Archive for March, 2010

Linux-Memory Performance statistics

Wednesday, March 31st, 2010

Ref: Optimizing Linux® Performance: A Hands-On Guide to Linux® Performance Tools

Ref:http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/admin-primer/s1-resource-what-to-monitor.html

Ref:http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/admin-primer/s1-resource-rhlspec.html

Basic explanation of memory related words:

Swap (Not Enough Physical Memory)

All systems have a fixed amount of physical memory in the form of RAM chips.
The Linux kernel allows applications to run even if they require more memory
than available with the physical memory.The Linux kernel uses the hard drive
as a temporary memory. This hard drive space is called swap
space.

Buffers and Cache (Too Much Physical Memory)

 if your system has much more physical memory than required by your applications,
Linux will cache recently used files in physical memory so that subsequent accesses to that file do
not require an access to the hard drive. This can greatly speed up applications that access the hard
drive frequently, which, obviously, can prove especially useful for frequently launched applications.
Note :  most tools that report statistics about “cache” are actually referring to
disk cache.

Buffer:

In addition to cache, Linux also uses extra memory as buffers. To further optimize applications,
Linux sets aside memory to use for data that needs to be written to disk. These set-asides are called
buffers. If an application has to write something to the disk, which would usually take a long time,
Linux lets the application continue immediately but saves the file data into a memory buffer. At some
point in the future, the buffer is flushed to disk, but the application can continue immediately.

Low Memory is not always bad thing:

It can be discouraging to see very little free memory in a system because of the cache and buffer
usage, but this is not necessarily a bad thing. By default, Linux tries to use as much of your memory
as possible. This is good. If Linux detects any free memory, it caches applications and data in the
free memory to speed up future accesses. Because it is usually a few orders of magnitude faster to
access things from memory rather than disk, this can dramatically improve overall performance.
When the system needs the cache memory for more important things, the cache memory is erased
and given to the system. Subsequent access to the object that was previously cached has to go out
to disk to be filled.

Active Versus Inactive Memory

Active memory is currently being used by a process. Inactive memory is memory that is allocated
but has not been used for a while. Nothing is essentially different between the two types of memory.
When required, the Linux kernel takes a process’s least recently used memory pages and moves
them from the active to the inactive list. When choosing which memory will be swapped to disk, the
kernel chooses from the inactive memory list.

High Versus Low Memory

For 64bit processor it does not matter  because they can
directly address additional memory that is available in current system
For 32-bit processors (for example, IA32) with 1 GB or more of physical of memory, Linux must
manage the physical memory as high and low memory. The high memory is not directly accessible
by the Linux kernel and must be mapped into the low-memory range before it can be used.

Bottom line is : If system does not use Swap , there is no need to worry about ,but will have to keep on eye : cache, buffer,free ram. Memory Performance monitoring tools as bellow , which provide

* How much swap is being used

* How the physical memory is being used

* How much free ram.

Memory Performance monitoring tools and related commands:

1.vmstat

2.free -m

3.slabtop

4.top ( Press Shift + m )

5. Ps command

6.procinfo ( yum install procinfo)

6.sar [-B -W -r] ( sysstat packages, yum install sysstate)

Vmstat uses :

 vmstat [-a] [-s] [-m]

vmstat command line options :

-a This changes the default output of memory statistics to indicate the active/
inactive amount of memory rather than information about buffer and cache
usage.
-s  This prints out the vm table. This is a grab bag of differentstatistics about the
system since it has booted. It cannot be run in sample mode. It contains both
memory and CPU statistics.
-m This prints out the kernel’s slab info. This is the same information that can be
retrieved by typing cat/proc/slabinfo. This describes in detail how the
kernel’s memory is allocated and can be helpful to determine what area of the
kernel is consuming the most memory.

