Cluster Suite Sergey Nemirovsky Nemirovsky explains the capabilities and limitations of Red Hat Cluster Suite in reducing downtime and improving availability of Oracle databases.
Questions and Answers Amy Rich Rich answers questions about missing symlinks, Solaris-compatible hardware, and glue records.
Miscellaneous Unix Tips: Answering Novice Shell Questions John Spurgeon, Ed Schaefer In this article, the authors cover a few of the novice questions they've fielded.
RAM Nagios vs. HD Nagios: Performance Evaluation Jonathan Krein Krein provides Nagios performance information as a follow-up to his article that appeared in the January issue of Sys Admin.
Backup Encryption Kerry Thompson Thompson shows how to add encryption to your backups and describes some pitfalls to watch out for.
Respect Your Backup Admin? Roger Feldman Feldman looks at some backup scenarios to help determine the level of administration needed. He focuses on the real skills needed to run various backups and briefly describes some of the technologies used.
Scyld ClusterWare Scyld ClusterWare: An Innovative Architecture For Maximizing Return On Investment In Linux Clustering
Test Your Knowledge of Samba Topics Emmett Dulaney Dulaney presents 50 sample questions (and answers) with which to test your knowledge of Samba -- a focal point on the new LPIC-3 certification.
Certification: A First Look at LPIC-3 Certification Emmett Dulaney Dulaney provides a list of topics to know before attempting the LPIC-3 certification exams.
Questions and Answers Amy Rich Rich answers questions about ipfilter failure, a lost JBOD stripe, and troubleshooting the orcallator process.
MLN — Taking Virtual Machines to the Next Level Kyrre Begnum, John Sechrest The authors describe MLN, which provides systems administrators with an easy and powerful tool for virtual machine management.
Xen Master is Yum Faye Gibbins Gibbins shows how to set up a self-managed Xen cluster.
Dynamic Patching via State and Run-time Control James Hartley Hartley shows how to use state to control the operation of scripts and gain high-level control of system operation by dynamically altering system files during the execution of patching scripts.
Monitoring Changes on Your Network over Time Using PBNJ Joshua D. Abraham Abraham provides an introduction to PBNJ, a suite of tools written in Perl that parses, correlates, and stores the information harvested from Nmap.
Questions and Answers Amy Rich Rich tackles questions about ZFS disk partitioning, resetting firmware passwords, and more.
Questions and Answers Amy Rich Questions and Answers
Learning DTrace -- Part 4: Solving Everyday Problems Chip Bennett In part three of this series on DTrace, I covered a lot of detail on the power of the D language. In this part, I'll use that power to look at two common uses for DTrace: application profiling and finding system performance problems.
MySQL 5 Cluster with Solaris™ 10 Zones/ZFS/Resource Control Derek Crudgington Solaris 10 introduced several pieces of technology that can benefit systems administrators, particularly when used together. Zones can provide application isolation and assist in server consolidation efforts. Combining the Fair Share Scheduler (FSS) with zones gives the administrator control over the amount of system resources allocated to each zone. Running zones on top of the ZFS file system allows each zone to be set up in a matter of minutes and can also provide other benefits such as compression, snapshots, and self-healing.
Using DNSBLs to Monitor Network Security Luis E. Munoz Many email administrators are turning to DNSBLs -- DNS Block Lists -- as useful weapons in the arsenal against spam. There are DNSBLs covering many aspects of the security spectrum related to spam. A brief sample of the overall focus of the most common lists include:
Open HTTP proxies
Open SMTP proxies
Zombies or trojaned machines
Miscellaneous open proxies
Hosts that send spam to spamtrap addresses
Using Adaptive Read-Ahead to Improve I/O Throughput on Linux Mulyadi Santosa, Fengguang Wu For years, I/O has been a major problem when dealing with latency. CPU, memory, network connection, and bus are getting faster in a significant way. But what about disk? With the birth of SATA, disk is getting some acceleration, but the problem with disk access is that it is so slow compared to memory access.
Questions and Answers Amy Rich Questions and Answers
IBM/Rational ClearCase VOB Automounting Victor Burns In the June 2006 issue of Sys Admin magazine, I discussed some commonly used as well as a few more advanced features of the automounter. One of these advanced features is the "autofs" file system that makes the automounter possible. I illustrated the dynamic use of the "autofs" file system in conjunction with the -fstype mount option. This combination can support VOB automounting by using cascading indirect automount maps.
Cyclades ACS Console Servers Joe Freeman Terminal servers, network access servers, and console servers all come from similar roots. Although they were originally used to connect green-screen, dumb terminals to remote hosts, it didn't take long for people to realize that they could put a pair of modems and a phone line between the terminal and the terminal server. Once IP became the prevalent protocol, it was a fairly simple task to add an IP stack to the terminal server and create a device that allowed remote users to connect to the IP network from a remote location.
Security Best Practices for Console Servers: An Interface Approach Ron McCarty Console servers have become key components of managing large centralized data centers as well as remote sites and shops that require quick administrative access to systems during outages.
Using Console Servers to Support Audits Driven by Sarbanes-Oxley Ron McCarty The Sarbanes-Oxley Act (SOX), which was passed in 2002, established requirements for public companies to ensure accuracy of their financial reporting. These requirements have created an audit focus point for most IT shops in publicly traded companies.
Questions and Answers Amy Rich Questions and Answers
Processing User Input: Timeout Mechanisms Ed Schaefer, John Spurgeon Waiting for a user to respond to a program that is requesting input can be an issue. How do you provide a timeout mechanism in your shell scripts? In this column, we consider three methods. We touch on the read command's -t option; we discuss manipulating the terminal driver with the stty command; and we present our own script, called timeout_countdown, that can kill another process if the user doesn't respond within a certain amount of time.
Sun Cluster 3.x Quorum Issue Peter Van der Weerd Clustering software usually consists of a collection of scripts and binaries that unconfigure an interface, bring down an application, unmount some file systems, give away a group of disks, and reverse this procedure on some other machine. This goes for all Unix cluster solutions. Of course, there are some differences on different levels. Different vendors use different storage products and software to manage devices, have their own ideas about establishing and maintaining membership between the clustered machines, and so on.
Questions and Answers Amy Rich Questions and Answers
Network Device Configuration Management Anshuman Kanwar Your most elaborate disaster recovery plans are only as good as your backups. In the context of routers (and most firewalls), all configuration is normally stored as a plain-text file in flash memory or some sort of NVRAM. Creating a replica of a router in case of catastrophic failure is simply a matter of physically plugging in a cold standby and copying the configuration from some backup medium onto the new device.
Questions and Answers Amy Rich Questions and Answers
Questions and Answers Amy Rich Amy Rich answers Questions for July 2006.
Converting Dates to Week Dates Ed Schaefer, John Spurgeon Dates are often identified by a year, a month, and a day of the month. An alternative notation, common in European countries and in manufacturing industries, uses a year, a week number, and a day of the week to specify a date. The main difficulty with using weeks to specify a date is identifying when the first week of a year should begin.
Questions and Answers Amy Rich Questions and Answers
An Interview with DTrace Guru Jarod Jenson Peter Baer Galvin The world is still in the early days of exploring and using DTrace, Sun's extraordinary new performance analysis tool. There are, however, some trends already revealing themselves. Specifically, all programs have performance problems, and (almost?) all performance problems on Solaris 10 systems can be revealed via DTrace. Jarod Jenson, Chief Systems Architect at Aeysis, spends a lot of his time using DTrace to track down performance problems.
Console Servers Product Survey Steve Michnick The principal gateway for accessing and managing all systems in a modern datacenter is a solid and secure console server. Console servers provide access to almost any device controlled by a serial port such as servers, network hubs, routers, switches, and power management systems. The datacenter support staff needs a fast and reliable means to connect to all datacenter components through one centralized service. Sys admins need secure local and remote access to system consoles from any location at any time to effectively and efficiently manage all the servers in a distributed environment. System managers need the ability to monitor connection sessions, audit access logs, and ensure encryption of console activity to meet increasingly strict security expectations from customers and government regulators.
Console Design Considerations Ron McCarty This article will cover some of the more common design criteria and best practices you should consider when designing and acquiring a console infrastructure. Console servers, although little known outside the datacenter, provide key services to quick recovery, better systems administration practices, and better datacenter security.
Worldwide Access to Your Serial Consoles Mark Uris, John Fox Imagine being able to reboot a server from the system console from Europe or at an airport during a layover. Imagine not having to physically be present at your datacenter to perform tasks that require console access but, instead, doing them in the comfort of your own home or office. Now imagine doing all this with relatively low-cost commodity components running your favorite Unix-variant operating system along with an open source software package.
