Nasser Heidari

2009-07-31

Linux Ethernet Bonding

Filed under: Linux — Nasser Heidari @ 18:31

Bonding allows you to aggregate multiple ports into a single group, effectively combining their bandwidth into a single connection. Bonding also lets you create multi-gigabit pipes to carry traffic through the busiest areas of your network. For example, you can aggregate three megabit ports (1 Mb each) into a single three-megabit trunk port, which is equivalent to having one interface with three megabits of speed.
You can use it wherever you need redundant links, fault tolerance or load balancing. It is an effective way to build a highly available network segment. Bonding is also very useful in combination with 802.1q VLAN support (your network equipment must implement the 802.1q protocol).

In order to configure Ethernet bonding, the kernel must have support for bonding:

# modprobe --list | grep bonding

/lib/modules/2.6.26-2-686/kernel/drivers/net/bonding/bonding.ko

Then:

# modprobe bonding mode=0 miimon=50          # load the bonding module
# ifconfig eth0 down                          # bring the eth0 interface down
# ifconfig eth1 down                          # bring the eth1 interface down
# ifconfig bond0 hw ether 00:12:34:56:78:90   # change the MAC address of the bond0 interface
# ifconfig bond0 192.168.0.254 up             # bond0 must have an IP before ethX interfaces can be enslaved
# ifenslave bond0 eth0 eth1                   # make eth0 and eth1 slaves of bond0

Now you can check the configuration by entering this command:

# cat /proc/net/bonding/bond0

Ethernet Channel Bonding Driver: v3.2.5 (March 21, 2008)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 50
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 1
Permanent HW addr: 08:00:27:d7:a8:cb

Slave Interface: eth1
MII Status: up
Link Failure Count: 1
Permanent HW addr: 08:00:27:a9:e3:bf
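A status check built on this output, added here as an example and not part of the original post: it reads the /proc/net/bonding text on stdin, warns about any slave whose MII link is not up, notes non-zero failure counts, and exits non-zero when a slave is down. The function name check_bond_status and the sample (the post's output with eth1 marked down and three failures) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: parse /proc/net/bonding/bondX
# status text and report any slave whose MII link is down or that has
# recorded link failures. Reads the status on stdin so it can run against the
# constructed sample below instead of a live bond.
check_bond_status() {
    awk '
        /^Bonding Mode:/    { sub(/^Bonding Mode: */, ""); mode = $0 }
        /^Slave Interface:/ { slave = $3; nslaves++ }
        # the first "MII Status" line belongs to the bond itself (slave is empty)
        /^MII Status:/ && slave != "" && $3 != "up" {
            printf "WARN %s link %s\n", slave, $3; bad++
        }
        /^Link Failure Count:/ && slave != "" && $4 > 0 {
            printf "INFO %s failures=%d\n", slave, $4
        }
        END {
            printf "mode=%s slaves=%d down=%d\n", mode, nslaves + 0, bad + 0
            exit (bad > 0 ? 1 : 0)
        }
    '
}

# Constructed sample: the post's output with eth1 down and three recorded failures.
SAMPLE_BOND_STATUS='Ethernet Channel Bonding Driver: v3.2.5 (March 21, 2008)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 50
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 08:00:27:d7:a8:cb

Slave Interface: eth1
MII Status: down
Link Failure Count: 3
Permanent HW addr: 08:00:27:a9:e3:bf'

# Live use would be: check_bond_status < /proc/net/bonding/bond0
printf '%s\n' "$SAMPLE_BOND_STATUS" | check_bond_status || echo "bond0 is degraded"
```

On a real host the function is fed from /proc/net/bonding/bond0; the non-zero exit status makes it usable from cron or a monitoring agent.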

You can set up your bond interface according to your needs. By changing one parameter (mode=X) you can select any of the following bonding types:
mode=0 (balance-rr)
Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.

mode=1 (active-backup)
Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond’s MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.

mode=2 (balance-xor)
XOR policy: Transmit based on [(source MAC address XOR’d with destination MAC address) modulo slave count]. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance.

mode=3 (broadcast)
Broadcast policy: transmits everything on all slave interfaces. This mode provides fault tolerance.

mode=4 (802.3ad)
IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification.

Pre-requisites:
1. Ethtool support in the base drivers for retrieving the speed and duplex of each slave.
2. A switch that supports IEEE 802.3ad Dynamic link aggregation. Most switches will require some type of configuration to enable 802.3ad mode.

mode=5 (balance-tlb)
Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.

Prerequisite:
Ethtool support in the base drivers for retrieving the speed of each slave.

mode=6 (balance-alb)
Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPv4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond, such that different peers use different hardware addresses for the server.

The first four modes are the most commonly used.

For more information, refer to these pages:
http://sourceforge.net/projects/bonding
http://linux-ip.net/html/ether-bonding.html
http://www.linuxfoundation.org/en/Net:Bonding
http://www.linuxhorizon.ro/bonding.html
http://www.howtoforge.com/nic_bonding


2009-07-29

Sum using awk

Filed under: Linux — Nasser Heidari @ 10:28

Sum a column of file sizes output from an ls command using awk:

# ls -l *.iso | awk '{ SUM += $5} END { print SUM/1024/1024 }'

The command below shows the amount of resident memory (in MB) used by Apache:

# ps -ylC httpd --sort:rss | awk '{ SUM += $8 } END { print SUM/1024 }'

VMware ESX, killing a virtual machine that won’t die!

Filed under: Miscellaneous — Nasser Heidari @ 05:12

Sometimes the Virtual Center won’t do the job: your virtual machine has hung and you need to kill it. Here are two examples of how you can kill the VM from within the service console:

1. The vmware-cmd command

* Log on to the service console and issue the following command: vmware-cmd /vmfs/volumes///.vmx stop. You must not use the friendly datastore name. If you need to know the location of all VMs, type vmware-cmd -l, which lists all VMs and the location of the corresponding .vmx file.
* If that fails, try it with the hard option: vmware-cmd /vmfs/volumes///.vmx stop hard. This command just tries to kill the VM without shutting it down.

2. Kill it using the PID

* Run the following command: ps auxfww | grep to locate the correct PID of the virtual machine; the first number in the output is your VM’s PID. Use that PID to terminate the process by issuing kill -9

2009-07-24

SMTP Auth – Postfix and SASL (Debian)

Filed under: Linux — Nasser Heidari @ 07:06

# apt-get install sasl2-bin libsasl2 libsasl2-modules

Now edit /etc/default/saslauthd:

START=yes

Now we should create /etc/postfix/sasl/smtpd.conf :

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Ok, let’s add some lines to /etc/postfix/main.cf to enable SASL:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

Postfix runs chrooted, so it cannot reach the saslauthd socket at its default location. This is the tricky part:

# rm -r /var/run/saslauthd/
# mkdir -p /var/spool/postfix/var/run/saslauthd
# ln -s /var/spool/postfix/var/run/saslauthd /var/run
# chgrp sasl /var/spool/postfix/var/run/saslauthd
# adduser postfix sasl

Now restart Postfix and start saslauthd:

# invoke-rc.d postfix restart
# invoke-rc.d saslauthd start
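The following lint over the main.cf settings is an added example, not part of the original post or of Postfix: pf_get and lint_sasl_conf are names chosen here, and the sample file is constructed. Besides the three settings above it checks smtpd_tls_auth_only, a standard Postfix parameter the post does not mention; with mech_list PLAIN LOGIN the password travels base64-encoded rather than encrypted, so offering AUTH only inside TLS is the check a practitioner wants next to this setup.

```shell
#!/bin/sh
# Added example, not from the original post: a small lint for the SASL-related
# settings in a Postfix main.cf. Continuation lines (a value wrapped onto
# indented lines) are not handled; "postconf -n" output, which is one
# "name = value" per line, works as input too.

# pf_get PARAM FILE : value of the last uncommented "PARAM = value" line
pf_get() {
    awk -v key="$1" '
        /^[ \t]*#/ || index($0, "=") == 0 { next }
        {
            name = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", name)
            if (name == key) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
            }
        }
        END { print val }
    ' "$2"
}

# lint_sasl_conf FILE : one finding per line; exit status 1 if anything FAILs
lint_sasl_conf() {
    f="$1"; fails=0
    if [ "$(pf_get smtpd_sasl_auth_enable "$f")" = "yes" ]; then
        echo "OK   SASL authentication enabled"
    else
        echo "FAIL smtpd_sasl_auth_enable is not yes"; fails=$((fails + 1))
    fi
    case "$(pf_get smtpd_sasl_security_options "$f")" in
        *noanonymous*) echo "OK   anonymous mechanisms disabled" ;;
        *) echo "FAIL smtpd_sasl_security_options lacks noanonymous"; fails=$((fails + 1)) ;;
    esac
    case "$(pf_get smtpd_tls_auth_only "$f")" in
        yes) echo "OK   AUTH only offered inside TLS" ;;
        *) echo "WARN smtpd_tls_auth_only is not yes: PLAIN/LOGIN passwords may cross the network in cleartext" ;;
    esac
    case "$(pf_get smtpd_recipient_restrictions "$f")" in
        *reject_unauth_destination*) echo "OK   relaying limited to authenticated and local clients" ;;
        *) echo "FAIL smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)"; fails=$((fails + 1)) ;;
    esac
    [ "$fails" -eq 0 ]
}

# Constructed main.cf fragment: exactly the lines the post adds, nothing else.
SAMPLE_MAIN_CF="$(mktemp)"
trap 'rm -f "$SAMPLE_MAIN_CF"' EXIT
cat > "$SAMPLE_MAIN_CF" <<'EOF'
# constructed sample, not a real server's configuration
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
EOF

# Live use would be: lint_sasl_conf /etc/postfix/main.cf
lint_sasl_conf "$SAMPLE_MAIN_CF" || echo "main.cf needs fixing"
```

Run against the post's fragment the lint passes but emits the WARN line; adding smtpd_tls_auth_only = yes (together with a TLS certificate and smtpd_tls_security_level) clears it.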

2009-07-21

Full Disk Image Backups With dd

Filed under: Linux — Nasser Heidari @ 07:28

Backup

dd if=/dev/sda of=/dev/stdout bs=1M | bzip2 | ssh USERNAME@remotehost "cat - > drive.img.bz2"

Restore

ssh USERNAME@remotehost "cat drive.img.bz2" | bzip2 -dc | dd if=/dev/stdin of=/dev/sda bs=1M
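The round trip below is an added example, not part of the original post: it runs the same dd/bzip2 pipeline in both directions against a small constructed file in place of /dev/sda and a local file in place of the ssh hop, then compares sha256sum digests of the source and the restored copy. The function names are chosen here; bzip2 is used as in the post, with gzip as a fallback where bzip2 is not installed.

```shell
#!/bin/sh
# Added example, not from the original post: image -> compress -> restore a
# constructed "disk" and prove the restore is byte-identical with sha256sum.

compressor() {
    if command -v bzip2 >/dev/null 2>&1; then echo bzip2; else echo gzip; fi
}

# image_disk SRC IMAGE : the post's backup pipeline minus the ssh hop
image_disk() {
    dd if="$1" of=/dev/stdout bs=1M 2>/dev/null | "$(compressor)" > "$2"
}

# restore_disk IMAGE DEST : the post's restore pipeline minus the ssh hop
restore_disk() {
    "$(compressor)" -dc < "$1" | dd if=/dev/stdin of="$2" bs=1M 2>/dev/null
}

# sha256 FILE : hex digest only
sha256() { sha256sum < "$1" | cut -d' ' -f1; }

# roundtrip_ok SRC : exit 0 when image + restore reproduces SRC exactly
roundtrip_ok() {
    work="$(mktemp -d)"
    image_disk "$1" "$work/drive.img"
    restore_disk "$work/drive.img" "$work/restored"
    before="$(sha256 "$1")"; after="$(sha256 "$work/restored")"
    rm -rf "$work"
    echo "source  $before"
    echo "restore $after"
    [ "$before" = "$after" ]
}

# Constructed 2 MiB "disk" filled from /dev/urandom (stands in for /dev/sda)
DISK="$(mktemp)"
dd if=/dev/urandom of="$DISK" bs=1M count=2 2>/dev/null
roundtrip_ok "$DISK" && echo "round-trip verified" || echo "MISMATCH"
rm -f "$DISK"
```

With a real device, record the source digest at backup time (sha256sum /dev/sda) and compare it with the digest of the restored device; the compressed image itself can be checksummed on the remote host the same way.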

2009-07-18

Fun

Filed under: Miscellaneous — Nasser Heidari @ 17:12

Q: What’s tiny and yellow and very, very, dangerous?
A: A canary with the super-user password !!!

2009-07-14

apt-get complains “The following signatures couldn’t be verified because the public key is not available”

Filed under: Linux — Nasser Heidari @ 04:40

If you happen to upgrade using apt-get and get the following error:

# apt-get update
...
Fetched 18.7kB in 3s (5301B/s)
Reading package lists... Done
W: GPG error: http://non-us.debian.org stable/non-US Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F1D53D8C4F368D5D W: You may want to run apt-get update to correct these problems

It means that your APT does not have the needed public key. In the example above, the ID of the missing public key is F1D53D8C4F368D5D. To remedy the problem, do the following:

# gpg --keyserver wwwkeys.eu.pgp.net --recv-keys F1D53D8C4F368D5D
gpg: requesting key 4F368D5D from hkp server wwwkeys.eu.pgp.net
gpg: key 4F368D5D: public key "Debian Archive Automatic Signing Key (2005) " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1

# gpg --armor --export F1D53D8C4F368D5D | apt-key add -
OK
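An added example, not from the original post: a filter that extracts every missing key ID from apt-get output, so the two commands above can be repeated per key when several are reported. The sample input is the post's warning plus a second constructed line whose key ID 0123456789ABCDEF is a placeholder, not a real key. Before apt-key add, compare gpg --fingerprint output for the key with a fingerprint the archive publishes; a key fetched from a keyserver is only as trustworthy as the fingerprint you verify.

```shell
#!/bin/sh
# Added example, not from the original post: print each distinct key ID that
# apt reported as NO_PUBKEY, one per line. Reads apt-get output on stdin and
# copes with several warnings per run and several IDs on one line.
missing_apt_keys() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "NO_PUBKEY") print $(i + 1) }' | sort -u
}

# Constructed sample: the post's warning plus a second repository with a
# placeholder key ID (0123456789ABCDEF is not a real key).
SAMPLE_APT_OUTPUT=$(cat <<'EOF'
Fetched 18.7kB in 3s (5301B/s)
Reading package lists... Done
W: GPG error: http://non-us.debian.org stable/non-US Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F1D53D8C4F368D5D W: You may want to run apt-get update to correct these problems
W: GPG error: http://example.invalid stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF
EOF
)

# Live use would be: apt-get update 2>&1 | missing_apt_keys
printf '%s\n' "$SAMPLE_APT_OUTPUT" | missing_apt_keys
```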

Have a nice hacking ;)

2009-07-10

Netcat: The TCP/IP Swiss army knife

Filed under: freebsd,Linux,Miscellaneous,Security Tips and Issues — Nasser Heidari @ 13:44


Netcat is a full-featured networking utility which reads and writes data across network connections using the TCP/IP protocol.
It is designed to be a reliable “back-end” tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

In this little guide I’ll quickly cover some very helpful uses of netcat.

Simple Chat:

The simplest example of netcat usage is to create a server-client chat system. In the following example it is assumed that the machine that creates the listening socket (the server) has the IP address 192.168.0.1. So, create the chat server on this machine and set it to listen on TCP port 12345:

# nc -lp 12345

or

# nc -l 12345

If you now connect to port 12345 on that host, everything you type will be sent to the other party, which leads us to using netcat as a chat server.
Connect to it from another machine by entering this command:

# nc 192.168.0.1 12345

Now both parties can chat!

Port Scanner:

Netcat can be a port scanner. It does not have as many features as, say, nmap, but if you just want to see what ports are open on a given machine, you can simply do:

# nc -vzw 1 localhost 1-1000

Transferring Files:

Let’s say you want to transfer a file from machine A to machine B; you can use netcat as the file transfer software.
On machine A, run the following, where 12345 is an unused port on which you want to serve the file:

# nc -lp 12345 < myfile.tar.bz2

OR

# nc -l 12345 < myfile.tar.bz2

Then go to machine B and run this command (192.168.0.1 is machine A’s IP address):

# nc 192.168.0.1 12345 > myfile.tar.bz2

Another example:

# tar -czf - /etc/ | nc -lp 12345

and then:

# nc 192.168.0.1 12345 > mybackup.tar.gz

Simple Single page Web Server:

# while true; do nc -lp 8080 -q 1 < test.html; done

Now if you connect to http://YOUR-IP-ADDRESS:8080, you will see the contents of the test.html page.

Netcat as a Backdoor !!!

Netcat can be used as a backdoor! You can specify the shell (or, for that matter, any executable) you want netcat to run on a successful connection with the -e parameter:

# nc -lp 54321 -e /bin/bash

Now if you connect to port 54321, you will get a shell.
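From the defender's side, the process-list check below is an added example, not part of the original post: it flags netcat processes started with -e (or ncat's --exec/--sh-exec), whether they listen or connect out, which is how a listener like the one above shows up to an administrator. The function name find_nc_exec_processes and the ps lines are constructed; the parsing assumes the 11-column ps auxww layout.

```shell
#!/bin/sh
# Added example, not from the original post: scan "ps auxww" output for
# netcat processes carrying an exec option. Reads ps output on stdin; the
# sample below is constructed, not captured from a real host. The "f" forest
# option used elsewhere on this page would break the column layout.
find_nc_exec_processes() {
    awk '
        NR == 1 { next }                       # skip the header line
        {
            cmd = $11; for (i = 12; i <= NF; i++) cmd = cmd " " $i
            if (cmd ~ "(^|/)(nc|netcat|ncat)( |$)" &&
                cmd ~ "(^| )(-e|--exec|--sh-exec)(=| |$)")
                printf "pid=%s user=%s cmd=%s\n", $2, $1, cmd
        }
    '
}

# Constructed process list: two netcat processes with an exec option (the
# post's shell listener and its uptime service) and one plain nc client.
SAMPLE_PS=$(cat <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  19356  1544 ?        Ss   09:00   0:01 /sbin/init
www-data  1203  0.0  0.2  71120  3104 ?        S    09:01   0:00 /usr/sbin/apache2 -k start
nobody    2310  0.0  0.0   2616   612 ?        S    09:05   0:00 nc -lp 54321 -e /bin/bash
nasser    2401  0.0  0.0   2616   600 pts/0    S+   09:06   0:00 nc 192.168.0.1 12345
nobody    2502  0.0  0.0   8200  1400 ?        S    09:07   0:00 ncat -l 12345 --exec /usr/bin/uptime
EOF
)

# Live use would be: ps auxww | find_nc_exec_processes
printf '%s\n' "$SAMPLE_PS" | find_nc_exec_processes
```

Both exec-style processes are reported, including the benign-looking uptime service, while the plain chat client is not; the check intentionally does not try to judge intent, only to surface the pattern for a human to review.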

Getting System Information

# while true; do nc -lp 12345 -e /usr/bin/uptime; done

The user who wants to obtain system information has to issue the following command:

# nc 192.168.0.1 12345

Identifying the version of a Web server

Filed under: Miscellaneous — Nasser Heidari @ 12:35

I will show you how to identify the version of a Web server using the telnet command.
In the following example, we determine the version of a Web server by issuing a Hypertext Transfer Protocol (HTTP) HEAD request. The HEAD method allows a client to request only the HTTP header information. The output from the HEAD request will help us identify important information about the server, including the type and version of the Web server that is running. To perform a HEAD request, we first make a connection to the target Web server using the telnet command:

telnet www.microsoft.com 80

This simply makes a TCP connection to the Web server. Once the connection is established, issue the following command in the telnet window:

HEAD / HTTP/1.0

After you hit Enter twice, we get the following response (the HTTP header information) from the Web server.

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 1020
Content-Type: text/html
Last-Modified: Mon, 16 Mar 2009 20:35:26 GMT
Accept-Ranges: bytes
ETag: "67991fbd76a6c91:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 10 Jul 2009 12:33:15 GMT
Connection: keep-alive

As you can see from the results, http://www.microsoft.com is, surprisingly, running a Microsoft-IIS/7.5 Web server using the ASP.NET Web application framework.

2009-07-08

Disable Beep/Bell (Hardware beep)

Filed under: freebsd,Linux — Nasser Heidari @ 06:55

Linux:
The Linux kernel has a PC speaker driver called pcspkr.ko. This driver is responsible for generating beeps while working at the shell prompt or in an X terminal. To turn off the beep, simply remove the driver from the kernel. You also need to blacklist the driver so that it is not loaded automatically.

# rmmod -v pcspkr

To prevent this module from loading automatically when you reboot your PC, open the /etc/modprobe.d/blacklist file and add pcspkr:

blacklist pcspkr

Appending a module here prevents the hotplug scripts from loading it.

To turn it back on, use this command:

# modprobe pcspkr

FreeBSD:
To enable or disable the bell under FreeBSD, use the hw.syscons.bell MIB. Type the following command to disable it for the current session:

# sysctl hw.syscons.bell=0

To make the setting persist across reboots, enter:

# echo "hw.syscons.bell=0" >> /etc/sysctl.conf

X11

If you are working with X11, you can turn off the console beep using the command xset.

To turn the console beep off enter:

# xset b off

To turn it back on, enter:

# xset b on

You can also set the volume and the pitch of the beep. This is not always supported, depending on the hardware.

If you do want to set the volume and pitch, you can do something like this:

# xset b 10 1000 100
