Biggest installed packages in Fedora

Quick tip to see which are the biggest currently installed packages on your Fedora box:
 

rpm -qa --queryformat '%10{size}-%{name}-%{version}\n' | sort -k1,1n

You might also be interested in fslint:
 
yum install fslint

It lists packages by size, and it will autoselect dependencies for packages you want to delete

Linux Files and File Permission

Linux files are setup so access to them is controlled. There are three types of access: read write execute Each file belongs to a specific user and group. Access to the files is controlled by user, group, and what is called other. The term, other, is used to refer to someone who is not the user (owner) of the file, nor is the person a member of the group the file belongs to. When talking about setting permissions for "other" users to use, it is commonly referred to as setting the world execute, read, or write bit since anyone in the world will be able to perform the operation if the permission is set in the other category. File names and permission characters File names can be up to 256 characters long with "-", "_", and "." characters along with letters and numbers. When a long file listing is done, there are 10 characters that are shown on the left that indicate type and permissions of the file. File permissions are shown according to the following syntax example: drwerwerwe There are a total of 10 characters in this example, as in all Linux files. The first character indicates the type of file, and the next three indicate read, write, and execute permission for each of the three user types, user, group and other. Since there are three types of permission for three users, there are a total of nine permission bits. The table below shows the syntax: 1 2 3 4 5 6 7 8 9 10 File User Permissions Group Permissions Other Permissions Type Read Write Execute Read Write Execute Read Write Execute d r w e r w e r w e

• Character 1 is the type of file: - is ordinary, d is directory, l is link.
• Characters 2-4 show owner permissions. Character 2 indicates read permission, character 3 indicates write permission, and character 4 indicates execute permission.
• Characters 5-7 show group permissions. Character 5=read, 6=write, 7=execute
• Characters 8-10 show permissions for all other users. Character 8=read, 9=write, 10=execute
  

There are 5 possible characters in the permission fields. They are:

• r = read - This is only found in the read field.
• w = write - This is only found in the write field.
• x = execute - This is only found in the execute field.
• s = setuid - This is only found in the execute field.
• If there is a "-" in a particular location, there is no permission. This may be found in any field whether read, write, or execute field.
  

Examples

Type "ls -l" and a listing like the following is displayed:

total 10
drwxrwxrwx	4	rajat	team	122	Dec 12 18:02	Projects
-rw-rw-rw-	1	rajat	team	1873	Aug 23 08:34	test
-rw-rw-rw-	1	rajat	team	1234	Sep 12 11:13	datafile

Which means the following:

Type and	# of	Files's	File's	Size in	Date of last	Filename
Permission field	Links	Owner	Group	Bytes	modification
|	|	|	|	|	|	|
drwxrwxrwx	4	rajat	team	122	Dec 12 18:02	Projects

The fields are as follows:

1. Type field: The first character in the field indicates a file type of one of the following:
   • d = directory
   • l = symbolic link
   • s = socket
   • p = named pipe
   • - = regular file
   • c= character (unbuffered) device file special
   • b=block (buffered) device file special
2. Permissions are explained above.
3. Links: The number of directory entries that refer to the file. In our example, there are four.
4. The file's owner in our example is rajat.
5. The group the file belongs to. In our example, the group is team.
6. The size of the file in bytes
7. The last modification date. If the file is recent, the date and time is shown. If the file is not in the current year, the year is shown rather than time.
8. The name of the file.
   

Set User Identification Attribute

The file permissions bits include an execute permission bit for file owner, group and other. When the execute bit for the owner is set to "s" the set user ID bit is set. This causes any persons or processes that run the file to have access to system resources as though they are the owner of the file. When the execute bit for the group is set to "s", the set group ID bit is set and the user running the program is given access based on access permission for the group the file belongs to. The following command:
chmod +s myfile
sets the user ID bit on the file "myfile". The command:
chmod g+s myfile
sets the group ID bit on the file "myfile".
The listing below shows a listing of two files that have the group or user ID bit set.

-rws--x--x   1 root    root    14024 Sep  9 2010 donefile
-rwxr-sr-x   1 root   mail    12072 Aug 16 2010 lockfile

The files donefile and lockfile are located in the directory "/usr/bin". The "s" takes the place of the normal location of the execute bit in the file listings above. This special permission mode has no meaning unless the file has execute permission set for either the group or other as well. This means that in the case of the lockfile, if the other users (world execute) bit is not set with permission to execute, then the user ID bit set would be meaningless since only that same group could run the program anyhow. In both files, everyone can execute the binary. The first program, when run is executed as though the program is the root user. The second program is run as though the group "mail" is the user's group.

