Tuesday, 25 October 2011

This time we'll talk a little about the OpenSSH server, scp, system monitoring using /var/log, and network monitoring using darkstat, iptraf and netstat.
OpenSSH server
OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of tools for remotely controlling a computer or transferring files between computers. Traditional tools used to accomplish these functions, such as telnet or rcp, are insecure and transmit the user's password in cleartext when used. OpenSSH provides a server daemon and client tools to facilitate secure, encrypted remote control and file transfer operations, effectively replacing the legacy tools.
The OpenSSH server component, sshd, listens continuously for client connections from any of the client tools. When a connection request occurs, sshd sets up the correct connection depending on the type of client tool connecting. For example, if the remote computer is connecting with the ssh client application, the OpenSSH server sets up a remote control session after authentication. If a remote user connects to an OpenSSH server with scp, the OpenSSH server daemon initiates a secure copy of files between the server and client after authentication. OpenSSH can use many authentication methods, including plain password, public key, and Kerberos tickets. 
SCP
Secure Copy or SCP is a means of securely transferring computer files between a local and a remote host or between two remote hosts. It is based on the Secure Shell (SSH) protocol.
SCP uses Secure Shell (SSH) for data transfer and utilizes the same mechanisms for authentication, thereby ensuring the authenticity and confidentiality of the data in transit. A client can send (upload) files to a server, optionally including their basic attributes (permissions, timestamps). Clients can also request files or directories from a server (download). SCP runs over TCP port 22 by default. Like RCP, there is no RFC that defines the specifics of the protocol.
Normally, a client initiates an SSH connection to the remote host, and requests an SCP process to be started on the remote server. The remote SCP process can operate in one of two modes: source mode, which reads files (usually from disk) and sends them back to the client, or sink mode, which accepts the files sent by the client and writes them (usually to disk) on the remote host. For most SCP clients, source mode is generally triggered with the -f flag (from), while sink mode is triggered with -t (to). These flags are used internally and not documented outside the scp source code.
System Monitoring Using /var/log
Almost all log files are located under the /var/log directory (and its subdirectories). You can change to this directory using the cd command, but you need to be the root user. You can use the less, more, cat or tail command to view the logs.
Go to the /var/log directory:
# cd /var/log
View the common log file /var/log/messages using any one of the following commands:
# tail -f /var/log/messages
# less /var/log/messages
# more -f /var/log/messages
# vi /var/log/messages
Output:
Jul 17 22:04:25 router  dnsprobe[276]: dns query failed
Jul 17 22:04:29 router last message repeated 2 times
Jul 17 22:04:29 router  dnsprobe[276]: Primary DNS server Is Down... Switching To Secondary DNS server
Jul 17 22:05:08 router  dnsprobe[276]: Switching Back To Primary DNS server
Jul 17 22:26:11 debian -- MARK --
Jul 17 22:46:11 debian -- MARK --
Jul 17 22:47:36 router  -- MARK --
Jul 17 22:47:36 router  dnsprobe[276]: dns query failed
Jul 17 22:47:38  debian kernel: rtc: lost some interrupts at 1024Hz.
Jun 17 22:47:39  debian kernel: IN=eth0 OUT= MAC=00:0f:ea:91:04:07:00:08:5c:00:00:01:08:00 SRC=61.4.218.24 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=21599 DF PROTO=TCP SPT=59297 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Common Linux log files name and usage
  • /var/log/messages: General messages and system related stuff
  • /var/log/auth.log: Authentication logs
  • /var/log/kern.log: Kernel logs
  • /var/log/cron.log: Crond logs (cron job)
  • /var/log/maillog: Mail server logs
  • /var/log/qmail/ : Qmail log directory (more files inside this directory)
  • /var/log/httpd/: Apache access and error logs directory
  • /var/log/lighttpd: Lighttpd access and error logs directory
  • /var/log/boot.log : System boot log
  • /var/log/mysqld.log: MySQL database server log file
  • /var/log/secure: Authentication log
  • /var/log/utmp or /var/log/wtmp : Login records file
  • /var/log/yum.log: Yum log files
In short, /var/log is the location where you should find all Linux log files. However, some applications such as httpd have their own directory within /var/log/ for their log files. You can rotate log files using the logrotate software and monitor log files using the logwatch software.
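To turn the /var/log/messages excerpt above into something actionable, here is an added example in POSIX shell (it is not part of the original post): it reads kernel/iptables LOG lines of the kind shown in the excerpt (the line with DPT=22 and the SYN flag), counts new inbound connection attempts per source address and destination port, and raises an alert when a single source exceeds a chosen threshold of SYNs to port 22. The log lines embedded in the script are constructed for this example, and the function names syn_by_source and ssh_syn_alert are my own.

```shell
#!/bin/sh
# Added example, not from the original post: triage kernel/iptables LOG
# lines found in /var/log/messages. syn_by_source counts new inbound
# connection attempts (TCP SYN) per source address and destination port;
# ssh_syn_alert flags any source that sent more than a chosen number of
# SYNs to port 22. The log lines below are CONSTRUCTED for this example.

SAMPLE_LOG='Jul 17 22:47:39 debian kernel: IN=eth0 OUT= MAC=00:0f:ea:91:04:07:00:08:5c:00:00:01:08:00 SRC=61.4.218.24 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=21599 DF PROTO=TCP SPT=59297 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 17 22:47:41 debian kernel: IN=eth0 OUT= MAC=00:0f:ea:91:04:07:00:08:5c:00:00:01:08:00 SRC=61.4.218.24 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=21600 DF PROTO=TCP SPT=59298 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 17 22:47:50 debian kernel: IN=eth0 OUT= MAC=00:0f:ea:91:04:07:00:08:5c:00:00:01:08:00 SRC=203.0.113.9 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=11 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 17 22:48:02 debian kernel: IN=eth0 OUT= MAC=00:0f:ea:91:04:07:00:08:5c:00:00:01:08:00 SRC=61.4.218.24 DST=192.168.1.100 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=21601 DF PROTO=TCP SPT=59297 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
Jul 17 22:48:10 debian kernel: rtc: lost some interrupts at 1024Hz.'

# syn_by_source: read log text on stdin and print "<count> <src> <dport>"
# for every kernel line carrying PROTO=TCP and the SYN flag (a new inbound
# connection attempt), most frequent first. Non-firewall kernel lines and
# packets without SYN (e.g. the ACK of an established session) are skipped.
syn_by_source() {
    awk '
        /kernel:/ && / PROTO=TCP / && / SYN / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") hits[src " " dpt]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# ssh_syn_alert LIMIT: print every source that sent more than LIMIT SYNs to
# port 22 and exit 0; exit 1 when nothing crosses the threshold.
ssh_syn_alert() {
    syn_by_source | awk -v limit="$1" '
        $3 == 22 && $1 > limit {
            print "alert:", $2, "sent", $1, "SYNs to port 22"
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Demo on the constructed sample. On a live system (as root) you would run:
#   syn_by_source  < /var/log/messages
#   ssh_syn_alert 20 < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | syn_by_source
```

The threshold is deliberately a parameter: what counts as noise on a busy bastion host is an incident on a lab VM, so tune it per machine rather than hard-coding it.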
Network monitoring
The term network monitoring describes the use of a system that constantly monitors a computer network for slow or failing components and that notifies the network administrator (via email, pager or other alarms) in case of outages. It is a subset of the functions involved in network management.
While an intrusion detection system monitors a network for threats from the outside, a network monitoring system monitors the network for problems caused by overloaded and/or crashed servers, network connections or other devices.
For example, to determine the status of a webserver, monitoring software may periodically send an HTTP request to fetch a page. For email servers, a test message might be sent through SMTP and retrieved by IMAP or POP3.
Commonly measured metrics are response time, availability and uptime, although both consistency and reliability metrics are starting to gain popularity. The widespread addition of WAN optimization devices is having an adverse effect on most network monitoring tools -- especially when it comes to measuring accurate end-to-end response time because they limit round trip visibility.
Status request failures - such as when a connection cannot be established, it times out, or the document or message cannot be retrieved - usually produce an action from the monitoring system. These actions vary -- an alarm may be sent (via SMS, email, etc.) to the resident sysadmin, automatic failover systems may be activated to remove the troubled server from duty until it can be repaired, etc.
Darkstat
Darkstat is a packet sniffer that runs as a background process on a cable/DSL router, gathers all sorts of statistics about network usage, and serves them over HTTP.
The author of the program, Emil Mikulic, used "ntop" for a long time, but was dissatisfied with its stability problems and its poor memory behaviour. For this reason he developed "darkstat".

Installation:
openSUSE users can use the "1-click" installer to install darkstat.

Ubuntu / debian: $ sudo apt-get install darkstat

To start darkstat:
# darkstat -i eth0
where "eth0" is the interface whose incoming and outgoing traffic you want to monitor; change it to match your system.

Now darkstat starts sniffing in the background and serves a simple web interface at http://localhost:667, or, if you are browsing from a different machine, at http://<server-ip>:667 (example: http://192.168.1.1:667).

On the "hosts" tab you can see all the machines taking part in the communication, sorted either by the traffic they generated or by their IP address. This makes it very quick to spot the machines producing the most traffic on the local network, so the responsible system administrator has a chance to get to the bottom of a problem.

IPTraf
IPTraf is a very useful ncurses-based application that shows the traffic passing through your machine.
On startup, you can immediately see all network traffic on your machine by choosing "IP traffic monitor." The configuration menu enables you to change the logging interval (under Timers) or add monitoring of ports above 1023, as these aren't monitored by default. You can also turn on DNS lookups and service name lookups to get names rather than numbers.
One of the best points of iptraf is its flexible traffic-filtering options. In the Add Filters screen, the left-hand set of filters is for the source address and the right-hand set for the destination. A value of 0.0.0.0 for both IP address and netmask translates to "all hosts." The I/E setting at the bottom controls whether matching data is included or excluded.
An important point is that iptraf interprets filters to mean "include/exclude this data, and show nothing else." For including data, this works fine. But if you exclude a particular set of data, that data won't be shown; nor will any other data. You must add a second filter, which has both sets of address and mask as 0.0.0.0, and that has "Y" by all the protocols, to show the rest of the traffic. Filters are applied in order, so this general filter must be the last in the chain.
After you've defined the filter, you need to use the "Apply filter" option from the Filters - IP menu, before using the display again to examine the data you want.
Netstat
netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Unix-like, and Windows NT-based operating systems.
It is used for finding problems in the network and to determine the amount of traffic on the network as a performance measurement.
Netstat provides statistics for the following:
  • Proto - The name of the protocol (TCP or UDP).
  • Local Address - The IP address of the local computer and the port number being used. The name of the local computer that corresponds to the IP address and the name of the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).
  • Foreign Address - The IP address and port number of the remote computer to which the socket is connected. The names that correspond to the IP address and the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).
  • State - Indicates the state of a TCP connection. The possible states are as follows: CLOSE_WAIT, CLOSED, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, LISTEN, SYN_RECEIVED, SYN_SEND, and TIME_WAIT. For more information about the states of a TCP connection
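An added example in POSIX shell (not from the original post) that puts the Proto, Local Address and State columns described above to use: listening_ports reduces "netstat -tuln" output to protocol, bind address and port, and unexpected_listeners compares that against an allow-list of ports you expect to be open, distinguishing loopback-only sockets from ones exposed on the network. The netstat listing embedded in the script is constructed sample output, and the two function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit listening sockets from
# "netstat -tuln" style output against an allow-list of expected ports.
# The listing below is CONSTRUCTED to look like a typical Linux netstat run.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:667             0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# listening_ports: read netstat -tuln output on stdin and print
# "<proto> <bind-address> <port>" for every listening socket: TCP rows in
# the LISTEN state, and every UDP row (UDP has no State column).
listening_ports() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" || $1 ~ /^udp/ {
            addr = $4
            n = split(addr, parts, ":")   # the port follows the last colon
            port = parts[n]               # (works for IPv6 ":::80" as well)
            bind = substr(addr, 1, length(addr) - length(port) - 1)
            print $1, bind, port
        }
    '
}

# unexpected_listeners "PORT PORT ...": print each listener whose port is
# not in the space-separated allow-list, prefixed with "local" when it is
# bound to loopback only (not reachable from the network) or "exposed"
# otherwise. Exit 1 if anything unexpected was found, 0 if the host is clean.
unexpected_listeners() {
    listening_ports | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($3 in ok) {
            scope = ($2 == "127.0.0.1" || $2 == "::1") ? "local" : "exposed"
            print scope, $1, $2 ":" $3
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Demo on the constructed listing. On a live system you would run:
#   netstat -tuln | unexpected_listeners "22 80"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 80 68" \
    || echo "review the listeners above"
```

With the allow-list "22 80 68" the sample flags the darkstat web interface on port 667 as exposed and the MySQL socket on 127.0.0.1:3306 as local; the latter is a much smaller concern, which is why the script keeps the two cases apart rather than reporting a flat list.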



Tuesday, 4 October 2011


Installing System

Now we will install the system virtually. We will use Ubuntu Server, installed in VirtualBox. Before Ubuntu Server can be installed onto a new VirtualBox guest, the Ubuntu Server ISO image must be added to the virtual media list in VirtualBox:
  1. From the File menu, select Virtual Media Manager... (Ctrl+D)
  2. Select the CD/DVD Images tab
  3. Select Add (Ins)
  4. Browse for and select your recently downloaded Ubuntu Server ISO image.

Create a new machine

VirtualBox is now ready to go. Creating a basic Virtual Machine is easy, and for the purposes of this example, most of the options can remain at their default values:
  1. Click the New icon, or from the Machine menu, select New (Ctrl+N)
  2. Follow the wizard. Give your VM a name, and be sure to set the Operating System to Linux and the Version to Ubuntu.
Change the memory and disk size if you wish, but the default values will probably be okay for simple experimentation purposes.

Attach the CD/DVD drive to the ISO image

At this stage, the VM has a blank disk. The Ubuntu Server ISO image must be attached to its CD/DVD drive so that the VM can boot from it:
  1. Select the new VM from the left-hand panel.
  2. Click the Settings icon, or from the Machine menu, select Settings... (Ctrl+S)
  3. Select Storage from the left-hand panel.
  4. Select the empty CD/DVD drive from the Storage Tree.
  5. Select the Ubuntu Server ISO image from the CD/DVD list to the right.


Configure the Network Adaptor

The default virtual network setting for new VMs in VirtualBox is to use network address translation (NAT). In this configuration, the network adaptor shares the IP address and MAC address of the host system. This works for simple networking tasks, but can limit connectivity. I prefer to set the network adaptor to bridged mode, where each VM communicates directly with the network interface card (NIC) on the host system, but appears as a separate client on the network.
If you have a DHCP server available, you can use the MAC address in the `Advanced` section of the network settings to assign a fixed address to the VM network adapter.
  1. Select the new VM from the left-hand panel.
  2. Click the Settings icon, or from the Machine menu, select Settings... (Ctrl+S)
  3. Select Network from the left-hand panel.
  4. In the tab for Adapter 1, set Attached to to Bridged Adapter.
  5. If you have multiple NICs in your host computer, select an appropriate adapter from the Name dropdown list.

Install Ubuntu Server

Everything should now be in place to install Ubuntu Server.
  1. Ensure that your new VM is selected, then click Start, or from the Machine menu, select Start.
  2. If you’ve not used VirtualBox before, be sure to read any information dialogues that appear — they might save you some frustration later.
  3. The Ubuntu Server installation should now begin.
  4. Select the desired language from the list.
  5. Select Install Ubuntu Server.
  6. Follow the wizard.
Here are screen shots showing the settings that I change from the default. Note that I don’t install any software from the Software selection page.
At the end of the installation, the ISO image should be detached from the CD/DVD drive prior to rebooting. See the next section for details.


Detach the ISO image from the CD/DVD drive

When this point is reached, it’s time to detach the ISO image. See the next steps for details.
  1. From the Devices menu on your current VM window, select CD/DVD Devices, and un-check the Ubuntu Server ISO image.
  2. Select Continue on the Ubuntu Server installation screen.
The VM will reboot, and if all has gone well, after a few seconds the login prompt will appear. Log in using the authentication details created during the setup process.

Networking

If the VirtualBox guest OS has access to DHCP, then networking should already be configured. If not, a static IP address will have to be assigned. For a good explanation of Ubuntu Server network configuration, see the Static IP Address Assignment section of the Ubuntu Server Guide Network Configuration document.

Update Ubuntu

Unless you have good reason not to, always install the latest patches and security updates:
sudo apt-get update
sudo apt-get upgrade

Install SSH

If you want to access your server from a terminal, or copy files to or from the server using scp or rsync, then installing SSH will make this simpler. Accessing the server from a terminal also makes it easier to copy and paste text to or from your server.
sudo apt-get install ssh
The following steps are to be carried out on the computer from which you would like to have remote access to the VM — probably the same computer that is running VirtualBox OSE:
Open a terminal. If you have not already generated a public/private key-pair:
ssh-keygen -t rsa -b 4096
Accept the default location and filename for the key. Entering a passphrase is optional. It’s more secure if you do, but also more awkward to use, as the passphrase will be requested upon each connection.
The choice depends on your situation, and there’s plenty of information available elsewhere to help you decide. If you are just running the VM on your own desktop for testing purposes, it’s likely that a passphrase will not be worthwhile.
Copy the public key to the VM (replace username and IP address as appropriate):
ssh-copy-id mike@192.168.1.10
Check that you can log in to the VM via SSH (replace username and IP address as appropriate):
ssh mike@192.168.1.10
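As an added example (not from the original post) of what ssh-copy-id does on the VM side, the following POSIX shell script installs a public key into ~/.ssh/authorized_keys by hand: it creates the directory with mode 700 and the file with mode 600 (sshd's default StrictModes setting ignores an authorized_keys file that is group- or world-writable), and it appends a key only if that exact line is not already present, so running it twice does not produce duplicates. The key strings in the script are constructed placeholders, not real keys, and the function names install_pubkey, count_keys and key_perms are my own.

```shell
#!/bin/sh
# Added example, not from the original post: the server-side effect of
# ssh-copy-id, done by hand so the result can be inspected and checked.
# The key below is a CONSTRUCTED placeholder, not a real public key; on a
# real system you would pass the contents of ~/.ssh/id_rsa.pub.

DEMO_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_EXAMPLE_KEY_DATA_NOT_REAL mike@desktop'

# install_pubkey HOME_DIR PUBKEY_LINE: add one public key to
# HOME_DIR/.ssh/authorized_keys, enforcing the permissions sshd expects
# (directory 700, file 600) and never adding the same key twice.
install_pubkey() {
    home=$1
    key=$2
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -f "$authfile" ] || : > "$authfile"
    chmod 600 "$authfile"          # re-applied every run, in case it drifted

    # Append only when this exact line is absent (-x whole line, -F literal).
    if ! grep -qxF -- "$key" "$authfile"; then
        printf '%s\n' "$key" >> "$authfile"
    fi
}

# count_keys HOME_DIR: number of key lines (ignores comments and blank lines).
count_keys() {
    grep -cv -e '^#' -e '^[[:space:]]*$' "$1/.ssh/authorized_keys" || true
}

# key_perms HOME_DIR: print "<dir-mode> <file-mode>" in octal, e.g. "700 600".
key_perms() {
    printf '%s %s\n' "$(stat -c '%a' "$1/.ssh")" \
                     "$(stat -c '%a' "$1/.ssh/authorized_keys")"
}

# Demo on a throwaway home directory; the second call must not duplicate.
demo=$(mktemp -d)
install_pubkey "$demo" "$DEMO_KEY"
install_pubkey "$demo" "$DEMO_KEY"
echo "keys installed: $(count_keys "$demo"), permissions: $(key_perms "$demo")"
rm -rf "$demo"
```

Once the key login in the last step above works, the usual follow-up on the VM is to set PasswordAuthentication no in /etc/ssh/sshd_config and restart sshd, so that the only way in is a key you installed this way; do that only after confirming the key works, or you lock yourself out.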