Archive

Archive for the ‘Technology’ category

Lilo’s sequence

September 26, 2005 No comments

The engineer and sales staff in Shanghai said our platforms, including the PR1510 and PR1325, had very bad performance. The PR1325 uses Intel’s chassis named SR1425 with the SE7320VP2. The customer wanted to test these machines with SuSE server 9.0. From the report created by the Shanghai sales staff, I think perhaps it is caused by Hitachi’s hard disk. I’ve suggested that the customer configure the swap partition to twice the total memory capacity. This issue is still open and I’ll resolve it in the future.

In the afternoon, a customer asked me to modify the boot sequence controlled by LILO. I modified the /etc/lilo.conf file and fixed this problem successfully.

Category: Technology Tags:

Summary of last two days

September 18, 2005 No comments

Chris and Jin left Powerleader on the 15th of September. They are both very good men from whom I’ve learned many things, especially carefulness and responsibility. I think I would work with them for more years, but it isn’t in the same way.

Summary of last two days:
-------------------------------------------
1. Mr Ji, from Xiamen City, said the PR2510 used a lot of CPU resources on Red Hat Advanced Server 3.0 with Update 4 even when there was no process running. He also told me the average CPU time was very high when he tried to copy some big files to the local hard disk. I’ve read his report, which seems to show a heavy load created by the iostat command he issued.
On Saturday morning I installed RHAS 3.0 U4 on an SE7520BD2 platform and then issued the top and “# iostat -k 1 9” commands. The result I got was normal; it showed that the CPU works very well in our products.
I’ve written to Mr Ji and called the sales representative named Xu Huauying.

Level: Crit

2. Xie Wenyu, sales in Chengdu, wanted to know whether the 8931GT Ethernet device could take the place of the 8931MT, which is no longer produced, in the PR6310 (SE7320SP2). I’ve told Du Xuewen how to test this device, and he did well as a freshman. Xie said the customer wanted to install WinXP on the PR6310, but the result was a blue screen during the WinXP installation. Finally, we used Windows 2000 Server.

Level: Info

3. Zhang Zhihao, a customer from Shanghai, asked some questions about RAID. I told him the SE7520 could not rebuild RAID data automatically. For example, in RAID 1 mode, if one hard disk halts while the system is running, there is no effect. But after a reboot, it checks the hard disks’ status and reports that one hard disk has halted and the RAID is offline. We have to swap in another hard disk whose capacity must be bigger than the original; if it is smaller, the Rebuild function is unavailable. Then we enter the RAID configuration interface to rebuild the RAID in order to keep our data safe.
I’ve promised to send him some documents about RAID in a few days.

Level: Info

3. Reflashing the logo of the 7501CW2, Nanjing Fenghuo.
The picture format must be 640x480x4bpp and smaller than 320KB. In a pure DOS environment, issue the following command: a: 3.bat Xeon480.bmp

Level: Closed

4. Liu Quan, sales in Shanghai. The SE7520BD2 only supports RAID 0 and RAID 1. If we want to create RAID 10, one of the following RAID cards should be chosen:
Adaptec 2200s, Intel SRCU42L, SRCU42E, SRCU42X,
Mega Raid LSI 320-0, 320-1, 320-2.

5. Yang, inside sales in Shenzhen. The capacity of the NVRAM in the SE7520BD2 is 8MB. This mainboard does not support Chipkill memory technology. The SE7501 chipset supports a 533MHz/400MHz FSB and the SE7520 chipset supports an 800MHz FSB.
PC2100 = DDR266, PC 2700 = DDR333
LVD = interface of SCSI

Next:
------------------------------------------
1. SATA – SATA2 conversion TEST (about TWO weeks).
Shu Ling will tell us which type of hard disk will be used and tested.
PT6250, PR2310, and then add a 3ware RAID card to one of the former two products, so we are going to prepare for three tests.
Level: Notice

2. JR2-DDR2 platform TEST (release on 11th October).
Using the Intel 2400 platform.
Level: Crit

3. Top 10 of R&D Lab (every Friday)

Category: Technology Tags:

PowerScan test

September 7, 2005 No comments

PowerScan is based on the PR2700 with box-sol’s software named “SpamTrap”. We used three servers: one as the mail server, one as the pressure server, and the other as PowerScan. When the power was on, the PR2700 could not start up, not even showing Intel’s logo picture. The light on the front of the server glowed red. I had to open the chassis in order to check the hardware. I tried taking out the components in order and installing them again. I was lucky. This server, the PR2700, which is an original product from Intel, ran well and the Linux kernel started up without error.

The pressure server runs Red Hat Enterprise Linux 4.0, whose kernel is 2.6.9. The box-sol engineer told me to generate the load by issuing the “postal” command. I tried to install postal on Red Hat Advanced Server 3.0 Update 4, but it failed while compiling the program. Finally, on RHEL 4.0, and only on this operating system, postal could be installed successfully. But the result we got surprised us: it was only 50% of the figure tested in Taiwan, and just 30% of the result in Shanghai. It confused me very much.

The next morning, I went to the ISC lab and did the pressure test again. I found that the target machine, the PR2700, could not be pinged. I suspected it was caused by the network environment. Then I checked the network and found it was OK. So I connected a monitor to the PR2700. How surprised I was! The server had halted because the kernel had panicked. The warning messages said that a module named afsata2 could not be inserted.

Although I checked the hardware again and again, this always happened. It is annoying. At one point I tried removing one SCSI hard disk from the chassis, and then the RAID card sounded a very harsh alarm. An Intel engineer told me to muffle the noise by covering the buzzer with paper, which is very useful. I fixed this warning in the following steps: press “Ctrl + G” to enter the RAID configuration interface; in the hard disk list, I found one disk was offline; I then selected this disk and set it to online. After I did this, the status of the RAID card automatically became online instead of offline. However, the kernel panic still existed. I could not resolve this because I had no account and password to access the Linux system written by box-sol in order to check its log files. So I had to stop this test and send the machine to Shanghai, where the server will be installed again by a box-sol engineer. It is estimated that the break will take six days.

This morning, I called the Intel 800 service about a problem. Hmm, a 32-bit/66MHz SATA RAID card can be installed in slots that are 32-bit/33MHz, but the card will work at a 33MHz frequency. This is compatible with the PCI standard.

Category: Technology Tags:

GCC

August 30, 2005 No comments

GCC is the compiler released with Slackware Linux. If we pass no parameters to the gcc command, an executable file named “a.out” is created. For example, issue the following commands:

# gcc test.c
# ls

We can see that “a.out” has been created. Of course, we can specify the output file’s name by adding the parameter “-o”, for example:

# gcc -o test test.c

The output executable is created with the name “test” instead of “a.out”. To optimize the program, use the parameter “-O” or “-O2”. By default, GCC compiles the code as quickly as possible and keeps compilation simple. That seems helpful; however, a program compiled this way is not optimized. So we add the parameter “-O” or “-O2”.
-O : general optimization.
-O2 : generates code that runs faster and is smaller.

Programmers usually debug code during development. The following optional parameters may be useful:
-g : gcc creates debug information recognized by the GNU tools in order to optimize.
-pg : GCC adds extra code to the base code.

When the program runs, a file named “gmon.out” is created, which is used to analyze the state and rate of the code as it runs; from it we can learn the running time of each part. Note: if the code contains only a main function, gprof cannot read gmon.out (error message: gprof: gmon.out file is missing call-graph data). gprof is useful when there are other functions in the code.

# gcc -pg -o test test.c
# ./test
# gprof ./test gmon.out

gdb: the GNU Debugger. gdb has the following commands:
file : load the executable that is going to be debugged.
kill : terminate the program being debugged.
list : list the code, but it seems RH9.0 does not support this option.
run : run the code.
make : rebuild the executable without quitting gdb.
shell : issue shell commands without quitting gdb.

Two useful commands:

# ps -auex
# tar -xjvf xxx.tbz
Category: Technology Tags:

Network protocol and X-Windows

August 26, 2005 No comments

The IP protocol group contains the following four items: IP (Internet Protocol), TCP, UDP and ICMP. I’ll explain these terms here.

IP: abbreviation of Internet Protocol, defined in RFC 791. It is a connectionless protocol, which means each data packet is delivered to the network and routed to the target host. IP cannot guarantee that all packets reach the target, or that they arrive in the original order.

TCP: abbreviation of Transmission Control Protocol, defined in RFC 793. TCP enables two hosts to establish a connection and exchange streams of data. It can guarantee both the integrity and the sequence of packets. IP uses IP addresses to route packets to the target, whereas TCP uses ports to route packets to the specific processes of the target operating system.

UDP: abbreviation of User Datagram Protocol, defined in RFC 768, which, unlike TCP, is a connectionless protocol. Like IP, UDP cannot guarantee the integrity and sequence of packets; however, UDP uses ports to route packets to the specific processes running on the target host.

ICMP: abbreviation of Internet Control Message Protocol, defined in RFC 792. ICMP helps the other three protocols with what they cannot resolve themselves. For example, we can use ICMP to check whether a specified system is running by pinging it.

Issue the following telnet command to connect to any running service on the target system:

# telnet <host> <portnumber> 

Yesterday afternoon was my first time connecting to a remote host with the telnet command. While I was still happy, I found that no Linux commands could be executed in the console. However, some classic DOS commands like dir or cd could be used to show the directory or go up a level. I tried many Linux commands, but all failed. It confused me a lot because I could not find a way to operate the remote machine.
Finally, I had to ask the customer for the reason. He said that what I had logged in to by telnet earlier was a firewall device. He also told me to connect to the real host by telnet after logging in to the firewall system. I did what he said and logged in to the remote target system by telnet successfully; of course, all Linux commands worked well.

I found the speed was slower than operating on the local host, and when I used vi to edit /etc/fstab, I could not insert or delete letters. Another engineer sitting by me tried this again, but he could not even save his work on /etc/fstab. It’s strange.

X-windows system
X-windows is the GUI environment of UNIX, and its port numbers run from 6000 to 6063. The “xhost” tool is used to protect the security of the X-window system. It is the server access control program for X: “xhost + system-name” adds one host to the list allowed to connect, while a bare “xhost +” turns access control off so that any host can connect.

# xhost + system-name
# xhost +
# whatis xhost

Show who is logged on and what they are doing:

# whatis w

TCP/IP interface configuration and router utility:

# whatis ip
Category: Technology Tags:

Turbo Linux 8.0

August 24, 2005 No comments

There was some trouble installing the Marvell Ethernet device on Turbo Linux 8.0 with Service Pack 2 applied. The hardware platform is the PR2510 using the SE7520BD2 server board. This board has two Ethernet devices, Intel Pro 1000 and Marvell. We installed and configured the Intel Pro 1000 quickly and it works well, but when we repeated the same procedure to install the Marvell, something happened. During the installation of the Marvell, it showed that the drivers compiled OK and there was no error message. However, the Marvell Ethernet device did not work when we used the “ping” command to check it. In “/var/log/messages” and when issuing “dmesg | grep eth0”, the following information was displayed: “No IPv6 routers present.”

I searched the Internet and found that SuSE and Fedora Core 2 also have the same problem. What a disappointing result; I have not resolved this problem. After all our attempts failed, we had to install another Ethernet device on this server board. What we chose is an Ethernet device with the “e100” chipset. It was in good working order. Turbo Linux and Red Hat Linux differ here. On Red Hat Linux, new hardware is checked during startup, which is controlled by “kudzu”, and then the hardware can be used after every reboot. On Turbo Linux, when the init process has completed and we issue the following command:

# lsmod

neither the sk98lin module nor the e1000 module is found in the module list (“/proc/modules”), and so if we execute the “ifconfig” command, only the “lo” configuration is displayed. To fix this problem, I used the following method. First, I inserted the modules again by issuing “insmod sk98lin” and then “insmod e1000”. Second, I used “# lsmod” to confirm that these modules had been inserted into the running kernel. Finally, I executed the following command to make these Ethernet devices active:

# ./etc/sysconfig/network restart

We could see that both Ethernet devices were active and working well. In summary, the order in which the modules are inserted matches the order of the ifcfg-ethX files. If the Marvell module (sk98lin) is inserted first, it takes the configuration of ifcfg-eth0, which is the first file; when the Intel PRO1000 module (e1000) is inserted next, it is, for the same reason, configured by ifcfg-eth1.

Note: Red Hat uses “netconfig” to configure Ethernet devices. In Turbo Linux, “netcfg” is used instead.

Category: Technology Tags:

Social Attacking

August 18, 2005 No comments

As administrators, we must pay attention to the security of the system. Some people often ask for information that they may not actually need. We should verify their privileges and the reason they give. Hackers want others to accept their suggestions; however, when the same thing happens to the hackers themselves, they will never do it. Hmm, it seems there will be other, better ways of completing the mission.

Check strangers’ IDs and verify that their telephone numbers are real, or contact their managers to verify the information they supplied. This is useful. We should learn to say no. Trust our feelings, which are always right for our decisions. Training the users is also useful for reducing the incidents in which whole systems are hacked and can no longer work.

Hackers will collect this information: employee details, the telephone system structure, the organizational structure and employees’ homepages. They even search the Internet, for example with Google, for keywords about the people they are interested in. The more information hackers know, the more easily they can control the target system. The following website may be useful: www.hacklinux.com.

wget is used to download from the Internet.

# wget

diff finds differences between two files.

# diff

Many hackers write special code into ordinary source code so that they can use these “backdoors” to access the target servers. So we should check the integrity of the source code we download from the Internet against the original code. The following commands can be issued for checking:

# md5sum
# sum

What is sum? It computes a checksum and counts the blocks in a file. The sum command has two algorithms:

- BSD algorithm

# sum -r

- System V algorithm

# sum -s

We can also check the signatures of rpm packages:

# rpm --checksig program.rpm

GNU Privacy Guard (gpg) is an encryption and signing tool. Linux is not easily destroyed by viruses, but worms can have a great effect on a Linux system. The Morris worm (born in 1998) and the Ramen worm (born in 2001) are the only two worms for UNIX systems.

Some people like to install two different systems on one machine, for example the Windows operating system and Linux. However, this is not safe. If hackers have compromised one system, for example Windows, they can delete the partition of the Linux file system, and Linux is destroyed. It is strongly recommended not to install two operating systems on the same machine.

How do we prevent hackers from using a floppy or CD-ROM to access your system? First, in the BIOS settings, change the boot sequence so that the hard disk is in the first position, then disable the floppy and CD-ROM options, and set a BIOS password for the superuser. However, hackers could open the chassis and reflash the BIOS so that the floppy and CD-ROM can be used again. For this reason, choosing a secure room to hold the server machines is all the more necessary.

Category: Technology Tags:

DNS traceroute and Scan ports

August 10, 2005 No comments

First Part: DNS traceroute

On the Internet, hackers always want to find more information about the target machine, such as its IP address and domain name. So DNS becomes the first target hackers want to attack.

The best DNS server in the Linux world is BIND, which is developed and maintained by the Internet Software Consortium, which also does the same for the DHCP and INN projects. BIND 4.0 is the most stable, BIND 8.0 was released later, and BIND 9.0 is the latest release. Note: keeping BIND at the latest release is beneficial for security.

There are three common tools for working with DNS information: nslookup, dig and host.

# nslookup

nslookup queries Internet name servers interactively. Note: nslookup is deprecated and may be removed from future releases. Consider using the “dig” or “host” programs instead. We can get the DNS server IP from /etc/resolv.conf, for example:

# cat /etc/resolv.conf
 nameserver 202.96.143.133

DNS lookup utility. DNS records contain the following items:
SOA: includes the administrator’s email and update information
A: IP of local host
CNAME: alias name of local host
PTR: mapping from IP to host
HINFO: the structure and operating system of host
TXT: additional description
RP: the master’s email address

# host -t txt www.example.com
# host -t '*' www.example.com

Reverse resolving by issuing the following command:

# host 202.112.20.133
sea.whnet.edu.cn
 

DNS should be highly secure, but it is weak at present. Hackers invade the DNS server and answer the user’s request with a spoofed response before the real IP resolution result is sent by DNS; the hackers can then control the user’s system. To make DNS stronger, DNSSEC was developed.

The location of a host is useful: if hackers want to launch a DoS attack from compromised hosts, it seems more effective to do so from compromised machines that are near the target host. traceroute is used to detect the hosts passed between the local host and the target host.

# traceroute

Second Part: Scan ports

# nmap

nmap is used to detect which ports of a remote host are open. Issuing the following command reveals the operating system of the remote host:

# nmap -O remote-host
# nmap -P0 remote-host    (-P0 is the number zero: forcing scan mode)

How to prevent an nmap scan? /etc/issue records information including the operating system and kernel release. We can change this information or comment out those lines so that the hacker does not learn more about our system. In some cases, /etc/issue is modified by other processes or by the operating system after a reboot; we can issue the following command to protect it:

# chattr +i /etc/issue

As with /etc/issue, the file located at “/etc/mail/sendmail.cf” should be checked, too.

Category: Technology Tags:

Ping attacking

August 10, 2005 No comments

Polite reply words: Any help gladly appreciated, thanks.

Ping attacking contains two methods: ICMP ping and echo-service (response) ping.

1. ICMP: ICMP ping sends an ICMP ECHO REQUEST to the destination host; if the destination is running, it responds with an ICMP ECHO REPLY.

# ping -c 3 target

The parameter c means continuous and 3 is the number of pings.

2. The other ping method is connecting to the remote host’s echo port (port 7) with UDP or TCP packets. This port directly sends back the messages sent from the local host. For example:

# telnet target.example.com echo
 connect to target.example.com
 Escape character is '^]'
 pack my box with five dozen liquar juys.(send from local host)
 pack my box with five dozen liquar juys.(reply from remote host)

Nmap: network exploration tool and security scanner.

Proxy server:202.97.142.40
Port:3128

How to prevent ping attacking?
We can configure ipchains/iptables to refuse traffic that carries ECHO REQUEST and ECHO REPLY. In /etc/inetd.conf, commenting out the following two lines disables those ping attack requests:

# echo stream tcp nowait root internal
# echo dgram udp wait root internal

Then issue “kill -HUP” against the inetd process ID to restart the inetd process so that the configuration takes effect.
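A way to confirm that the echo entries really are disabled, as an added example that is not part of the original post: the script lists active inetd.conf entries for the port 7 echo service and, as a generalization, every service inetd answers itself (“internal”). The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an inetd.conf for
# built-in services that are still enabled. The sample file is constructed.

# enabled_services FILE NAME... : print "name/proto" for every active
# (uncommented) entry whose service name is one of NAME...
enabled_services() {
    conf=$1; shift
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) names[w[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }              # comment, blank or malformed
        ($1 in names) { print $1 "/" $3 }          # $1 = service, $3 = protocol
    ' "$conf"
}

# internal_services FILE : generalization, every active service handled by
# inetd itself (server program field is "internal"), e.g. echo or chargen.
internal_services() {
    awk '!/^[ \t]*#/ && NF >= 6 && $6 == "internal" { print $1 "/" $3 }' "$1"
}

# disable_services FILE NAME... : print FILE with the named entries commented out.
disable_services() {
    conf=$1; shift
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) names[w[i]] = 1 }
        !/^[ \t]*#/ && NF >= 6 && ($1 in names) { print "#" $0; next }
        { print }
    ' "$conf"
}

# Constructed sample: TCP echo active, UDP echo already commented out.
sample_inetd_conf() {
    cat <<'EOF'
# /etc/inetd.conf (constructed sample)
echo     stream  tcp  nowait  root  internal
#echo    dgram   udp  wait    root  internal
chargen  dgram   udp  wait    root  internal
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
EOF
}

demo_inetd() {
    tmp=$(mktemp) || return 1
    sample_inetd_conf > "$tmp"
    echo "echo entries still enabled: $(enabled_services "$tmp" echo)"
    disable_services "$tmp" echo > "$tmp.new"
    echo "after commenting out:       $(enabled_services "$tmp.new" echo)"
    rm -f "$tmp" "$tmp.new"
}
demo_inetd
```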

Category: Technology Tags:

Security of Linux’s Network – MD5

August 10, 2005 No comments

MD5, invented by the RSA Data Security company, is a message digest algorithm. SHA1 is a hash algorithm; it runs slower than MD5.

Compute and check the MD5 message digest:

# md5sum

By issuing the above command, we get a string created by the MD5 algorithm. If the file is modified and we run md5sum again later, a different string is produced. This is used to check a file’s integrity and ensure that the specified file has not been modified.
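The integrity check described here and in the earlier post on backdoored source code, as an added example that is not the author’s own script: it records a checksum manifest for a directory tree, then reports modified, missing and newly added files. The function names and the sample tree are constructed; it assumes GNU coreutils (md5sum, sha256sum, comm) and goes beyond the post by accepting sha256sum as the checksum tool.

```shell
#!/bin/sh
# Added example (not from the original posts): record checksums of a source
# tree, then report modified, missing and newly added files.
# All file names and contents are constructed for the demonstration.

# make_manifest DIR [TOOL] : print "<digest>  ./path" for each file in DIR.
# TOOL defaults to md5sum; sha256sum is a stronger drop-in replacement.
make_manifest() (
    cd "$1" || exit 2
    find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        "${2:-md5sum}" "$f"
    done
)

# changed_files DIR MANIFEST [TOOL] : print entries that fail verification
# (modified or missing). MANIFEST must be an absolute path outside DIR.
# Exit status is 0 only when every listed file still matches.
changed_files() (
    LC_ALL=C; export LC_ALL            # keep the "OK"/"FAILED" wording stable
    cd "$1" || exit 2
    rc=0
    out=$("${3:-md5sum}" -c "$2" 2>/dev/null) || rc=$?
    printf '%s\n' "$out" | grep -v -e ': OK$' -e '^$' || true
    exit "$rc"
)

# unlisted_files DIR MANIFEST : print files that exist in DIR but are not in
# the manifest. "md5sum -c" alone never reports such additions.
unlisted_files() (
    LC_ALL=C; export LC_ALL
    cd "$1" || exit 2
    now=$(mktemp) || exit 2
    find . -type f | sort > "$now"
    sed 's/^[0-9a-f]* [ *]//' "$2" | sort | comm -13 - "$now"
    rm -f "$now"
)

demo_integrity() {
    d=$(mktemp -d) || return 1
    mkdir "$d/src"
    printf 'int main(void) { return 0; }\n' > "$d/src/main.c"
    printf 'all:\n\tcc -o test main.c\n' > "$d/src/Makefile"
    make_manifest "$d/src" > "$d/MANIFEST.md5"          # taken from the trusted copy
    printf '/* injected line */\n' >> "$d/src/main.c"   # simulate a modified file
    printf 'void x(void) {}\n' > "$d/src/extra.c"       # simulate an added file
    echo "failed verification:"; changed_files "$d/src" "$d/MANIFEST.md5" || true
    echo "not in manifest:";     unlisted_files "$d/src" "$d/MANIFEST.md5"
    rm -rf "$d"
}
demo_integrity
```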

How do we tell that the system has been invaded? We can judge by the following signs:

1. The browser’s homepage has been modified.
2. Hard disk space is shrinking rapidly.
3. Detecting contact from other administrators.
4. The system’s logs have been erased.
5. A new account has been created.
6. There are unknown processes running.
7. The CPU always runs at a high rate that cannot be explained.
8. The remote account of localhost was detected by hackers.
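One way to check sign 5 from the list above, as an added example that is not part of the original post: compare the current account list with a saved copy of /etc/passwd and flag any extra account with UID 0. The function names and both passwd snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check for sign 5,
# "a new account has been created", against a saved copy of /etc/passwd.
# Both passwd snapshots below are constructed.

# new_accounts BASELINE CURRENT : print "name:uid" for each entry in CURRENT
# whose name/UID pair is not in BASELINE (a new account or a changed UID).
new_accounts() {
    awk -F: '
        FILENAME == ARGV[1] { seen[$1 ":" $3] = 1; next }
        NF >= 7 && !(($1 ":" $3) in seen) { print $1 ":" $3 }
    ' "$1" "$2"
}

# extra_root_accounts FILE : print accounts other than root that have UID 0.
extra_root_accounts() {
    awk -F: 'NF >= 7 && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Constructed snapshot taken while the system was known to be clean.
baseline_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
}

# Constructed snapshot with two added accounts, one of them with UID 0.
current_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
support:x:501:501::/home/support:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
}

demo_accounts() {
    base=$(mktemp) || return 1
    cur=$(mktemp) || return 1
    baseline_passwd > "$base"
    current_passwd > "$cur"
    echo "accounts not in baseline:"; new_accounts "$base" "$cur"
    echo "extra UID 0 accounts:";     extra_root_accounts "$cur"
    rm -f "$base" "$cur"
}
demo_accounts
```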

Then, when we find these issues in our system, we should take the following steps:

1. Shut down the network service and change to single-user mode by booting from a floppy.
2. Estimate the degree of damage.
3. Try to recover online.

Category: Technology Tags: