温室小花.技术.博客 --纯粹的unix技术博客 » shell

unix常用指令及参数

admin — Wed, 08 Apr 2009 13:48:23 +0000

常用组合键
ctrl+h,backspace :删除前面的字符.
ctrl+u:删除一整行.
ctrl+c,del,break: 强行终止正在运行的程序.
ctrl+d:
常用指令
1.date:查看当前时间.
2.cal:查看某一个月的月历.
3.Finger 命令:显示一个用户的详细信息.
4.who命令:显示所有登陆用户.who an i
5.clear 命令:执行清屏动作.
6.echo 命令:将命令名后跟随的参数显示在屏幕echo hello

world
7.banner 命令:将命令名后跟的ACSSII字符串以大字的方式显

示在屏幕上banner hello
8.wc 命令:用于计算一个指定的文件中的行数单词及字符数:
格式wc[-c(计算字符的数目)] [-l(计算行的数目)] [-w(计算

单词的数目)] filename
9.passwd 命令,用于修改口令.
10.man 命令:联机手册
六.shell的基本功能:命令解释器,程序设计语言.
shell的退出命令.
1.exit 主要用于退出B_shell
2.logout 主要用于退出C_shell
3.ctrl+d 用于退出各类shell
第三章通信
内部通信
外部通信<1,电子邮件,2.即时通信
一.即时通讯
1.write 交谈命令 (半双工通信)
格式 write student1
ctrl+d 退出write
Write协议:消息发送结束用O(结束)
结束谈话用OO(结束并退出)
2.mesg 消息开关命令.用于查询和开关本终端的消息接收状态.
格式:mesg [-y] [-n]
$ mesg 查询本终端当前的消息接收状态
is y 可以接收消息
is n 拒绝接收消息
$ mesg n 设置关闭状态
$ mesg y 设置打开状态
3.talk 双向通信命令 (全双工方式)
4.wall 广播信息命令
二,电子邮件
$ mail username 发送邮件
$ mail 接收邮件
系统邮箱:在/usr/mail或/var/mail下,每个用户都有一个以其名字

命名的邮箱.例如:student8的系统邮箱可能为:/var/mail/student8
个人邮箱:个人邮箱通常为用户自己的主目录(home)下的mbox

文件.用户读过的邮件如果末删除或转存,则存放在个人邮箱中

.例如:student8的个人邮箱可能是:/home/student8/mbox
1.发送邮件:
$ mail student8
给多个用户发送邮件
a.$ mail student1 student2 student3 把用户列出来.
b.$ mail TEACHER TEACHER为用户组名,即向属于TEACHER

组所有用记发邮件.
c.$ alias usr_list student1 student2 student3给student1 student2

student3等多个名字建立一个部的别名usr_list,该别名只在本

shell中起作用,退出shell后无效.
$ mail usr_list
把已有的文件作为邮件发送给用户:
$ mail student8 < my_letter
发邮件给不存在的用户:
$ mail meizhegeren
mail命令本身能正常执行,由于无有效的接收方,所以系统把邮

件退回到用户主目录下dead.letter中.
2.接收邮件
不带参数输入mial表示读取邮件.此时已进入出境mail命令模式

下.
mail命令模式常用命令
如有下页则显示,否则退出mail.
p 显示本邮件信息
d 删除当前邮件
n 显示下一个邮件
q 退出 mail,把末删除的邮件保存到个人邮箱中.
R 回复邮件
! 执行shell命令.
? 显示mail的内部命令.
第四章文件系统
与目录相关的命令(pwd,cd,mkdir,rmdir,ls)
与文件相关的命令(cp,mv,ln,more,rm)
1.pwd 显示当前工作目录
2.cd 改变当前目录
3.mkdir 创建目录
格式 mkdir dir_name
4.rmdir 删除目录
格式 rmdir dir_name
a.只能是空目录.
b.有写的权限
一次操作多个目录
- p 选项.在当前目录下逐级创建目录,也可以逐级删除目录.
5.ls 显示目录
$ ls -a 显示所有文件(以点开头的文件名是隐藏文件)
$ ls -R 显示所有子目录的内容
$ ls – l 能得到目录中的文件的详细信息.
-:普通 d: 目录 c: 字符设备 b: 块设备 p:管道
$ ls – C 以多列的格式列表,按列排序.
$ ls – F 如果是目录,文件名后加/,如果是可执行文件,加*表示.
$ ls – m 按页宽列文件,以逗号分隔.
$ ls – p 如果是目录,文件名后加/
$ ls – r 以字母反序列表
$ ls – s 以文件块为单位显示文件大小
$ ls – x 以多列的格式列表,按行排序.
$ ls -G 以不同的颜色显示.
$ ls -lc 显示更新时间
$ ls -i inode序号将列在第一列
$ ls -lu 显示访问时间
$ ls -I 显示更改时间
6.touch 命令:作用是用来修改文件访问时间更改时间的.并可以

用来创建0字节长度的文件.
格式 touch 命令参数
7.cp 命令:复制文件
格式 cp source target
$ cp file1 file2 … Target-dir
$ cp -i 如果目标文件存在,请求确认
$ cp -r 复制目录到新的目录
8.mv 命令:移动文件或命名文件
格式:mv source target
9.ln 命令:ln命令的主要功能是给一个已经存在的文件再取一个

名字.新的文件名与原文件名可以在同一个目录下,也可以以在

不同的目录下,新老文件名代表同一个文件.
格式ln source-file target-file
作用:在现有的文件与新文件之间建立新链接,使一个文件具有

一个以上的名字.
显示文件内容命令
10.cat 命令:用来显示.创建或者合并文件
格式cat filename
11.more 命令:逐屏显示文件内容.翻屏时用键.
格式:$ more filename
12.rm 命令:删除文件(删除后无法恢复)
格式:$ rm file
$ rm file1 file2
$ rm -i 删除文件前,给出确认
$ rm -r 删除指定的目录及目录中的所有文件和子目录.即删除

整个目录结构.
13.lp 命令:打印命令
14.cut 命令:切取文件内容,用于切取文件中的列或字段.它把文

本文件中每一行的一部分显示输出.运行时必须指定功能选项.
- f 指定字段的位置
-c 指定列的位置
-d 指定字段分隔符,缺省的字段分隔符是制表符tab
15.paste 命令:连接文件.
作用:把文件一行接一行地连接在一起,或者把两个或多个文件

的域连到一个新文件里.
格式: $paste 选项参数
选项:-d 指定分隔符.默认是制表符
第五章文件权限
16.chmod 命令:修改文件权限,常用chmod命令修改文件(包括普

通,目录和设备)的访问权限,
格式: chmod pattern filename …
finename 为要修改的权限文件名.可以有多个.
pattern 为将改变成的权限,可以用两种形式表示:字母式和数字

形式.
a,字母形式(符号模式)
字母形式由用户类别(u,g,o). 如何改变(+,-)和权限(r,w,x)三部分

组成.
u:本用户g:同组用户o:其它用户. + :增加权限 -:删除权限
r:读w:写x:执行
例如:chmod u+x file1
chmod o-w file2 file3
chmod go+r file4
b, 数值形式
格式: chmod 777 file1
*新建文件或目录最大权限=状态掩码+新建文件或目录缺省

权限.此时unask为000
对一个新建的文件,umask值为022则指定该文件的权限为644:
对一个新建的目录,umask值为022则指定该目录的权限为755
17.sort 命令:作用在于将指定的文件中的文件进行排序,并把排

序的结果输出到指定的标准输出中.
格式:$srot [-t delimiter] [+field] [.column]][option]
选项: -d 以字典顺序进行排序
-
18.head 命令:用于查看一个文件.或多个文件的前面几行的内

容.
格式:$ head [-number_of_lines] file(s)
19.tail 命令:用于显示从指定行开始直到文件末尾的文件内容
格式;tail [-number_of_lines | +number_of_lines]file
20.tee 命令:在获得输入后,将把该输入数据送到两个地点:标准

输出和文件.
21.grep 命令: 用于选项定包含特定模式的文本行.
21.find 命令:在目录中递归地搜索包括有特定字符的文件名.
22.df 命令:磁盘空间监测命令.显示当前系统中各个逻辑磁盘

中空闲的磁盘块数和空闲的索引节点(即可建立的新文件数)
23.du 命令:查看磁盘使用情况统计,统计指定的目录及所有子

目录的磁盘使用情况,统计单位是磁盘块数.
选项:-a 显示所有文件及子目录
24.fsck 命令:文件系统管理:用于检测和修复文件文件的错误,
25.tar命令:文件存储与备份.该命令可以把文件系统中的一个

或一组文件打成一个文件包.存放到外存上或硬盘上文件系统

的其它地方.常用于多个文件(包括目录)的备份或转移.
格式: tar -cvf target file1 file2 file3 …把file1 file2 file3等文件备份到

档案文件target中.
tar -tvf target 检查档案文件target中包含的文件信息.
tar -xvf targer [file1] 从档案文件target中提取全部或file指定

的文件.
26.shutdown 命令:系统关机
选项:-h 完全关机
-r 关机并重新启动系统
time 关机时间,如17:30
message 关机前向所有已登陆用户发送消息
例如: shutdown -r now 现在关机重启.
27.crypt 文件加密命令:用于对文本文件进行加密和解密.以防

止文件内容泄密.
例如:$ crypt < file > file.cry 对file加密,结果保存在file.cry中.key:加

密口令
$ crypt aaa 对aaa.cry解密,结果保存到aaa中. key:

解密口令
附:$ vi -x file.cry 编辑一个加密后的文件
28.compress/uncompress 文件压缩和解压命令
格式:compress data_file 加压后自动在文件名后加一个.Z
umcompress abc.Z
29.at 定时执行任务:在指定的时间一次性执行规定的任务.
at 15:30 在15:30分执行
who >> userlist 把上机用户清单发到userlist
30,cron 系统定量执行任务:
31,crontab 任务描述文件的管理命令.

Step-by-Step Guide to Building an OpenBSD PPPoE Gateway, with Firewall

admin — Mon, 23 Mar 2009 14:21:18 +0000

Introduction
Why would one install his own personal gateway to the Internet? Because it is quite easy to do. And also because it simply is the most reliable, safest way to connect machines to a dedicated xDSL modem. Moreover, we can stash a whole bunch of useful features in such a little box. Here is a list:

PPPoE Gateway
PPPoE is a curious beast forced down our throats by some DSL providers. On one side, it does not really break anything, has low overhead and allows you to change IP adresses very easily & quickly. On the other side, it sucks big time because it does add overhead to the IP packets, is proprietary, non-standard, forces you to change IP adresses unpredictably, and is unsupported in most operating systems. A good PPPoE gateway simply hides PPPoE from the machines on your internal network. It makes life much easier because you don’t have to install any special “access manager” software on your windoze boxen. They will just work (provided you set their IP address correctly).

Firewall
A firewall is quite mandatory for any machine directly connected to the Big Bad Internet. We want an industrial-strength stateful inspection firewall and this is what we’ll get.

NAT (Network Adress Translation)
The name seems complex, but it is really quite simple: this allows the gateway machine to act on the internet on behalf of all the machines located on the intranet (your internal home network). Even though you might have two, three or even ten computers on your local network, a NAT equipped gateway will hide them to outside observers. They will only see a single very busy machine, with a single IP address.

DNS (Domain Name Service) cache
Having your own DNS server will lower the latency of getting DNS translations for all the machines on your intranet. This will not really decrease the traffic on your DSL modem by a large percentage, but it will improve the quality of the “internet experience” on your local network.

Dynamic DNS tracker
Free dynamic DNS services are extremely useful to xDSL customers. They allow you to have your very own domain name, free of charge, which will follow in real-time your IP address changes. The catch is that the top-level part of your domain must be one of their supplied choices. They are not that bad, really… Personally, I use DYNDNS but any of the multiple free dynamic DNS providers out there will do just fine. Simply make sure they have a client “updater” which can compile and run under OpenBSD.

