The security hole was found in the __nss_hostname_digits_dots() function of the GNU C Library (glibc).

The function is used on almost all networked Linux computers when the computer tries to access another networked computer either by using the /etc/hosts files or, more commonly, by resolving a domain name with Domain Name System (DNS)

As noted by the security team, the bug is reachable both locally and remotely via the gethostbyname*() functions, making it possible remotely exploit it by triggering a buffer overflow by using an invalid hostname argument to an application that performs DNS resolution.

The security hole exists in any Linux system that was built with glibc-2.2 which was released in November 10th, 2000. Qualy mentioned that the bug was patched on May 21st, 2013 in releases glibc-2.17 and glibc-2.18.

Linux systems that are considered vulnerable to the attack include RedHat Enterprise Linux 5, 6 and 7, CentOS 6 and 7,  Ubuntu 12.04 and Debian 7 (Wheezy).

Debian has is already patching its core systems (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391) while Ubuntu has already patched its 12.04 and 10.04 distributions (https://www.ubuntu.com/usn/usn-2485-1/). CentOS patches are also on their way.

As with all articles, we have included step-by-step instructions of the HP Smart Array B110i SATA Raid controller drivers, including screenshots (from the server’s monitor), files, drivers and utilities that might be needed.

Provided Download Files:  HP Smart Array B110i Drivers (Redhat 6.0, CentOS 6.0), RawWrite & Win32DiskImager 

The HP SmartArray B110i Story

What was supposed to be pretty straight-forward process, turned out to become a 3 hour troubleshooting session to figure out how to install the necessary Smart Array B110i drivers so that our CentOS 6.0 or Redhat Enterprise Linux 6.0  install process, would recognize our RAID volumes and proceed with the installation of the operating system.

A quick search on Google revealed that we were not alone – hundreds of people seem to have struggled with the same issue long before we did, however we couldn’t locate an answer that provided full instructions on how to deal with the problem, so, we decided to create one that did!

Installation Steps

First step is to enter the server’s BIOS and ensure to Enable SATA RAID Support. This will essentially enable the controller and allow the setup RAID from within the controller. On the HP DL120G7 this option was under the Advanced Options > Embedded SATA Configuration > Enable SATA RAID Support menu:

Next step is to save and exit the BIOS.  

While the server restarts, when prompted, press F8 to enter the RAID Controller menu and create the necessary RAID and logical volumes. We created two logical drives in a RAID 0 configuration 9.3GB & 1.8TB capacity:

Next, it was time to prepare the necessary driver disk so that the operating system can ‘see’ the raid controller and drives created. For this process, two things are needed:

• Correct Disk Driver
• Create Driver Diskette

Selecting The Correct Disk Driver

HP offers drivers for the B110i controller for a variety of operating systems, including Redhat and SUSE, both for Intel and AMD based CPU systems. The driver diskette image provides the binary driver modules pre-built for Linux, which enables the HP Smart Array B110i SATA RAID Controller. CentOS users can make use of the Redhat drivers without hesitation.

For this article we are providing as a direct download, drivers for RedHat Enterprise Linux & CentOS v6.0 for Intel and AMD 64bit processors (x86-64bit). These files are available at our Linux download section.

 If a diskette driver for earlier or later systems is required, we advise to visit HP’s website and search for the term “Driver Diskette for HP Smart Array B110i” which will produce a good amount of results for all operating systems.

Driver diskette file names have the format “hpahcisr-1.2.6-11.rhel6u0.x86_64.dd.gz” where rhel represents the operating system (RedHat Enterprise Linux), 6u0 stands for update 0 (version 6, update 0 = 6.0) and x86_64 for the system architecture covering x86 platforms (Intel & AMD).

Writing Image To Floppy Disk Or USB Flash

The driver diskette must be uncompressed using a utility such as 7zip (freely available). Uncompressing the file reveals the file dd.img . This is the driver disk image that needs to be written to a floppy disk drive or USB flash.

Linux users can use the following command to create their driver diskette. Keep in mind to substitute /dev/sdb to reflect your usb or floppy drive:

Windows users can use RawWrite if they wish to write it to a floppy disk drive or Win32DiskImager to write it to a USB Flash. Both utilities are provided with our disk driver download. Since we had a USB floppy disk drive in hand, we selected RawWrite:

Loading The Driver Diskette

With the driver diskette ready, it’s time to begin the CentOS installation, by booting from the DVD:

At the installation menu, hit ESC to receive the boot: prompt. At the prompt, enter the following command: linux dd blacklist=ahci and hit enter to being installation as shown below:

The initial screen of the installation GUI will allow you to load the driver diskette created. At the question, select Yes and hit enter:

Next screen instructs to insert the driver disk into /dev/sda and press OK.  The location /dev/sda refers to our USB Floppy drive, connected to one of our HP server's USB ports during bootup:

The system will present a screen with the message Reading driver disk, indicating the driver is loading and once complete, the message detecting hardware … waiting for hardware to initialize… will appear:

Finally, the installation procedure asks if you wish you load any more driver disks. We answered No and the installation procedure continued as expected. We saw both logical disks and were able to successfully install and use them without any problem:

We hope this brief article will help thousands of engineers around the world save a bit of their valuable time!

One of the biggest challenges for people who are new to Linux, is to work with the operating system in an easy and manageable way, without requiring to know all the commands and file paths in order to get the job done.

All this has now changed, and you can now do all the above, plus a lot more, with a few simple clicks through an easy-to-follow web interface.  Sounds too good to be true?  Believe it or not, it is true!  It's time to get introduced to ‘Webmin’.

Webmin is a freeware program that provides web-based interface for system administration and is a system configuration tool for administrators. One of Webmin's strongest points is that it is modular, which means there are hundreds of extra modules/addons that can be installed, to provide the ability to control additional programs or services someone might want to install on their Linux system.

Here are just a few of the features supported by Webmin, out of the box:

• Setup and administer user accounts
• Setup and administer groups
• Setup and configure DNS services
• Configure file sharing & related services (Samba)
• Setup your Internet connection (including ADSL router, modem etc)
• Configure your Apache webserver
• Configure a FTP Server
• Setup and configure an email server
• Configure Cron Jobs
• Mount, dismount and administer volumes, hdd's and partitions
• Setup system quotas for your users
• Built-in file manager
• Manage an OpenLDAP server
• Setup and configure VPN clients
• Setup and configure a DHCP Server
• Configure a SSH Server
• Setup and configure a Linux Proxy server (squid) with all supported options
• Setup and configure a Linux Firewall
• and much much more!!!

The great part is that webmin is supported on all Linux platforms and is extremely easy to install.  While our example is based on Webmin's installation on a Fedora 16 server using the RPM package, these steps will also work on other versions such as Red Hat, CentOS and other Linux distributions.

Before we dive into Webmin, let's take a quick look at what we've got covered:

• Webmin Installation
• Adding Users, Groups and Assigning Privileges
• Listing and Working with File Systems on the System
• Creating and Editing Disk Quotas for Unix Users
• Editing the System Boot up, Adding and Removing Services
• Managing and Examining System Log Files
• Setting up and Changing System Timezone and Date
• Managing DNS Server & Domain
• Configuring DHCP Server and Options
• Configuring FTP Server and Users/Groups
• How to Schedule a Backup
• Configuring CRON Jobs with Webmin
• Configuring SSH Server with Webmin
• Configuring Squid Proxy Server
• Configuring Apache HTTP Server

Installing Webmin On Linux Fedora / Redhat / CentOS

Download the required RPM file from http://download.webmin.com/download/yum/ using the command (note the root status):

# wget http://download.webmin.com/download/yum/webmin-1.580-1.noarch.rpm

Install the RPM file of Webmin with the following command:

Start Webmin service using the command:

You can now login to https://Fedora-16:10000/ as root with your root password. To ensure you are able to login into your webmin administration interface, simply use the following URL:  https://your-linux-ip:10000 , where "your-linux-ip" is your Linux server's or workstation's IP address.

Running Webmin

Open Firefox or any other browser, and type the URL https://Fedora-16:10000/ :

You will be greeted with a welcome screen. Login as root with your root password. Once you are logged in, you should see the system information:

Adding Users, Groups And Assigning Them Privileges

Expand the "System" Tab in the left column index, and select the last entry “Users and Groups”.  You will be shown the list of the "Local Users" on the system:

You can add users or delete them from this window. If you want to change the parameters of any user, you can do so. By clicking on any user, you can see the groups and privileges assigned to them. These can be changed as you like. For example, if you select the user "root", you can see all the details of the user as shown below :

By selecting the adjacent tab in the "Users and Groups" window, you can see the "Local Groups" as well:

Here, you can see the members in each group by selecting that group. You can delete a group or add a new one. You can select who will be the member of the group, and who can be removed from a group. For example, you can see all the members in the group "mem", if you select and open it:

Here, you will be allowed to create a new group or delete selected groups. You can also add users to the groups or delete them as required. If required, you can also change group ID on files and modify a group other modules as well.

Listing And Working With File Systems On The System

By selecting "Disk and Network Filesystems" under the "System" tab on the left index, you can see the different file systems currently mounted.

You can select other type of file system you would like to mount. Select it from the drop down menus as shown:

By selecting a mounted file system, you can edit its details such as whether it should be mounted at boot time, left as mounted or unmount it now, check the file system at boot time. Mount options like read-only, executable, permissions can be set here.

Creating And Editing Disk Quotas For Unix Users

Prior to Linux Installation, a major & key point in Linux Partition is the /home directory.

VHost is widely setup on almost all control panel mechanism on /home location, since Users & Groups, FTP server, User shell, Apache and several other directives are constructed on this /home partition. Therefore, home should be created as a Logical Volume on a Linux native File system (ext3). Here it is assumed there is already a /home partition on the system.

You can set the quotas by selecting “Disk & Network Filesystems” under “System”:

This allows you to create and edit disk quota for the users in your /home partition or directory. Each user is given a certain amount of disk space he can use. Going close to filling up the quota will generally send a warning.

You can also edit other mounts such as the root directory "/" and also set a number of presented mount options:

Editing The System Boot Up, Adding And Removing Services

All Systemd services are neatly listed in the "Bootup and Shutdown" section within "System":

All service related functions such as start, stop, restart, start on boot, disable on boot, start now and on boot, and disable now and on boot are available at the bottom of the screen. This makes system bootup process modification a breeze, even for the less experienced:

 The "Reboot System" and "Shutdown System" function buttons are also located at the bottom, allowing the immediately reboot or shutdown the system.

Managing And Examining System Log Files

Who would have thought managing system log files in Linux would be so easy? Webmin provides a dedicated section allowing the admnistrator to make a number of changes to the preferences of each system's log file. The friendly interface will show you all available system log files and their location.  By clicking on the one of interest, you can see its properties and make the changes you require.

The following screenshot shows the "System Logs" listed in the index under "System" menu option:

All the logs are available for viewing and to editing. The screenshot below shows an example of editing the maillog. Through the interface, you can enable, disable logs and make a number of other changes on the fly:

Another entry under "System" is the important function of "Log File Rotation". This allows you to edit which log file you would like to rotate and how (daily, weekly or monthly). You can define what command will be executed after the log rotation is done. You can also delete the selected log rotations:

Log rotation is very important, especially on a busy system as it will ensure the log files are kept to a reasonable and manageable size.

Setting Up And Changing System Timezone/Date

Webmin also supports setting up system time and date. To do so, you will have to go to "System Time" under "Hardware" in the main menu index.

System time and hardware time can be separately set and saved. These can be made to match if required.

On the next tab you will be able to change the Timezone:

The next tab is the 'Time Server Sync', used for synchronizing to a time-server. This will ensure your system is always in sync with the selected time-server:

Here, you will be able to select a specific timeserver with a hostname or address and set the schedule when the periodic synchronizing will be done.

Managing DNS Server & Domain

DNS Server configuration is possible from the "Hostname and DNS Client", which is located under "Networking Configuration" within "Networking" in the index:

Here you can set the Hostname of the machine, the IP Address of the DNS Servers and their search domains and save them.

Configuring DHCP Server And Options

For configuration of your system's DHCP server, go to “DHCP Server” within “System and Server Status” under “Others”:

All parameters related to DHCP server can be set here:

Configuring FTP Server And Users/Groups

For ProFTPD Server, select “ ProFTPD Server” under “Servers”. You will see the main menu for ProFTPD server:

You can see and edit the Denied FTP Users if you select the "Denied FTP Users":

Configuration file at /etc/proftpd.conf can be directly edited if you select the "Edit Config Files" in the main menu:

How To Schedule A Backup

Whatever the configuration files you would like to backup, schedule and restore, can be done from “Backup Configuration Files” under “Webmin”.

In the “Backup Now” window, you can set the modules, the backup destination, and what you want included in the backup.   The backup can be a local file on the system, a file on an FTP server, or a file on an SSH server. For both the servers, you will have to provide the username and password. Anything else that you would like to include during the backup such as webmin module configuration files, server configuration files, or other listed files can also be mentioned here:

If you want to schedule your Backups go to the next tab “Scheduled Backups” and select the “Add a new scheduled backup”, since, as shown, no scheduled backup has been defined yet:

And set the exact backup schedule options. The information is nearly same as that for the Backup Now. However, now you have the choice for setting the options for the schedule, such as Months, Weekdays, Days, Hours, Minutes and Seconds.

 Restoration of modules can be selected from the “Restore Now” tab:

The options for restore now follow the same pattern as for the backup. You have the options for restoring from a local file, an FTP server, an SSH server, and an uploaded file. Apart from providing the username and passwords for the servers, you have the option of only viewing what is going to be restored, without applying the changes.

Configuring CRON Jobs With Webmin

Selecting the “Scheduled Cron Jobs” under “System” will allow creation, deletion, disabling and enabling of Cron jobs, as well as controlling user access to cron jobs. The interface also shows the users who are active and their current cron-jobs. The jobs can be selectively deleted, disabled or enabled (if disabled earlier).

For creating a new cron job and scheduling it, select the tab “Create a new scheduled cron job”. You have the options of setting the Months, Weekdays, Days, Hours, Minutes. You have the option of running the job on any date, or running it only between two fixed dates:

For controlling access to Cron jobs, select the next tab “Control User Access to Cron Jobs” in the main menu:

Configuring SSH Server With Webmin

Selecting “SSH Server” under “Servers” will allow all configuration of the SSH Server:

Access Control is provided by selecting the option "Access Control" from the main menu :

Miscellaneous options are available when the "Miscellaneous Options" is selected from the main menu:

The SSH config files can be accessed directly and edited by selecting “Edit Config Files” from the main menu.

Configuring Squid Proxy Server

Select “Squid Proxy Server” under “Servers”. The main menu shows what all can be controlled there:

The Access Control allows ACL, Proxy restrictions, ICP restrictions, External ACL programs, and Reply proxy restrictions, when you select “Access Control”:

Configuring Apache HTTP Server

You can configure “Apache Webserver” under “Servers”. The main menu shows what you can configure there.

All Global configuration can be done from the first tab:

You can also configure the existing virtual hosts or create a virtual host, if you select the other tabs:

Users and Groups who are allowed to run Apache are mentioned here (select from the main menu):

Apache configuration files can be directly edited from the main menu.

All the configuration files, httpd.conf, sarg.conf, squid.conf, and welcome.conf can be directly edited from this interface:

Any other service or application, which you are not able to locate directly from the index on the left, can be searched by entering in the search box on the left. If the item searched is not installed, Webmin will offer to download the RPM and install it. A corresponding entry will appear in the index on the left and you can proceed to configure the service or application. After installing an application or service, modules can be refreshed as well. From the Webmin interface, you can also view the module's logs.

This article focuses on the installation and setup of the Vsftpd service on Linux Redhat Enterprise, Fedora and CentOS, however it is applicable to almost all other Linux distributions.  We'll also take a look at a number of great tips which include setting quotas, restricting access to anonymous users, disabling uploads, setting a dedicated partition for the FTP service, configuring the system's IPTable firewall and much more.

VSFTPD Features

Following is a list of vsftpd's features which confirms this small FTP package is capable of delivering a lot more than most FTP servers out there:

• Virtual IP configurations
• Virtual users
• Standalone or inetd operation
• Powerful per-user configurability
• Bandwidth throttling
• Per-source-IP configurability
• Per-source-IP limits
• IPv6
• Encryption support through SSL integration
• and much more....!

Installing The VSFTPD Linux Server

To initiate the installation of the vsftpd package, simply open your CLI prompt and use the yum command (you need root privileges) as shown below:

Yum will automatically locate, download and install the latest vsftpd version.

Configure VSFTPD Server

To open the configuration file, type:

Turn off standard ftpd xferlog log format and turn on verbose vsftpd log format by making the following changes in the vsftpd.conf file:

Above two directives will enable logging of all FTP transactions.

To lock down users to their home directories:

You can create warning banners for all FTP users, by defining the path:

Now you can create the /etc/vsftpd/issue file with a message compliant with the local site policy or a legal disclaimer:

Turn On VFSTPD Service

Turn on vsftpd on boot:

Start the service:

You can verify the service is running and listening on the correct port using the following command:

Here's the expected output:

Configure IPtables To Protect The FTP Server

In case IPTables are configured on the system, it will be necessary to edit the iptables file and open the ports used by FTP to ensure the service's operation.

