SysAdmin Blog, TechTips and Reviews

System Administrators’ Blog

Archives Posts

Domain Renewal for Sysadmin Day PH

July 23rd, 2008 by elizar

I almost lost this precious domain of mine, sysadmindayph.com, because of procrastination. Good thing I once again checked my email and re-read the email notification from my webhost provider.

So I immediately renewed the domain for another year…

Here’s the email notification from my webhosting provider:

Congratulations. Your Domain Name sysadmindayph.com has been Renewed for a period of 1 years. Please read through this mail, and store it for future reference, since it contains important information about the Renewal.

Order Details
Order ID: xxxxxxx
Domain Name: sysadmindayph.com
No of Years Added: 1
Invoice Total: PHP 00.0
New Expiry Date: Monday, July 27, 2009

So, for those waiting for this domain to become available, that’s the date to watch out or to wait for.

In the meantime, let’s continue putting valuable system administration, tech content to this blog.. also, let’s help put my redtube keyword and tube8 plus xhamster on page 1! :D

cheers!

Filed under Internet, Tips

/var/preserve Directory: Vi and Ex Temporary Files

April 2nd, 2008 by elizar

Got a page on an error today:

Error, DISK_SPACE:/var - hostname - UNIX - EMAIL - 100% full, 0MB free, 722MB total

Did a quick ‘du’ on /var filesystem and found out the culprit directory:

# du -sk * | sort -rn | more
232013 preserve
222272 tmp
62607 sadm
58204 cfengine
44270 spool
40355 adm
510 cron
503 orca
343 apache

Filed under Solaris, Tips

vi Search and Replace… The Basics, Dummy’s Reference

March 13th, 2008 by elizar

Yep, this is a dummy’s reference… I keep on forgetting the syntax so I might as well put it here for my own reference… :D

vi is one of, if not the most, popular text editors available to a System Administrator on UNIX and UNIX-like machines.

It has two modes, command and editor mode.

Here is some syntax for using Search and Replace in ‘vi’.

Search:

The most basic and most easily remembered command for searching in vi is slash or ‘/’ followed by the string being searched. That’s for forward searching. For backward, vi uses ‘?’ followed by the string being searched.

To go to the next occurrence of the string being searched, vi uses the ‘n’ command. It doesn’t matter if you’re searching forward (from the top down) or backward (from the bottom up).

Example:

(you have to be in command mode… press ESC first)

/search_string

?search_string

Search and Replace

For search and replace, use the syntax

:%s/original/replaced/g

Make sense?
Any command that begins with a “:” is called a line mode command and performs its duty on the line the cursor is currently on.

The above syntax serves my purpose now… If I want to replace text in certain ranges.. syntax can be found here

Filed under Linux, Solaris, Tips, Unix

mysql: Multiple Table Query, Output into File

February 23rd, 2008 by elizar

Got a request from the boss today to extract all users plus their contact numbers from the Paging server

Server is a Red Hat Enterprise Linux AS release 4, running LAMP.

The data needed are located in several tables, so we need to query all relevant tables in the database:

mysql> SELECT users.username, users.emailaddress, user_services.current_service FROM users, user_services WHERE users.username=user_services.username;

The statement above queries two tables, users and user_services, as shown by the expression ‘FROM users, user_services’. The columns required from the users table are username and emailaddress. From user_services, it’s current_service. The WHERE clause sets the limiting condition.

To send that output to a file, we use INTO OUTFILE '</path/to/file>'.

So, that’s

mysql> SELECT users.username, users.emailaddress, user_services.current_service FROM users, user_services WHERE users.username=user_services.username INTO OUTFILE '/tmp/tempfile.txt';

Filed under Linux, Tips, mysql

UNIX 10 Good Habits

January 29th, 2008 by elizar

Got these tips from the people at IBM.

These tips are a must not only for System Administrators but also for all UNIX users.

Ten good habits to adopt are:

  1. Make directory trees in a single swipe.
  2. Change the path; do not move the archive.
  3. Combine your commands with control operators.
  4. Quote variables with caution.
  5. Use escape sequences to manage long input.
  6. Group your commands together in a list.
  7. Use xargs outside of find.
  8. Know when grep should do the counting — and when it should step aside.
  9. Match certain fields in output, not just lines.
  10. Stop piping cats.

Filed under Tips

NFS server CDM Server not responding still trying

January 23rd, 2008 by elizar

When listing mounted file system (df -k), it apparently freezes and displays:

 NFS server CDM Server not responding still trying

also when trying to change directory to /ctxmnt, the same error occurs

Not responding error message

In the unlikely event that the client drive mapping process on the server is slow in responding, an error (such as “NFS server CDM server not responding still trying” or “NFS server 127.0.0.1 not responding still trying” ) is displayed.

Normally, this request is fulfilled and the message “NFS server CDM server ok” or “NFS server 127.0.0.1 ok” is displayed. However, if the problem persists, you must restart the client drive mapping process on the server.

Tip: To interrupt the request and get a command prompt, press CTRL and C, or send a SIGINT to the process.

To restart client drive mapping

1. Ensure that there are no users in the /ctxmnt directory (users should not be reading or writing to this directory, nor should it be their current directory). For example, you may want to ask your users to log off from the MetaFrame server—to do this, use the ctxmsg -a command to send a message to all users.

2. Stop client drive mapping. At the command prompt, type:

ctxsrv stop cdm

3. Restart client drive mapping. At the command prompt, type:

ctxsrv start cdm

Filed under Tips

Perl One Liner: Search and Replace for LDAP ldif file

January 14th, 2008 by elizar

Quick post… note to self…

In resetting passwords for one of our customers, we have to create the necessary LDIF file (yep, the system uses LDAP) and run the ldapmodify command.

Instead of creating an LDIF file (or editing an existing one) every time there is a password reset, why ‘vi’ every time when you can use a one-line perl command to replace the ‘uid’ part of the LDIF file?

Example:

After checking that the password was indeed locked, we create an LDIF file like this one:

# more /tmp/ldif.txt
dn: uid=guttekg,ou=people,dc=domain,dc=domain2,dc=domain3,dc=com
changetype: modify
replace: userPassword
userPassword: R3s#tn9

and execute the ldapmodify command:

ldapmodify -D "cn=Directory Manager" -h ldap_server -f /tmp/ldif.txt

For the next password reset, we don’t have to do ‘vi’ and edit the ldif file. Simply do:

perl -p -i -e 's/oldstring/newstring/g' /tmp/ldif.txt

.. and we’re done.. (after the ldapmodify of course)
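The reset file above holds a cleartext password in /tmp and is reused between resets. The sketch below is an added example, not part of the original post: it writes a fresh owner-only LDIF per reset and rejects a uid that could change the DN. The helper name make_reset_ldif is hypothetical, the base DN is the one shown in the post, and a base64 utility is assumed to be installed.

```shell
#!/bin/sh
# Build a one-off password-reset LDIF instead of editing a shared file.
# Hypothetical helper: make_reset_ldif. BASE_DN is the suffix shown in the post.
BASE_DN='ou=people,dc=domain,dc=domain2,dc=domain3,dc=com'

make_reset_ldif() {   # make_reset_ldif USER_ID NEW_PASSWORD -> prints LDIF path
    uid=$1 pw=$2
    # A uid containing ',' '=' spaces or newlines could point the change at
    # another entry or add LDIF lines: allow letters, digits, '.', '_', '-'.
    case $uid in
        ''|*[!A-Za-z0-9._-]*) echo "invalid uid" >&2; return 2 ;;
    esac
    [ -n "$pw" ] || { echo "empty password" >&2; return 2; }

    old_umask=$(umask)
    umask 077                        # new file is readable by its owner only
    ldif=$(mktemp "${TMPDIR:-/tmp}/reset.XXXXXX") || { umask "$old_umask"; return 1; }
    umask "$old_umask"

    # "userPassword::" carries a base64 value, so a password with a leading
    # space, ':' or '<', or an embedded newline, cannot break the LDIF syntax.
    b64=$(printf '%s' "$pw" | base64 | tr -d '\n')
    {
        echo "dn: uid=$uid,$BASE_DN"
        echo "changetype: modify"
        echo "replace: userPassword"
        echo "userPassword:: $b64"
    } > "$ldif"
    echo "$ldif"
}

# Typical use, with the ldapmodify call from the post:
#   f=$(make_reset_ldif guttekg 'R3s#tn9') &&
#     ldapmodify -D "cn=Directory Manager" -h ldap_server -f "$f"
#   rm -f "$f"
```

Removing the file straight after ldapmodify keeps the cleartext password from lingering in /tmp.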

Filed under Tips

dot Files

December 14th, 2007 by elizar

Ah, those mysterious dot files (.filename). What are those?

Cybercity explains that these are nothing but configuration files that are found in one’s home directory. True.

They are used to configure settings for unix programs. True.

And the favorite explanation of all is that dot files are hidden files, intended not to be displayed or listed when browsing a particular directory.

You can list dot files using the ls command:

 ls -a

The switch ‘-a’ lists all files in the current directory, whether they are ordinary files, directories, links or hidden (dot) files.

Filed under Tips

About the /proc and -xdev parameter for ‘find’

November 20th, 2007 by elizar

/proc is a pseudo-filesystem used to access process information from the kernel. It doesn’t use any storage space and uses little memory. On Linux, you can sometimes make modifications to the running kernel by modifying “files” in /proc.

If / is full, run a command similar to the following to sort all files in the / file system by size:

find / -xdev -ls | sort -n -k 7

“-xdev” limits the find command to the root file system.

This will only look at files found in the root file system and will not include those partitions that are defined in the /etc/vfstab or /etc/fstab file, i.e. those listed when `df -k` is executed:

/dev/md/dsk/d0 2058319 1016097 980473 51% /
/dev/md/dsk/d3 2058319 1801793 194777 91% /var
etc .. etc..

Thanks Brandon!

Brandon H. - Senior UNIX Systems Engineer for an application services provider in Minneapolis, MN.

Filed under Commands, Tips, Unix

Cover Your Tracks After Hacking A UNIX Box

November 4th, 2007 by elizar

The Monitoring User Login post discussed the commands and files related to tracking user activities.

Here are some ways of covering your fingerprints on a server using the files that monitor user logins.

We want to erase any trace that will show that we were inside the box. In doing so we’ll just:

cat /dev/null > <file>

Lastlog file

Clear out the last log file if you’re using an existing user from the box. The lastlogin file shows when and from where a particular user last logged in.

login: razile
Password:

Last login: Fri Oct 21 21:50:02 2007 from 210.2.9.1
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
razile@unix-box %

Erase that if you don’t want the admin to see where you last logged in from (IP, hostname, time etc.)

cat /dev/null > /var/adm/lastlogin

After clearing the lastlog file, comparing the first login and the second one:

(first login)

Last login: Thu Nov  1 21:33:41 2007 from 210.23.109.1
Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
user@server->

(after deletion)

 Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
bash: unalias: `e': not an alias
user@server->

wtmpx/tmpx files

If you want to check those users who logged in to a Unix box, type in ‘last’

UnixBox# last | more
root        pts/21       101.221.224.61    Sat Nov  3 11:38   still logged in
sitescp   pts/20       19.168.128.132  Sat Nov  3 07:00   still logged in
root        pts/23       101.221.224.51    Sat Nov  3 05:05   still logged in
root        pts/22       101.221.224.51    Sat Nov  3 05:05   still logged in
paladel    pts/22       14.122.4.99     Fri Nov  2 14:33 - 15:32  (00:59)
boy1        pts/26       14.122.4.67     Fri Nov  2 13:22 - 14:50  (01:28)
boy2        pts/26       14.122.4.67     Fri Nov  2 13:20 - 13:22  (00:02)

You’ll see the user who was logged in, the terminal used, the IP he came from, and the date or duration of his activity on the server.

That is a lot of information, so in covering up your tracks, delete or zero out the files that store this information

cat /dev/null > /var/adm/wtmpx
cat /dev/null > /var/adm/tmpx

After doing so, you’ll get this when doing ‘last’

# cat /dev/null > /var/adm/wtmpx
# last | more

wtmp begins Sun Nov  4 00:41
#

You could also zero out the /var/adm/messages if you’re really paranoid.

Of course, doing this is like shouting and telling the whole universe that you were there.

These are just a few ways to cover your tracks… Do you have any additions? Or any tips on covering the intrusion without anyone knowing that you were there?
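Seen from the admin's side, the zeroing shown above is easy to catch, because login accounting files such as /var/adm/wtmpx only grow between rotations. The check below is an added example, not part of the original post; the function names and the "<bytes> <path>" baseline format are assumptions.

```shell
#!/bin/sh
# Flag login-accounting files that were truncated or have shrunk since the
# last recorded baseline. Hypothetical helpers: record_baseline and
# check_login_logs. Baseline format (assumed): "<bytes> <path>" per line.

file_size() {
    # Byte count via wc -c, which behaves the same on Solaris and Linux.
    wc -c < "$1" | tr -d ' '
}

record_baseline() {   # record_baseline BASELINE FILE...
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        if [ -f "$f" ]; then
            echo "$(file_size "$f") $f" >> "$out"
        fi
    done
}

check_login_logs() {  # check_login_logs BASELINE ; returns 1 on any finding
    rc=0
    while read -r old path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        else
            new=$(file_size "$path")
            if [ "$new" -eq 0 ] && [ "$old" -gt 0 ]; then
                echo "TRUNCATED $path (was $old bytes)"; rc=1
            elif [ "$new" -lt "$old" ]; then
                echo "SHRUNK $path ($old -> $new bytes)"; rc=1
            fi
        fi
    done < "$1"
    return $rc
}
```

Run record_baseline from cron and after each log rotation, keep the baseline file off the monitored host or on read-only media, and alert on any non-zero return from check_login_logs.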

Filed under Solaris, Tips