Tuning an overview

When tuning, remember that there is no “Magic” setting, no single set of tuning parameters that cover all situations. Each server will have it’s own bottlenecks. This can be caused by many things, here are a few examples.

1. Software & Applications
2. Hardware (cpu, memory, architecture, bus speed, etc.)
3. LOAD end user, application, and system overhead.
4. Outside factors (network, san, etc.)

When tuning a system there are several main items to keep in mind.

• Each system is unique
• Alter 1 thing at a time
  
  
  • Use the settings recommended by your software / hardware provider
  • Alter one setting at a time. This will give you the opportunity to see if that change makes an impact. Making to many changes may degrade performance.
  • Test after each change. Be sure to gather enough performance data so you can determine if the change had a positive or negative impact.
  • Did I say test?? I can’t stress this enough.
• Document, Document, Document. Document every change you make. This will save you time and sanity if you need to back out some changes, and allow for the change to be easily duplicated.
• Shutdown unneeded services. Take a look at the output of “chkconfig -l | grep on” I bet you there are a few things we can shutoff.
  
  
  • Gnome ???? on a web server?? init 3 anyone??
  • iptables, SuSe-Firewall, RedHat Firewall, etc. If you don’t have unneeded services running why do you need a firewall to restrict access to them???
  • SELinux, AppArmor?? are big performance killers and usally not that important.

You can use this script any way you want to; in fact it’s written with a few things left out (how you want to deal with shell special characters — another complete post on its own — and if you want to expand on it to read and/or write to STDIN/STDOUT so you can pipe one instance to another, even though that defeats the purpose to a certain degree).



I’ve included usage points in the comments section of the script, but the basic usage would be:

tranz.pl encode your message here
tranz.pl decode 458616e6b6370264f62702659637964796e6760245865602c496e657870216e6460255e6968702d456e6167656279656 <-- The Hex output from a message encoded with this script.




This work is licensed under a
Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License

#!/usr/bin/perl

#
# 2007 - Mike Golvach - eggi@comcast.net
# Sanitize shell special characters in
# whatever manner you prefer - or just
# backslash them on the command line :)
#
# Sample usage:
# trans.pl encode hi there
# trans.pl encode hi there >FILE
# trans.pl encode `cat FILE`
# trans.pl decode 8696024786562756
# trans.pl decode `cat FILE`
#
# Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License
#

$input = $ARGV[0];
shift @ARGV;
$message = join(" ",@ARGV);

if ( $input eq "encode")        {
        $output=unpack("h*",$message);
        @length=$output=~/.{0,256}/g;
        print("$output n");
}       elsif ( $input eq "decode" )    {
        chomp($message);
        $output.=pack"h*",$message;
        print "n$outputn";
}       else    {
        print "Usage: (.*?) [encode|decode] whatever you want to typen";
        exit(1)
}

The Linux and Unix Menagerie: Simple Encryption and Decryption For Fun And No Profit.

This tutorial shows how you can clone Linux systems with CloneZilla SE. This is useful for copying one Linux installation to multiple computers without losing much time, e.g. in a classroom, or also for creating an image-based backup of a system. I will install CloneZilla SE on a Debian Etch server in this tutorial. The systems that you want to clone can use whatever Linux distribution you prefer.

I do not issue any guarantee that this will work for you!

Cloning Linux Systems With CloneZilla Server Edition (CloneZilla SE) | HowtoForge - Linux Howtos and Tutorials

This is a great little video that demonstrates the powers of screen.

Thanks Linux Journal

I’m going to show you how you can smoothly hack a Windows Administrator password using Linux. You will only need a Live CD, and for this example, we will utilize Ubuntu. Also, I assume that you have the basic knowledge on using the Linux command line.

TECH SOURCE FROM BOHOL: Hacking Windows Administrator Password (with good intentions) Using Linux.

There are lot of screen-capture tools, but a lot of them are based on X(GUI). Sometimes, when running an X application may interfere with the application you wanted to grab - perhaps a game or even a Linux installer. If you use the venerable ImageMagick import command though, you can grab from an X session via the console(terminal). Simply go to a virtual terminal (Ctrl+Alt+F1 for example) and enter the following:

» Continue reading “How to take a screenshot without X”

This is an issue that comes up almost constantly, given the very nature of the Linux and Unix security model and the environments in which most of us admins work. More often than not, application users on machines will “need” to run scripts that require root privilege to function correctly. One such example would be the “ping” command. Although this seems like a harmless, and openly available, network troubleshooting tool, the only reason regular users can run it is because it’s SUID-root. This, as simply as possible, means that the command runs as the user “root” no matter who actually invokes it. The setuid bit (the “s” in -r-sr-xr-x) is a permission that indicates that the given command will run as the userid that owns it. root owns the ping command; therefore, when users run ping, they’re running it as the user root.

Now, the ping command has been around for quite a while and, as with almost all setuid programs, it’s been the subject of many security compromises and exploits over the years. In general, because of the fact that “ping” is such an integral part of the OS, you don’t need to worry about wrapping it (or other programs like it) in order to protect yourself against harm (Your vendor - or the development community - should be trying their hardest to do that for you :)

Instances do exist where regular users require that an uncommon command be run on a frequent basis, in order for them to do their jobs. That program (we’ll just call it “PROGRAM” for no particular reason ;) needs to be run as another user for it to function correctly and it has to be run frequently enough that it becomes an inconvenience to “not” allow the users to run the command themselves. SUID (or setuid) wrapper scripts can be most effectively used in these sorts of situations.