Questions and Answers Amy Rich Questions and Answers
Getting to Know Your Network -- Part IV Luis E. Munoz Previously in this series, I presented aconfig, a tool that allows the execution of configuration commands mixed with Perl in our network devices. I showed how to use this tool to extract information about the network topology and configuration and store it into a database for simplified querying and reporting. This, in itself, is a valuable addition to incident response and vulnerability management processes, which eases the task of determining the significance of daily threats to our network.
BackFire: A Flexible Backup Tool Robert Sciuk It is said that systems administration, like flying fighter planes from an aircraft carrier, is 90% boredom interspersed with moments of sheer terror. Okay, I said it, but there is an element of truth to it. To mitigate the panic involved when one's system drive fails and a career-changing moment hangs upon your ability to recover your boss's family photos, I present the evolution of a script, called BackFire, which had its origins as NFS_Backup (see "Backup Scripts from UnixReview.com" in the April 2002 issue of Sys Admin magazine: http://www.samag.com/documents/s=7033/sam0204d/) and has been in production in various incarnations since 1996.
Restoring Your Confidence in Oracle Backups John Ouellette Wouldn't it be great to be able to rely on your backups and have full confidence that they will work properly during a disaster or a routine restore operation? Unfortunately, making assumptions about your restores can lead to delays in projects, wasted time, and ultimately data loss. While it may be fairly easy to configure backups and assume the restore process will work as long as the backups have run successfully, the reality is that each process is different and involves its own set of challenges.
Archiving Korn Shell History Files John Spurgeon, Ed Schaefer Shell history gives users the ability to manipulate commands previously entered at the command line. It is not an auditing tool. Nevertheless, systems administrators often resort to looking at shell history files to trace user activity. When used as an audit utility, shell history has serious drawbacks. For example:
Once a shell history file contains the maximum number of commands, old commands are removed as new ones are entered.
History files may be modified by a user who is trying to cover his tracks.
Timestamps are not available to determine when a command was executed.
History files are typically stored in the user's home directories making it difficult to process the information.
It can be tricky to tell who executed certain commands if someone used su to become another user, such as root.
Questions and Answers Amy Rich Questions and Answers
Getting to Know Your Network -- Part III Luis E. Muñoz As you may remember, in the previous parts of this series, I presented a tool called aconfig that allows sys admins to execute combinations of configuration commands and Perl code -- ascripts -- on network devices. I showed how to use this to harvest the version and configuration information from network devices, and then place the relevant parts of this information into a relational database.
MySQL 5.0 Cluster: Architecture, Implementation, and Management Norm Collins Today's networks and applications are concentrating more on high availability and redundancy. Corporations are selling services to customers with a "guarantee", or "service-level agreement" (SLA), that provides an overall percentage of uptime along with detailed instructions on the rebate structure if certain conditions are not met. One of the key components in the delivery of information to customers is the availability of data from a robust and effective database management system (DBMS).
Questions and Answers Amy Rich Questions and Answers
Getting to Know Your Network -- Part II Luis E. Munoz In the first article of this series, I showed how to build a script, aconfig, which allowed us to quickly execute commands on network devices. It also allowed us to use Perl to generate commands on the fly and process the result of those commands. To tell aconfig what to do, I wrote some small snippets of configuration commands, called ascripts. Those ascripts are used to gather version and configuration information from the network devices. In this article, I'll take the process one step further and build all this into a neat network inventory. (The complete listings for this article are available from the Sys Admin Web site at: http://www.sysadminmag.com.)
Implementing Standard Login Scripts Ed Schaefer, John Spurgeon Consider a server model where numerous Unix servers are distributed across numerous production sites hosting database engines and other software applications. Also, assume that only the local systems administrators have command-line access. We think standardizing the administrator's login scripts is a good way to maintain high application availability.
Questions and Answers Amy Rich Questions and Answers
Veritas Volume Manager Recovery Features Ryan Matteson Veritas Volume Manager (VxVM) has become the standard Logical Volume Manager (LVM) in many enterprises for its robust feature set, its ability to run on multiple operating systems (e.g., HP-UX, Linux, Solaris, Windows), and the numerous scalability, availability, and recoverability features that come with the base product. The recoverability features help to ensure that data is protected when hardware platforms fail and to ease the process required to restore systems to an operational state.
Automate System Configurations and Changes with cfengine John Borwick Humans are not as good as computers at applying changes consistently. If you manually maintain several computers, your machine configurations will drift apart over time. Aside from the problems inherent in manual maintenance, there are several benefits to automated, repeatable processes. Repeatable processes help you understand and document your machines' environments. If you can automate system changes, you can repeat your configuration process. You can develop disaster-recovery systems that rely on reinstalling the OS and applying changes, rather than recovering your OS from backups. Automating your system configurations also means less work for you over time.
Questions and Answers Amy Rich Questions and Answers
Generating Object Accessors Randal L. Schwartz The traditional Perl object model is rather simple. Create a hash, use a reference to that hash as the object (appropriately blessed so that we can find the associated package of methods), and use the hash elements as the member variables. So, for a class Rectangle, we write the constructor as:
Routing and Alias Management with OpenLDAP and Sendmail John D'Emic LDAP and Sendmail offer sys admins considerable advantages for dynamic mail routing and centralized alias management. A common requirement, as an organization grows, is to support geographically dispersed mailservers. While this can be achieved by using subdomaining (i.e., bill@nyc.acme.com, jane@dublin.acme.com), it is generally preferable to route the mail dynamically from a single address (jane@acme.com). I'll explore how this can be accomplished using Sendmail in conjunction with OpenLDAP.
Questions and Answers Amy Rich Questions and Answers
Taming Nagios David Josephsen In the past few years, Nagios has become the industry standard open source systems monitoring tool. If you're using an open source app to monitor the availability, state, or utilization of your servers or network gear, then chances are you are using Nagios to do it. To those who have worked with it, this is no surprise. The lightweight design of Nagios offloads the actual query logic into "plug-ins", which are easily created, modified, and re-purposed by sys admins. The lack of complex query logic leaves the Nagios daemon free to manage scheduling and notifications and to handle UI. Nagios's "keep it simple" approach makes it straightforward to administer, network transparent, and amazingly flexible.
Making a Dashboard Widget for Systems Administration Purposes Mihalis Tsoukalos With the release of Mac OS X 10.4 (a.k.a. Tiger), Apple introduced a new feature called Dashboard. Dashboard is like a second layer to the desktop that consists of widgets, which are small, lightweight, task-specific applications. Figure 1 shows my personal Dashboard setup. Dashboard is activated and de-activated and, at the same time, widgets are shown and hidden, respectively. In this article, I will describe the construction of a widget for systems administration purposes.
Simplifying Solaris Patches Paul Guglielmino Maintaining large numbers of systems over time can cause small (and sometimes large!) differences in the system configurations. Some of these differences may occur in the system's patch levels. Perhaps an ad hoc patch for the development environment never made it to production or space issues prevented a patch from getting installed. Regardless of the reason for these differences, it's good to have a way to measure the accuracy of your configurations. When issues arise, knowing these differences will aid you in troubleshooting problems.
Security Forensics Using DTrace Boris Loza Solaris 10 has introduced a new tool for Dynamic Tracing in the OS environment -- dtrace. This is a very powerful tool that allows systems administrators to observe and debug the OS behavior or even to dynamically modify the kernel. Although this tool has been designed primarily for developers and administrators, in this article, I will explain how to use dtrace as a security forensics tool for analyzing suspicious files and processes.
Observing I/O Behavior with the DTraceToolkit Ryan Matteson With the recent release of the Solaris 10 Operating System, Sun unleashed the Dynamic Tracing Facility (DTrace) on the world. Dynamic tracing can be used by administrators, developers, and quality engineering to track down reliability and performance problems, correlate disparate events, and observe applications and the Solaris kernel in ways that have never before been possible.
Questions and Answers Amy Rich Questions and Answers
Cameo Appearance as DBA -- Part II Roger Feldman Part I of "Cameo Appearance as DBA" concentrated on background information that needs to be considered to create test databases for Sybase and Oracle. I covered issues that affect how you will analyze your current configurations and how you will approach your installations. I then made the initial connections to the database and considered how you can start and stop the database. In Part II, I will dive into exploration of the database using the command-line utilities.
Chain Gang: Using SSH Chains to Traverse Firewalls Ralf Hack Imagine that you're working at home and you need access through the corporate firewall, but your document server, intranet Web server, and the development systems are protected by a managed shared firewall. Additionally, routing restrictions require multiple hops to gain access to your LAN. Even with a comprehensive VPN solution, you may experience difficulties accessing your normal work environment. Network restriction and network segmentation designed to protect your environment may hinder usability. Other than disregarding change control processes or maintenance windows, there is often no fast and sure way to open a port on short notice.
Remote Administration Based on VPN for Home Networks Rafael Palacios, José Daniel Muñoz Frías Because of recent improvements in communications, telework is increasing in all developed countries. One of the major problems associated with telework, from the technical point of view, relates to network and computer configuration. Although these problems are usually easily solved by systems administrators in the office, they can sometimes be impossible to address without going to the employee's home.