To open file /etc/sysconfig/iptables, enter:

Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT:

Next, open file /etc/sysconfig/iptables-config, and enter:

Ensure that the space-separated list of modules contains the FTP connection-tracking module:

Save and close the file and finally restart the firewall using the following commands:

Tip: View FTP Log File

Type the following command:

Tip: Restricting Access to Anonymous User Only

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

Tip: To Disable FTP Uploads

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

Tip: To Enable Disk Quota

Disk quota must be enabled to prevent users from filling a disk used by FTP upload services. Edit the vsftpd configuration file. Add or correct the following configuration options to represents a directory which vsftpd will try to change into after an anonymous login:

The ftp users are the same users as those on the hosting machine.

You could have a separate group for ftp users, to help keep their privileges down (for example 'anonftpusers'). Knowing that, your script should do:

Be extremely careful with your scripts, as they will have to be run as root.

However, for this to work you will have to have the following options enabled in /etc/vsftpd/vsftpd.conf: 

Security Tip: Place The FTP Directory On Its Own Partition

Separation of the operating system files from FTP users files may result into a better and secure system. Restricting the growth of certain file systems is possible using various techniques. For example, use /ftp partition to store all ftp home directories and mount ftp with nosuid, nodev and noexec options. A sample /etc/fstab entry:

Example File For vsftpd.conf

Following is an example for vsftpd.conf. It allows the users listed in the user_list file to log in, no anonymous users, and quite tight restrictions on what users can do:

With this config, uploaded files are not readable or executable by anyone, so the server is acting as a 'dropbox'. Change the file_open_modeoption to change that.

Lastly, it is also advised to have a look at 'man vsftpd.conf' for a full list and description of all options.

Updates are usually done in two distinct ways. One is called the incremental update, and the other is the major update. In the incremental updates, components of the operating system undergo minor modifications. Such modifications are usually informed to users over the net. Users can download and install the modifications serially using the update managing software.

However, some major modifications require so many changes involving several packages simultaneously, it becomes rather complicated to accomplish serially over the net. This type of modification is best done by a fresh installation, after acquiring the improved version of the operating system.

Package management is one of the most distinctive features distinguishing major Linux distributions. Major projects offer a graphical user interface where users can select a package and install it with a mouse click. These programs are front-ends to the low-level utilities to manage the tasks associated with installing packages on a Linux system. Although many desktop Linux users feel comfortable installing packages through these GUI tools, the command-line package management offers two excellent features not available in any graphical package management utility, and that is power and speed.

The Linux world is sharply divided into three major groups, each swearing by the type of package management they use - the “RPM” group, the “DEB” group and the “Slackware” group. There are other fragment groups using different package management types, but they are insignificantly minor in comparison. Among the three groups, RPM and DEB are by far the most popular and several other groups have been derived from them. Some of the Linux distributions that handle these package managements are:

RPM - RedHat Enterprise/Fedora/CentOS/OpenSUSE/Mandriva, etc.

DEB - Debian/Ubuntu/Mint/Knoppix, etc.

RPM - RedHat Package Manager

Although RPM was originally used by RedHat, this package management is handled by different types of package management tools specific to each Linux distribution. While OpenSUSE uses the “zypp” package management utility, RedHat Enterprise Linux (REL), Fedora and CentOS use “yum”, and Mandriva and Mageia use “urpmi”.

Therefore, if you are an OpenSUSE user, you will use the following commands:

For updating your package list: zypper refresh

For upgrading your system: zypper update

For installing new software pkg: zypper install pkg (from package repository)

For installing new software pkg: zypper install pkg  (from package file)

For updating existing software pkg: zypper update -t package pkg

For removing unwanted software pkg: zypper remove pkg

For listing installed packages: zypper search -ls

For searching by file name: zypper wp file

For searching by pattern: zypper search -t pattern pattern

For searching by package name pkg: zypper search pkg

For listing repositories: zypper repos

For adding a repository: zypper addrepo pathname

For removing a repository: zypper removerepo name

If you are a Fedora or CentOS user, you will be using the following commands:

For updating your package list: yum check-update

For upgrading your system: yum update

For installing new software pkg: yum install pkg (from package repository)

For installing new software pkg: yum localinstall pkg (from package file)

For updating existing software pkg: yum update pkg

For removing unwanted software pkg: yum erase pkg

For listing installed packages: rpm -qa

For searching by file name: yum provides file

For searching by pattern: yum search pattern

For searching by package name pkg: yum list pkg

For listing repositories: yum repolist

For adding a repository: (add repo to /etc/yum.repos.d/)

For removing a repository: (remove repo from /etc/yum.repos.d/)

You may be a Mandriva or Mageia user, in which case, the commands you will use will be:

For updating your package list: urpmi update -a

For upgrading your system: urpmi --auto-select

For installing new software pkg: urpmi pkg (from package repository)

For installing new software pkg: urpmi pkg (from package file)

For updating existing software pkg: urpmi pkg

For removing unwanted software pkg: urpme pkg

For listing installed packages: rpm -qa

For searching by file name: urpmf file

For searching by pattern: urpmq --fuzzy pattern

For searching by package name pkg: urpmq pkg

For listing repositories: urpmq --list-media

For adding a repository: urpmi.addmedia name path

For removing a repository: urpmi.removemedia media

DEB - Debian Package Manager

Debian Package Manager was introduced by Debian and later adopted by all derivatives of Debian - Ubuntu, Mint, Knoppix, etc. This is a relatively simple and standardized set of tools, working across all the Debian derivatives. Therefore, if you use any of the distributions managed by the DEB package manager, you will be using the following commands:

For updating your package list: apt-get update

For upgrading your system: apt-get upgrade

For installing new software pkg: apt-get install pkg (from package repository)

For installing new software pkg: dpkg -i pkg (from package file)

For updating existing software pkg: apt-get install pkg

For removing unwanted software pkg: apt-get remove pkg

For listing installed package: dpkg -l

For searching by file name: apt-file search path

For searching by pattern: apt-cache search pattern

For searching by package name pkg: apt-cache search pkg

For listing repositories: cat /etc/apt/sources.list

For adding a repository: (edit /etc/apt/sources.list)

For removing a repository: (edit /etc/apt/sources.list)

What is Server Virtualization?

Server virtualization is the process of apportioning a physical server into several smaller virtual servers. During server virtualization, the resources of the server itself remain hidden. In fact, the resources are masked from users, and software is used for dividing the physical server into multiple virtual machines or environments, called virtual or private servers.

This technology is commonly used in Web servers. Virtual Web servers provide a very simple and popular way of offering low-cost web hosting services. Instead of using a separate computer for each server, dozens of virtual servers can co-exist on the same computer.

There are many benefits of server virtualization. For example, it allows each virtual server to run its own operating system. Each virtual server can be independently rebooted without disturbing the others. Because several servers run on the same hardware, less hardware is required for server virtualization, which saves a lot of money for the business. Since the process utilizes resources to the fullest, it saves on operational costs. Using a lower number of physical servers also reduces hardware maintenance.

In most cases, the customer does not observe any performance deficit and each web site behaves as if it is being served by a dedicated server. However, the resources of the computer being shared, if a large number of virtual servers reside on the same computer, or if one of the virtual servers starts to hog the resources, Web pages will be delivered more slowly.

There are several ways of creating virtual servers, with the most common being virtual machines, operating system-level virtualization, and paravirtual machines.

How Are Virtual Servers Helpful

The way Internet is exploding with information, it is playing an increasingly important role in our lives. Internet traffic is increasing dramatically, and has been growing at an annual rate of nearly 100%. The workload on the servers is simultaneously increasing significantly so that servers frequently become overloaded for short durations, especially for popular web sites.

To overcome the overloading problem of the servers, there are two solutions. You could have a single server solution, such as upgrading the server to a higher performance server. However, as requests increase, it will soon be overloaded, so that it has to be upgraded repeatedly. The upgrading process is complex and the cost is high.

The other is the multiple server solution, such as building a scalable network service system on a cluster of servers. As load increases, you can just add a new server or several new servers into the cluster to meet the increasing requests, and a virtual server running on commodity hardware offers the lowest cost to performance ratio. Therefore, for network services, the virtual server is a highly scalable and more cost-effective for building server cluster system.

Virtual Servers with Linux

Highly available server solutions are done by clustering. Cluster computing involves three distinct branches, of which two are addressed by RHEL or Red Hat Enterprise Linux:

Ø    Load balancing clusters using Linux Virtual Servers as specialized routing machines to dispatch traffic to a pool of servers.

Ø    Highly available or HA Clustering with Red Hat Cluster Manager that uses multiple machines to add an extra level of reliability for a group of services.

Load Balancing Cluster System Using RHEL Virtual Servers

When you access a website or a database application, you do not know if you are accessing a single server or a group of servers. To you, the Linux Virtual Server or LVS cluster appears as a single server. In reality, there is a cluster of two or more servers behind a pair or redundant LVS routers. These routers distribute the client requests evenly throughout the cluster system.

Administrators use Red Hat Enterprise Linux and commodity hardware to address availability requirements, and to create consistent and continuous access to all hosted services.

In its simplest form, an LVS cluster consists of two layers. In the first layer are two similarly configured cluster members, which are Linux machines. One of these machines is the LVS router and is configured to direct the requests from the internet to the servers. The LVS router balances the load on the real servers, which form the second layer. The real servers provide the critical services to the end-user. The second Linux machine acts as a monitor to the active router and assumes its role in the event of a failure.

The active router directs traffic from the internet to the real servers by making use of Network Address Translation or NAT. The real servers are connected to a dedicated network segment transfer all public traffic via the active LVS router. The outside world sees this entire cluster arrangement as a single entity.

LVS with NAT Routing

The active LVS router has two Network Interface Cards or NICs. One of the NICs is connected to the Internet and has a real IP address on the eth0 and a floating IP address aliased to eth0:1. The other NIC connects to the private network with a real IP address on the eth1, and a floating address aliased to eth1:1.

All the servers of the cluster are located on the private network and use the floating IP for the NAT router. They communicate with the active LVS router via the floating IP as their default route. This ensures their abilities for responding to requests from the inernet are not impaired.

When requests are received by the active LVS router, it routes the request to an appropriate server. The real server processes the request and returns the packets to the LVS router. Using NAT, the LVS router then replaces the address of the real server in the packets with the public IP address of the LVS router. This process is called IP Masquerading, and it hides the IP addresses of the real servers from the requesting clients.

Configuring LVS Routers with the Piranha Configuration Tool

The configuration file for an LVS cluster follows strict formatting rules. To prevent server failures because of syntax errors in the file lvs.cf, using the Piranha Configuration Tool is highly recommended. This tool provides a structured approach to creating the necessary configuration file for a Piranha cluster. The configuration file is located at /etc/sysconfig/ha/lvs.cf, and the configuration can be done with a web-based tool such as the Apache HTTP Server.

As an example, we will use the following settings:

You will need to install piranha and ipvsadm packages on the LVS Routers:

Start services on the LVS Routers with:

Set a Password for the Piranha Configuration Tool using the following commands: 

# piranha-passwd

Next, turn on Packet Forwarding on the LVS Routers with:

Starting the Piranha Configuration Tool Service

First you'll need to modify the mode SELinux in permissive mode with the use of the command:

If this is not done, the system will most probably show the following error massage when the piranha-gui service is started:

Configure the LVS Routers with the Piranha Configuration Tool

The Piranha Configuration Tool runs on port 3636 by default. Open http://localhost:3626 or http://192.168.26.201:3636 in a Web browser to access the Piranha Configuration Tool. Click on the Login button and enter piranha for the Username and the administrative password you created, in the Password field:

Click on the GLOBAL SETTINGS panel, enter the primary server public IP, and click the ACCEPT button:

 Click on the REDUNDANCY panel, enter the redundant server public IP, and click the ACCEPT button:

 Click on the VIRTUAL SERVERS panel, add a server, edit it, and activate it:

Clicking on the REAL SERVER subsection link at the top of the panel displays the EDIT REAL SERVER subsection. Click the ADD button to add new servers, edit them and activate them:

Copy the lvs.cf file to another LVS router:

Start the pulse services on the LVS Routers with the following command:

Testing the System

You can use the Apache HTTP server benchmarking tool (ab) to simulate a visit by the user.

HA Clustering With Red Hat Cluster Manager

When dealing with clusters, single point failures, unresponsive applications and nodes are some of the issues that increase the non-availability of the servers. Red Hat addresses these issues through their High Availability or HA Add-On servers. Centralised configurations and management are some of the best features of the Conga application of RHEL.

For delivering an extremely mature, high-performing, secure and lightweight high-availability server solution, RHEL implements the Totem Single Ring Ordering and Membership Protocol. Corosync is the cluster executive within the HA Add-On.

Kernel-based Virtual Machine Technology

RHEL uses the Linux kernel that has the virtualization characteristics built-in and makes use of the kernel-based virtual machine technology known as KVM. This makes RHEL perfectly suitable to run as either a host or a guest in any Enterprise Linux deployment. As a result, all Red Hat Enterprise Linux system management and security tools and certifications are part of the kernel and always available to the administrators, out of the box.

RHEL uses highly improved SCSI-3 PR reservations-based fencing. Fencing is the process for removing resources from the cluster node from being accessed when they have lost contact with the cluster. This prevents uncoordinated modification of shared storage thus protecting the resources.

Improvement in system flexibility and configuration is possible because RHEL allows manual specification of devices and keys for reservation and registration. Ordinarily, after fencing, the unconnected cluster mode would need to be rebooted to rejoin the cluster. RHEL unfencing makes it possible to re-enable access and startup of the node without administrative intervention.

Improved Cluster Configuration

LDAP, the Lightweight Directory Access Protocol provides improved cluster configuration system for load options. This provides better manageability and usability across the cluster by easily configuring, validating and synchronizing the reload. Virtualized KVM guests can be run as managed services.

RHEL Web interface to the cluster management and administration runs on TurboGears2 and provides a rich graphical user interface. This enables unified logging and debugging by administrators who can enable, capture and read cluster system logs using a single cluster configuration command.

Installing TurboGears2

The method of installing TurboGears2 depends on the platform and the level of experience. It is recommended to install TurboGears2 withing a virtual enviroment as this will prevent interference with the system's installed packages. Prerequisites for installation of TurboGears2 are Python, Setuptools, Database and Drivers, Virtualenv, Virtualenvwrapper and other dependencies.

On most Linux systems, you can access the TCP/IP connection details within 'X Windows' from Applications > Others > Network Connections. The same may also be reached through Application > System Settings > Network > Configure. This opens up a window, which offers configuration of IP parameters for wired, wireless, mobile broadband, VPN and DSL connections:

The values entered here modify the files:

           /etc/sysconfig/network-scripts/ifcfg-eth0

           /etc/sysconfig/networking/devices/ifcfg-eth0

           /etc/resolv.conf

           /etc/hosts

The static host IP assignment is saved in /etc/hosts

The DNS server assignments are saved in the /etc/resolv.conf

IP assignments for all the devices found on the system are saved in the ifcfg-<interface> files mentioned above.

If you want to see all the IP assignments, you can run the command for interface configuration:

Following is the output of the above command:

[root@gateway ~]# ifconfig

eth0    Link encap:Ethernet  HWaddr 00:0C:29:AB:21:3E
          inet addr:192.168.1.18  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feab:213e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1550249 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1401847 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:167592321 (159.8 MiB)  TX bytes:140584392 (134.0 MiB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:71833 errors:0 dropped:0 overruns:0 frame:0
          TX packets:71833 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12205495 (11.6 MiB)  TX bytes:12205495 (11.6 MiB)

The command ifconfig is used to configure a network interface. It can be used to set up the interface parameters that are used at boot time. If no arguments are given, the command ifconfig displays the status of the currently active interfaces. If you want to see the status of all interfaces, including those that are currently down, you can use the argument -a, as shown below:

Fedora, Redhat Enterprise Linux, CentOS and other similar distributions supports user profiles as well, with different network settings for each user. The user profile and its parameters are set by the network-configuration tools. The relevant system files are placed in:

/etc/sysconfig/netwroking/profiles/profilename/

After boot-up, to switch to a specific profile you have to access a graphical tool, which will allow you to select from among the available profiles. You will have to run:

Or for activating the profile from the command line -

The Basic Commands for Networking

The basic commands used in Linux are common to every distro:

ifconfig - Configures and displays the IP parameters of a network interface

route - Used to set static routes and view the routing table

hostname - Necessary for viewing and setting the hostname of the system

netstat - Flexible command for viewing information about network statistics, current connections, listening ports

arp - Shows and manages the arp table

mii-tool - Used to set the interface parameters at data link layer (half/full duplex, interface speed, autonegotiation, etc.)

Many distro are now including the iproute2 tools with enhanced routing and networking tools:

ip - Multi-purpose command for viewing and setting TCP/IP parameters and routes.

tc - Traffic control command, used  for classifying, prioritizing, sharing, and limiting both inbound and outbound traffic.

Types of Network Interface

LO (local loop back interface). Local loopback interface is recognized only internal to the computer, the IP address is usually 127.0.0.1 or 127.0.0.2.

Ethernet cards are used to connect to the world external to the computer, usually named eth0, eth1, eth2 and so on.

Network interface files holding the configuration of LO and ethernet are:

           /etc/sysconfig/nework-scripts/ifcfg-lo

           /etc/sysconfig/nework-scripts/ifcfg-eth0

To see the contents of the files use the command:

Which results in:

And the following:

Which gives the following results:

Start and Stop the Network Interface Card

The ifconfig command can be used to start and stop network interface cards:

The ifup & ifdown command can also be used to start and stop network interface cards:

The systemctl commands can also be used to enable, start, stop, restart and check the status of the network interface services -

Displaying & Changing your System's Hostname

The command hostname displays the current hostname of the computer, which is 'Gateway':

You can change the hostname by giving the new name at the end of the command -

This will change to the new hostname once you have logged out and logged in again. In fact, for any change in the interfaces, the change is implemented only after the user logs in the next time after a log-out.