WEB server
Most ISP’s only allow a few megabytes of disk for web service. Moreover, they never give you direct access to the web logs. Having your own web server allows you the luxury of using all the disk space you want, plus the added advantage of complete control over the web service (cgi-bin) and its logs. Moreover, OpenBSD comes with a crypto-enabled version of Apache and all the tools you need to create RSA-keyed certificates.

Mail server
Have you ever wanted to create a temporary email address just to receive some password? Or simply wanted addresses tailored for specific domains of interest? These are only a few of the many advantages of having your own mail server.

NTP server
The Network Time Protocol allow you to synchronize the gateway’s clock to one of the numerous atomic time references available on the internet. Moreover, the same program is also used as a local time server, so that all your intranet machines can themselves synchronize their clocks to the gateway’s clock. NTP synchronizations are made in tiers, like this, in order to lower the burden on the public time servers.

This page is for all those of you who have are lucky enough to enjoy a dedicated xDSL connection and would like to have a small firewall installation. In my search for the holy grail, i found the answer to most of my wishes in the OpenBSD package. This step-by-step guide is a collection of notes taken while I was installing the thing. They are intended to help my friends do their own setups very quickly and easily, without having to bug me too much They should help you too.

Constructive comments can be sent there … Have fun and GOOD LUCK!

Getting some hardware
The first thing to think about when one embarks on the firewalling adventure is to establish on what hardware you are going to install the thing. This seems unimportant at first, but don’t forget that this box will be turned on 24/7, so the components you use must be reliable.

What are the minimum requirements? My system uses about 50% of its CPU to support Sympatico’s ADSL rate (around 900 kbps). It is built with the following components:

An ancient 486 motherboard (with an ISA bus) given to me by a friend (thanks Christian!). It runs at 66 MHz.
32 MB of brand new RAM i bought for it.
A 200 MB hard disk, which was dying after about 1 year of faithful use (it came with the motherboard). This disk was recently replaced with the cheapest brand new drive i could find. I didn’t know they still made those slow 3600 RPM drives Anyway, the old drive is kept as a kind of extreme emergency backup.
Two ISA-bus ethernet cards. I’ll talk more about this later.
A CD-ROM drive. Very optional, but can make life easier.
A “home” grade hub & cat5 cabling. This is not strictly necessary if you’ll have only one machine connected to your firewall: you can make do with a special “crossover” cat5 cable instead. The cable that comes with xDSL modems is usually (always?) a crossover cable. Anyway, for two or more machines, the hub is mandatory. Small hubs can be bought for a very reasonable price (~40$ cdn).
or
Alternatively, many older ethernet cards come with a BNC female connector. This can be used to connect the machines on your network with coax cables, without any hub. However, be warned that a 10base-2 network must follow certain rules if you want it to work flawlessly. Follow them.
This gives a good approximation of what you need. The MOST important part is the RAM. Make absolutely sure that whatever RAM you use is reliable. Old boxen were usually setup to run Windoze, and it was not a big deal if the machine had flaky RAM because of the way Windoze works…

OpenBSD (like any real OS out there) is much less tolerant of flaky RAM, because it actually uses all of it. It will crash quite quickly if your RAM is marginal, probably within 5-10 minutes. You have been warned.

Finally, the OpenBSD hardware list is there. Try to make sure that whatever hardware you use in your gateway box figures on that list. It’s a long list

The ethernet cards
There is a boring thing of which we must talk about here. You see, there are many kinds of ethernet cards, and you must make sure you have the right ones for your machine. If you have a PCI-based machine, then all is well. Whatever ethernet card you put in there will probably be supported by OpenBSD. However, you must be a bit more careful if you have an ISA-based machine.

It is most likely that your box will not have any ethernet cards to start with since most people did not have networks at home in the pre-historic era of 4 years ago. You need two cards. One will be connected to the DSL modem (the big, bad outerworld), while the other is connected to your internal network hub (your intranet). The gateway’s job will be to pass (or block) packets between those two network cards. For security, its very important that the outside world packets cannot reach directly any of the intranet machines. This is the reason why we use two ethernet cards: complete logical and electrical isolation. Why so much isolation? For example, if someone(s) were launching a full (distributed or not) denial of service attack on your gateway box, its internet-connected ethernet card would be extremely busy, but your intranet would see nothing of this. While any communication with the outside world would probably fail, at least your intranet machines would still be able to talk to each other.

ISA cards use dedicated I/O ports and IRQ’s in your machine. Those must be setup either with jumpers directly on the card, or with a special DOS program if the card is of the more recent “Plug & Play” type. This DOS program is always supplied with the card, when purchased brand new.

If your card is Plug&Play, you must disable the Plug&Play, and program specific I/O port and IRQ values with the setup software that comes with the card. Make sure that you program both cards with different sets of I/O ports and IRQs! Otherwise they will battle each other for cycles on the bus and the result will not be pretty. Once you have set the parameters on the card it will remember them and you don’t have to reprogram anything later on, even if the computer is turned off.

It is good at this point to know a few magic numbers:

Card Type I/O #1 IRQ #1 Mem #1 I/O #2 IRQ #2 Mem #2
NE2000 (ne) 0×240 9 — 0×300 10 —
SMC WD-8003 (we) 0×280 9 0xd0000 0×300 10 0xcc000

For example, i use two cards made by AOpen: the model ALN-101. They are Plug&Play and use the NE2000 chip. The first one is setup at I/O port 0×240, IRQ 9. It is known as “ne0″ in the GENERIC openBSD kernel. The second one is set at I/O port 0×300, IRQ 10. It is known as “ne1″. If the cards were programmed differently, the GENERIC kernel would not recognize them “out of the box” and you would have to re-configure the kernel. It can be done, but its much easier to setup the hardware once than re-configure the kernel every time it gets upgraded.

Some of you might have problems setting the card to an arbitrary combination of IO port and IRQ number. This is allright, just let the card decide what it wants and simply reconfigure your kernel to accomodate that. What is important is that both ethernet cards are not set to conflicting values. Otherwise, any combination that the cards like will be programmable in the kernel.

Last but not least: some cards can be used in the so-called “full-duplex” mode. Be aware that if you want to use an ethernet card in full-duplex, your hub must also be full-duplex, as well as the other ethernet cards in the system. A full-duplex hub is much more expensive and not necessary at all. Unless you know what you are doing, program your ethernet cards to use the half-duplex mode, otherwise it won’t play nice with the other components in your local network, including the xDSL modem
(注，这里需要说NE2000等旧款的基于486机的网卡也可以用，但现在这些网卡，其本难找，所以至少要用8139系列芯片的10-100M自适应的网卡来做应用）

The hard disk
The most secure storage medium is one which can’t be erased. Some firewalls actually use setups like this (with CD-ROMS) but we’ll build our firewall with a classic, writeable hard drive because:

We don’t need “Absolute Security”, do we? We can’t have it anyway
We want to use an “out-of-the-box” OpenBSD distro. This will make maintenance (security, patches, etc…) much easier.
Almost any hard disk out there will work OK, since 200 MB is a safe minimum size. The only thing you must remember is that this disk will run 24/7, so if you use an old drive, it will likely die relatively soon. The venerable drive my friend gave me lasted 6 months before i had to change it, YMMV.

No keyboard?
Of course you’ll need a keyboard… and a monitor too, but just for the installation. After the firewall is successfully installed, you will be able to talk to it through encrypted ssh connections over your internal network, so a keyboard & monitor will not be really useful at that point.

——————————————————————————–

Getting the software
We will be using OpenBSD. Why? Because it is the most secure freely available operating system out there. All the source code included in the mainstream distribution CD’s has been audited for years by the OpenBSD team, which is why sometimes an exploit published on BugTraq is found not to work on OpenBSD simply because the faulty code was already fixed months ago.

I strongly suggest you buy their CD-ROM kit as it comes with a set of very cool stickers… You can also download their stuff for free, of course, but you won’t have the stickers then

This Guide is written for OpenBSD 3.0.

The easiest way to install the software is to use a CD-ROM drive on your firewall box. If you don’t have that, you can do a network install with the “ftp” protocol, either directly to an outside OpenBSD mirror, or to one of your own internal machines equipped with an ftp server. Be aware that if your DSL provider forces you to use PPPoE (boooo!), then of course your link to the outside world will not be functional yet at installation time, which is one more reason to use the CD-ROM. If your machine can boot a CD-ROM, great! It will gladly boot the OpenBSD disc. Otherwise, simply create a boot diskette according to the README and boot that. This diskette is also your rescue disk, so don’t lose it.
——————————————————————————–

Installing OpenBSD
The installation of OpenBSD is very easy, once you have the right hardware, and the right answers to some of the questions. In the following steps, i’ll assume you can follow the instructions of the install program and focus only on the tricky little things you should know to make your life easier.

fdisk & disklabel
After you boot the installer, one of the very first things you’ll have to do is partition your disk. This is done with the “fdisk” and “disklabel” programs. The installer will ask you if you want to use the entire hard disk for OpenBSD. Answer No, even if it is not entirely true. If you say yes, the whole fdisk step will be bypassed, and you will not be able to change the default cylinder/head/sector configuration in order to boot off the hard disk without resorting to the silly “FDISK /MBR” DOS command which is a stupid solution to a stupid problem.
The default OpenBSD fdisk partition setup choice is in slot #3. If you want, you can move your OpenBSD partition in slot #0 with no ill effect.

Important: On some systems, to make sure your system boots off the hard disk, you must set the starting CHS (cylinder/head/sector) to C=0, H=0, S=1, because fdisk suggested an incorrect value for H in OpenBSD 2.7, and still does in 2.8 … If you use “1″, as it suggests, your system will not be able to boot from the hard disk.

After the disk is partitioned with fdisk, you use disklabel to further organize the partition. A label behaves like a traditional partition (as used in Linux, for example), except that you can put as many labels as you want in the single OpenBSD partition. This is useful.

On a fully partitioned system, the disk labels might look like this:

a: 2097648 0 4.2BSD 1024 8192 16 # / 1 GB
b: 262080 2097648 swap # SWAP 128 MB
c: 20015856 0 unused 0 0 # (whole disk) 10 GB
d: 2097648 2359728 4.2BSD 1024 8192 16 # /usr 1 GB
e: 2097648 4457376 4.2BSD 1024 8192 16 # /tmp 1 GB
f: 2097648 6555024 4.2BSD 1024 8192 16 # /var 1 GB
g: 4194288 8652672 4.2BSD 1024 8192 16 # /usr/local 2 GB
h: 7168896 12846960 4.2BSD 1024 8192 16 # /home 3 GB
On my firewall, i like to keep things simpler, so it goes like this:

# size offset fstype [fsize bsize cpg]
a: 18874800 0 4.2BSD 1024 8192 16 # (Cyl. 0 – 18724)
b: 1141056 18874800 swap # (Cyl. 18725 – 19856)
c: 20015856 0 unused 0 0 # (Cyl. 0 – 19856)As you see, the ‘c’ label is a placeholder for the whole disk, in all cases. Don’t delete or otherwise change this, or you’ll be in trouble.

One of the main disadvantages of having a single partition is that one could do bad things in such quantity that the log files would simply fill up the whole drive. OpenBSD doesn’t like it when all its disk space is full. You can guess the rest of the story. In practice, this is not an issue, since i monitor my log files daily, but it could be an issue for someone out there.

On a fully partitioned system, the “df” command says this, after the OS is installed, with its complete source trees:

Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/wd0a 1015269 25985 938521 3% /
/dev/wd0d 1015269 480284 484222 50% /usr
/dev/wd0e 1015269 1 964505 0% /tmp
/dev/wd0f 1015269 5141 959365 1% /var
/dev/wd0g 2030307 8698 1920094 0% /usr/local
/dev/wd0h 3470505 27 3296953 0% /home

On my system i have this:

Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/wd0a 9137589 503054 8177656 6% /

In this example, the full OpenBSD source tree is installed, which explains why the thing uses up about 500 MB. Without the source tree, you only need about 120 MB in there, but having the source tree allows you to make security patches as they are published. This is important and i’ll talk about it more later.