A wrapper script/program, is (for all intents and purposes) just another layer of protection for the admins, users and operating system. If created properly and used judiciously, they can help minimize the risk associated with allowing regular users to run commands as userid’s other than their own.

Optimally, you would want to limit SUID script/program execution to another generic user (if possible). So, for instance, if an application user needs a program to be run as the user oracle, setting them up with a shell wrapper to run that command as the oracle user shouldn’t be cause for too much concern. The greatest security risk (no matter the relative security-weight of different accounts on your system) is when you need to wrap a script or program to be run as root.

Below, I’ve put together a simple wrapper written in c ( Check out Wietse Zweitze Venema’s website, and work, for a really really really secure wrapper script ). I write the majority of my scripts in bash, ksh and Perl, but the SUID wrapper really requires that it be compiled in order to serve it’s purpose most effectively. If people can easily read your code, it’ll be easier for them to figure out ways around whatever steps you’re taking to secure your servers. I’m not saying that, just because they could read your code, they could break it; but it would certainly make it easier for them. In the other extreme circumstance, if anyone got write access to a SUID script (assuming root privilege, since almost every OS now resets the setuid bits if a setuid script is modified by a regular user), they could (easily) change it a little and stand a good chance that no one would notice that they’d created a backdoor for themselves. If you modify a compiled c binary, it probably won’t run anymore (which is the best security there is ;)

We’ll dive into the sea of “c” in a future post, since it can be complicated and is rarely necessary to know in order to administrate, or use, a system.

For the script below, just substitute the PROGRAM you want to wrap, the arguments, if any (This script assumes only one “-v” - If you have more, add them as comma separated entries just like the first, and before the NULL entry specification), and the groupid check (Comment this out if you don’t want to use it as an extra level of access checking security). We also make sure to change the real and effective uid and gid to “root” (make this any id you want) only after performing the access checks! Extra care is taken to make sure we reset to the regular user’s real and effective uid and gid even before all that.

Note also that we use the strncmp command instead of strcmp (for string comparison) to check the command line arguments. The reason we use this is that the strncmp command requires you to give it a number as it’s final argument and will not read past that many chars (I use start and stop as my only two options, and you can see that in strncmp arguments accordingly. This helps prevent a malicious user from executing a string buffer overflow which might allow them to crack your wrapper from the command line!

This c code can be compiled on gcc at least all the way back to version 2.81.x - It can be compiled very simply, like so:

gcc -o PROGRAM wrapper.c (With -o wrapper being the option (”-o“) of whatever you want to call the compiled PROGRAM and wrapper.c being the text c code below)

Enjoy!





This work is licensed under a
Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License

#include 
#include 
#include 
#include 
#include 

/********************************************
 * Wrapper - Secure Yourself                *
 *                                          *
 * 2007 - Mike Golvach - eggi@comcast.net   *
 *                                          *
 * Usage: COMMAND [start|stop]              *
 *                                          *
 ********************************************/

 /* Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License */

/* Define global variables */

int gid;

/* main(int argc, char **argv) - main process loop */

int main(int argc, char **argv)
{

/* Set euid and egid to actual user */

 gid = getgid();
 setegid(getgid());
 seteuid(getuid());

/* Confirm user is in GROUP(999) group */

 if ( gid != 999 ) {
  printf("User Not Authorized!  Exiting...n");
  exit(1);
 }

/* Check argc count only at this point */

 if ( argc != 2 ) {
  printf("Usage: COMMAND [start|stop]n");
  exit(1);
 }

/* Set uid, gid, euid and egid to root */

 setegid(0);
 seteuid(0);
 setgid(0);
 setuid(0);

/* Check argv for proper arguments and run 
 * the corresponding script, if invoked.
 */

 if ( strncmp(argv[1], "start", 5) == 0 ) {
  if (execl("/usr/local/bin/COMMAND", "COMMAND", "-v", NULL) < 0) {
   perror("Execl:");
  }
 } else if ( strncmp(argv[1], "stop", 4) == 0 ) {
  if (execl("/usr/local/bin/COMMAND", "COMMAND", "-v", NULL) < 0) {
   perror("Execl:");
  }
 } else {
  printf("Usage: COMMAND [start|stop]n");
  exit(1);
 }
 exit(0);
}

The Linux and Unix Menagerie: Securing SUID Programs Using A Simple C Wrapper.

So you have gigs of data to transfer between two machines over ethernet. A nice quick and dirty method is to use netcat and tar. This is by no means secure, but if you haven’t got the time or desire to setup NFS, FTPd, Samba. Or wait hours for scp to do its job then this can save you a lot of time.

Linux System using tar and netcat

On the receiving end do:
# netcat -l -p 5000 | tar x

And on the sending end do:
# tar cf - * | netcat otherhost 5000

» Continue reading “netcat and tar to transfer files”