Table: Crontab Fields and Allowed Ranges (Linux Crontab Syntax)
Field
Description
Allowed Value
MIN
Minute field
0 to 59
HOUR
Hour field
0 to 23
DOM
Day of Month
1-31
MON
Month field
1-12
DOW
Day Of Week
0-6
CMD
Command
Any command to be executed.
1. Scheduling a Job For a Specific Time
The basic usage of cron is to execute a job in a specific time as shown below. This will execute the Full backup shell script (full-backup) on 10th June 08:30 AM.
Please note that the time field uses 24 hours format. So, for 8 AM use 8, and for 8 PM use 20.
30 08 10 06 * /home/user/full-backup
30 – 30th Minute
08 – 08 AM
10 – 10th Day
06 – 6th Month (June)
* – Every day of the week
2. Schedule a Job For More Than One Instance (e.g. Twice a Day)
The following script take a incremental backup twice a day every day.
This example executes the specified incremental backup shell script (incremental-backup) at 11:00 and 16:00 on every day. The comma separated value in a field specifies that the command needs to be executed in all the mentioned time.
00 11,16 * * * /home/user/bin/incremental-backup
00 – 0th Minute (Top of the hour)
11,16 – 11 AM and 4 PM
* – Every day
* – Every month
* – Every day of the week
3. Schedule a Job for Specific Range of Time (e.g. Only on Weekdays)
If you wanted a job to be scheduled for every hour with in a specific range of time then use the following.
Cron Job everyday during working hours
This example checks the status of the database everyday (including weekends) during the working hours 9 a.m – 6 p.m
To view your crontab entries type crontab -l from your unix account as shown below.
user@dev-db$ crontab -l
@yearly /home/user/annual-maintenance
*/10 * * * * /home/user/check-disk-space
[Note: This displays crontab of the current logged in user]
View Root Crontab entries
Login as root user (su – root) and do crontab -l as shown below.
root@dev-db# crontab -l
no crontab for root
Crontab HowTo: View Other Linux User’s Crontabs entries
To view crontab entries of other Linux users, login to root and use -u {username} -l as shown below.
To edit a crontab entries, use crontab -e as shown below. By default this will edit the current logged-in users crontab.
user@dev-db$ crontab -e
@yearly /home/rusermesh/centos/bin/annual-maintenance
*/10 * * * * /home/user/debian/bin/check-disk-space
~
"/tmp/crontab.XXXXyjWkHw" 2L, 83C
[Note: This will open the crontab file in Vim editor for editing.
Please note cron created a temporary /tmp/crontab.XX... ]
When you save the above temporary file with :wq, it will save the crontab and display the following message indicating the crontab is successfully modified.
~
"crontab.XXXXyjWkHw" 2L, 83C written
crontab: installing new crontab
Edit Root Crontab entries
Login as root user (su – root) and do crontab -e as shown below.
root@dev-db# crontab -e
Edit Other Linux User’s Crontab File entries
To edit crontab entries of other Linux users, login to root and use -u {username} -e as shown below.
Ideally you may not have a requirement to schedule a job every minute. But understanding this example will will help you understand the other examples mentioned below in this article.
* * * * * CMD
The * means all the possible unit — i.e every minute of every hour through out the year. More than using this * directly, you will find it very useful in the following cases.
When you specify */5 in minute field means every 5 minutes.
When you specify 0-10/2 in minute field mean every 2 minutes in the first 10 minute.
Thus the above convention can be used for all the other 4 fields.
7. Schedule a Background Cron Job For Every 10 Minutes.
Use the following, if you want to check the disk space every 10 minutes.
*/10 * * * * /home/user/check-disk-space
It executes the specified command check-disk-space every 10 minutes through out the year. But you may have a requirement of executing the command only during office hours or vice versa. The above examples shows how to do those things.
Instead of specifying values in the 5 fields, we can specify it using a single keyword as mentioned below.
There are special cases in which instead of the above 5 fields you can use @ followed by a keyword — such as reboot, midnight, yearly, hourly.
Table: Cron special keywords and its meaning
Keyword
Equivalent
@yearly
0 0 1 1 *
@daily
0 0 * * *
@hourly
0 * * * *
@reboot
Run at startup.
8. Schedule a Job For First Minute of Every Year using @yearly
If you want a job to be executed on the first minute of every year, then you can use the@yearly cron keyword as shown below.
This will execute the system annual maintenance using annual-maintenance shell script at 00:00 on Jan 1st for every year.
@yearly /home/user/red-hat/bin/annual-maintenance
9. Schedule a Cron Job Beginning of Every Month using @monthly
It is as similar as the @yearly as above. But executes the command monthly once using@monthly cron keyword.
This will execute the shell script tape-backup at 00:00 on 1st of every month.
@monthly /home/user/suse/bin/tape-backup
10. Schedule a Background Job Every Day using @daily
Using the @daily cron keyword, this will do a daily log file cleanup using cleanup-logs shell scriptat 00:00 on every day.
11. How to Execute a Linux Command After Every Reboot using @reboot?
Using the @reboot cron keyword, this will execute the specified command once after the machine got booted every time.
