Posts Tagged ‘Linux’

[Quicky] Shorewall and opening port ranges

Saturday, December 6th, 2008

Imagine you want to open up a port range to your host ($FW) in your shorewall’s ‘rules’ file. Say you run an Asterisk machine and want to open the RTP ports 10000 to 20000 from the net to that machine; the rule looks like:

ACCEPT  net  $FW  udp  10000:20000

For more reference on Asterisk’s firewall rules, click here.

[PHP] network interface statistics

Saturday, July 12th, 2008

You might find yourself in a position in which you want to read the statistics for your network interface card on a Linux machine. Let’s take eth0 as an example. You want to know the total amount of traffic and the current traffic flow. You’ll need at least two utilities: ifconfig (present by default on any Linux machine) and ifstat. This blog post will use PHP as the language to manipulate the data.

To get the data we want from ifconfig we need:

/sbin/ifconfig eth0 | grep "RX bytes"

This will get us the following line:

RX bytes:3549674055 (3.3 GiB) TX bytes:1118123145 (1.0 GiB)

We can use this to see the number of bytes received/transmitted. Next thing to do is to get the current traffic of an interface:

ifstat -i eth0 1 1

Which will give us something like:

       eth0
 KB/s in  KB/s out
    1.97     26.63

Pay attention to the “1 1” parameters: they make ifstat take a single one-second measurement and exit, which is what we need.

To parse this data we will need some regular expressions. For ifconfig we need:

/:[0-9]+\b/

This matches the RX bytes and TX bytes counters, which is what we need (the digits run up to a word boundary, so counters longer than ten digits on a 64-bit machine still match). Note that the match includes the “:” symbol, which we will filter out with, for example, str_replace.

For ifstat we need:

/[0-9]+[\.][0-9]{2}/

Which will read KB/s in and KB/s out.

Let’s combine this together in one script:

<?php

$interface = 'eth0';
$grep_path = '/bin/grep';
$ifconfig_path = '/sbin/ifconfig';
$ifstat_path = '/usr/bin/ifstat';

/* the interface name is shell-quoted, so it can never be interpreted by the
   shell should it ever come from user input instead of the constant above */
$iface_arg = escapeshellarg($interface);

/* get the total traffic counters */
$ifconfig = shell_exec("$ifconfig_path $iface_arg | $grep_path \"RX bytes\"");

/* match the counters: ":" followed by digits up to a word boundary (no cap on
   the number of digits, so 64-bit counters above ten digits still match) */
preg_match_all('/:[0-9]+\b/', $ifconfig, $matches);
if (count($matches[0]) < 2) {
    fwrite(STDERR, "could not read the RX/TX counters for $interface" . PHP_EOL);
    exit(1);
}

/* extract the counts and strip out the :'s; the first counter on the line is
   RX (received, i.e. down), the second is TX (transmitted, i.e. up) */
$down = str_replace(':', '', $matches[0][0]);
$up = str_replace(':', '', $matches[0][1]);

/* round to GiB's */
$up = round($up / 1073741824, 2);
$down = round($down / 1073741824, 2);

/* get ifstat output: one measurement over one second */
$ifstat = shell_exec("$ifstat_path -i $iface_arg 1 1");

/* match the two KB/s figures, "in" first, then "out" */
preg_match_all('/[0-9]+\.[0-9]{2}/', $ifstat, $matches);
if (count($matches[0]) < 2) {
    fwrite(STDERR, "could not read the ifstat figures for $interface" . PHP_EOL);
    exit(1);
}

/* extract */
$in = $matches[0][0];
$out = $matches[0][1];

/* print */
echo "up: $up GiB ($out kB/s) down: $down GiB ($in kB/s)".PHP_EOL;

I also added an example to output the data, but of course you’re free to use whatever you like. In this example I formatted the up/down data as GiB, by dividing by 1 GiB (1073741824 bytes).

Example output:

up: 2.72 GiB (26.28 kB/s) down: 0.73 GiB (1.79 kB/s)

Now a final word on 32-bit systems. As you might know, the counter on your network interface will wrap around at the 4 GB mark because a 32-bit integer is used. On a 64-bit computer you’ll not have this problem. To get around this you will need to store the values you get every time you run this script in a file and read them back on every run. Then you can add the two counts together to get the real traffic count. A method is described here. This is an old version of the above script, but it does take the 32-bit problem into account. So combining the above with the other script should enable you to get what you want. Happy coding!
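The wraparound bookkeeping described above, as an added shell example (not the post’s own PHP script nor the linked older version): the counters are parsed from an ifconfig “RX bytes” line with a digit pattern that has no ten-digit cap, and a small state file keeps the previous raw readings and the running totals so that a 32-bit counter that has wrapped since the last run is still added correctly. The function names, the state-file layout and the sample line are this example’s own constructions.

```shell
#!/bin/sh
# Added example, not code from the original post. Names (parse_rx_tx,
# account_delta, update_state, SAMPLE_LINE) and the state-file layout
# "prev_rx prev_tx total_rx total_tx" are this example's own.

# Constructed sample of the line "ifconfig eth0 | grep 'RX bytes'" prints.
SAMPLE_LINE='RX bytes:4294967000 (4.0 GiB)  TX bytes:100 (100.0 B)'

# parse_rx_tx: read an ifconfig "RX bytes" line on stdin, print "<rx> <tx>".
# [0-9][0-9]* has no digit cap, so 64-bit counters above ten digits match too.
parse_rx_tx() {
    sed -n 's/.*RX bytes:\([0-9][0-9]*\).*TX bytes:\([0-9][0-9]*\).*/\1 \2/p'
}

# account_delta PREV_RAW CUR_RAW PREV_TOTAL: add the bytes counted since the
# previous run to the running total and print it. A reading lower than the
# previous one means the 32-bit counter wrapped at 2^32; at most one wrap
# between two runs is assumed, so run it often enough for your link speed.
# awk is used so the arithmetic is not limited by the shell's integer size.
account_delta() {
    awk -v prev="$1" -v cur="$2" -v total="$3" 'BEGIN {
        if (cur >= prev) delta = cur - prev
        else delta = (4294967296 - prev) + cur   # wrapped at 4 GiB
        printf "%.0f\n", total + delta
    }'
}

# update_state STATE_FILE: read one counter line on stdin, update the totals
# persisted in STATE_FILE and print "<total_rx> <total_tx>". On the first run
# the totals start at the current readings (what the interface has already
# counted), exactly as if no wrap had ever happened.
update_state() {
    state="$1"
    set -- $(parse_rx_tx)
    [ "$#" -eq 2 ] || { echo "no RX/TX counters found on stdin" >&2; return 1; }
    rx="$1"; tx="$2"
    if [ -f "$state" ]; then
        read -r prev_rx prev_tx tot_rx tot_tx < "$state"
    else
        prev_rx="$rx"; prev_tx="$tx"; tot_rx="$rx"; tot_tx="$tx"
    fi
    tot_rx=$(account_delta "$prev_rx" "$rx" "$tot_rx")
    tot_tx=$(account_delta "$prev_tx" "$tx" "$tot_tx")
    printf '%s %s %s %s\n' "$rx" "$tx" "$tot_rx" "$tot_tx" > "$state"
    echo "$tot_rx $tot_tx"
}

# Typical cron use (not run here), feeding the live line for eth0:
#   /sbin/ifconfig eth0 | grep "RX bytes" | update_state /var/tmp/eth0.counters
```

The state file has to survive between runs and be writable only by the account that runs the job, otherwise a second writer would corrupt the totals; the interface counters themselves are also reset when the interface goes down and up again, which this bookkeeping treats like a wrap and therefore over-counts slightly in that case.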

[Tutorial] Debian tftp server

Tuesday, July 8th, 2008

I found it very hard to set up a tftp server under Debian. Finally I got it working and decided to share it. Actually it’s quite simple, but you’ve got to know the steps.

First install the tftpd daemon:

apt-get install tftpd

Now we will need to edit /etc/inetd.conf and add the line:

tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd /tftpboot

You may notice the usage of the root user in this entry. You could instead use a separate user to which you could apply a quota, which is nice if you have a r/w tftp server but want to avoid people filling up your server’s disk. This is more secure, so very advisable.

Let’s create our /tftpboot directory:

mkdir /tftpboot

Now depending on your setup you’ll need to put the right permissions/ownership on your directory. For r/w use a 777 mask and for r/o use a 555 mask. When using another user for the tftpd server you will need to chown that directory to it. In my case I only needed a 555 mask and ran as root, so the only step I did was:

chmod 555 /tftpboot

The final thing to do is to restart the inet daemon:

/etc/init.d/openbsd-inetd restart

Of course you’ll need to do this after every change to your /etc/inetd.conf.

Happy configuring!

p.s. Most of this should also be applicable to non-Debian machines.

[Script] Security update notifications

Sunday, July 6th, 2008

A short while ago I found a script on a website that checks whether there are any security updates available for your Debian system. The script sends out an email when there are new updates. I don’t know where I got it from, but I do like to share it:

#! /bin/sh
# Debian security updates script

TMP=$(mktemp /tmp/upgrade.XXXXXX)

# refresh the package lists, download the pending upgrades (-d) and then do a
# dry run (-s) so the list of upgradable packages ends up in the temp file;
# errors are captured as well, so a failing mirror also results in a mail
(apt-get -qq update && apt-get -dqq upgrade && apt-get -sqq upgrade) > "${TMP}" 2>&1

# only send mail when there is something to report
if [ -s "${TMP}" ]; then
    mail -s "$(hostname): New security updates available" root < "${TMP}"
fi

rm -f "${TMP}"

I created a cronjob to run the script every day at 0:00. In the morning when I wake up I get an email if there are new updates, and I update my machine with apt-get upgrade, because the packages have already been downloaded by the script. I really enjoy this snippet.

[Tutorial] Periodical rsync over ssh synchronisation

Tuesday, July 1st, 2008

I have found myself in the position that I would like to have regular backups made of some files on my server. Luckily I have a friend who also has a server at home. I heard about rsync but found it insecure, so I looked into tunneling it over ssh and found a solution for it. The remaining problem was doing the backup regularly, so I needed some scheduling: cronjobs! Then another issue arose: what about the ssh session? I can’t put my password in the script, so I needed ssh key authentication. As you can see it was quite a ride to get all things sorted out correctly. That is why I decided to share this.

Note: you don’t need root permissions to do this, except perhaps to install rsync if it is not installed yet.

Ok, where to begin? Well, the most important thing is to have key authentication working, which can sometimes be rather difficult.

For better reference we will now define a naming for the source and the destination servers:

- a = source

- b = destination

Let’s continue:

On host a, open an ssh session to host b so that your ssh client gets familiar with the host key of host b. This will put the key in ~/.ssh/known_hosts and avoids your cronjob hanging on the host-key prompt later on.

On host a:

ssh-keygen -t rsa

If you are asked for a passphrase, leave it empty. Use the default directory offered as the place to store the key.

cd ~/.ssh/
ls -lh

matthias@a:~/.ssh$ ls -lh
total 16K
-rw------- 1 matthias matthias 1.7K 2007-08-26 19:38 id_rsa
-rw-r--r-- 1 matthias matthias  395 2007-08-26 19:38 id_rsa.pub

Now you’ll need to upload ‘id_rsa.pub’ to host b:

sftp matthias@b
sftp> cd .ssh
sftp> put id_rsa.pub
Uploading id_rsa.pub to /home/matthias/.ssh/id_rsa.pub
id_rsa.pub                                                    100% 1675     1.6KB/s   00:01
sftp> exit

You could delete the public key on host a now for security reasons, as it’s no longer used on this host:

rm id_rsa.pub

On host b:

cd ~/.ssh/
cat id_rsa.pub >> authorized_keys

This will enable you to log in with the private key created earlier. You will also need the right permissions on your files because of the ‘StrictModes yes’ that is set by default in any sshd configuration. You should not want to modify this value; instead assign the right permissions:

chmod 700 ~/.ssh
chmod 644 authorized_keys
chmod 644 id_rsa.pub

Talking about permissions, ‘StrictModes yes’ also forces you to have a 755 mask on your home directory:

chmod 755 ~

Ok, test your key authentication by opening an ssh session from host a to host b; as you will see, you will not be asked for your password! It may take longer to log in than normally. If this didn’t work, leave a comment.

Ok, so much for the key authentication. The next thing to do is to create some directory structure, with one directory in which you put the files to synchronise.

Example, on host a and b:

mkdir ~/sync

On host a:

mkdir ~/sync/scripts

This will hold the script that does the synchronisation. I like to put it there, but of course you could put it somewhere else. The choice is up to you!

Now open ~/sync/scripts/sync_script.sh with your favourite editor; it should contain something like:

#!/bin/bash

lockfile="/home/user/sync/scripts/sync.lock"

# skip this run while a previous one is still going; a lock file left behind
# by a run that was killed has to be removed by hand before syncing resumes
if test -e "$lockfile"; then
    echo "another rsync is already in process, will schedule new files for next run !!"
else
    touch "$lockfile"

    # archive mode, compressed, mirror deletions, skip dotfiles, transport over ssh
    rsync -avz --delete --exclude ".*" -e ssh /home/user/sync/ user@b:/home/user/sync

    rm "$lockfile"
fi

Replace ‘user’ with your username and make sure the lockfile can be created! As stated before, this needs some tweaking.

Don’t forget to do:

chmod u+x ~/sync/scripts/sync_script.sh

So this is the synchronisation script! You can run it by issuing:

~/sync/scripts/sync_script.sh

You will probably see your sync script being rsync-ed too, together with your lock file, depending on your configuration. Now you can simply put some files in the ‘sync’ directory on host a, and once the script is called it will synchronise your files!

One thing left to do, scheduling:

crontab -e

Example:

*/5 * * * * /home/matthias/sync/scripts/sync_script.sh > /dev/null 2>&1

This will call the script every 5 minutes, which means my files get synchronised every 5 minutes. You might wonder about race conditions, but due to the ‘lockfile’ these are prevented.
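The lock above is checked with `test -e` and then created with `touch`, which are two separate steps, so two cron runs starting in the same instant can both pass the check; a run that is killed also leaves the lock behind until someone removes it by hand. The following is an added example (not the post’s script) of the same idea done with `mkdir`, which creates the lock or fails as a single atomic operation, plus a pid record so a lock left by a dead run is reclaimed automatically and a trap so the lock is released even when the job is interrupted. The function names and the lock directory path are this example’s own assumptions.

```shell
#!/bin/sh
# Added example, not the post's own sync_script.sh. Names (LOCK_DIR,
# acquire_lock, release_lock, run_locked) are this example's own.

# Default lock location; the post keeps its lock next to the script.
LOCK_DIR="${LOCK_DIR:-$HOME/sync/scripts/sync.lock.d}"

# acquire_lock LOCK_DIR: return 0 if this process now owns the lock, 1 if
# another live run holds it. mkdir either creates the directory or fails, in
# one step, so there is no window between "check" and "create".
acquire_lock() {
    if mkdir "$1" 2>/dev/null; then
        echo $$ > "$1/pid"
        return 0
    fi
    # The lock exists: if the recorded owner is no longer running, the previous
    # run died without cleaning up, so take the lock over (locks are per user,
    # so kill -0 failing really means "no such process").
    owner=$(cat "$1/pid" 2>/dev/null)
    if [ -n "$owner" ] && ! kill -0 "$owner" 2>/dev/null; then
        rm -rf "$1" && mkdir "$1" 2>/dev/null && echo $$ > "$1/pid" && return 0
    fi
    return 1
}

# release_lock LOCK_DIR: drop the lock (the directory and its pid record).
release_lock() {
    rm -rf "$1"
}

# run_locked LOCK_DIR CMD...: run CMD under the lock and release it afterwards,
# also when the job is interrupted. Returns 2 when the lock is busy, otherwise
# CMD's own exit status, so cron mail still reflects rsync failures.
run_locked() {
    lock="$1"; shift
    acquire_lock "$lock" || { echo "another rsync is already in process" >&2; return 2; }
    trap 'release_lock "$lock"' EXIT INT TERM
    "$@"
    status=$?
    release_lock "$lock"
    trap - EXIT INT TERM
    return $status
}

# The cron entry from the post would then call (not run here):
#   run_locked "$LOCK_DIR" rsync -avz --delete --exclude ".*" -e ssh "$HOME/sync/" user@b:/home/user/sync
```

Because the key created earlier has no passphrase, it is worth limiting what it can do on host b: an authorized_keys entry can be prefixed with options such as `from="a"` so the key is only accepted from host a, and `restrict` (OpenSSH 7.2 and later) to disable forwarding and pty allocation for it.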

Well that’s about it, I find it to be useful. Of course you could tweak it some more, but it’s a nice start!

[Tutorial] Debian and quota

Tuesday, July 1st, 2008

Many times you’ll find yourself in a position where some users on your machine are using too much disk space, eventually leading to a crash due to low disk space. Linux enables you to do something about this and luckily it’s very easy. This tutorial is also applicable to other Linux distros, but I’ll stick to Debian because it is my favourite. You are supposed to have root access to be able to follow this tutorial.

First of all if you haven’t already done so:

apt-get install quota

This will install the Debian support utilities for managing quotas for users.

The next thing to do is to edit your /etc/fstab to enable quota on your file system.

You should add ‘usrquota’ (and ‘grpquota’, if you also want to apply quota to groups) to the options of your file system entry.

My fstab looks like the following:

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/hda3       /               ext3    noatime,usrquota,grpquota,errors=remount-ro 0       1
/dev/hda1       /boot           ext2    defaults        0       2
/dev/hda2       none            swap    sw              0       0

Note: there is also an option in the Debian installer to enable these options while installing your computer.

A second note: you can decide on which partition you want quota! If you have a separate /home partition it would be wise to enable quota there instead of on /.

Now to enable quota, you should issue the following commands:

touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

This will create the quota files for keeping track of the quotas and it will remount your partition. Finally it enables quotas! Of course you should note that this is an example for the partition /. Modifying it for /home should be obvious. If not, read a little bit about Linux partitioning on Wikipedia.

There is one other command which is really useful, because after running it users can see how much space they have left themselves:

chmod 664 /aquota.*

So much for the setup, now let’s go to the interesting stuff! Management.

There are a couple of commands to use for management:

repquota
The repquota command is a utility for reporting quota summary information.
 
SYNTAX:
repquota [ -u | -g ] [ -a | filesystem ]
The repquota command only displays user quotas by default, but you can ask for group quotas with the "-g" switch. You also need to specify the filesystem for which you wish to see a report, or use the "-a" switch to see a report for all the filesystems on which quotas are enabled.
root@hephaistos:/# repquota -a
*** Report for user quotas on device /dev/hda3
Block grace time: 7days; Inode grace time: 7days
Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      -- 3991116       0       0         104009     0     0
daemon    --      52       0       0              4     0     0
man       --     596       0       0             16     0     0
news      --       4       0       0              1     0     0
www-data  -- 4356468       0       0           2105     0     0

The “block limits” refer to the data blocks (the default is 1 block = 1k). The “file limits” refer to the number of files, or inodes, that have been consumed. The “grace” field corresponds to the number of grace days remaining before the user is locked out of their account. The user has until that time to reduce their quota to below the “soft” level.

edquota
You can use the edquota command to edit user and group quotas.
 
SYNTAX:
edquota [ -u | -g ] <username or groupname>

For example, to edit the quota for “matthias”:

edquota matthias

This opens the editor specified in your profile; for me it’s vim:

Disk quotas for user matthias (uid 1000):
Filesystem                   blocks       soft       hard     inodes     soft     hard
/dev/hda3                  82424620  104857600  104857600      48139        0        0

The “blocks” and “inodes” fields cannot be edited; they are there for information purposes only. However, you can edit the soft and hard fields. The first pair refers to blocks, the second to inodes.

As you can see I have a soft and a hard limit of 100G (1024 * 1024 * 100 = 104857600 blocks).

You can now save your changes, if you made any. If you make an error you will be halted, so making mistakes is not easy, but you could set a limit lower than the size of the files the user currently possesses, so that no files can be created anymore! So be careful when using this tool.

quota
Unlike repquota and edquota, which only the root user can make use of, the quota command is available to all users, and it allows them to query their current quota information.
 
SYNTAX:
quota [ -q ] [ username ]
root@hephaistos:/# quota matthias
Disk quotas for user matthias (uid 1000):
Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
/dev/hda3 82424620  104857600 104857600           48139       0       0

When a normal user calls ‘quota’ they will see their own quota.

The -q option only shows the quota when it has been exceeded.

The ‘quota’ command is also a nice command to put in your /etc/profile, because it will show a user’s quota when they log in! Using the -q option is a nice solution to not always confront the person with his or her quota, but only when he/she is exceeding or nearly exceeding it.

So that’s about it with quotas. I suggest you create a test user to play with and set low quotas on it. That way you can try to copy a large file to its home directory, and you will see the copy fail because of the quota limitations.
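As an added example (not part of the original tutorial), the repquota output shown above can also be turned into a warning list for the administrator, in the same spirit as `quota -q` is for the user: the function below reads `repquota -a` style output and reports every user whose block usage is at or above a given percentage of a non-zero soft limit, so users approaching their limit are noticed before the grace period runs out. The function name and the sample report are this example’s own constructions, laid out like the report in the tutorial.

```shell
#!/bin/sh
# Added example, not from the original tutorial. The name quota_warnings and
# the sample report below are this example's own constructions.

# Constructed sample in the layout of "repquota -a": user, flag column
# (-- within limits, +- over the block soft limit), block used/soft/hard,
# an optional block grace column, then inode used/soft/hard.
SAMPLE_REPQUOTA='*** Report for user quotas on device /dev/hda3
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      -- 3991116       0       0         104009     0     0
alice     --  950000 1000000 1100000            120     0     0
bob       +- 1200000 1000000 1100000  6days     300     0     0
carol     --  400000 1000000 1100000             50     0     0'

# quota_warnings PERCENT: read repquota output on stdin and print
# "<user> <used> <soft> <pct>%" for each user at or above PERCENT (default 90)
# of a non-zero block soft limit. Only lines whose second field is the two
# character flag column are data lines, so banners and headers are skipped;
# a soft limit of 0 means "no limit" and is never reported. Only the third
# and fourth fields are used, so the optional grace column cannot shift them.
quota_warnings() {
    awk -v pct="${1:-90}" '
        $2 ~ /^[-+][-+]$/ && $4 > 0 {
            used = $3; soft = $4
            usage = used * 100 / soft
            if (usage >= pct) printf "%s %d %d %d%%\n", $1, used, soft, usage
        }'
}

# Real use (not run here): repquota -a | quota_warnings 90
```

On a live system the report can be mailed to root from cron the same way the security update script earlier on this page does, and the threshold can be set to 100 to list only users who have actually crossed their soft limit.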

Quota is a powerful tool, but use with care!