Active FTP
If you do an FTP install to a private FTP server, it might be necessary to use active FTP.

Crypto, SSL, etc…
The crytographic packages are included in the CD’s since release 2.9 of OpenBSD. They will be automatically installed.

UTC time zone
Keep your server in the UTC time zone. This way, your firewall logs will be timestamped in UTC time and it will be simpler to have them interpreted by the abuse@… services of ISP’s. Also, it is important to make sure the gateway is time-synchronized to one of the numerous public NTP servers out there, because having only an IP address is not enough to pin down internet abusers. In this age of dynamic IP allocations you need both IP address and exact time in order to positively identify the origin of an IP packet. Keep your gateway synchronized.
Why not GMT instead? Read all about it there.

Normally, the installer will ask you for a time zone at install time. If you want to change it later, simply make /etc/localtime point to /usr/share/zoneinfo/UTC with a soft link:

ln -s /usr/share/zoneinfo/UTC /etc/localtime

First Boot
reboot … did your machine boot correctly? If not, please consult the numerous FAQ’s available at the OpenBSD site. Are you sure you set H=0 in fdisk? By the way, if it doesn’t boot from hard disk, you can probably still force it by first booting the install diskette, and entering “boot wd0a:/bsd” at the initial prompt. You have about 5 seconds to make your mind, when you see this prompt, act swiftly.
On first boot, you will probably get a message like “ssh-keygen: generating new DSA host key…”, followed with an equivalent message for the RSA host key. They might take quite a long time on a 486 (5-10 minutes), so Don’t Panic! ™ , the machine is not crashed, and the boot process will eventually follow its course, given time. This will happen only on the first boot.

Kernel extra configuration
If, at this point, the kernel sees all you devices (including both ethernet cards), congratulations. If not, you can reconfigure the kernel without having to recompile it by simply using the config utility. Typically, you would copy your current kernel (the “/bsd” file) to an appropriate backup name (e.g. “/bsd.ORIGINAL”), and issue this command:

config -e -f /bsd
and make whatever changes you need. You should know what you’re doing in order to use this command without blowing your system up into tiny bits & pieces. Don’t forget to save your changes. If this modified kernel doesn’t work OK, just boot the “/bsd.ORIGINAL” kernel instead, and you will have another chance.

Sys control files
The services allowed by OpenBSD are configured by a couple of files in the /etc directory. Actually, this directory contains all the configuration files of OpenBSD, for your convenience, but this is something you’ll only appreciate later, when you become an experienced BSD maintainer… We’ll come back to that /etc directory quite often.
For now, just make sure that the following are enabled:

In the file /etc/sysctl.conf:
net.inet.ip.forwarding=1

and in /etc/rc.conf:
sendmail_flags=”-L sm-mta -bd -q30m”
named_flags=”"
httpd_flags=”-DSSL”

Important: If you plan to use PPPoE, don’t enable pf here because you want to start it in a controlled manner, after PPPoE is started. Enabling “pf” here would make it start at the very beginning of the boot process and this would not work.

PPP & PPPoE
Ahhhh… the Evil Beast. Installing a good, working PPP and PPPoE can be quite a tricky task. In OpenBSD 3.0, it is included and works well, once properly configured. This version of PPP supports the “mssfixup” instruction which magically allows you to avoid setting MTU’s at 1492 or less on all of your intranet’s machines. This is very recommended as it avoids a whole bunch of problems with Windows machines, internet appliances, etc…
Notice that there is an excellent Network FAQ available from the OpenBSD site. It contains a lot of information on what to do with those ethernet adapters.

The configuration file for ppp is in /etc/ppp/ppp.conf. Mine contains exactly this:

default:
set log Phase Chat IPCP CCP tun command
set redial 15 0
set reconnect 15 10000

pppoe:
set device “!/usr/sbin/pppoe -i ne0″
disable acfcomp protocomp
deny acfcomp
set mtu max 1492
set speed sync
enable lqr
set lqrperiod 5
set cd 5
set dial
set login
set timeout 0
set authname xxxxxxx
set authkey xxxxxx
add! default HISADDR
enable dns
enable mssfixupNotice how we specify the real network interface ne0 to pppoe (with double quotes), and that i use “max 1492″ for the MTU value, as suggested by many people. Also, no value is specified for the MRU, the PPP network address translation is not enabled, the magic “mssfixup” is enabled and i use the “add!” command instead of plain “add” (suggested by Chris Pockele).

Also notice that the authname and authkey fields don’t contain double-quote characters. You should put in there your own ISP identification and password. Some ISPs require authname to have a full identification (e.g. “username@sympatico.ca”), while other ISPs will want to have only “username” in the authname field. Experiment.

Robert Jameson (thanks Robert!) reports that some ISPs require you to specify the pppoe service you want. This is done on the “set device” line. For example:

set device “!/usr/sbin/pppoe -n Shasta_1 -i ne0″

VERY IMPORTANT!

For some reason, the routes setup automatically by ppp at linkup time were not correctly defined prior to OpenBSD version 3.0. The MTU’s were wrong, leading to all sorts of subtle problems. This is now fixed, and we can safely use the “add default HISADDR” command in the ppp config file, with no special route commands at all in the ppp.linkup file. The MTUs will be properly set to 1492 on all the routes which go through the external interface.

The command “netstat -rn” confirms this:

pcreal# netstat -rn
Routing tables

Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 65.92.185.1 UGS 3 13423 1492 tun0
65.92.185.1 65.92.185.97 UH 1 0 1492 tun0
127.0.0.1 127.0.0.1 UH 1 1045 33224 lo0
192.168.1/24 link#2 UC 0 0 1500 ne1
192.168.1.1 0:e0:18:90:a7:c7 UHL 3 10475 1500 ne1
…

A friend from Australia (thanks Doug!) suggested i clarify the following points:

(1) The 64.229.x.x adresses will NOT be the same in your setup! Those are the adress blocks of my PPPoE service provider (Sympatico). Your own setup will use, most likely, different address blocks.

(2) The ppp daemon creates a virtual network interface (“tun0″) out of thin air. This virtual network interface is internally linked to the actual physical interface (“ne0″ in my system), but you will never have to deal directly with “ne0″ in your configuration files. For example, the firewall rules are written with the virtual “tun0″ interface, not the physical “ne0″ interface. In my setup, the internal interface is “ne1″, and the external interface is “tun0″. Here is Doug’s analogy with the Windows world:

“… think of the PPPoE adaptor like the dialup adaptor in a Windows
control panel. it doesn’t really exist but you gotta have it…”(3) The ppp daemon takes care of automatically assigning the name servers and the routes. Consequently, make sure there is no file “/etc/mygate”, and bear in mind that “/etc/resolv.conf” will be automatically generated as well, at connection time. This has the advantage that you don’t need to know anything about the details of your connection (name server adresses, etc…) to your ISP. Your user ID and password are sufficient, as the ppp daemon will negociate with the server and obtain the information it needs to open the connection.

(4) Since the ppp daemon will take are of the external network interface, you don’t need a “/etc/hostname.ne0″ file. However, you do need a file to describe your internal network interface (in my case, “ne1″):

pcreal# cat /etc/hostname.ne1
inet 192.168.1.2 255.255.255.0 NONENormally, this file should have been built by the setup program of OpenBSD, but if not, you must manually put it there and replace the “192.168.1.2″ with whatever address you want your gateway to have as seen from your internal network.

Another friend, from France (thanks Xavier!), sent me this ascii picture of the network connections:

| |
internet| ====> |DSL Modem| ====>|server|=====>|LAN (HUB)
| tun0 ne1 |
| =ne0 |

Note: I consider this PPP/PPPoE setup to be a work in progress. I continually discover new things about it… so, please bear with me and do send me your feedback about your own experience regarding PPP/PPPoE. It really is a pain, but apparently we will be stuck with it for a long long time, so we might as well learn how to tame the thing!

Second Boot
reboot … your machine should boot correctly. You won’t have internet access yet because the ppp program is not activated. If you want to try it out, just issue

ifconfig ne0 up
ppp -ddial pppoeand ping/telnet away. Don’t worry if you get “carrier settings ignored”, or “change route failed” messages. Be careful because at this point you have no firewall rules set, so you are very vulnerable. Also, make sure your xDSL modem is plugged in the correct ethernet card…

If all works well, then you should kill the “ppp” process. Only restart it when the firewall rules are in place.

The afterboot phase
Follow the instructions obtained by issuing the “man afterboot” command. Actually, quoting FAQ section 2.3, here is a list of the most useful man pages for new users:

* [15]afterboot(8) – things to check after the first complete boot
* [16]boot(8) – system boot strapping procedures
* [17]passwd.conf(5) – format of the password configuration file
* [18]adduser_proc(8) – procedure for adding new users
* [19]adduser(8) – command for adding new users
* [20]vipw(8) – edit the pass word file
* [21]man(1) – display the on-line manual pages
* [22]sendbug(1) – send a problem report (PR) about OpenBSD to a
central support site.
* [23]disklabel(8) – Read and write disk pack label.
* [24]ifconfig(8) – configure network interface parameters.
* [25]route(8) – manually manipulate the routing tables.
* [26]netstat(1) – show network status.
* [27]reboot, halt(8) – Stopping and restarting the system.
* [28]shutdown(8) – close down the system at a given time.
* [29]boot_config(8) – how to change kernel configuration at boot

One of the first things you should do at this point is to add an unprivileged user and make him member of the wheel group. This is because, for security reasons, it is never a good idea to log in directly as root. The preferred way to gain root privileges is to login as a wheel member, and then use the “su -” command to gain root privileges.

OpenBSD will not prevent you from logging in directly as root, but will warn you every time against doing it.

Have fun!

Firewall and NAT rule sets
This is a tricky one. Many people earn a good living just by knowing how to write firewall rule sets! Moreover, the whole packet filter and NAT code was completely rewritten from scratch in OpenBSD 3.0. It is now called “pf”, and is completely free of any external licensing strings so we will always have the latest, fully audited versions in future OpenBSD releases.
Here are my own pf rules, in all their glory. They were heavily influenced by the various man pages and HOW-TO’s pertaining to “pf”. Be aware that they might be either too restrictive, or not enough, depending on your context. My philosophy about this is to disallow everything by default, and only open whatever is known to be useful. This restrictive ruleset will prevent ftp from working correctly, from the firewall itself. However, the ftp proxy currently available will work correctly for client machines located on the intranet.

Don’t forget to send me your tips for better rules… Thanks!