@reboot CMD
12. How to Disable/Redirect the Crontab Mail Output using MAIL keyword?
By default crontab sends the job output to the user who scheduled the job. If you want to redirect the output to a specific user, add or update the MAIL variable in the crontab as shown below.
user@dev-db$ crontab -l
MAIL="user"
@yearly /home/user/annual-maintenance
*/10 * * * * /home/user/check-disk-space
[Note: Crontab of the current logged in user with MAIL variable]
If you wanted the mail not to be sent to anywhere, i.e to stop the crontab output to be emailed, add or update the MAIL variable in the crontab as shown below.
MAIL=""
13. How to Execute a Linux Cron Jobs Every Second Using Crontab.
You cannot schedule a every-second cronjob. Because in cron the minimum unit you can specify is minute. In a typical scenario, there is no reason for most of us to run any job every second in the system.
14. Specify PATH Variable in the Crontab
All the above examples we specified absolute path of the Linux command or the shell-script that needs to be executed.
For example, instead of specifying /home/user/tape-backup, if you want to just specify tape-backup, then add the path /home/user to the PATH variable in the crontab as shown below.
user@dev-db$ crontab -l
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/home/user
@yearly annual-maintenance
*/10 * * * * check-disk-space
[Note: Crontab of the current logged in user with PATH variable]
15. Installing Crontab From a Cron File
Instead of directly editing the crontab file, you can also add all the entries to a cron-file first. Once you have all thoese entries in the file, you can upload or install them to the cron as shown below.
Note: This will install the cron-file.txt to your crontab, which will also remove your old cron entries. So, please be careful while uploading cron entries from a cron-file.txt.
From upgrades to headless operation to emulation - some topics, no matter how important, refuse to fit neatly into any one chapter. This appendix serves as a reference center for some of these need-to-know items.
Linux Security With TCP Wrappers
The TCP Wrappers package is installed by default on Fedora Linux and provides host-based security separate from that provided by a firewall running on the server itself or elsewhere.
The application relies on two main files:
/etc/hosts.allow: Defines the hosts and networks allowed to connect to the server. The TCP Wrappers enabled application searches this file for a matching entry, and if it finds one, then the connection is allowed.
/etc/hosts.deny: Defines the hosts and networks prohibited from connecting to the server. If a match is found in this file, the connection is denied. No match means the connection proceeds normally.
The /etc/hosts.allow file is always read first and both files are always read from top to bottom, therefore the ordering of the entries is important.
The TCP Wrappers File Format
The format of the file is as follows:
:
This example allows all traffic from the 192.168.1.0/24 and the 192.168.2.0/255.255.255.0 networks and SSH from only two hosts, 172.16.1.1 and 216.10.119.244. All HTTP Web traffic is allowed. All other TCP traffic to the host is denied. Notice how the subnet masks can use the slash nomenclature or the dotted decimal 255.255.255.0 format.
#
# File: hosts.allow
#
ALL: 192.168.1.0/24 192.168.2.0/255.255.255.0
sshd: 172.16.1.1 216.10.119.244
httpd: ALL
#
# File: hosts.deny
#
ALL: ALL
Determining the TCP Daemon's Name
The easiest way of determining the name of a daemon is to use the ps command and then use grep to filter for the name of the service. Here, the example quickly determines the daemon name (/usr/sbin/sshd) for the SSH server process. Because TCP Wrappers only requires the program name and not the path, sshd therefore becomes the entry to place in the TCP-daemon-name column of the configuration file.
For a full explanation of all the options available, refer to section 5 of the man pages for hosts_access.
[root@bigboy tmp]# man 5 hosts_access
TCP wrappers is simple to implement, but you have to set them on every host. Management is usually easier on a firewall that protects the entire network.
Adjusting Kernel Parameters
Unlike many Linux applications that need to be restarted before their configuration parameters are read, many of the Linux kernel's parameters can be instantaneously activated and deactivated.
The Linux kernel stores many of its dynamic parameters in the /proc filesystem, which resides on a virtual RAM disk in memory for maximum performance.
Parameters are generally categorized by function within subdirectories of the /proc; information on IDE hard drives are located in the /proc/ide directory, for example, and general system parameters are located in the /proc/sys directory.
System parameters are held within files with names that mimic their function. For example, a Linux system can become a rudimentary router if the IP forwarding networking parameter is set to 1, not 0. Networking parameters for IPv4 addressing schemes are located in the /proc/sys/net/ipv4/. The file that covers IP forwarding is named ip_forward and contains a single byte: 1 when it's active or 0 when it's not.
You can update these files by redirecting the output of the echo command to overwrite the file contents using the > redirection character. This line activates IP forwarding by overwriting the contents of the ip_forward file with the value 1.
There are some disadvantages to doing this. It is not a permanent solution, and the system will revert back to its defaults after the next reboot. You can overcome this by adding the echo commands to the /etc/rc.local script that runs at the end of each reboot. This too has its disadvantages; it is the very last script to be run so if your parameters need to be set earlier, as most kernel parameters should be, it isn't a suitable solution.