For system security reasons it is not a good idea to set many program's set user or group ID bits any more than necessary, since this can allow an unauthorized user privileges in sensitive system areas. If the program has a flaw that allows the user to break out of the intended use of the program, then the system can be compromised.

Directory Permissions

There are two special bits in the permissions field of directories. They are:

• s - Set group ID
• t - Save text attribute (sticky bit) - The user may delete or modify only those files in the directory that they own or have write permission for.
  

Save text attribute

The /tmp directory is typically world-writable and looks like this in a listing:

drwxrwxrwt   13 root     root         4096 Apr 15 08:05 tmp

Everyone can read, write, and access the directory. The "t'' indicates that only the user (and root, of course) that created a file in this directory can delete that file.

To set the sticky bit in a directory, do the following:
chmod +t data
This option should be used carefully. A possible alternative to this is

1. Create a directory in the user's home directory to which he or she can write temporary files.
2. Set the TMPDIR environment variable using each user's login script.
3. Programs using the tempnam(3) function will look for the TMPDIR variable and use it, instead of writing to the /tmp directory.
   

Directory Set Group ID

If the setgid bit on a directory entry is set, files in that directory will have the group ownership as the directory, instead of than the group of the user that created the file.

This attribute is helpful when several users need access to certain files. If the users work in a directory with the setgid attribute set then any files created in the directory by any of the users will have the permission of the group. For example, the administrator can create a group called sample and add the users Tom and Jerry to the group sample. The directory sampledir can be created with the set GID bit set and Tom and Jerry although in different primary groups can work in the directory and have full access to all files in that directory, but still not be able to access files in each other's primary group.

The following command will set the GID bit on a directory:
chmod g+s sampledir
The directory listing of the directory "sampledir":
drwxrwsr-x 2 Tom sample 1674 Sep 17 1999 sampledir
The "s'' in place of the execute bit in the group permissions causes all files written to the directory "sampledir" to belong to the group "sample" .

Examples

Below are examples of making changes to permissions:

chmod u+x myfile	Gives the user execute permission on myfile.
chmod +x myfile	Gives everyone execute permission on myfile.
chmod ugo+x myfile	Same as the above command, but specifically specifies user, group and other.
chmod 400 myfile	Gives the user read permission, and removes all other permission. These permissions are specified in octal, the first char is for the user, second for the group and the third is for other. The high bit (4) is for read access, the middle bit (2) os for write access, and the low bit (1) is for execute access.
chmod 764 myfile	Gives user full access, group read and write access, and other read access.
chmod 751 myfile	Gives user full access, group read and execute permission, and other, execute permission.
chmod +s myfile	Set the setuid bit.
chmod go=rx myfile	Remove read and execute permissions for the group and other.

Below are examples of making changes to owner and group:

chown Jerry test1	Changes the owner of the file test1 to the user Jerry.
chgrp Jerry test1	Changes the file test1 to belong to the group "jerry".

Note: Linux files were displayed with a default tab value of 8 in older Linux versions. That means that file names longer than 8 may not be displayed fully if you are using an old Linux distribution. There is an option associated with the ls command that solves this problem. It is "-T". Ex: "ls al -T 30" to make the tab length 30.

Umask Settings

The umask command is used to set and determine the default file creation permissions on the system. It is the octal complement of the desired file mode for the specific file type. Default permissions are:

• 777 - Executable files
• 666 - Text files
  

These defaults are set allowing all users to execute an executable file and not to execute a text file. The defaults allow all users can read and write the file.

The permission for the creation of new executable files is calculated by subtracting the umask value from the default permission value for the file type being created. An example for a text file is shown below with a umask value of 022:

        666 Default Permission for text file
       -022 Minus the umask value
      -----
        644 Allowed Permissions

Therefore the umask value is an expression of the permissions the user, group and world will not have as a default with regard to reading, writing, or executing the file. The umask value here means the group the file belongs to and users other than the owner will not be able to write to the file. In this case, when a new text file is created it will have a file permission value of 644, which means the owner can read and write the file, but members of the group the file belongs to, and all others can only read the file. A long directory listing of a file with these permissions set is shown below.

-rw-r--r--   1 root     workgrp          14233 Apr  24 10:32 textfile.txt

A example command to set the umask is:
umask 022
The most common umask setting is 022. The /etc/profile script is where the umask command is usually set for all users.

Red Hat Linux has a user and group ID creation scheme where there is a group for each user and only that user belongs to that group. If you use this scheme consistently you only need to use 002 for your umask value with normal users.

