July 24, 2008
Here are ten very good and useful tips for Linux system administrators.
Learn about SSH and VPN tunnels, VNC, root SSH password recovery, how to literally go through
a firewall (when you really have to), console spying and a whole lot more.
Graphical examples accompany some of the tips so that you can duplicate them on
your own systems.
A good Linux systems administrator can finish in five minutes or less a task that would take another
person more than two to three hours to complete.
These ten good tips can save you a lot of time and make you a lot more
productive.
Tip No. 1: Using SSH but through the back door:
Ask any experienced Linux system admin and he or she will tell you there are many times they happen to
be at a customer's premises somewhere and they need remote support from someone who is blocked on the
outside by a company firewall.
Now stop here for a minute! Remember that if you can get out to the world through a good firewall, then
it should be relatively easy to 'make a hole' in that very same firewall so that the world can
come in for you... Makes sense?
The best way to phrase that would be to call it an "SSH back door" app. To use it, you'll need another
server or computer connected to the Internet that you can use as an intermediate point of connection.
In this example, we will call our server blackbox.example.com. The computer behind the company firewall
is called ginger. Finally, the PC or server that our technical support people are using will be called
tech. The graphic below explains how this works.
Here's how the whole thing works:
First, let's check that what we're trying to do is allowed in the first place. It goes without
saying: make sure you ask the right people in that company! We don't want any trouble here...
Most people who know anything about firewalls will OBJECT that you're
opening THEIR firewall, but what some probably don't know is that everything is fully encrypted. What's more,
someone would need to hack the outside computer (ginger) before getting into the company premises in the
first place.
Now you need to SSH from ginger to blackbox.example.com with the -R flag. For this exercise, we will
assume that you're the root user on ginger and that 'tech support' will need the root user ID to help
you with that system. With the -R flag, you forward connections made to port 2222 on blackbox to port 22
on ginger. This is actually how you set up an SSH tunnel! Note that only SSH traffic can come into ginger.
You're not putting ginger out on the 'unprotected' Internet in any way, rest assured.
You do this with the following syntax:
# ssh -R 2222:localhost:22 thedude@blackbox.example.com
Once you are into blackbox, you just need to stay logged in. Simply enter a command such as:
thedude@blackbox:~$ while [ 1 ]; do date; sleep 300; done
You will need to instruct the people at the 'tech' server to SSH as thedude into blackbox without
using any special SSH flags. You'll have to give them your password:
root@tech:~# ssh thedude@blackbox.example.com
Once tech is on the blackbox, they can SSH to ginger using the following command:
thedude@blackbox:~$ ssh -p 2222 root@localhost
The user at 'tech' will then be prompted for a password. All they need to enter is the root password of ginger.
Now you and support from tech can work together and solve whatever problem there was in the first place.
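Whether the -R forward above is accepted, and who can reach port 2222, is decided by the sshd settings on
blackbox; with the defaults the port listens on loopback only, which is why tech logs in to blackbox first.
The following is an added example, not part of the original article: the function names and the sample
configuration are constructed, and it reads only the global section of a single file (Include and Match are not evaluated).

```shell
#!/bin/sh
# Added example (not from the article): which sshd settings on the relay host
# ("blackbox") decide whether `ssh -R 2222:localhost:22` works and who can
# reach the forwarded port. Function names are illustrative.

# effective_value FILE KEYWORD DEFAULT
# Global value sshd would use: keywords are case-insensitive, the first
# occurrence wins, and lines after a "Match" are conditional, so stop there.
# Assumption: a single file; Include directives are not followed.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { want = tolower(key); val = def }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        { sub(/=/, " ") }                       # accept Keyword=value too
        tolower($1) == "match" { exit }
        tolower($1) == want { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# reverse_forward_verdict FILE
# Prints: blocked | loopback-only | client-chooses | all-interfaces
reverse_forward_verdict() {
    fwd=$(effective_value "$1" AllowTcpForwarding yes)   # sshd default: yes
    gw=$(effective_value "$1" GatewayPorts no)           # sshd default: no
    case "$fwd" in
        no|local) echo blocked; return ;;   # -R needs yes, all or remote
    esac
    case "$gw" in
        yes)             echo all-interfaces ;;  # 2222 open to the network
        clientspecified) echo client-chooses ;;  # client may request 0.0.0.0
        *)               echo loopback-only ;;   # only users on the relay
    esac
}

# Constructed sample: a relay that permits remote forwards on loopback only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config excerpt
Port 22
allowtcpforwarding remote
GatewayPorts no
Match User thedude
    GatewayPorts yes
EOF
echo "relay policy: $(reverse_forward_verdict "$sample")"
rm -f "$sample"
```

A result of loopback-only matches the article's walkthrough: the forwarded port is usable only from a shell on blackbox.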
Tip No. 2: Getting your screen back when it's all gibberish
Try this:
# cat /bin/cat
Woo-Hoo! Now your terminal looks like a LOT of useless gibberish! Anything that you type looks like
you're looking into an unknown galaxy. What do you do?
Type reset? Hummm, no. Typing reset would be like typing reboot or shutdown... Now you're starting to
get real nervous, especially if you are doing this on a production server!
But now you can rest fully assured knowing all is well and fine. And you can do all of this with the full
confidence that no server will be rebooted, not in this case anyway. So let's do it:
# reset
Is your screen back to normal now? There you go! This is much better than closing the window and then
logging in again, especially if you just went through five different servers to log in to this one!
Tip No. 3: Unmounting an unresponsive DVD drive on a Linux server
When a system admin pushes the eject button on the DVD drive of a server running Windows, it will usually eject
the DVD media immediately, but in most Linux servers, if a process is running in that directory, then the
ejection won't happen. Some would reboot the server and get the disk out if it's impossible to determine what
was running and why it wouldn't release the DVD drive. But this can be very ineffective in many cases.
A better method would be to determine the process that freezes a DVD drive and to stop it dead in its tracks.
But first, you need to simulate it. Place a DVD disk in the drive, open up a terminal, then mount the DVD drive
and keep a process running inside it with these commands:
# mount /media/cdrom
# cd /media/cdrom
# while [ 1 ]; do echo "All your drives are belong to us!"; sleep 30; done
Now open a second terminal window and try to eject the DVD drive:
# eject
You'll get a message like:
umount: /media/cdrom: device is busy
Before you free it, let's find out who is using it.
# fuser /media/cdrom
You can now see that the process was indeed running and that it is our fault if it's impossible
to have the DVD disk ejected from its drive. All that is left to do is to log in as 'root' and kill
the Linux processes that are still running:
# fuser -k /media/cdrom
Now we need to 'unmount' the drive:
# eject
By now everything should be A-OK if all the above steps were carried out exactly as recommended.
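The drive is busy in this tip because a process has its working directory inside the mount point. The
following is an added example, not part of the original article: it lists those processes by PID and name
from /proc and stops them with SIGTERM, where fuser -k sends SIGKILL by default. The function names and the
demo directory are constructed; it is Linux only and, unlike fuser, does not look at open files.

```shell
#!/bin/sh
# Added example (not from the article): list the processes whose working
# directory is inside a mount point, the condition the tip's simulation
# creates with `cd /media/cdrom`. Linux only (reads /proc); fuser also checks
# open files and mappings, which this sketch does not.

# cwd_holders DIR
# Prints "PID COMMAND" for each process with its cwd at or below DIR.
cwd_holders() {
    target=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    for p in /proc/[0-9]*; do
        # Unreadable entries (other users' processes, exited PIDs) are skipped.
        cwd=$(readlink "$p/cwd" 2>/dev/null) || continue
        case "$cwd" in
            "$target"|"$target"/*)
                printf '%s %s\n' "${p#/proc/}" "$(cat "$p/comm" 2>/dev/null)" ;;
        esac
    done
}

# stop_holders DIR
# Sends SIGTERM to each holder so it can clean up; the calling shell is
# never signalled. Run as root to see other users' processes.
stop_holders() {
    cwd_holders "$1" | while read -r pid comm; do
        [ "$pid" = "$$" ] && continue
        echo "TERM $pid ($comm)"
        kill -TERM "$pid" 2>/dev/null || true
    done
}

# Constructed demo: a background process parked inside a temporary directory.
demo=$(mktemp -d)
( cd "$demo" && exec sleep 60 ) &
sleep 1                        # give the child time to change directory
cwd_holders "$demo"            # shows the sleep process
stop_holders "$demo"
kill "$!" 2>/dev/null          # fallback if /proc was not readable
wait 2>/dev/null
rmdir "$demo"
```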
Tip No. 4: Two screens are better than one when you need to collaborate
Case in point: Martha, let's just call her a 'high-maintenance' girl from sales and marketing, calls
you on a Monday morning and says: "Paul, I need you to help me understand WHY I can't COMPILE "Supercode C" on
these new servers you just deployed Friday..." (@!*$!?%$# ... ANGER AND FRUSTRATION FROM HER IN THE BACKGROUND)
You answer "Ok. And which server do you happen to be on right now?"
Martha responds "HellGate3".
Ok, you answer. You exercise your admin talents and on the other server you become Paul:
# su - paul
Then you go over to HellGate3: (if the server's name gives you goose bumps, don't worry, some have seen worse)
# ssh HellGate3
Once you are there, you type:
# screen -S foo
Then you yell at Martha: "Hey there, please run the following command on your terminal":
# screen -x foo
This will simply cause your and Martha's sessions to be joined together in a single Linux shell. Either you
can type or she can type, but you will both see what the other is typing! This saves you from walking to the
other floor or building and lets you both have equal control, AND without having to repeat yourselves a million
times or more...
The benefit is that Martha can now watch your troubleshooting skills and see exactly how you solve Sys Admin
problems... (Does that make you nervous that you might lose your job? Just kidding!)
But at last you can now both see what the problem was: Martha's compile script hard-coded an old
Linux folder that simply does NOT exist on this new server... You just mount it, recompile and solve the
problem. Now Martha can go back to work, finally. Both she and her boss are now happy.
The one single caveat to this server admin tip is that you both need to be logged in as the same user.
Other neat little things you can do with that screen command include having multiple windows and split
screens. (Just read the man pages for more on that.)
One last tip while you're in this 'screen session'. To remove yourself from it and leave it open, simply
type: Ctrl-A D. (Just hold down the Ctrl key and strike the A key. Then press the D key.) You can then resume
by running the screen -x foo command again.
Source: The Web Hosting Forum.