Linux has a more elegant solution called the /etc/sysctl.conf file. It is a list of all the /proc filesystem files the systems administrator wants to customize and the values they should contain. The file has two columns, the first is the filename relative to the /proc/sys directory, and the second is the value the file should contain separated by an equals sign. You can also replace the slashes in the filename with periods. Continuing with the example, you can set the /proc/sys/net/ipv4/ip_forward file with a value of 1 using either of these configurations.
Editing the /etc/sysctl.conf file isn't enough, because the update isn't instantaneous. You have to force Linux to reread the file and reset the kernel parameters using the sysctl -p command. In the example, the /proc/sys/net/ipv4/ip_forward file had a value of 0 until the sysctl command ran, after which time, IP forwarding was activated.
The use of the /etc/sysctl.conf is important in day to day administration.
Running Linux Without A Monitor
You can reduce the cost of ownership of your Linux system by not using a VGA monitor. This creates what is also known as a headless system. Operating costs may not be important at home, but will be in a corporate environment with large numbers of Linux servers racked in data centers. In such cases, access to the Linux box can be more cheaply provided via the COM port.
I've included this section, largely because I have occasionally hosted the Web site www.linuxhomenetworking.com at friends' homes and felt badly about borrowing their monitors. Having access via the COM ports has also helped me in both the home and business situations. The most common occurrence is when the system is hung, locking out network access, and I need to get to it by using:
A notebook PC with a console cable connected to the COM port
A modem connected to the COM port
Telnet to log in to a terminal server that has one of its ports connected to the Linux box's COM port
Preparing To Go "Headless"
One of the advantages of this method is that you don't need a keyboard either. Unfortunately, your BIOS may halt the system during the Power On Self Test (POST) if it doesn't detect a keyboard. Make sure you disable this feature in the BIOS setup of your PC before proceeding. You can usually find the POST feature on the very first screen under the Halt On option.
You also need to make sure that you have activated your COM ports in your BIOS settings.
For connectivity that doesn't involve modems (PC to PC) connect a null modem cable to the COM port you want to test, connect the other end to the client PC running Hyperterm or whatever terminal emulation software you are using. One popular Linux equivalent to Hyperterm is minicom.
If you're using a modem for connectivity, then you'll need a full modem cable and you'll have to test via a dial up connection.
Configuration Steps
In RedHat/Fedora Linux, the COM1 and COM2 ports are controlled by a program called agetty, but agetty usually isn't activated when you boot up unless its configuration file /etc/inittab is modified. In other versions of Linux, agetty may be called just plain getty. Table I.1 lists the physical ports to their equivalent Linux device names.
Table I.1 How Physical COM Ports Map To Linux TTYS Devices
Port
Linux "agetty" Device Name
COM1
ttyS0
COM2
ttyS1
You can determine whether you have valid serial ports using the setserial command. In this case we are looking for all available ports between ttyS0 to ttyS7. You can see we only have two valid selections, ttyS0 and ttyS1.
To configure both valid COM ports for terminal access, add these lines to /etc/inittab:
# Run COM1 and COM2 gettys in standard runlevels
S0:235:respawn:/sbin/agetty -L 9600 ttyS0 vt102
S1:235:respawn:/sbin/agetty -L 9600 ttyS1 vt102
What do these lines mean? At boot time, when the system enters runlevels 2, 3, or 5, agetty must attach itself to devices ttyS0 and ttyS1 and emulate a VT102 terminal running at 9600 baud. The -L means ignore modem control signals, this option should be omitted if you are connecting the port to a modem. The respawn lines mean that agetty will restart automatically if, for whatever reason, it dies.
The next step is to restart the init process to re-read /etc/inittab:
[root@bigboy tmp]# init q
You'll be able to verify the activation of agetty process by querying the process table using the ps command.
Now you need to configure the terminal client (Hyperterm) to match the speed settings in /etc/inittab. Connect the console/modem cable between the client and your Linux box. Press Enter a couple times, and celebrate when you see something like this:
Red Hat Linux release 8.0 (Psyche)
Kernel 2.4.18-14 on an i586
bigboy login:
Note: By default, user root will not be able to log in from a terminal. To do this, you'll have to edit the /etc/securetty file, which contains the device names of TTY lines on which root is allowed to login. Just add ttyS0 and ttyS1 to the list if you need this access.
Switching Your Console to the Serial Port
By configuring the options in your /etc/grub.conf file you can redirect console output to one of your newly configured serial ports. This will allow you to see all of the bootup and shutdown messages on this new serial terminal port. In this example, the /dev/ttyS1 port has been configured to become the new console. The text to add to the file is highlighted in red:
With this modification you will still be able to completely administer the system using this port, inclusive of the grub pre-boot commands, after the next reboot. Note: It is possible that the kudzu hardware detection program may not be compatible you’re your non default console configuration that doesn't use your system's video adapter. If your system hangs on reboot, you may have to reset your system; break into the grub bootloader; temporarily remove the console options from the boot command line; and disable kudzu when the system fully reboots.
[root@bigboy tmp]# chkconfig kudzu off
This is an unlikely event with newer Linux versions, but you should be aware that it can happen.
Make Your Linux Box Emulate A VT100 Dumb Terminal
Dumb terminals are devices that allow you to log in to your system via the COM port. You can make your Linux box emulate a dumb terminal quite easily. Why would you want to? For example, you run Linux on a notebook and you need to use it to access a hung headless Linux server via the COM port, Or, perhaps you need to gain access to a modem connected to the COM port. This section will focus on the notebook scenario, not using Linux to dial a modem:
Configuration Steps
The most commonly used Linux terminal emulation program is minicom. It is simple to use mainly because it uses a text-based GUI. You first need to go through all the relevant steps listed in the "Preparing to go Headless" section to ensure you have the right type of cable and correct BIOS settings.
Be warned, minicom will clash with your agetty configuration explained previously: A headless system cannot be used to access another headless system using the headless COM port. You, therefore, have to disable the agetty configuration for the port on which you wish to run minicom.
1. It is important not to have an agetty entry for the COM port you are going to use. If an entry exists, disable agetty on COM1 by commenting out the ttyS0 agetty statements in the /etc/inittab file. COM1 now handles outbound minicom connections to other systems, and other systems using minicom can use COM2 to access this system. The next phase is to restart the init process to reload the new /etc/inittab settings.
2. Edit /etc/inittab:
# Run COM1 and COM2 gettys in standard runlevels
#S0:235:respawn:/sbin/agetty -L 9600 ttyS0 vt102
S1:235:respawn:/sbin/agetty -L 9600 ttyS1 vt102
3. Restart init
[root@bigboy tmp]# init q
4. Run minicom in setup mode using the minicom -s command, which brings you to the setup menu:
[root@bigboy tmp]# minicom -s
------[configuration]-------
| Filenames and paths |
| File transfer protocols |
| Serial port setup |
| Modem and dialing |
| Screen and keyboard |
| Save setup as dfl |
| Save setup as.. |
| Exit |
| Exit from Minicom |
----------------------------
5. Select the Serial Port Setup menu item. Make the speed match that of the remote headless system and make sure the correct serial COM device is chosen. Device /dev/ttyS0 is COM1 and /dev/ttyS1 is COM2. Also make sure that flow control is off.
-------------------------------------------
| A - Serial Device : /dev/ttyS0 |
| B - Lockfile Location : /var/lock |
| C - Callin Program : |
| D - Callout Program : |
| E - Bps/Par/Bits : 9600 8N1 |
| F - Hardware Flow Control : No |
| G - Software Flow Control : No |
| |
| Change which setting? |
-------------------------------------------
6. Select the Modem and Dialing option and make sure the Init String and Reset String settings are blank.
7. Select the Save Setup as dfl to make this your saved default setting, and then choose Exit from Minicom.
8. Make sure the other system is correctly configured for headless operation. Connect the cables between the systems.
9. Re-enter minicom, this time without the -s.
[root@bigboy tmp]# minicom
10. Press Enter, and you should get a login prompt
Welcome to minicom 2.00.0
OPTIONS: History Buffer, F-key Macros, Search History Buffer, I18n
Compiled on Jun 23 2002, 16:41:20.
Press CTRL-A Z for help on special keys
bigboy login:
11. To exit minicom, type Ctrl-A, then Z, then X
12. Users other than root will get a "permission denied" message if they use minicom, because the COM ports are not normally accessible to regular users. To get around this, user root can either give everyone read/write access using the chmod command or add selected trusted users to your sudo configuration.
Remember that minicom resets the privileges to the COM port each time you change the configuration with minicom -s so you may find yourself having to run chmod from time to time.
[root@bigboy tmp]# chmod o+rw /dev/ttyS0
Note: This configuration is sufficient for connection to a Cisco router, switch or PIX firewall. Just remember to use the Cisco proprietary RJ45 type console cable to connect your COM port to the network device.
Dual Booting Fedora and Ubuntu Linux on Servers
Before virtualization in which multiple and different operating system could be run simultaneously on the same server there was dual booting. This older method allows a system to boot one of many different operating systems residing on its disks. It is still commonly used on slower hardware, by students and in lab testing environments. This section describes how it is done, but first we need to discuss a disk’s master boot record (MBR).
The MBR stores the disk’s partition table, a unique disk id, and information that points to a predefined partition on the disk that should contain files used in booting. The data included in this boot partition includes a file with the initial boot menu screen and the bootable kernels associated with each menu entry. In Fedora the installation process creates a separate boot partition ( /boot ) from the root partition, in Ubuntu, the boot partition and the root partition are the same ( / ).
This information is important to understand when installing Fedora and Ubuntu together in a dual boot configuration. The example shown here assumes that Fedora will be installed first. Let’s go!
Installing and Configuring Fedora
Follow these steps carefully and you should have a functioning system with few installation headaches.
Install Fedora using the custom disk layout without LVM and leave a single free partition area large enough to install Ubuntu later. Fedora will configure the disk’s master boot record (MBR) to point to the /boot partition and the /boot/grub/menu.lst file with the startup menu.
With a brand new Fedora installation in which there is only one version of the kernel, this menu may not be seen when you reboot Fedora. Edit the /boot/grub/menu.lst file and comment out the hiddenmenu parameter to ensure the menu shows up and configure it to be displayed for some time using the timeout parameter. In this case it is set to 60 seconds.
Now it’s time to configure Ubuntu to work seamlessly with Fedora.
Installing and Configuring Ubuntu
Reboot and install Ubuntu server. Pay attention to two parts of this process.
1. Near the beginning you will be prompted for disk partition information. Select the option that installs Ubuntu in the unused free partition space only. Write down partition number where the root, or / partition will be installed. In this case we’ll assume it is /dev/sda11. This will be needed later.
2. Close to the end you will be asked whether you want to install grub on the MBR or on the root partition. Select the root partition of /dev/sda11.
Note: DO NOT install on the MBR. Ubuntu will read the contents of Fedora’s menu.lst file, will add it to its own menu.lst file in /dev/sda11 and then will make the MBR point to the Ubuntu menu.lst file. The difficulty is that the Fedora menu.lst file contents are specific to the current versions of the Fedora kernel files. If you upgrade Fedora the Ubuntu menu.lst file will not be updated and Fedora won’t be able to boot properly again from the now outdated Ubuntu menu.lst file.
Configuring Fedora grub to dual boot with Ubuntu
Now it’s time to tie the Fedora installation to that of Ubuntu. Here are the steps.
1. Reboot. At the Fedora startup menu enter single user mode to reduce the risk of disk activity interfering with our work.
2. We will now need to properly configure grub to use the Fedora menu for Fedora boots using the Fedora grub boot loader and the Ubuntu menu for Ubuntu boots with the Ubuntu boot loader.
3. As seen before, Ubuntu was installed on the /dev/sda11 partition. We need to access those files. Mount /dev/sda11 on /mnt and run Ubuntu’s version grub which should now be /mnt/usr/sbin/grub
# mount /dev/sda11 /mnt
# /mnt/usr/sbin/grub
4. Grub numbers partitions and disks starting from 0. Linux numbers partitions starting from 1 and disks are defined alphabetically from a-z. So in this case Linux partition sda11 will be grub partition (hd0,10).
Use the device command to map the two together. Follow this with the root command to set up the Ubuntu grub boot loader to accept a transfer of authority from another preliminary loader, in this case it will be Fedora but we don’t specify this yet. The setup command will configure grub correctly, and is done as a precaution as the Ubuntu installation process should have done this already.
grub> device (hd0) /dev/sda
grub> root (hd0,10)
grub> setup (hd0,10)
Checking if "/boot/grub/stage1" exists... yes
Checking if "/boot/grub/stage2" exists... yes
Checking if "/boot/grub/e2fs_stage1_5" exists... yes
Running "embed /boot/grub/e2fs_stage1_5 (hd0,10)"... failed (this is not fatal)
Running "embed /boot/grub/e2fs_stage1_5 (hd0,10)"... failed (this is not fatal)
Running "install /boot/grub/stage1 (hd0,10) /boot/grub/stage2 p /boot/grub/menu.lst "... succeeded
Done.
grub> quit
Note: DO NOT run the grub-install command to configure grub as you will be running the fedora version of the command against an incompatible Ubuntu partition. It will appear to work as seen in the following example but the rest of the setup will fail.
[root@smallfry-f]# grub-install /dev/sda11
Installation finished. No error reported.
This is the contents of the device map /boot/grub/device.map.
Check if this is correct or not. If any of the lines is incorrect,
fix it and re-run the script `grub-install'.
# this device map was generated by anaconda
(hd0) /dev/sda
[root@smallfry-f]#
Note: DO NOT run the grub-install command located on the Ubuntu partition or in a chroot jail will not work either giving messages like these
[root@smallfry-f ~]# mount /dev/sda11 /mnt/ubuntu/
[root@smallfry-f ~]# cd /mnt/ubuntu/
[root@smallfry-f ubuntu]# usr/sbin/grub-install /dev/sda11
/usr/sbin/grub: Not found.
[root@smallfry-f ubuntu]# chroot /mnt/ubuntu
root@smallfry-f:/# /usr/sbin/grub-install /dev/sda11
/dev/sda11: Not found or not a block device.
root@smallfry-f:/# exit
We’re not finished yet. There a few more steps to go!
Configuring Fedora grub to dual boot with Ubuntu
Now it’s time to configure the Fedora menu.lst file to point to the menu.lst of the Ubuntu installation.
Note: You can do the following steps while still in single user mode or you can reboot Fedora and do them in an ssh session as it will be easier to cut and paste some of the commands to follow. Remember Ubuntu will not boot yet or be displayed in the startup menu.
1. Edit /boot/grub/menu.lst and add the entries for Ubuntu with its own menu line option. The title command gives the Ubuntu entry the label “Ubuntu Boot Menu”. The root command points to the /dev/sda11 partition or (hd0,10) as grub expects it to be called. Finally the chainloader command tells Fedora’s grub to hand over control to whatever grub boot loader is found in that partition. In this case that loader that will be found will belong to Ubuntu. Here is a sample of what it should look like.