/etc/nat.conf
nat on tun0 from 192.168.1.0/24 to any -> tun0
rdr on ne1 proto tcp from any to any port 21 -> 127.0.0.1 port 8081

/etc/pf.conf
#————————————————————————–
# PF ruleset, 11 dec. 2001
#
# Liberally adapted from the pf man page, the OpenBSD “Network How-To”,
# and my own rulesets.
#————————————————————————–

#————————————————————————–
# Definitions
Ext = “tun0″ # External interface
Int = “ne1″ # Internal interface
Loop = “lo0″ # Loopback interface
IntNet=”192.168.1.0/24″ # Internal network

NoRoute = “{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }”

InServicesTCP = “{ ssh, smtp, auth, http, https, pop3 }”
#InServicesUDP = “{ domain }”
OutServicesTCP = “{ http, https, smtp, pop3, whois, domain, ssh, telnet, ftp, ftp-data, nntp, auth, ntp }”
OutServicesUDP = “{ ntp, domain }”

XMMS = “{ 6000, 7500, 8000, 8004, 8044, 8034, 8052, 8038, 8010, 8400, 8014, 8026, 8048, \
8002, 8024, 8028, 8080 }”
RealAudio = “{ 554, 7070, 8080 }”

#————————————————————————–
#————————————————————————–
# Clean up fragmented and abnormal packets
# By default in pf, packets which contain IP options are blocked. Good.
scrub in on { $Ext, $Int } all
#————————————————————————–

#————————————————————————-
# Defaults
# block and log everything
block out log on $Ext all
block in log on $Ext all
block return-rst out log on $Ext proto tcp all
block return-rst in log on $Ext proto tcp all
block return-icmp out log on $Ext proto udp all
block return-icmp in log on $Ext proto udp all

block in quick inet6 all
block out quick inet6 all
#————————————————————————-

#————————————————————————–
# loopback packets left unmolested
pass in quick on $Loop all
pass out quick on $Loop all
#————————————————————————–

#————————————————————————-
# Immediate blocks
# fuzz any ‘nmap’ attempt
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA

# don’t allow anyone to spoof non-routeable addresses
block in log quick on $Ext from $NoRoute to any
block out log quick on $Ext from any to $NoRoute

# silently drop broadcasts (cable modem noise)
block in quick on $Ext from any to 255.255.255.255
#————————————————————————-

#————————————————————————-
# PASS rules

# ALL — we don’t normally do that. For debugging only.
#pass out quick on $Ext all keep state

# pass in data mode connections for ftp-proxy running on this host.
pass in quick on $Ext inet proto tcp from any to any port > 49151 flags S/SA keep state

# ICMP
pass out quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
pass in log quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state

# Services we provide to the outside world
#pass in quick on $Ext inet proto udp from any to any port $InServicesUDP keep state
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SA keep state

# Standard services we want to access in the world
pass out quick on $Ext inet proto udp from any to any port $OutServicesUDP keep state
pass out quick on $Ext inet proto tcp from any to any port $OutServicesTCP flags S/SA modulate state

# Special services
pass out quick on $Ext inet proto tcp from any to any port $XMMS flags S/SA modulate state
pass out quick on $Ext inet proto tcp from any to any port $RealAudio flags S/SA modulate state
IMPORTANT: Note that the “rdr” rule in the NAT file refers to the INTERNAL network interface. Its purpose is to redirect all ftp-data requests from the intranet to be redirected to the ftp-proxy on the firewall. Then the ftp-proxy channels those into ports 49152-65535, and outputs them on the internet. This is why we have this hole in the firewall starting at port 49152. I know, it is in the IN direction, but that is how passive ftp works… It is quite a broken protocol.
That’s it! Nothing too painful, as you see. Since pf is a stateful inspection firewall, we can keep our ingress rules to a strict minimum. Notice the sheer elegance of the ruleset, with all services defined at once in a single IN or OUT rule.

One last thing: in order to automagically enable your firewall when the link comes up, you can put the following lines in the /etc/ppp/ppp.linkup file. Notice the extra space in front of each “!” character:

MYADDR:
! sh -c “/sbin/ifconfig pflog0 up”
! sh -c “/sbin/pfctl -e -l tun0 -F all -O aggressive -R /etc/pf.conf -N /etc/nat.conf”

The FTP proxy
If you want tight security, and no FTP available on your intranet, simply remove the hole at 49152, and the “rdr” command in the file “nat.conf”. However, if you want to be able to use FTP from the intranet, then you must keep those, as well as enable the “ftp-proxy” service in inetd. Simply add this line to inetd.conf :

8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxyDon’t forget that you still won’t be able to do FTP’ing from the firewall itself, when the packet filtering is enabled. Hopefully, it is very easy to temporarily disable pf with the command “pfctl -d”, and later re-enable it with the command “pfctl -e”. This comes in handy when we install packages from ftp.openbsd.org with the command “pkg_add”.

We are confident that ftp-proxy will improve with time and eventually dynamically manipulate the state tables of the firewall in order to open/close needed connections on-the-fly.

Addinc stuff to /etc/rc.local
This is where our custom startup instructions go. Those things are started while the kernel is in secure level 1. If you need anything started in a lower security level, modify /etc/rc.securelevel instead. In order to start up PPPoE correctly, I added this at the end of my /etc/rc.local :

ifconfig ne0 up
route flush
ppp -ddial pppoe

This starts PPP, PPPoE, the firewall and the NAT translator (because the firewall and the NAT are started automatically in the ppp.linkup file). If you’re curious, you can reboot at this point, and confirm that you have a fully firewalled internet access:

pcreal# ifconfig -a
lo0: flags=8009 mtu 33224
inet6 fe80::1%lo0 prefixlen 64 scopeid 0×5
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
lo1: flags=8008 mtu 33224
ne0: flags=8863 mtu 1500
media: Ethernet autoselect (10baseT)
inet6 fe80::240:f4ff:fe2b:190d%ne0 prefixlen 64 scopeid 0×1
ne1: flags=8863 mtu 1500
media: Ethernet autoselect (10baseT)
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::240:f4ff:fe2b:16b1%ne1 prefixlen 64 scopeid 0×2
pflog0: flags=141 mtu 33224
sl0: flags=c010 mtu 296
sl1: flags=c010 mtu 296
ppp0: flags=8010 mtu 1500
ppp1: flags=8010 mtu 1500
tun0: flags=8011 mtu 1492
inet 65.92.185.97 –> 65.92.185.1 netmask 0xffffffff
tun1: flags=10 mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
vlan0: flags=0<> mtu 1500
vlan1: flags=0<> mtu 1500
gre0: flags=8010 mtu 1450
gif0: flags=8010 mtu 1280
gif1: flags=8010 mtu 1280
gif2: flags=8010 mtu 1280
gif3: flags=8010 mtu 1280

pcreal# pfctl -sr
@0 scrub in on ne1 all
@1 scrub in on tun0 all
@2 block out log on tun0 all
@3 block in log on tun0 all
@4 block return-rst out log on tun0 proto tcp all
@5 block return-rst in log on tun0 proto tcp all
@6 block return-icmp out log on tun0 proto udp all
@7 block return-icmp in log on tun0 proto udp all
@8 block in quick inet6 all
@9 block out quick inet6 all
@10 pass in quick on lo0 all
@11 pass out quick on lo0 all
@12 block in log quick on tun0 inet proto tcp all flags FPU/FPU
@13 block in log quick on tun0 inet proto tcp all flags FS/FSRA
@14 block in log quick on tun0 inet proto tcp all flags /FSRA
@15 block in log quick on tun0 inet from 255.255.255.255/32 to any
@16 block in log quick on tun0 inet from 10.0.0.0/8 to any
@17 block in log quick on tun0 inet from 172.16.0.0/12 to any
@18 block in log quick on tun0 inet from 192.168.0.0/16 to any
@19 block in log quick on tun0 inet from 127.0.0.1/8 to any
@20 block out log quick on tun0 inet from any to 255.255.255.255/32
@21 block out log quick on tun0 inet from any to 10.0.0.0/8
@22 block out log quick on tun0 inet from any to 172.16.0.0/12
@23 block out log quick on tun0 inet from any to 192.168.0.0/16
@24 block out log quick on tun0 inet from any to 127.0.0.1/8
@25 block in quick on tun0 inet from any to 255.255.255.255/32
@26 pass in quick on tun0 inet proto tcp from any to any port > 49151 flags S/SA keep state
@27 pass out quick on tun0 inet proto icmp all icmp-type echoreq code 0 keep state
@28 pass in log quick on tun0 inet proto icmp all icmp-type echoreq code 0 keep state
@29 pass in quick on tun0 inet proto tcp from any to any port = pop3 flags S/SA keep state
@30 pass in quick on tun0 inet proto tcp from any to any port = https flags S/SA keep state
@31 pass in quick on tun0 inet proto tcp from any to any port = www flags S/SA keep state
@32 pass in quick on tun0 inet proto tcp from any to any port = auth flags S/SA keep state
@33 pass in quick on tun0 inet proto tcp from any to any port = smtp flags S/SA keep state
@34 pass in quick on tun0 inet proto tcp from any to any port = ssh flags S/SA keep state
@35 pass out quick on tun0 inet proto udp from any to any port = domain keep state
@36 pass out quick on tun0 inet proto udp from any to any port = ntp keep state
@37 pass out quick on tun0 inet proto tcp from any to any port = ntp flags S/SA modulate state
@38 pass out quick on tun0 inet proto tcp from any to any port = auth flags S/SA modulate state
@39 pass out quick on tun0 inet proto tcp from any to any port = nntp flags S/SA modulate state
@40 pass out quick on tun0 inet proto tcp from any to any port = ftp-data flags S/SA modulate state
@41 pass out quick on tun0 inet proto tcp from any to any port = ftp flags S/SA modulate state
@42 pass out quick on tun0 inet proto tcp from any to any port = telnet flags S/SA modulate state
@43 pass out quick on tun0 inet proto tcp from any to any port = ssh flags S/SA modulate state
@44 pass out quick on tun0 inet proto tcp from any to any port = domain flags S/SA modulate state
@45 pass out quick on tun0 inet proto tcp from any to any port = whois flags S/SA modulate state
@46 pass out quick on tun0 inet proto tcp from any to any port = pop3 flags S/SA modulate state
@47 pass out quick on tun0 inet proto tcp from any to any port = smtp flags S/SA modulate state
@48 pass out quick on tun0 inet proto tcp from any to any port = https flags S/SA modulate state
@49 pass out quick on tun0 inet proto tcp from any to any port = www flags S/SA modulate state
…
@72 pass out quick on tun0 inet proto tcp from any to any port = 6000 flags S/SA modulate state
@73 pass out quick on tun0 inet proto tcp from any to any port = 8080 flags S/SA modulate state
@74 pass out quick on tun0 inet proto tcp from any to any port = 7070 flags S/SA modulate state
@75 pass out quick on tun0 inet proto tcp from any to any port = 554 flags S/SA modulate state

pflogd and tcpdump
With the new pf firewall code comes a new way to log firewalled packets and look at them. The log is actually taken care of by a separate daemon ( pflogd ) which should be started in “ppp.linkup” and killed in “ppp.linkdown”. This daemon puts its data in a special log file ( /var/log/pflog ) which is not directly human readable, for performance reasons. To get a dump of the file, simply issue the command “tcpdump -n -e -ttt -r /var/log/pflog”, or , if you want a real-time display of the logs, simply issue “tcpdump -n -e -ttt -i pflog0″.

The Dynamic DNS
Dynamic DNS is a wonderful thing. Basically, you just go to a dyndns provider like those nice people and 10 minutes later you have your very own domain, for free. In order to make that domain dynamically follow your IP address changes, you must use a special client program which must be called whenever your IP changes.

Until recently I liked ddup, but now i use ipcheck. The latter is truly compliant with all of dyndns’s client specification, and maintains its state automatically in system files. You will have to install the python package if you use “ipcheck”. Also, you’ll need your user ID and password from the dyndns provider.

One more advice: it is perfectly acceptable to have more than one domain pointing at the same IP address. Remember this when choosing one or more domain names…

Keeping your xDSL link alive 24/7
xDSL connections are very reliable, but ISP’s are not For many reasons unfathomable, you will sometimes lose your connection. There are many methods of re-establishing that connection automatically, and i’ll describe here the one i use.

The Method
Make sure you initialise ppp with the “-ddial” command, and NOT the “-background” command…

The automatic restart of the ppp link is handled by ppp itself (using the “-ddial” command), which is quite handy. This leaves us with the dyndns updates, which are performed intelligently by ipcheck.py . An easy way of doing it is to create an executable file named “do_ipcheck” which contains this:

#!/bin/sh
/usr/local/sbin/ipcheck.py -q -d /etc/ipcheck -i tun0 -w Username Password DomainName1,DomainName2with your own Username, Password and Domain names, of course. Then, all you have to do is to add the following line to crontab:

*/5 * * * * /usr/local/sbin/do_ipcheckAlso, don’t forget to create the directory /etc/ipcheck and make sure your /etc/ppp/ppp.linkup file looks like this:

MYADDR:
! sh -c “/sbin/ifconfig pflog0 up”
! sh -c “/sbin/pfctl -e -l tun0 -F all -O aggressive -R /etc/pf.conf -N /etc/nat.conf”
! sh -c “/usr/local/sbin/ResetNTP.sh”
!bg sh -c “/usr/local/sbin/do_ipcheck”
You can call “do_ipcheck” from “ppp.linkup” … however, you must use the special “!bg” construct, in order to instruct ppp to fork it in the background. Nasty stuff happens if you don’t use “!bg” here. Big thanks to Dan for this update!