An Overview of IBM p5 Virtualization Features Ron Jachim If your management is like mine, they want to see their expensive computing resources utilized as fully as possible. This often contradicts the common expectation of being able to run additional applications without purchasing additional hardware. The management where I work has requested that we show better utilization. Incorrect figures abound as to our current utilization, but everyone believes it can be improved.
NIM: Installation and Configuration Alex Markelov, Joseph Kiernan When we first set up a Network Installation Management server for AIX in our own test lab, the unclear and somewhat self-contradictory NIM manual for AIX 4.3.3 made it a painful experience. Our goal is to make your path to a working NIM server/client environment shorter and more interesting. This article is intended as a practical, step-by-step guide for setting up a NIM server for AIX, and we provide it as a complement to the official manual.
System Automation with PXE, Kickstart, and Cfengine John Borwick Manually installing operating systems and software is hard, and inevitably results in mistakes that make each server subtly different. Many administrators have surmounted the problems of manual installation by implementing a fully automated installation (FAI) process. With FAI, you can tell a server to install itself and return later to find a fully configured machine. The problem with FAI is that, while it guarantees a certain initial state, it does not necessarily configure each application or maintain the server's state over time -- you're on your own scheduling cron jobs and installing configuration files.
Oversubscribing an Oracle Server Using Solaris FSS Eric Forgette One of the biggest challenges in consolidating database instances onto a single, multiprocessor system is the limited control over the priority of processes running in the time share scheduling class. In this class, each runnable thread is individually scheduled based on its priority, time spent on CPU, and time spent waiting for a CPU. Thus, a database instance with many threads can get more work done than an instance with only a few threads.
Questions and Answers Amy Rich Questions and Answers
Queuing Jobs with qjob Ed Schaefer, John Spurgeon Most systems administrators are familiar with using the cron facility or the at command to schedule jobs. Sometimes an attempt is made to schedule jobs so they don't conflict with one another. For example, it may be necessary to limit the number of resource-intensive jobs running at the same time to avoid overloading the system. Or you may need to prevent jobs from simultaneously accessing a shared resource. This can be challenging, especially if commands must be run frequently and the time they take to complete is significant and variable.
Running any x86 Operating System in a Solaris 10 Zone Tim McMurphy In the spring of 2004, when the Solaris 10 beta with zones first shipped, my local Sun representative said you couldn't run any operating system except Solaris 10. That was like waving a red flag in front of a bull to me, and I just had to prove him wrong. After quite a few failures, I abandoned the idea of running other operating systems by installing an OS and trying to talk to the global zone like a hardware emulator, and I looked for other approaches.
Standardize Your Backups with a Decision Point System Ian Mahaney Backup and restore policies can be difficult to define and understand. While business priorities shift, new products are introduced, and requirements change, administrators are faced with the task of managing an effective backup solution that spans the entire enterprise. Today's dynamic environments often result in uncertainty regarding the properties of a backup policy and leave IT managers asking why? To simplify the creation of backup policies and answer the question why, administrators can utilize a Decision Point System when determining backup requirements.
Techniques for Production-Grade Scripts Brian Martin Systems administrators have many responsibilities including maintaining and upgrading operating systems, supporting the development staff, serving as the help desk (fixing printers and supporting users), and more. We never have enough time, so we write scripts. We write scripts for ourselves and our users to turn complex tasks into simpler, faster ones. Some of these scripts run quickly, with someone right there watching the results. Others run unattended, often overnight or as the result of a crontab entry. Some scripts are fairly unimportant -- it's nice to have a pretty graph of network statistics, but hardly catastrophic if the script fails. Other scripts are vital, either to the operation of the system, or to the operation of the business.
Implementing an Effective Abuse Management Process -- Part III Luis E. Munoz In the two previous articles on abuse management, I described the Mail::Abuse package, discussed receiving and analyzing abuse reports, and showed how to configure the abuso script for the network. In this third and last part, I show how to test your setup so that Mail::Abuse automatically analyzes the abuse complaints sent to the contact addresses at your site.
Implementing Rsync-Only Access over Chroot SSH Julie Wang, Michael Wang Rsync provides a flexible and efficient way to transfer files. Unlike ftp and scp, it can transfer the subset of files that has changed and only the differences within each file. Rsync can transfer files over SSH protocol, which provides the protection on the contents of the files via encryption. However, rsync over SSH requires a shell account on the remote site. This shell account, if unrestricted, can potentially read and write beyond the intended area. It may fill the /tmp space as a trivial example.
Tuning Your SELinux Policy with Audit2allow Kevin Fenzi Fedora Core 3 Linux has been shipping with Security Enhanced Linux (SELinux) enabled by default for about six months now. SELinux allows privileges to be separated much more finely than the typical approach of having users and groups and the all-powerful root "superuser". The default SELinux configuration is fine for some uses, but the SELinux configuration files make sendmail.cf look easy. In this article, I will show you step-by-step how to tune your SELinux policy to your specific needs using the audit2allow tool.
Questions and Answers Amy Rich
Creating Cross-Platform Solutions with Open Database Connectivity D. Hageman Systems administrators can often find themselves in a situation where they are forced to support a product lacking in adequate documentation, stability, and technical support. The stories vary, but the end result is generally the same. You can probably hear your boss right now, saying: "We can't get rid of this product, because it is essential to our business."
FreeTDS for Database Connectivity Kevin M. Lyons It has often been said that the world would be a nicer place for programmers and administrators if everyone used the same operating system, if only one database were needed, only one programming language... Let us pause for a moment while you stop laughing.
The Strange New World of the Solaris™ 10 Service Management Facility Peter Baer Galvin Solaris 10 has many new and innovative features. The Service Management Facility, however, is particularly different from previous Solaris releases and is core to systems administration, so it deserves some scrutiny and attention. The first hint that you are in a new world is a glance at the /etc/rc* directories. The next clue is that killing a process such as sendmail no longer works. Where are we and why are we here? Let's take a look at the Solaris 10 Service Management Facility (SMF).
Questions and Answers Amy Rich
Migrating to Mozilla Thunderbird Dennis Gesker You probably already know that Mozilla Firefox is a Web browser developed and distributed by the Mozilla Foundation. The release of the browser has been met with a warm reception, and there are reports that it has even made some headway in winning market share away from the dominant Microsoft product, Internet Explorer.
Monitoring LDAP Performance Ryan Matteson LDAP has become the Internet standard directory access protocol and is used to access everything from DNS zone files to user account information. As companies and software vendors rely more heavily on LDAP directory servers, the need to measure server throughput and performance becomes imperative. In this article, I will describe several tools that can be used to monitor the health and performance of an LDAP directory server, and I'll explain how Orca can be used to trend directory server performance over time.
Migrating to LDAP-Based Naming Service in a Heterogeneous Environment Kaijun Zhan Lightweight Directory Access Protocol, or LDAP, is increasingly popular in today's Unix/Linux environment as an option for naming services. Unlike NIS, which is based on a flat namespace, LDAP-based architecture is flexible and scalable. However, the process of seamlessly converting from one naming service to another can be very complicated.
Remote Logging with SSH and Syslog-NG Hal Pomeranz One of the points I make repeatedly in my training classes is the value of centralized logging. Keeping an off-line copy of your site's logs on some central, secure log server not only gives you greater visibility from a systems management perspective but also can prove invaluable after a security incident when the local copies of the log files on the target system(s) have been compromised by the attacker.
Branded VPN Deployment and Seamless Remote Management Adam Olson Bridging the gap between production network systems and remote users has always posed challenges. Initial infrastructure design, access privileges, and client software needs all must be addressed to ensure that network capacity and maintenance issues remain manageable as the user base grows. Perhaps the most important consideration is ease of use for the end user. Software, in general, is becoming more and more intuitive and end users expect a certain level of usability and aesthetic quality.
The OpenLDAP Perl Backend Reinhard Voglmaier OpenLDAP is the reference implementation for the LDAP protocol. The OpenLDAP distribution [1] is not just an LDAP server but also offers a framework containing everything necessary to build an LDAP workbench. And, most importantly for projects with a small budget, it's completely open source and free.
Bootable Solaris Installation CD: Part II Rytis Sileika In last month's issue, I looked at the basic setup for a custom Solaris installation CD. This month, I'll show you several different tricks for creating local customizations from the base install.
Failover Firewalls with OpenBSD and CARP Jason Dixon Firewalls are a required component in commercial and residential computer networks. For many installations, the firewall is a single point of failure between client systems and external resources. It can also become a liability when hardware or applications fail, leaving potential customers unable to reach your servers. A properly designed and executed failover configuration for your primary firewall will address many of these concerns. This article introduces a proven method for installing redundant stateful firewalls using native OpenBSD features.