#
# File: /boot/grub/menu.lst
#
default=0
timeout=60
splashimage=(hd0,0)/grub/splash.xpm.gz
#hiddenmenu
title Fedora (2.6.27.5-117.fc10.i686)
root (hd0,0)
kernel /vmlinuz-2.6.27.5-117.fc10.i686 ro root=UUID=de68defd-1f82-4ad3-b39e-0776b15d6d92 rhgb quiet
initrd /initrd-2.6.27.5-117.fc10.i686.img
title Ubuntu Boot Menu
root (hd0,10)
chainloader +1
2. Reboot and you should now get a Fedora startup menu with an Ubuntu option. By using your arrow keys you can scroll down and select the Ubuntu option. This will then cause the Ubuntu startup menu to be displayed. You can boot Ubuntu by scrolling down to the menu item and hitting . From there you will be able to select the Ubuntu kernel of your choice. The default should be sufficient and will boot automatically after the Ubuntu menu.lst file’s timeout period expires.
Your dual booting configuration is complete. Boot your operating systems and configure them as you desire.
Simple Troubleshooting
If you try to boot Ubuntu from the menu and you get an “error 15: file not found” message then you most likely haven’t properly completed the grub configuration steps or you have a typographical error in your Ubuntu menu.lst file or the Fedora menu.lst file’s entry that points to Ubuntu.
If you select the Ubuntu menu item and you immediately return to the Fedora boot menu screen then you probably ran the grub-install command when you shouldn’t have.
How to get Ubuntu to Boot by Default
Making Ubuntu the preferred operating to boot when the server is unattended requires two file edits.
1. The first is done by booting Fedora and editing the /boot/grub/menu.lst and setting the default option to select Ubuntu. A default of 0 causes the first menu item title to be selected by default, a value of 1 selects the second, a value of two selects the third and so on. In this example setting the value to 1 will cause the Ubuntu menu item, the second in the list, to be automatically chosen.
2. Reboot your system. The Fedora menu will change to become the Ubuntu menu and then the default Ubuntu kernel will boot. You can change the Ubuntu default boot kernel by editing the /boot/grub/menu.lst file’s default parameter after the Ubuntu boot is completed using the guidelines given previously.
Note: If you are skillful you don’t have to reboot. Just mount the appropriate partitions and edit the menu.lst file.
Conclusion
Operating system virtualization has reduced the need to create dual booting systems, but this section should still be valuable to those of you who need to troubleshoot a GRUB configuration.
VPN Terms and Methods
A virtual private network (VPN) provides security for transmission of sensitive information over unprotected networks such as the Internet. VPN relationships are established between trusted sites on the Internet making the public network appear to be virtually the same as a private network to the VPN members. VPNs, however, have their own language. Once you know the terms, you'll be ready to get to work.
Authentication: The process of ensuring that the VPN data received is both unchanged and from the expected source.
Encryption: The use of special mathematical equations to scramble the bits in a data stream, rendering the data stream unreadable to anyone who does not have access to the corresponding decryption equation. The process is usually made even harder through the use of an encryption key, which modifies the way the equations do the scrambling. Only persons with access to this key and the corresponding programs are able to recover the original data. Data encryption helps to prevent unauthorized persons from having access to the data.
IPSec: The name given to a number of data communications protocols designed to authenticate and encrypt VPN data to protect it from unauthorized viewing or modification as it is transmitted across a network.
Authentication header (AH): One of two IPSec security protocols. Provides authentication and antireplay services, without encryption, by adding its own security header to the original IP packet
Encapsulating security protocol (ESP): The other IPSec security protocol. Provides authentication, encryption, and antireplay services. It encrypts the data within the packet and then adds its own security header to the original IP packet. Because ESP headers don't authenticate the outer IP header as AH headers do, AH and an ESP are often used in combination with each other. This is called transport adjacency.
Transport mode VPN: A style of VPN in which the original source and destination address of the data sent over the VPN is unchanged. Figures I.1 and I.2 provide examples of transport mode VPN IP packets. (For more information on the IP protocol, please refer to Chapter 2, "Introduction to Networking", which introduces networking concepts.)
Figure I.1 Transport mode AH packet format
Original IP Header
Inserted AH Header
Original TCP Header
Data
Figure I.2 Transport mode AH / ESP packet format
Original IP Header
Inserted AH Header
Inserted ESP Header
Original TCP Header
Data
Tunnel mode VPN: A style of VPN in which the original source and destination address of the data sent over the VPN is changed by encapsulating the original IP packet within another IP packet. The original packet is frequently encrypted, header and all, in an effort to provide an additional layer of security by not revealing the true identities of the servers communicating with each other. Figures I.3 and I.4 show examples of tunnel mode VPN IP packets.
Figure I.3 Tunnel mode AH packet format
New IP Header
Inserted AH Header
Original IP Header
Original TCP Header
Data
Figure I.4 Tunnel mode AH / ESP packet format
New IP Header
Inserted AH Header
Inserted ESP Header
Original IP Header
Original TCP Header
Data
Authentication and Encryption methods
IPSec data integrity is usually provided by one of two hashed message authentication code (HMAC) methods:
Message Digest 5 (MD5)
Secure Hash Algorithm (SHA-1).
IPSec usually uses one of two methods to encrypt data:
Data Encryption Standard (DES) using a 56-bit encryption key
Triple DES using a 168-bit encryption key.