How to identify Open Ports in Red Hat/CentOS/Fedora/Ubuntu server with nmap

Nmap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques, version detection (determine service protocols and application versions listening behind ports), and TCP/IP fingerprinting (remote host OS or device identification). Nmap also offers flexible target and port specification, decoy/stealth scanning, sunRPC scanning, and more. Most Unix and Windows platforms are supported in both GUI and commandline modes. Several popular handheld devices are also supported, including the Sharp Zaurus and the iPAQ.
Install nmap in Fedora /CentOS/ RedHat

#yum install nmap -y
 
Install nmap in ubuntu
$sudo apt-get install nmap

Nmap examples

Here are some Nmap usage examples, from the simple and routine to a little more complex and esoteric. Some actual IP addresses and domain names are used to make things more concrete. In their place you should substitute addresses/names from your own network.. While I don’t think port scanning other networks is or should be illegal, some network administrators don’t appreciate unsolicited scanning of their networks and may complain. Getting permission first is the best approach.
For testing purposes, you have permission to scan the host scanme.nmap.org. This permission only includes scanning via Nmap and not testing exploits or denial of service attacks. To conserve bandwidth, please do not initiate more than a dozen scans against that host per day. If this free scanning target service is abused, it will be taken down and Nmap will report Failed to resolve given hostname/IP: scanme.nmap.org. These permissions also apply to the hosts scanme2.nmap.org, scanme3.nmap.org, and so on, though those hosts do not currently exist.
#nmap -v scanme.nmap.org

Starting Nmap 5.21 ( http://nmap.org ) at 2010-10-06 18:02 IST
Initiating Ping Scan at 18:02
Scanning scanme.nmap.org (64.13.134.52) [4 ports]
Completed Ping Scan at 18:02, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:02
Completed Parallel DNS resolution of 1 host. at 18:02, 0.29s elapsed
Initiating SYN Stealth Scan at 18:02
Scanning scanme.nmap.org (64.13.134.52) [1000 ports]
Discovered open port 21/tcp on 64.13.134.52
Discovered open port 143/tcp on 64.13.134.52
Discovered open port 53/tcp on 64.13.134.52
Discovered open port 22/tcp on 64.13.134.52
Discovered open port 443/tcp on 64.13.134.52
Discovered open port 25/tcp on 64.13.134.52
Discovered open port 110/tcp on 64.13.134.52
Discovered open port 80/tcp on 64.13.134.52
Discovered open port 8008/tcp on 64.13.134.52
Discovered open port 8010/tcp on 64.13.134.52
Discovered open port 119/tcp on 64.13.134.52
Completed SYN Stealth Scan at 18:03, 34.78s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (64.13.134.52)
Host is up (0.043s latency).
Not shown: 986 filtered ports
PORT      STATE  SERVICE
21/tcp    open   ftp
22/tcp    open   ssh
25/tcp    open   smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http
110/tcp   open   pop3
113/tcp   closed auth
119/tcp   open   nntp
143/tcp   open   imap
443/tcp   open   https
8008/tcp  open   http
8010/tcp  open   xmpp
31337/tcp closed Elite

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 35.48 seconds
           Raw packets sent: 3986 (175.360KB) | Rcvd: 71 (3024B

This option scans all reserved TCP ports on the machine scanme.nmap.org . The -v option enables verbose mode.

#nmap -sS -O scanme.nmap.org/24



Launches a stealth SYN scan against each machine that is up out of the 256 IPs on “class C” sized network where Scanme resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and OS detection.

#nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127


Launches host enumeration and a TCP scan at the first half of each of the 255 possible eight-bit subnets in the 198.116 class B address space. This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running.

#nmap -v -iR 100000 -Pn -p 80


Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -Pn since first sending a couple probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway.

Cacti Network Graphing Tool RedHat / CentOS / Fedora Install and Configure

Cacti is a network graphing tool similar to MRTG. How do I install and configure common options to collect SNMP data and various other data (such as system load, network link status, hard disk space, logged in users etc) into an RRD?

From the official project site:

Cacti is a complete frontend to RRDTool, it stores all of the necessary information to create graphs and populate them with data in a MySQL database. The frontend is completely PHP driven. Along with being able to maintain Graphs, Data Sources, and Round Robin Archives in a database, cacti handles the data gathering. There is also SNMP support for those used to creating traffic graphs with MRTG.