High Availability Clustering with Veritas Cluster Server Paul Guglielmino When one of your systems goes down, don't you wish that your users wouldn't notice? With the aid of highly available clusters, your users can continue working as if nothing had happened, and the systems administrator can deal with the problem undisturbed. This article provides an introduction to basic clustering concepts with Veritas Cluster Server (VCS) using Sun Solaris as the sample platform. VCS can run on a wide variety of Unix and Windows systems, and the principles are the same on all systems, but the implementation may differ slightly from what is presented here. Knowledge of Veritas Volume Manager is not required to benefit from this article, but may be helpful since VCS and Volume Manager are tightly integrated.
Linux High Availability Clusters with Heartbeat, DRBD, and DRBDLinks Sean Reifschneider Linux clusters using Heartbeat and DRBD allow High Availability (HA) clusters to be created very inexpensively. In the past, HA clusters typically required a standalone RAID array (preferably Fibre Channel) in addition to the pair of servers. Now, for a fraction of the cost of a standalone RAID array and using entirely free software, an HA cluster can be built with Heartbeat and DRBD.
Questions and Answers Amy Rich
Avoiding SQL Injection Attacks Randal L. Schwartz In recent months, the entertainment news was abuzz with how socialite Paris Hilton had had her Sidekick phone "hacked", revealing phone numbers for many famous people, interesting notes about possible profit participation in the "stolen" sex tape, and lurid pictures, all of which were broadcast widely on the Internet. But the quiet word amongst computer security professionals was that this wasn't a matter of hacking into her phone at all, not that the entertainment news people would know or care. Instead, certain individuals have claimed responsibility through a well-known security flaw on T-Mobile's Web site, with which the phone is synchronized. Thus, it wasn't the phone that was the source of information -- it was the Web site.
Do-It-Yourself Clusters Denis Sunko Our research group recently bought a new, fourth node for our tiny cluster. I added the following three lines into /etc/dhcpd.conf on the master node (see Listing 1):
Manipulating Floppy Disk Images on Solaris Ed Schaefer, John Spurgeon With the advent of CD and DVD burners, USB flash drives, and high speed networks, floppy drives are becoming passé. For some administrators, however, floppies are still a convenient way to transfer and store small amounts of data. Moreover, a floppy drive may be required to install hardware drivers and other software that is still distributed on diskette.
See Your Files and Descriptions with "List" Jim Pinson The Unix/Linux world loves short file names, especially for commands. In a world dominated by "ls", "cp", and "mv", longer filenames such as "md5sum" seem almost extravagant. The short file names certainly save us a lot of effort when we type commands, especially those long pipe commands we seem to favor.
Bootable Solaris Installation CD Rytis Sileika Have you ever found yourself needing to install two Sun servers one day, then a week later another one, then a few days later three more? Then somebody asks you to install yet another server exactly like the first one. You have probably already thought about creating a JumpStart server so you could install via the network, but say the last two servers that you installed were in a branch office far away, so there was no network connection.
Portable Jumpstart Environment Michael R. Sbailo Jr. Automating system builds has greatly increased systems administrators' ability to build and recover environments in a more uniform manner. Each platform has its own method of accomplishing this, such as Jumpstart (Solaris), Autoyast (SUSE), Kickstart (Red Hat), etc. In this article, I'll focus on running Solaris's Jumpstart technology from a Linux-based laptop. Because of the need to support sites in the field that are scaled down and thus cannot support a full-blown boot environment, I wanted to combine all the components of Jumpstart into one.
Makeinstall -- Capture File System Changes with Snapshot and Rsync Julie Wang, Michael Wang Generally speaking, a software application is just a set of files on the file system. Some applications will automatically start one or more processes -- such as sendmail, Apache, and MySQL -- upon startup. Other applications -- such as Perl, PHP, Python, and shell scripts -- wait to be called.
Bogocats: How Many Are in Your Backup? James Price One of the most important tasks a systems administrator performs is providing backup and recovery of data. Backing up data to tape is the solution most commonly used by Unix admins. In general, backing up data to tape is a relatively straightforward, simple operation, but some of the conventions and the details of the process can be confusing and are worthy of examination.
The smbbackup Utility Sandor Patocs Although Linux has enjoyed tremendous growth and increased popularity, many organizations still heavily favor the use of Windows. CostWare, the company I work for, provides a cost recovery system for professional organizations such as law firms. It is not uncommon for CostWare to be the only Linux-based application server in a firm.
Questions and Answers Amy Rich
Capacity Planning for Oracle Databases Using Legato NetWorker John Ouellette While planning for backups, I wanted to know how large our databases would be in a year. No one I asked could provide an answer, so I decided to figure it out for myself. In this article, I will explain my process.
Questions and Answers Amy Rich
Restoring Dirvish Disk-to-Disk Backups: Part III Keith Lofstrom Dirvish is a disk-to-disk backup program, a Perl wrapper around the rsync file system network copy program. Using Unix-style hard links, dirvish and rsync allow successive backup images to share identical data files and occupy the same disk space, greatly reducing backup time and backup disk usage.
Intrusion Prevention and Active Response: Implementing an Open Source Defense Angela Orebaugh, Eric Cole The term "intrusion prevention" has become prevalent in marketing materials and sales presentations as commercial vendors develop an abundance of products (both good and bad) under this umbrella term. While commercial intrusion prevention products are often technologically diverse and contain a rich feature set, they also often come with a hefty price tag.
Linux Server Monitoring with IPMI Philip J. Hollenback If you have expensive computer systems running in your data center, you want to make sure they keep running smoothly. Server vendors have addressed this by adding system monitoring devices to motherboards to report on temperatures, fan speeds, and voltages.
Profiling SAN, NAS, and DAS I/O Stacks Using io_profile Bill Pierce Performance benchmarks are often regarded as one step above voodoo (see "Benchmarking Systems" by Henry Newman, Sys Admin, April 2003: http://www.samag.com/documents/s=7898/sam0304i/). With so much at stake, it's understandable that vendors want to isolate their products in environments and measure them in situations in which they will do best. But storage products don't operate in isolated environments. They are components of I/O stacks that will behave differently when used and tuned in combination with other components.
Save Bandwidth and Increase Performance with Cache-Control Response Headers Jeffrey Fulmer Most Web sites contain static elements that are shared by several pages. Each page on a template-driven site will likely contain common elements such as style sheets, JavaScript files, and images. As a browser parses HTML, it looks for items required to construct the page. If each request requires the browser to repeatedly download the same elements, a lot of unnecessary bandwidth will be consumed in just a few short clicks.
A User-Friendly Web Site Update Tool Lisa Hamet Bernard Because I come from the command-line world, I am amazed at the level of dependence on GUI-based administration tools that has evolved in recent years. These interfaces have become so prevalent that many IT staffers with system management responsibilities are loath to use any package without a point-and-click front end. I recently encountered such a scenario with one of my customers.
Questions and Answers Amy Rich
Using Unknown Passwords Ed Schaefer, John Spurgeon Often, several administrators have root privileges on a system. In cases where people are allowed to log in as root or use su to become root, more than one person needs to know root's password.
Licensing Risks, Not Revolutions: Part II Bryan Smith Part I of this article focused on redefining software licenses beyond the one-dimensional, non-descriptive values of "open" and "closed" (proprietary). It expanded the categorizations, applying the values to axes of "source code" and "standards compliance."
Taking Back Your Mailbox with Greylisting Sean Reifschneider Unsolicited commercial email, a.k.a. spam, is an attack on the Internet. It's as simple as that. Until we start really treating it as such, the problem is only going to get worse. In the meantime, we've got greylisting.
Using Dirvish for Disk-to-Disk Backups: Part II Keith Lofstrom Dirvish is a disk-to-disk backup program, a Perl wrapper around the rsync file system network copy program. Using Unix-style hard links, dirvish and rsync allow successive backup images to share identical data files and occupy the same disk space, greatly reducing backup time and backup disk usage.
Next Generation DHCP Deployments Dave Hull, George F. Willard III As device mobility has transformed a novelty into a user expectation, the need for managed dynamic network configuration in campus and wireless environments has grown exponentially. User mobility and ease of end-user device network configuration have become key requirements when designing multi-user accessible networks. Additional challenges in this environment include maintaining security access controls, usage tracking, billing, and end-user support.
The Solaris™ 10 Zone Defense Kevin Wenchel Zone technology is a new component of the Solaris 10 N1 Grid Computing Environment. Zones allow systems administrators to partition a single instance of the Solaris operating environment into multiple virtual OS instances, each completely isolated from and unaware of the others. In contrast to virtual machine software products, such as VMWare, which virtualize physical hardware to allow multiple operating systems to run independently on a single physical machine, Solaris zones virtualize the Solaris operating system environment itself. This allows multiple instances of the Solaris operating system environment to run within a single instance of the Solaris kernel.