This concludes our Linux Network Configuration article.

Most of the firewalls in use today are the filtering firewalls. They sit between the computer and the Internet and limit access to only specific computers on the network. It can also be programmed to limit the type of communication, and selectively permit or deny several Internet services.

Organizations receive their routable IP addresses from their ISPs. However, the number of IP addresses given is limited. Therefore, alternate ways of sharing the Internet services have to be found without every node on the LAN getting a public IP address. This is done commonly by using private IP addresses, so that all nodes are able to access properly both external and internal network services.

Firewalls are used for receiving incoming transmissions from the Internet and routing the packets to the intended nodes on the LAN. Similarly, firewalls are also used for routing outgoing requests from a node on the LAN to the remote Internet service.

This method of forwarding the network traffic may prove to be dangerous, when modern cracking tools can spoof the internal IP addresses and allow the remote attacker to act as a node on the LAN. In order to prevent this, the iptables provide routing and forwarding policies, which can be implemented for preventing abnormal usage of networking resources. For example, the FORWARD chain lets the administrator control where the packets are routed within a LAN.

LAN nodes can communicate with each other, and they can accept the forwarded packets from the  firewall, with their internal IP addresses. However, this does not give them the facility to communicate to the external world and to the Internet.

For allowing the LAN nodes that have private IP addresses to communicate with the outside world, the firewall has to be configured for IP masquerading. The requests that LAN nodes make, are then masked with the IP addresses of the firewall’s external device, such as eth0.

How IPtables Can Be Used To Configure Your Firewall

Whenever a packet arrives at the firewall, it will be either processed or disregarded. The disregarded packets would normally be those, which are malformed in some way or are invalid in some technical way. Based on the packet activity of those that are processed, the packets are enqueued in one of the three builtin ‘tables.’ The first table is the mangle table. This alters the service bits in the TCP header. The second table is the filter queue, which takes care of the actual filtering of the packets. This consists of three chains, and you can place your firewall policy rules in these chains (shown in the diagram below):

- Forward chain: It filters the packets to be forwarded to networks protected by the firewall.

- Input chain: It filters the packets arriving at the firewall.

- Output chain: It filters the packets leaving the firewall.

The third table is the NAT table. This is where the Network Address Translation or NAT is performed. There are two built-in chains in this:

- Pre-routing chain: It NATs the packets whose destination address needs to be changed.

- Post-routing chain: It NATs the packets whose source address needs to be changed.

Whenever a rule is set, the table it belongs has to be specified. The ‘Filter’ table is the only exception. This is because most of the 'iptables’ rules are the filter rules. Therefore, the filter table is the default table.

The diagram below shows the flow of packets within the filter table. Packets entering the Linux system follow a specific logical path and decisions are made backed on their characteristics.  The path shown below is independent of the network interface they are entering or exiting:

The Filter Queue Table

Each of the chains filters data packets based on:

• Source and Destination IP Address
• Source and Destination Port number
• Network interface (eth0, eth1 etc)
• State of the packet 

Target for the rule: ACCEPT, DROP, REJECT, QUEUE, RETURN and LOG

As mentioned previously, the table of NAT rules consists mainly of two chains: each rule is examined in order until one matches. The two chains are called PREROUTING (for Destination NAT, as packets first come in), and POSTROUTING (for Source NAT, as packets leave).

The NAT Table

At each of the points above, when a packet passes we look up what connection it is associated with. If it's a new connection, we look up the corresponding chain in the NAT table to see what to do with it. The answer it gives will apply to all future packets on that connection.

The most important option here is the table selection option, `-t'. For all NAT operations, you will want to use `-t nat' for the NAT table. The second most important option to use is `-A' to append a new rule at the end of the chain (e.g. `-A POSTROUTING'), or `-I' to insert one at the beginning (e.g. `-I PREROUTING').

The following command enables NAT for all outgoing packets. Eth0 is our WAN interface:

 If you rather implement static NAT, mapping an internal host to a public IP, here's what the command would look like:

With the above command, all outgoing packets sent from internal IP 192.168.0.3 are mapped to external IP 203.18.45.12.

Taking it the other way around, the command below is used to enable port forwarding from the WAN interface, to an internal host. Any incoming packets on our external interface (eth0) with a destination port (dport) of 80, are forwarded to an internal host (192.168.0.5), port 80:

How The FORWARD Chain Allows Packet Forwarding

Packet forwarding within a LAN is controlled by the FORWARD chain in the iptables firewall. If the firewall is assigned an internal IP address eth2 and an external IP address on eth0,  the rules to be used to allow the forwarding to be done for the entire LAN would be:

This way, Firewall gets access to the nodes of the LAN that have internal IP address. The packets enter through the eth2 device of the gateway. They are then routed from one LAN node to their intended destination nodes.

Dynamic Firewall

By default, the IPv4 policy in Fedora kernels disables support for IP forwarding. This prevents machines that run Fedora from functioning as a dedicated firewall. Furthermore, starting with Fedora 16, the default firewall solution is now provided by “firewalld”. Although it is claimed to be the default, Fedora 16 still ships with the traditional firewall iptables. To enable the dynamic firewall in Fedora, you will need to disable the traditional firewall and install the new dynamic firewalld. The main difference between the two is firewalld is smarter in the sense it does not have to be stopped and restarted each time a policy decision is changed, unlike the traditional firewall.

To disable the traditional firewall, there are two methods, graphical and command line. For the graphical method, the GUI for the System-Config- Firewall can be opened from the Applications menu > Other > Firewall. The firewall can now be disabled. 

For the command line, following commands will be needed:

To remove iptables entirely from system:

For installing Firewalld, you can use Yum:

To enable and then start Firewalld you will need the following commands:

The firewall-applet can be started from Applications menu > Other > Firewall Applet

When you hover the mouse over the firewall applet on the top panel, you can see the ports, services, etc. that are enabled. By clicking on the applet, the different services can be started or stopped. However, if you change the status and the applet crashes in order to regain control, you will have to kill the applet by using the following commands:

Which will tell you the PID of the running applet, and you can kill it with the following command:

A restart of the applet can be done from the Applications menu, and now the service you had enabled will be visible.

To get around this, the command line option can be used:

DHCP is not installed by default on your Linux system. It has to be installed by gaining root privileges:

You will be prompted for the root password and you can install DHCP by the command:

Once all the dependencies are satisfied, the installation will complete.

Start the DHCP Server

You will need root privileges for enabling, starting, stopping or restarting the dhcpd service:

Once enabled, the dhcpd services can be started, stopped and restarted with:

or with the use of the following commands if systemctl command is not available:

To determine whether dhcpd is running on your system, you can seek its status:

Another way of knowing if dhcpd is running is to use the 'service' command:

Note that dhcpd has to be configured to start automatically on next reboot.

Configuring the Linux DHCP Server

Depending on the version of the Linux installation you are currently running, the configuration file may reside either in /etc/dhcpd or /etc/dhcpd3 directories.

When you install the DHCP package, a skeleton configuration file and a sample configuration file are created. Both are quite extensive, and the skeleton configuration file has most of its commands deactivated with # at the beginning. The sample configuration file can be found in the location /usr/share/doc/dhcp*/dhcpd.conf.sample.

When the dhcpd.conf file is created, a subnet section is generated for each of the interfaces present on your Linux system; this is very important. Following is a small part of the dhcp.conf file:

The IP addresses will need to be changed to meet the ranges suitable to your network. There are other option statements that can be used to configure the DHCP. As you can see, some of the resources such as printers, which need fixed IP addresses, are given the specific IP address based on the NIC MAC address of the device.

For more information, you may read the relevant man pages:

Routing with a DHCP Server

When a PC with DHCP configuration boots, it requests for the IP address from the DHCP server. For this, it sends a standard DHCP request packet to the DHCP server with a source IP address of 255.255.255.255. A route has to be added to this 255.255.255.255 address so that the DHCP server knows on which interface it has to send the reply. This is done by adding the route information to the /etc/sysconfig/network-scripts/route-eth0 file, assuming the route is to be added to the eth0 interface:

After defining the interface for the DHCP routing, it has to be further ensured that your DHCP server listens only to that interface and to no other. For this the /etc/sysconfig/dhcpd file has to be edited and the preferred interface added to the DHCPDARGS variable. If the interface is to be eth0 following are the changes that need to be made:

Testing the DHCP

Using the netstat command along with the -au option will show the list of interfaces listening on the bootp or DHCP UDP port:

will result in the following:

Additionally, a check on the /var/log/messages file will show the defined interfaces used from the time the dhcpd daemon was started:

This confirms the DHCP Service has been installed with success and operating correctly.

When an RHEL system accesses resources on a Windows system, it does so using the Samba Client. An RHEL system, by default, has the Samba Client installed.

When an RHEL system serves resources to a Windows system, it uses the package Samba Server or simply Samba. This is not installed by default and has to be exclusively set up.

Installing SAMBA on Linux Redhat/CentOS

Whether Samba is already installed on your RHEL, Fedora or CentOS setup, it can be tested with the following command:"

The result could be - “package samba is not installed,” or something like “samba-3.5.4-68.el6_0.1.x86_64” showing the version of Samba present on the system.

To install Samba, you will need to become root with the following command (give the root password, when prompted):

Then use Yum to install the Linux Samba package:

This will install the samba package and its dependency package, samba-common.

Before you begin to use or configure Samba, the Linux Firewall (iptables) has to be configured to allow Samba traffic. From the command-line, this is achieved with the use of the following command:

Configuring Linux SAMBA

The Samba configuration is meant to join an RHEL, Fedora or CentOS system to a Windows Workgroup and setting up a directory on the RHEL system, to act as a shared resource that can be accessed by authenticated Windows users.

To start with, you must gain root privileges with (give the root password, when prompted):

Edit the Samba configuration file:

The smb.conf [Global] Section

An smb.conf file is divided into several sections. the [global] section, which is the first section, has settings that apply to the entire Samba configuration. However, settings in the other sections in the configuration file may override the global settings.

To begin with, set the workgroup, which by default is set as “MYGROUP”:

Since most Windows networks are named WORKGROUP by default, the settings have to be changed as:

Configure the Shared Resource

In the next step, a shared resource that will be accessible from the other systems on the Windows network has to be configured. This section has to be given a name by which it will be referred to when shared. For our example, let’s assume you would like share a directory on your Linux system located at /data/network-applications.  You’ll need to entitle the entire section as [NetApps] as shown below in our smb.conf file:

“NetApps”.

This concludes the changes to the Samba configuration file.

Create a Samba User

Any user wanting to access any Samba shared resource must be configured as a Samba User and assigned a password. This is achieved using the smbpasswd  command as a root user. Since you have defined “administrator” as the user who is entitled to access the “/data/network-applications” directory of the RHEL system, you have to add “administrator” as a Samba user.

You must gain root privileges with the following command (give the root password, when prompted):

Add “administrator” as a Windows user -

The system will respond with

This will result into the following message:

It will also be necessary to add the same account as a simple linux user, using the same password we used for the samba user:

If you would like to ensure that Windows users are automatically authenticated to your Samba share, without prompting for a username/password, all that’s needed is to add the samba user and password exactly as you Windows clients usernames and password. When a Windows system accesses a Samba share, it will automatically try to log in using the same credentials as the user logged into the Windows system.

Starting Samba and NetBios Name Service on RHEL

The Samba and NetBios Nameservice or NMB services have to be enabled and then started for them to take effect:

In case the services were already running, you may have to restart them again:

If you are not using systemctl command, you can alternatively start the Samba using a more classic way:

To configure your Linux system to automatically start the Samba service upon boot up, the above command will need to be inserted in the /etc/rc.local file. For more information about this, you can read our popular Linux Init Process & Different run levels article

Accessing the Samba Shares From Windows                               

Now that you have configured the Samba resources and the services are running, they can be tested for sharing from a Windows system. For this, open the Windows Explorer and navigate to the Network page. Windows should show the RHEL system. If you double-click on the RHEL icon, you will be prompted for the username and password. The username to be entered now is “administrator” with the password that was assigned. 

Again, if you are logged on your Windows workstation using the same account and password as that of the Samba service (e.g Administrator), you will not be prompted for any authentication as the Windows  operating system will automatically authenticate to the RHEL Samba service using these credentials.

Accessing Windows Shares From RHEL Workstation or Server

To access Windows shares from your RHEL system, the package samba-client may have to be installed, unless it is installed by default. For this you must gain root privileges with (give the root password, when prompted):

Install samba-client using the following commands:

To see any shared resource on the Windows system and to access it, you can go to Places > Network. Clicking on the Windows Network icon will open up the list of workgroups available for access.

Such levels are important for different operations, such as for fixing file or disk corruption problems, or for the server to operate in a run level where the X-session is not required. In such cases having services running that depend on higher levels of operation, makes no sense, since they will hamper the operation of the entire system.

Each service is assigned to start whenever its run level is reached. Therefore, when you ensure the startup process is orderly, and you change the mode of the machine, you do not need to bother about which service to manually start or stop.

The main run-levels that a system could use are:

The system and service manager for Linux is now “systemd”. It provides a concept of “targets”, as in the table above. Although targets serve a similar purpose as runlevels, they act somewhat differently. Each target has a name instead of a number and serves a specific purpose. Some targets may be implemented after inheriting all the services of another target and adding more services to it.

Backward compatibility exists, so switching targets using familiar telinit RUNLEVEL command still works. On Fedora installs, runlevels 0, 1, 3, 5 and 6 have an exact mapping with specific systemd targets. However, user-defined runlevels such as 2 and 4 are not mapped that way. They are treated similar to runlevel 3, by default.

For using the user-defined levels 2 and 4, new systemd targets have to be defined that makes use of one of the existing runlevels as a base. Services that you want to enable have to be symlinked into that directory.

The most commonly used runlevels in a currently running linux box are 3 and 5. You can change runlevels in many ways.

A runlevel of 5 will take you to GUI enabled login prompt interface and desktop operations. Normally by default installation, this would take your to GNOME or KDE linux environment. A runlevel of 3 would boot your linux box to terminal mode (non-X) linux box and drop you to a terminal login prompt. Runlevels 0 and 6 are runlevels for halting or rebooting your linux respectively.

Although compatible with SysV and LSB init scripts, systemd:

• Provides aggressive parallelization capabilities.
• Offers on-demand starting of daemons.
• Uses socket and D-Bus activation for starting services.
• Keeps track of processes using Linux cgroups.
• Maintains mount and automount points.
• Supports snapshotting and restoring of the system state.
• Implements an elaborate transactional dependency-based service control logic.

Systemd starts up and supervises the entire operation of the system. It is based on the notion of units. These are composed of a name, and a type as shown in the table above. There is a matching configuration file with the same name and type. For example, a unit avahi.service will have a configuration file with an identical name, and will be a unit that encapsulates the Avahi daemon. There are seven different types of units, namely, service, socket, device, mount, automount, target, and snapshot.

To introspect and or control the state of the system and service manager under systemd, the main tool or command is “systemctl”. When booting up, systemd activates the default.target. The job of the default.target is to activate the different services and other units by considering their dependencies. The ‘system.unit=’ command line option parses arguments to the kernel to override the unit to be activated. For example,

systemd.unit=rescue.target is a special target unit for setting up the base system and a rescue shell (similar to run level 1);

systemd.unit=emergency.target, is very similar to passing init=/bin/sh but with the option to boot the full system from there;

systemd.unit=multi-user.target for setting up a non-graphical multi-user system;

systemd.unit=graphical.target for setting up a graphical login screen.

How to Enable/Disable Linux Services

Following are the commands used to enable or disable services in CentOS, Redhat Enterprise Linux and Fedora systems:

Activate a service immediately e.g postfix:

To deactivate a service immediately e.g postfix:

To restart a service immediately e.g postfix:

You might have noticed the 'FAILED' message. This is normal behavior as we shut down the postfix service with our first command (service postfix stop), so shutting it down a second time would naturally fail!

Determine Which Linux Services are Enabled at Boot

The first column of this output is the name of a service which is currently enabled at boot. Review each listed service to determine whether it can be disabled.

 If it is appropriate to disable a service , do so using the command:

[root@gateway ~]# chkconfig -level servicename off

Run the following command to obtain a list of all services programmed to run in the different Run Levels of your system:

Several of these services are required, but several others might not serve any purpose in your environment, and use CPU and memory resources that would be better allocated to applications. Assuming you don't RPC services, autofs or NFS, they can be disabled for all Run Levels using the following commands:

How to Change Runlevels

You can switch to runlevel 3 by running:    

(or)

You can switch to runlevel 5 by running:    

(or)

How to Change the Default Runlevel Using Systemd

Switch to runlevel 3 by default:

[root@gateway ~]# ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target  Switch to runlevel 5 by default:    

[root@gateway ~]# ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target

 And just in case you were wondering, systemd does not use the classic /etc/inittab file!

How to Change The Default Runlevel Using The Inittab File

There's the Systemd way and of course, the Inittab way. In this case, Runlevels are represented by /etc/inittab text file. The default runlevel is always specified from /etc/inittab text file.

To change the default runlevel in fedora ,edit /etc/inittab and find the line that looks like this:  id:5:initdefault:

The number 5 represents a runlevel with X enabled (GNOME/KDE mostly). If you want to change to runlevel 3, simply change this

Users having difficulty with Linux editors can also read our article on how to use Vi, the popular Linux editor: Linux VIM / Vi Editor - Tutorial - Basic & Advanced Features.

Boot Disk

One of the foremost requisites of a secure Linux server is the boot disk. Nowadays, this has become rather simple as most Linux distributions are on bootable CD/DVD/USB sticks. Other options are, to use rescue disks such as the ‘TestDisk’, ‘SystemRescueCD’, ‘Trinity Rescue Kit’ or ‘Ubuntu Rescue Remix’. These will enable you to gain access to your system, if you are unable to gain entry, and also to recover files and partitions if your system is damaged. They can be used to check for virus attacks and to detect rootkits.

Next requirement is for patching your system. Distributions issue notices for security updates, and you can download and patch your system using these updates. RPM users can use the ‘up2date’ command, which automatically resolves dependencies, rather than the other rpm commands, since these only report dependencies and do not help to resolve them.

Patch Your System

While RedHat/CentOS/Fedora users can patch their systems with a single command, 'yum update',   Debian users can patch their systems with the ‘sudo apt-get update’ command, which will update the sources list. This should be followed by the command ‘sudo apt-get upgrade’, which will install the newest version of all packages on the machine, resolving all the dependencies automatically.

New vulnerabilities are being discovered all the time, and patches follow. One way to learn about new vulnerabilities is to subscribe to the mailing list of the distribution used.

Disable Unnecessary Services

Your system becomes increasingly insecure as you operate more services, since every service has its own security issues. For improving the overall system performance and for enhancing security, it is important to detect and eliminate unnecessary running services. To know which services are currently running on your system, you can use commands like:

Following is an example output of the above command:

The following command will list all start-up scripts for RunLevel 3 (Full multiuser mode):

Here is an example output of the above commands:

To disable services, you can either stop a running service or change the configuration in a way that the service will not start on the next reboot. To stop a running service, RedHat/CentOS users can use the command -

In order to stop the service from starting up at boot time, you could use -

You can also remove a service from the startup script by using the following commands which will remove the httpd (Apache Web server) service:

[root@gateway~]# /bin/mv /etc/rc.d/rc3.d/S85httpd /etc/rc.d/rc3.d/K85httpd 

or

During startup on of the Linux operating system, the rc program looks in the /etc/rc.d/rc3.d directory (when configured with Runlevel 3),  executing any K* scripts with an option of stop. Then, all the S* scripts are started with an option of start. Scripts are started in numerical order—thus, the S08iptables script is started before the S85httpd script. This allows you to choose exactly when your script starts without having to edit files. The same rule applies with the K* scripts.

In some rare cases, services may have to be removed from /etc/xinetd.d or /etc/inetd.conf file.

Debian users can use the following commands to stop, start and restart a service -

Remove the startup script by using the following commands:

or

Host-based Firewall Protection with IPtables

Using iptables firewall, you could limit access to your server by IP address or by host/domain name. RedHat/CentOS users have a file /etc/sysconfig/iptables based on the services that were ‘allowed’ during installation. The file can be edited to accept some services and block others. In case the requested service does not match any of the ACCEPT lines in the iptables file, the packet is logged and then rejected.

RedHat/CentOS/Fedora users will have to install the iptables with:

Debian users will need to install the iptables with the help of:

Then use the iptables command line options/switches to implement the policy. The rules of iptables usually take the form:   
•    INIVIDUAL REJECTS FIRST
•    THEN OPEN IT UP
•    BLOCK ALL

As it is a table of rules, the first rule takes precedence. If the first rule dis-allows everything nothing else following later will matter.

In practice, a firewall script is needed which is created using the following sequence:
1) Create your script
2) Make it executable
3) Run the script

Following are the commands used for the above order:

Updating the firewall script is simply a matter of re-editing to make the necessary changes and running it again. Since iptables does not run as a daemon, instead of stopping, the rules are only flushed with the '-F' option: 

At startup/reboot, all that is needed is to execute the script to flush the iptables rules. The simplest way to do this is to add the script (/root/firewall.sh) to the file /etc/rc.local file.

Best Practices

Apart from the above, a number of steps need to be taken to keep your Linux server safe from outside attackers. Key files should be checked for security and must be set to root for both owner and group:

/etc/fstab
/etc/passwd
/etc/shadow
/etc/group

The above should be owned by root and and their permission must be 644 (rw-r--r--), except /etc/shadow which should have the permission of 400 (r--------).

You can read more on how to set permissions on your Linux files in our Linux File & Folder Permissions article

Limiting Root Access

Implement a password policy, which forces users to change their login passwords, for example, every 60 to 90 days, starts warning them within 7 days of expiry, and accepts passwords that are a minimum of 14 characters in length.

Root access must be limited by using the following commands for RedHat/CentOS/Fedora -

Or for RedHat/CentOS/Fedora/Debian:

Provide the password of the user, who can assume root privileges.

Only root should be able to access CRON. Cron is a system daemon used to execute desired tasks (in the background) at designated times.

A crontab is a simple text file with a list of commands meant to be run at specified times. It is edited with a command-line utility. These commands (and their run times) are then controlled by the cron daemon, which executes them in the system background. Each user has a crontab file which specifies the actions and times at which they should be executed, these jobs will run regardless of whether the user is actually logged into the system. There is also a root crontab for tasks requiring administrative privileges. This system crontab allows scheduling of systemwide tasks (such as log rotations and system database updates). You can use the man crontab command to find more information about it.

Lastly, the use of SSH is recommended instead of Telnet for remote accesses. The main difference between the two is that SSH encrypts all data exchanged between the user and server, while telnet sends all data in clear-text, making it extremely easy to obtain root passwords and other sensitive information. All unused TCP/UDP ports must also be blocked using IPtables.

How are these permissions shown and how are they modified?

In a shell, command line or within a terminal, if you type 'ls -l', you will see something like the following:

The last group of words on the right is the name of the file or directory. Therefore, 'Videos' is a directory, which is designated by the ’d’ at the start of the line. Since 'Doom-TNT' shows only a '-', at the start of the line, it is a file. The following series of 'rwx...' are the permissions of the file or directory. You will notice that there are three sets of 'rwx'. The first three rwx are the read, write and execute permissions for the owner 'tutor'.

Since the r, w and x are present, it means the owner has all the permissions. The next set of 'rwx' is permissions for the group, which is the second 'username'. You will notice that the 'w' here is missing, and is replaced by a '-'. This means group members of the group 'username' have permissions to read and to execute 'Doom-TNT', but cannot write to it or modify it. Permission for 'others' is the same. Therefore, others can also read and execute the file, but not write to it or modify it. Others do not have any permissions for the directory 'Videos' and hence cannot read (enter), modify or execute 'Videos'.

You can use the 'chmod' command to change the permissions you give. The basic form of the command looks like:

chmod 'who'+/-'permissions' 'filename'

Here, the 'filename' is the file, whose permissions are being modified. You are giving the permissions to 'who', and 'who' can be u=user (meaning you), g=group, o=others, or a=all.

The 'permissions' you give can be r=read, w=write, x=execute or 'space' for no permissions. Using a '+' grants the permission, and a '-' removes it.

As an example, the command 'chmodo+r Videos' will result in:

and now 'others' can read 'Videos'. Similarly, 'chmod o-r Videos', will set it back as it was, before the modification.

Linux file and folder permissions are covered extensively on our dedicated Linux File & Folder permissions article.

What Happens In A GUI environment?

If you are using a file manager like Nautilus, you will find a 'view' menu, which has an entry 'Visible Columns'. This opens up another window showing the visible columns that you can select to allow the file manager to show. You will find there are columns like 'Owner', 'Group' and 'Permissions'. By turning these columns ON, you can see the same information as with the 'ls -l' command.

If you want to modify the permissions of any file from Nautilus, you will have to right-click on the file with your mouse. This will open up a window through which you can access the 'properties' of the file. In the properties window, you can set or unset any of the permissions for owner, group and others.

What Are Group IDs?

Because Linux is a multi-user system, there could be several users logged in and using the system. The system needs to keep track of who is using what resources. This is primarily done by allocating identification numbers or IDs to all users and groups. To see the IDs, you may enter the command 'id', which will show you the user ID, the group ID and the IDs of the groups to which you belong.

A standard Linux installation, for example Ubuntu, comes with some groups preconfigured. Some of these are:

The numbers are the group IDs and their names are given inside brackets. Unless you are a member of a specific group, you are not allowed to use that resource. For example, unless you belong to the group 'cdrom', you will not be allowed to access the contents of any CDs and DVDs that are mounted on the system.

In Linux, the 'root' or 'super user', also called the 'administrator', is a user who is a member of all the groups and has all permissions in all places, unless specifically changed. Users who have been granted root privileges defined in the 'sudoers' file, can assume root status temporarily with the 'sudo' command.

The system administrator sets a limit or a disk quota to restrict certain aspects of the file system usage on a Linux operating system. In multi-user environments, disk quotas are very useful since a large number of users have access to the file system. They may be logging into the system directly or using their disk space remotely. They may also be accessing their files through NFS or through Samba. If several users host their websites on your web space, you need to implement the quota system.

How to Install Linux Quota

For installing a quota system, for example, in your Debian or RedHAT Linux system, you will need two tools called ‘quota’ and ‘quotatool’. At the time of installation of these tools, you will be asked if you wish to send daily reminders to users who are going over their quotas.

Now, the administrator also needs to know the users that are going over their quota. The system will send an email to this effect, therefore the email address of the administrator has to be inputted next.

In case the user does not know what to do if the system gives him a warning message, the next entry is the contact number of the administrator. This will be displayed to the user along with the warning message. With this, the quota system installation is completed.

At this time, a user and a group have to be created and proper permissions given. For creating, you have to assume root status, and type the following commands:

Next, these have to be mounted in the proper place on the root file system. For this, an entry has to be made in the ‘fstab’ file in the directory /etc. In the ‘fstab’ file, the root entry has to be modified with:

Next, the computer has to be rebooted, or the file system remounted with the command:

 The system is now able to work with disk quotas. However, you have to allow the system to build/rebuild its table of current disk usage. For this, you must first run quotacheck.

This will examine all the quota-enabled file systems, and build a table of the current disk usage for each one. The operating system’s copy of the disk usage is then updated. In addition, this creates the disk quota files for the entire file system. If the quota already existed, they are updated. The command looks like:

 Some explanation is necessary here. The (-a) tells the command that all locally mounted quota-enabled file systems are to be checked. The (-v) is to display the status information as the check proceeds. The (-u) is to enable checking the user disk quota information. The (-g) is to enable checking the group disk quota information. Finally, the (-m) tells the command not to try to remount file system read-only.

After checking and building the disk-quota files is over, the disk-quotas have to be turned on. This is done by the command ‘quotaon’ to inform the system that disk-quota should be enabled, such as:

Here, (-a) forces all file systems in /etc/fstab to enable their quotas. The (-v) displays status information for each file system. The (-u) is for enabling the user quota. The (-g) enables the group quota.

Define Quota for Each User/Group

Now that the system is ready with quotas, you can start defining what each user or group gets as his limit. Two types of limits can be defined. One is the soft limit and the other is the hard limit. To set the two limits try editing the size and inode size with:

This allows you to edit the following line:

Here, the soft limit is 200000 (200MB) and the hard limit is 400000 (400MB). You may change it to suit your user (denoted by $USER).

The soft limit has a grace period of 7 days by default. It can be changed to days, hours, minutes, or seconds as desired by:

This allows you to edit the line below. It has been modified to change the default to 15 minutes:

For editing group quota use:

Quota Status Report

Now that you have set a quota, it is easy to create a mini report on how much space a user has used. For this use the command:

Once the user and group quotas are setup, it is simple to manage your storage. Therefore you do not allow users to hog all of the disk space. By using disk quotas, you force your users to be tidier, and users and groups of users will not fill their home directories with junk or old documents that are no longer needed.

While monitoring a complex computer system, some of the basic things to be kept in mind are the utilization of the hard disk, memory or RAM, CPU, the running processes, and the network traffic. Analysis of the information made available during monitoring is necessary, since all the resources are limited. Reaching the limits or exceeding them on any of the resources could lead to severe consequences, which may even be catastrophic.

Monitoring The Hard Disk Space

Use a simple command like:

This shows there are two partitions (1 & 2) of the hard disk sda, which are currently at 24% and 72% utilization. The total size is shown in gigabytes (G). How much is used and balance available is shown as well. However, checking each hard disk to see the percentage used can be a big drag. It is better that the system checks the disks and informs you by email if there is a potential danger. Bash scripts may be written for this and run at specific times as a cron job.

For the GUI, there is a graphical tool called ‘Baobab’ for checking the disk usage. It shows how a disk is being used and displays the information in the form of either multicolored concentric rings or boxes.

Monitoring Memory Usage

RAM or memory is used to run the current application. Under Linux, there are a number of ways you can check the used memory space -- both in static and dynamic conditions.

For a static snapshot of the memory, use ‘free -m’ which results in the output:

Here, the total amount of RAM is depicted in megabytes (MB), along with cache and swap. A somewhat more detailed output can be obtained by the command ‘vmstat’:

However, if a dynamic situation of what is happening to the memory is to be examined, you have to use ‘top’ or ‘htop’. Both will give you a picture of which process is using what amount of memory and the picture will be updated periodically. Both ‘top’ and ‘htop’ will also show the CPU utilization, tasks running and their PID. Whereas ‘top’ has a purely numerical display, ‘htop’ is somewhat more colorful and has a semi-graphic look. There is also a list of command menus at the bottom for set up and specific operations.

For a graphical display of how the memory is being utilized, the Gnome System Monitor gives a detailed picture. There are other system monitors available under various window managers in Linux.

Monitoring CPU(s)

You may have a single, a dual core, or a quad core CPU in your system. To see what each CPU is doing or how two CPUs are sharing the load, you have to use ‘top’ or ‘htop’. These command line applications show the percentage of each CPU being utilized. You can also see process statistics, memory utilization, uptime, load average, CPU status, process counts, and memory and swap space utilization statistics.

Similar output statistics may be seen by using command line tools such as the ‘mpstat’, which is part of a group package called ‘sysstat’. You may have to install ‘sysstat’ in your system, since it may not be installed by default. Once installed, you can monitor a variety of parameters, for example compare the CPU utilization of an SMP system or multi-processor system.

Finding out if any specific process is hogging the CPU needs a little more command line instruction such as:

OR

Similar output can be obtained by using the command ‘iostat’ as root:

This will show three outputs every five seconds and show the information since the last reboot.

CPU usage under GUI is very well depicted by the Gnome System Monitor and other system monitoring applications. These are also useful for monitoring remote servers. Detailed memory maps can be accessed, signals can be sent and processes controlled remotely.

Gnome-System-Monitor

Linux Processes

How do you know what processes are currently running in your Linux system? There are innumerable ways of getting to see this information. The handiest applications are the old faithfuls - ‘top’ and ‘htop’. They will give a real-time image of what is going on under the hood. However, if you prefer a more static view, use ‘ps’. To see all processes try ‘ps -A’ or ‘ps -e’:

root@gateway [~]# ps -e
PID TTY          TIME CMD
    1 ?          00:01:41 init
 3201 ?        00:00:00 leechprotect
 3208 ?        00:00:00 httpd
 3360 ?        00:00:00 httpd
 3490 ?        00:00:00 httpd
 3530 ?        00:00:00 httpd
 3532 ?        00:00:00 httpd
 3533 ?        00:00:00 httpd
 3535 ?        00:00:00 httpd
 3575 ?        00:00:00 httpd
 3576 ?        00:00:00 httpd
 3631 ?        00:00:00 imap
 3694 ?        00:00:00 httpd
 3705 ?        00:00:00 httpd
 3770 ?        00:00:00 imap
 3774 pts/0    00:00:00 ps
 5407 ?        00:00:13 dovecot
 5408 ?        00:00:12 dovecot-auth
 5416 ?        00:00:10 pop3-login
 5417 ?        00:00:49 pop3-login
 5418 ?        00:00:01 imap-login
 5419 ?        00:00:04 imap-login
 9745 ?        00:00:01 lfd
11501 ?        00:01:35 spamd
23948 ?        00:00:05 exim
23993 ?        00:01:00 spamd
24477 ?        00:00:04 queueprocd
24494 ?        00:01:20 tailwatchd
24526 ?        00:00:00 cpdavd
24536 ?        00:00:02 cpanellogd
24543 ?        00:00:33 cpsrvd-ssl
25952 ?        00:20:17 named
26374 ?        00:00:00 udevd
28524 ?        00:00:00 sshd
28531 pts/0    00:00:00 bash
29834 ?        00:00:00 sshd
30426 ?        00:11:27 syslogd
30429 ?        00:00:00 klogd
30473 ?        00:00:00 xinetd
30485 ?        00:00:00 mysqld_safe
30549 ?        1-15:07:28 mysqld
32158 ?        00:06:29 httpd
32166 ?        00:12:39 pure-ftpd
32168 ?        00:07:12 pure-authd
32181 ?        00:01:06 crond
32368 ?        00:00:00 saslauthd
32373 ?        00:00:00 saslauthd

PS is an extremely powerful and versatile command, and you can learn more by ‘ps --h’:

root@gateway [~]# ps --h
********* simple selection *********  ********* selection by list *********
-A all processes                         -C by command name
-N negate selection                      -G by real group ID (supports names)
-a all w/ tty except session leaders     -U by real user ID (supports names)
-d all except session leaders            -g by session OR by effective group name
-e all processes                         -p by process ID
T  all processes on this terminal        -s processes in the sessions given
a  all w/ tty, including other users     -t by tty
g  OBSOLETE -- DO NOT USE                -u by effective user ID (supports names)
r  only running processes                 U  processes for specified users
x  processes w/o controlling ttys         t  by tty
*********** output format **********  *********** long options ***********
-o,o user-defined   -f full               --Group --User --pid --cols --ppid
-j,j job control    s  signal             --group --user --sid --rows --info
-O,O preloaded     -o  v  virtual memory  --cumulative --format --deselect
-l,l long              u  user-oriented   --sort --tty --forest --version
-F   extra full        X  registers       --heading --no-heading --context
                    ********* misc options *********
-V,V  show version     L  list format codes   f  ASCII art forest
-m,m,-L,-T,H  threads  S  children in sum    -y change -l format
-M,Z  security data    c  true command name  -c scheduling class
-w,w  wide output      n  numeric WCHAN,UID  -H process hierarchy

Assuming that you are in a shell, or in the command line, you can simply type 'vim' and the application starts:

 Exiting the VIM application is easily accomplished: type ':' followed by a 'q', hit the 'Enter' key and you are out:

 That's how you start and stop the Vim car. Now, let's try to learn how to steer the car.

You can move around in Vim, using the four arrow keys. However, a faster way is to use the 'h', 'j', 'k' and 'l' keys. This is because the keys are always under your right hand and you do not need to move your hand to access them as with the arrow keys. The 'j' moves the cursor down, 'k' moves it up. The 'h' key moves the cursor left, while 'l' moves it to the right. That's how you steer the Vim car.

You can edit a file using Vim. You either have an existing file, or you make a new one. If you start with 'vim filename', you edit the file represented by the 'filename'. If the file does not exist, Vim will create a new file. Now, if you want to edit a file from within Vim, open the file using ':e filename'. If this file is a new file, Vim will inform you. You can save the file using the ':w' command.

If you need to search the file you are editing for a specific word or string, simply type forward-slash '/' followed by the word you would like to search for. After hitting 'enter', VIM will automatically take you to the first match.  By typing forward-slash '/' again followed by 'enter' it will take you to the next match.

To write or edit something inside the file, you can start by typing ':i' and Vim will enter the 'Insert' mode. Once you have finished, you can exit the Insert mode by pressing the 'Esc' key, and undo the changes you made with ':e!'. You also have a choice to either save the file using the ':w' command, or save & quit by using ':wq'. Optionally, you can abort the changes and quit by ':q!'.

If you have made a change and want to quit without explicitly informing Vim whether you want to save the file or not, Vim will rightly complain, but will also guide you to use the '!'.

Command Summary

Start VIM:  vim
Quit Program: :q
Move Cursor: Arrow keys or j, k, h, l (down, up, left, right)
Edit file: vim filename
Open file (within VIM):  :e filename  e.g   :e bash.rc
Search within file: /'string'  e.g /firewall  
Insert mode:  :i
Save file:   :w
Save and Quit:  :wq
Abort and Quit:  :q!

Advanced Features of VIM

Now that you know your way in and out of Vim, and how to edit a file, let us dig a little deeper. For example, how can you add something at the end of a line, when you are at its starting point? Well, one way is to keep the right arrow pressed, until you get to the end. A faster way is 'Shift+a' and you are at the end of the line. To go to the beginning of the line, you must press 'Shift+i'. Make sure you are out of the 'Insert' mode shown at the bottom; use the 'Esc' for this.

Supposing you are in the middle of a line, and would like to start inserting text into a new line, just below it. One way would be to move the cursor right and hit 'Enter' when you reach the end. A faster way is to enter 'o'. If you enter 'o' or 'shift+o', you can start entering text into the new line created above the cursor. Don't forget to exit the 'Insert' mode by pressing 'Esc'.

How do you delete lines? Hold the 'delete' button and wait until the lines are gone. How can you do it faster? Use the 'd' command. If you want to delete 10 lines below your cursor position and the current line, try 'd10j'. To delete 5 lines above your current position and the current line, try 'd5k'. Note the 'j' and 'k' (down, up) covered in our previous section. If you’ve made a mistake, recover it with the undo command, 'u'. Redo it with 'Ctrl+r'.

Tip 1: To delete the current line alone, use 'dd'.

Tip 2: To delete the current line and the one below it, use 'd2d'.

Did you know you can have windows in Vim? Oh yes, you can. Try 'Ctrl+w+s' if you want a horizontal split, and 'Ctrl+w+v' if you want a vertical split. Move from one window to another by using 'Ctrl+w+w'. After you have finished traveling through all the windows, close them one by one using 'Ctrl+w+c'.

 Here is an example with four (4) windows within the Vim environment:

You can record macros in Vim and run them. To record a macro you have to start it with an 'm'. To stop recording it, hit 'q'. To play the macro, press '@m'. To rerun it, press '@'. Macros are most useful when you require to perform the same commands within a file.

Vim also has extensive help facilities. To learn about a command, say 'e', type ':h e' and hit 'Enter'. You will see how the command 'e' can be useful. To come back to where you were, type ‘:q’ and then ‘Enter’. Incidentally, typing ':he' and 'Enter' will open up the general help section. Come back with the same ':q'.

As an example, here's what we got when we typed ':h e' (that's an ":" + "h" + space + "e"):

When we typed ':he', we were presented with the main help file of VIM:

Command Summary

Move cursor to end of line:  Shift+a
Move cursor to beginning of line:  Shift+o
Delete current line: dd
Delete 10 lines below cursor position: d10j
Delete 5 lines above cursor position: d5k
Undo:  u
Redo: Ctrl+r
Window Mode - Horizontal:  Ctrl+w+s
Window Mode - Vertical Split:  Ctrl+w+v
Move between windows: Ctrl+w+w
Close Window: Ctrl+w+c
Enable Macro recording:  m
Play Macro:  @m
Help:    :h 'command'  from within VIM. e.g  :h e

For example, if you're trying to resolve firewall.cx and your machine contacts a ROOT DNS server, the server will point your computer to the DNS server in charge of the .CX domain, which in turn will point your computer to the DNS server in charge of firewall.cx, currently server with IP 74.200.90.5.

Understanding DNS Caching and its Implications

As you can see, a simple DNS request can become quite a task in order to successfully resolve the domain. This also means that there's a fair bit of traffic generated in order to complete the procedure. Whether you're paying a flat rate to your ISP or your company has a permanent connection to the Internet, the truth is that someone ends up paying for all these DNS requests ! The above example was only for one computer trying to resolve one domain. Try to imagine a company that has 500 computers connected to the Internet or an ISP with 150,000 subscribers - Now you're starting to get the big picture!

All that traffic is going to end up on the Internet if something isn't done about it, not to mention who will be paying for it!

This is where DNS Caching comes in. If we're able to cache all these requests, then we don't need to ask the ROOT DNS or any other external DNS server as long as we are trying to resolve previously visited sites or domains, because our caching system would "remember" all the previous domains we visited (and therefore resolved) and would be able to give us the IP Address we're looking for!

Note: You should keep in mind that when you install BIND, by default it's setup to be a DNS Caching server, so all you need to do it startup the service, which is called 'named'.

Almost all Internet name servers use name caching to optimise search costs. Each of these servers maintains a cache which contains all recently used names as well as a record of where the mapping information for that name was obtained. When a client (e.g your computer) asks the server to resolve a domain, the server will first check to see whether it has authority (meaning if it is in charge) for that domain. If not, the server checks its cache to see if the domain is in there and it will find it if it's been recently resolved.

Assuming that the server does find it in the cache, it will take the information and pass it on to the client but also mark the information as a nonauthoritative binding, which means the server tells the client "Here is the information you required, but keep in mind, I am not in charge of this domain".

The information can be out of date and, if it is critical for the client that it does not receive such information, it will then try to contact the authoritative DNS server for the domain and obtain the up to date information it requires.

DNS Caching Does Come with its Problems!

As you can clearly see, DNS caching can save you a lot of money, but it comes with its problems !

Caching does work well in the domain name system because name to address binding changes infrequently. However, it does change. If the servers cached the information the first time it was requested and never change that information, the entries in the cache could become incorrect.

The Solution To DNS Caching Problems

Fortunately there is a solution that will prevent DNS servers from giving out incorrect information. To ensure that the information in the cache is correct, every DNS server will time each entry and dispose of the ones that have exceeded a reasonable time. When a DNS server is asked for the information after it has removed the entry from its cache, it must go back to the authoritative source and obtain it again.

Whenever an authoritative DNS server responds to a request, it includes a Time To Live (TTL) value in the response. This TTL value is set in the zone files as you've probably already seen in the previous pages.

If you manage DNS server an are planning to introduce changes like redelegate (move) your domain to some other hosting company or if the IP Address your website currently has or changing mail servers, in the next couple weeks, then it's a good idea to get your TTL changes to a very small value well before the scheduled changes. Reason for this is because any dns server that will query your domain, website or any resource record that belongs to your domain, will cache the data for the amount of time the TTL is set.

By decreasing the $TTL value to e.g 1 hour, this will ensure that all dns data from your domain will expire in the requesters cache 1 hour after it was received. If you didn't do this, then the servers and clients (simple home users) who access your site or domain, will cache the dns data for the currently set time, which is normaly around 3 days. Not a good thing when you make a big change :)

So keep in mind all the above when your about the perform a change in the DNS server zone files. a couple of days before making the change, decrease the $TTL value to a reasonable value, not more than a few hours, and then once you complete the change, be sure you set it back to what it was.

We hope this has given you an insight on how you can save yourself, or company money and problems which occur when changing field and values in the DNS zone files!

If you are wondering how is it that the Slave DNS server is easy to setup, well you need to remember that all the Slave DNS server does is update its database from the Master DNS server (zone transfer) so almost all the files we configure on the Master DNS server are copied to the Slave DNS server, which acts as a backup in case the Master DNS server fails.

Setting Up The Slave DNS Server

Let's have a closer look at the requirements for getting our Slave DNS server up and running.

Keeping in mind that the Slave DNS server is on another machine, we are assuming that you have downloaded and successfully installed the same BIND version on it. We need to copy 3 files from the Master DNS server, make some minor modifications to one file and launch our Slave DNS server.... the rest will happen automatically :)

So which files do we copy?

The files required are the following:

• named.conf (our configuration file)
• named.ca or db.cache (the root hints file, contains all root servers)
• named.local (local loopback for the specific DNS server so it can direct traffic to itself)

The rest of the files, which are our db.DOMAIN (db.firewall.cx for our example) and db.in-addr.arpa (db.192.168.0 for our example), will be transferred automatically (zone transfer) as soon as the newly brought up Slave DNS server contacts the Master DNS server to check for any zone files.

How do I copy these files?

There are plenty of ways to copy the files between servers. The method you will use depends on where the servers are located. If, for example, they are right next to you, you can simply use a floppy disk to copy them or use ftp to transfer them.

If you're going to try to transfer them over a network, and especially over the Internet, then you might consider something more secure than ftp. We would recommend you use SCP, which stands for Secure Copy and uses SSH (Secure SHell).

SCP can be used independently of SSH as long as there is an SSH server on the other side. SCP will allow you to transfer files over an encrypted connection and therefore is preferred for sensitive files, plus you get to learn a new command :)

The command used is as follows: scp localfile-to-copy username@remotehost:desitnation-folder. Here is the command line we used from our Gateway server (Master DNS): scp /etc/named.conf root@voyager:/etc/

Keep in mind that the files we copy are placed in the same directory as on the Master DNS server. Once we have copied all three files we need to modify the named.conf file. To make things simple, we are going to show you the original file copied from the Master DNS and the modified version which now sits on the Slave DNS server.

The Master named.conf file is a clear cut/paste from the "Common BIND Files" page, whereas the Slave named.conf has been modifed to suit our Slave DNS server. To help you identify the changes, we have marked them in red:

 As you can see, most of the slave's named.conf file is similair to the master's, except for a few fields and values, which we are going to explain right now.

The type value is now slave, and that's pretty logical since it tells the dns server if it's a master or slave.

The file "bak.firewall.cx"; entry basically tells the server what name to give the zone files once they are transfered from the master dns server. We tend to follow the bak.domain format because that's the way we see the slave server, a backup dns server. It is not imperative to use this name scheme, you can change it to whatever you wish. Once the server is up and running, you will see these files soon appear in the /var/named directory.

Lastly, the masters {192.168.0.10}; entry informs our slave server that this is the IP Address of the master DNS which it needs to contact and retrieve the zone files. That's all there is to setup the slave DNS server ! As we mentioned, once the master is setup, the slave is a peice of cake cause it involves very few changes.

Our Final article covers the setup of  Linux BIND DNS Caching.

We will be analysing these files in this article, to help you understand why they exist and how they fit into the big picture :

Our Common Files

There are 3 common files that we're going to look at, of which the first two files contents change slightly depending on the domain. This happens because they must be aware of the various hosts and the domain name for which they are created. The third file in the list below, is always the same amongst all DNS servers and we will explain more about it later on.

So here are our files:

• named.local or db.127.0.0
• named.conf
• named.ca or db.cache

The Named.local File

The named.local file, or db.127.0.0 as some might call it, is used to cover the loopback network. Since no one was given the responsibility for the 127.0.0.0 network, we need this file to make sure there are no errors when the DNS server needs to direct traffic to itself (127.0.0.1 IP Address - Loopback).

When installing BIND, you will find this file in your caching example directory: /var/named/caching-example, so you can either create a new one or modify the existing one to meet your requirements.

The file is no different than our example db.addr file we saw previously:

That's all there is for named.local file !

The Named.ca File

The named.ca file (also known as the "root hints file") is created when you install BIND and dosen't need to be modified unless you have an old version of BIND or it's been a while since you installed BIND.

The purpose of this file is to let your DNS server know about the Internet ROOT Servers. There is no point displaying all of the file's content because it's quite big, so we will show an entry of a ROOT server to get the idea what it looks like:

The Named.conf File

The named.conf file is usually located in the /etc directory and is the key file that ties all the zone data files together and lets the DNS server know where they are located in the system. This file is automatically created during the installation but you must edit it in order to add new entries that will point to any new zone files you have created.

Let's have a close look at the named.conf file and explain:

At first glance it might seem a maze, but it's a lot simpler than you think. Break down each paragraph and you can see clearly the pattern that follows.

Starting from the top, the options section simply defines the directory where all the files to follow are located, the rest are simply comments.

The root servers section tells the DNS server where to find the root hints file, which contains all the root servers.

Next up is the entry for our domain firewall.cx, we let the DNS server know which file contains all the zone entries for this domain and let it know that it will act as a master DNS server for the domain. The same applies for the entry to follow, which contains the IP to Name mappings, this is the 0.168.192.in-addr.arpa zone.

The last entry is required for the local loopback. We tell the DNS server which file contains the local loopback entries.

Notice the "IN" class that is present in each section? If we accidentally forget to include it in our zone files, it wouldn't matter because the DNS server will automatically figure out the class from our named.conf file. It's imperative not to forget the "IN" (Internet) class in the named.conf, whereas it really doesnt matter if you don't put it in the zone files. It's good practice still to enter it in the zone files as we did, just to make sure you don't have any problems later on.

And that ends our discussion for the common DNS (BIND) files.  Next up is the configuration of our Linux BIND Slave/Secondary DNS server.

Constructing The db.192.168.0 File

While we start to construct the file, you will notice many similarities with our previous file. Most resource records have already been covered and explained in our previous articles and therefore we will not repeat on this page.

The first line is our $TTL control statement, followed by the Start Of Authority (SOA) resource record:

Name server resource records are next, follwed by the PTR resource record that creates our IP Address-to-name mappings. The syntax is nearly the same as the db.domain file, but keep in mind that we don't enter the full reversed IP Address for the name servers but only the first 3 octets which represent the network they belong to:

 Time to look at the configuration file with all its entries:

This completes the confgiuration of our db.192.168.0 Zone data file.

Remember the whole purpose of this file is to provide an IP Address-to-name mapping, which is why we do not use the domain name in front of each line, but the reversed IP Address followed by the in-addr.arpa. entry. Next article deals with the Common Files in Linux BIND DNS.

First step is to decide on the domain we're using and we've decided on the popular firewall.cx. This means that the first zone file will be db.firewall.cx. Note that this file is to be placed on the Master DNS server for our domain.

We will progressively build our database by populating it step by step and explaining each step we take. At the end of the step-by-step example, we'll grab each step's data and put it all together so we can see how the final version of our file will look. We strongly beleive, this is the best method of explaining how to create a zone file without confusing the hell out of everyone!

Constructing db.firewall.cx - db.domain

It is important at this point to make it clear that we are setting up a primary DNS server. For a simple DNS caching or secondary name server, the setup is a lot simpler and covered on the articles to come.

The first entry for our file is the Default TTL - Time To Live. This is defined using the $TTL control statement. $TTL specifies the time to live for all records in the file that follow the statement and don't have an explicit TTL. We are going to set ours to 24 hours - 86400 seconds.

The units used are seconds. An older common TTL value for DNS was 86400 seconds, which is 24 hours. A TTL value of 86400 would mean that, if a DNS record was changed on the authoritative nameserver, DNS servers around the world could still be showing the old value from their cache for up to 24 hours after the change.

Newer DNS methods that are part of a DR (Disaster Recovery) system may have some records deliberately set extremely low on TTL. For example a 300 second TTL would help key records expire in 5 minutes to help ensure these records are flushed world wide quickly. This gives administrators the ability to edit and update records in a timely manner. TTL values are "per record" and setting this value on specific records is normally honored automatically by all standard DNS systems world-wide.   Dynamic DNS (DDNS) usually have the TTL value set to 5 minutes, or 300 seconds.