Memory Specific vmstat Output statistics swpd:

The total amount of memory currently swapped to disk.
free The amount of physical memory not being used by the operating system or
applications.

buff:

The size (in KB) of the system buffers, or memory used to store data waiting
to be saved to disk. This memory allows an application to continue execution
immediately after it has issued a write call to the Linux kernel (instead of
waiting until the data has been committed to disk).

cache :

The size (in KB) of the system cache or memory used to store data previously
read from disk. If an application needs this data again, it allows the kernel to
fetch it from memory rather than disk, thus increasing performance. </pre>

active:

 The amount of memory actively being used. The active/ inactive statistics are
orthogonal to the buffer/cache; buffer and cache memory can be active and

inactive:

inactive The amount of inactive memory (in KB), or memory that has not been used
for a while and is eligible to be swapped to disk.

si

:

 The rate of memory (in KB/s) that has been swapped in from disk during the
last sample.

so :

The rate of memory (in KB/s) that has been swapped out to disk during the last
sample.

pages paged in

:

 The amount of memory (in pages) read from the disk(s) into the system buffers.
(On most IA32 systems, a page is 4KB.)

pages paged out :

 The amount of memory (in pages) written to the disk(s) from the system cache.
(On most IA32 systems, a page is 4KB.)

pages swapped in

:

 The amount of memory (in pages) read from swap into system memory.

pages swapped in/out :

 The amount of memory (in pages) written from system memory to the swap.

used swap :

 The amount of swap currently being used by the Linux kernel.

free swap:

 The amount of swap currently available for use.

total swap

:

 The total amount of swap that the

Free Command free can be invoked using the following command line:

free [ -l] [-t] [-s delay ] [-c count ]

Output :

[root@sandbox ~]# free -m
             total       used       free     shared    buffers     cached
Mem:           375        355         19          0        177         86
-/+ buffers/cache:         91        283
Swap:         2000          0       2000

Total:

 This is the total amount of physical memory and swap.

Used

This is the amount of physical memory and swap in use.

Free

 This is the amount of unused physical memory and swap.

Shared

 This is an obsolete value and should be ignored.

Buffers

This is the amount of physical memory used as buffers for disk writes.

Cached

This is the amount of physical memory used as cache for disk reads.

-/+ buffers/cache

 In the Used column, this shows the amount of memory that would be used if
buffers/cache were not counted as used memory. In the Free column, this
shows the amount of memory that would be free if buffers/cache were counted
as free memory.

Low

The total amount of low memory or memory directly accessible by the kernel.

High

The total amount of high memory or memory not directly accessible by the
kernel.

Totals

This shows the combination of physical memory and swap for the Total,
Used, and Free columns.

Sar Command
sar can be invoked with

 sar [-B] [-r] [-R]

Sar Command line options

-B

This reports information about the number of blocks that the kernel swapped

to and from disk. In addition, for kernel versions after v2.5, it reports information about the number of page faults.
-W

This reports the number of pages of swap that are brought in and out of the system.

-r

 This reports information about the memory being used in the system. It includes
information about the total free memory, swap, cache, and buffers being used

Explanation of Sar -B output

pgpgin/s:-    The amount of memory (in KB) that the kernel paged in from disk.
pgpgout/s:-  The amount of memory (in KB) that the kernel paged out to disk.
fault/s:-       The total number of faults that that the memory subsystem needed to fill. These
may or may not have required a disk access.
maj flt/s:-    The total number of faults that the memory subsystem needed to fill and required a disk access.
pswpin/s:-    The amount of swap (in pages) that the system brought into memory.

Explanation of Sar -W output:

pswpout/s:-    The amount of memory (in pages) that the system wrote to swap.
kbmemfree:-    This is the total physical memory (in KB) that is currently free or not being
used

Explanation of Sar -r output :

 
kbmemused:-   This is the total amount of physical memory (in KB) currently being used.
%memused:-   This is the percentage of the total physical memory being used.
kbbuffers:-     This is the amount of physical memory used as buffers for disk writes.
kbcached:-     This is the amount of physical memory used as cache for disk reads.
kbswpfree:-    This is the amount of swap (in KB) currently free.
kbswpused:-   This is the amount of swap (in KB) currently used.
%swpused:-   This is the percentage of the swap being used.
kbswpcad:-    This is memory that is both swapped to disk and present in memory. If the
memory is needed, it can be immediately reused because the data is already
present in the swap area.
frmpg/s:-       The rate that the system is freeing memory pages. A negative number means
the system is allocating them.
bufpg/s:-       The rate that the system is using new memory pages as buffers. A negative
number means that number of buffers is shrinking, and the system is using less
of them