Centralized User Management with Kerberos and LDAP Travis Crawford Many computing environments are designed to make network resources available to users from any location, such as personal workstations, public workstations, and the Web. User management is an important part of this type of distributed computing environment because it provides the consistent authentication and authorization service necessary for universal access. Kerberos and LDAP are two protocols that have been designed to solve the distributed authentication and authorization problem.
Questions and Answers Amy Rich
Licensing Risks, Not Revolutions Bryan Smith The primary role of IT is to mitigate risk to corporate investments in information. Simple labels on software like "open" or "proprietary" do little to classify risk to an organization's data and IP. In this article, I'll examine these labels and suggest some new ways to define software types.
Using the R System for Systems Administration Mihalis Tsoukalos This article is about R, which is an advanced statistical package with many complex capabilities. However, don't be afraid of R if you aren't very comfortable with mathematics and statistics. This article will cover some simple, useful capabilities of the package tailored for systems administrators.
BIND Management Using ProBIND Mark Barrow I was recently hired to sort out the management of a client's BIND DNS servers. They had deployed multiple BIND DNS servers running on Solaris to serve both internal and external DNS for themselves as well as primary and secondary DNS services for many of their customers. The current solution involved editing the zone files on each master server (internal/external), then reloading the DNS into a test namespace to check for errors (using nslookup, etc.) before deploying to the production namespace and running a Perl script to reload all of the servers. Although the solution was extremely stable, skilled sys admins had to spend a lot of time managing it. They wanted a solution that could be maintained by other office staff.
IP Policy Enforcement with Netinfo Stefanos Harhalakis A common problem faced by systems administrators who don't have complete management of their network is IP policy enforcement. There are a lot of tools for monitoring routers and switches (referred to as network devices), but there are few for monitoring the leaf nodes and their status.
Dirvish for Disk-to-Disk Backups -- An Open Source Success Story Keith Lofstrom What will you do if a company that produces one of your critical software applications goes out of business? If it's proprietary software, you may be in big trouble. Open source, on the other hand, leaves you in control (sometimes, too much control). This article tells how I ended up managing an open source backup tool, dirvish.
The Solaris™ Performance Advantage Sun Microsystems, Inc. October 12, 2004 -- Power enterprise applications at record speed with the one-two punch of the Solaris OS and AMD Opteron processors.
Target Consolidation Sun Microsystems, Inc. The Solaris™ Containers technology, coming with the Solaris™ 10 Operating System, sends resource utilization through the roof and revolutionizes the economics of data center management.
Peer Deep with DTrace Sun Microsystems, Inc. Track, tune, and troubleshoot your systems in real time with Sun's new dynamic tracing framework, part of the Solaris™ 10 OS.
Questions and Answers Amy Rich
Solaris™ 10 Privileges Peter Baer Galvin Since the beginning of Unix time, system privileges have been binary. Either you had the superuser rights by running a setuid-root program or su'ing to root, or you were nobody (that is, an average user). This model caused great problems for users and systems administrators alike. Users had to fight to gain access to system resources and commands that they would find useful. Systems administrators had to fight to defend the system from exploitation of bugs that would give root access to crackers. With Solaris 10 privileges, there are now 47 different privileges that can be assigned to programs, to users, and to roles. Welcome to the brave, new, and much more secure world of Solaris 10.
Automatically Mirroring the Boot Disk with Custom JumpStart Matthew Cheek One of the unsung heroes of the Solaris Operating Environment (OE) is the Custom JumpStart facility. This powerful framework permits a Solaris systems administrator to automatically install or upgrade multiple systems based on pre-defined Profiles. This is especially valuable in environments with many, similarly (or identically) configured servers as it can result in absolute consistency across machines. Once the JumpStart server components are properly provisioned, a completely automated, hands-free Solaris installation is possible. In addition to automating the basics of a Solaris installation, such as partitioning disks, selecting software groups, and configuring network interfaces, Custom JumpStart also provides for the execution of pre-installation and post-installation scripts, which permits absolute customization of the install process.
Wedding Samba to an Active Directory Domain Brett Lymn Recently, Microsoft has changed the way it stores details for a user. Gone are the Primary and Backup domain controllers, where the Primary Domain Controller was the master of all and the Backup domain controllers provided a partial service in the event the Primary went down. In its place is a new, more distributed system called Active Directory where all the authentication servers are peers that replicate the active directory contents between them.
TCP/IP and Security Arnaud Aubert The worldwide success of the Internet rapidly made TCP/IP the most widely used network protocol. Despite its popularity, it lacks some important features, especially regarding security. In fact, TCP/IP can neither ensure that the hosts you're communicating with are the ones you think they are, nor prevent the data from being captured. For example, passwords used in protocols like HTTP, POP3, or telnet are not usually encrypted.
Solaris™ BSM Auditing Hal Pomeranz When enabled, the Solaris Basic Security Module (BSM) can create an extremely detailed audit trail for all processes on the system. The level of auditing produced is at the level required by systems attempting to achieve the DoD "C2" level certification. The simplest description of BSM auditing that I've been able to come up with is to imagine running truss -- the Solaris system call tracing tool -- on every single process on the system and saving the resulting output to a file. BSM actually provides even more detailed information than that.
PrimePower, SPARC, and the Advanced Product Line Mike Scott In June 2004 Sun Microsystems and Fujitsu ended months of speculation by announcing a partnership and consolidated roadmap for their products in an effort to cut research/development and manufacturing costs of the next generation product line.
Questions and Answers Amy Rich
Change Control Bob Ess What do you mean the DNS server was being patched -- didn't you discuss that with the server team? How could the network guys be working on the core when you were updating the app server? Don't you guys talk?
Building a Bridge-Based Firewall Gleicon S. Moraes Bridges are network devices that were widely used in older network setups (like Novell's NetWare) and are still in use in some equipment, such as xDSL modems. Put simply, they copy network packets from one interface to another, making it possible to join two different network buses (or types), as is the case with DSL bridges.
Centralized Logging for UNIX, Windows, and Network Devices Corey Ramsden There's nothing sexy about log files, but where would we be without them? They are our eyes and ears for the digital jungle. Like other senses, they can overload us with too much information from too many sources. One way to get a handle on this problem is to consolidate logging to one or more central loghosts.
SSH-Access Sean Mostafavi These days, it seems that I travel all over the place. When I receive a call that one of the Web servers is down, I find the nearest machine connected to the Internet and establish a Secure Shell connection to see what's going on. In light of recent bugs found in OpenSSL and OpenSSH, I am wary of having an sshd process running and accepting connections from anywhere in the world. So like most other good admins, I limit who is authorized to access the Secure Shell port.
Using FCheck Jason Perlman One of the main tasks for systems administrators is monitoring their systems for file tampering. This can be accomplished by using commercial products such as Tripwire or, in this case, FCheck. I have come up with a blueprint and scripts that improve the usability and security of FCheck.
Debugging SSL Ryan Matteson The SSL and TLS protocols have become the standard for securing network communications. These protocols provide confidentiality, authentication, and message integrity, but add additional complexity to client/server communications. This situation is most evident when application maintainers and systems administrators need to debug application-layer protocols protected by SSL. In this article, I will discuss two utilities -- ssldump and openssl -- that can help debug applications utilizing SSL.
Eight Great Reasons to Love Lynx Dave Taylor Take a deep breath, and let's go back in time a few years to Windows 95. Think about people saying "Leenucks? What's that?" and just maybe imagine being in a public place without 10% of the people chatting away on cell phones. Remember an upstart company called Netscape and a browser formerly known as NCSA Mosaic. And let's go back just a little bit further...
Off-Host Backup Processing with Veritas FlashSnap Borislav Stoichkov Backup times and the resources associated with them are becoming more and more important in the evolving model of 24/7 application development and content management. Developers all over the world collaborate on the same projects and access the same resources that must be 100% available during the business hours of their respective time zones. This gives systems administrators very little room to completely satisfy their customers -- the developers.
Questions and Answers Amy Rich
Checking Email with PHP Russell Dyer As a consultant I'm often away from my office and will miss email from clients. With Web access to my email server, I can read and send mail; however, I don't have time to keep checking email when I'm working. Instead, I've written a program in PHP that checks email for me. I have cron run it every 15 minutes. If there's a message, PHP sends a text message to my cellular telephone letting me know. In this article, I will review this PHP script as a learning opportunity.
Process Tracing with the Linux Trace Toolkit B. B. Ramya, V. Pavithra, B. Thangaraju Debugging an application or kernel program can be done with the GNU Debugger (gdb), Linux Kernel Source Level Debugger (kgdb), or Linux Kernel Debugger (kdb), but if we want to trace a particular process, we must use the strace utility, which will trace system calls and signals. Strace will trace only one process and present the result in text form. To trace many processes in a given period of time, Linux Trace Toolkit (LTT) is a better choice.