Internet Key Exchange (IKE)
IKE provides authentication of the IPSec peers, negotiates IPSec security associations, and establishes IPSec keys. There are two main methods of establishing a trusted relationship between two devices that want to create a VPN between themselves.
Public Encrypted Keys
The first method is public key cryptography using RSA encryption pioneered by RSA Data Security Inc. Each VPN device has its own public and private keys. Anything encrypted with one of the keys can only be decrypted with the other. This allows you to create a signature when the message is encrypted with a sender's private key. The receiver verifies the signature by decrypting the message with the sender's public key.
A successful exchange requires the receiver to have a copy of the sender's public key and to know with a high degree of certainty that it really does belong to the sender, and not to someone pretending to be the sender. This certainty is assured using certificates and Certification Authorities.
A digital certificate contains information that identifies a user or device, such as a name, serial number, company, department, or IP address. It also contains a copy of the entity's public key. Certificates are managed and issued by Certification Authorities (CAs). A CA can either be a trusted public third party, such as VeriSign, or an in-house private server that you establish within your organization.
Prior to installing a certificate-based VPN, each VPN device must be preconfigured with the certificate generated for them by the CA. The VPN devices are also be preconfigured with the CA's certificate.
During the key exchange, the VPN peers authenticate by sending each other the certificate issued to them by the CA, but encrypted using their private key.
Each peer then uses the pre-installed CA certificate they have to authenticate with the CA and securely receive the other peer's certificate from the CA using public key cryptography.
Each peer then extracts the public key from the certificate they receive from the CA and uses it to decrypt the certificate they just received from the other peer.
Once the certificates received from the CA and the other peer match, authentication is complete.
Private Shared keys
The second method of establishing a trusted relationship is to have the devices at each end of the VPN use a shared key or password. The disadvantage is that each pair of VPN connections needs set of keys, making it difficult for large scale implementations. Unlike the RSA method, there is no CA to provide an impartial audit trail of VPN connection initiations.
IKE's role in creating Security Associations
Once authentication is complete, the VPN peers use IKE to negotiate the security associations (SAs) to be used at each end point. IKE, in turn, uses special ISAKMP IP packets using IP protocol 50 to establish a security association. SAs are comprised of transforms and shared keys. Transforms describe how the data will be transformed by the VPN and between which pre-defined networks at each end of the tunnel to provide the desired security, for example:
Packet encryption methods
Packet authentication methods
Transport versus tunnel mode
AH and or ESP usage
SA lifetime before it is renegotiated. (SAs are permanent for when manually established)
Shared keys are the actual keywords used by the encryption and authentication processes to protect the data.
VPN Security And Firewalls
All security devices in the path of a VPN connection have to allow IP protocol 50 between the two VPN devices to ensure that IKE works properly.
VPNs also use a separate channel through which the encrypted data passes as UDP packets through port 500. Unusually, the source and destination port is 500.
For the VPN to function correctly these protocols must also be allowed to pass through unimpeded. In certificate based VPNs, you may have to open up these ports and protocols to the CA as well.
Note: VPN tunnels frequently don't operate correctly if they have to pass through a firewall that uses NAT. They will tend to work if the NAT firewall is the termination point of the VPN.
VPN User Authentication Methods For Temporary Connections
The discussion so far has been slanted towards a permanent connection between purpose built VPN devices. Frequently, however, the device at the other end of the connection is a PC. Table I.2 shows some authentication methods used in such cases.
Table I-2 Types Of Dial Up VPN Authentication
Method
Description
IKE-XAUTH secured RADIUS
Usernames and passwords entered into the VPN remote login software are relayed by the VPN device at the remote end to a trusted RADIUS server. If the username/password combination is valid for remote login, then the RADIUS server authorizes the VPN device to continue with the IKE interchange.
ACE/SecurID
Software uses a username and password in conjunction with a small key-ring token with a digital display, also known as a fob, whose authentication serial number changes every few minutes for a login to occur. To log in, the user not only has to enter the username and password, but also the PIN tied to the fob plus the fob's dynamic serial number which is synchronized with the authentication server at the other end of the VPN.
Windows Domain
Remote home user authentication relies on the same username/password combination of the Windows Domain Controller that the user would normally use to log in when they are at work.
Local user database
Valid usernames and passwords are configured into the VPN device at the other end of the VPN
TCP/IP Packet Format
The TCP/IP packet contains an IP header followed by a TCP or UDP header followed by the TCP/UDP data as seen in Figure I.5.
Figure I.5
IP Header
TCP / UDP Header
Data
Tables I.3 through I.5 show the general format of the various TCP/IP header fields you may encounter.
Table I.3 Contents Of The IP Header
Field
Description
Ip Version
The version of IP being used. Version 4 is the current version used by most devices on the Internet. Version 6 is a newer format that allows for a more vast range of addresses.
IHL
Internet Header Length. Total length of the IP header.
Total Length
Total length of the IP packet.
DF Bit
Indicator to tell whether the data in the packet may be fragmented into smaller packets due to limitations of the communications line.