This setup should garantee the proper restart of the firewall & ipnat each time the ppp link is brought up again.

Apache
Now would be a good time to install your htdocs directory. The way i like to do this is to mount a read-only NFS file system over the current htdocs. This is easily accomplished by adding a line like this to your /etc/fstab :

192.168.1.1:/usr/local/Apache/htdocs /var/www/htdocs nfs ro Moreover, the web logs are kept in /var/www/logs. Interesting stuff.

We are in full virus season and i’m sure your log files will fill up as fast as mine with useless garbage, once your Apache is up. In order to remove some clutter, you can filter out the virus attacks and channel them to a specialized attack_log file. Simply insert the following lines into your /var/www/conf/httpd.conf file:

SetEnvIf Request_URI “^/default.ida” attacks # For Code Red
SetEnvIf Request_URI “^/scripts” attacks # For nimda
SetEnvIf Request_URI “^/c/winnt” attacks # … ditto all the way down
SetEnvIf Request_URI “^/_mem_bin” attacks
SetEnvIf Request_URI “^/_vti_bin” attacks
SetEnvIf Request_URI “^/MSADC” attacks
SetEnvIf Request_URI “^/msadc” attacks
SetEnvIf Request_URI “^/d/winnt” attacks

CustomLog /var/www/logs/access_log combined env=!attacks
CustomLog /var/www/logs/attack_log combined env=attacks
This will send all virus-related requests to “attack_log”, while still logging other activities normally in access_log.

Named
Someone (Chavous P. Camp, thanks!) sent me advice on optimizing “named” for faster throughput. He recommends to add two lines to the “/var/named/named.boot” file:

options forward-only
forwarders ip.addresses.of.ISPs.nameservers.separated.by.spacesThis forces named to always use the same servers for dns. If your ISP’s servers are always on fixed IP adresses, then it works well. However, ISP’s who force you to use PPPoE will also sometimes change dynamically the DNS servers allocated to you (in “/etc/resolv.conf”, automatically created by ppp at startup). In that case, there is no garantee that the name servers you hardwire as forwarders will always be available.

Removing IPv6 related errors
The GENERIC OpenBSD kernel comes precompiled with IP v6 support. This is the reason why you might see many “/bsd: tun0: not multicast capable, IPv6 not enabled” error messages in your logs. Those messages are completely harmless and do not alter the performance of your system. However, should you want to get rid of them, you can simply remove IPv6 support from your kernel by modifying “/usr/src/sys/conf/GENERIC” and removing the “option INET6″ line. Then recompile your kernel in the usual way. Thanks Chavous for this info!

Setting permissions of scripts & config files
Another excellent suggestion from Chavous. Scripts and config files with passwords should have their permissions changed to 500 (for scripts) or 400 (for config files), for greater security. This includes “ppp.conf”, “do_ipcheck”, etc…

The NTP daemon
The ntpd daemon is not installed by default. However, you can download it as a package, and install it with the pkg_add command. Since you have internet connectivity by now, you can download & install it in a single command:

pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.0/packages/i386/ntp-4.1.71.tgz Moreover, you will need a valid /etc/ntp.conf file:

pcreal# cat /etc/ntp.conf
server 128.100.102.201
driftfile /etc/ntp.driftFeel free to use any other atomic time server if you want. Also, the drift file will be created & maintained automagically.

Important tip from Chavous:
=========================================
I found my ntp server would refuse to synchronize after a reboot because it
had no route to the time server. This was, of course, because PPPoE is
loaded AFTER ntp, and sometimes the PPPoE negotiation after a reboot takes a
few seconds.

Anyway, here is something you might want to add as a suggestion:

Turn ntpd OFF in the rc.conf file
add this line to your ppp.linkup file – AFTER the firewall initialization

! sh -c “/etc/ppp/ResetNTP.sh”

That script should then contain:

#!/bin/sh
if [ -f /var/run/ntpd.pid ]; then
kill `cat /var/run/ntpd.pid`
rm -f /var/run/ntpd.pid
fi
/usr/local/sbin/ntpd -p /var/run/ntpd.pid

(as I have said before, remind your readers that this script is executed as
root and should therefore be chmod 444 or less)

This kills the NTP daemon (if it exists) and restarts it. On boot, it would
not be restarted, but what if the link went down for a while? The ntp daemon
would give up and stop sending queries because it couldn’t get a route to
host.

REALLY, the ntp daemon SHOULD NOT stop querying the server just because it
can’t get a route to the host, but it seems to be written as such now
anyway. I haven’t tested the ntp daemon over a long period of time (more
than about a day) so I don’t know if it just gives up for some arbitrarily
long period (MORE than a day) and then tries again. I seriously doubt it
does, because a day is a LONG time. This workaround isn’t ideal, because
for time consistency, one would want the time server to stay running at all
times. According to the ntpd documentation, ntpd tends to become more
accurate the longer it runs.

Chavous
=========================================

Sendmail
If you have followed all the steps of the recipe so far, your sendmail should be configured & ready to receive mail from the internet, however you should know a few more things about this. First, if you want your gateway to receive mail for more than one domain, you must make sure the all fully qualified domains are setup as aliases for your host in the file /etc/hosts.

The mail popper
All ingress mail is received & kept on the gateway untill some POP client on the intranet gets it. I use the “popa3d” server package because it is written with security in mind. It is now part of the main OpenBSD 3.0 distribution, so you don’t have to download it as a separate package. Simply enable it in the file /etc/inetd.conf and you should be up & running.

The installed packages
Just to do a quick check, here are the packages i have installed on my system:

pcreal# pkg_info
gmp-3.1.1 library for arbitrary precision arithmetic
python-2.1.1 interpreted object-oriented programming language
ntp-4.1.71 network time protocol implementation
libiconv-1.7 character set conversion library
gettext-0.10.40 GNU gettext
mhash-0.8.9 strong hash library
libtool-1.3.5p3 generic shared library support script
postgresql-7.1.3 PostgreSQL RDBMS
libmcrypt-2.4.15 interface to access block/stream encryption algorithms
c-client-4.40p1 University of Washington’s c-client mail access routines
php4-4.0.6p1-gettext-imap-mhash-no_x11-mcrypt-postgresql server-side HTML-embedded scripting language

The Secure Shell
The secure shell looks & feels exactly like telnet, except that all communication between the client and the server is encrypted. It is the only possible way to access your gateway, because the telnet daemon is disabled by default. Usage is very simple: just like telnet!

[real@pcreal Projects]$ ssh 192.168.1.2
real@192.168.1.2′s password:
Warning: Remote host denied X11 forwarding.
Last login: Sun Nov 5 12:58:08 2000 from 192.168.1.1
OpenBSD 2.7 (GENERIC) #1: Thu Nov 2 16:05:11 GMT 2000

pcreal:real {39}

Once you are logged in as an unprivileged user, member of the wheel group, you can use su to gain superuser privileges:

pcreal:real {39} su -
Password:
Terminal type? [nxterm]
pcreal#

The log files
There are many log files of high interest maintained automatically by your gateway. It is usually convenient to look at them with the “tail -f” command. The files i look at often are:

/var/log/messages
/var/log/maillog
/var/log/secure
/var/www/logs/access_log

Moreover, you can grab interesting info about the blocked packets on your firewall with the “ipmon” utility.

There are many other log files available for all kinds of things. Dig around to find more about them.

Installing IPSEC
Dave Cook has kindly provided us with a good description of how to install IPSEC on your OpenBSD boxen: file:///H:/OPENBSD/ipsec.pdf, in PDF (Acrobat) format. Be aware that it is a largish file (440K), and it might take some time for your Acrobat reader to load afterwards, so don’t hit the link repeatedly, it won’t make things load faster…

Apply the security patches!
Security patches are published there. APPLY THEM RELIGIOUSLY!
It is not really difficult, but you will need a copy of the complete, original source tree of the distribution. The compressed source archives are to be found with the distribution files. These are the 3.0 source files:

src.tar.gz 64447 Kb Tue May 1 16:18:00 2001 Unix Tape Archive
srcsys.tar.gz 13837 Kb Tue May 1 16:18:00 2001 Unix Tape ArchiveThey total about 80 MB. Once you have them, simply unpack them to ‘/usr/src’ and ‘/usr/src/sys’. The latter is the kernel proper.

Once you have your source tree, you can start downloading the patches, and apply them. Usually, all the currently published patches are availble in a single file. For 3.0, it is there. After that, simply watch the patch page from time to time, to keep updated.

Patches are either applied to an application (in ‘/usr/src’), or to the kernel ( in ‘/usr/src/sys’). Since all kernel patches should be installed, the thing i do is to apply all the kernel patches in one session, then i recompile my kernel once.

The applications you don’t use (e.g. ‘X11′, for example) don’t have to be patched & recompiled.

Reboot and enjoy!
You should be able to ssh into your new gateway from any machine on the intranet.

Redhat tar 自动备份和恢复脚本（RHEL4）

admin — Wed, 04 Mar 2009 10:14:01 +0000

自动备份脚本
#!/bin/bash
# df -k
#Filesystem 1K-blocks Used Available Use% Mounted on
#/dev/sda2 113852040 10113912 97954732 10% /
#/dev/sda1 790588 24680 725748 4% /boot
#none 1028008 0 1028008 0% /dev/shm
#/dev/sda5 19362784 10617104 7762104 58% /export/home
#
# to show how to set crontab
# [root@ad12 log]# crontab -l
# SHELL=/bin/bash
# 30 18 * * * /usr/local/william.w/backup-1.sh >> /usr/local/william.w/backup.log 2>&1
#
# to avoid the error: TERM environment variable not set.
TERM=linux
export TERM
cd /
clear
echo
echo
echo =====================================
echo this tool is used to backup the MMSC
echo =====================================
# to get the IP
IP1=`ifconfig | grep “inet addr:” | grep -v “inet addr:127.0.0.1″ | awk -F: ‘{printf $2}’`
IP2=${IP1%% *}
echo the server IP is $IP2
# to get the date
DATE=`date +%Y-%m-%d-%H`-tar
echo today is ${DATE%-*}
# to make a file folder to store the backp files, but if it was already exsit, just to overwirite it.
mkdir /export/home/$DATE 2> /dev/null
echo /export/home/$DATE has already exsited or been made.
echo and backup file will be backuped in this folder.
echo
# all backup files using tar file have been located in /export/home, and below command just sum the backup files and show them in the list.
NUM=`ls /export/home/ | grep tar | wc -l`
echo now we have $NUM tar folder, they are all under /export/home/
echo =================
ls -tr /export/home/ | grep tar
echo =================
# to caculate the used disk space for /export/home
USEDISK=`df -k |sed -n ‘/export/’p | awk ‘{print $5}’ |sed ‘s/\%//’`
if [ $USEDISK -gt 85 ]
then
echo USEDISK is $USEDISK%
echo WARNNIG: have no enough space to backup!
exit;
fi