Next up is the SOA Record. The SOA (Start Of Authority) resource record indicates that this name server is the best source of information for the data within this zone (this record is required in each db.DOMAIN and db.ADDR file), which is the same as saying this name server is Authoritative for this zone. There can be only one SOA record in every data zone file (db.DOMAIN).

Let's explain the above code:

firewall.cx. is the domain name and must always be stated in the first column of our line, be sure you include the trailing dot "." after the domain name, we'll explain later on why this is needed.

The IN stands for Internet. This is one class of data and while other classes exist, you won't see them at all because they are not used :)

The SOA is an important resource record. What follows is the actual primary name server for firewall.cx. In our example, this is the server named "voyager" and its Fully Qualified Domain Name (FQDN) is voyager.firewall.cx. Notice the trailing "." is present here as well.

Next up is the entry admin.voyager.firewall.cx. which is the email address of the person responsible for this domain. Take the dot "." after the admin entry and replace it with a "@" and you have a valid email address: admin@voyager.firewall.cx. Most times you will see root, postmaster or hostmaster instead of "admin".

The "(" parentheses allow the SOA record to span more than one line, while in most cases the fields that follow are used by the secondary name servers and any other name server requesting information about the domain.

The serial number "1 ; Serial Number" entry is used by the secondary name server to keep track of changes that might have occured in the master's zone file. When the secondary name server contacts the primary name server, it will check to see if this value is the same. If the secondary's name server is lower than the primary's, then its data is out of date and, when equal, it means the data is up to date. This means when you make any modifications to the primary's zone file, you must increment the serial number at least by one.

Note that anything after the semicolon (;) is considered a remark and not taken into consideration by the DNS BIND Service. This allows us to create easy-to-understand comments for future reference.

The refresh "3h ; Refresh after 3 hours" tells the secondary name server how often to check the primary's server's data, to ensure its copy for this zone is up to date.

If the secondary name server tries to contact the primary and fails, the retry "1 h ; Retry after 1 hour" is used to tell the secondary name server how long to wait until it tries to contact the primary again.

If the secondary name server fails to contact the primary for longer than the time specified in the fourth entry "1 w ; Expire after 1 week", then the zone data on the secondary name server is considered too old and will expire.

The last line "1 h ) ; Negative caching TTL of 1 day" is how long a name server will send negative responses about the zone. These negative responses say that a particular domain or type of data sought for a particular domain name doesn't exist. Notice the SOA section finishes with the ")" parentheses.

Next up in the file are the name server (NS) records:

These entries define the two name servers (voyager and gateway) for our domain firewall.cx. These entries will be also in the db.ADDR file for this domain as we will see later on.

It's time to enter our MX records. These records define the mail exchange servers for our domain, and this is how any client, host or email server is able to find a domain's email server:

Let's explain what exactly these entries mean. The first line specifies that voyager.firewall.cx is a mail exchanger for firewall.cx, just as the second line (...IN MX 20 gateway...) specifies that gateway.firewall.cx is also a mail exchanger for the domain. The MX record indicates that the following hosts are mail exchanger servers for the domain and the numbers 10 and 20 indicate the priority level. The smaller the number, the higher the priority.

This means that voyager.firewall.cx is a higher priority mail server than gateway.firewall.cx.  If another server trying to send email to firewall.cx fails to contact the highest priority mail server (voyager.firewall.cx), it will then fall back to the secondary, in which our case is gateway.firewall.cx.

These entries were introduced to prevent mail loops. When another email server (unlikely for a private domain like mine, but the same rule applies for the Internet) wants to send mail to firewall.cx, it will try to contact first the mail exchanger with the smallest number, which in our case is voyager.firewall.cx. The smaller the number, the higher the priority if there are more than one mail servers.

In our example, if we replaced:

firewall.cx. IN MX 10 voyager.firewall.cx.

firewall.cx. IN MX 20 gateway.firewall.cx.

with

firewall.cx. IN MX 50 voyager.firewall.cx.

firewall.cx. IN MX 100 gateway.firewall.cx.

the result in matter of server priority, would be the same.

Let's now have a look our next part of our zone file: Host IP Addresses and Alias records:

Most fields in this section are easy to understand. We start by defining our localhost (local loopback) "localhost.firewall.cx. IN A 127.0.0.1" and continue with the servers on our private network, these include voyager, enterprise, gateway and admin. The "A" record stands for IP Address. So "voyager.firewall.cx. IN A 192.168.0.15" translates to a host called voyager located in the firewall.cx domain with an INternet ip Address of 192.168.0.15. See the pattern? :)

The second block has the aliases table, where we created a Canonical Name (CNAME) record. A CNAME record simply maps an alias to its canonical name; in our example, www is the alias and voyager.firewall.cx is the canonical name.

When a name server looks up a name and finds CNAME records, it replaces the name (alias - www) with its canonical name (voyager.firewall.cx) and looks up the canonical name (voyager.firewall.cx).

For example, when a name server looks up www.firewall.cx, it will replace the 'www' with 'voyager' and lookup the IP Address for voyager.firewall.cx.

This also explains the existance of "www" in all URLs - it's nothing more than an alias which, ultimately, is replaced with the CNAME record defined.

The Complete db.domain Configuration File

That completes a simple domain setup! We have now created a working zone file that looks like this:

A quick glance at this file tells you a lot about our lab domain firewall.cx, and this is probably the best time to explain why we should not omit the trailing dot at the end of the domain name:

If we took gateway.firewall.cx as an example and omitted the dot "." at the end of our entries, the system would translate it like this: gateway.firewall.cx.firewall.cx - definately not  what we want!

As you see, the 'firewall.cx' is appended to the end of our Fully Qualified Domain Name for the particular resource record (gateway). This is why it's so important to never forget that extra dot "." at the end!

Our next article will cover the db.ADDR file, which will take the name db.192.168.0. for our example.

Zones and Domains

The programs that store information about the domain name space are called name servers, as you probably already know. Name Servers generally have complete information about some part of the domain name space (a zone), which they load from a file. The name server is then said to have authority for that zone.

The term zone is not one that you come across every day while you're surfing on the Internet. We tend to think that the domain concept is all there is when it comes to DNS, which makes life easy for us, but when dealing with DNS servers that hold data for our domains (name servers), then we need to introduce the zone term since it is essential so we can understand the setup of a DNS server.

The difference between a zone and a domain is important, but subtle. The best way to understand the difference is by using a good example, which is coming up next.

The COM domain is divided into many zones, including the hp.com zone, sun.com, it.com. At the top of the domain, there is also a com zone.

The diagram below shows you how a zone fits within a domain:

The trick to understanding how it works is to remember that a zone exists "inside" a domain. Name servers load zone files, not domains. Zone files contain information about the portion of a domain for which they are responsible. This could be the whole domain (sun.com, it.com) or simply a portion of it (hp.com + pr.hp.com).

In our example, the hp.com domain has two subdomains, support.hp.com and pr.hp.com. The first one, support.hp.com is controlled by its own name servers as it has its own zone, called the support.hp.com zone. The second one though, pr.hp.com is controlled by the same name server that takes care of the hp.com zone.

The hp.com zone has very little information about the support.hp.com zone, it simply knows its right below. If anyone requires more information on support.hp.com, it will be requested to contact the authoritative name servsers for that subdomain, which are the name servers for that zone.

So you see that even though support.hp.com is a subdomain just like pr.hp.com, it is not setup and controlled the same way as pr.hp.com.

On the other hand, the Sun.com domain has one zone (sun.com zone) that contains and controlls the whole domain. This zone is loaded by the authoritative name servers.

BIND? Never Heard of it!

As mentioned in the beginning of this article, BIND stands for Berkely Internet Name Domain. Keeping things simple, it's a program you download (www.bind.org) and install on your Unix or Linux server to give it the ability to become a DNS server for your private (lan) or public (Internet) network.

The majority of DNS servers are based on BIND as it's a proven and reliable DNS server. The download is approximately 4.8 MBytes. Untarring and compiling BIND is a pretty straight forward process and the steps required will depend on your Linux distribution and version. If you follow the instructions provided with the download, you shouldn't have any problems.  For simplicity purposes, we assume you've compiled and installed the BIND program using the provided instructions.

Setting Up Your Zone Data

No matter what Linux distribution you have, the file structure is pretty much the same. I have BIND installed on my Linux server, which runs Slackware v8 with kernel 2.4.19. By following the installation procedure found in the documentation provided with BIND, you will have the server installed within 15 min at most.

Once the installation of BIND is complete you need to start creating your zone data files. Remember, these are the files the DNS server will load in order to understand how your domain is setup and the various hosts within it.

A DNS server has multiple files that contain information about the domain setup. From these files, one will map all host names to IP Addresses and other files will map the IP Address back to hostnames. The name-to-IP Address lookup is sometimes called forward mapping and the IP Address-to-name lookup reverse mapping. Each network will have its own file for reverse-mapping.

As a convention in this section, a file that maps hostnames to IP Addresses will be called db.DOMAIN, where DOMAIN is the name of your domain e.g. db.firewall.cx, and db is short for DataBase.The files mapping IP Address to hostnames are called db.ADDR where ADDR is the network number without trailing zeros or the specification of a netmask, e.g db.192.168.0 for the 192.168.0.0 network.

The collection of our db.DOMAIN and db.ADDR files are our Zone Data files. There are a few other zone data files, some of which are created during the installation of BIND: named.ca, localhost.zone and named.local.

Named.ca contains information about the root servers on the Internet, should your DNS server require to contact one of them. Localhost.zone and Named.local are there to cover the loopback network. The loopback address is a special address hosts use to direct traffic to themselves. This is usually IP Address 127.0.0.1, which belongs to the 127.0.0.0/24 network.

These files must be present in each DNS server and are the same for every DNS server.

Quick Summary of Our Files

Let's have a quick look at the files we have covered so far to make sure we don't lose track:

1) Following files must be created by you and will contain the data for our zone:

• db.DOMAIN e.g db.space.net - Host to IP Address mapping
• db.ADDR e.g db.192.168.0 - IP Address to Host mapping

2) Following files are usually created by the BIND installation:

• named.ca - Contains the ROOT DNS servers
• named.local & localhost.zone - Special files so the server can direct traffic to itself.

You should also be aware that the file names can change, there is no standard for names, it's just very convenient and tidy to keep some type of convention.

To tie all the zone data files together a name server needs a configuration file. BIND version 8 and above calls it named.conf and it can be found in your /etc dir once you install the BIND package. Named.conf simply tells the name server where your zone files are located and we will be analysing this file later on.

Most entries in the zone data files are called DNS resource records. Since DNS lookups are case insensitive, you can enter names in your zone data files in uppercase, lowercase or mixed case. I tend to use lowercase.

Resource records must start in the first column of a line. The DNS RFCs have samples that present the order in which one should enter the resource records. Some people choose to follow this order, while others don't. You are not required to follow this order, but I do :)

Here is the order of resource records in the zone data file:

SOA record - Indicates authority for this zone.

NS record - Lists a name server for this zone

MX record - Indicates the mail exchange server for the domain

A record - Name to IP Address mapping (gives the IP Address for a host)

CNAME record - Canonical name (used for aliases)

PTR record - Address to name mapping (used in db.ADDR)

The next article (Part 2) deals with the construction of our first zone data file, db.firewall.cx of our example firewall.cx domain.

On our forums you'll find a lot of experienced people always willing to go that extra mile to help you out, so don't hesitate to ask - you'll be suprised at the responses!

Generally the Linux community is a very helpful one. You'll be happy to know that there is more documentation, tutorials, HOW-TOs and FAQs (Frequently Asked Questions) for Linux than for all other operating systems in the world!

If you go to any search engine, forum or news group researching a problem, you'll always find an answer.

To save you some searching, here are a few websites where you can find information covering most aspects of the operating system:

• https://tldp.org/ - The Linux Documentation Project homepage has the largest collection of tutorials, HOW-TOs and FAQs for Linux.

• https://www.linux.org/- The documentation page from the official Linux.org website. Contains links to a lot of useful information.

• https://docs.fedoraproject.org/en-US/quick-docs/fedora-and-red-hat-enterprise-linux/ - The Red Hat Fedora Linux manuals page. Almost all of this information will apply to any other version of Linux as well. All the guides here are full of very useful information. You can download all the guides to view offline.

• https://forums.justlinux.com/ - Contains a library of information for beginners on all topics from setting up hardware, installing software, to compiling the kernel

• https://www.linuxquestions.org/- The second best place (we're the first :> ) to post a question if you have a problem.

• https://rpm.pbone.net/ - Pbone is a great search engine to find RPM packages for your Linux operating system.

• https://sourceforge.net/ - The world's largest development and download repository of Open Source code (free) and applications. Sourceforge hosts thousands of open source projects, most of which are of course for the Linux operating system.

We hope you have enjoyed this brief introduction to the Linux operating system and hope you'll be tempted to try Linux for yourself. You've surely got nothing to lose and everything to gain!

Remember, Linux is the No.1 operating system when it comes to web services and mission critical servers - it's not a coincidence other major software vendors are doing everything they can to stop Linux from gaining more ground!

Visit our Linux section to discover more engaging technical articles on the Linux Operating system.

These permissions allow you to choose exactly who can access your files and folders, providing an overall enhanced security system. This is one of the major weaknesses in the older Windows operating systems where, by default, all users can see each other's files (Windows 95, 98, Me).

For the more superior versions of the Windows operating system such as NT, 2000, XP and 2003 things look a lot safer as they fully support file & folder permissions, just as Linux has since the beginning.

Together, we'll now examine a directory listing from our Linux lab server, to help us understand the information provided. While a simple 'ls' will give you the file and directory listing within a given directory, adding the flag '-l' will reveal a number of new fields that we are about to take a look at:

It's possible that most Linux users have seen similar information regarding their files and folders and therefore should feel pretty comfortable with it. If on the other hand you happen to fall in to the group of people who haven't seen such information before, then you either work too much in the GUI interface of Linux, or simply haven't had much experience with the operating system :)

Whatever the case, don't disappear - it's easier than you think!!

Understanding "drwx"

Let's start from scratch, analysing the information in the previous screenshot.

In the yellow column on the right we have the file & directory names (dirlist.txt, document1, document2 etc.) - nothing new here. Next, in the green column, we will find the time and date of creation.

Note that the date and time column will not always display in the format shown. If the file or directory it refers to was created in a year different from the current one, it will then show only the date, month and year, discarding the time of creation.

For example, if the file 'dirlist.txt' was created on the 27th of July, 2004, then the system would show:

Jun 27 2004 dirlist.txt

instead of

Jun 27 11:28 dirlist.txt

A small but important note when examining files and folders! Lastly, the date will change when modifying the file. As such, if we edited a file created last year, then the next time we typed 'ls -l', the file's date information would change to today's date. This is a way you can check to see if files have been modified or tampered with.

The next column (purple) contains the file size in bytes - again nothing special here.

Next column (orange) shows the permissions. Every file in Linux is 'owned' by a particular user.. normally this is the user (owner) who created the file.. but you can always give ownership to someone else.

The owner might belong to a particular group, in which case this file is also associated with the user's group. In our example, the left column labeled 'User' refers to the actual user that owns the file, while the right column labeled 'group' refers to the group the file belongs to.

Looking at the file named 'dirlist.txt', we can now understand that it belongs to the user named 'root' and group named 'sys'.

Following the permissions is the column with the cyan border in the listing.

The system identifies files by their inode number, which is the unique file system identifier for the file. A directory is actually a listing of inode numbers with their corresponding filenames. Each filename in a directory is a link to a particular inode.

Links let you give a single file more than one name. Therefore, the numbers indicated in the cyan column specifies the number of links to the file.

As it turns out, a directory is actually just a file containing information about link-to-inode associations.

Next up is a very important column, that's the first one on the left containing the '-rwx----w-' characters. These are the actual permissions set for the particular file or directory we are examining.

To make things easier, we've split the permissions section into a further 4 columns as shown above. The first column indicates whether we are talking about a directory (d), file (-) or link (l).

In the newer Linux distributions, the system will usually present the directory name in colour, helping it to stand out from the rest of the files. In the case of a file, a dash (-) or the letter 'f' is used, while links make the use of the letter 'l' (l). For those unfamiliar with links, consider them something similar to the Windows shortcuts.

Column 2 refers to the user rights. This is the owner of the file, directory or link and these three characters determine what the owner can do with it.

The 3 characters on column 2 are the permissions for the owner (user rights) of the file or directory. The next 3 are permissions for the group that the file is owned by and the final 3 characters define the access permissions for the others group, that is, everyone else not part of the group.

So, there are 3 possible attributes that make up file access permissions:

• r - Read permission. Whether the file may be read. In the case of a directory, this would mean the ability to list the contents of the directory.
• w - Write permission. Whether the file may be written to or modified. For a directory, this defines whether you can make any changes to the contents of the directory. If write permission is not set then you will not be able to delete, rename or create a file.
• x - Execute permission. Whether the file may be executed. In the case of a directory, this attribute decides whether you have permission to enter, run a search through that directory or execute some program from that directory.

Let's take a look at another example:

Take the permissions of 'red-bulb', which are drwxr-x---. The owner of this directory is user david and the group owner of the directory is sys. The first 3 permission attributes are rwx. These permissions allow full read, write and execute access to the directory to user david. So we conclude that david has full access here.