MF Bit
Indicator to tell whether this data in this packet is the last one of a stream of fragments.
Fragment Offset
If the packet is part of a fragmented datagram, then this specifies where in the complete datagram the data in the packet should be inserted.
TTL
Time to live. This value is decremented by each router through which the packet passes. When the value reaches zero, the packet is discarded by the router. The server sending the data usually sets the TTL to a value high enough to reach its destination without being discarded. The TTL decrement feature is used by routers as an additional precaution to prevent the packet from mistakenly being routed around the Internet in an infinite loop caused by a routing error.
Protocol
Defines the type of protocol header to expect at the end of this header. For example, 6 = TCP. 17 = UDP
Header checksum
Used to ensure that the header contents are error free.
Source Address
Indicates the IP address of the server sending the data.
Destination Address
Indicates the IP address of the server intended to receive the data.
Table I.4 Contents Of The TCP Header
Field
Description
Source and Destination Port
Identifies points at which upper-layer source and destination processes receive TCP services.
Sequence Number
Usually specifies the number assigned to the first byte of data in the current message. In the connection-establishment phase, this field also can be used to identify an initial sequence number to be used in an upcoming transmission.
Acknowledgment Number
Contains the sequence number of the next byte of data the sender of the packet expects to receive.
Data Offset
Length of the TCP header.
Flags
Carries a variety of control information, including the SYN and ACK bits used for connection establishment, and the FIN bit used for connection termination.
Window
Specifies the size of the sender's receive window (that is, the buffer space available for incoming data)
Checksum
Used to ensure that the header contents are error free.
Data
Contains upper-layer information
Table I.5 Contents Of The UDP Header
Field
Description
Source and Destination Port
Identifies points at which upper-layer source and destination processes receive TCP services.
Length
Specifies the length of the UDP header and data
Checksum
Used to ensure that the header contents are error free.
ICMP Codes
You'll also encounter ICMP codes in your troubleshooting exercises, especially when viewing your iptables log files. Table I.6 lists the most commonly used codes.
Table I-6 ICMP Codes
Type
Name
Description
3
Destination Unreachable Codes
Net Unreachable
The sending device knows about the network but believes it is not available at this time. Perhaps the network is too far away through the known route.
Host Unreachable
The sending devices knows about host but doesn't get ARP reply, indicating the host is not available at this time
Protocol Unreachable
The protocol defined in IP header cannot be forwarded.
Port Unreachable
The sending device does not support the port number you are trying to reach
Fragmentation Needed and Don't Fragment was Set
The router needs to fragment the packet to forward it across a link that supports a smaller maximum transmission unit (MTU ) size. However, application set the Don't Fragment bit.
Source Route Failed
ICMP sender can't use the strict or loose source routing path specified in the original packet.
Destination Network Unknown
ICMP sender does not have a route entry for the destination network, indicating this network may never have been an available.
Destination Host Unknown
ICMP sender does not have a host entry, indicating the host may never have been available on connected network.
Source Host Isolated
ICMP sender (router) has been configured to not forward packets from source (the old electronic pink slip).
Communication with Destination Network is Administratively Prohibited
ICMP sender (router) has been configured to block access to the desired destination network.
Communication with Destination Host is Administratively Prohibited
ICMP sender (router) has been configured to block access to the desired destination host.
Destination Network Unreachable for Type of Service
The sender is using a Type of Service (TOS) that is not available through this router for that specific network.
Destination Host Unreachable for Type of Service
The sender is using a Type of Service (TOS) that is not available through this router for that specific host.
Communication Administratively Prohibited
ICMP sender is not available for communications at this time.
Host Precedence Violation
Precedence value defined in sender's original IP header is not allowed (for example, using Flash Override precedence).
5
Redirect Codes
Redirect Datagram for the Network (or subnet)
ICMP sender (router) is not the best way to get to the desired network. Reply contains IP address of best router to destination. Dynamically adds a network entry in original sender's routing tables.
Redirect Datagram for the Host
ICMP sender (router) is not the best way to get to the desired host. Reply contains IP address of best router to destination. Dynamically adds a host entry in original sender's route tables.
Redirect Datagram for Type of the Service and Network
ICMP sender (router) does not offer a path to the destination network using the TOS requested. Dynamically adds a network entry in original sender's route tables.
Redirect Datagram for the Type of Service and Host
ICMP sender (router) does not offer a path to the destination host using the TOS requested. Dynamically adds a host entry in original sender's route tables.
6
Alternate Host Address Codes
Alternate Address for Host
Reply that indicates another host address should be used for the desired service. Should redirect application to another host.
11
Time Exceeded Codes
Time to Live exceeded in Transit
ICMP sender (router) indicates that originator's packet arrived with a Time To Live (TTL) of 1. Routers cannot decrement the TTL value to 0 and forward the packet.
Fragment Reassembly Time Exceeded
ICMP sender (destination host) did not receive all fragment parts before the expiration (in seconds of holding time) of the TTL value of the first fragment received.
12
Parameter Problem Codes
Pointer indicates the error
Error is defined in greater detail within the ICMP packet.
Missing a Required Option
ICMP sender expected some additional information in the Option field of the original packet.