Locking Down Linux with Bastille Kristy Westphal As is widely known throughout the security community, default installations of operating systems are not very secure with regard to file system permissions, services enabled by default, and access control settings. Although many vendors are attempting to make their operating systems better by default, there are still some basic checks that can be done to make a system even more secure.
Strong Passwords with PAM Hal Pomeranz Standard Unix reusable passwords are not really a good authentication system. However, the costs associated with migrating to an alternate authentication system, such as two-factor token authentication or smartcard-based systems, are too high for most enterprises. So sites are generally left with the "lowest common denominator" option provided by their vendors.
Contingency Planning: Lessons Learned from the 9/11 Tragedy Lisa M. Jaworski The terrorist attacks that occurred on September 11, 2001, resulted in terrible human loss. Additionally, many buildings were destroyed or damaged to the extent that they had to be condemned. From an Information Technology (IT) perspective, networks were brought down, equipment and cabling were obliterated, and on-site and local backup tapes were destroyed. Because of the lengthy, ensuing chaos in the local area, it was very difficult for businesses, whose key IT functions were disabled, to bring disaster recovery personnel into the area. An unknown number of users lost Internet connectivity because their Internet Service Providers (ISPs) had points of presence in the World Trade Center [14].
WebJob -- Virtual Evidence Locker and Administration Tool Dave Mangot WebJob is a program written by Klayton Monroe of KoreLogic (http://www.korelogic.com) that allows you to download and execute code from a remote server in an easy and secure manner. The original intent of WebJob was to aid in the performance of incident response and triage on potentially compromised, or otherwise "hostile" systems. What Klayton created, however, is an extremely versatile and powerful tool that has many applications.
Dissecting PC Server Performance Bryan Smith Servers are all about I/O. Commodity PC servers have rarely offered high-performance I/O, until now. In this article, I'll dissect PC server design and discuss how to evaluate the performance of AMD Opteron solutions.
Enter the Storage Administrator Greg (shoe) Schuweiler The tasks of a systems administrator's job are changing. In small and large environments, systems administrators used to spend their days (and nights) managing any number of servers with locally attached disks with an occasional timeout for a game of X-Pilot, Doom, etc. We tuned the servers, managed the disks and the data, and backed up the data to locally attached tape drives.
Questions and Answers Amy Rich
Solaris 10 x86 on VMware Peter Baer Galvin The history of the x86 releases of Solaris is long and sordid, full of mystery, promise, heartache, and resignation. However, with Solaris 10, Sun is promising full, renewed support of the x86 platform, including Intel and AMD chip support. Even though we are still a few months from the official release of Solaris 10, I wanted to test this new Sun resolve and determine whether Solaris 10 x86 is a usable, feature-rich, first-class citizen. This month's Solaris Companion discusses installing and testing S10 x86 within the VMware environment. In a subsequent column, I'll describe an install to native hardware.
Trapping Special Characters in the Korn Shell Ed Schaefer, John Spurgeon Have you ever needed to know whether a user pressed the up arrow key or some other unprintable character from within a shell script? The Korn shell provides no command for detecting whether a user has pressed a special character (arrow keys, function keys, and control key sequences). With a little programming, and by setting certain terminal driver options with the stty command, you can detect these keys. In this column, we'll:
-Discuss special key composition and how to use the stty command in a shell script to break down the composition.
-Present shell function GetKey, which determines whether a special key has been pressed (the unprintable control characters are embedded in the script).
-Present shell function NewGetKey (a rewrite of GetKey), which does not use embedded, unprintable control characters, thus improving script portability.
-Conclude by presenting a "C" utility -- keycode -- that, with the press of a key, displays the key and its value in decimal, octal, and hexadecimal.
Using IPFilter to Protect Your Datacenter Mike Scott Security in the datacenter is a deeply contentious topic. Many people recognize the importance of the requirement, but unfortunately most companies shy away from the complexity of implementing adequate security even for their most critical servers.
tSmoke: Automating Availability Measures with Smokeping Dan McGinn-Combs I manage a global network. Although I am on call all the time, it is not unusual for my colleagues in different time zones to refrain from calling me during my night. Even so, I like to know whether something is down on the network when I wake up in the morning. That way, I have some idea about how much of my day will be consumed with fighting fires and how much I can dedicate to my day job.
Crontrolling Your Crontabs Matthew Hoskins Crontab files were designed to be modified from within an editor. This poses a problem if you want to automate or script crontab manipulations. Most initial operating system installs come with a basic set of housekeeping cron jobs scheduled to run at various times. As a systems administrator, you probably replace many of these built-in jobs or augment them with homegrown programs. This can easily be accomplished during the operating system install by replacing the standard crontab file, wherever it may be. But after installing the OS, you may also install applications and services. Unless all your systems do exactly the same thing, you will most likely need to install different crontab entries on different systems and update them over the life of a system.
Unix Monitoring Scripts Damir Delija It is impossible to do systems administration without monitoring and alerting tools. Basically, these tools are scripts, and writing such monitoring scripts is an ancient part of systems administration that's often full of dangerous mistakes and misconceptions.
Windows Client Backups with rsync and FreeBSD Geoff Breach We've all heard of those new "fast and unreliable" hard disks that have replaced the "slow and unreliable" ones that we used in the past. Well, during this past year, all of the unreliable ones seemed to be happening to me, and so I needed a solution to keep data loss to a minimum. My environment is a little unique -- most of the computers involved are laptops, and some of them never appear on my LAN. Also, I'm not in a position to demand that my customers make backups. Some may choose
Questions and Answers Amy Rich
UNIX and Microsoft Single Sign-On Simon Biles Whether we like it or not, Microsoft is making inroads into what used to be a Unix-dominated enterprise environment and has made progress in incorporating industry standards into its latest server offerings. Kerberos is now the default authentication method in Windows 2K and up, which has opened doors to a true single sign-on service for both Windows and Unix machines without the need for any third-party solutions.
Linux ACLs Nicholas Kirsch Why use Access Control Lists (ACLs)? Aren't traditional Unix file permissions enough for any situation? Consider, for example, a semester-long software engineering course in which 30 students work in three-member teams on two projects. With traditional Unix permissions, each team/project combination would require a group, because all the team members must be able to collaborate, but teams must be isolated. Additionally, the professor needs access to project files for grading and for remote assistance. With this setup, the systems administrator would need to create 20 unique groups for each semester. If there were four such courses, there would be 80 groups; and if there were four projects, there would be 160 groups. With standard Unix permissions, the students cannot administer the groups themselves and the permissions are not flexible enough to allow the students to share their files with only members of their teams. This obviously becomes a management nightmare and a lot of work for the administrator.
Using LSD to Sync a Solaris Environment Justin Buhler Currently, my team and I manage more than 400 Sun servers for the Athens 2004 Olympic Summer Games. From previous events (see Problem Profile sidebar), I learned that we had a definite need for a centralized Unix software distribution utility. In this article, I will show how we have used the versatility of an LDAP directory, vendor's standard packaging, and a little Perl to achieve centralized and secure software distribution.
System Inventory Using LDAP Kaijun Zhan System inventory is an application with many uses ranging from hardware and software inventory data and collecting business-related information to configuration management and software distribution. Several commercial software options are available in the market. However, some of the challenges to deploying such commercial software are: compatibility with various platforms, integration complexity (heavy customization), high cost due to proprietary concept, function extensibility, lack of data security, and lack of standards. There are also homegrown solutions, such as using scripts and cron jobs to collect data that illustrate the limitations of scalability, security, and standardization.
DNS Security Protocols I: Dynamic Updates Kerry Thompson Of all of the many network protocols used in computer networking, DNS is one of the most fundamental and important. The task of mapping domain names to IP addresses seems simple, and at first approach it is. However, issues arise when that protocol becomes extensively trusted by systems. Packets within the DNS protocol are all sent as clear text, which means that they can easily be read and modified while in transit. DNS uses the UDP protocol, which has no handshaking between clients and servers and is therefore quite susceptible to spoofing attacks. We no longer have a trusted Internet in which we can trust insecure services -- there are malicious attackers that will do their very best to make users go to spoofed banking sites, to swamp everyone with spam, and to generally wreak havoc.
Real-World Uses for OpenSSL Ryan Matteson OpenSSL is an open source toolkit that implements the protocols and algorithms required by the SSL (Secure Socket Layer) and TLS (Transport Layer Security) protocols. The toolkit includes a general-purpose cryptographic API, a full-featured command-line utility, and uses an Apache-style license. In this article, I will introduce the OpenSSL command-line utility and provide several examples of how OpenSSL can be used to secure data and manage digital certificates. Two example shell scripts are included to illustrate how OpenSSL can be used to monitor secure Web servers and provide notification when digital certificates are about to expire.
