Empty a file in Linux

16 03 2010

Emptying a file in Linux without tampering with any attribute of that file is easy. The only command needed is the output-redirection operator > on its own.

# ls -l
-rwxr-xr-x 1 root root 177 Feb 9 13:33 flush
# > flush
# ls -l
-rwxr-xr-x 1 root root 0 Feb 9 13:33 flush





System Logs in Linux

14 02 2010

System logs play a crucial part in spotting changes, especially an intruder’s tracks. syslogd uses /etc/syslog.conf to decide how all system logs are recorded. Some machines have syslogd disabled and run syslog-ng or rsyslog instead.

Inside /var/log, there are some system logs worth mentioning:
1. /var/log/secure contains successful and failed authentication records for both users and applications
less /var/log/secure
Feb 14 15:16:46 centos sshd[6097]: Accepted password for ambient from 192.168.200.15 port 2236 ssh2
Feb 14 15:16:47 centos sshd[6097]: pam_unix(sshd:session): session opened for user ambient by (uid=0)
Feb 14 15:16:57 centos su: pam_unix(su:session): session opened for user root by ambient(uid=500)
Feb 14 15:56:39 centos sshd[6218]: Accepted password for ambient from 192.168.200.15 port 2770 ssh2
Feb 14 15:56:40 centos sshd[6218]: pam_unix(sshd:session): session opened for user ambient by (uid=0)
Feb 14 15:57:50 centos su: pam_unix(su:session): session opened for user root by ambient(uid=500)

2. /var/log/messages : general system messages can be seen here
3. application logs: consult each application's README for the location of its specific log files.
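As an added example (not part of the original post), a small Python checker that applies the review a forensic analyst would run over the /var/log/secure lines above: it counts ssh logins per user and source, lists every su session that ended up as root, and flags logins from sources outside a list the reviewer supplies. The regular expressions and the extra 10.0.0.9 line are constructed for this example.

```python
import re
from collections import Counter

# Patterns for the two /var/log/secure line types shown above: an sshd login and
# a su session that is opened as root.
SSH_ACCEPT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")
SU_ROOT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ su: pam_unix\(su:session\): session opened "
    r"for user root by (?P<user>\w+)\(uid=(?P<uid>\d+)\)")

def summarize_secure(lines, known_sources=()):
    """Count ssh logins per (user, source), list su-to-root events, and flag logins
    from sources not in known_sources (pass an empty tuple to flag nothing)."""
    logins, su_root, unexpected = Counter(), [], []
    for line in lines:
        m = SSH_ACCEPT.match(line)
        if m:
            logins[(m["user"], m["src"])] += 1
            if known_sources and m["src"] not in known_sources:
                unexpected.append((m["ts"], m["user"], m["src"]))
            continue
        m = SU_ROOT.match(line)
        if m:
            su_root.append((m["ts"], m["user"], int(m["uid"])))
    return {"logins": dict(logins), "su_root": su_root, "unexpected": unexpected}

# The six lines from the listing above plus one constructed login from a new source.
SAMPLE_SECURE = [
    "Feb 14 15:16:46 centos sshd[6097]: Accepted password for ambient from 192.168.200.15 port 2236 ssh2",
    "Feb 14 15:16:47 centos sshd[6097]: pam_unix(sshd:session): session opened for user ambient by (uid=0)",
    "Feb 14 15:16:57 centos su: pam_unix(su:session): session opened for user root by ambient(uid=500)",
    "Feb 14 15:56:39 centos sshd[6218]: Accepted password for ambient from 192.168.200.15 port 2770 ssh2",
    "Feb 14 15:56:40 centos sshd[6218]: pam_unix(sshd:session): session opened for user ambient by (uid=0)",
    "Feb 14 15:57:50 centos su: pam_unix(su:session): session opened for user root by ambient(uid=500)",
    "Feb 14 16:02:11 centos sshd[6301]: Accepted password for ambient from 10.0.0.9 port 3102 ssh2",
]

if __name__ == "__main__":
    report = summarize_secure(SAMPLE_SECURE, known_sources=("192.168.200.15",))
    for (user, src), n in sorted(report["logins"].items()):
        print(f"{n} ssh login(s) for {user} from {src}")
    for ts, user, uid in report["su_root"]:
        print(f"{ts}: {user} (uid={uid}) opened a root session via su")
    for ts, user, src in report["unexpected"]:
        print(f"REVIEW {ts}: {user} logged in from unlisted source {src}")
```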

Important user access log files

Investigators and computer forensic analysts detect anomalous activity by analysing these files; conversely, intruders need to cover their tracks in them.
1. utmp : a binary file in /var/run or /var/adm containing current user session information; the who command displays its contents.
[root@centos ambient]# who
ambient pts/1 2010-02-14 15:16 (192.168.200.15)
ambient pts/2 2010-02-14 15:56 (192.168.200.15)

2. wtmp : a binary file in /var/log or /var/adm containing login and logout history; the last command displays it.
[root@centos ambient]# last
ambient pts/2 192.168.200.15 Sun Feb 14 15:56 still logged in
ambient pts/1 192.168.200.15 Sun Feb 14 15:16 still logged in
ambient pts/1 192.168.200.15 Sat Feb 6 21:58 - 22:13 (00:14)
ambient pts/1 192.168.200.15 Sat Feb 6 16:07 - 17:52 (01:45)
reboot system boot 2.6.18-164.el5PA Sat Feb 6 16:02 (7+23:57)

3. lastlog : /var/log/lastlog records the time and source of each user's most recent login; the lastlog command displays it.
[root@centos ambient]# lastlog
Username Port From Latest
root **Never logged in**
bin **Never logged in**
ambient pts/2 192.168.200.15 Sun Feb 14 15:56:40 +0700 2010
user1 **Never logged in**
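As an added example (not from the post), a Python reader for the binary utmp/wtmp records above, which lets an investigator reconstruct sessions from a copied wtmp file without depending on the last binary of the examined machine. It assumes the 384-byte glibc record layout used on i386 and x86_64 Linux; the sample image is constructed to mirror the last output above.

```python
import struct
from datetime import datetime, timezone

# struct utmp as glibc lays it out on i386/x86_64 (384 bytes; an assumption about the
# box above): ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# exit_status (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 reserved bytes.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)       # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_utmp(blob):
    """Decode every fixed-size record in a utmp/wtmp image; a trailing partial record is an error."""
    if len(blob) % UTMP_SIZE:
        raise ValueError(f"length {len(blob)} is not a multiple of {UTMP_SIZE}")
    records = []
    for off in range(0, len(blob), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
                        "host": _cstr(f[5]), "time": datetime.fromtimestamp(f[9], timezone.utc)})
    return records

def sessions(records):
    """Pair each USER_PROCESS login with the DEAD_PROCESS record on the same line, as `last` does.
    Returns (user, line, host, login_time, logout_time_or_None) tuples."""
    open_lines, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_lines[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_lines:
            login = open_lines.pop(r["line"])
            out.append((login["user"], login["line"], login["host"], login["time"], r["time"]))
    out.extend((l["user"], l["line"], l["host"], l["time"], None) for l in open_lines.values())
    return out

def make_record(ut_type, pid, line, user, host, ts):
    """Encode one record; used here only to build the constructed sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed wtmp image mirroring the `last` output above (UTC epochs; the box is at +0700).
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "2.6.18-164.el5PA", 1265446920),          # Sat Feb 6 16:02
    make_record(USER_PROCESS, 6097, "pts/1", "ambient", "192.168.200.15", 1266135360),  # Sun Feb 14 15:16
    make_record(USER_PROCESS, 6218, "pts/2", "ambient", "192.168.200.15", 1266137760),  # Sun Feb 14 15:56
    make_record(DEAD_PROCESS, 6097, "pts/1", "", "", 1266138000),                       # pts/1 logout 16:00
])
```

Running `sessions(parse_utmp(SAMPLE_WTMP))` yields one closed pts/1 session and one still-open pts/2 session, matching the `last` listing.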





Scheduled Tasks on Linux

9 02 2010

To schedule a task on Linux, crontab is what we need to know. On CentOS, /etc/crontab is the system cron configuration file; the pattern is the same on any Linux distro.
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly

If a job does not run as expected, check variables such as SHELL and PATH first. Each entry follows this pattern (in /etc/crontab a user field precedes the command, as above):
minute(0-59) hour(0-23) day(1-31) month(1-12) dayofweek(0-7, yes, 0=7=Sunday) command
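As an added example that is not part of the post, the following Python code turns the pattern above into a checker: it expands each field (including lists, ranges and */n steps), accepts 0 or 7 for Sunday, and answers whether an /etc/crontab entry fires at a given minute. The third sample entry and its script path are constructed.

```python
from datetime import datetime

# Field order and ranges from the pattern above; dayofweek takes 0-7, with 0 and 7 both Sunday.
FIELDS = (("minute", 0, 59), ("hour", 0, 23), ("day", 1, 31), ("month", 1, 12), ("dayofweek", 0, 7))

def expand_field(spec, lo, hi):
    """Expand one field ('*', '5', '1-5', '*/15', '1,15', '1-5/2') to the set of values it matches."""
    values = set()
    for part in spec.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-", 1))
        else:
            start = end = int(rng)
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"bad value {part!r} for range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values

def parse_entry(line, system_crontab=True):
    """Parse one entry; /etc/crontab lines carry a user field between the schedule and the command."""
    parts = line.split(None, 6 if system_crontab else 5)
    if len(parts) != (7 if system_crontab else 6):
        raise ValueError(f"malformed entry: {line!r}")
    sched = {name: expand_field(spec, lo, hi) for spec, (name, lo, hi) in zip(parts, FIELDS)}
    if 7 in sched["dayofweek"]:
        sched["dayofweek"].add(0)       # Sunday either way
    return {"schedule": sched, "wildcard": {f[0] for f, spec in zip(FIELDS, parts) if spec == "*"},
            "user": parts[5] if system_crontab else None, "command": parts[-1]}

def fires_at(entry, when):
    """True if the entry runs in the minute `when`. As in cron, when both day and dayofweek
    are restricted (neither is '*'), the job runs when either one matches."""
    s, wild = entry["schedule"], entry["wildcard"]
    dow_ok = (when.weekday() + 1) % 7 in s["dayofweek"]   # Python Monday=0 -> cron Sunday=0
    day_ok = when.day in s["day"]
    date_ok = (day_ok or dow_ok) if {"day", "dayofweek"}.isdisjoint(wild) else (day_ok and dow_ok)
    return when.minute in s["minute"] and when.hour in s["hour"] and when.month in s["month"] and date_ok

# Two entries from the /etc/crontab above plus a constructed one with both day fields restricted.
SAMPLE_ENTRIES = [
    "22 4 * * 0 root run-parts /etc/cron.weekly",
    "42 4 1 * * root run-parts /etc/cron.monthly",
    "30 2 15 * 1 root /usr/local/sbin/audit-cron.sh",
]
```

For instance, `fires_at(parse_entry(SAMPLE_ENTRIES[0]), datetime(2010, 2, 14, 4, 22))` is True because 14 February 2010 was a Sunday.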

Schedule a task

Make sure cron is running by
/sbin/service crond status
> crond (pid 6472) is running...

If not, turn the service on by
/etc/init.d/crond start
To add a task
crontab -e
Then add a task following the pattern mentioned above.
The crontab editor defaults to vi.
To view our scheduled tasks
crontab -l
Restart the service after scheduling the task.
/etc/init.d/crond restart
More details on setting a task with crontab can be read here.





inetd on Debian

9 02 2010

Unix and Linux have two basic kinds of network service.

1. Network services enabled by init
These services are started at boot time and wait continuously for network traffic.
2. Network services enabled by inetd or xinetd
Services of this kind are started on demand when traffic for a service described in /etc/inetd.conf arrives.

inetd.conf format

To illustrate, consider this inetd.conf example:
discard     dgram   udp     wait    root    internal
daytime     stream  tcp     nowait  root    internal
#time       dgram   udp     wait    root    internal
#:STANDARD: These are standard services.
telnet      stream  tcp     nowait  root /usr/sbin/tcpd
ftp         stream  tcp     nowait  root /usr/sbin/tcpd

Each service entry must follow this pattern:
service_name sock_type proto flags user server_path args

service name : the mapping of service name to port can be seen in /etc/services
socket type : stream and dgram are the common types, used by TCP and UDP respectively
protocol : usually tcp or udp
flags : with nowait, inetd forks a new server process for each incoming connection; with wait, a single server process handles the socket
user : the user the server runs as
path : path to the network service program
arg : arguments passed to the program
After configuring, restart inetd so the changes take effect.
/etc/init.d/openbsd-inetd restart
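An added example, not from the post or from Debian's own tools: a Python parser for the inetd.conf format described above that keeps commented-out entries as disabled, skips the #:STANDARD: section markers, and reports which services inetd will answer and whether each is run through tcpd. The sample file is constructed from the example above; the in.telnetd and in.ftpd arguments are assumed.

```python
from dataclasses import dataclass, field

@dataclass
class InetdService:
    name: str
    sock_type: str
    proto: str
    wait: bool          # True for "wait": one server process handles the socket
    user: str
    server_path: str    # "internal" for services inetd implements itself
    args: list = field(default_factory=list)
    enabled: bool = True

    @property
    def wrapped(self):
        """Started through the tcpd wrapper (the real server is then args[0])."""
        return self.server_path.endswith("/tcpd")

def parse_inetd_conf(text):
    """Parse inetd.conf entries; '#'-prefixed entries are kept but marked disabled,
    '#:NAME:' section markers and ordinary comment text are skipped."""
    services = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#:"):
            continue
        enabled = not line.startswith("#")
        f = line.lstrip("# ").split()
        valid = len(f) >= 6 and f[1] in ("stream", "dgram") and f[3].split(".")[0] in ("wait", "nowait")
        if not valid:
            if enabled:
                raise ValueError(f"line {lineno}: not a valid inetd entry: {raw!r}")
            continue            # a disabled line that is just comment text
        services.append(InetdService(f[0], f[1], f[2], f[3].startswith("wait"), f[4], f[5], f[6:], enabled))
    return services

def enabled_services(services):
    """What inetd will actually answer for: the list an auditor compares against netstat -tl / -ul."""
    return [s for s in services if s.enabled]

# Constructed sample based on the example above; the tcpd lines carry the assumed server to run.
SAMPLE_INETD_CONF = """\
discard     dgram   udp     wait    root    internal
daytime     stream  tcp     nowait  root    internal
#time       dgram   udp     wait    root    internal
#:STANDARD: These are standard services.
telnet      stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp         stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
"""
```

`enabled_services(parse_inetd_conf(SAMPLE_INETD_CONF))` returns discard, daytime, telnet and ftp; time stays in the parsed list but is marked disabled.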
You can view the listening ports by
netstat -tl
netstat -ul

The difference between these two commands is for you to discover.





Compression in Linux

30 01 2010

To compress files in Linux, the gzip and zip commands are commonly used. The differences between these two commands are:

  1. gzip removes the original source file while zip retains the source file after compressing.
  2. gzip compresses each file individually, but zip compacts the files into one archive file.

To illustrate,

[ambient@localhost box]$ ls -l
total 24
-rwxr-xr-x 1 ambient ambient 11816 Dec 31 07:39 htpasswd
-rw-r--r-- 1 ambient ambient    60 Dec 31 07:39 udb1
[ambient@localhost box]$ gzip *
[ambient@localhost box]$ ls -l
total 20
-rwxr-xr-x 1 ambient ambient 5667 Dec 31 07:39 htpasswd.gz
-rw-r--r-- 1 ambient ambient   80 Dec 31 07:39 udb1.gz
[ambient@localhost box]$ gunzip *.gz
[ambient@localhost box]$ ls -l
total 24
-rwxr-xr-x 1 ambient ambient 11816 Dec 31 07:39 htpasswd
-rw-r--r-- 1 ambient ambient    60 Dec 31 07:39 udb1
[ambient@localhost box]$ zip pack.zip *
adding: htpasswd (deflated 52%)
adding: udb1 (deflated 5%)
[ambient@localhost box]$ ls -l
total 36
-rwxr-xr-x 1 ambient ambient 11816 Dec 31 07:39 htpasswd
-rw-r--r-- 1 ambient ambient  5963 Dec 31 08:15 pack.zip
-rw-r--r-- 1 ambient ambient    60 Dec 31 07:39 udb1
[ambient@localhost box]$ unzip pack.zip
Archive:  pack.zip
replace htpasswd? [y]es, [n]o, [A]ll, [N]one, [r]ename: n
replace udb1? [y]es, [n]o, [A]ll, [N]one, [r]ename: n
[ambient@localhost box]$ ls -l
total 36
-rwxr-xr-x 1 ambient ambient 11816 Dec 31 07:39 htpasswd
-rw-r--r-- 1 ambient ambient  5963 Dec 31 08:15 pack.zip
-rw-r--r-- 1 ambient ambient    60 Dec 31 07:39 udb1

In brief,

> gzip srcfile //deflate
> gunzip srcfile.gz //inflate
#############
> zip file.zip srcfile //deflate
> unzip file.zip //inflate

tar

The tar command was originally used to create archive files on tapes, hence its name, “Tape ARchive”.

To bundle files into an archive
> tar -cvf pack.tar *

To list
> tar -tvf pack.tar

And to extract the archive
> tar -xvf pack.tar

Making a tar archive and then compressing it is the conventional way to distribute source or binary files in Linux.