529/Failure Audit(MICROSOFT_AUTHENTICATION_PACKAGE_V1_0)

Monday, March 29th, 2010

Ref: http://www.winvistatips.com/security-log-eventid-529-smtp-t673781.html
Ref: http://www.pcreview.co.uk/forums/thread-1596278.php

Bad guys are trying to authenticate server via port 25.
How to reproduce this log:

# Type telnet 25,and then press ENTER.
# Type EHLO , and then press ENTER.
# Type AUTH LOGIN. The server responds with an encrypted prompt for your user name.
# Enter your user name encrypted in base 64. You can use one of several tools that are available to encode your user name.
# The server responds with an encrypted base 64 prompt for your password. Enter your password encrypted in base 64.
# Type MAIL FROM:, and then press ENTER. If the sender is not permitted to send mail, the SMTP server returns an error.
# Type RCPT TO:,and then press ENTER.If the recipient is not a valid recipient or the server does not accept mail for this domain, the SMTP server returns an error.
# Type DATA.

Or by using hacking tools : Xscan

Solution: You can minimizing the attack by enabling tar pitting
Ref : http://support.microsoft.com/kb/842851/en-us

how to configure logrotate for apache log files

Wednesday, March 24th, 2010

Problem : When you install apache from source , by default logrotate will not rotate those logs file as the path for log files are different.

Solution: You can edit httpd file under /etc/logrotate.d/ directory and insert bellow lines

/usr/local/apache/logs/*log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /usr/local/apache/bin/apachectl graceful > /dev/null 2>/dev/null || true
    endscript
}

Now you can forcefully rotate log files by executing bellow commands:

logrotate -f /etc/logrotate.conf

Linux:How to use aide to check file system integrity

Monday, March 15th, 2010

Installing Aide:

Yum install aide

Creating the database:

aide -c /etc/aide.conf –i
Output : AIDE database at /var/lib/aide/aide.db.new.gz initialized.
This process creates a new file, aide.db.new.gz in /var/lib/aide/.You must rename this file to aide.db.gz, which is the correct name for the AIDE database.

Testing Aide:

aide -c /etc/aide.conf –C

Cisco:Basic commands to setup a cisco router

Wednesday, March 10th, 2010

How to lock the privilege mode :

 enable
 configure terminal
 enable secret cisco

How to secure vty ?

enable
configure terminal
line vty 0 15   [ for help type line vty ? ]
login
password cisco

How to secure console port?

enable
configure terminal
line con 0
login
password cisco

How to secure the aux port?

enable
configure terminal
line aux 0
login
password cisco

How to setup banner?

enable
configure terminal
banner motd  #
Please dont log in #

How to encrypt all the password :

configure terminal
service password-encryption

How to change host name?

configure terminal
hostname R2

How to setup logging synchronous?

configure terminal
line console 0
logging synchronous 
line vty 0 15
logging synchronous

How to stop domain lookup?

configure terminal
no ip domain-lookup

How to setup Ip address?

r1#show ip interface brief 	 
configure terminal	 
interface FastEthernet 0/1	 
no shutdown	 
ip address 192.168.1.1 255.255.255.0	 
description Link to switch2

how to allow router to speak with Isp/How to create default route to isp

ip route 0.0.0.0 0.0.0.0 ip-of-isp
meaning: it say to router, if you dont know anything sent it to isp router.

How to allow Internal network to access internet :
Step 1 :
label the interface

configure terminal	 
interface FastEthernet 0/1	 
ip nat inside
exit
interface FastEthernet 0/0
ip nat outside

Step 2 :
Create Access list to allow Internal lan to use NAT

configure terminal
ip access-list standard NAT_ADDRESS
permit 10.0.0.0 0.0.0.255

Step 3 :
Enable nat overload

ip nat inside source list NAT_ADDRESS interface FastEthernet 0/0 overload

How to do port forwarding from router to devices

configure terminal
ip nat inside source static tcp 10.0.0.227 25 interface Ethernet0/0 25

How to distribute static/default route to others routers:

configure terminal
router rip
redistribute static
meaning: it will give default route to each router in the organizations.so we don't have to create default router into each router.