echo USEDISK is $USEDISK%
if [ $USEDISK -gt 65 ]
then
echo “***************************”
echo ‘USEDISK is lager than 65!!!’
if [ $NUM -gt 2 ]
then
echo “***************************”
echo there are $NUM tar folders:
ls -tr /export/home/ | grep tar
echo “*****************************************”
# if the used disk space is beyond 65% and the number of tar-format-backup-file-folder is bigger than 2, we would delete these folders to keep the number to be less or equate 2
DIFF=`expr $NUM – 2`
# the number of file folders that would be deleted is $DIFF, and they would be deleted in below circle.
for dir in `ls -tr /export/home/ | grep tar | head -n $DIFF`
do
DISKSPACE=`df -k |sed -n ‘/export/’p | awk ‘{print $5}’ |sed ‘s/\%//’`
if [ $DISKSPACE -le 65 ]
then
echo now USEDISK is $DISKSPACE%, and it is OK
break;
fi
# line = $dir;
echo “`ls -tr /export/home/ | grep tar | head -n 1` will be deleted soon…”
echo …
rm -fr /export/home/$dir;
echo “$dir has been deleted successfully”
echo “———————————————–”
done
echo “********************************”
fi
fi
echo
echo “==========Begin to tar==============”
echo now below file folder would be tared:
# just show the list of file folder that would be backuped, and folder name has been add with “/” becuase this RHEL4.0 X86-64 does not show the root path.
echo ——————
ls / | grep -v -e proc -e mnt -e media -e lost+found -e export| sed ‘s/$[ ]\{1,\}$/\1\//g;s/^./\/&/g’
echo ——————
echo tar is working now…
echo please waiting…….
# prepare to show the file name, and the backup file name is $DATE/$RNAME-$IP3-$DAY.tar.gz locating at /export/home/$DATE/
# to backup all root file folders, but donot include /proc, /mnt, /media/, and /export
# all the display infomation would not show by >& /dev/null
# all error information would not show by 2> /dev/null
IP3=`echo $IP2 | awk -F. ‘{printf $3″.”$4}’`
DAY=`echo $DATE| awk -F- ‘{printf $2$3$4}’`
RNAME=`hostname | awk -F. ‘{printf $1}’`
tar -zcvPf /export/home/$DATE/$RNAME-$IP3-$DAY.tar.gz 2> /dev/null $(ls / | grep -v -e proc -e mnt -e media -e lost+found -e export) >& /dev/null
echo now backup is successful.
echo the file is /export/home/$DATE/$RNAME-$IP3-$DAY.tar.gz
echo “==================================End to tar=========================”
echo
# to list the backup folders
echo Summary of backup files:
echo ———————–
echo the img backup:
ls -t /export/home/ | grep img
echo ——————
echo the tar backup:
ls -t /export/home/ | grep tar
echo ——————
echo other files:
ls -t /export/home/ | grep -v tar |grep -v img
echo =================================
USEDISK1=`df -k |sed -n ‘/export/’p | awk ‘{print $5}’ |sed ‘s/\%//’`
echo before backup the USEDISK is $USEDISK%
echo at last the USEDISK is $USEDISK1%
echo =================================

自动恢复脚本
#!/bin/bash
cd /
clear
echo
echo
echo
echo =====================================
echo this tool is used to restore the MMSC
echo =====================================
echo
echo this restore command must be like “#/export/home/restore.sh backup-file-folder”
echo ——————————————————————————-
echo for example:
echo “#/export/home/restore.sh 2008-04-01-00-tar”
echo
# to get the date
DATE=`date +%Y-%m-%d-%H`-tar
echo today is ${DATE%-*}
# to get the IP
IP1=`ifconfig | grep “inet addr:” | grep -v “inet addr:127.0.0.1″ | awk -F: ‘{printf $2}’`
IP2=${IP1%% *}
IP3=`echo $IP2 | awk -F. ‘{printf $3″.”$4}’`
echo the server IP is $IP2
RNAME=`hostname | awk -F. ‘{printf $1}’`
echo the server name is $RNAME
# to get the path of the backup file, and it is /export/home/$1/
# to get the name of the backup file, and it is $RNAME-$IP3-$DAY.tar.gz
echo the restored folder and file are:
DAY=`echo $1| awk -F- ‘{printf $2$3$4}’`
echo /export/home/$1/$RNAME-$IP3-$DAY.tar.gz
echo ———————————————————
echo please wait……
# to restore the backup files under root path
cd /
tar -zxvPf /export/home/$1/$RNAME-$IP3-*.tar.gz 2> /dev/null -C / >& /dev/null
echo backup is successful
echo ——————–
echo

mysql备份脚本

admin — Wed, 04 Mar 2009 10:10:12 +0000

#!/bin/sh
#
# Copyright (C), 2008 bug All Rights Reserved
# Title : Database Backup Script
# Author : BUG
# File : db_bak.sh
# Version : 1.1.0
# Date :
# Email :
# License : General Public License (GPL) v2
# Description : Database Backup Script
#

initial() {
echo -en “\33[2J"
echo -en "\33[0;0H"
echo -en "\33[32m"
echo "------------------------------------------------------------"
echo "--- Database Backup Script ---"
echo "------------------------------------------------------------"
echo -en "\33[37m"
stty -echo
umask 077
mysqln=`echo 'show databases;' | /usr/local/mysql/bin/mysql -psjldafhkg | sed -n '3,$p'`
mysqlu="root"
mysqlp="********"
binpath="/usr/local/mysql/bin"
dstpath="/pri/bak/sql_bak/"
runuser=`ps aux | grep $$ | sed -n "1p" | awk '{ print $1 }'`
mkdir -p $dstpath/`date +%y%m%d`
exec 3>>$dstpath/`date +%y%m%d`/db_bak.log
}

initial

echo -e "\n[`date +%y/%m/%d\ %H:%M:%S`] Database Backup Script start by $runuser PID:$$” >&3

if [ -f "$dstpath/`date +%y%m%d`/lock" ]
then
echo -e “\33[33mIt's has completed by `cat $dstpath/\`date +%y%m%d\`/lock`!!!\33[37m"
echo "[`date +%y/%m/%d\ %H:%M:%S`] It’s has completed by `cat $dstpath/\`date +%y%m%d\`/lock`!!!” >&3
else
echo -e “Database\tExport\tCompress\tSql\tTgz\tRate”
echo -e “\33[32m------------------------------------------------------------\33[37m"
cd $dstpath/`date +%y%m%d`
for db in $mysqln
do
echo -n "$db"
$binpath/mysqldump --opt -u$mysqlu -p$mysqlp $db > $dstpath/`date +%y%m%d`/$db.sql 2> /dev/null
RETVAL1=$?
if [ $RETVAL1 -eq 0 ]
then
sqlsize=`du -k $db.sql | cut -f1`
echo -n “[`date +%y/%m/%d\ %H:%M:%S`]” >&3
echo -n “$db” | awk ‘{printf ” %-17s”, $1}’ >&3
echo -n “OK ” >&3
echo -en “\r\t\t \33[32mOK\33[37m\t"
tar -czvf $db.tgz $db.sql > /dev/null 2>&1
RETVAL2=$?
if [ $RETVAL2 -eq 0 ]
then
tgzsize=`du -k $db.tgz | cut -f1`
echo “OK” >&3
rm -f $dstpath/`date +%y%m%d`/$db.sql
echo -en ” \33[32mOK\33[37m"
echo -en "\33[33m"
echo -en "$sqlsize" | awk '{printf "%12sKB", $1}'
echo -en "$tgzsize" | awk '{printf "%6sKB", $1}'
echo "$sqlsize $tgzsize" | awk '{printf "%8.0f%",$2/$1*100}'
echo -e "\33[37m"
else
echo "Compress fail return $RETVAL2" >&3
echo -e " \33[31mfail\33[37m"
fi
else
echo -n "[`date +%y/%m/%d\ %H:%M:%S`]” >&3
echo -n “$db” | awk ‘{printf ” %-17s “, $1}’ >&3
echo “Export fail return $RETVAL1″ >&3
echo -en “\r\t\t \33[31mfail\33[37m”
fi
done
echo “`date +%H:%M:%S`”>$dstpath/`date +%y%m%d`/lock
fi

linux下的bash与sh 详解以及实例

admin — Wed, 04 Mar 2009 09:45:48 +0000

关于bash与sh的话题（限于一般linux），以下个人的一些总结及理解，有理解错误的地方还望指点

1、bash的POSIX标准

在一般的linux系统当中（如redhat），
使用sh调用执行脚本相当于打开了bash的POSIX标准模式
（等效于bash的 –posix 参数）

一般的，sh是bash的“子集”
（不是子集的部分，具体区别见下的“Things sh has that bash does not”）

例子：

[wwy@sf-watch test]$ cat t2.sh
#!/bin/bash
diff <(echo xxx) <(echo yyy)

[wwy@sf-watch test]$ bash -x ./t2.sh # 使用bash 调用，不会出问题
+ diff /dev/fd/63 /dev/fd/62
++ echo xxx
++ echo yyy
1c1
< xxx
---
> yyy
[wwy@sf-watch test]$ sh ./t2.sh # 而用sh调用，报错如下
./t2.sh: line 3: syntax error near unexpected token `(‘
./t2.sh: line 3: `diff <(echo xxx) <(echo yyy)'
[wwy@sf-watch test]$ echo $?
2

但是，在我们的linux系统中，sh是bash的一个软链接：

[wangweiyu@ComSeOp mon]$ which sh
/bin/sh
[wangweiyu@ComSeOp mon]$ ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Mar 21 2007 /bin/sh -> bash

那为什么上面的例子中还会出现问题呢？原因在于：
bash程序执行，当“$0”是“sh”的时候，
则要求下面的代码遵循一定的规范，当不符合规范的语法存在时，则会报错，
所以可以这样理解，
“sh”并不是一个程序，而是一种标准（POSIX），
这种标准，在一定程度上（具体区别见下面的“Things bash has that sh does not”）保证了脚本的跨系统性（跨UNIX系统）

下面的内容详细的说明了bash与sh在语法等方面的具体差异（引自Bash FAQ）：

Things bash has that sh does not:

long invocation options
[+-]O invocation option
-l invocation option
`!’ reserved word to invert pipeline return value
`time’ reserved word to time pipelines and shell builtins
the `function’ reserved word
the `select’ compound command and reserved word
arithmetic for command: for ((expr1 ; expr2; expr3 )); do list; done
new $’…’ and $”…” quoting
the $(…) form of command substitution
the $( $(cat filename)
the ${#param} parameter value length operator
the ${!param} indirect parameter expansion operator
the ${!param*} prefix expansion operator
the ${param:offset[:length]} parameter substring operator
the ${param/pat[/string]} parameter pattern substitution operator
expansions to perform substring removal (${p%[%]w}, ${p#[#]w})
expansion of positional parameters beyond $9 with ${num}
variables: BASH, BASH_VERSION, BASH_VERSINFO, UID, EUID, REPLY,
TIMEFORMAT, PPID, PWD, OLDPWD, SHLVL, RANDOM, SECONDS,
LINENO, HISTCMD, HOSTTYPE, OSTYPE, MACHTYPE, HOSTNAME,
ENV, PS3, PS4, DIRSTACK, PIPESTATUS, HISTSIZE, HISTFILE,
HISTFILESIZE, HISTCONTROL, HISTIGNORE, GLOBIGNORE, GROUPS,
PROMPT_COMMAND, FCEDIT, FIGNORE, IGNOREEOF, INPUTRC,
SHELLOPTS, OPTERR, HOSTFILE, TMOUT, FUNCNAME, histchars,
auto_resume
DEBUG trap
ERR trap
variable arrays with new compound assignment syntax
redirections: <>, &>, >|, <<<, [n]<&word-, [n]>&word-
prompt string special char translation and variable expansion
auto-export of variables in initial environment
command search finds functions before builtins
bash return builtin will exit a file sourced with `.’
builtins: cd -/-L/-P, exec -l/-c/-a, echo -e/-E, hash -d/-l/-p/-t.
export -n/-f/-p/name=value, pwd -L/-P,
read -e/-p/-a/-t/-n/-d/-s/-u,
readonly -a/-f/name=value, trap -l, set +o,
set -b/-m/-o option/-h/-p/-B/-C/-H/-P,
unset -f/-v, ulimit -i/-m/-p/-q/-u/-x,
type -a/-p/-t/-f/-P, suspend -f, kill -n,
test -o optname/s1 == s2/s1 < s2/s1 > s2/-nt/-ot/-ef/-O/-G/-S
bash reads ~/.bashrc for interactive shells, $ENV for non-interactive
bash restricted shell mode is more extensive
bash allows functions and variables with the same name
brace expansion
tilde expansion
arithmetic expansion with $((…)) and `let’ builtin
the `[[...]]’ extended conditional command
process substitution
aliases and alias/unalias builtins
local variables in functions and `local’ builtin
readline and command-line editing with programmable completion
command history and history/fc builtins
csh-like history expansion
other new bash builtins: bind, command, compgen, complete, builtin,
declare/typeset, dirs, enable, fc, help,
history, logout, popd, pushd, disown, shopt,
printf
exported functions
filename generation when using output redirection (command >a*)
POSIX.2-style globbing character classes
POSIX.2-style globbing equivalence classes
POSIX.2-style globbing collating symbols
egrep-like extended pattern matching operators
case-insensitive pattern matching and globbing
variable assignments preceding commands affect only that command,
even for builtins and functions
posix mode and strict posix conformance
redirection to /dev/fd/N, /dev/stdin, /dev/stdout, /dev/stderr,
/dev/tcp/host/port, /dev/udp/host/port
debugger support, including `caller’ builtin and new variables
RETURN trap
the `+=’ assignment operator

