
Shellshock bug – vulnerability on Bash shell: How to fix ?





On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock or the "Bash Bug" (CVE-2014-6271), was disclosed. In short, Bash imported function definitions from environment variables and kept executing whatever text followed the function body, so anything that lets a remote attacker set an environment variable that a Bash process inherits (a CGI request header, a DHCP option, the SSH_ORIGINAL_COMMAND of a ForceCommand session) becomes arbitrary command execution. Because of Bash's ubiquitous status amongst Linux, BSD, and Mac OS X distributions, many computers are vulnerable to Shellshock; all unpatched Bash versions from 1.14 through 4.3 (i.e. every release up to the disclosure) are at risk. The first patch turned out to be incomplete and was followed by CVE-2014-7169, so a system patched on the first day still needs the follow-up update.


Examples of exploitable systems include the following:

    Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or spawn Bash subshells, since CGI hands request headers to the script as environment variables such as HTTP_USER_AGENT
    Certain DHCP clients
    OpenSSH servers that use the ForceCommand capability
    Various network-exposed services that use Bash


How to check the vulnerability ?


Run the command below and check the output:

env x='() { :;}; echo vulnerable' bash -c "echo Bash test"

The value assigned to x is a function definition followed by an extra command. If the vulnerability exists, Bash runs that extra command while importing the environment, so "vulnerable" appears before your own echo:

[root@serverA ~]# env x='() { :;}; echo vulnerable' bash -c "echo Bash test"
vulnerable
Bash test
[root@serverA ~]#

On a patched Bash only "Bash test" is printed, possibly preceded by a warning such as "bash: warning: x: ignoring function definition attempt". Run the check against every bash binary on the system (a second copy under /opt or inside a chroot, for example), not only the one in your PATH.
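The same check wrapped in a script, as an added example that is not part of the original post. It probes both the original bug (CVE-2014-6271) and the incomplete-fix follow-up (CVE-2014-7169), because a Bash that passes the first probe can still fail the second. The interpreter path is a parameter so you can point it at a vendor-built bash outside your PATH; the file named "echo" left behind by the second probe is the known symptom of CVE-2014-7169.

```shell
#!/bin/sh
# shellshock_check [path-to-bash] : probe a bash binary for Shellshock.
# Exit status: 0 = neither probe fired, 1 = vulnerable, 2 = binary not found.
shellshock_check() {
    sh_bin="${1:-bash}"
    command -v "$sh_bin" >/dev/null 2>&1 || { echo "$sh_bin: not found" >&2; return 2; }
    vuln=0

    # CVE-2014-6271: an environment variable whose value starts with "() {" is
    # imported as a function, and a vulnerable parser also executes whatever
    # follows the closing brace. A fixed bash ignores it or warns about it.
    out=$(env x='() { :;}; echo VULN6271' "$sh_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULN6271*) echo "CVE-2014-6271: VULNERABLE"; vuln=1 ;;
        *)          echo "CVE-2014-6271: not vulnerable" ;;
    esac

    # CVE-2014-7169: the first fix left the parser in a bad state after a
    # malformed definition, so the redirection ">" leaks into the next command:
    # "echo date" turns into "> echo date", creating a file named "echo" that
    # holds the output of date. Run it in an empty directory and look for the file.
    scratch=$(mktemp -d)
    ( cd "$scratch" && env x='() { (a)=>\' "$sh_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$scratch/echo" ]; then
        echo "CVE-2014-7169: VULNERABLE"; vuln=1
    else
        echo "CVE-2014-7169: not vulnerable"
    fi
    rm -rf "$scratch"

    return $vuln
}
```

Run it as `shellshock_check /bin/bash` after patching; both lines should read "not vulnerable". Because the second probe writes into a scratch directory, it is safe to run from any working directory.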



How to fix it?

 

Ubuntu/Debian : apt-get

#sudo apt-get update && sudo apt-get install --only-upgrade bash

CentOS / Red Hat / Fedora : YUM


#sudo yum update bash




Be sure to update all of your affected servers to the latest version of Bash, then re-run the check above. The first round of vendor packages fixed CVE-2014-6271 only; CVE-2014-7169 needed a second update, so a host that passed the test on September 24 may still be exposed. Also, be sure to keep your servers up to date with the latest security updates!



Cheers !!!

Install Redhat Linux 5/6 on iSCSI SAN Boot : How to ??


Software iSCSI:

For a software initiator to implement a SAN boot device, you can have the root device on an iSCSI LUN, and you can use any of the following options to load the kernel:
 1.A host’s locally attached disk (for storing kernel and initrd images)
 2.A Preboot Execution Environment (PXE) Server

Hardware iSCSI:

If the SAN boot LUN uses an iSCSI HBA, then, because the protocol stack runs on the HBA, it is ready to communicate with the storage system and discover a LUN when it starts up.
You can have both the boot device and root device on an iSCSI LUN.

 Install RHEL 5/6 in software iSCSI SAN boot:


Steps :

1.When you initiate the installation, specify the Boot Option as linux mpath and press Enter.

2.Continue with the installation until you reach the storage configuration page. Click Advanced storage configuration.

3.Select Add iSCSI target and click Add drive.

4.Enter the Target IP address and the iSCSI initiator name.
Note: You should ensure that you associate this IQN with the correct privileges on the storage controller. Keep in mind that an IQN is a name the initiator presents, not a secret: the igroup mapping decides which initiators see the LUN, but it does not authenticate them, so also enable CHAP between initiator and target where the storage supports it.

5.On the storage controller, create an igroup with the initiator name that you provided in Step 4.

6.Create a LUN on the storage system on which you intend to create root partition, and map it to the igroup.

7.Return to the host screen.

8.Click Add Target in the Configure iSCSI Parameters window.

When you add the target, the target portal is discovered.

Note: You should ensure that multiple target portals are discovered, because the Red Hat installer does not identify the iSCSI device as a multipathed device unless it has more than one path.

9.To discover more target portals, repeat Step 2 through Step 8.

You should now see a multipathed iSCSI device listed in the drives section.
Note: If the iSCSI multipathed device is not listed, you should check the configuration.

10.Select a partitioning layout as Create custom layout and Click Next.

You can now proceed with the installation process and enter choices until you reach the Installation Summary page.

11.At the storage devices selection screen, select the iSCSI multipathed device from the list of allowable drives where you want to install the root file system.

12.Create the root file system on the selected device and select the mount point as /.

13.Create a SWAP partition.

Note: You can create a SWAP partition on the same LUN that contains the root partition or on a different LUN.
If you are using the software suspend functionality, you should ensure that the SWAP partition is on a local disk.

14.Create the /boot partition.
You can create a /boot partition on a locally attached disk or use a PXE server to load the kernel boot image.

15.Click Next and follow the installation prompts to complete the installation.
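Once the system is installed, the path count is something to keep checking, not only during setup. The following added example (not from the original post) reads saved `multipath -ll` output and flags any map with fewer than two paths in the "active ready running" state; the sample listing is constructed, and its WWIDs and device names are made up.

```shell
#!/bin/sh
# multipath_min_paths <file> [min] : read saved "multipath -ll" output and flag
# any map with fewer than <min> (default 2) paths in the "active ready running" state.
# Prints one line per map; exit status 1 if any map is degraded, 0 otherwise.
multipath_min_paths() {
    listing="$1"
    min="${2:-2}"
    awk -v min="$min" '
        BEGIN { bad = 0; name = "" }
        function report() {
            status = (n >= min) ? "ok" : "DEGRADED"
            printf "%s active_paths=%d %s\n", name, n, status
            if (n < min) bad = 1
        }
        # Map header: "<alias> (<wwid>) dm-N <vendor>,<product>" starts in column 1;
        # policy and path lines are indented or start with "|" or "`".
        /^[^ |`].* dm-[0-9]+/ { if (name != "") report(); name = $1; n = 0; next }
        # Path line: "H:C:T:L sdX major:minor dm_state path_state online_state"
        /[0-9]+:[0-9]+:[0-9]+:[0-9]+ sd/ { if ($0 ~ / active ready running/) n++ }
        END { if (name != "") report(); exit bad }
    ' "$listing"
}

# Constructed sample of "multipath -ll" output: mpatha has four healthy paths,
# mpathb has one healthy path and one failed path.
sample_multipath_listing() {
    cat <<'EOF'
mpatha (360a98000572d4e6f7a4a5a4e3a6b3a31) dm-0 NETAPP,LUN
size=20G features='1 queue_if_no_path' hwhandler='0' wp=rw
|-+- policy='round-robin 0' prio=1 status=active
| |- 3:0:0:0 sdb 8:16 active ready running
| `- 4:0:0:0 sdd 8:48 active ready running
`-+- policy='round-robin 0' prio=1 status=enabled
  |- 5:0:0:0 sdc 8:32 active ready running
  `- 6:0:0:0 sde 8:64 active ready running
mpathb (360a98000572d4e6f7a4a5a4e3a6b3a32) dm-1 NETAPP,LUN
size=4G features='1 queue_if_no_path' hwhandler='0' wp=rw
|-+- policy='round-robin 0' prio=1 status=active
| `- 3:0:0:1 sdf 8:80 active ready running
`-+- policy='round-robin 0' prio=0 status=enabled
  `- 4:0:0:1 sdg 8:96 failed faulty running
EOF
}
```

On a live host run `multipath -ll > /tmp/mp.txt && multipath_min_paths /tmp/mp.txt`; the non-zero exit status makes it easy to hook into a cron job or monitoring check for the boot LUN.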



Install RHEL 5/6 on Hardware iSCSI SAN boot:

Steps

1.Create a LUN on the storage system and map it to the host. This will be the SAN boot LUN.

You should ensure that the SAN boot LUN is mapped, and multiple paths to the SAN boot LUN are available on the host. You should also ensure that the SAN boot LUN is visible to the host during the boot process.

2.Set the Initiator IP Settings and Initiator iSCSI Name in Host Adapter Settings.

3.Set the Primary and Alternate Target IP and iSCSI Name and Adapter Boot Mode to Manual in iSCSI Boot Settings.
For information, see your HBA vendor-specific documentation.

4.After making changes to the HBA BIOS, save and exit.
Reboot the host.

5. Install the operating system on the boot LUN and follow the installation prompts to complete the installation.

Note: You should specify Boot Option as linux mpath during the operating system installation. When you

Linux Interview Questions - PORT Related: PART 7



PORT Related interview questions in Linux:

1. What is a port?
A port is a piece of software that acts as a docking point on your machine, where a remote application can connect and communicate. The analogy is to the physical sea ports through which you enter a country.

2. What is hardware port?
This is physical peripheral connection point to a machine from a physical device.

3. What is a socket?
A socket is the combination of a software port and an IP address (plus the transport protocol).

A socket is just a logical endpoint for communication. They exist on the transport layer. You can send and receive things on a socket, you can bind and listen to a socket. 
A socket is specific to a protocol, machine, and port, and is addressed as such in the header of a packet.

4. What is the range of ports or how many ports are there?
Port numbers can vary from 0 to 65535, so in total there are 65536 ports.

5. Why are there only 65536 port numbers?
This is because of a limitation in the TCP/IP stack: the port number field in the TCP and UDP headers is 16 bits wide, so only 2^16 = 65536 port numbers are possible.

6.What are the well-known ports or assigned ports or default ports?
Well known ports are from 0 to 1023(total 2^10=1024 ports)

7.What do you mean by default port?
Default port is a designated port for particular well-known server.

8.Can we change default port for a service(example Apache, squid)?
Yes, we can change it. Apache uses the Listen directive in httpd.conf, BIND uses the port clause of listen-on in named.conf, and Squid uses the http_port entry in squid.conf to set the port number. Remember to update the firewall rules as well (and the SELinux port type on systems enforcing it), or the service will not be reachable or will not be allowed to bind.

9.What are the protocol numbers for TCP and UDP?
Do not confuse this one with port numbers. TCP and UDP have their own numbers in TCP/IP stack.
TCP protocol number:6
UDP protocol number:17

10. Is there any way I can see all the port information in Linux?
Yes, the /etc/services file lists the assigned service names with their port numbers and protocols. Note that it is a static list of assignments, not a view of what is currently open on the host; for that see the next question.

11. How can I see open ports in Linux?
Use the nmap, lsof, netstat or ss commands (ss has replaced netstat on current distributions and takes the same -tulpn flags).

Ex: #lsof -i
Ex: #netstat -tulpn
Ex: #ss -tulpn
Ex: #nmap -sT -O localhost

The -p in netstat/ss shows the owning process only when you run as root, and nmap -O likewise needs root. Pay attention to the Local Address column: a service bound to 127.0.0.1 is reachable only from the host itself, while 0.0.0.0 or [::] means it listens on every interface.
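The interesting part of an `ss -tulpn` listing is usually which services are reachable from the network at all. As an added example (not part of the original post), the script below reads saved `ss -tulpn` output and prints one line per listener bound to every interface (0.0.0.0, *, [::] or ::), leaving out anything bound to loopback. The sample listing is constructed; its process names and PIDs are made up.

```shell
#!/bin/sh
# exposed_listeners <file> : print "proto port process" for every socket in a saved
# "ss -tulpn" listing whose local address is a wildcard, i.e. reachable from the network.
exposed_listeners() {
    awk 'NR > 1 {
        # Field 5 is Local Address:Port; split on the LAST colon so IPv6 works.
        if (!match($5, /:[0-9*]+$/)) next
        addr = substr($5, 1, RSTART - 1)
        port = substr($5, RSTART + 1)
        if (addr != "0.0.0.0" && addr != "*" && addr != "[::]" && addr != "::") next
        # Process column looks like users:(("sshd",pid=812,fd=3)); absent without root.
        proc = "-"
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        print $1, port, proc
    }' "$1"
}

# Constructed "ss -tulpn" output: sshd and httpd listen on all interfaces, the DHCP
# client has its UDP socket open everywhere, cupsd and the MTA are loopback-only.
sample_ss_listing() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0      511    *:80               *:*               users:(("httpd",pid=1203,fd=4))
tcp   LISTEN 0      128    [::1]:25           [::]:*            users:(("master",pid=901,fd=13))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=700,fd=6))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
EOF
}
```

On a real host: `ss -tulpn > /tmp/ss.txt && exposed_listeners /tmp/ss.txt`. Everything it prints should either be in your firewall policy on purpose or be re-bound to 127.0.0.1.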

12. Which port is used by the ping command?

None. Ping uses ICMP, which is a protocol sitting beside TCP and UDP directly on top of IP rather than a service running on top of them, so there is no port field at all.

To let ping work through a firewall you need to allow ICMP echo-request (type 8) packets out and ICMP echo-reply (type 0) packets in.

ICMP Echo Request / Echo Reply layout (each row is 32 bits; Type and Code are one byte each, the other fields are 16 bits):

+--------+--------+-----------------+
| Type 8 | Code 0 |    Checksum     |
+--------+--------+-----------------+
|   Identifier    | Sequence Number |
+-----------------+-----------------+
|        Test Data ...              |
+-----------------------------------+




Ports and corresponding port numbers:


20 – FTP Data (for transferring FTP data)

21 – FTP Control (for starting the FTP connection)

22 – SSH (for secure remote administration; SSH has its own encryption layer and does not use SSL/TLS)

23 – Telnet (for insecure, plaintext remote administration)

25 – SMTP (mail transfer between mail servers, e.g. Sendmail or Postfix)

53 – DNS (a special service which uses both UDP and TCP)

67 – BOOTP/DHCP server

68 – BOOTP/DHCP client

69 – TFTP (Trivial File Transfer Protocol, uses UDP for connectionless transmission of data)

80 – HTTP/WWW (Apache)

88 – Kerberos

110 – POP3 (mail delivery to the client)

123 – NTP (Network Time Protocol, used for time syncing, uses UDP)

137 – NetBIOS name service (nmbd)

138 – NetBIOS datagram service (nmbd)

139 – NetBIOS session service, SMB over NetBIOS (smbd)

143 – IMAP

161 – SNMP (for network monitoring, UDP)

162 – SNMP Trap (UDP)

389 – LDAP (for centralized administration)

443 – HTTPS (HTTP over TLS for secure web access)

445 – SMB/CIFS directly over TCP (smbd)

514 – Syslog (UDP)

636 – LDAPS (LDAP over TLS, TCP)

873 – rsync



VMware VCP-5 Exam Latest dumps - VCP5.1 and VCP5.5 Dumps




I have done VCP 5 exam using the below dumps only. Both are valid and verified. Please download and use it.


VCP 5.5 - DUMPS -Download click here

VCP-5.1 - DUMPS -Download click here


File Encryption using GPG in Linux: How to ??


File Encryption using GPG in Linux:

GPG (GnuPG) is an encryption and signing tool for Linux/UNIX-like operating systems that implements the OpenPGP standard. It works in two modes: symmetric encryption, where a file is protected with a passphrase alone, and public-key encryption, where each user holds a key pair. Data encrypted with the public key can only be decrypted with the matching private key, and a signature made with the private key can be verified by anyone holding the public key.

gpg may be run as stand alone without any commands, in which case it will perform a reasonable action depending on the type of file it is given as input.

Possible inputs are as follows.

1. Encrypted message is decrypted
2. Signature is verified
3. File containing keys is listed


Command to encrypt a file

#gpg -c sample

The above command creates an encrypted file sample.gpg. The -c option encrypts with a symmetric cipher whose key is derived from the passphrase you enter. Make sure to remember your passphrase: if you forget it, the data cannot be recovered, and since the cipher itself is strong, the passphrase is the only thing an attacker can realistically attack, so choose a long one.


Let us now see few examples of encryption and decryption with gpg command.

1.Key Generation

#gpg --gen-key
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)

 Select default (1) and press enter.
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

 This transcript is from GnuPG 1.4.5. A current GnuPG (2.2 or later) no longer offers 1024-bit DSA; it defaults to RSA 3072 (or ECC), and 1024-bit DSA with its SHA-1 signatures should not be used for new keys. Accept the defaults of the version you are actually running rather than reproducing these numbers.

 Use the default here and press enter.

Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years

 Use the default option
Key does not expire at all
Is this correct? (y/N)

 Enter “y” and press enter.
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
“Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>”

Real name:

 Type a name here. For example I used here “sam”. Remember the name you use..

Then enter your email address and comment.
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

 Press O and then Enter.
Enter passphrase:


2. Encryption of file

Syntax for encryption is

#gpg -e -r <recipient> <file>

Let us now encrypt a file named chumma.txt for the key generated above, whose user ID starts with “sam”. The -r argument selects the recipient key by name, e-mail address or key ID.

#gpg -e -r sam /home/mades/chumma.txt

The above command generates chumma.txt.gpg. Only the holder of sam's private key can decrypt it.

3.Decryption of File

Syntax for decryption is

#gpg --output <outfile> --decrypt <file>

or, in short form, writing the plaintext to standard output:

#gpg -d sample.gpg

If you want to decrypt the file and send the output to a new file instead of standard output, you can do it as follows (-o is the short form of --output):

#gpg -o chumma.txt -d chumma.txt.gpg
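Both workflows above, symmetric and public-key, can be exercised end to end without any prompts. The following added example (not from the original post) does that in a throwaway GNUPGHOME so your real keyring is never touched: it encrypts and decrypts with a passphrase, checks that a wrong passphrase is refused, then generates a key for "sam", encrypts to that recipient and decrypts again. The user ID sam@example.invalid, the file names and the passphrases are made up; the public-key part needs GnuPG 2.1.17 or later and is skipped on older versions.

```shell
#!/bin/sh
# GnuPG round trips in a throwaway keyring, with no interactive prompts.

gpg_batch() {
    # --batch/--yes: never prompt, never stop to ask about overwriting.
    # --pinentry-mode loopback (2.1+) makes gpg take the passphrase from
    # --passphrase/--passphrase-fd instead of popping up pinentry; on 1.4 the
    # option does not exist, so probe for it first.
    if gpg --pinentry-mode loopback --version >/dev/null 2>&1; then
        gpg --batch --yes --quiet --pinentry-mode loopback "$@"
    else
        gpg --batch --yes --quiet "$@"
    fi
}

# Symmetric (gpg -c) round trip. Returns 0 if the decrypted file matches the
# original AND a wrong passphrase is rejected, 1 otherwise.
gpg_symmetric_roundtrip() (
    work=$(mktemp -d)
    export GNUPGHOME="$work/home"; mkdir -m 700 "$GNUPGHOME"
    printf 'top secret\n' > "$work/sample"

    printf '%s' 'correct horse' | gpg_batch --passphrase-fd 0 -c -o "$work/sample.gpg" "$work/sample"
    printf '%s' 'correct horse' | gpg_batch --passphrase-fd 0 -o "$work/sample.out" -d "$work/sample.gpg"
    cmp -s "$work/sample" "$work/sample.out"; rc=$?

    # A wrong passphrase must fail, not yield garbage. gpg-agent caches symmetric
    # passphrases per keyring, so use a second empty GNUPGHOME for this attempt.
    export GNUPGHOME="$work/home2"; mkdir -m 700 "$GNUPGHOME"
    if printf '%s' 'wrong' | gpg_batch --passphrase-fd 0 -o "$work/bad.out" -d "$work/sample.gpg" 2>/dev/null; then
        rc=1
    fi

    for h in home home2; do GNUPGHOME="$work/$h" gpgconf --kill gpg-agent 2>/dev/null; done
    rm -rf "$work"
    return $rc
)

# Public-key round trip as in section 2: generate a key for "sam", encrypt to that
# recipient, decrypt with the private key. Returns 0 on success, 1 on a mismatch,
# 2 if this gpg is too old for unattended --quick-generate-key.
gpg_pubkey_roundtrip() (
    gpg --dump-options 2>/dev/null | grep -q '^--quick-generate-key$' || return 2
    work=$(mktemp -d)
    export GNUPGHOME="$work/home"; mkdir -m 700 "$GNUPGHOME"
    printf 'hello sam\n' > "$work/chumma.txt"

    # Throwaway key with an empty passphrase (fine for a scratch keyring, never for a real key).
    gpg_batch --passphrase '' --quick-generate-key 'sam <sam@example.invalid>' default default never 2>/dev/null \
        || { rm -rf "$work"; return 1; }
    gpg_batch -e -r sam -o "$work/chumma.txt.gpg" "$work/chumma.txt"
    gpg_batch -o "$work/chumma.out" -d "$work/chumma.txt.gpg"
    cmp -s "$work/chumma.txt" "$work/chumma.out"; rc=$?

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    return $rc
)
```

In real scripts prefer --passphrase-fd or --passphrase-file over --passphrase on the command line, since arguments are visible to every user through ps; the example only passes an empty string that way.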



Redhat Cluster - Interview Questions and Answers: Part 1



1. What is CMAN
  • Basically, cluster manager is a component of the cluster project that handles communications between nodes in the cluster.
  • CMAN is Cluster Manager. It manages cluster quorum and cluster membership.
  • CMAN runs on each node of a cluster

2. What is RGManager

RGManager manages and provides failover capabilities for collections of cluster resources called services, resource groups, or resource trees.

In the event of a node failure, RGManager will relocate the clustered service to another node with minimal service disruption. You can also restrict services to certain nodes, such as restricting  httpd to one group of nodes while  mysql can be restricted to a separate set of nodes.

When the cluster membership changes, openais tells the cluster that it needs to recheck its resources. This causes rgmanager, the resource group manager, to run. It examines what changed and then starts, stops, migrates or recovers cluster resources as needed.
Within rgmanager, one or more resources are brought together as a service. This service is then optionally assigned to a failover domain, a subset of nodes that can have preferential ordering.


3. What is Cluster Quorum


  • Quorum is a voting algorithm used by CMAN.
  • CMAN keeps track of cluster quorum by monitoring the number of nodes (more precisely, the number of votes) in the cluster.
  • If more than half of the members of a cluster are active, the cluster is said to have quorum.
  • If only half or fewer of the members are active, the cluster is inquorate: it is considered down and all cluster activities are stopped.
  • Quorum is defined as the minimum set of hosts required in order to provide service and is used to prevent split-brain situations.
  • The quorum algorithm used by the RHCS cluster is called “simple majority quorum”, which means that more than half of the hosts must be online and communicating in order to provide service.
4.  What is split-brain

It is a condition where two instances of the same cluster are running and trying to access the same resource at the same time, resulting in corrupted cluster integrity.
A cluster must maintain quorum to prevent split-brain issues.

It is necessary for a cluster to maintain quorum to prevent split-brain problems. If quorum were not enforced, a communication error on that same thirteen-node cluster
could cause a situation where six nodes are operating on the shared disk and another six are also operating on it, independently. Because of the communication error,
the two partial clusters would overwrite areas of the disk and corrupt the file system. With quorum rules enforced, only one of the partial clusters can use the shared storage, thus protecting data integrity.

To be precise, quorum does not stop the cluster from partitioning; what it does is decide which partition is allowed to keep functioning. Should a partition occur, only the quorate side continues to run services, and the inquorate side is fenced (see the next question) so that it cannot touch shared storage at all.


5. What is Fencing


  • Fencing is the disconnection of a node from the cluster’s shared storage. Fencing cuts off I/O from shared storage, thus ensuring data integrity. The cluster infrastructure performs fencing through the fence daemon,  fenced.
  • Power fencing — A fencing method that uses a power controller to power off an inoperable node.
  • storage fencing — A fencing method that disables the Fibre Channel port that connects storage to an inoperable node.
  • Other fencing — Several other fencing methods that disable I/O or power of an inoperable node, including IBM Bladecenters, PAP, DRAC/MC, HP ILO, IPMI, IBM RSA II, and others.

6. What is Quorum disk


  • In the case of a 2-node cluster, the quorum disk acts as a tie-breaker and prevents split-brain issues.
  • If a node has access to the network and the quorum disk, it is active.
  • If a node has lost access to the network or the quorum disk, it is inactive and can be fenced.
  • A quorum disk, known as a qdisk, is a small partition on SAN storage used to enhance quorum. It generally carries enough votes to allow even a single node to take quorum during a cluster partition.
  • It does this by using configured heuristics, that is custom tests, to decide which node or partition is best suited for providing clustered services during a cluster reconfiguration.

7. How to set up a quorum disk/partition?

Note that if you configure a quorum disk/partition, you don't want two_node="1" or expected_votes="2" since the quorum disk solves the voting imbalance. 

You want two_node="0" and expected_votes="3" (or nodes + 1 if it's not a two-node cluster). However, since 0 is the default value for two_node, you don't need to specify it at all. 

If this is an existing two-node cluster and you're changing the two_node value from "1" to "0", you'll have to stop the entire cluster and restart it after the configuration is changed (normally, the cluster doesn't have to be stopped and restarted for configuration changes, but two_node is a special case.) Basically, you want something like this in your /etc/cluster/cluster.conf:

  <cman two_node="0" expected_votes="3" .../>
  <clusternodes>
    <clusternode name="node1" votes="1" .../>
    <clusternode name="node2" votes="1" .../>
  </clusternodes>
  <quorumd device="/dev/mapper/lun01" votes="1"/>

Note: You don't have to use a disk or partition to prevent two-node fence-cycles; you can also set your cluster up this way. 

You can set up a number of different heuristics for the qdisk daemon. For example, you can set up a redundant NIC with a crossover cable and use ping operations to the local router/switch to break the tie (this is typical, actually, and is called an IP tie breaker). 
A heuristic can be made to check anything, as long as it is a shared resource.

8 .What can cause a node to leave the cluster?

A node may leave the cluster for many reasons. Among them:


  1. Shutdown: cman_tool leave was run on this node.
  2. Killed by another node: the node was killed either by cman_tool kill or by qdisk.
  3. Panic: cman failed to allocate memory for a critical data structure, or some other very bad internal failure occurred.
  4. Removed: like 1, but the remainder of the cluster can adjust quorum downwards to keep working.
  5. Membership rejected: the node attempted to join a cluster but its cluster.conf file did not match that of the other nodes. To find the real reason for this you need to examine the syslog of all the valid cluster members to find out why it was rejected.
  6. Inconsistent cluster view: this is usually indicative of a bug, but it can also happen if the network is extremely unreliable.
  7. Missed too many heartbeats: this means what it says. All nodes are expected to broadcast a heartbeat every 5 seconds (by default). If none is received within

9 . How can I define a two-node cluster if a majority is needed to reach quorum?

We had to allow two-node clusters, so we made a special exception to the quorum rules. There is a special setting "two_node" in the /etc/cluster/cluster.conf file that looks like this:

<cman expected_votes="1" two_node="1"/>

This will allow one node to be considered enough to establish a quorum. Note that if you configure a quorum disk/partition, you don't want two_node="1".
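The rules in questions 7 and 9 are easy to get wrong when a quorum disk is added to an existing two-node cluster, so here is an added example (not from the original post) that checks a cluster.conf against them: two_node="1" must not be combined with a <quorumd> element, and with a quorum disk expected_votes must equal the node votes plus the qdisk votes. The three sample configurations are constructed; the node names and the /dev/mapper/lun01 device are made up. Attribute extraction is a sed match good enough for the one-element-per-line layout shown above, not a general XML parser.

```shell
#!/bin/sh
# cluster_quorum_check <cluster.conf> : check two_node / expected_votes / quorumd
# for consistency. Exit 0 if consistent, 1 if not.
cluster_quorum_check() {
    conf="$1"
    # attr <element> <attribute> -> value of the first matching attribute, or empty
    attr() { sed -n "s/.*<$1 [^>]*$2=\"\([^\"]*\)\".*/\1/p" "$conf" | head -n 1; }

    two_node=$(attr cman two_node); two_node=${two_node:-0}   # 0 is the default
    expected=$(attr cman expected_votes)
    qdisk_votes=$(attr quorumd votes)
    nodes=$(grep -c '<clusternode ' "$conf" || true)
    node_votes=$(sed -n 's/.*<clusternode [^>]*votes="\([0-9]*\)".*/\1/p' "$conf" | awk '{ s += $1 } END { print s + 0 }')

    if [ -n "$qdisk_votes" ]; then
        # Question 7: the quorum disk supplies the tie-breaking votes, so the two_node exception must be off.
        if [ "$two_node" = "1" ]; then
            echo "ERROR: two_node=\"1\" together with a <quorumd>; set two_node=\"0\""; return 1
        fi
        want=$((node_votes + qdisk_votes))
        if [ "${expected:-0}" -ne "$want" ]; then
            echo "ERROR: expected_votes=${expected:-unset} but node votes ($node_votes) + qdisk votes ($qdisk_votes) = $want"; return 1
        fi
        echo "OK: $nodes nodes, qdisk votes=$qdisk_votes, expected_votes=$expected"
    elif [ "$nodes" -eq 2 ] && [ "$two_node" != "1" ]; then
        # Question 9: without a quorum disk, two nodes can only reach quorum through the exception.
        echo "ERROR: two-node cluster without a quorum disk needs two_node=\"1\" expected_votes=\"1\""; return 1
    else
        echo "OK: $nodes nodes, two_node=$two_node, expected_votes=${expected:-unset}"
    fi
}

# Constructed cluster.conf fragments for the three cases.
sample_conf_qdisk_ok() {
    cat <<'EOF'
<?xml version="1.0"?>
<cluster name="demo" config_version="3">
  <cman two_node="0" expected_votes="3"/>
  <clusternodes>
    <clusternode name="node1" nodeid="1" votes="1"/>
    <clusternode name="node2" nodeid="2" votes="1"/>
  </clusternodes>
  <quorumd device="/dev/mapper/lun01" votes="1"/>
</cluster>
EOF
}
sample_conf_qdisk_bad() {   # two_node="1" left in place after adding a quorum disk
    cat <<'EOF'
<cluster name="demo" config_version="4">
  <cman two_node="1" expected_votes="1"/>
  <clusternodes>
    <clusternode name="node1" nodeid="1" votes="1"/>
    <clusternode name="node2" nodeid="2" votes="1"/>
  </clusternodes>
  <quorumd device="/dev/mapper/lun01" votes="1"/>
</cluster>
EOF
}
sample_conf_two_node() {    # the question 9 exception, no quorum disk
    cat <<'EOF'
<cluster name="demo" config_version="2">
  <cman expected_votes="1" two_node="1"/>
  <clusternodes>
    <clusternode name="node1" nodeid="1" votes="1"/>
    <clusternode name="node2" nodeid="2" votes="1"/>
  </clusternodes>
</cluster>
EOF
}
```

Run `cluster_quorum_check /etc/cluster/cluster.conf` before bumping config_version and propagating the file; remember from question 7 that changing two_node still requires a full cluster stop and start.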


10. What is the best two-node network & fencing configuration?

In a two node cluster (where you are using two_node="1" in the cluster configuration, and w/o QDisk), there are several considerations you need to be aware of:

If you are using per-node power management of any sort where the device is not shared between cluster nodes, it must be connected to the same network used by CMAN for cluster communication. Failure to do so can result in both nodes simultaneously fencing each other, leaving the entire cluster dead, or end up in a fence loop. Typically, this includes all integrated power management solutions (iLO, IPMI, RSA, ERA, IBM Blade Center, Egenera Blade Frame, Dell DRAC, etc.), but also includes remote power switches (APC, WTI) if the devices are not shared between the two nodes.

It is best to use power-type fencing. SAN or SCSI-reservation fencing might work, as long as it meets the above requirements. If you cannot meet the above requirements, you should use a quorum disk or partition instead.

