Thursday, December 30, 2010

Linux: the differences between JDK 1.4 and JDK 1.6, resolved by example

On Linux, with JDK 1.6, I wrote a program, compiled it and packaged it, and everything was fine. Copied to Windows, also with JDK 1.6, it complained about an incompatible class file type ("illegal magic number"). Recompiling on Linux with the classic JDK 1.4.2 turned up the following two differences:

1. In 1.4.2, `assert` is a keyword, but the form `assert booleanExpression : String` that works in 1.6 cannot be used. Compiling under 1.4.2 gives the warning "as of release 1.4, assert is a keyword, and may not be used as an identifier", followed by errors about missing semicolons (the compiler is in fact treating `assert` as an identifier and reporting errors on that basis).

2. In 1.4.2, `clone()` cannot be overridden with a covariant return type, as in `public NewClass clone() { ... return NewClass; }`. This is allowed in 1.6 and is convenient. In 1.4.2 only `public Object clone() { ... return ...; }` is possible, followed by any number of type casts at the call sites.

Linux administrator's manual (5): boot and shutdown

This section explains what happens when a Linux system boots and shuts down, and how it should be done correctly; if the correct procedure is not followed, files may be corrupted or lost.

Overview of boot and shutdown

The act of turning on a computer and causing its operating system to be loaded is called booting. The name comes from an image of the computer pulling itself up from its bootstraps, but the act itself is slightly more realistic.

During bootstrapping, the computer first loads a small piece of code called the bootstrap loader, which in turn loads and starts the operating system. The bootstrap loader is usually stored at a fixed location on a hard disk or a floppy. The reason for this two-step process is that the operating system is big and complicated, while the first piece of code the computer loads must be very small (a few hundred bytes), so as not to complicate the firmware unnecessarily.

Different computers bootstrap differently. For PCs, the computer (its BIOS) reads the first sector (called the boot sector) of a floppy or hard disk. The bootstrap loader contained in this sector knows where on the disk to find the rest of the operating system, and loads it.

After Linux is loaded, it initializes the hardware and device drivers, and then runs init. init starts other processes so that users can log in and do other things; the details are discussed below.

To shut down a Linux system, all processes are first told to terminate (this allows them to close all files and do whatever else is needed to end cleanly), then the filesystems and swap areas are unmounted, and finally a message is printed to the console saying that the power can be turned off. If the correct procedure is not followed, terrible things can happen. Most importantly, the filesystem buffer cache may not be written back, which means all the data in it is lost and the filesystem on disk is inconsistent and possibly unusable.

A closer look at the boot process

Linux can be booted either from a floppy or from the hard disk. The installation section ([Wel]) tells you how to install Linux so that it boots the way you want.
When a PC boots, the BIOS performs some tests to check that everything looks all right, and then starts the actual boot. It selects a disk (usually the first floppy drive if a floppy is inserted, otherwise the first hard disk if one is installed; the order may be configurable) and reads its very first sector. This is called the boot sector; on a hard disk it is also called the master boot record, since a hard disk can contain several partitions, each with its own boot sector.

The boot sector contains a small program (small enough to fit in one sector) whose job is to read the real operating system from the disk and start it. When booting Linux from a floppy, the boot sector contains code that simply reads the first few hundred blocks (depending on the kernel size, of course) into a predetermined place in memory. A Linux boot floppy has no filesystem; the kernel is stored in consecutive sectors, because this simplifies the boot process. It is of course also possible to boot from a floppy with a filesystem, by using LILO (the LInux LOader).

When booting from the hard disk, the code in the master boot record examines the partition table (also in the master boot record sector), identifies the active partition (the one marked bootable), reads the boot sector of that partition, and starts the code in it. The partition's boot sector code does the same as a floppy's: it reads the kernel from the partition and starts it. The details differ, however, since it is generally not useful to have a separate partition just for the kernel image, so the partition boot sector code cannot simply read the disk sequentially; it has to locate the sectors wherever the filesystem has put them. There are several ways around this problem, but the most common is to use LILO. (The details of how this is done are irrelevant here; see the LILO documentation for more information, it is very thorough.) When booting with LILO, it will normally read in and boot the default kernel right away.
LILO can also be configured to boot one of several kernels, or even other operating systems, and to let the user choose which kernel or system to boot at boot time. LILO can be set up so that if someone holds down the alt, shift or ctrl key at boot time (when LILO starts), it does not boot the default immediately but asks which one to boot; alternatively, LILO can be set to always ask, with a timeout after which it boots the default kernel.

META: there are boot loaders other than LILO, such as loadlin; information about them will be in the next version.

Booting from a floppy and from the hard disk each have advantages, but booting from the hard disk is usually nicer, because it avoids fiddling with floppies and is faster. However, setting up the hard disk to boot may be more troublesome, so many people first boot from a floppy and then, when everything works well, install LILO and boot from the hard disk.

Once the Linux kernel has been read into memory, it really starts. In summary:

The Linux kernel is installed compressed, so it first has to uncompress itself; the beginning of the kernel image contains a small program that does this.

If you have a super-VGA card that Linux recognizes and that supports some special text modes (such as 100 columns by 40 rows), Linux asks which mode you want to use. A video mode can be preset when compiling the kernel so that this is never asked; it can also be set with LILO or rdev.

The kernel then checks what other hardware there is (hard disks, floppies, network cards, ...) and configures the appropriate device drivers, printing messages about its findings as it goes. For example, when I boot, I see something like this:

```
LILO boot:
Loading linux.
Console: colour EGA+ 80x25, 8 virtual consoles
Serial driver version 3.94 with no serial options enabled
tty00 at 0x03f8 (irq = 4) is a 16450
tty01 at 0x02f8 (irq = 3) is a 16450
lp_init: lp1 exists (0), using polling driver
Memory: 7332k/8192k available (300k kernel code, 384k reserved, 176k data)
Floppy drive(s): fd0 is 1.44M, fd1 is 1.2M
Loopback device init
Warning WD8013 board not found at i/o = 280.
Math coprocessor using irq13 error reporting.
Partition check:
  hda: hda1 hda2 hda3
VFS: Mounted root (ext filesystem).
Linux version 0.99.pl9-1 (root@haven) 05/01/93 14:12:20
```

The exact text differs between systems, depending on the hardware, the Linux version and its configuration.

The kernel then tries to mount the root filesystem. Its location can be set at compile time, or at any time with rdev or LILO. The filesystem type is detected automatically. If mounting the root filesystem fails, for example because you forgot to include the corresponding filesystem driver in the kernel, the kernel panics and halts the system (there is nothing else it can do at this point).

The root filesystem is usually mounted read-only (this is configurable in the same way as the location). This makes it possible to check the filesystem while it is mounted; checking a filesystem that is mounted read-write is not a good idea.

Then the kernel starts the program init (located at /sbin/init) in the background (its process number is always 1). init does various startup chores; exactly what it does depends on its configuration, see the chapter on init for more information. At the least it starts some essential background daemons.

init then switches to multi-user mode and starts getty on the virtual consoles and serial lines. getty is the program that lets users log in through the virtual consoles and serial terminals. init may also start other programs, depending on its configuration.

At this point the boot is complete and the system is up and running.

Shutting down

It is very important to follow the correct procedure when shutting down a Linux system. Otherwise the filesystems may become trashed and the files scrambled.
This is because Linux uses a disk cache: data is not written to disk immediately, but written back at intervals. This greatly improves performance, but it also means that if you simply turn off the power, the cache may hold a large amount of data, and what is on the disk may not be a complete, working filesystem (because some of the data has been written back and some has not).

Another reason not to just cut the power: in a multitasking system, many things may be running in the background, and cutting the power can cause losses. By using the correct shutdown sequence, you ensure that all background processes get to save their data.

The command for shutting down a Linux system gracefully is shutdown. It is typically used in one of two ways.

If the system has only one user, the usual approach is to quit all running programs, log out of all virtual consoles, log in as root (if you already are root you need not log out and in again, but you should change to the root directory to avoid problems with unmounting), and then run `shutdown -h now` (a delay is generally unnecessary on a single-user system, but if you need one, replace now with a plus sign and a number of minutes).

If the system is multi-user, use `shutdown -h +time message`, where time is the number of minutes until the system halts and message is a short text telling all users why the system is shutting down:

```
# shutdown -h +10 'We will install a new disk. System should
> be back on-line in three hours.'
#
```

The command above warns all users that the system will shut down in 10 minutes, so they had better save anything that would otherwise be lost. The warning is displayed on every terminal where someone is logged in, including all xterms:

```
Broadcast message from root (ttyp0) Wed Aug  2 01:03:25 1995...

We will install a new disk. System should
be back on-line in three hours.
The system is going DOWN for system halt in 10 minutes !!
```

The warning is repeated automatically several times before the system shuts down, at shorter and shorter intervals as the time runs out.
When the delay has passed and the real shutdown begins, all filesystems (except root) are unmounted, user processes (if anyone is still logged in) are killed, all daemons are stopped, and everything comes to a halt. After that, init prints a message telling you that the power can be turned off. At that point, and only then, may you turn off the power.

Sometimes (though rarely on any good system) the system cannot be shut down gracefully. For example, after a kernel failure, a crash or other unusual circumstances, it may be impossible to type any command, so a normal shutdown is difficult and the only option is to cut the power directly. If the problem is less serious, for example a malfunctioning keyboard while the kernel and the update program are still running, it is a good idea to wait a while, so that update has a chance to write the data in the buffer cache back to disk, and only then cut the power.

Some people like to shut down by running sync three times, waiting for the disk I/O to stop, and then turning off the power. If no programs are running, this is roughly equivalent to shutdown. However, it does not unmount any filesystem, which can lead to problems with the ext2fs "clean filesystem" flag. The triple-sync method is deprecated. (In case you're wondering: the reason for three syncs is that in the early days of UNIX, when the commands were typed separately, that usually gave sufficien

Fedora 8 i386: using a local ISO with Add/Remove Software

Step 1: copy the ISO file locally and mount it as a virtual CD-ROM drive:

```
mount -o loop -t iso9660 /Fedora-8-i386.iso /mnt/cdrom
```

Notes: 1. Replace the ISO path with your own, for example /Fedora-8-i386.iso. 2. If there is no cdrom directory under /mnt, create one.

Step 2: change the location of the yum repository files. "Add/Remove Software" appears to be built on features similar to yum: every time you open it, it goes online to search the list of installed packages, which takes a while (very annoying). If you do not want it to go online and only want it to look at the local media, the yum repository files need some adjustment. Move the files in /etc/yum.repos.d/ to a backup location; I put them in a subdirectory of that same directory. Then create a new file with the .repo extension in /etc/yum.repos.d/. Mine is CDROM.repo, at /etc/yum.repos.d/CDROM.repo, with the following content:

```
[core]
name=CDROM
baseurl=file:///mnt/cdrom
enabled=1
gpgcheck=1
gpgkey=file:///mnt/cdrom/RPM-GPG-KEY
```

Notes: the section name [core] must not be changed, otherwise package downloads fail with a header error; baseurl is the path where you mounted the CD; gpgkey is the RPM-GPG-KEY file on the CD used to verify package signatures. Change each of these to match your own setup. Now you can open "Add/Remove Software" with confidence: wait for it to finish searching the installation packages, and then add or remove programs.
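The repository switch described above as a script, added here as an example (not from the original post). It moves the existing repo files aside and writes the CDROM.repo from the post, but refuses to create the repo if the mounted media has no RPM-GPG-KEY, so gpgcheck=1 is never silently traded for an unverified repository. The directory and mount point are arguments, which is an assumption made so the functions can be tried against a temporary directory.

```shell
#!/bin/sh
# make_cdrom_repo REPO_DIR MOUNT_POINT
#   1. moves any existing *.repo files into REPO_DIR/backup, so yum and
#      "Add/Remove Software" only see the local media;
#   2. refuses to write the repo if the media carries no GPG key, because
#      gpgcheck=1 would then make every install fail, and dropping to
#      gpgcheck=0 is exactly what should not happen;
#   3. writes REPO_DIR/CDROM.repo with the [core] section from the post.
# In real use: make_cdrom_repo /etc/yum.repos.d /mnt/cdrom
make_cdrom_repo() {
    repo_dir=$1
    mount_point=$2
    key_file="$mount_point/RPM-GPG-KEY"

    [ -f "$key_file" ] || {
        echo "no GPG key at $key_file; refusing to create an unverified repo" >&2
        return 1
    }

    mkdir -p "$repo_dir/backup"
    for f in "$repo_dir"/*.repo; do
        [ -e "$f" ] && mv "$f" "$repo_dir/backup/"
    done

    cat > "$repo_dir/CDROM.repo" <<EOF
[core]
name=CDROM
baseurl=file://$mount_point
enabled=1
gpgcheck=1
gpgkey=file://$key_file
EOF
}

# repo_gpgcheck_enabled REPO_FILE: succeeds only if signature checking is on
repo_gpgcheck_enabled() {
    grep -q '^gpgcheck=1$' "$1"
}
```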

CentOS 5: installing Apache and svk with domain-user authentication

Install the rpm packages httpd, httpd-devel, pam-devel, subversion and subversion-perl. With those installed, `cpan SVK` completes the svk installation.

Enabling SSL in httpd. Step one, create the key and certificate request:

```
openssl req -new > new.cert.csr
```

Step two, remove the passphrase from the key (optional):

```
openssl rsa -in privkey.pem -out new.cert.key
```

Step three, turn the request into a signed certificate:

```
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 1825
```

Step four, copy the cert and key files to the appropriate locations:

```
cp new.cert.cert /etc/apache/ssl.crt/server.crt
cp new.cert.key /etc/apache/ssl.key/server.key
```

Configuration. Joining Linux to the Windows domain is not described here. mod_auth_pam is not available as a package, so download the source and compile it; as long as the packages above are installed this should cause no problems. Because my system uses winbind against the Windows domain directly, domain users can be used for authentication directly; the following configuration is needed in /etc/pam.d/httpd:

```
auth    required /lib/security/pam_winbind.so
account required pam_permit.so
```

With that, svn over HTTPS authenticates with domain user accounts. Note that pam_permit.so always succeeds at the account stage, so every account that winbind can authenticate is accepted.

Linux security and LIDS

LIDS (Linux Intrusion Detection System) is a Linux kernel patch plus a system administration tool (lidsadm) that hardens the Linux kernel.

It implements a security model in the kernel: a reference monitor and Mandatory Access Control (MAC). This article explains the functionality of LIDS and how to use it to set up a secure Linux system.

1. Why choose LIDS

As Linux becomes more and more popular on the Internet, more and more security vulnerabilities are found in existing GNU/Linux system software. Many stem from programmer carelessness, such as buffer overflows and format string attacks. When a security-relevant program is compromised to gain ROOT privileges, the whole system falls under the intruder's control. Because the code is open, we can obtain the source of most Linux applications and modify it to our needs, so bugs can be found and fixed quickly. But when a vulnerability is disclosed and the system administrator neglects to apply the patch, the system is very easily broken into, and in the worst case the attacker obtains a ROOT shell and does whatever he likes with the existing GNU/Linux system. This is exactly the problem LIDS sets out to solve. First, let's look at the problems of an existing GNU/Linux system.

The filesystem is not protected. Many important files such as /bin/login are unprotected; once an attacker is in, he can upload a modified login file in place of /bin/login and from then on log in without any user name or password. This is commonly called a Trojan horse.

Processes are not protected. Processes running on the system provide its services; HTTPD, for example, is a web server answering remote clients' web requests. For a web server system, protecting such processes from being terminated illegitimately is very important, but once an intruder has ROOT privileges we are powerless.

System administration is not protected. Much of system administration, for example module loading and unloading, routing settings and firewall rules, can easily be changed by any user whose ID is 0, so as soon as an intruder gains ROOT privileges these become unsafe.

Super-user (root) privileges can be abused: as ROOT he can do whatever he wants, and he can even change the existing permissions.

In summary, the access-control model of an existing Linux system is not sufficient to build a secure Linux system. We must add a new model to solve these problems. That is what LIDS does.

2. LIDS features

Linux Intrusion Detection System is a Linux kernel patch and system administration tool that hardens the security of the kernel. It implements a reference monitor and Mandatory Access Control (MAC) in the kernel. When it is in effect, chosen file accesses, every system/network administration operation, any use of capabilities, and raw device, memory and I/O access can be prohibited, even for ROOT. It uses and extends the capability system, restricts control over the whole system, and adds network and filesystem security features to the kernel, thereby strengthening security. You can tune the security protection, hide sensitive processes, receive security alerts over the network, and so on. In short, LIDS provides protection, detection and response capabilities in the Linux kernel's secure mode.

2.1 Protection. LIDS provides the following protection: it protects any kind of important file or directory on your hard disk from being changed, even by ROOT; it protects important processes from being terminated; it prevents illegitimate programs from performing raw I/O; it protects the hard disk, including the MBR; and it protects sensitive files on the system from unauthorized users (including ROOT) and unauthorized programs.

2.2 Detection. When someone scans your host, LIDS can detect it and report to the system administrator. LIDS can also detect any violation of the rules on the system.

2.3 Response. When someone violates a rule, LIDS records the details of the illegal operation in the LIDS-protected system log. The LIDS log information can also be sent to your mailbox.
It can also close the offending user's session at once.

3. Building a secure Linux system

Having covered the LIDS features, let's look at how to build a secure system with LIDS step by step.

3.1 Download the LIDS patch and the matching official Linux kernel

Get the LIDS patch and administration tool from LIDS Home, LIDS FTP Home or a recent LIDS mirror. The patch is named lids-x.xx-y.y.y.tar.gz, where x.xx is the LIDS version and y.y.y the Linux kernel version it applies to; for example, lids-0.9.9-2.2.17.tar.gz is LIDS 0.9.9 for kernel 2.2.17. You must download the matching kernel version: for lids-0.9.9-2.2.17.tar.gz, download the source of Linux kernel 2.2.17, from the kernel FTP site or one of its mirrors. Then unpack the kernel source and the LIDS tarball. For example, with lids-0.9.9-2.2.17.tar.gz from www.lids.org and linux-2.2.17.tar.bz2 from ftp.us.kernel.org:

```
1. uncompress the Linux kernel source code tree
# cd linux_install_path/
# bzip2 -cd linux-2.2.17.tar.bz2 | tar -xvf -
2. uncompress the lids source code and install the lidsadm tool
# cd lids_install_path
# tar -zxvf lids-0.9.8-2.2.17.tar.gz
```

3.2 Patch the official Linux kernel with LIDS

Apply the LIDS patch to the Linux kernel source:

```
# cd linux_install_path/linux
# patch -p1 < <path-to-lids-patch>
/* link the default source path to the lids patched version */
# rm -rf /usr/src/linux
# ln -s linux_install_path/linux /usr/src/linux
```

3.3 Configure the Linux kernel

```
configure the Linux kernel
# cd linux
# make menuconfig  (or: make xconfig)
```

Now configure the kernel as follows:

[*] Prompt for development and/or incomplete code/drivers
[*] Sysctl support

After that, you will find a new item at the bottom of the configuration menu named "Linux Intrusion Detection System". Enter that menu and turn on:

[*] Linux Intrusion Detection System support (EXPERIMENTAL) (NEW)

After configuring the LIDS kernel, exit the configuration interface and compile the kernel:

```
# make dep
# make clean
# make bzImage
# make modules
# make modules_install
```

3.4 Install the LIDS kernel and administration tool

Copy bzImage to /boot/ and edit /etc/lilo.conf:

```
# cp arch/i386/boot/bzImage /boot/bzImage-lids-0.9.9-2.2.17
/* build admin tools */
# cd lids-0.9.8-2.2.17/lidsadm-0.9.8/
# make
# make install
# less /etc/lilo.conf
boot=/dev/da
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
default=linux
image=/boot/vmlinuz-2.2.16-3
    label=linux
    read-only
    root=/dev/da2
image=/boot/bzImage-lids-0.9.9-2.2.17
    label=dev
    read-only
    root=/dev/da2
```

Run /sbin/lilo to install the new kernel:

```
# /sbin/lilo
```

3.5 Configure the LIDS system

Before rebooting, you must configure LIDS to meet your security needs: define the protected files, protected processes, and so on. By default, lidsadm installs its configuration files in /etc/lids/. Reconfigure them according to your needs. First, update the inode/dev values in the default lids.conf:

```
# /sbin/lidsadm -U
```

3.6 Reboot the system

When you have finished configuring the Linux system, reboot it. When the LILO prompt appears, select the LIDS-enabled kernel. Then you enter the wonderful world of LIDS.

3.7 Seal the kernel

After the system starts, don't forget to seal the kernel with lidsadm, by adding the following command at the end of /etc/rc.local:

```
# /sbin/lidsadm -I
```

3.8 Online administration

Once the kernel is sealed, your system is under the protection of LIDS. You can run some tests to verify it. If you want to change some configuration, such as modifying permissions, you can enter a password to switch the LIDS security level online:

```
# /sbin/lidsadm -S -- -LIDS
```

After changing the LIDS configuration, for example lids.conf or lids.cap, you can reload the configuration files into the kernel with:

```
# /sbin/lidsadm -S -- +RELOAD_CONF
```

4. Configuring the LIDS system

4.1 The LIDS configuration directory, "/etc/lids/"

Installing lidsadm creates the LIDS configuration directory /etc/lids/. When the kernel boots, the configuration information is read into the kernel to initial

Establishing an SSL connection to MySQL

```
;; Remove the passphrase from the client key (optional)
openssl rsa -in client-key.pem -out client-key.pem
;; Sign the client certificate
openssl ca -policy policy_anything -out client-cert.pem -config openssl.cnf -infiles client-req.pem
# Sample output:
# Using configuration from /usr/local/myssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName       :PRINTABLE:'CN'
# organizationName  :PRINTABLE:'CenteurCA'
# commonName        :PRINTABLE:'MySQL user'
# Certificate is to be certified until May 18 16:08:20 2006 GMT (365 days)
# Sign the certificate? [y/n]:y
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated
```

Edit /etc/my.cnf and add the following:

```
[client]
ssl-ca=/usr/local/myssl/cacert.pem
ssl-cert=/usr/local/myssl/client-cert.pem
ssl-key=/usr/local/myssl/client-key.pem

[mysqld]
ssl-ca=/usr/local/myssl/cacert.pem
ssl-cert=/usr/local/myssl/server-cert.pem
ssl-key=/usr/local/myssl/server-key.pem
```

Restart the MySQL service:

```
/usr/local/etc/rc.d/mysql-server restart
```
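A small audit for the my.cnf settings above, added here as an example (not from the original post): it parses the file section by section and checks that both [client] and [mysqld] name all three of ssl-ca, ssl-cert and ssl-key and that each file exists, since a typo in one path leaves the server starting without SSL. The config path is whatever the caller passes; the section and option names are the ones used in the post.

```shell
#!/bin/sh
# section_value CNF SECTION KEY
#   prints the value of KEY found inside [SECTION] of CNF, or nothing.
#   Section-aware on purpose: a plain grep for "ssl-key" would be fooled
#   by a key that is set under [client] but missing under [mysqld].
section_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# audit_mysql_ssl CNF
#   returns 0 if both sections are fully configured and every referenced
#   file exists, 1 otherwise, printing one line per problem found.
#   In real use: audit_mysql_ssl /etc/my.cnf
audit_mysql_ssl() {
    cnf=$1
    rc=0
    for sec in client mysqld; do
        for key in ssl-ca ssl-cert ssl-key; do
            val=$(section_value "$cnf" "$sec" "$key")
            if [ -z "$val" ]; then
                echo "[$sec] is missing $key"
                rc=1
            elif [ ! -f "$val" ]; then
                echo "[$sec] $key points to a missing file: $val"
                rc=1
            fi
        done
    done
    return $rc
}
```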

Handling synchronized events on shared objects in Linux

If the shared memory does not already exist, create it and construct the object in it; if it already exists, skip the object construction. Initializer::m_shmid records the segment identifier, and ObjectWithEvents::ms_pObjectWithEvents records the shared object. Even when all processes have detached, the shared memory is not destroyed, so it can be deleted explicitly with ipcrm and inspected with ipcs.

Compile the test program as follows:

```
g++ -g -o shm_client shm_client1.cpp ObjectWithEvents.cpp Initializer.cpp
```

The console results of running it are shown in list 8.

List 8. Console results

```
$ ./shm_client
shm_client1.cpp:16 Message from pid (4332):
$ ipcs
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00001234 327686     sachin     666        136        0
$ ./shm_client
shm_client1.cpp:16 Message from pid (4333):
$ ipcrm -m 327686
```

The ObjectWithEvents instance brings together the events from the various processes, but it can only release the events registered by the current process. This design pattern makes two points: all access to the set of events is protected by a mutex, and before an event is delivered, the process ID is used as a filter.

Using shared memory and an event cache for IPC

Now let's look at how to use shared memory and an event cache for interprocess communication. If events are cached in the shared object, they can be delivered later: the receiving process must query the shared object for pending events. In this way a synchronous model achieves interprocess communication. This is an extension of the design pattern. Two methods are added to IObjectWithEvents:

List 9. Adding methods to IObjectWithEvents

```cpp
class IObjectWithEvents {
public:
    virtual bool EnqueueEvent(const char *msg) = 0;
    virtual bool PollForEvents() = 0;
};
```

EnqueueEvent() simply adds an event to the shared object's cache; PollForEvents() retrieves the cached data.

shm_client1 uses the EnqueueEvent() method:

```cpp
powe->EnqueueEvent("Message from shm_client1");
```

shm_client2 (actually a copy of shm_client1) uses the PollForEvents() method:

```cpp
powe->EnqueueEvent("Message from shm_client2");
powe->PollForEvents();
```

In addition, some members are added to ObjectWithEvents:

List 10. Changes to ObjectWithEvents

```cpp
class ObjectWithEvents : public IObjectWithEvents {
public:
    virtual bool EnqueueEvent(const char *msg);
    virtual bool PollForEvents();

    // The event cache
    enum { MAX_EVENTS = 16, MAX_EVENT_MSG = 256, };
    long  m_nEvents;                           // number of cached events
    pid_t m_alPIDEvents[MAX_EVENTS];           // pid of the process that queued each event
    char  m_aaMsgs[MAX_EVENTS][MAX_EVENT_MSG]; // the event messages
};
```

This gives a new constructor:

```cpp
ObjectWithEvents::ObjectWithEvents() : m_npEI(0), m_nEvents(0) {}
```

EnqueueEvent() appends an event (the event message together with the ID of the process that issued it) to the queue. PollForEvents() loops over the queue and calls OnEvent() for each queued event, one by one.

List 11. EnqueueEvent and PollForEvents

```cpp
#include <cstring>
#include <unistd.h>

bool ObjectWithEvents::EnqueueEvent(const char *msg)
{
    if (NULL == msg) {
        return false;
    }
    int bRetVal = Initializer::LockMutex();
    if (0 != bRetVal) {
        return false;
    }
    // The capacity check is made under the lock: another process could
    // fill the last slot between an unlocked check and our write.
    if (MAX_EVENTS == m_nEvents) {
        // event cache full
        Initializer::UnlockMutex();
        return false;
    }
    m_alPIDEvents[m_nEvents] = getpid();
    strncpy(m_aaMsgs[m_nEvents], msg, MAX_EVENT_MSG - 1);
    m_aaMsgs[m_nEvents][MAX_EVENT_MSG - 1] = '\0'; // strncpy does not terminate long messages
    m_nEvents++;
    if ((0 == bRetVal) && (0 != Initializer::UnlockMutex())) {
        // Deal with error.
    }
    return true;
}

bool ObjectWithEvents::PollForEvents()
{
    if (0 == m_nEvents) {
        return true;
    }
    int bRetVal = Initializer::LockMutex();
    if (0 != bRetVal) {
        return false;
    }
    // The current pid is the filter for the sinks registered by this
    // process; sink pointers registered by other processes are only
    // valid in their own address space.
    pid_t pid = getpid();
    // m_npEI / m_apEI are the registered IEventSink pointers from the earlier listings.
    for (long i = 0; i < m_npEI; i++) {
        // Recheck for NULL
        if (0 == m_apEI[i]) {
            continue;
        }
        for (long j = 0; j < m_nEvents; j++) {
            m_apEI[i]->OnEvent(m_alPIDEvents[j], m_aaMsgs[j]);
        }
    }
    if ((0 == bRetVal) && (0 != Initializer::UnlockMutex())) {
        // Deal with error.
    }
    return true;
}
```

Now compile and run:

```
g++ -g -o shm_client1 shm_client1.cpp ObjectWithEvents.cpp Initializer.cpp
g++ -g -o shm_client2 shm_client2.cpp ObjectWithEvents.cpp Initializer.cpp
```

The console output should look like this:

List 12. shm_client1 and shm_client2 output

```
$ ./shm_client1
$ ipcs
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00001234 360454     sachin     666        4300       0
$ ./shm_client2
shm_client2.cpp:16 Message from pid (4454): Message from shm_client1
shm_client2.cpp:16 Message from pid (4456): Message from shm_client2
```

Linux system security risks and ways to improve security management

No system is absolutely secure; even Linux, which is generally considered stable, has shortcomings in system management and security.

We want to keep the system in as low-risk a state as possible, which means strengthening its security management. Below I look at two aspects: the deficiencies that exist in Linux, and how to strengthen Linux security management.

Preventing intrusion

Before discussing security management against intruders, I briefly describe the main avenues and habitual practices used to attack Linux hosts, so that better precautions can be taken. To prevent deliberate intrusion, the links between the intranet and the outside network can be reduced, or the system isolated from other networks entirely. This makes the network less convenient to use, but it is the most effective preventive measure. Intruders usually probe Linux or Unix hosts in the following ways until they find one that is vulnerable, and then begin the hands-on intrusion. The common techniques are:

1. Obtaining the root password directly, by eavesdropping or by guessing a particular user's password. The user need not be root: any user's password is a start, and ordinary users' passwords are usually very weak.
2. Attackers often use common words to crack passwords. An American hacker once said that with just the word "password" he could open most computers in the US. Other commonly used words include: account, ald, alpha, beta, computer, demo, dead, dollar, games, bod, hello, help, intro, kill, love, no, ok, okay, please, sex, secret, superuser, system, test, work, yes.
3. Using the command `finger @some.cracked.host` to learn the user names on a machine, then starting from those users: getting in through a weak user account, obtaining the /etc/passwd password file, and running a password-guessing tool with a dictionary file against it to guess root's password.
4. Using an ordinary user account to place SetUID files in /tmp, or a SetUID program that root will run, to create a security hole.
5. Exploiting a vulnerability in a program that needs SetUID root, for example pppd, to obtain root privileges.
6. Intruding from a host listed in .rhosts: when a user runs rlogin, the rlogin program trusts the hosts and accounts defined in .rhosts and does not require a password to log in.
7. Modifying the user's shell start-up files (.profile, .login, .cshrc, etc.) to add a damaging program that runs whenever the user logs in, for example "if /tmp/backdoor exists, run /tmp/backdoor".
8. The user then unknowingly runs the backdoor program (possibly a cracking program) every time he logs in, which damages the system or gathers further information about it to help the attacker penetrate it.
9. Where a company's important hosts are protected by a network firewall, the attacker sometimes finds an easily compromised host on the same subnet and then works gradually toward the important hosts. For example, where NIS is in use, remote commands that need no password can be used, which makes the attacker's job easier.
10. Going through an intermediate host before looking for the target, to keep reverse lookups from revealing the real IP address.
11. Entering a host through any of several services: Telnet (port 23), Sendmail (port 25), FTP (port 21) or WWW (port 80). A host has only one address but may provide many services, and those ports are the attacker's way in.
12. Intercepting information through the NIS and NFS RPC services: a simple command such as showmount makes a remote host automatically report the services it provides. Once that information is in hand, even with tcp_wrapper or similar security software installed, the administrator may unknowingly have a filesystem "borrowed" from the NIS server, leaking /etc/passwd.
13. Sending e-mail to the anonymous FTP account to obtain the password file from the site, or directly downloading the passwd file from the FTP site's /etc directory.
14. Network eavesdropping: using a packet sniffer to capture Telnet, FTP and rlogin session information and, from there, the root password. Sniffers are one of the main causes of illegal intrusion on today's Internet.
15. Exploiting vulnerabilities in programs such as Sendmail, imapd, pop3d and DNS, in which security holes are found frequently; hosts whose administrators do not diligently repair them are open to intrusion.
16. On a compromised system, the Telnet program may have been secretly replaced so that every account and password from each Telnet session is recorded and e-mailed to the attacker for further intrusion.
17. Clearing the system logs: a capable attacker removes the records of the time and IP address of his entry, clearing syslog, lastlog, messages, wtmp, utmp and the shell history file .history.
18. Intruders also often replace checking commands such as ifconfig and tcpdump to avoid being discovered.
19. Brazenly copying /etc/passwd and then cracking the passwords with a dictionary file.
20. Brazenly going after superuser (root) access through su or sudo.
21. Using buffer overflows to break into the system.
22. cron is the tool Linux uses to automate commands, such as scheduled backups or deleting expired files. Intruders often use cron to leave a backdoor: besides scheduling cracking code to attack the system, it avoids the risk of discovery by the administrator.
23. Using IP spoofing to break into Linux hosts.
These are the current common hacking tricks against Linux hosts. If a hacker can easily invade your computer with such methods, its security is really too poor, and you need to download the new software version or patch file quickly to fix the vulnerabilities. A warning here: unauthorized use of another's computer system or stealing information is illegal, and I hope readers do not violate this. Besides the above methods, many intrusion tools can also be used to attack Linux systems. These tools are often planted in the victim server after the intruder completes the intrusion. They have different characteristics: some simply capture user names and passwords, while very powerful ones log all network data flow. In short, intrusion tools are also a common way of attacking Linux hosts.

Hacker protection

To protect system security against hackers, the first step is to do the prevention work ahead of time. As a system administrator you must ensure that the systems you manage have no security vulnerabilities that give illegal users an opportunity. For advance prevention, I think there are the following points:

First, close all possible system back doors ahead of time so that intruders cannot exploit vulnerabilities in the system. For example, use "rpcinfo -p" to check whether the machine is running unnecessary remote services; once found, stop them immediately so as not to leave a backdoor for illegal users.
Second, verify that the system is running new Linux and Unix daemons, because old daemons allow other machines to remotely run some illegal commands.
Third, regularly obtain security patches from the operating system vendor.
Fourth, strengthen security with system setup programs such as Shadow password, TCP wrapper, SSH, PGP, etc.
Fifth, build a network firewall to prevent network attacks.
Sixth, use vulnerability scanning tools to test whether hosts are vulnerable.
Seventh, subscribe to a number of security advisories and visit security sites to obtain timely security information and patch software and hardware vulnerabilities.

Even with the preventive work done, that is only the starting point. With the continuous development of network technology, hackers' skill is also progressing, and their means of attack keep emerging, so many unexpected things can happen. Besides prevention work, we should therefore do daily security checks on the system. In particular, a system administrator should always observe changes in the system, such as system processes, files, times, etc. Specifically, security checks on the system can be done in the following ways:

1. Take full advantage of the check commands built into Linux and UNIX systems. For example, the following commands are very useful:
- who: see who is logged on to the system;
- w: see who is logged on and what they are doing;
- last: display the users who have logged on and their TTYs;
- history: show the commands run in the past;
- netstat: view the current network status;
- top: dynamically view system processes in real time;
- finger: view all logged-in users.
2. Periodically check system logs, files, times and process information. For example:
- check the /var/log/messages log file for external users' login status;
- check the history file in the user directory /home/username (e.g. the .history file);
- check the .rhosts and .forward files in /home/username for remote login;
- use "find / -ctime -2 -ctime +1 -ls" to view files modified in the last two days;
- use "ls -lac" to view a file's real modification time;
- use "cmp file1 file2" to compare files for changes;
- protect critical system commands, processes and configuration files and their access rights, to prevent an intruder from replacing or modifying them.
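The "cmp" and "ls -lac" checks above can be done systematically by keeping a checksum baseline of critical commands and configuration files and comparing against it later. The script below is an added example and is not from the original article; the sample tree with two fake commands is constructed for the demonstration, and on a real host you would baseline directories such as /bin, /sbin and /etc and keep the baseline on read-only media.

```shell
#!/bin/sh
# Added example: checksum baseline for critical files (not from the original article).

# hash_cmd: prefer sha256sum, fall back to md5sum where it is not available.
hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum
    else echo md5sum; fi
}

# make_baseline DIR BASELINE_FILE: record the hash of every regular file
# under DIR, sorted so the baseline is reproducible.
make_baseline() {
    find "$1" -type f | sort | xargs "$(hash_cmd)" > "$2"
}

# check_baseline BASELINE_FILE: print each file whose hash differs from the
# baseline or that has disappeared; returns 1 when anything changed.
check_baseline() {
    "$(hash_cmd)" -c "$1" 2>/dev/null |
        awk -F': ' '$2 != "OK" { print $1; n++ } END { exit (n > 0) }'
}

# demo: constructed tree with two fake commands; one is replaced and one
# removed after the baseline is taken, the way an intruder would tamper
# with ifconfig or tcpdump. Prints the changed names relative to the tree.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin"
    printf 'original ifconfig\n' > "$d/bin/ifconfig"
    printf 'original tcpdump\n'  > "$d/bin/tcpdump"
    make_baseline "$d/bin" "$d/baseline.txt"
    printf 'trojaned ifconfig\n' > "$d/bin/ifconfig"   # modified in place
    rm "$d/bin/tcpdump"                                 # deleted
    check_baseline "$d/baseline.txt" | sed "s|^$d/bin/||"
    rm -rf "$d"
}

demo
```

Run make_baseline once on a known-good system and check_baseline from cron; an empty report means every baselined file still matches.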
Of course, to guarantee the security of the system, apart from prevention and security inspection, one must also cultivate the good habit of network security: regularly scheduled complete data backups. With a complete data backup, the system can be quickly restored after an attack or a system failure.

Virus intrusion security

Viruses are now very popular on DOS and Windows 9X/Me/NT/2000/XP systems, but one almost never hears of a virus on a Linux or UNIX system, and some people even think Linux or UNIX systems have no viruses at all. In fact this is a big mistake: the world's first computer virus was on Unix. If a virus spread on a Linux system, the consequences would be disastrous. Many viruses are now written in standard C, adapted to any kind of Linux and UNIX operating system, and they can be cross-compiled. Although Windows NT/2000, Linux and UNIX have very advanced protection mechanisms that prevent most virus infections, they do not prevent all of them. Therefore a Linux system is not free of the danger of computer viruses; for example, the Morris, Ramen and Lion worms have all been used on Linux or Unix systems. Most Linux networks consist of one or more computers running Linux as a server (a Web server, an FTP server, and usually also a mail server), while the workstations mostly run Windows 9X/Me/NT/2000/XP. Virus protection on a Linux network is therefore mainly based on the individual workstations: you can install the Samba service on the Linux server and use a virus scanning tool from a secure workstation to regularly scan the files on the server disk, achieving anti-virus protection.

Computer viruses are the problem that most troubles computer manufacturers and governments. According to estimates there are thousands of viruses, and about three new computer viruses appear every day. Currently most computers use software to control viruses, but fewer than half use a virus firewall, which increases the chance of infection. Usually these infections come from the intranet, meaning that many computers in the company may already be infected. In difficult circumstances, the only time a computer is healthy, with no exception occurring, is when its information has not been compromised.

Classical document: basic Linux network security configuration overview

Fourth, proposed replacements for common network service applications

WuFTPD

WuFTPD has had a continuous string of security vulnerabilities since 1994; a hacker can easily obtain remote root access, and many of the holes do not even require a valid account on the FTP server.

Recently, WuFTPD security vulnerabilities have again appeared frequently. Its best alternative is ProFTPD. ProFTPD is very easy to configure, in most cases faster, and its source code is relatively clean (fewer buffer overflow errors). Many important sites use ProFTPD; Sourceforge.net is a good example (the site hosts 3,000 open source projects, and its load is not small!). Some Linux distributors use ProFTPD on their primary FTP sites; only two major Linux distributors (SuSE and Caldera) use WuFTPD. Another advantage of ProFTPD is that it can run either from inetd or as a stand-alone daemon, which easily avoids the problems posed by inetd, such as denial of service attacks. The simpler the system, the easier it is to guarantee its security. Unless WuFTPD is re-audited in full (very hard) or completely rewritten, it must be replaced by ProFTPD.

Telnet

Telnet is very insecure: it transmits passwords in clear text. Its secure alternative is OpenSSH. OpenSSH on Linux is already very mature and stable, and there are also many free client programs on the Windows platform. Linux distributors should adopt OpenBSD's policy: install OpenSSH and enable it by default, and do not enable Telnet by default. For Linux distributors outside the United States it is easy to ship OpenSSH in the release; US Linux publishers will want some other way (for example, RedHat's FTP server in Germany (ftp.redhat.de) has the latest OpenSSH RPM packages). Telnet is incurable; to ensure the system's security it must be replaced by software such as OpenSSH.

Sendmail

In recent years Sendmail's security has improved very much (it is usually a focus of hacker attacks). However, Sendmail still has a very serious problem.
Whenever a security vulnerability appears (for example the recent Linux kernel error), Sendmail is the target of hacker attacks, because Sendmail runs with root privileges and its mammoth code base is prone to problems. Almost all Linux distributions use Sendmail as the default configuration, with only a few offering Postfix or Qmail as optional packages. However, very few Linux distributors use Sendmail on their own mail servers; SuSE and RedHat use systems based on Qmail. Sendmail does not necessarily have to be completely replaced by another program, but its two alternatives, Qmail and Postfix, are more secure and faster, and Postfix in particular is easy to configure and maintain.

su

su is used to change the current user ID to another user. You can log on as a normal user and, when you need to be root to do something, run the "su" command and enter the root password. su itself has no problem, but it lets people develop bad habits: if a system has multiple administrators, you must give all of them the root password. The alternative to su is sudo; RedHat 6.2 includes this software. sudo lets you set which users in which groups can do what as root. You can also restrict where users may log on from (if a user's password has been "broken" and the account is used to log on from a remote computer, you can prevent that user from using sudo). Debian also has a similar program called super, which compared with sudo has advantages and disadvantages. Let users develop good habits: using the root account and letting more people know the root password is not a good habit. This is the reason for the intrusion of www.apache.org: it had more than one system administrator with root privileges. An entangled system is very easy to invade.

named

Most Linux distributions have solved this problem. Previously named ran as root, so when a new named vulnerability appeared it was easy to invade some very important computers and gain root privileges.
Now named can be run as a non-root user with just command line parameters, and the vast majority of Linux distributions run named with normal user rights. The command format is usually: named -u <user> -g <group>

INN

INN's documentation already explicitly points out: "disable this feature (verifycancels); it is useless and will be removed." About a month ago a hacker released an intrusion exploit for INN with "verifycancels" enabled. RedHat ships with "verifycancels" enabled.

Properly install and check every setuid/setgid program and network service program to ensure that it has no security vulnerabilities.

Monday, December 27, 2010

Redhat Enterprise version of Linux tape drive simple operations

There are several ways to use tape drives on Linux, notably through Amanda, tar and other software.

Amanda provides remote centralized backup: it is set up with a client side and a server side, and backups are stored centrally on the server. tar is mainly used in a stand-alone environment, writing backup data directly to tape. For single-node backup, simply use the tar command to back up and restore.

Installation: for the current HP DAT24/40 series external SCSI tape drives with automatic rewind, connect the drive to the external SCSI bus and restart the server. After rebooting, running dmesg shows the new tape drive device /dev/st0:

blk: queue ef0d7a14, I/O limit 4095Mb (mask 0xfffffff)
audit subsystem ver 0.1 initialized
(scsi0:A:3): 10.000MB/s transfers (10.000MHz, offset 15)
  Vendor: HP        Model: C1537A   Rev: L805
  Type:   Sequential-Access   ANSI SCSI revision: 02
blk: queue ef0e4614, I/O limit 4095Mb (mask 0xfffffff)
Attached scsi tape st0 at scsi0, channel 0, id 3, lun 0

Tape operations. Mount the tape, then:

Rewind, moving the tape to the starting position of the volume:
  mt -f /dev/st0 rewind

Erase, wiping the tape contents:
  mt -f /dev/st0 erase
Note: erasing is very slow and wears the tape, so it is best not to do it. When the tape is full you can continue writing data, overwriting the old data, without erasing. A new tape can be used immediately after opening the package and does not need to be erased.

Eject: rewind the tape to the initial position and pop it out of the drive:
  mt -f /dev/st0 offline

Basic data operations are as follows:
1. List the directory:
  tar tvf /dev/st0
If there are no files on the tape, listing the directory will complain with an error; this does not affect the use of the tape.

Tips for Linux network settings: how to implement a NIC to bind more than one IP address?

Linux network device configuration files are stored in /etc/sysconfig/network-scripts; the configuration file for the first Ethernet device is typically ifcfg-eth0. To bind more than one IP address to the first network device, you only need to create a file named ifcfg-eth0:0 in the /etc/sysconfig/network-scripts directory. Example content:

DEVICE="eth0:0"
IPADDR="211.100.10.119"
NETMASK="255.255.255.0"
ONBOOT="yes"

DEVICE is the device name, IPADDR is the IP address of this device, NETMASK is the subnet mask, and ONBOOT says whether to bring it up automatically at system startup. To bind further IP addresses, just increase the x in the file name and in DEVICE eth0:x by one. Linux supports up to 255 IP aliases.
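The alias files above follow a fixed pattern, so they can be generated rather than typed. The script below is an added example, not part of the original post: write_aliases writes one ifcfg-DEVICE:N file per address, validates each address as a dotted quad, and stops at the 255-alias limit the post mentions. It writes into a constructed temporary directory by default instead of /etc/sysconfig/network-scripts so it can be run safely.

```shell
#!/bin/sh
# Added example: generate ifcfg-eth0:N alias files (not from the original post).

# valid_ipv4 ADDR: true when ADDR is four decimal octets in 0..255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# write_aliases DIR DEVICE NETMASK IP...: writes DIR/ifcfg-DEVICE:N for each
# valid IP, numbering from 0, and prints how many files were written.
write_aliases() {
    dir=$1; dev=$2; mask=$3; shift 3
    n=0
    for ip in "$@"; do
        if ! valid_ipv4 "$ip"; then
            echo "skipping invalid address: $ip" >&2
            continue
        fi
        if [ "$n" -ge 255 ]; then
            echo "alias limit (255) reached, stopping" >&2
            break
        fi
        cat > "$dir/ifcfg-$dev:$n" <<EOF
DEVICE="$dev:$n"
IPADDR="$ip"
NETMASK="$mask"
ONBOOT="yes"
EOF
        n=$((n + 1))
    done
    echo "$n"
}

# Demo with constructed addresses; 300.1.1.1 is rejected by valid_ipv4.
demo_dir=$(mktemp -d)
write_aliases "$demo_dir" eth0 255.255.255.0 211.100.10.119 211.100.10.120 300.1.1.1
cat "$demo_dir/ifcfg-eth0:1"
rm -rf "$demo_dir"
```

Point DIR at /etc/sysconfig/network-scripts (as root) to write the real files, then restart networking as the post describes.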

Fix Intel HD Audio Controller sound card issues

Laptops based on the Intel Core 2 Duo now commonly use Intel's "HD Audio Controller" chip for sound. After installing Ubuntu, the system panel shows the sound icon, but there is no sound.

Ubuntu installs the ALSA sound card driver, but either it is not the latest driver or the system does not automatically make the proper configuration, which leads to the no-sound problem. The solution is to download the latest ALSA driver packages, compile them manually and do the related configuration; then your system will have sound. This notebook's configuration: Dell Vostro 1400, CPU Intel Core 2 Duo T5470, built-in "Intel High Definition Audio" chipset; system: Ubuntu 7.10 Gutsy Gibbon. The brief steps are as follows:

1. Install the tools for configuring the sound card driver (for details please refer to the relevant documentation):
  sudo aptitude install build-essential libncurses-dev gettext linux-headers-$(uname -r)

2. Download the latest ALSA driver source code (ALSA 1.0.15), then compile and install it. The driver installation requires alsa-driver, alsa-lib and alsa-utils; download the three source packages and install them in the order alsa-driver, alsa-utils, alsa-lib. Note that in the first step, alsa-driver, the following parameter must be given to ./configure:
  sudo ./configure --with-cards=hda-intel
(for other types of sound card with problems, you may modify the parameter so that the sound card is installed or enabled properly). The default Ubuntu 7.10 install has ALSA 1.0.14; compiling and installing 1.0.15 should not require deleting the system's 1.0.14. I tried removing the system's 1.0.14 before installing 1.0.15; it was not removed cleanly, yet the sound card still produced sound. Then restart the system.

3. Configure module parameters. Find out the specific model of your sound card:
  cat /proc/asound/card0/codec#* | grep Codec
(e.g. "Codec: SigmaTel STAC9228" means the model is STAC9228). In the ALSA documentation, find the file ALSA-Configuration.txt and locate the model that best matches yours (typically the notebook manufacturer's name). Add a line at the bottom of the alsa-base file (/etc/modprobe.d/alsa-base):
  options snd-hda-intel model=MODEL
Restart the system; at the login screen you should be able to hear the familiar Ubuntu sound.

Fedora 10 practical uses tutorial it more to the source

Originally, Fedora 10 used the official mirror as its source, which many users cannot use.

I used the education network source.
1. Create a new file sjtu.repo in /etc/yum.repos.d/.
2. Edit it with the following content:

[Fedora-ftp.sjtu.edu.cn]
name=Fedora10-i386
baseurl=http://ftp.sjtu.edu.cn/fedora/linux/releases/10/fedora/i386/os/
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/rpm-gpg-key-fedora file:///etc/pki/rpm-gpg/rpm-gpg-key

[Everything-ftp.sjtu.edu.cn]
name=Everything10-i386
baseurl=http://ftp.sjtu.edu.cn/fedora/linux/releases/10/everything/i386/os/
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/rpm-gpg-key-fedora file:///etc/pki/rpm-gpg/rpm-gpg-key

[updates-ftp.sjtu.edu.cn]
name=Fedoraupdates
baseurl=http://ftp.sjtu.edu.cn/fedora/linux/updates/10/i386/
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/rpm-gpg-key-fedora file:///etc/pki/rpm-gpg/rpm-gpg-key

Save and exit.
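Each section above sets gpgcheck=0, which tells yum to install packages from that mirror without verifying their signatures against the key named in gpgkey. The script below is an added example, not part of the original post: unsigned_repos parses .repo text and lists every enabled section whose gpgcheck is 0 or missing, and harden_repo rewrites gpgcheck=0 to gpgcheck=1. The sample repo text is constructed here to mirror the sjtu.repo layout; the third section and its mirror URL are invented for the demonstration.

```shell
#!/bin/sh
# Added example: find yum repositories that skip signature checks (not from the original post).

# Constructed sample in the sjtu.repo layout; "example-nocheck" is invented.
SAMPLE_REPO='[Fedora-ftp.sjtu.edu.cn]
name=Fedora10-i386
baseurl=http://ftp.sjtu.edu.cn/fedora/linux/releases/10/fedora/i386/os/
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/rpm-gpg-key-fedora

[updates-ftp.sjtu.edu.cn]
name=Fedoraupdates
baseurl=http://ftp.sjtu.edu.cn/fedora/linux/updates/10/i386/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/rpm-gpg-key-fedora

[example-nocheck]
name=constructed repo with no gpgcheck line
baseurl=http://mirror.example.invalid/fedora/
enabled=1
'

# unsigned_repos: read .repo text on stdin; print the id of every enabled
# section whose gpgcheck is not 1 (explicitly 0 or simply absent).
unsigned_repos() {
    awk '
    function flush() {
        if (id != "" && enabled != "0" && gpgcheck != "1") print id
    }
    /^\[.*\]$/ {
        flush()
        id = substr($0, 2, length($0) - 2); enabled = "1"; gpgcheck = ""
        next
    }
    /^[[:space:]]*enabled[[:space:]]*=/  { sub(/^[^=]*=[[:space:]]*/, ""); enabled = $0 }
    /^[[:space:]]*gpgcheck[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); gpgcheck = $0 }
    END { flush() }
    '
}

# harden_repo: turn gpgcheck=0 into gpgcheck=1 so yum verifies packages
# against the key in gpgkey; sections with no gpgcheck line are left for
# the administrator to decide.
harden_repo() {
    sed 's/^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0[[:space:]]*$/gpgcheck=1/'
}

printf '%s' "$SAMPLE_REPO" | unsigned_repos
```

On a real system run `cat /etc/yum.repos.d/*.repo | unsigned_repos` to audit every configured repository; the key file named in gpgkey must exist for gpgcheck=1 to work.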

Tuning LINUX network performance debugging tools article

This article is about tuning Linux network performance; it mainly describes three network tuning and testing tools, route, netstat and tcpdump, and the functions they provide.

When you configure the network, the route determines the path that packets take to reach a given machine. Linux provides the route command, which together with the ifconfig command used to configure the network card can set up static routes. This configuration is usually done in /etc/rc.d/rc.inet1 when the system boots. A few examples of how to use the route command:

  route add -net 127.0.0.0
This command adds a route for the specified address or network to the routing table. Note that the network here is a class A address, the mask is set to 255.0.0.0, and the newly added entry is attached to the lo device.

  route add -net xxx.xxx.xxx.xxx netmask 255.255.255.0 dev eth0
This command adds a route for the network xxx.xxx.xxx.xxx with network mask 255.255.255.0.

  route del -net xxx.xxx.xxx.xxx
This command deletes the route to the network xxx.xxx.xxx.xxx.

The route command can also easily manage the routing information of the whole network; its output is the network routing table, as follows:

[root@lee /root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.8.224     *               255.255.255.255 UH    0      0        0 eth0
10.10.8.0       *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         dgc8.njupt.edu  0.0.0.0         UG    0      0        0 eth0
default         dgc8.njupt.edu  0.0.0.0         UG    1      0        0 eth0
[root@lee /root]#

The meaning of each field in the output:
· Destination: the destination IP address of the route.
· Gateway: the host name or IP address of the gateway used. In the output above, "*" indicates no gateway.
· Genmask: the network mask of the route. Before comparing a packet's IP address with the destination address of the route, the kernel ANDs the packet's IP address with Genmask bit by bit.
· Flags: the routing flags.
The available flags mean: U, the route is up; H, the target is a host; G, a gateway is used; R, the route was reinstated for dynamic routing; D, the route was dynamically installed; M, the route was modified; !, the route is a reject route.
· Metric: the cost of the route, in units.
· Ref: the number of references to this route (the number of other routes that depend on it).
· Use: the number of times this routing table entry has been used.
· Iface: the network interface that packets on this route are sent to.

By viewing this output information we can easily manage the network routing table.

The netstat command

netstat is a very useful tool for monitoring TCP/IP networks; it can display the routing table, the actual network connections, and status information for each network interface device. Executing netstat on the computer gives output like the following:

[root@lee /root]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address   Foreign Address   State
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags  Type    State      I-Node Path
unix  5      [ ]    DGRAM              460    /dev/log
unix  0      [ ]    STREAM  CONNECTED  173    @00000014
unix  0      [ ]    DGRAM              662
unix  0      [ ]    DGRAM              631
unix  0      [ ]    DGRAM              544
unix  0      [ ]    DGRAM              484
unix  0      [ ]    DGRAM              470
[root@lee /root]#

Overall, netstat output can be divided into two parts. Part I, Active Internet connections, lists the active TCP connections; in the above output this part has no content, meaning there are no TCP connections. Part II, Active UNIX domain sockets, lists the active Unix domain sockets. For each Unix domain socket connection the output shows:
· Proto: the protocol used by the connection.
· RefCnt: the number of processes attached to this socket.
· Type: the socket type.
· State: the current status of the socket.
· Path: the path name that other processes use to connect to the socket.
You can use netstat -a to view the state of all sockets, which is very useful when debugging network programs. netstat -r displays the contents of the routing table; usually the "-n" option is given as well so that addresses are shown in numeric form, including the default router's IP address. netstat -i shows information on all network interfaces. netstat can also be used to learn the current network status and the network topology, which is very useful in practice.

tcpdump

The tcpdump command is used to monitor TCP/IP connections and read data link layer packet headers directly. You can specify which packets to watch and control the display format. For example, to monitor all traffic on the Ethernet, run the following command:

  tcpdump -i eth0

Even on a relatively quiet network there is a lot of traffic, so we may want only the packets we are interested in. In general, the TCP/IP stack accepts inbound packets bound for the local host and ignores those addressed to other computers on the network (unless you are using a router). When the tcpdump command runs, it puts the interface into promiscuous mode, which receives all packets and makes them visible. If we care only about the local host's communication, one approach is to use the "-p" option to disable promiscuous mode; another approach is to specify the host name:

  tcpdump -i eth0 host hostname

Now the system shows only the packets of communication with the host named hostname. The hostname can be the local host or any computer on the network.

The following command reads all data sent by host hostname:
  tcpdump -i eth0 src host hostname
The following command lets you monitor all packets sent to host hostname:
  tcpdump -i eth0 dst host hostname
We can also monitor packets passing through a specified gateway:
  tcpdump -i eth0 gateway Gatewayname
If you also want to monitor the TCP or UDP packets addressed to a specified port, execute the following command:
  tcpdump -i eth0 host hostname and port 80
This command displays the headers of each packet going out from, or addressed to, port 80 on host hostname. Port 80 is the default port number of the HTTP service. To list only packets sent to port 80, use dst port; to see only those returning from port 80, use src port.
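The route flags and the double "default" entry in the sample table above are easy to misread in raw output. The script below is an added example and not from the original article: describe_flags expands a Flags value into words using the meanings listed above, route_summary prints one readable line per route, and count_default_routes flags the case where more than one default route is installed (as in the sample, which shows two). The table text is constructed here to match the sample output.

```shell
#!/bin/sh
# Added example: decode "route" output (not from the original article).

# Constructed copy of the sample routing table shown in the article.
ROUTE_OUTPUT='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.8.224     *               255.255.255.255 UH    0      0        0 eth0
10.10.8.0       *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         dgc8.njupt.edu  0.0.0.0         UG    0      0        0 eth0
default         dgc8.njupt.edu  0.0.0.0         UG    1      0        0 eth0'

# describe_flags FLAGS: expand e.g. "UG" into "up,gateway".
describe_flags() {
    _out=""
    _f=$1
    while [ -n "$_f" ]; do
        _c=${_f%"${_f#?}"}      # first character
        _f=${_f#?}              # remainder
        case "$_c" in
            U)   _w=up ;;
            H)   _w=host ;;
            G)   _w=gateway ;;
            R)   _w=reinstate ;;
            D)   _w=dynamic ;;
            M)   _w=modified ;;
            '!') _w=reject ;;
            *)   _w="unknown($_c)" ;;
        esac
        _out="${_out:+$_out,}$_w"
    done
    printf '%s\n' "$_out"
}

# route_summary: read route output on stdin, skip the two header lines and
# print "destination via gateway on iface: flag words" for each route.
route_summary() {
    tail -n +3 | while read -r dest gw mask flags metric ref use iface; do
        printf '%s via %s on %s: %s\n' "$dest" "$gw" "$iface" "$(describe_flags "$flags")"
    done
}

# count_default_routes: how many "default" entries the table has; more than
# one is worth checking, since only the lowest metric is normally wanted.
count_default_routes() {
    tail -n +3 | awk '$1 == "default" { n++ } END { print n + 0 }'
}

printf '%s\n' "$ROUTE_OUTPUT" | route_summary
printf 'default routes: %s\n' "$(printf '%s\n' "$ROUTE_OUTPUT" | count_default_routes)"
```

Pipe the live output of `route` (or `netstat -r`) into route_summary to get the same decoded listing for the running system.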

Establishing secure DNS server

Like other large software, BIND (the DNS server) has many problems because of its size and functional complexity.

Therefore system intrusions exploiting BIND vulnerabilities have also increased substantially in number, and in the most serious cases the attacker obtains full remote control of the target host. Because the DNS server host has great influence on the network, avoiding these intrusions has become crucial. This essay describes how to use a chroot() environment on RedHat Linux (or similar systems) to establish a secure BIND 8.x server. The article is mainly derived from Adam Shostack and his article (Solaris version).

Step 1: obtain and install the software. Please download the latest version of BIND from the ISC FTP site (the contents of this article were tested with BIND 8.x). Download the required free software holelogd (and other useful tools) from the Obtuse Systems FTP site. This software is used to build the /dev/log socket in the chroot environment, allowing syslogd to record the named process log. OpenBSD's syslogd has this functionality built in ("syslogd -a /chroot/dev/log"), but Linux has not yet implemented this feature; holelogd mimics the OpenBSD functionality. Install holelogd according to the software documentation (usually it is installed to /usr/local/sbin).

Step 2: build static named and named-xfer binaries. To compile and install, you need to build statically linked versions of the executables. Only the Makefile.set file in the %BIND%/src/port/linux directory needs a slight modification: replace
  CDEBUG=-O2 -g
with
  CDEBUG=-O2 -static
Switch to the BIND source code path and run "make clean" and "make". In the following step the files are copied to the chroot() directory. This step builds statically linked executables that need not load dynamic link libraries at run time; in a chroot() environment such "independent" executables avoid missing link library files.
Not needing any shared libraries inside the chroot() environment makes configuring the service much simpler. All other network daemons can also be compiled and used as such statically linked versions.

Step 3: construct the BIND chroot() directory. This directory will be the system root directory as BIND sees it in the chroot() environment:

/dev
/etc
/namedb
/usr/sbin
/var/run

Copy the following files to the appropriate subdirectories and do the necessary processing:
/ : nothing
/etc : copy the named.conf file from the system /etc directory; copy the localtime file from the system /etc directory (to give syslog the correct time for named logging); create an /etc/group file containing only the named GID
/namedb : copy all the "zone" database files from the system /etc/namedb directory
/dev : mknod ./null c 1 3; chmod 666 null (please refer to the mknod command of the corresponding version)
/usr/sbin : copy the statically linked named and named-xfer binaries from the %BIND%/src/bin/named and %BIND%/src/bin/named-xfer directories
/var/run : nothing (a logging directory such as /var/log can also be specified)

Step 4: add the named user and group. Add a named user and group to /etc/passwd and /etc/group; they are the UID/GID the DNS server runs as. Now you can go into the chroot environment and run "chown -R named.named /etc/namedb", so that when you send an interrupt signal (kill -INT) the named process saves the server cache and statistics. If the directory is owned by root the named process cannot write that output to the directory, but this does not affect the named server's functionality. Another option is to change only the directory permissions (so that the named user has write permission) while the owner remains root. This method works, but care must be taken that other users cannot modify the named records!

*** Important warning *** Do not run named with a pre-existing UID/GID (such as "nobody").
Remember that using any pre-existing UID/GID in a chroot environment may affect the security of the service. You must provide a separate UID/GID for each daemon in a chroot environment.

Step 5: edit the startup script. Linux uses SYSV-style init files, so there are several places where the command that runs named can be placed. In most cases it is best to put the named initialization script in /etc/rc.d/init.d/named, where you will find the section that starts named. We need to add to and modify some of it.

1. Insert a line before named is run to start holelogd. holelogd needs the location of the remote socket as a parameter, which should be the dev directory of the chroot named tree created in the step above. The command lines are as follows:

# Start daemons.
echo -n "Starting holelogd: "
daemon /usr/local/sbin/holelogd /chroot/named/dev/log
echo
echo -n "Starting named: "
daemon named
echo
touch /var/lock/subsys/named
;;

2. The startup parameters of BIND also need to be modified. BIND 8.x allows you to specify the user ID and group ID to run as, which should be the special UID/GID created in the step above:

# Start daemons.
echo -n "Starting holelogd: "
daemon /usr/local/sbin/holelogd /chroot/named/dev/log
echo
echo -n "Starting named: "
daemon /chroot/named/usr/sbin/named -u named -g named -t /chroot/named
echo
touch /var/lock/subsys/named
;;

3. named's "ndc" script can be used to control named. Edit this file to change the PID file location from /var/run/named.pid to /chroot/named/var/run/named.pid.

Step 6: test the server. Start holelogd with:
  /usr/local/sbin/holelogd /chroot/named/dev/log
Enter the /chroot/named/dev/ directory and run ls -al. You should get output similar to the following:
  srw-rw-rw-  1 root  wheel  0 Jan  1 12:00 log
The "s" bit indicates this is a socket file. The named process in the chroot() environment passes its syslog traffic through this socket.
Now enter:
  /chroot/named/usr/sbin/named -u named -g named -t /chroot/named
If everything works, the named process starts, and the log file records "Ready to answer queries." Run the appropriate DNS tests to ensure the server works correctly, then restart the system and verify all the configuration. On normal startup BIND reports its chroot() directory and the UID/GID it runs as. You can use a program like lsof to list all network sockets on the host for checking. When everything is working correctly, it is suggested to rename /etc/namedb to /etc/namedb.orig or another name, and to chmod 000 /usr/sbin/named, to ensure that these old versions of named will not be used by accident.

Source: ISC (Internet Software Consortium), Steinaraug, BernhardWeissun, Marceuse, Jan Gruber, Adam Shostack, Psionic
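Before starting named as in step 6, it is worth checking the chroot tree against steps 3 and 4 mechanically. The script below is an added example and not from the original article: check_chroot verifies the directory layout and files the article lists, that dev/null is a real character device, that etc/group has a dedicated named group and no shared one such as nobody, that no setuid file has crept into the jail, and that the jail root is not world-writable. The demo tree is constructed in a temporary directory and is deliberately incomplete (no named-xfer, a nobody group, and no mknod, which needs root), so the checks have something to report.

```shell
#!/bin/sh
# Added example: sanity-check a BIND chroot tree (not from the original article).

# check_chroot ROOT: print one line per problem and return the problem count
# (0 means the tree matches the layout described in steps 3 and 4).
check_chroot() {
    root=$1
    count=0
    problem() { echo "$1"; count=$((count + 1)); }

    for d in dev etc namedb usr/sbin var/run; do
        [ -d "$root/$d" ] || problem "missing directory $d"
    done
    for f in etc/named.conf etc/localtime etc/group usr/sbin/named usr/sbin/named-xfer; do
        [ -f "$root/$f" ] || problem "missing file $f"
    done
    # /dev/null must be a character device made with mknod, not a plain file
    [ -c "$root/dev/null" ] || problem "dev/null is not a character device (mknod ./null c 1 3)"
    if [ -f "$root/etc/group" ]; then
        grep -q '^named:' "$root/etc/group" || problem "etc/group has no named group"
        grep -q '^nobody:' "$root/etc/group" && problem "etc/group lists nobody; use a dedicated GID"
    fi
    # a setuid binary inside the jail would undo the point of running as -u named
    for s in $(find "$root" -type f -perm -4000 2>/dev/null); do
        problem "setuid file inside jail: ${s#$root/}"
    done
    # the jail root itself must not be writable by everyone
    [ -z "$(find "$root" -prune -perm -002 2>/dev/null)" ] || problem "jail root is world-writable"
    return "$count"
}

# demo_tree: constructed, deliberately incomplete tree; the GIDs are made up.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/dev" "$root/etc" "$root/namedb" "$root/usr/sbin" "$root/var/run"
    : > "$root/etc/named.conf"
    : > "$root/etc/localtime"
    printf 'named:x:53:\nnobody:x:99:\n' > "$root/etc/group"
    : > "$root/usr/sbin/named"      # named-xfer is left out on purpose
    echo "$root"
}

demo_root=$(demo_tree)
check_chroot "$demo_root"
echo "problems: $?"
rm -rf "$demo_root"
```

Run `check_chroot /chroot/named` as root on the real jail; any output means the startup command in step 6 should wait until the tree is fixed.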

IPsec security technology: a full introduction

IPsec (IP Security) is a technology for encrypting network communication at the IP layer.

Although you cannot encrypt the header and trailer information of a packet (such as the source/destination IP address, port number, CRC checksum and so on), you can encrypt the packet's data. Because encryption happens at the IP layer, you can protect protocols such as POP or WWW without changing them. It can also be used to implement LAN-to-LAN connections across the Internet.

The IP security architecture: the IPv4 packet itself provides no security protection, so an attacker can use packet sniffing, IP spoofing, connection hijacking and replay attacks (continually sending packets with the same sequence number to crash the system). A received packet therefore carries the following hazards: it may not come from a legitimate sender; the data may have been modified in transit; the data content may have been stolen (for example military secrets or other important conversations). IPsec aims to provide integrity of data transfer (verification of the source address and a guarantee that the data has not been modified), confidentiality (the data cannot be read) and a degree of protection against replay attacks. IPsec can be used to protect IP and the protocols above it (TCP, UDP and so on).

The basic structure of IPsec is the use of the Authentication Header (AH) and the Encapsulating Security Payload (ESP) for authentication and encryption of data: the former implements data integrity, the latter data confidentiality. Two modes are provided for data transport, transport mode and tunnel mode. In transport mode a new IPsec header (AH or ESP) is inserted between the IP header and the upper-layer protocol header; in tunnel mode the entire IP packet to be protected is encapsulated in another IP packet, and a new IPsec header is inserted between the outer and inner IP headers.
The two IPsec headers can be used in both transport mode and tunnel mode at the same time.

[Figure: the original packet, a transport-mode protected packet and a tunnel-mode protected packet]

IPsec's protection mechanism is determined by four main components: the Internet Key Exchange process, the IPsec processing itself, the Security Association Database and the Security Policy Database. IPsec thus has two important databases, the Security Association Database (SAD) and the Security Policy Database (SPD). Each tuple in the SAD is a Security Association (SA), the basis of IPsec: an agreement negotiated between two communicating entities that determines the IPsec protocol used to protect packets, the transforms, the keys and the key lifetime. Each tuple in the SPD is a policy, which specifies the security services applied to packets and how the packets are processed; it is the human-machine interface of security, covering policy definition, representation and management and the interaction between policy and the various components of the IPsec system. The two databases are linked. For the sender, each SPD tuple has a pointer to the associated SAD tuple; if an SPD tuple does not point to an SA suitable for the outgoing packet, a new SA or SA bundle is created and the SPD tuple is linked to the new SA tuple. For the receiver, the corresponding SA is found in the SAD by the destination address contained in the IP header, the IP security protocol type (AH or ESP) and the SPI (security parameter index). The other fields of an SA include the sequence number, the sequence number overflow flag, the anti-replay window, the AH authentication algorithm and key, the ESP encryption algorithm, key and initialization vector, the ESP authentication algorithm and key, and so on. The Internet Key Exchange (IKE) is the most important part of IPsec: to protect an IP packet with IPsec an SA must first be established, and IKE is used to build SAs dynamically. IKE negotiates the IPsec SAs on the system's behalf and fills the SAD.
IKE is a hybrid protocol built on the framework defined by the Internet Security Association and Key Management Protocol (ISAKMP). IKE uses the two phases of ISAKMP: the first phase establishes an IKE security association, and the second phase uses the established security association to negotiate the specific security associations for IPsec. The IPsec processing itself is implemented by the IPsec daemon; users interact with this process to manage their own security policy and implement the network security that suits their requirements. Each development organization has its own source code, but all must comply with the RFC specifications, so the end result should be the same. In general the IPsec source code is embedded in the IP layer of the kernel source; it has been suggested that it sit either at the IP layer or between IP and TCP, and both approaches are possible.

IPsec virtual private networks: when IPsec is used on a router, a virtual private network can be established. One side of the router is attached to the internal, protected network, the other to the unprotected public network. Two such routers establish a secure channel, and communication through this channel is protected from the local subnet to the remote subnet, forming a VPN. In the VPN each router with IPsec is a network aggregation point, and attempts to analyse the VPN's traffic will fail. All traffic destined for the VPN passes through a router whose SAs define the encryption or authentication algorithms and key parameters: a packet leaving a VPN router that matches a security policy is processed by the corresponding encryption or authentication SA (adding an AH or ESP header). The entire secure transfer process is controlled by IKE, keys are generated automatically, and users on the protected subnets do not need to consider security; all encryption and decryption is done solely by the routers on both sides.
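The SPD-to-SAD pointer on the sending side, the (destination, protocol, SPI) lookup on the receiving side and the anti-replay window described above, as an added example that is not part of the original article or of any IPsec implementation. Algorithms and keys are omitted because they play no part in the lookup; the SA and policy field names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

AH, ESP = 51, 50   # IP protocol numbers of the two IPsec headers


@dataclass
class SecurityAssociation:
    """One SAD entry with the receiver-side fields the article lists."""
    dst: str
    proto: int                       # AH or ESP
    spi: int
    window_size: int = 64            # anti-replay window width in packets
    highest_seq: int = 0             # right edge of the window
    bitmap: int = 0                  # bit i set: highest_seq - i already received
    seq_overflow_flag: bool = False  # set if the 32-bit counter would wrap

    def check_replay(self, seq: int) -> bool:
        """Sliding-window anti-replay check (RFC 2401 style).
        Returns True if seq is fresh and records it; False if it is a
        replay, too old for the window, or the invalid value 0."""
        if seq == 0 or seq > 0xFFFFFFFF:
            return False
        mask = (1 << self.window_size) - 1
        if seq > self.highest_seq:               # advance the window
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:           # left of the window: too old
            return False
        if self.bitmap & (1 << offset):          # already seen: replay
            return False
        self.bitmap |= 1 << offset
        return True


class SecurityAssociationDatabase:
    """SAD keyed by the triple a receiver reads from the packet headers."""

    def __init__(self):
        self._entries = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._entries[(sa.dst, sa.proto, sa.spi)] = sa

    def lookup(self, dst: str, proto: int, spi: int) -> Optional[SecurityAssociation]:
        return self._entries.get((dst, proto, spi))


@dataclass
class Policy:
    """One SPD entry: a selector, an action and (for 'protect') the pointer
    into the SAD that the article describes."""
    dst_net: str
    action: str                      # 'protect', 'bypass' or 'discard'
    sa_key: Optional[tuple] = None   # (dst, proto, spi) of the outbound SA


def outbound_decision(spd: list, sad: SecurityAssociationDatabase, dst: str) -> str:
    """Sender side: the first matching policy wins. A 'protect' policy whose
    pointer does not reach a live SA means IKE must negotiate one first."""
    addr = ipaddress.ip_address(dst)
    for pol in spd:
        if addr in ipaddress.ip_network(pol.dst_net):
            if pol.action != "protect":
                return pol.action
            if pol.sa_key is None or sad.lookup(*pol.sa_key) is None:
                return "ike-needed"
            return "protect"
    return "discard"                 # no policy matched


def inbound_check(sad: SecurityAssociationDatabase, pkt: dict) -> str:
    """Receiver side: locate the SA by (dst, proto, spi) from the headers,
    then run the anti-replay window on the sequence number."""
    sa = sad.lookup(pkt["dst"], pkt["proto"], pkt["spi"])
    if sa is None:
        return "no-sa"
    return "ok" if sa.check_replay(pkt["seq"]) else "replay"
```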

Linux system security from the perspective of kernel vulnerabilities

C (as B) ----> PSH ----> A

IP spoofing attacks exploit the fact that RPC servers rely only on the source IP address for security checks. The hardest part of the attack is predicting A's ISN, but it has a relatively high chance of success.

C must accurately anticipate what A may send to B and what A expects to receive from B in response, which requires the attacker to be quite familiar with the protocol itself. It should also be understood that this kind of attack cannot be completed interactively; a program must be written to carry it out. Of course, in the preparation phase a tool such as NetXRay can be used for protocol analysis.

Summary: by analysing the several vulnerabilities above we can see that Linux is not perfect and has a lot of room for improvement. Some vulnerabilities have a significant impact on the promotion and use of Linux, for example the Linux hash table collision vulnerability above, because some firewall and IDS vendors develop their own products on the Linux kernel; if they still use the Linux hash algorithm they are affected by this vulnerability and an attacker can easily carry out a DoS attack. Because firewalls and IDS are themselves security products, an attack on them causes users great losses, so we need to keep track of these vulnerabilities and, by understanding their behaviour, prevent the system from producing this kind of vulnerability again; by forecasting and mining this kind of vulnerability we can proactively defend against hackers.

Linux system security tools list

sXid: checks the system for suid and sgid files and files without an owner
S/Key: one-time password (OTP) tool
logrotate: log rotation tool
logcheck: log management tool
swatch: log management tool, more real-time than logcheck
ssh (OpenSSH): provides secure connections, authentication and encrypted data transfer
openssl: provides encrypted connections, authentication and data transfer
Portsentry: anti-scanning tool, monitors your own UDP and TCP ports
tripwire: provides system integrity checks
gnupg: encrypts single files and creates digital signatures
hostsentry: host-based intrusion detection, logs connections
ipchains: packet filtering firewall shipped with Linux distributions
CFS and TCFS: cryptographic file system and transparent cryptographic file system, encrypt all files in a directory
antisniff: checks the network for sniffers
FreeS/WAN: VPN tool implemented on Linux
Syslog-ng: a replacement for syslog
Scandns: DNS checking and tracking tool
Whisker: CGI scanner
Snoopy: logs executed commands by tracking the execve system call
Linux kernel patch: kernel security patch that prevents buffer overflows and more
krnsniff: a kernel-module based listening tool
iptables: packet filtering firewall used as a replacement for ipchains
Imsafe: detects buffer overflow problems by tracking system calls
Iplog: logs packets to and from the host
Solar Designer's kernel patch: prevents buffer overflows and more
StackGuard: a gcc patch that prevents buffer overflows
DTK honeypot: port spoofing defence
Antiroute: blocks and records tracking based on source routing

Linux security: step by step fortification (2)

Author: dingwei

Using a remote administration tool: the Webmin remote management software is recommended; the current version is 1.020-1, and you can download it from http://www.webmin.com.

In order to use it securely, you need to download and install OpenSSL (the current version is 0.9.6g, http://www.openssl.org) and Net_SSLeay.pm (the current version is 1.20, http://www.webmin.com). Webmin is a tool for managing the system through a browser over http or https, by accessing http://ip:10000 or https://ip:10000. With OpenSSL and Net_SSLeay.pm, Webmin uses SSL encryption, so that communication goes over https rather than in plain text.

    # Install Webmin
    rpm -Uvh webmin-1.020-1.noarch.rpm
    # compile OpenSSL 0.9.6g
    tar xfz openssl-0.9.6g.tar.gz
    cd openssl-0.9.6g
    ./config >> /root/install.log
    make
    make install
    # compile the Net_SSLeay.pm module
    tar xzf Net_SSLeay.pm-1.20.tar.gz
    cd Net_SSLeay.pm-1.20
    perl Makefile.PL
    make install

Closing some services: close unnecessary service processes to reduce vulnerabilities. After a full installation Red Hat Linux has about 100 service processes; although not all of them are loaded, they are prone to problems. Because this is a desktop application, only the necessary services are kept. The following is an example that can basically meet user needs.

    # use chkconfig --list to view the service processes enabled on the system
    # use chkconfig --del to remove a specified service process
    # the scripts under /etc/init.d and the corresponding ones under /etc/xinetd.d can also be moved to a safe directory
    # or the scripts' run permissions changed
    # service processes proposed to be retained:
    anacron
    autofs
    # used to start auto-run tasks
    crond
    gpm
    ipchains
    iptables
    keytable
    # PnP-like hardware detection program
    kudzu
    netfs
    network
    nfs
    nfslock
    portmap
    random
    rawdevices
    # recommended replacement for telnet: secure login over an encrypted channel
    sshd
    # log process
    syslog
    telnet
    xfs
    # super daemon
    xinetd

You should also remove unnecessary users and groups, using userdel and groupdel to delete them.
    # users that can be deleted
    news uucp gopher
    # groups that can be deleted
    news uucp dip
    # in a LAN environment, to prevent users from using a dial-up connection
    pppusers popusers slipusers

Also turn off IP masquerading and the binding of multiple IPs by modifying the /etc/host.conf file:

    /etc/host.conf
    # multiple IP binding
    multi off
    # IP spoofing
    nospoof on

Disabling shutdown by Ctrl+Alt+Del as needed: modifying the /etc/inittab file can disable this feature and enhance the security of the terminal.

    /etc/inittab
    # close the system with Ctrl+Alt+Del; a delay and a notification to the administrator can also be added
    # ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Hardening the super daemon: modifying the /etc/xinetd.conf file lets you add security settings such as the remote connection limit, the network segments allowed to access, and access times. These modifications take effect for telnet and all other service processes managed by xinetd.

    /etc/xinetd.conf
    defaults
    {
        instances       = 60
        log_type        = SYSLOG authpriv
        log_on_success  = HOST PID
        log_on_failure  = HOST
        cps             = 25 30
        # limit access to the 200.10.2 and 200.10.5 segments only; adjust as needed
        only_from       = 200.10.5.0 200.10.2.0
        # deny access from other segments
        no_access       = 0.0.0.0
        # restrict access time to 7:00 to 24:00; adjust the limit as needed
        access_times    = 7:00-24:00
    }
    includedir /etc/xinetd.d
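To see what the only_from, no_access and access_times settings above actually admit, here is an added example (not from the original article or from xinetd) that parses the defaults block and decides whether a connection would be accepted. The sample configuration is the article's block embedded as constructed input; the tie-breaking rule when an allow and a deny match are equally specific is this example's own assumption.

```python
import re

# The defaults block from the article, embedded here as constructed sample input.
SAMPLE_XINETD_CONF = """
defaults
{
    instances       = 60
    log_type        = SYSLOG authpriv
    log_on_success  = HOST PID
    log_on_failure  = HOST
    cps             = 25 30
    # limit access to the 200.10.2 and 200.10.5 segments
    only_from       = 200.10.5.0 200.10.2.0
    # deny access from other segments
    no_access       = 0.0.0.0
    # restrict access to 7:00-24:00
    access_times    = 7:00-24:00
}
includedir /etc/xinetd.d
"""


def parse_defaults(text: str) -> dict:
    """Parse the attributes inside `defaults { ... }` into name -> list of values.
    Comments after '#' are dropped; values are split on whitespace."""
    body = re.search(r"defaults\s*\{(.*?)\}", text, re.S).group(1)
    attrs = {}
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            attrs[key.strip()] = val.split()
    return attrs


def _specificity(pattern: str, addr: str) -> int:
    """xinetd's numeric address form: trailing .0 octets are wildcards, so
    200.10.5.0 matches 200.10.5.* and 0.0.0.0 matches everything. Returns the
    number of octets that had to match, or -1 if the pattern does not match."""
    pat = [int(o) for o in pattern.split(".")]
    octs = [int(o) for o in addr.split(".")]
    while pat and pat[-1] == 0:
        pat.pop()
    return len(pat) if octs[:len(pat)] == pat else -1


def _minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def access_allowed(attrs: dict, addr: str, hour: int, minute: int) -> bool:
    """Would xinetd accept a connection from addr at hour:minute under these
    defaults? only_from and no_access are both consulted and the more specific
    match wins (an exact tie is treated as denial here, an assumption of this
    example); access_times is then applied as an inclusive range."""
    allow = max((_specificity(p, addr) for p in attrs.get("only_from", [])), default=-1)
    deny = max((_specificity(p, addr) for p in attrs.get("no_access", [])), default=-1)
    if "only_from" in attrs and allow < 0:
        return False                 # an only_from list exists and we are not on it
    if deny >= 0 and deny >= allow:
        return False                 # denied, or the deny match is at least as specific
    if "access_times" in attrs:
        now = hour * 60 + minute
        ranges = (spec.split("-") for spec in attrs["access_times"])
        if not any(_minutes(a) <= now <= _minutes(b) for a, b in ranges):
            return False
    return True


if __name__ == "__main__":
    cfg = parse_defaults(SAMPLE_XINETD_CONF)
    print(access_allowed(cfg, "200.10.5.7", 9, 30), access_allowed(cfg, "200.10.9.7", 9, 30))
```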

Friday, December 24, 2010

Configuring the Oracle Designer Repository

1 Preface. For colleagues who have tried Oracle Designer, the most painful thing is that on starting Oracle Designer it prompts "the logged-on user has not installed the Repository"; not knowing what a Repository is or where to install it, the decision to learn Oracle Designer is finally abandoned.

I remember trying to learn it several times (probably more than 10), but ultimately giving up because I did not know how to configure the Oracle Designer Repository. Recently I tried to learn again and finally configured the Oracle Designer Repository successfully. The configuration method is given here for everybody, in the hope that it helps colleagues interested in learning Oracle Designer to clear some obstacles.

Note: compared to other database modeling tools, the main characteristic of Oracle Designer is its readiness for team collaboration in programming, i.e. team members can design different partitions of the system at the same time and the system automatically synchronizes the partitions' data objects.

2 Technical background

2.1 Repository knowledge. The Repository can be thought of as the basis of the modeling environment; it includes a range of packages, databases, views and other database objects, and enables functions such as collaboration between different users and job control. Before using Oracle Designer, Oracle asks us to configure this environment first in order to obtain Oracle's modeling capabilities.

2.2 Repository configuration process. Seemingly complex things can be implemented by the simplest method. Repository configuration takes 2 steps: (1) check whether the current user has sufficient permissions and, if not, grant them (it is suggested that the authorizing user be sys/xxx@DBName as sysdba); (2) click the Install Repository button, and Oracle will automatically install the Repository-related database objects.

3 Repository creation

3.1 Create an Oracle user and log on to the system as that user.
3.2 Click Check Requirements.
3.3 View each option in the list on the left and confirm that each Privilege is correct. Note: even if the user has been granted DBA, there will be 6-7 Privileges that need to be granted by the Sys user.
3.4 For Privileges that are insufficient, grant them using the Sys user.
3.5 Click the Install button to install the Repository.
3.6 In the system interface, click the Start button.
If permissions are still insufficient (something omitted in Check Requirements), the installer will prompt an error.
3.7 Still in SQL*Plus, make up all the permission configuration items that slipped through.
3.8 Back in the Repository installation interface, click the Start button and the system will automatically begin the installation. The installation process takes approximately 20-30 minutes, provided of course that there is sufficient hard disk space.
3.9 At this point the Repository is installed; try to enter Oracle Designer again and you will find it can be entered properly. Regarding its use, Oracle Designer will be introduced further in another article.

Sharing documents between Ubuntu and WinXP over a LAN

3. An Ubuntu Linux system accessing a WinXP/2003/2000 system. In my testing there are 3 ways for an Ubuntu Linux system to access a Windows system; I describe them below.

Note that access permissions for the shared directory are set on the Windows system. This article uses the Windows system's logon user name and password throughout, that is, it assumes that the logged-on user has access to the shared directory. If the logged-on user does not have access, enter a user name and password that are authorized for the Windows shared folder. For example, create a group and a user: the UbuntuSMB group and the ubuntu user.

    > net localgroup UbuntuSMB /add
    > net user ubuntu ShareAccessPassword /add /passwordchg:no /expires:never
    > net localgroup UbuntuSMB ubuntu /add
    > net localgroup Users ubuntu /delete

In the command lines above, ShareAccessPassword is the password you want to set. Cancel Windows' default simple file sharing, and set the Windows shared folder so that only the UbuntuSMB group can read and write it. The user name and password used below should then be changed to ubuntu and the corresponding password.

First method: access via smb. If the Ubuntu Linux terminal can ping the Windows host's IP address and the Windows computer has a shared folder, open the menu entry Places -> Network and click the Windows workgroup; inside the workgroup you can see the Windows computer name. Double-click it and a user name and password dialog pops up; enter the logon user name and password set on the Windows system to access it.

Second method: use the Ubuntu "connect to server" function. Start Places -> Connect to Server, select the service type "Windows share", enter the Windows server's IP address or computer name and click Connect; the desktop then displays a volume connected to the Windows computer. We can access it like a disk on the Ubuntu system, and the Windows logon user name and password are again entered at access time.
Third method: mount the Windows shared directory on a local disk. First create a mount point on the Ubuntu system; here we create the point /mnt/wind:

    # mkdir /mnt/wind

Also make sure the network is connected and that there is a shared directory on Windows. Taking the Windows IP 192.168.0.1 and the shared folder named share as an example, the command is as follows:

    # mount -t smbfs -o username=wangyh,password=123456 //192.168.0.1/share /mnt/wind

Garbled characters may appear at access time; the following command solves this problem:

    # mount -t smbfs -o iocharset=utf8,codepage=cp936,dmask=777,fmask=777,username=wangyh,password=123456 //192.168.0.1/share /mnt/wind

Note: username and password are the Windows logon user and password. If you want to learn more about the mount command, view its detailed usage with man mount in the terminal.

Tip: to access a Windows folder with a special password, you can create a samba user with the same name and password as the Windows logon and then mount it, for example:

    # sudo useradd administrator    # do not give this account login privileges
    # sudo smbpasswd -a administrator

Ubuntu then prompts for a password: enter the password used for Windows access.

The practice from the site http://wiki.ubuntu.org.cn/ubuntuhelp:comprehensivesambaguide: start a terminal on the Ubuntu system, create a group and add users, joining $USER to the smb group:

    $ sudo mkdir -p /media/winshares
    $ sudo addgroup smb
    $ sudo adduser $USER smb

Assuming the Windows computer name is DEVMACHINE and the shared folder is shares, mount the shared folder on the directory /media/winshares:

    $ sudo mount -t smbfs -o username=ubuntu,password=ShareAccessPassword,workgroup=Workgroup,gid=smb,uid=$USER,fmask=770,dmask=770,rw //DEVMACHINE/shares /media/winshares

Fourth method: use the smbclient command. The command is as follows:

    # smbclient //192.168.0.1/share -U wangyh
    Password:

Enter the password of the smb user wangyh and press return; then use the command get to download
a file and put to upload a file.

Note, an introduction to the smbclient commands:
? or help [command]: provide help, or help on a command
! [shell command]: execute a shell command, or drop the user to a shell prompt
cd [directory]: switch to the specified directory on the server side; if none is specified, smbclient reports the current directory
lcd [directory]: switch to the specified directory on the client
dir or ls: list the files in the current directory
exit or quit: quit smbclient
get file1 file2: download file1 from the server and store it as file2 on the local machine; if you do not want to rename it, file2 can be omitted
mget file1 file2 file3 ... filen: download multiple files from the server
md or mkdir directory: create a directory on the server
rd or rmdir directory: remove a directory on the server
put file1 [file2]: upload the file file1 to the server, renamed as file2 on the server
mput file1 file2 ... filen: upload more than one file

Reference documents:
1. Ubuntu: implementing file sharing between Windows and Linux using samba (reprint), hi.baidu.com/zdl1016/blog/item/7d1326552157a8c7b745ae10.html
2. UbuntuHelp: ComprehensiveSambaGuide, wiki.ubuntu.org.cn/UbuntuHelp:ComprehensiveSambaGuide

How to build a dual-boot RedHat Linux system

Another approach to configuring LILO: here is an alternative to editing the lilo.conf file by hand.

Open a terminal window, go to the /root directory and enter linuxconf. This takes you to the Linux configuration window, where you can configure the system. Scroll down to "Boot mode". Under "Boot mode" you should see the option to configure LILO. Select the second menu item, "Configure LILO (Linux configurations)", and then click the "LILO Linux configurations" tab. Click "Add". You can then add the other Linux boot partition and the location of its kernel file. If you are not sure what to enter in each field, see the content listed earlier.

Look at the top of the lilo.conf file: you will notice that it belongs to the installation numbered linux2, namely the second Linux installation made during the installation process. Now, to make a dual-boot install, add the following content for the first Linux instance, whose LILO is on the /sda5 partition (/hda5 for IDE drives), immediately after the last line:

    image=/boot/vmlinuz-2.2.14-5.0
        label="Linux1"
        initrd=/boot/initrd-2.2.14-5.0
        root=/dev/sda5

So, after editing in the lines above, the final file should look like this:

    boot=/dev/sda
    prompt
    timeout=30
    default="Linux2"
    linear
    vga=normal
    read-only
    map=/boot/map
    install=/boot/boot.b
    image=/boot/vmlinuz-2.2.14-5.0
        label="Linux2"
        initrd=/boot/initrd-2.2.14-5.0
        root=/dev/sda10
    image=/boot/vmlinuz-2.2.14-5.0
        label="Linux1"
        initrd=/boot/initrd-2.2.14-5.0
        root=/dev/sda5

Make sure the last line above specifies the root path as shown; this is very important. Also make sure that you use the label chosen during installation. Now save the file and enter lilo at the command prompt. This rebuilds the boot map and saves the updated configuration.

Note: the image/kernel for both installations is the same (/boot/vmlinuz-2.2.14-5.0), because we are making an identical dual-boot system from the same CD, installed with the same map file. If you are installing a different release, the files will be different.
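The checks the text asks for by hand (the right root partition in each stanza, the label used at installation, one stanza per installation) can be verified mechanically. The following is an added example, not part of the original article or of LILO, that parses the lilo.conf assembled above (embedded as sample input) and reports the mistakes a dual-boot configuration must not contain.

```python
# lilo.conf as assembled in the text above, embedded here as sample input.
SAMPLE_LILO_CONF = """
boot=/dev/sda
prompt
timeout=30
default="Linux2"
linear
vga=normal
read-only
map=/boot/map
install=/boot/boot.b
image=/boot/vmlinuz-2.2.14-5.0
    label="Linux2"
    initrd=/boot/initrd-2.2.14-5.0
    root=/dev/sda10
image=/boot/vmlinuz-2.2.14-5.0
    label="Linux1"
    initrd=/boot/initrd-2.2.14-5.0
    root=/dev/sda5
"""


def parse_lilo_conf(text: str):
    """Split lilo.conf into global options and a list of image stanzas.
    Each `image=` line opens a new stanza; a bare word (prompt, linear,
    read-only) is stored as a True flag."""
    globals_, images, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"') or True
        if key == "image":
            current = {"image": value}
            images.append(current)
        elif current is None:
            globals_[key] = value
        else:
            current[key] = value
    return globals_, images


def validate_lilo_conf(globals_: dict, images: list) -> list:
    """Return the problems a dual-boot lilo.conf must not have: every stanza
    needs a label and a root, labels must be unique, two stanzas must not
    boot the same root partition, and `default` must name an existing label."""
    problems = []
    labels = [img.get("label") for img in images]
    roots = [img.get("root") for img in images]
    for img in images:
        for key in ("label", "root"):
            if key not in img:
                problems.append(f"stanza {img['image']} lacks {key}=")
    for lab in {l for l in labels if l and labels.count(l) > 1}:
        problems.append(f"label {lab} used more than once")
    for r in {r for r in roots if r and roots.count(r) > 1}:
        problems.append(f"root {r} appears in more than one stanza")
    default = globals_.get("default")
    if default and default not in labels:
        problems.append(f"default={default} matches no label")
    return problems


if __name__ == "__main__":
    g, imgs = parse_lilo_conf(SAMPLE_LILO_CONF)
    print(validate_lilo_conf(g, imgs))   # [] for the configuration above
```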

Fedora 10 new features overview

Fedora is a Linux-based operating system that contains the latest free and open source software.

Anyone can use, modify and distribute Fedora, for free and forever. It is created by a global community, the Fedora Project, which is an open project that welcomes anyone to join. The Fedora Project is a leading project that brings the latest results of free and open software and components to users.

Because the related servers were compromised by malicious hackers last August, the official release of Fedora 10 was postponed by a month from the original plan. The Fedora development community had to take some critical machines offline; fortunately, inspection found no source code to have been stolen. Fedora 10 is based on the Linux kernel 2.6.27 released in October of this year, with improved compatibility for popular cameras, integration of the new Atheros ath9k wireless driver, and Firefox 3.0.4 as the default browser. Fedora 10 offers two installation environment options with the latest versions, KDE 4.1 and GNOME 2.24; the former was released in July and the latter in September, integrating the Empathy instant messaging client and tabbed browsing, and improving the Nautilus file manager.

According to the official release notes, the main characteristics of Fedora 10 are:

1. RPM Fusion. Fedora has long been criticized for not providing proprietary software and patented codecs, for a variety of reasons we are all familiar with. In the past, you could use various third-party software repositories to obtain this forbidden additional software, but they often conflicted with, or were incompatible with, the software in the Fedora base repository. Now things are better: several of the most commonly used repositories have come together to create a brand new super repository, RPM Fusion. This is the only repository you need for multimedia decoders and hardware drivers.
What is most remarkable about RPM Fusion is that, thanks to Fedora's open character, they use exactly the same tools (such as the packaging software) and the same packaging process to package their software, so quality is guaranteed.

2. Better print support. Automatic printer configuration arrived in Fedora 8: plug in virtually any printer and all the missing drivers are installed automatically, without any help from the user. In Fedora 10 the printer control application, the system configuration and the print drivers have been completely rewritten and simplified. Some of the changes are very small, but it is these very small changes that transform the entire printing system. Some notable improvements include: the root password is no longer required, as the user is no longer prompted for it; out-of-paper conditions, denied print jobs and the like are shown as icons; failed print jobs notify the user and offer a diagnostic tool to identify the failure; the dialog box is simplified, and there is no longer a confusing initial printer dialog box.

Comments on the seven best closed-source Linux applications

Picasa and Linux. In May 2006 Google announced that it had brought the popular free Picasa photo management tool to the Linux operating system and launched a new version, 2.2.

It can be used on most Linux distributions. It runs in a Win32 API simulation environment, so it is not much different from the Windows version, except that it lacks some features of the Windows version. In order to support the open-source operating system, Google's developers used a special version of Wine (which allows Linux to run Windows software) and provided the code. Google open source program manager Chris DiBona said that the Linux version of Picasa consolidates basically all the features of the Windows version. He also revealed that, because this version of Picasa runs on a carefully tested Wine, it avoids the performance loss of a virtual machine. In December 2007 Google introduced a new version of the Picasa photo management software for the Linux operating system, version 2.7 beta. The features of the new Picasa 2.7 Beta for Linux: * upload files to Picasa Web Albums (Google's online photo album) * save edits to disk * folder-level preview * improved import feature, to import photos into an existing folder * better RAW support: Canon 30D, Nikon D200, Adobe DNG and so on * many other enhancements, such as larger thumbnails and better caption editing. The new software update includes support for directory tree browsing, import capabilities and the RAW image file format. However, the Linux version did not get the new features of the Windows version, such as the "web album" button for uploading to online photo albums. The new Linux version is also unable to manage video files or browse pictures as a full-screen slide show.

3. The hard drive management tool Acronis Disk Director Suite. Disk Director Suite is a set of powerful hard disk management tools produced by Acronis; with it you can reorganize your computer for more efficient and secure data.
Acronis Disk Director Suite brings all the popular disk management functions into a single package. Its features include:
* Partition management: resize, copy and move partitions without losing disk data, and repartition or tune an existing hard disk.
* Multiple boot management: the software is a good boot manager that can establish dual or multiple boot environments, so you can easily install and boot several operating systems. It supports Windows 95/98/Me/NT (including the Server Edition)/2000 (including the Server and Advanced editions)/XP/2003 Server Edition/Vista, Linux and other operating systems.
* Disk editor: manually edit the data on your hard drive.
* Sector recovery: repair data on damaged or deleted partitions.
Of particular note is that Acronis Disk Director Suite contains a powerful and at the same time easy-to-use system boot manager. It allows you to install more than 100 operating systems on a computer, and you can select any one installed on a different partition to start the computer. This multiple-OS boot solution really is simple to use. The Acronis Disk Director Suite boot manager can:
* Secure data: the boot manager allows you to install various independent operating systems, whether for family, work or any test, so you can have operating systems with different requirements on one disk. To protect the data of these operating systems, you can also set a startup password.
* Ensure that older applications continue to run: when your old application software or games will not work on the latest XP system, you can install the operating system the software runs on so that your work or entertainment continues.
* Try Linux and any other system you are interested in.
Therefore, for those who want to use a dual boot at all costs, I recommend Acronis Disk Director Suite, because it allows users to easily add and delete new Linux distributions and conflicts very little with the old boot manager. As a system boot manager, the Acronis Disk Director Suite features I personally prefer include: * recovering a corrupted master boot record (MBR) * restarting an operating system with boot problems * cloning an OS with a single click

Several commonly used Linux backup methods

System backup is an important part of system management. This article details the various backup methods available in Linux; I believe they will all help with your day-to-day management.

Backup is an important job, but many people do not do it. Once data is lost through improper use, a backup is a real help. This article discusses setting up a backup strategy, how to select a backup medium, and backing up with the tar and cpio tools.

Setting the backup policy: setting a backup strategy and plan increases the likelihood that backups get done. Before you start backing up, determine what data to back up, the backup frequency and what type of medium to use. When you first back up, you should perform a full backup. Backups are usually placed in idle time, because in most systems few users are logged in then, so few files are open. Because a backup takes up some system resources, users will find the system unresponsive while it runs. If there is only one Linux computer, you can back up the entire system once a week or once a month. If you have key files, you should have a plan to copy them to removable disks.

Before backing up, first make sure that the backup device is set up correctly. Most tape backup systems are detected correctly at installation time. When the system has started, open a terminal window and enter the following command:

    $ dmesg | less

Scroll through the list and look for your tape drive. If it is not found, you need to load the driver module.

If you run a Linux server, you must formulate a backup plan, but this does not mean that everything is backed up every day. Only part of the system needs to be backed up daily; the following lists what needs backing up:
User documents: back up the user files in the /home directory daily.
Configuration files: the configuration files in the /etc and /var directories do not need frequent backups; back them up weekly or monthly, mainly depending on how often the configuration changes.
Program files: the program files in the /usr and /opt directories rarely change and can be backed up once after installation. Normally, program files are easily restored from your original installation disks.

Selecting a backup medium: there are a variety of choices for where to save the backup.
Here are some alternative backup medium: floppy disk: If you want to make a quick backup of important files, or to be brought home when the floppy disk is still a kind of optional backup media. The CD writer: as the CD writer is becoming more and more reliable, the price is lower and lower, the disc itself is also very cheap. Choose one of the benefits of this item is not easy to be damaged, its backup reliability is very high. Use the CD writer has two disadvantages: they are slow, and can save about 650MB. Rewritable discs: rewritable disc drive than the CD writer is more expensive, working methods and the like. However, these discs can be rewritten, and it can only write-once disc on your lot. Rewritable CDs other characteristics are similar with the CD writer. Jaz and Zip: Zip drives is very popular and has become a lot of PC's standard configuration, while at the same time its disk and drive are not expensive. It is one which can accommodate up to 100Mbit data, is a fast, portable backup is a good choice. Jaz disk can hold on G bytes of data, and using more advanced techniques for better performance. Jaz drives and Jaz disks are relatively expensive. Jaz and Zip bug is easily damaged and kept relatively short time.
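As an added example that is not part of the original article, the following shell script implements the schedule above (user files daily, configuration weekly) with tar and verifies each archive against the source tree before recording a checksum; the helper names dirs_for_day, archive_tree and run_plan, and the idea of passing a root directory so the script can be tried on a scratch tree, are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original article: the backup policy it describes
# (user files daily, /etc and /var weekly) implemented with tar plus a
# verification step. Assumes POSIX sh and a tar that accepts -c/-t/-f/-C.

# dirs_for_day DOW -> prints "label path" pairs due on weekday DOW (1=Mon .. 7=Sun)
dirs_for_day() {
    dow=$1
    echo "home /home"                 # user files: every day
    if [ "$dow" -eq 7 ]; then         # configuration files: once a week
        echo "etc /etc"
        echo "var /var"
    fi
}

# archive_tree SRC DEST LABEL -> writes DEST/LABEL.tar, verifies it, prints its path
archive_tree() {
    src=$1; dest=$2; label=$3
    archive="$dest/$label.tar"
    mkdir -p "$dest"
    # -C with "." stores relative paths, so a restore cannot silently overwrite
    # the live tree unless the operator deliberately extracts in /
    tar -cf "$archive" -C "$src" . || return 1
    # verification: every non-directory entry in the source must be in the archive
    expected=$(cd "$src" && find . ! -type d | sort)
    actual=$(tar -tf "$archive" | grep -v '/$' | sort)
    [ "$expected" = "$actual" ] || return 1
    # keep a checksum beside the archive so later media corruption is detectable
    cksum "$archive" | cut -d' ' -f1 > "$archive.cksum"
    printf '%s\n' "$archive"
}

# run_plan DOW ROOT DEST -> back up every directory due on DOW, reading trees under ROOT
# (ROOT is "" on a real system; a scratch directory when testing the script)
run_plan() {
    dirs_for_day "$1" | while read -r label path; do
        archive_tree "$2$path" "$3" "$label" \
            || { echo "backup of $path FAILED" >&2; exit 1; }
    done
}
```

Run it from cron as run_plan "$(date +%u)" "" /mnt/backup on the real system; a failed verification of any tree makes the whole run return non-zero.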

Hardening the Linux operating system: security configuration notes

We all know that network security is a very important issue, and the server is the key point of network security.

Linux is considered a relatively safe Internet server platform: because Linux is an open-source operating system, when a security vulnerability is found, volunteers from all over the Internet are eager to fix it. However, administrators often fail to get this information promptly and correctly, which gives an attacker a chance to exploit the vulnerability. Compared with vulnerabilities in the system itself, far more security problems are caused by incorrect configuration, and those can be prevented by configuring the system properly.

A lightweight netstat for Linux written in Perl

Why I wrote it: when grabbing information with netstat on Linux I often find that CPU consumption is very high, especially while doing system monitoring. If the monitoring system itself uses netstat, it drives the system load up, so I tried writing it in Perl; timing tests show it is faster than netstat and saves resources. Criticism welcome, heh.

#!/usr/bin/perl
# Written by FinalBSD at 2008-11-20.
# The netstat original written in C
# is expensive to me, so this was born.
# As long as you retain this notice you
# can do whatever you want with this stuff.
# If we meet some day, and you think
# this stuff is worth it, you can
# buy me a beer in return.
#
# Reads the kernel's own tables under /proc/net instead of forking netstat.
# Only IPv4 and IPv4-mapped IPv6 (::FFFF:a.b.c.d) sockets are decoded.

use strict;
use warnings;
use Getopt::Std;

my $tcp   = "/proc/net/tcp";
my $tcp6  = "/proc/net/tcp6";
my $route = "/proc/net/route";

# Index = the "st" column of /proc/net/tcp (TCP_ESTABLISHED = 1 ... TCP_CLOSING = 11).
my @tcpState = (
    "NULL",      "ESTABLISHED", "SYN_SENT",  "SYN_RECV",
    "FIN_WAIT1", "FIN_WAIT2",   "TIME_WAIT", "CLOSE",
    "CLOSE_WAIT", "LAST_ACK",   "LISTEN",    "CLOSING",
);

# Index = the "Flags" column of /proc/net/route (RTF_UP = 1, RTF_GATEWAY = 2).
my @routeType = (
    "NULL",
    "U",    # UP
    "G",    # Gateway
    "UG",   # UP & Gateway
);

# -n, -a, -t and -s are accepted for netstat compatibility but change nothing here.
my %opts;
getopts('nhatsrl', \%opts);

if ($opts{h}) { &usage(); }
if ($opts{r}) { &route_info($route); exit; }

&tcp_info($tcp);
&tcp_info($tcp6);

###################### FUNCTION DEFINITION ######################

##############################
# Get statistics information
##############################
sub tcp_info($) {
    my $file = shift;
    open(FH, $file) or die("$!");
    my $format = "%-30s%-30s%-10s\n";
    printf($format, "Local Address", "Foreign Address", "State");
    while (<FH>) {
        next if /local_address/;            # skip the header line
        my @data  = split;                  # sl local_address rem_address st ...
        my $state = $tcpState[hex($data[3])];
        # Show listening sockets only with -l, everything otherwise.
        if ($opts{l}) {
            printf($format, &hextoint($data[1]), &hextoint($data[2]), $state)
                if $state =~ /LIST/;
        } else {
            printf($format, &hextoint($data[1]), &hextoint($data[2]), $state);
        }
    }
    close(FH);
}

##############################
# Convert hex to int
##############################
sub hextoint($) {
    my $tmp = shift;
    my @data;
    my @ip;
    my $int;
    # If it has ':' then it is addr:port, else just an address (route table).
    if ($tmp =~ /:/) {
        if ($tmp =~ /FFFF/) {
            # IPv4-mapped IPv6 socket: the last four bytes are the IPv4 address.
            @data = split /:/, $tmp;
            @ip   = $data[0] =~ /\w{2}/g;   # break it into bytes and convert later
            foreach my $index (12..15) { $ip[$index] = hex($ip[$index]); }
            $int = sprintf("%-5s%d.%d.%d.%d:%d", "tcp6",
                           $ip[15], $ip[14], $ip[13], $ip[12], hex($data[1]));
        } else {
            @data = split /:/, $tmp;
            @ip   = $data[0] =~ /\w{2}/g;
            foreach my $index (0..3) { $ip[$index] = hex($ip[$index]); }
            # /proc stores the address in host byte order, hence the reversed bytes.
            $int = sprintf("%-s%d.%d.%d.%d:%d", "",
                           $ip[3], $ip[2], $ip[1], $ip[0], hex($data[1]));
        }
    } else {
        @ip = $tmp =~ /\w{2}/g;
        foreach my $index (0..3) { $ip[$index] = hex($ip[$index]); }
        # The bytes were already converted above; converting them a second time
        # (as the original did) turned 192 into 0x192 = 402.
        $int = sprintf("%d.%d.%d.%d", $ip[3], $ip[2], $ip[1], $ip[0]);
    }
    return $int;
}

##############################
# Show kernel route table
##############################
sub route_info($) {
    my $routefile = shift;
    open(ROUTE, $routefile) or die("Can't open route file!\n");
    my $header = "Iface Destination    Gateway        FlagsGenmask\n";
    printf("%s", $header);
    my $format = "%-5s%-15s%-15s%-5s%-15s\n";
    while (<ROUTE>) {
        next if /Iface/;                    # skip the header line
        my @line = split;                   # Iface Destination Gateway Flags RefCnt Use Metric Mask ...
        my ($iface, $dest, $gw, $flags, $mask) =
            ($line[0], &hextoint($line[1]), &hextoint($line[2]), hex($line[3]), &hextoint($line[7]));
        # Flag combinations beyond UG (e.g. host routes) are shown as raw hex.
        my $type = defined $routeType[$flags] ? $routeType[$flags] : sprintf("0x%x", $flags);
        printf($format, $iface, $dest, $gw, $type, $mask);
    }
    close(ROUTE);
}

##############################
# Show help information
##############################
sub usage {
    printf("%s\n\n%-30s\n%-30s\n%-30s\n%-30s\n%-30s\n%-30s\n",
        "netstat written in Perl by FinalBSD. Copyright (c) 2008.",
        "-n Show numeric ip and port address.",
        "-r Display the kernel routing table.",
        "-a Show both listening and non-listening sockets.",
        "-t Show only TCP statistics.",
        "-l Show only listening sockets.",
        "-h Show help.",
    );
    exit;
}