Things sh has that bash does not:
uses variable SHACCT to do shell accounting
includes `stop’ builtin (bash can use alias stop=’kill -s STOP’)
`newgrp’ builtin
turns on job control if called as `jsh’
$TIMEOUT (like bash $TMOUT)
`^’ is a synonym for `|’
new SVR4.2 sh builtins: mldmode, priv

Implementation differences:
redirection to/from compound commands causes sh to create a subshell
bash does not allow unbalanced quotes; sh silently inserts them at EOF
bash does not mess with signal 11
sh sets (euid, egid) to (uid, gid) if -p not supplied and uid < 100
bash splits only the results of expansions on IFS, using POSIX.2
field splitting rules; sh splits all words on IFS
sh does not allow MAILCHECK to be unset (?)
sh does not allow traps on SIGALRM or SIGCHLD
bash allows multiple option arguments when invoked (e.g. -x -v);
sh allows only a single option argument (`sh -x -v' attempts
to open a file named `-v', and, on SunOS 4.1.4, dumps core.
On Solaris 2.4 and earlier versions, sh goes into an infinite
loop.)
sh exits a script if any builtin fails; bash exits only if one of
the POSIX.2 `special' builtins fails

2、调用相关：

在脚本的调用方面（interactive、login相关），bash与sh也是存在差异
以下是详细说明（假如被调用执行的脚本名字叫xxx.sh）

BASH：

1、交互式的登录shell （bash –il xxx.sh）
载入的信息：
/etc/profile
~/.bash_profile（ -> ~/.bashrc -> /etc/bashrc）
~/.bash_login
~/.profile

2、非交互式的登录shell （bash –l xxx.sh）
载入的信息：
/etc/profile
~/.bash_profile （ -> ~/.bashrc -> /etc/bashrc）
~/.bash_login
~/.profile
$BASH_ENV

3、交互式的非登录shell （bash –i xxx.sh）
载入的信息：
~/.bashrc （ -> /etc/bashrc）

4、非交互式的非登录shell （bash xxx.sh）
载入的信息：
$BASH_ENV

SH：

1、交互式的登录shell
载入的信息：
/etc/profile
~/.profile

2、非交互式的登录shell
载入的信息：
/etc/profile
~/.profile

3、交互式的非登录shell
载入的信息：
$ENV

4、非交互式的非登录shell
载入的信息：
nothing

由此可以看出，最主要的区别在于相关配置文件的是否载入，
而这些配置的是否载入，也就导致了很多默认选项的差异
（具体请仔细查看~/.bash_profile 等文件）

如：

[wangweiyu@ComSeOp ~]$ grep ulimit /etc/profile
ulimit -S -c unlimited > /dev/null 2>&1

即，如果/etc/profile没有被载入，则不会产生core dump

3、关于ssh

非常值得一提的是，使用ssh远程执行命令，
远端sshd进程通过“bash –c”的方式来执行命令（即“非交互式的非登录shell”）
所以这一点，和登录之后再在本地执行执行命令，就存在了一定的差异

如：

[wangweiyu@ComSeOp ~]$ ssh wangweiyu@127.0.0.1 ‘echo $-’
wangweiyu@127.0.0.1′s password:
hBc
[wangweiyu@ComSeOp ~]$ echo $-
himBH
[wangweiyu@ComSeOp ~]$ ssh wangweiyu@127.0.0.1 ‘echo $0′
wangweiyu@127.0.0.1′s password:
bash
[wangweiyu@ComSeOp ~]$ echo $0
-bash

注：
“$-” 中含有“i”代表“交互式shell”
“$0”的显示结果为“-bash”，bash前面多个“-”，代表“登录shell”
没有“i“和“-”的，是“非交互式的非登录shell”

另外还有一点，虽然ssh远程执行的命令是“非交互式的非登录shell”，
但在执行命令之前，ssh的那一次登录本身是“交互式的登录shell”，所以其会先载入“~/.bash_profile”

如：

[wangweiyu@ComSeOp ~]$ cat .bashrc
# .bashrc
# User specific aliases and functions
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
echo ‘xxx’ # 随便输出一些字符

[wangweiyu@ComSeOp ~]$ ssh wangweiyu@127.0.0.1 ‘echo $-’
wangweiyu@127.0.0.1′s password:
xxx # .bashrc 被执行
hBc

这一点，衍生出一个关于scp的问题，scp在传输数据之前，会先进行一次ssh登录，
而当.bashrc文件有输出的时候，则会导致scp失败！原因是解析返回的数据包出现混乱

如：

[wangweiyu@ComSeOp ~]$ cat .bashrc
# .bashrc
# User specific aliases and functions
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
echo ‘xxx’ # 随便输出一些字符
[wangweiyu@ComSeOp ~]$ scp file wangweiyu@127.0.0.1:/tmp
wangweiyu@127.0.0.1′s password:
xxx # 输出xxx，随后scp失败
[wangweiyu@ComSeOp ~]$ echo $?
1
[wangweiyu@ComSeOp ~]$ ls /tmp/
[wangweiyu@ComSeOp ~]$

简单的shell备份脚本

admin — Sat, 21 Feb 2009 04:13:08 +0000

现：每周一对指定目录进行打包上传FTP，周二至周日做更新备份上传；

#!/bin/sh
backup_dir=”/var/tmp/shell/”
DAT=`date | awk ‘{print $1}’`
if [ $DAT = 'Mon' ]
then
filename=”`date +%G%m%d`.tar”
if [ -f $backup_dir$filename ]
then
rm -f $backup_dir$filename || echo “The backup is failure,please check” && exit
else
tar cvf $backup_dir$filename /var/tmp/tmp || echo “The backup is failure,please check” && exit
echo “Backup succeed”
fi
else

date=`date +%w`
aa=`expr $date – 1 `
bb=”`date +%G%m%d`”
cc=`expr $bb – $aa`
filename=”$cc.tar”
t1=`date +%d`
t2=`expr $t1 – 1 `
yesterday=`date +%Y\/%m\/`$t2
tar -N “$yesterday” -cvf $backup_dir$filename /var/tmp/tmp
echo “update”
fi

#ftp-put
host=’x.x.x.x’
user=’test’
passwd=’pass’
mode=’bin’
echo “Backup starting, please wait…”
ftp -i -n < open $host
user $user $passwd
$mode
mput $filename
bye
!
echo “Backup finished”

Solaris 系统管理 – 运行状态的种类和关机命令的区别

admin — Tue, 17 Feb 2009 06:39:33 +0000

§1 Solaris 系统管理简介

§1.1 系统管理员的职责

★熟悉shell

ü 常用的shell命令

ü 常用的Bourne shell命令

ü 常用的C shell命令

ü 常用的Korn shell命令

★用户和组管理

ü 添加用户

ü 删除用户

ü 更改用户信息

ü 创建删除组

★角色管理

ü 针对特殊任务授权超级用户权限

ü 创建修改删除角色

★文件系统管理

ü 文件系统的类型

ü 加载移除文件系统

ü 文件系统一致性检查

ü 备份恢复文件和文件系统

ü 创建cache文件系统

★设备管理

ü 理解设备自动配置

ü 使用DVD-ROM设备

ü 使用磁带

ü 格式化操盘

ü 磁盘使用监控

ü 服务访问技巧

ü 设置双向modem.

★管理系统

ü 查找系统信息

ü 创建本地邮件别名

ü 配置其他的交换空间

ü 管理时间和日期

★打印管理

ü 安装打印服务器和客户端

ü 使用打印命令

★认识文件访问问题

ü 通过查找path来坚定问题

ü 通过权限和所有来解决问题

ü 通过网络定位问题

本书不包含安装系统软件,安装第3方软件,配置管理网络服务,配置邮件服务,添加删除硬件,安全管理和账号,系统监控和网络性能等.

§1.2 超级用户

超级用户的UID是0,su到超级用户的log在: /var/adm/sulog, 如果需要使用环境变量,使用su –

§1.3 用户之间通信

ü 登陆时的信息显示: /etc/motd

ü 发送消息给单个用户: write ,要在线的才可以发送

比如: bash-2.03# write meil

meil is logged on more than one place.

You are connected to “pts/2″.

Other locations are:

pts/3

good Afternoon

bash-2.03#

ü 发送消息给所有用户 wall

ü 发送消息给网络用户 rwall

ü Email

§1.4 启动关闭系统

需要关键的情况如下:

· Turning off system power.

· Installing a new release.

· Preparing for a power outage.

· Adding hardware to a system.

· Performing maintenance on a file system.

§1.5选择初始状态

Table 1. System Init States

Init State

Function

Power-down state.

S, or s

Single-user state. All file systems mounted.

Administrative state. All file systems mounted and user logins allowed.

Multiuser state (resources not exported). All daemons are running except the NFS server daemons.

Multiuser state. NFS resource-sharing available.

4

Alternative multiuser state (currently unused).

Power-down state. Shut down the operating system so that it is safe to turn off power to the system. If possible, turn off power on systems that support this feature.

Reboot. Shut down the system to init state 0 and then reboot to the multiuser state defined in the inittab file.

/etc/inittab定义的重要内容如下:

· The default run level for the system.

· The processes to start, monitor, and restart if they terminate.

· Actions to take when the system enters a new run level.

它的字段如下:

Field

Description

A unique identifier for the entry.

rstate

A list of run levels to which this entry applies.

action

How the process specified in the process field is to be run. Possible values include initdefault, sysinit, boot, bootwait, wait, and respawn.

process

The command to execute.