Computing Environment Crisis Management Debby Hungerford Power out? Servers not responding? Phone ringing off the hook? Monitoring systems sending lots of email? If any of these or other obvious signs of trouble are beginning to wreak havoc at your place of work, it's time to reach for that Big Red "Crisis Cookbook" and follow the procedures.
Introduction to Oracle Recovery Manager Backups Sean Scott Taking a physical backup of an Oracle database is no simple task. For years, DBAs depended on complex shell scripts that would extract lists of all the files that needed backup, build SQL and Unix commands to put tablespaces into backup mode and copy files, and monitor the process for exceptions. Backups for large databases could run for hours because the process simply made a copy of each database file, and there was no provision for incremental backups. Perhaps the deepest, darkest fear of any DBA was to perform a database recovery and realize that the entire plan was invalid due to the lack of one small, yet crucial, file.
Database Migrations the VxVM Way Rainer Raab The duties of a Unix systems administrator range from the simple and mundane, to the complex and mission-critical. We are often called upon to reset a password, remove an unwanted file, restore a backup, apply security patches, etc. Though not very challenging, these tasks are important and must be performed with vigor. Less frequently, we are enlisted to perform a challenging task, offering us a chance to learn something new and prove our worth. Such tasks include operating system upgrades, building Web server farms, allocating new disk arrays, and database migrations, to name a few. Database migrations, which are the most complex and mission critical, offer the most reward and the opportunity to add new skills to one's oeuvre.
Questions and Answers Amy Rich
Monitoring a SAN with MRTG Mike Scott Storage area networks (SANs) are relatively new to the sys admin's toolbox and they bring a plethora of benefits. Unfortunately, they also bring complexity. SAN technology can potentially connect a server to hundreds or even thousands of storage devices via a single fibre pair. Similarly, a single host with multiple host bus adaptors (HBAs) can generate a huge amount of cross-SAN traffic, potentially causing contention on shared devices.
TKCluster Tom Kunz Linux has shown a lot of growth in the area of data-centric, high-availability clustering. Most admins are already familiar with computational clusters, known loosely as Beowulf clusters, which are implemented in the form of MPI, PVM, LAM, MOSIX, and other process-sharing and process-distributing technologies. There are also "Web service clusters", such as those distributed in years past by TurboLinux and others. These were typically groups of similarly configured servers that used DNS and round-robin IP address tricks to give the illusion of Web server high-availability to end users.
QoS Through the Network Gilbert Held In this article, I will point out some of the limitations of DiffServ and then examine an alternative approach to QoS based on Integrated Services and the use of RSVP. I will briefly describe and discuss a few techniques that can facilitate obtaining a QoS capability under different networking environments. There are many aspects associated with QoS that make network managers and LAN administrators yearn for the good old days when the use of 64-Kbps time slots was the only way to obtain a Quality of Service.
Getting Out/Getting In David Beecher It's 3 a.m. and you have been paged by one of your monitoring systems that another service is down. Your employer requires extreme security. There is no modem pool behind your fireline with which you can get inside, and no one can justify the cost of a VPN to your CEO. Also, because your fireline is managed by another corporate entity, there is no access through the "front door" to allow you to tunnel in to do maintenance. That means it's time to drive down to the office and hope your keycard still works. Here's an alternative.
Keeping Your Web Content in Sync Adam Olson This article is all about keeping the content in your Web server farm synchronized with rsync. rsync is a very handy program that provides a simple way to mirror content across a number of machines. I'll show how to design a straightforward content push system to keep front-end Web server content synchronized. There are plenty of ways to utilize a program like rsync; this is just one of them.
Using PortSentry and LogCheck Anthony Cinelli A successful network roll out begins and ends with security. No matter what amount of money is spent obtaining the latest and greatest hardware and software for a system, it can be rendered worthless if its security is compromised. Unfortunately, keeping up with system security can be a tedious task. An administrator must constantly stay aware of updates to currently used software, as well as the latest system compromise techniques. Due to this difficulty, system security is often lacking in many areas. All of this changed for me when I discovered the freeware tools offered by Psionic Software, Inc. called PortSentry and Logcheck. These tools can be quickly installed and configured on a system to improve its security.
Automatically Restart Login Services on a Remote Host Hiu F. Ho If you manage a server that is offsite, one of the worst things that can happen is that you can no longer log onto it, and you have to spend hours driving to the server in order to fix the problem. A number of problems, ranging from hardware failures to software problems, can keep you out of touch with your remote servers. For software-related problems, however, it may be possible to let the server automatically resuscitate your login service.
Tools Built to Sort Through Snort Kristy Westphal Snort, the lightweight network intrusion detection system, is already a great tool for any security-conscious network (see "Snort -- A Look Inside," Sys Admin, September 2000). The latest version of Snort, 1.7, has many new features above and beyond 1.6, including dynamic rules (rules that can turn on other rules), statistical anomaly detection preprocessor, improved IP defragmentation preprocessor, and a TCP stream reassembly preprocessor. New features and functions are continuously added.
WTMP: Another Step Toward Centralizing Event Management Joe Aguiar This article addresses yet another aspect of centralized event logging and management: integrating data from the UNIX wtmp file into the syslog text files. Because wtmp is not a text file, the typical shell commands are of limited use when examining its contents. I will discuss how to examine and integrate the data with the UNIX syslog utility for processing with familiar tools, using a package written in C called logutmpd.
Simplifying WindowMaker Menus in a Distributed Environment Anthony Taylor Choosing a window manager for a distributed system is tough. When a single system serves up the desktop for many users, the window manager must be efficient; there's always a trade-off between functionality and memory and CPU use.
Multi-Vendor LAN Troubleshooting Tom Podnar During an infrastructure planning session, our IT department realized that we were running out of IP addresses more quickly than anticipated. Given the current rate of expansion, we estimated that we would be out of usable IP addresses within 90 days. We decided a NAT (Network Address Translation) implementation would remedy the situation and selected a Cisco router-based solution as the foundation of our NAT LAN upgrade project.
A Flexible System for Centralized Backup Ed L. Cashin Storage capacity is growing, and the increasing centralization of storage capacity is a current trend. Companies are buying storage area networks (SANs) and tape robots. A plethora of software products are available to help us back up diverse clients to centralized storage, but you may already have all the software you need.
Keeping Data in Sync::rsync Chris Hare Data management is an ongoing issue that plagues many companies. Organizations are constantly looking for ways to move data securely between systems in an automated fashion, keeping file systems or data files synchronized, or simply ensuring a group of systems have common data.
Questions and Answers Jim McKinstry
Books: A User's Report Elizabeth Zinkann Traditionally, January is Sys Admin's Linux issue. It is an excellent way to begin a year, and it is particularly enjoyable this year. Enthusiasm for Linux and for the Open Source community has never been as widespread as it is currently (perhaps with the exception of a certain area in Washington state). There are many excellent books to choose from, no matter what Linux distribution you choose to install. The books reviewed in this column include: User Friendly by Illiad (O'Reilly & Associates, Inc.); Red Hat Linux 6 Server by Mohammed J. Kabir (M&T Books); The No B.S. Guide to Red Hat Linux 6 by Bob Rankin (No Starch Press); and Linux: Installation, Configuration, and Use, Second Edition by Michael Kofler (Addison-Wesley).
Practical IP and DNS Tips Ron Jachim In the practice of systems administration, IP addressing and naming can eat you alive. Most networks aren't planned, they just grow. Consequently, an inordinate amount of time is spent handling the bookkeeping tasks like making client end changes. Although the reason for changing the email services to a new box may be valid, the process of implementing that change can be time consuming. Similarly, modifying client IP addresses and names is a nightmare unless some controls can simplify the process. In this brief article, I present a series of tips and tricks to help you better manage your DNS. This is not a tutorial on DNS. Instead, this is more of a field guide to good practices to help you effectively use DNS to reduce your workload.
Fast Port Speeds Do Not Build Optimized Networks Ron McCarty Hardware vendors now offer increasingly fast switches and routers for organizations with larger bandwidth needs -- which means most organizations. In a few short years, we have moved from 10-Mbps shared Ethernet segments and edge routers, to switched (10-Mbps and 100-Mbps) networks to the desktop, with 100-Mbps and more found on the backbone using FDDI, Fast Ethernet, Gigabit Ethernet, and ATM. However, upgrades to higher port speeds and even speedier backbones have not always provided the expected results.
Creating and Deploying a Honey Pot David Endler As the name suggests, the main idea behind a honey pot is to tempt crackers and intruders away from critical information with bait in the form of a seemingly vulnerable computer host. By doing this, we hope to glean information about the identity, motives, and skill of a potential perpetrator, which is sometimes more valuable than simply terminating his connection. Once an intruder gains access to the honey pot, it is useful to provide further bogus information to keep him logged in and occupied so that he might give himself away.