The group permissions are r-x. Notice there is no write permission given here so while members of the group sys can look at the directory and list its contents, they cannot create new files or sub-directories. They also cannot delete any files or make changes to the directory content in any way.

Lastly, no one else has any access because the access attributes for others are - - -.

If we assume the permissions are drw-r--r-- you see that the owner of the directory (david) can list and make changes to its contents (Read and Write access) but, because there is no execute (x) permission, the user is unable to enter it! You must have read and execute (r-x) in order to enter a directory and list its contents. Members of the group sys have a similar problem, where they seem to be able to read (list) the directory's contents but can't enter it because there is no execute (x) permission given!

Lastly, everyone else can also read (list) the directory but is unable to enter it because of the absence of the execute (x) permission.

Here are some more examples focusing on the permissions:

-r--r--r-- :This means that owner, group and everyone else has only read permissions to the file (remember, if there's no 'd' or 'l', then we are talking about a file).

-rw-rw-rw- : This means that the owner, group and everyone else has read and write permissions.

-rwxrwxrwx : Here, the owner, group and everyone else has full permissions, so they can all read, write and execute the file (-).

Modifying Ownership & Permissions

So how do you change permissions or change the owner of a file?

Changing the owner or group owner of a file is very simple, you just type 'chown user:group filename.ext', where 'user' and 'group' are those to whom you want to give ownership of the file. The 'group' parameter is optional, so if you type 'chown david file.txt', you will give ownership of file.txt to the user named david.

In the case of a directory, nothing much changes as the same command is used. However, because directories usually contain files that also need to be assigned to the new user or group, we use the '-R' flag, which stands for 'recursive' - in other words all subdirectories and their files: 'chown -R user:group dirname'.

To change permissions you use the 'chmod' command. The possible options here are 'u' for the user, 'g' for the group, 'o' for other, and 'a' for all three. If you don't specify one of these letters it will change to all by default. After this you specify the permissions to add or remove using '+' or '-' . Let's take a look at an example to make it easier to understand:

If we wanted to add read, write and execute to the user of a particular file, we would type the following 'chmod u+rwx file.txt'. If on the other hand you typed 'chmod g-rw file.txt' you will take away read and write permissions of that file for the group .

While it's not terribly difficult to modify the permissions of a file or directory, remembering all the flags can be hard. Thankfully there's another way, which is less complicated and much faster. By replacing the permissions with numbers, we are able to calculate the required permissions and simply enter the correct sum of various numbers instead of the actual rights.

The way this works is simple. We are aware of three different permissions, Read (r), Write (w) and Execute (x). Each of these permissions is assigned a number as follows:

r (read) - 4

w (write) - 2

x (execute) - 1

Now, to correctly assign a permission, all you need to do is add up the level you want, so if you want someone to have read and write, you get 4+2=6, if you want someone to have just execute, it's just 1.. zero means no permissions. You work out the number for each of the three sections (owner, group and everyone else).

If you want to give read write and execute to the owner and nothing to everyone else, you'd get the number 7 0 0. Starting from the left, the first digit (7) presents the permissions for the owner of the file, the second digit (0) is the permissions for the group, and the last (0) is the permissions for everyone else. You get the 7 by adding read, write and execute permissions according to the numbers assigned to each right as shown in the previous paragraphs: 4+2+1 = 7.

If you want to give full access to the owner, only read and execute to the group, and only execute to everyone else, you'd work it out like this :

owner: rwx = 4 + 2 + 1 = 7

group: r-x = 4 + 0 + 1 = 5

everyone: --x = 0 + 0 + 1 = 1

So your number will be 751, 7 for owner, 5 for group, and 1 for everyone. The command will be 'chmod 751 file.txt'. It's simple isn't it ?

If you want to give full control to everyone using all possible combinations, you'd give them all 'rwx' which equals to the number '7', so the final three digit number would be '777':

If on the other hand you decide not to give anyone any permission, you would use '000' (now nobody can access the file, not even you!). However, you can always change the permissions to give yourself read access, by entering 'chmod 400 file.txt'.

For more details on the 'chmod' command, please take a look at the man pages.

As we will see soon, the correct combination of user and group permissions will allow us to perform our work while keeping our data safe from the rest of the world.

For example in order for a user or group to enter a directory, they must have at least read (r) and execute (x) permissions on the directory, otherwise access to it is denied:

As seen here, user 'mailman' is trying to access the 'red-bulb' directory which belongs to user 'david' and group 'sys'. Mailman is not a member of the 'sys' group and therefore can't access it. At the same time the folder's permissions allow neither the group nor everyone to access it.

Now, what we did is alter the permission so 'everyone' has at least read and execute permissions so they are able to enter the folder - let's check it out:

Here we see the 'mailman' user successfully entering the 'red-bulb' directory because everyone has read (r) and execute (x) access to it!

The world of Linux permissions is pretty user friendly as long as you see from the right perspective :) Practice and reviewing the theory will certainly help you remember the most important information so you can perform your work without much trouble.

If you happen to forget something, you can always re-visit us - any time of the day!

Continuing on to our last page, we will provide you with a few links to some of the world's greatest Linux resources, covering Windows to Linux migration, various troubleshooting techniques, forums and much more that will surely be of help.

This completes our initial discussion on the Linux operating system. Visit our Finding More Information page to discover useful resources that will assist you in your Linux journey or visit our Linux section to access more technical articles on the Linux operating system.

Vi Editor

For example, if you want to edit a text file you can easily use one of the powerful GUI tools like Kate, Kwrite etc., which are all like notepad in Windows though much more powerful; they have features such as multiple file editing and syntax highlighting (if you open an HTML file it understands the HTML tags and highlights them for you). However, you can also use the very powerful vi editor.

When first confronted by vi most users are totally lost, you open a file in vi (e.g vi document1) and try to type, but nothing seems to happen.. the system just keeps beeping!

Well that's because vi functions in two modes, one is the command mode, where you can give vi commands such as open a file, exit, split the view, search and replace etc., and the other mode is the insert view where you actually type text!

Don't be put off by the fact that vi doesn't have a pretty GUI interface to go with it, this is an incredibly powerful text editor that would be well worth your time learning... once you're done with it you'll never want to use anything else!

Realising that most people would find vi hard to use straight off, there is a useful little walk-through tutorial that you can access by typing vimtutor at a command line. The tutorial opens vi with the tutorial in it, and you try out each of the commands and shortcuts in vi itself. It's very easy and makes navigating around vi a snap. Check it out.

•Grep

Another very useful Linux command is the grep command. This little baby searches for a string in any file. The grep command is frequently used in combination with other commands in order to search for a specific string. For example, if we wanted to check our web server's log file for a specific URL query or IP address, the 'grep' command would do this job just fine.

If, on the other hand, you want to find every occurence of 'hello world' in every .txt file you have, you would type grep "hello world" *.txt

You'll see some very common command structures later on that utilise 'grep'. At the same time, you can go ahead and check grep's man page by typing man grep , it has a whole lot of very powerful options.

PS - Process ID (PID) display

The ps command will show all the tasks you are currently running on the system, it's the equivalent of Windows Task Manager and you'll be happy to know that there are also GUI versions of 'ps'.

If you're logged in as root in your Linux system and type ps -aux , you'll see all processes running on the system by every user, however, for security purposes, users will only be able to see processes owned by them when typing the same command.

Again, man ps will provide you with a bundle of options available by the command.

•Kill

The 'kill' command is complementary to the 'ps' command as it will allow you to terminate a process revealed with the previous command. In cases where a process is not responding, you would use the following syntax to effectively kill it: kill -9 pid where 'pid' is the Process ID (PID) that 'ps' displays for each task.

In the above example, we ran a utility called 'bandwidth' twice which is shown as two different process IDs (7171 & 13344) using the ps command. We then attempted to kill one of them using the command kill -9 7171 . The next time we ran the 'ps', the system reported that a process that was started with the './bandwidth' command had been previously killed.

Another useful flag we can use with the 'kill' command is the -HUP. This neat flag won't kill the process but pause it and at the same time force it to reload its configuration. So, if you've got a service running and need to restart it because of changes made in its configuration file, then the -HUP flag will do just fine. Many people look at it as an alternative 'reload' command.

The complete syntax to make use of the flag is: kill -HUP pid where 'pid' is the process ID number you can obtain using the 'ps' command, just as we saw in the previous examples.

Chaining Commands, Redirecting Output, Piping

In Linux, you can chain groups of commands together with incredible ease, this is where the true power of the Linux command line exists, you use small tools, each of which does one little task and passes the output on to the next one.

For example, when you run the ps aux command, you might see a whole lot of output that you cannot read in one screen, so you can use the pipe symbol ( | ) to send the output of 'ps' to 'grep' which will search for a string in that output. This is known as 'piping' as it's similar to plumbing where you use a pipe to connect two things together.

Say you want to find the task 'antispam' : you can run ps aux | grep antispam . Ps 'pipes' its output to grep and it then searches for the string, showing you only the line with that text.

If you wanted ps to display one page at a time you can pipe the output of ps to either more or less . The advantage of less is that it allows you to scroll upwards as well. Try this: ps aux | less . Now you can use the cursors to scroll through the output, or use pageup, pagedown.

•Alias

The 'alias' command is very neat, it lets you make a shortcut keyword for another longer command. Say you don't always want to type ps aux | less, you can create an alias for it.. we'll call our alias command 'pl'. So you type  alias pl='ps aux | less' .

Now whenever you type pl , it will actually run ps aux | less - Neat, is'nt it?

You can view the aliases that are currently set by typing alias:

As you can see, there are quite a few aliases already listed for the 'root' account we are using. You'll be suprised to know that most Linux distributions automatically create a number of aliases by default - these are there to make your life as easy as possible and can be deleted anytime you wish.

Output Redirection

It's not uncommon to want to redirect the output of a command to a text file for further processing. In the good old DOS operating system, this was achieved by using the '>' operator. Even today, with the latest Windows operating systems, you would open a DOS command prompt and use the same method!

The good news is that Linux also supports these functions without much difference in the command line.

For example, if we wanted to store the listing of a directory into a file, we would type the following: ls > dirlist.txt:

As you can see, we've taken the output of 'ls' and redirected it to our file. Let's now take a look and see what has actually been stored in there by using the command cat dirlist.txt :

As expected, the dirlist.txt file contains the output of our previous command. So you might ask yourself 'what if I need to append the results?' - No problem here, as we've already got you covered.

When there's a need for appending files or results, as in DOS we simply use the double >> operator. By using the command it will append the new output to the file we have specified in the command line:

The above example clearly shows the content of our file named 'document2' which is then appended to the previously created file 'dirlist.txt'. With the use of the 'cat' command, we are able to examine its contents and make sure the new data has been appended.

Note:

By default, the single > will overwrite the file if it exists, so if you give the ls > dirlist.txt command again, it will overwrite the first dirlist.txt. However, if you specify >> it will add the new output below the previous output in the file. This is known as output redirection.

In Windows and DOS you can only run one command at a time, however, in Linux you can run many commands simultaneously. For example, let's say we want to see the directory list, then delete all files ending with .txt, then see the directory list again.

This is possible in Linux using one statement as follows : ls -l; rm -f *.txt; ls -l . Basically you separate each command using a semicolon, ';'. Linux then runs all three commands one after the other. This is also known as command chaining.

Background Processes

If you affix an ampersand '&' to the end of any command, it will run in the background and not disturb you, there is no equivalent for this in Windows and it is very useful because it lets you start a command in the background and run other tasks while waiting for that to complete.

The only thing you have to keep in mind is that you will not see the output from the command on your screen since it is in the background, but we can redirect the output to a file the way we did two paragraphs above.

For example, if you want to search through all the files in a directory for the word 'Bombadil', but you want this task to run in the background and not interrupt you, you can type this: grep "Bombadil" *.* >> results.txt& . Notice that we've added the ampersand '&' character to the end of the command, so it will now run in the background and place the results in the file results.txt . When you press enter, you'll see something like this :

$ grep "Bombadil" *.* >> results.txt&

[1] 1272

Our screen shot confirms this. We created a few new files that contained the string 'Bombadil' and then gave the command grep "Bombadil" *.* >> results.txt& . The system accepted our command and placed the process in the background using PID (Process ID) 14976. When we next gave the 'ls' command to see the listing of our directory we saw our new file 'results.txt' which, as expected, contained the files and lines where our string was found.

If you run a 'ps' while this is executing a very complex command that takes some time to complete, you'll see the command in the list. Remember that you can use all the modifiers in this section with any combination of Linux commands, that's what makes it so powerful. You can take lots of simple commands and chain, pipe, redirect them in such a way that they do something complicated!

Our next article covers Linux File & Folder Permissions, alternatively you can visit our Linux section for more linux related technical articles.

Most programs will come 'zipped' just like they do in Windows, in other words they pack all the files together into one file and compress it to a more manageable size. Depending on the zipping program used, the method of unzipping may vary, however, each program will have step by step instructions on how to unpack it.

Most of the time the 'tar' program will be used to unpack a package and unzipping the program is fairly straightforward. This is initiated by typing 'tar -zxvf file-to-unzip.tgz' where 'file-to-unzip.tgz' is the actual filename you wish to unzip. We will explain the four popular options we've used (zxvf) but you can read the 'tar man' page if you are stuck or need more information.

As mentioned, the 'tar' program is used to unpack a package we've downloaded and would like to install. Because most packages use 'tar' to create one file for easy downloads, gzip (Linux's equivalent to the Winzip program) is used to compress the tar file (.gz), reducing the size and making it easier to transfer. This also explains the reason most files have extensions such as '.tgz' or '.tar.gz'.

To make life easy, instead of giving two commands to decompress (unzip) and unpack the package, we provide tar with the -z option to automatically unzip to package and then proceed with unpacking it (-x). Here are the options in greater detail:

-z : Unzip tar package before unpacking it.

-x : Extract/Unpack the package

-v : Verbosely list files processed

-f : use archive file (filename provided)

Because the list of files was long, we've cut the bottom part to make it fit in our small window.

Once you have unzipped the program, go into its directory and look for a file called INSTALL, most programs will come with this file. It contains detailed instructions on how to install it, including the necessary commands to be typed, depending on the Linux distribution you have. After you've got that out of the way, you're ready to use the three magic commands that install 99% of all software in Linux :)

Open the program directory and type ./configure. [1st magic command]

You'll see a whole lot of output that you may not understand; this is when the software you're installing is automatically checking your system to analyze the options that will work best. Unlike the Windows world, where programs are made to work on a very general computer, Linux programs automatically customize themselves to fit your system.

Think of it as the difference between buying ready-made clothes and having tailor made clothes especially designed for you. This is one of the most important reasons why programs are in the 'source code' form in Linux.

In some cases, the ./configure command will not succeed and will produce errors that will not allow you to take the step and compile your program. In these cases, you must read the errors, fix any missing library files (most common causes) or problems and try again:

As you can see, we've run into a few problems while trying to configure this program on our lab machine, so we looked for a different program that would work for the purpose of this demonstration!

This ./configure finished without any errors, so the next step is to type make. [2nd magic command]

This simple command will magically convert the source code into a useable program... the best analogy of this process is that in the source code are all the ingredients in a recipe, if you understand programming, you can change the ingredients to make the dish better. Typing the make command takes the ingredients and cooks the whole meal for you! This process is known as 'compiling' the program

If make finishes successfully, you will want to put all the files into the right directories, for example, all the help files in the help files directory, all the configuration files in the /etc directory (covered in the pages that follow).

To perform this step, you have to log in as the superuser or 'root' account, if you don't know this password you can't do this.

Assuming you are logged in as root, type make install. [3rd magic command]

Lastly, once our program has been configured, compiled and installed in /usr/local/bin with the name of 'bwn-ng', we are left with a whole bunch of extra files that are no longer useful, these can be cleaned using the make clean command - but this, as you might have guessed, is not considered a magic command :)

 There, that's it!

Now here's the good news... that was the old hard way!

All the people involved with Linux realised that most people don't need to read the source code and change the program and don't want to compile programs, so they have a new way of distributing programs in what is known as 'rpm' (red hat package manager) format.

This is one single file of a pre-compiled program, you just have to double click the rpm file (in the Linux graphical interface - X) and it will install it on your system for you!

In the event that you find a program that is not compiling with 'make' you can search on the net (we recommend www.pbone.net ) for an rpm based on your Linux distribution and version. Installation then is simply one click away for the graphical X desktop, or one command away for the hardcore Linux enthusiasts!

Because the 'rpm' utility is quite complex with a lot of flags and options, we would highly recommend you read its 'man' page before attempting to use it to install a program.

One last note about rpm is that it will also check to see if there are any dependent programs or files that should or shouldn't be touched during an install or uninstall. By doing so, it is effectively protecting your operating system from accidentally overwriting or deleting a critical system file, causing a lot of problems later on!

For those looking for a challenge, our next article covers Advanced Linux Commands and explores commands most used with the administration of the Linux operating system. Alternatively you can visit our Linux section to get access to a variaty of Linux articles.

Most readers will be familiar with DOS in Windows and opening a DOS box. Well, let's put it this way.. comparing the power of the Linux command line with the power of the DOS prompt is like comparing a Ferrari with a bicycle!

People may tell you that the Linux command line is difficult and full of commands to remember, but it's the same thing in DOS and just remember - you can get by in Linux without ever opening a command line (just like you can do all your work in Windows without ever opening a DOS box !). However, the Linux command line is actually very easy, logical and once you have even the slightest ability and fluency with it, you'll be amazed as to how much faster you can do complicated tasks than you would be able to with the fancy point-and-click graphics and mouse interface.