比如:

bash-2.03# vi /etc/inittab

“/etc/inittab” 17 lines, 1081 characters

ap::sysinit:/sbin/autopush -f /etc/iu.ap

ap::sysinit:/sbin/soconfig -f /etc/sock2path

fs::sysinit:/sbin/rcS sysinit >/dev/msglog 2<>/dev/msglog

is:3:initdefault:

p3:s1234:powerfail:/usr/sbin/shutdown -y -i5 -g0 >/dev/msglog 2<>/dev/msglog

sS:s:wait:/sbin/rcS >/dev/msglog 2<>/dev/msglog

s0:0:wait:/sbin/rc0 >/dev/msglog 2<>/dev/msglog

s1:1:respawn:/sbin/rc1 >/dev/msglog 2<>/dev/msglog

s2:23:wait:/sbin/rc2 >/dev/msglog 2<>/dev/msglog

s3:3:wait:/sbin/rc3 >/dev/msglog 2<>/dev/msglog

s5:5:wait:/sbin/rc5 >/dev/msglog 2<>/dev/msglog

s6:6:wait:/sbin/rc6 >/dev/msglog 2<>/dev/msglog

fw:0:wait:/sbin/uadmin 2 0 >/dev/msglog 2<>/dev/msglog

of:5:wait:/sbin/uadmin 2 6 >/dev/msglog 2<>/dev/msglog

rb:6:wait:/sbin/uadmin 2 1 >/dev/msglog 2<>/dev/msglog

sc:234:respawn:/usr/lib/saf/sac -t 300

co:234:respawn:/usr/lib/saf/ttymon -g -h -p “`uname -n` console login: ” -T sun -d /dev/console -l console -m ldterm,ttcompat

init的执行脚本sbin中,

bash-2.03# ls /sbin/rc*

/sbin/rc0 /sbin/rc1 /sbin/rc2 /sbin/rc3 /sbin/rc5 /sbin/rc6 /sbin/rcS

控制文件在/etc/init.d中,它们连接到/etc/rc*.d, 其下面的文件K开头的表示kill, S开头的表示start

有用的shell命令

admin — Tue, 17 Feb 2009 06:30:48 +0000

sort ad.txt | uniq -u > ad_net.txt

例如，你ad.txt 有许多重重的数据，要处理一下，就可以用这个命令将多余的，重复的数据清除掉，只保持唯一的一条数据记录。。。

vi 编辑器使用手册

admin — Thu, 05 Feb 2009 13:58:35 +0000

“To me, vi is Zen.
To use vi is to practice zen.
Every command is a koan.
Profound to the user,
unintelligible to the uninitiated.
You discover truth every time you use it.”
–reddy@lion.austin.com
“对我来说，vi就是禅。
用vi就是坐禅。
每一个命令就是一个心印
对皈依者意义深远
对不了解者不可捉摸
每一次使用都会有新的发现”

VI是所有*NIX类系统都内置的一个命令行文本编辑软件，功能强大，命令繁多。初学时很难上手，但是一旦你熟悉之后，相信你不会再想使用其他的编辑软件。

本篇假定你已经熟悉VI的一些基本命令，如：
vi httpd.conf #打开一个名为httpd.conf的文档，如果不存在，将在当前目录下创建此文档；
输入“：wq”：存盘推出命令。
输入“：q！”：不存盘，强制推出
ESC：在命令模式与输入模式之间切换
i，I或者o等：插入文本命令……..

VI之一：光标移动篇

这里我们先学习一下如何在一篇打开的文档中进行光标移动。

1. 方向键h,j,k,l.
h: 将光标向左移动一个字符
j: 将光标向下移动一个字符
k: 将光标向上移动一个字符
l: 将光标向右移动一个字符

这四个键相当于方向键,另设它们的好处是:你的手指不必离开正常的输入位置

2. 按字符移动的命令
fx: 移动光标至当前行下一个x字符处;使用;来重复上一次的f移动
tx: 同fx，但是移动光标至x字符前，而不是x字符上
Fx：通fx，但反方向移动

w:前移光标至下一个单词第一字符
W:前移光标至下一个长单词第一字符
e: 前移光标至下一个单词最后字符
E: 前移光标至下一个长单词最后字符
b: 前一单词第一字符
B: 前一长单词第一字符
(vi 按空格或标点符号分隔单词,按空格或新行来分隔长单词)

(: 到句首
): 到句尾

0: 到行首
^: 到行首第一字符
$: 到行尾

{: 到段首
}: 到段尾

*: 读取光标当前所在位置的字符,并将向前移动至下一个同样的字符
#: 和*功能相同,但反方向移动光标

Ctrl+F: 向前滚屏
Ctrl+B: 向后滚屏
H,M,L: 移动光标至屏幕的顶端,中间,底端

G: 移动光标至文档最后一行
numG: 移动光标至第num行

/text: 从光标处开始,向前搜索”text”字串
?text: 同上,但搜索方向相反

分享mail服务器mysql数据库备份脚本

admin — Fri, 16 Jan 2009 07:54:33 +0000

功能：备份mysql数据库中mail的数据库数据,并用gz压缩，先备份到本地，然后自动上传到指定的ftp服务器,备份日志email到指定的邮箱

^?View Code SHELL

[root@mail cron.daily]# cat mailmysql_backup_ftp
#!/bin/bash
#Mysql Autobackup Shell
 
#DB env
dbuser=root
dbpasswd=root
dbserver=localhost
dbname=extmail
#dbopt=--opt
backupdir=/home/mysql-backup/
 
#FTP 0 is disable,1 is enable
copytoftp=1
ftpserver=10.1.1.8
ftpuser=admin
ftppasswd=admin
fileprefix=extmail
dumpfilename=$backupdir`date +%F`.sql
newfile=$fileprefix-`date +%F`.gz
keepdays=16
 
#Backup log
logfile=/tmp/mysqldump.log
logtmp=/tmp/mysqldump.tmp
 
#mail 0 is diable,1 is enable
mailenable=1
mailaddress=ruochen0926@hotmail.com
 
#Backup script
#===============================================
if [ ! -d $backupdir ]
then
        echo "$backupdir is not exist, then make ..." > $logfile
        mkdir -p $backupdir
fi
echo "start====================================>">$logfile
echo "Beginning backup `date '+%F %T'`" >>$logfile
echo "Delete $keepdays days ago files ..." >>$logfile
find $backupdir -name $fileprefix* -mtime +$keepdays -fls $logtmp -exec rm {} \;
echo "Deleted Backup File Is :">>$logfile
cat $logtmp >>$logfile
echo "Delete old file Success!" >>$logfile
if [ -f $backupdir$newfile ]
then
echo "$newfile backup exist, backup stop ..." >>$logfile
else
        if [ -z $dbpasswd ]
        then
#        mysqldump -u$dbuser -h$dbserver $dbopt $dbname >$dumpfilename
        /usr/bin/mysqldump -u$dbuser -h$dbserver $dbopt $dbname >$dumpfilename
        else
#        /opt/lampp/bin/mysqldump -u$dbuser -p$dbpasswd -h$dbserver $dbopt $dbname | gzip > /opt/apache/mysqlbackup/$newfile
        /usr/bin/mysqldump -u$dbuser -p$dbpasswd -h$dbserver $dbopt $dbname | gzip > $backupdir/$newfile
        fi
#        tar czvf $backupdir$newfile $dumpfilename >>$logfile 2>&1
#        gzip $dumpfilename  $newfile  >>$logfile 2>&1
        echo "$backupdir$newfile Backup Success!" >>$logfile
        rm -fr $dumpfilename
 
if [ $copytoftp = 1 ];  then
        if [ -z $ftpserver ];then
        echo "Ftp Server not set,Copy to Ftp Failed ..." >>$logfile
        exit 1
        elif [ -z $ftpuser ];then
        echo "Ftp user not set, Copy to Ftp Failed ..." >>$logfile
        exit 2
        elif [ -z $ftppasswd ]; then
        echo "Ftp password not set, Copy to Ftp Failed ..." >>$logfile
        exit 3
        else
        echo "Start copy to Ftp server ...." >> $logfile
ftp -n<>$logfile
echo "End=======================================|">>$logfile
fi
 
if [ $mailenable=1 ];
    then
      mail -s "Mail Server Mysql Backup Status" $mailaddress<$logfile
fi

WEB服务端故障监控及恢复脚本

admin — Fri, 19 Dec 2008 13:43:12 +0000

为过好中秋，给所有WEB Server前端机器加了个脚本，运行良好，特奉献给广大的linux系统管理员同志：）

一，首先构建判断WEB Server是否正常的html测试文件及虚拟主机配置:

在Apache添加：health.mydomain.com 的虚拟主机，指到/web/php：

ServerName health.mydomain.com

DocumentRoot /web/php/

ErrorLog /dev/null

CustomLog /dev/null combined

hosts文件加入:

xxx.xxx.xxx.xxx health.mydomain.com

在/web/php新建一html用来判断apache是否正常:

文件名 health.html

WEBSERVEROK

二，编写脚本，并输出监控日志到/var/log/health.log:

三，加到服务器每隔5分钟运行的cron:

*/5 * * * * root /web/health.sh

——————————— /web/health.sh ————————————

#!/bin/bash

#The WEB Server Status Check and Repair Script.

#(C) Zoey Last Date:2008-09-12

TMP=/tmp/health.html

HEALTH=”WEBSERVEROK”

REQUEST_APACHE=http://health.mydomain.com:81/health.html

REQUEST_SQUID=http://health.mydoamin.com:80/health.html

LOGDATE=”$(date +%F) $(date +%T) $HOSTNAME ”

LOGFILE=/var/log/health.log

export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin

[ ! -f $LOGFILE ] && touch $LOGFILE

function Check_Status()

{

local RETRY=1

local SUCCESS=0

while [ $RETRY -le 3 ]; do

[ -f $TMP ] && rm -f $TMP

curl $2 > $TMP 2>&1

STATUS=$(egrep -o “$HEALTH” $TMP)

if [ x$STATUS = x ]; then

echo “${LOGDATE}$1 检查失败重新检查 $1 第 $RETRY 次，重试…” >> $LOGFILE

let RETRY=$RETRY+1

sleep 2

continue

if [ $STATUS = "$HEALTH" ]; then

echo “${LOGDATE}$1 工作正常!” >> $LOGFILE

SUCCESS=1

break

else

echo “${LOGDATE}$1 检查失败重新检查 $1 第 $RETRY 次，重试…” >> $LOGFILE

let RETRY=$RETRY+1

sleep 2

done

if [ $SUCCESS -eq 0 ]; then

let FC=$RETRY-1

echo “${LOGDATE}重复 $FC 次检查 $1 状态失败，准备重新启动 $1!” >> $LOGFILE

RETURN=0

else

RETURN=1

rm -f $TMP

}

Check_Status Apache $REQUEST_APACHE

if [ $RETURN -eq 0 ]; then

PID=$(ps -ef | grep httpd | sed ‘/grep/d’ | wc -l)

if [ $PID -ge 1 ]; then

echo “${LOGDATE} 发现 Apache 进程存在，杀死并重新启动…” >> $LOGFILE

HTTP_PID=$(ps -ef | grep httpd | sed ‘/grep/d’ | awk ‘{print $2}’)

kill -9 $HTTP_PID > /dev/null 2>&1

service httpd start > /dev/null 2>&1

else

service httpd start > /dev/null 2>&1

sleep 2

PID=$(ps -ef | grep httpd | sed ‘/grep/d’ | wc -l)

if [ $PID -ge 1 ]; then

echo “${LOGDATE}重新启动 Apache 成功!” >> $LOGFILE

else

echo “${LOGDATE}重新启动 Apache 失败!” >> $LOGFILE

# 此处添加启动失败报警（以后完成)

Check_Status SQUID $REQUEST_SQUID

if [ $RETURN -eq 0 ]; then

PID=$(ps ax | grep “(squid)” | sed ‘/grep/d’ | wc -l)

if [ $PID -ge 1 ]; then

echo “${LOGDATE} 发现 SQUID 进程存在，杀死并重新启动…” >> $LOGFILE

SQUID_PID=$(ps -ef | grep “(squid)” | sed ‘/grep/d’ awk ‘{print $2}’)

kill -9 $SQUID_PID > /dev/null 2>&1

service squid start > /dev/null 2>&1

else

service squid start > /dev/null 2>&1

sleep 2

PID=$(ps ax | grep “(squid)” | sed ‘/grep/d’ | wc -l)

if [ $PID -ge 1 ]; then

echo “${LOGDATE}重新启动 SQUID 成功!” >> $LOGFILE

else

echo “${LOGDATE}重新启动 SQUID 失败!” >> $LOGFILE

# 此处添加启动失败报警 (以后完成)

温室小花.技术.博客 --纯粹的unix技术博客 » shell

unix常用指令及参数

Step-by-Step Guide to Building an OpenBSD PPPoE Gateway, with Firewall

Redhat tar 自动备份和恢复脚本 （RHEL4）

mysql备份脚本

linux下的bash与sh 详解以及实例

简单的shell备份脚本

Solaris 系统管理 – 运行状态的种类和关机命令的区别

有用的shell命令

vi 编辑器使用手册

分享mail服务器mysql数据库备份脚本

WEB服务端故障监控及恢复脚本

Redhat tar 自动备份和恢复脚本（RHEL4）