Questions and Answers Jim McKinstry
Building a Web-based Java Application Server with Apache JServ Don Gourley, Wei Wu From the early days of the World Wide Web, systems developers have looked for ways to generate dynamic Web pages, especially for content based on information in databases. Application servers are now available that integrate directly with Web servers to extend Web server processing, without the overhead or complexity associated with previous mechanisms for dynamic content (such as CGI or scripts embedded in Web pages) (Figure 1).
Snort Ron McCarty My columns have recently covered design issues of networking including DNS, caching, and intrusion detection, so a break from the design consideration to a "how-to" is in order. In "Intrusion Detection Strategies and Design Considerations" (Sys Admin, September 1999), I covered intrusion detection issues, and now I will examine Snort, a freely available intrusion detection system.
Isolating Performance Problems Steve Nice Due to the complexity of today's computing environment, isolating performance problems can be difficult and time consuming. If you mix in hardware from a variety of vendors, add a pinch of software from various sources, and stir in support from third-party suppliers, you've created a recipe for disaster. When trying to pinpoint a performance problem, all these ingredients must be considered. Is it the server? Is it the client? Is it the network? In this article, I'll discuss ways to find the answer.
Questions and Answers Jim McKinstry
Router-Based Network Defense Gilbert Held While growing up in Brooklyn, I often heard the expression "da bums" used to refer to the love-hate relationship between the Brooklyn Dodgers and their fans. More recently, I've heard that expression used to refer to computer crackers. Once isolated incidents, these stories of problems caused by crackers now appear on the evening news. Because only a fraction of these problems are actually reported, the threat to organizational networks connected to the Internet may be much greater than we realize, and sales of hardware and software products developed to enhance security now represent a rapid growth industry.
NAT: Network Address Translator Ron McCarty Due to the well-publicized global IP depletion, the Internet community and vendors developed NAT (Network Address Translator). NAT allows organizations to use non-unique addresses (RFC 1918) internally to be translated into unique addresses. NAT is formalized in RFC 1631 and revisited in RFC 2663. Additionally, the IETF has a Web page for its NAT working group at: http://www.ietf.org/html.charters/nat-charter.html. This article covers the intricacies of NAT as well as various architectures that can be deployed within your organization and shows how NAT can help solve network architecture challenges.
Script Manager Ed Quillen Scripting is an invaluable tool for UNIX systems administrators. We constantly fix complex problems with a script here and a script there to keep everyone happy. When a seemingly insignificant and very hard-to-find script breaks for some odd reason, the whole house of cards can fall. The person who wrote that script may be somewhere in Redmond selling penguin dolls or something, and you have to fix the problem. Collecting the following basic pieces of information about scripts will help you solve most scripting problems:
Storage Area Networks -- Achieving Safe Shared Data Access Ken Kutzer, George Ericson The rapid acceptance of external RAID arrays in the 1990s established the way we currently work with storage in a client/server environment. In the future, Storage Area Networks (SANs) will dramatically alter the way we purchase, deploy, and manage storage. SANs will allow us to combine storage devices and servers in large, any-to-any networks, where we can create virtual connections between resources as needed. The drivers for this shift towards storage centralization and consolidation are simple -- boost efficiency, reduce management costs, and improve service levels.
LogViewer Andy Sackrieter, Darrin Husmann In our work as both consultants and systems administrators, we recognized the potential of log files as a valuable nugget in the enterprise systems rhetoric. System and application log files are where competent systems administrators usually find the true cause and applicable solution protocol to most system and application issues. After exhaustive searches, we realized that an easy-to-use, semi-autonomous log viewing application that offers a client graphical user interface did not exist. So, while learning the Perl programming language, we wrote the application described in this article.
Beyond MRTG Bill Kramp It's hard to tell where you should be going if you don't know where you are right now. Without reliable data about your network, it's hard to estimate your upgrade needs, and you may miss the warning signs of impending doom as a section of the network begins to saturate with traffic. In the past, when Ethernet networks were a shared medium, placing a network sniffer anywhere on the network would have allowed you to view any problem that was occurring. However, with the shift to switched 100 Mbps and Gigabit hubs, placing a sniffer between two hubs can be very difficult, or almost impossible. We must turn to the switches themselves to provide that information.
ICMP: The Good, the Bad, and the Ugly Ron McCarty The Internet Control Message Protocol (ICMP) as defined by RFC 792 is a key part of the TCP/IP protocol family. ICMP's most popular application, ping, is possibly the most common network application provided by UNIX and non-UNIX network operating systems.
The Emergence of Convergence Gilbert Held During the 1960s, a popular movie was "The Graduate", starring Dustin Hoffman and Anne Bancroft. In one memorable scene, Bancroft's husband in the movie took Hoffman's character aside and, with one word, told him about the future -- that word was "plastics". In the year 2000, we have a new word that helps express the future direction of communications and is the focus of this article -- that word is "convergence". It is used in reference to the evolving integration of voice and data communications into a common networking infrastructure.
MPLS Part I: The Search for IP Quality of Service Ron McCarty Quality of Service (QoS) and Class of Service (CoS) are two buzzwords many net admins hear on a daily basis. A can of alphabet soup could not likely spell out all the acronyms and jargon surrounding QoS, CoS, voice over, committed information rate, and related technologies, but the net admin can often turn to Internet standards to provide solutions to today's and tomorrow's networking needs. Multiprotocol Label Switching (MPLS) is one such standard that provides some of the building blocks for providing QoS over IP backbones.
Setting Root SUIDed Programs at Work Didier Racheneur The SUID feature lets you alter a program's execution environment. This article describes SUID and provides some example SUID programs -- where there is power, there is danger. The article also includes some security tips for using SUID programs without putting the network at risk.
Implementing Voice and Data Convergence Gilbert Held In my previous article, "The Emergence of Convergence" (Sys Admin, April 2000), I examined the rationale for integrating voice and data over a common infrastructure. I also noted that there are certain characteristics associated with human speech that cause the transmission of digitized voice to be dependent upon the end-to-end delay or latency associated with the communications infrastructure. In this article, I will focus on a number of practical implementation considerations that can make the integration of voice and data over a common infrastructure a reality. Each of the implementation considerations covered may only reduce end-to-end latency delays by a few to tens of milliseconds. However, the savings add up, and (to paraphrase a quote I like to use) a few milliseconds saved here and there can make convergence a reality!
SNMPv3 -- User Security Model Eric Davis This is the first of two articles describing the security features of the SNMP version 3 protocol. The SNMPv3 RFCs describe a new framework that is used for defining the relationships between the SNMP versions 1, 2, and 3 specifications. This framework is partitioned in a modular fashion and is heavily based on previous work (i.e., SNMPv1, SNMPv2c, SNMPv2u, and SNMPv2*).
The Use of Routers in Firewall Setup Matej Sustic Contrary to some opinions, a good firewall does not mean high security even if implemented properly. Even the best firewall can be an easy target if it's not protected by other means. For example, a firewall (or a proxy server) runs on top of an operating system that contains code that is not used by the firewall or proxy. This code includes bugs that can be abused to gain access to the firewall software. Many firewall vendors replace the original IP stacks with their own, but the operating system still remains the same. Some packets are processed by the operating system kernel before the firewall application even gets a chance to inspect them. A good example is an ICMP redirect message, which informs a host about a better path to a destination. Therefore, access and separation routers are used in front and behind the firewall to protect the firewall and the network.
Crypto 101 Kurt Seifried Cryptography is the science (some say art) of keeping data secret. Cryptography allows you to prove identity, or conceal identity, verify the integrity of data, encrypt the data, and a variety of other services that are increasingly critical in the modern world. No one would even consider sending their credit card number over the Internet unencrypted, yet it is routine for administrators to log onto remote systems without any protection with their passwords moving around in plain sight. People send and receive email, not knowing who it is actually from, or if it has been tampered with or read by a third party. Most people will cite complexity or lack of options when asked why they don't use cryptographic software more often. Luckily, this situation has changed a lot in recent years.
MPLS Part II: A Closer Look Ron McCarty In last month's column, I covered IP routing, IP policies and traffic shaping, and the purpose of MPLS. As promised, this month I will cover the MPLS topology and traffic terminology, and some host-based MPLS development sites to watch.
Convergence Economics Gilbert Held In two previous articles, I examined the rationale for convergence and techniques for tuning your network to make the technology work. This last article in this series covering convergence of voice and data transmission onto a common network infrastructure focuses upon economics. Although one of the primary goals of convergence is to reduce the cost of communications, not all methods associated with the transmission of voice over data networks result in economic savings. As shown in the two examples presented in this article, in certain situations it is more economical to simply pick up the telephone and make a call over the existing Public Switched Telephone Network (PSTN) than attempt to integrate new equipment into your network infrastructure. As you might expect, there are other network situations where the economics associated with convergence can be quite appealing and justify the effort involved in making it a reality.
Tiger Kristy Westphal The typical systems administrator has more duties than it is humanly possible to accomplish in a regular work week. Security, unfortunately, always seems to be