Required software(s)

You need to install the following software on RHEL / Fedora / CentOS Linux:

1. MySQL Server : Store cacti data.
2. NET-SNMP server - SNMP (Simple Network Management Protocol) is a protocol used for network management.
3. PHP with net-snmp module - Access SNMP data using PHP.
4. Apache / lighttpd / ngnix webserver : Web server to display graphs created with PHP and RRDTOOL.

Install the software

First  to install mysql, apache and php:
# yum install mysql-server mysql php-mysql php-pear php-common php-gd php-devel php php-mbstring php-cli php-snmp php-pear-Net-SMTP php-mysql httpd

Configure MySQL server

First, set root password:
# mysqladmin -u root password NEWPASSWORD

Create cacti MySQL database

Create a database called cacti, enter:
# mysql -u root -p -e 'create database cacti'
Create a user called cacti with a password called catipass, enter:
# mysql -u root -p

mysql> GRANT ALL ON cacti.* TO cacti@localhost IDENTIFIED BY 'catipass;
mysql> FLUSH privileges;
mysql> \q

Install snmpd

Type the following command to install net-snmpd
# yum install net-snmp-utils php-snmp net-snmp-libs
Configure snmpd, open /etc/snmp/snmpd.conf
# vi /etc/snmp/snmpd.conf
Append / modify it as follows (see snmpd.conf man page for details):

com2sec local     localhost           public
group MyRWGroup v1         local
group MyRWGroup v2c        local
group MyRWGroup usm        local
view all    included  .1                               80
access MyRWGroup ""      any       noauth    exact  all    all    none
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root  (configure /etc/snmp/snmp.local.conf)
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat

Save and close the file. Turn on snmpd service:
# /etc/init.d/snmpd start
# chkconfig snmpd on
Make sure you are getting information from snmpd:
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex
Sample ouptut:

IP-MIB::ipAdEntIfIndex.10.10.9.108 = INTEGER: 2
IP-MIB::ipAdEntIfIndex.67.yy.zz.eee = INTEGER: 3
IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1

Install cacti

First, make sure EPEL repo is enabled. Type the following command to install cacti:
# yum install cacti

Install cacti tables

Type the following command to find out cacti.sql path:
# rpm -ql cacti | grep cacti.sql
Sample output:

/var/www/cacti/cacti.sql

Type the following command to install cacti tables (you need to type the cacti user password):
# mysql -u cacti -p cacti < /usr/share/doc/cacti-0.8.7g/cacti.sql

Configure cacti

Open /etc/cacti/db.php file, enter:
# vi /etc/cacti/db.php
Make changes as follows:

 
/* make sure these values refect your actual database/host/user/password */
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cacti";
$database_password = "cactipass";
$database_port = "3306";
 

Save and close the file.

Configure httpd

Open /etc/httpd/conf.d/cacti.conf file, enter:
# vi /etc/httpd/conf.d/cacti.conf
You need to update allow from line. Either set to ALL or your LAN subnet to allow access to cacti:

 
#
# Cacti: An rrd based graphing tool
#
Alias /cacti    /usr/share/cacti
  Directory /usr/share/cacti 

Order Deny,Allow
        Deny from all
        Allow from 10.0.0.0/8 

Directory

Another option is create /usr/share/cacti/.htaccess file and password protect the directory. Finally, restart httpd:
# service httpd restart

Setup cacti cronjob

Open /etc/cron.d/cacti file, enter:
# vi /etc/cron.d/cacti
Uncomment the line:

*/5 * * * *     cacti   /usr/bin/php /usr/share/cacti/poller.php > /dev/null 2>&1

Save and close the file.

Run cacti installer

Now cacti is ready to install. Fire a webbrowser and type the url:
http://your.example.com/cacti/
OR
http://your.server.ip.address/cacti/
Just follow on screen instructions. The default username and password for cacti is admin / admin. Upon first login, you will be force to change the default password.

How do I configure SNMP data collection?

SNMP can be used to monitor server traffic. Once installed login to cacti.
=> Click on Devices
=> Select Localhost
=> Make sure SNMP options are selected as follows:

Fig.01: SNMP configuration

Finally, click on Save button.

How do I create SNMP graphs?

Click on "Create Graphs for this Host" link on top right side.
Select SNMP - Interface Statistics
Select a graph type (such as In/Out bytes with total bandwidth)
Finally, click on Create button.

How do I view graphs?

To view graphs click on Graphs tab. Here is sample graph from one my own box:

Fig.02: Cacti in Action - Memory, CPU and Network Usage

(Fig.02: Cacti in action)

Fig.03: Cacti in Action Disk, Load average and User stats