To give you an example, imagine the number of steps it would take you in Windows to find a file that has the word "hello" at the end of a line, open that file, remove the first ten lines, sort all the other lines alphabetically and then print it. In Linux, you could achieve this with a single command! - Have we got your attention yet ?!

Though you might wonder what you could achieve by doing this - the point is that you can do incredibly complicated things by putting together small commands, exactly like using small building blocks to make a big structure.

We'll show you a few basic commands to move around the command line as well as their equivalents in Windows. We will first show you the commands in their basic form and then show you how you can see all the options to make them work in different ways.

The Basic Commands

As a rule, note that anything typed in 'single quotes and italics' is a valid Linux command to be typed at the command line, followed by Enter.

We will use this rule throughout all our tutorials to avoid confusion and mistakes. Do not type the quotes and remember that, unlike Windows, Linux is case sensitive, thus typing ‘Document' is different from typing 'document'.

•  ls - You must have used the 'dir' command on Windows... well this is like 'dir' command on steroids! If you type 'ls' and press enter you will see the files in that directory, there are many useful options to change the output. For example, 'ls -l' will display the files along with details such as permissions (who can access a file), the owner of the file(s), date & time of creation, etc. The 'ls' command is probably the one command you will use more than any other on Linux. In fact, on most Linux systems you can just type 'dir' and get away with it, but you will miss out on the powerful options of the 'ls' command.

•  cd - This is the same as the DOS command: it changes the directory you are working in. Suppose you are in the '/var/cache' directory and want to go to its subfolder 'samba' , you can type 'cd samba' just as you would if it were a DOS system.

Imagine you were at the '/var/cache' directory and you wanted to change to the '/etc/init.d' directory in one step, you could just type 'cd /etc/init.d' as shown above. On the other hand, if you just type 'cd' and press enter, it will automatically take you back to your personal home directory (this is very useful as all your files are usually stored there).

We also should point out that while Windows and DOS use the well known back-slash ' \ ' in the full path address, Linux differentiates by using the forward-slash ' / '. This explains why we use the command 'cd /etc/init.d' and not 'cd \etc\init.d' as most Windows users would expect.

•  pwd - This will show you the directory you are currently in, should you forget. It's almost like asking the operating system 'Where am I right now ?'. It will show you the 'present working directory'.

•  cp - This is the equivalent of the Windows 'copy' command. You use it to copy a file from one place to another. So if you want to copy a file called 'document' to another file called 'document1' , you would need to type 'cp document document1'. In other words, first the source, then the destination.

The 'cp' command will also allow you to provide the path to copy it to. For example, if you wanted to copy 'document' to the home directory of user1, you would then type 'cp document /home/user1/'. If you want to copy something to your home directory, you don't need to type the full path (example /home/yourusername), you can use the shortcut '~' (tilda), so to copy 'document' to your home directory, you can simply type 'copy document ~' .

•  rm - This is the same as the 'del' or 'delete' command in Windows. It will delete the files you input. So if you need to delete a file named 'document', you type 'rm document'. The system will ask if you are sure, so you get a second chance! If you typed 'rm –f' then you will force (-f) the system to execute the command without requiring confirmation, this is useful when you have to delete a large number of files.

In all Linux commands you can use the '*' wildcard that you use in Windows, so to delete all files ending with .txt in Windows you would type 'del *.txt' whereas in Linux you would type 'rm -f *.txt'. Remember, we used the '-f' flag because we don't want to be asked to confirm the deletion of each file.

To delete a folder, you have to give rm the '-r' (recursive) option; as you might have already guessed, you can combine options like this: 'rm -rf mydirectory'. This will delete the directory 'mydirectory' (and any subdirectories within it) and will not ask you twice. Combining options like this works for all Linux commands.

•mkdir / rmdir - These two commands are the equivalent of Windows' 'md' and 'rd', which allow you to create (md) or remove (rd) a directory. So if you type 'mkdir firewall', a directory will be created named 'firewall'. On the other hand, type 'rmdir firewall' and the newly created directory will be deleted. We should also note that the 'rmdir' command will only remove an empty directory, so you might be better off using 'rm -rf' as described above.

•mv - This is the same as the 'move' command on Windows. It works like the 'cp' or copy command, except that after the file is copied, the original source file is deleted. By the way, there is no rename command on Linux because technically moving and renaming a file is the same thing!

In this example, we recreated the 'firewall' directory we deleted previously and then tried renaming it to 'firewall-cx'. Lastly, the new directory was moved to the '/var' directory:

That should be enough to let you move around the command line or the 'shell', as it's known in the Linux community. You'll be pleased to know that there are many ways to open a shell window from the ‘X' graphical desktop, which can be called an xterm, or a terminal window.

•  cat / more / less - These commands are used to view files containing text or code. Each command will allow you to perform a special function that is not available with the others so, depending on your work, some might be used more frequently than others.

The 'cat' command will show you the contents of any file you select. This command is usually used in conjunction with other advanced commands such as 'grep' to look for a specific string inside a large file which we'll be looking at later on.

When issued, the 'cat' command will run through the file without pausing until it reaches the end, just like a file scanner that examines the contents of a file while at the same time showing the output on your screen:

In this example, we have a whopper 215kb text file containing the system's messages. We issued the 'cat messages' command and the file's content is immediately listed on our screen, only this went on for a minute until the 'cat' command reached the end of the file and then exited.

Not much use for this example, but keep in mind that we usually pipe the output to other commands in order to give us some usable results :)

'more' is used in a similar way, but will pause the screen when it has filled with text, in which case we need to hit the space bar or enter key to continue scrolling per page or line. The 'up' or 'down' arrow keys are of no use for this command and will not allow you to scroll through the file - it's pretty much a one way scrolling direction (from the beginning to the end) with the choice of scrolling per page (space bar) or line (enter key).

The 'less' command is an enhanced version of 'more', and certainly more useful. With the less command, you are able to scroll up or down a file's content. To scroll down per page, you can make use of the space bar, or CTRL-D. To scroll upwards towards the beginning of the file, use CTRL-U.

It is not possible for us to cover all the commands and their options because there are thousands! However, we will teach you the secret to using Linux -- that is, how to find the right tool (command) for a job, and how to find help on how to use it.

Can I Have Some Help Please?

To find help on a command, you type the command name followed by '--help'. For example, to get help on the 'mkdir' command, you will type 'mkdir --help'. But there is a much more powerful way...

For those who read our previous section, remember we told you that Linux stores all files according to their function? Well Linux stores the manuals (help files) for every program installed, and the best part is that you can look up the 'man pages' (manuals) very easily. All the manuals are in the same format and show you every possible option for a command.

To open the manual of a particular command, type 'man' followed by the command name, so to open the manual for 'mkdir' type 'man mkdir':

Interestingly, try getting help on the 'man' command itself by typing 'man man'. This is the most authoritative and comprehensive source of help for anything you have in Linux, and the best part is that every program will come with its manual! Isn't this so much better than trying to find a help file or readme.txt file :) ?

Here's another incredibly useful command -- if you know the task you want to perform, but don't know the command or program to use, use the 'apropos' command. This command will list all the programs on the system that are related to the task you want to perform. For example, say you want to send email but don't know the email program, you can type 'apropos email' and receive a list of all the commands and programs on the system that will handle email! There is no equivalent of this on Windows.

Searching for Files in Linux?

Another basic function of any operating system is knowing how to find or search for a missing or forgotten file, and if you have already asked yourself this question, you'll be pleased to find out the answer :)

The simplest way to find any file in Linux is to type 'locate' followed by the filename. So if you want to find a file called 'document' , you type 'locate document'. The locate command works using a database that is usually built when you are not using your Linux system, indexing all your files and directories to help you locate them.

You can use the more powerful 'find' command, but I would suggest you look at its 'man' page first by typing 'man find'. The 'find' command differs from the 'locate' command in that it does not use a database, but actually looks for the file(s) requested by scanning the whole directory or file system depending on where you execute the command.

Logically, the 'locate' command is much faster when looking for a file that has already been indexed in its database, but will fail to discover any new files that have just been installed since they haven't been indexed! This is where the 'find' command comes to the rescue!

Our next article covers  Installing Software on Linux, alternatively you can head back to our Linux Section.

A folder (also known as a directory) is nothing more than a container for different files so that you can organise them better. In Linux, the same concept holds true -- you have files, and you have folders in which you organise these files.

The difference is that Windows stores files in folders according to the program they belong to (in most cases), in other words, if you install a program in Windows, all associated files -- such as the .exe file that you run, the help files, configuration files, data files etc. go into the same folder. So if you install for example Winzip, all the files relating to it will go into one folder, usually c:\Program Files\Winzip.

In Linux however, files are stored based on the function they perform. In other words, all help files for all programs will go into one folder made just for help files, all the executable (.exe) files will go into one folder for executable programs, all programs configuration files will go into a folder meant for configuration files.

This layout has a few significant advantages as you always know where to look for a particular file. For example, if you want to find the configuration file for a program, you'll bound to find it in the actual program's installation directory.

With the Windows operating system, it's highly likely the configuration file will be placed in the installation directory or some other Windows system subfolder. In addition, registry entries is something you won't be able to keep track of without the aid of a registry tracking program - something that does not exist in the Linux world since there is no registry!

Of course in Linux everything is configurable to the smallest level, so if you choose to install a program and store all its files in one folder, you can, but you will just complicate your own life and miss out on the benefits of a file system that groups files by the function they perform rather than arbitrarily.

Linux uses an hierarchical file system, in other words there is no concept of 'drives' like c: or d:, everything starts from what is called the ‘/' directory (known as the root directory). This is the top most level of the file system and all folders are placed at some level from here. This is how it looks:

 As a result of files being stored according to their function on any Linux system, you will see many of the same folders.

These are 'standard' folders that have been pre-designated for a particular purpose. For example the 'bin' directory will store all executable programs (the equivalent of Windows ‘.exe ' files).

Remember also that in Windows you access directories using a backslash (eg c:\Program Files) whereas in Linux you use a forward slash (eg: /bin ).

In other words you are telling the system where the directory is in relation to the root or top level folder.

So to access the cdrom directory according to the diagram on the left you would use the path /mnt/cdrom.

To access the home directory of user 'sahir' you would use /home/sahir.

So it's now time to read a bit about each directory function to help us get a better understanding of the operating system:

• bin - This directory is used to store the system's executable files. Most users are able to access this directory as it does not usually contain system critical files.

• etc - This folder stores the configuration files for the majority of services and programs run on the machine. These configuration files are all plain text files that you can open and edit the configuration of a program instantly. Network services such as samba (Windows networking), dhcp, http (apache web server) and many more, rely on this directory! You should be careful with any changes you make here.

• home - This is the directory in which every user on the system has his own personal folder for his own personal files. Think of it as similar to the 'My Documents' folder in Windows. We've created one user on our test system by the name of 'sahir' - When Sahir logs into the system, he'll have full access to his home directory.

• var - This directory is for any file whose contents change regularly, such as system log files - these are stored in /var/log. Temporary files that are created are stored in the directory /var/tmp.

• usr - This is used to store any files that are common to all users on the system. For example, if you have a collection of programs you want all users to access, you can put them in the directory /usr/bin. If you have a lot of wallpapers you want to share, they can go in /usr/wallpaper. You can create directories as you like.

• root - This can be confusing as we have a top level directory ‘/' which is also called ‘the root folder'.

The 'root' (/root) directory is like the 'My Documents' folder for a very special user on the system - the system's Administrator, equivalent to Windows 'Administrator' user account.

This account has access to any file on the system and can change any setting freely. Thus it is a very powerful account and should be used carefully. As a good practice, even if you are the system Administrator, you should not log in using the root account unless you have to make some configuration changes.

It is a better idea to create a 'normal' user account for your day-to-day tasks since the 'root' account is the account for which hackers always try to get the password on Linux systems because it gives them unlimited powers on the system. You can tell if you are logged in as the root account because your command prompt will have a hash '#' symbol in front, while other users normally have a dollar '$' symbol.

• mnt - We already told you that there are no concepts of 'drives' in Linux. So where do your other hard-disks (if you have any) as well as floppy and cdrom drives show up?

Well, they have to be 'mounted' or loaded for the system to see them. This directory is a good place to store all the 'mounted' devices. Taking a quick look at our diagram above, you can see we have mounted a cdrom device so it is showing in the /mnt directory. You can access the files on the cdrom by just going to this directory!

• dev - Every system has its devices, and the Linux O/S is no exeption to this! All your systems devices such as com ports, parallel ports and other devices all exist in /dev directory as files and directories! You'll hardly be required to deal with this directory, however you should be aware of what it contains.

• proc - Think of the /proc directory as a deluxe version of the Windows Task Manager. The /proc directoy holds all the information about your system's processes and resources. Here again, everything exists as a file and directory, something that should't surprise you by now!

By examining the appropriate files, you can see how much memory is being used, how many tcp/ip sessions are active on your system, get information about your CPU usage and much more. All programs displaying information about your system use this directory as their source of information!

• sbin - The /sbin directory's role is that similar to the /bin directory we covered earlier, but with the difference its only accessible by the 'root' user. Reason for this restriction as you might have already guessed are the sensitive applications it holds, which generally are used for the system's configuration and various other important services. Consider it an equivelant to the Windows Administration tools folder and you'll get the idea.

Lastly, if you've used a Linux system, you'll have noticed that not many files have an extension - that is, the three letters after the dot, as found in Windows and DOS: file1.txt , winword.exe , letter.doc.

While you can name your files with extensions, Linux doesn't really care about the 'type' of file. There are very quick ways to instantly check the type of file anything is. You can even make just about any file in Linux an executable or .exe file at whim!

Linux is smart enough to recognise the purpose of a file so you don't need to remember the meaning of different extensions.

You have now covered the biggest hurdle faced by new Linux users. Once you get used to the file system you'll find it is a very well organised system that makes storing files a very logical process. There is a system and, as long as you follow it, you'll find most of your tasks are much simpler than other operating system tasks. Our next article, The Linux Command Line explores the Linux command, commands, options and much more. Alternativerly you can head back to our Linux section to find more technical articles covering the Linux operating system.

Of course, if you don't agree, our forums have a dedicated Linux section where we would happily discuss it with you!

Reasons for using Linux ....

While we could list a billion technical reasons, we will focus on those that we believe will affect you most:

•Linux is free. That's right - if you never knew it, the Linux operating system is free of charge. No user or server licenses are required*! If, however, you walk into an IT shop or bookstore, you will find various Linux distributions on the shelf available for purchase, that cost is purely to cover the packaging and possible support available for the distribution.

* We must note that the newer 'Advanced Linux Servers', now available from companies such as Redhat, actually charge a license fee because of the support and update services they provide for the operating system. In our opinion, these services are rightly charged since they are aimed at businesses that will use their operating system in critical environments where downtime and immediate support is non-negotiable.

•Linux is developed by hundreds of thousands of people worldwide. Because of this community development mode there are very fresh ideas going into the operating system and many more people to find glitches and bugs in the software than any commercial company could ever afford (yes, Microsoft included).

•Linux is rock solid and stable, unlike Windows, where just after you've typed a huge document it suddenly crashes, making you loose all your work!

Runtime errors and crashes are quite rare on the Linux operating system due to the way its kernel is designed and the way processes are allowed to access it. No one can guarantee that your Linux desktop or server will not crash at all, because that would be a bit extreme, however, we can say that it happens a lot less frequently in comparison with other operating systems such as Windows.

For the fanatics of the 'blue screen of death' - you'll be disappointed to find out there is no such thing in the world of Linux. However, not all is lost as there have been some really good 'blue screen of death' screen savers out for the Linux graphical X Windows system.

You could also say that evidence of the operating system's stability is the fact that it's the most widely used operating system for running important services in public or private sectors. Worldwide statistics show that the number of Linux web servers outweigh by far all other competitors:

Today, netcraft reports that for the month of June 2005, out of a total of 64,808,485 Web servers, 45,172,895 are powered by Apache while only 13,131,043 use Microsoft's IIS Web server!

•Linux is much more secure than Windows, there are almost no viruses for Linux and, because there are so many people working on Linux, whenever a bug is found, a fix is provided much more quickly than with Windows. Linux is much more difficult for hackers to break into as it has been designed from the ground up with security in mind.

•Linux uses less system resources than Windows. You don't need the latest, fastest computer to run Linux. In fact you can run a functional version of Linux from a floppy disk with a computer that is 5-6 years old! At this point, we can also mention that one of our lab firewalls still runs on a K6-266 -3DNow! processor with 512 MB Ram! Of course - no graphical interfaces are loaded as we only work on in CLI mode!

•Linux has been designed to put power into the hands of the user so that you have total control of the operating system and not the other way around. A person who knows how to use Linux has the computer far more 'by the horns' than any Windows user ever has.

•Linux is fully compatible with all other systems. Unlike Microsoft Windows, which is at its happiest when talking to other Microsoft products, Linux is not 'owned' by any company and thus it keeps its compatibility with all other systems. The simplest example of this is that a Windows computer cannot read files from a hard-disk with the Linux file system on it (ext2 & ext3), but Linux will happily read files from a hard-disk with the Windows file system (fat, fat32 or ntfs file system), or for that matter any other operating system.

Now that we've covered some of the benefits of using Linux, let's start actually focusing on the best way to ease your migration from the Microsoft world to the Linux world, or in case you already have a Linux server running - start unleashing its full potential!

The first thing we will go over is the way Linux deals with files and folders on the hard-disk as this is completely different to the way things are done in Windows and is usually one of the challenges faced by Linux newbies.