Left to their own devices, users will gobble up as much disk space as they need to use. Linux allows you to enforce disk quotas for your users so that your disks have enough space for everyone. I’m going to be using Fedora Linux for this, but the process is almost exactly the same for all distributions.

First, you need to make sure you have the quota package installed. It’s probably installed by default, but if not you can install it with: -

yum install quota

Under Debian-based systems this would be: -

sudo apt-get install quota

Next you need to decide which partitions you want to enable quota support on. Most people will naturally want to use “/home” as this is where user directories are but the beauty of quotas is that you can apply them to any partition, not just home. This works especially well if you have very little space on your home partition and some users’ home directories are actually on a different partition with their user accounts symbolically linked to appear under “/home”. But since the process is the same, I’ll assume you’ve got your “/home” directory mounted on a separate disk called “/dev/sdb1”.

Open up “/etc/fstab” which holds all the partitions to be mounted upon boot and append the string “usrquota,grpquota” where indicated. Obviously change your device to be mounted to whichever suits your needs.


/dev/sdb1 /home ext4 defaults 1 2

…should become…


/dev/sdb1 /home ext4 defaults,usrquota,grpquota 1 2

You’ll now have to remount the file-system for this change to take effect. If your home directory is on the same partition as your root (“/”) directory, this will probably necessitate a reboot. If not, you can remount the partition using: -

mount -o remount /home

Now that the selected partition has support for user quotas and has been remounted, you need to create the quota database files. This can be done with: -

quotacheck -cug /home

If you now do “ls -la /home”, you should see two new files, “aquota.user” and “aquota.group”. These are the quota files for that partition for users and groups respectively and will be created at the root of the mounted partition directory (in this case, under “/home”).

Make sure quotas are turned on with: -

quotaon -av /home

This should give you output similar to this: -


group quota on /home (/dev/sdb1) is on
user quota on /home (/dev/sdb1) is on

Now that you’ve configured quota support for your partition, you need to add policies for users and groups. For this, I’m going to create a new user called “quotauser”.

useradd quotauser

…and set a password for the account.

passwd quotauser

Once the user is created, it’s time to impose a quota limit. So you’ll need to edit the quota policy for the user you’ve just created.

edquota -u quotauser

This will give you output similar to this.

Disk quotas for user quotauser (uid 502):
Filesystem	                blocks	soft	hard	inodes	soft	hard
/dev/sdb1	                32	0	0	8	0	0

This output deserves a little explanation. The “Filesystem” column is obvious: this is the file system on which quotas have been activated for users. The second column “blocks” is how many blocks the user is currently using in their home directory. The next two columns are used to set soft and hard block limits for the user on the file system.
The “inodes” column shows how many inodes the user is currently using based on the number of files and directories in the user’s home directory. The last two columns are used to set the soft and hard inode limits for the user on the file system.

We’ll only need to concern ourselves with the first two soft and hard columns as we’re going to base our quota limits on disk space size and not the number of inodes used, although you can if you want to. The hard limit is the absolute maximum amount of disk space that a user or group can use. Once this limit is reached, no further disk space can be used. The soft limit defines the maximum amount of disk space that can be used. However, unlike the hard limit the soft limit can be exceeded for a certain amount of time. That time is known as the grace period and can be expressed in seconds, minutes, hours, days, weeks, or months. If any of the values for any of the columns are set to 0, that limit is not set. We’ll get to setting the grace period for the soft limits in a moment but for now let’s set the limits for our new user.

For example purposes, we’ll set the quota to a warning limit of 500MB (500MB x 1024K = 512000) and a panic limit of 512MB (512MB x 1024K = 524288) on the “/home” file system.

Disk quotas for user quotauser (uid 502):
Filesystem	                blocks	soft	hard	inodes	soft	hard
/dev/sdb1	                32	512000	524288	8	0	0

Save this file using whichever default editor you’re using and verify the new limits with: -

quota quotauser

which should give the new output as something like: -

Disk quotas for user quotauser (uid 502):
Filesystem	                blocks	soft	hard	inodes	soft	hard    grace
/dev/sdb1	                32	512000	524288	8	0	0

Next, we’ll set the grace period for the soft limit.

edquota -t

The “-t” switch will act on all file systems with quotas enabled, unlike the other switches to the edquota command which only affect particular users or groups. If the idea of setting quota limits for each user doesn’t appeal to you, you can set quotas for groups that a large number of users are a member of and they will still be enforced.

edquota -g some_group

A few other useful commands…

To show your own user quota, use “quota”
To show a particular user’s quota, use “quota -u user”
To show all users’ quota usage, use “repquota -a”
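
The following added example (not part of the original article) reads default “repquota” output and lists the users who are over their block soft limit, which is the state in which the grace period is running. The sample report is constructed, using the 512000/524288 limits set above, and the function names are this example's own.

```sh
#!/bin/sh
# Added example: find users who have exceeded their block soft limit
# in default (1K-block) "repquota" output.

# Constructed sample in the layout printed by "repquota /home".
sample_repquota() {
    cat <<'EOF'
*** Report for user quotas on device /dev/sdb1
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --      20       0       0              2     0     0
quotauser +-  515000  512000  524288  6days       8     0     0
alice     +-  524288  512000  524288   none     120     0     0
bob       --  100000  512000  524288             40     0     0
EOF
}

# Reads repquota output on stdin and prints one line per user who is over
# the soft limit: user used soft hard percent-of-hard grace
quota_over_soft() {
    awk '
        # Data rows are the ones whose 2nd field is the two-character
        # status flag: block state, then inode state ("+" = over soft limit).
        $2 ~ /^[-+][-+]$/ {
            used = $3 + 0; soft = $4 + 0; hard = $5 + 0
            if (soft == 0 || used <= soft) next    # a limit of 0 means "not set"
            # The grace column is only filled in while over the soft limit.
            grace = (substr($2, 1, 1) == "+") ? $6 : "-"
            pct = (hard > 0) ? int(used * 100 / hard) "%" : "n/a"
            print $1, used, soft, hard, pct, grace
        }'
}

# On a live system this would be: repquota /home | quota_over_soft
sample_repquota | quota_over_soft
```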

I’ve already covered setting up FTP via vsFTPd in a previous article, but FTP is old and not terribly secure even these days. SSH is far better for accessing Linux machines in almost every scenario. From SSH tunneling to shell access to file transfer, it’s desirable to use for its security and flexibility. However, I found SSH problematic when trying to confine users to their home directories and didn’t want them viewing the rest of the system. SFTP (part of SSH) allows you to do this and with more recent versions of OpenSSH, it’s much easier to configure than it used to be.
So you want to allow SFTP access to your server but don’t want them to be able to wander around the system. Even with user privilege security that means they won’t be able to ruin the system, they’ll still be able to see the file-system. This is where you need what’s known as a chroot jail, which means that they cannot “get out” of their own home directory. I covered how to do this with regular FTP in the article above, but let’s modernise the situation and do it with SFTP instead.

At this point it’s worth pointing out that in order for this to work, you’ll need OpenSSH version 4.9p1 or higher. While chroot jails could be accomplished before this version, doing so involved the use of third-party tools that basically didn’t work terribly well. Assuming you’ve got that version or higher, let’s get started.

Also, don’t use regular users who require normal shell user access for this. Create user accounts specifically for using SFTP as the user won’t be able to add any files or directories from the shell even if they change users from another user using the su command. They certainly won’t be able to login normally via SSH as they won’t have shell access for this purpose.

I’ll be using Fedora Linux for this, but it’s virtually identical to other distributions aside from the location of the sshd_config file.

First, edit the sshd_config file with:-

vi /etc/ssh/sshd_config

Add the following, skipping any lines that might already be present but making sure that the “Match” line is near the bottom of the file. Comment out any existing Subsystem line and replace with the “internal-sftp” directive instead.


Subsystem sftp internal-sftp -f LOCAL5 -l VERBOSE
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Save this and return to the command line. Restart the sshd daemon for the changes to take effect with:-

service sshd restart

This basically tells OpenSSH that all users in the “sftp” group (which we will create in a moment) are to be chrooted to their home directory (which the %h represents in the ChrootDirectory command) and forces the use of the internal-sftp helper and disables TCP port forwarding. The Subsystem command is required to enable the use of the SFTP subsystem. This can either be a path to the sftp-server helper which is present in Fedora, or the internal-sftp, which we’ll use instead. The internal-sftp command apparently works better and doesn’t require a shell or extra libraries installed in the chroot location. I’ll not be covering chrooted command shells just yet because it’s damned difficult to make it usefully functional and I’ve not looked into it yet :-)

Next we’ll need to create the “sftp” group, to which we’ll add the users on our system that we want to confine to a jail. Do that with: -

groupadd sftp

Now, for any users you want to add to chroot, perform the following steps for each, which adds the user [USER] to our newly created “sftp” group for SFTP.


usermod -G sftp [USER]
usermod -s /sbin/nologin [USER]
chown root.root /home/[USER]

The usermod command adds [USER] to the “sftp” group and sets their shell to “/sbin/nologin” which means that they absolutely cannot ever get shell access – we’re only dealing with chrooting SFTP here, not SSH shell access. The chown command will set the home directory owner to root. While this seems odd as home directories are normally owned by their users, this is needed for the chroot jail to work.

If you want read access only, run the command:-

chmod -R o-w /home/[USER]

or the following for read/write access – which is normally the default if you’ve just created a new user for the purposes of SFTP and simply changed the owner of the /home/[USER] directory to root.

chmod -R o+w /home/[USER]

While you can do it this way, this has some obvious security flaws (everybody else = write access). A better alternative is to create two directories for uploads and downloads and set appropriate permissions with the following as root:-


cd /home/[USER]
mkdir uploads
chown [USER].[USER] uploads
chmod ug+rwx uploads
mkdir downloads
chown [USER].[USER] downloads
chmod ug+r downloads
chmod ug-w downloads

The user can then upload/download files to/from the “uploads” directory and only download files from the downloads directory. SFTP chroot jails simply cannot write files or directories to the root of the chroot jail even as that user. This is simply a functional limitation of chrooting the user to their home directory which is achieved by having the /home/[USER] directory owned by root.
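
sshd only accepts a ChrootDirectory if every component of the path is a root-owned directory that is not writable by group or others, which is why the home directory is handed to root above. This added example (not from the original article) audits a path against that rule; the function name and its two optional parameters, which exist so it can be tried without root, are this example's own.

```sh
#!/bin/sh
# Added example: audit a directory against the ownership rule sshd applies
# to ChrootDirectory. Every component from the jail up to "/" must be a
# real directory, owned by root, and not writable by group or others.

# check_chroot_path DIR [OWNER_UID] [STOP_AT]
# OWNER_UID (default 0) and STOP_AT (default /) are only there so the check
# can be exercised on a scratch tree; for a real audit leave them out.
# Returns 0 if every component passes, 1 otherwise. Findings go to stderr.
check_chroot_path() {
    ccp_dir=$1
    ccp_owner=${2:-0}
    ccp_stop=${3:-/}
    ccp_rc=0
    while :; do
        # "ls -ldn" reports the entry itself (symlinks are not followed)
        # with its mode string and numeric owner uid.
        ccp_info=$(ls -ldn -- "$ccp_dir" 2>/dev/null | awk '{print $1, $3}')
        ccp_mode=${ccp_info% *}
        ccp_uid=${ccp_info#* }
        case $ccp_mode in
            d*) ;;
            *)  echo "$ccp_dir: missing or not a directory" >&2; ccp_rc=1 ;;
        esac
        if [ "$ccp_uid" != "$ccp_owner" ]; then
            echo "$ccp_dir: owned by uid ${ccp_uid:-?}, expected $ccp_owner" >&2
            ccp_rc=1
        fi
        case $ccp_mode in       # 6th character of the mode string = group write
            ?????w*) echo "$ccp_dir: writable by group" >&2; ccp_rc=1 ;;
        esac
        case $ccp_mode in       # 9th character of the mode string = other write
            ????????w*) echo "$ccp_dir: writable by others" >&2; ccp_rc=1 ;;
        esac
        ccp_parent=$(dirname -- "$ccp_dir")
        # Stop at the requested top, or when there is no parent left.
        if [ "$ccp_dir" = "$ccp_stop" ] || [ "$ccp_parent" = "$ccp_dir" ]; then
            break
        fi
        ccp_dir=$ccp_parent
    done
    return $ccp_rc
}

# Demo on a constructed scratch tree owned by the current user.
# A real audit would simply be: check_chroot_path /home/[USER]
demo_root=$(mktemp -d)
mkdir -p "$demo_root/home/sftpuser"
chmod 755 "$demo_root" "$demo_root/home" "$demo_root/home/sftpuser"
if check_chroot_path "$demo_root/home/sftpuser" "$(id -u)" "$demo_root"; then
    echo "mode 755 jail: acceptable"
fi
chmod o+w "$demo_root/home/sftpuser"    # jail root made writable by others
if ! check_chroot_path "$demo_root/home/sftpuser" "$(id -u)" "$demo_root"; then
    echo "o+w jail: would be refused"
fi
rm -rf "$demo_root"
```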

One last thing to note is that I sometimes use symlinks and user permissions to give access to other parts of the system outside the chroot jail. This absolutely won’t work in this situation. Instead, you can simply double-mount the directory the symlink points to.

For example, say I had the symlink with appropriate permissions under the user’s home directory called “linky” which points to “/some/path”. Instead delete the symlink with the following, remembering to do all this as root of course, as the mount command requires it.


rm /home/[USER]/linky
mkdir /home/[USER]/linky
chmod ug+rwx /home/[USER]/linky
mount --bind /some/path /home/[USER]/linky

Use the -t switch also if the file-system is not your native Linux file-system type. Done!

Like I imagine some of you do, I have a subscription to the Linux Journal. One perk of membership is that you get PDF digital back issues available to you. However, there is no real way to download all of them at once without paying for the collection on DVD. While you can download digital issues on PDF individually, this is a time-consuming and annoying process as there are quite a lot of back issues and you have to click on each download link separately.
With a bit of bash code trickery and the curl utility, you can download the whole lot automatically.

Disclaimer: I did not create this solution, I merely tidied up the solution based on a thread discussion and made it easier for beginners. The original blog that posted this solution is here.

This solution uses bash and the curl utility, so make sure you have curl installed via your favourite repository manager. It’s usually installed anyway, but if not you can use: -

yum install curl

…for Fedora/Red-Hat based systems and

sudo apt-get install curl

…for Debian/Ubuntu distributions.

Once that’s done, log in to the Linux Journal website as linked above using your username/email address and password. Once you’re in, scroll all the way down to the bottom of the page and look to the left column where it says “Digital Edition” title and click on “Digital Downloads”. Log in again using your username/email address and your ZIP/post code. You then need to log in again using your Linux Journal subscription account number which was provided to you when you signed up either through post (in the pre-digital only era) or the account number beginning with “L” in your welcome email when you signed up.

You will now have a page with all the links to all the back issues available to you. Either save this page in your browser and rename it to “dljdownload.html” or right-click and “view source” for the HTML of this page, select all the HTML and save this in a file called “dljdownload.html”. Save this file in a directory somewhere under your home directory, preferably in its own directory as all back issue PDF files will be downloaded to this location. I’m going to use “Linux-Journal”.


mkdir ~/Linux-Journal
cd ~/Linux-Journal

Remember that you’ll want that “dljdownload.html” file in the same directory as the one you just created. So an “ls” on “~/Linux-Journal” should just list the HTML file.

Next, create a bash script in that same directory. I’m going to call mine “get-backissues.sh”.

vi get-backissues.sh

Add the following code: -


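#!/bin/bash
# Each download button in the saved page links to an intermediate page for one issue.
for pdfcode in $(grep download-pdf.jpg dljdownload.html | cut -d\" -f2); do
    # Fetch that page and pull out the real PDF path, undoing the HTML "&amp;" escaping.
    pdfaddress=$(curl "$pdfcode" | grep action=spit2 | cut -d\" -f2 | sed 's/amp;//g')
    # Download the PDF, keeping the server's file name and timestamp.
    curl --remote-time --remote-header-name --remote-name "http://download.linuxjournal.com$pdfaddress"
done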

Save this file and make it executable with:-

chmod u+x get-backissues.sh

Run it with:-

./get-backissues.sh

Once it’s finished its run, you’ll have all the available back issues of the Linux Journal in your ~/Linux-Journal directory. Coolio! Many thanks to Alain Kelder and Jan van Haarst for developing this solution.

I don’t usually do reviews here at The Node, but in this case I’m going to make an exception. I’d bought an Arduino micro-controller board a while back but found out that while it was pretty easy to learn in terms of programming the thing, I didn’t know enough about basic electronics to do exciting things with it. While I have done a bit of prototyping of simple circuits on breadboards, I was more interested in learning the fundamentals and playing around with basic components without risking the hardware I had.
So I dutifully went to Google and typed in “circuit simulator” figuring that hey, I’ve read a couple of books on electronics. Components and current and voltage should be easy to simulate on a computer, right? There must be loads of these types of applications available!

Well, yes. Obtuse pieces of specialised industrial software called things like SPICE and Qucs. While I was pleased to see they were open source efforts, they didn’t really seem to do what I wanted – or at least not easily. When you think of “circuit simulator”, do you think of easily accessible components you can drag and drop onto a virtual workspace? Do you not almost expect to be able to snap everything together with virtual wire and connect to a virtual power source and see your circuit simulation in action? I did, and these seemingly professionally-used applications just weren’t user-friendly enough for a beginner to be able to do that. And considering the way that circuits operate, it was well….weird.

Well, I found that app on Android almost by accident. It’s called EveryCircuit and it’s much easier to use than any other circuit simulator on any platform.

It acts just as you’d expect really, which seems somewhat radical compared to almost any other circuit simulation software I’ve come across. You have a list of standard symbols of components at the top which you can flick through with your finger and a workspace to drag and drop your components. Most components have a radial dial to change the values of the components such as resistance or you can type the values in manually.
You connect your power source, either AC or DC and press the ‘play’ button. You’ll see the voltage drop across components, how many milliamps are flowing through the circuit and so on. Below is my real circuit design for a door alarm that activates when the door is left open.

My first tentative circuit for a door alarm
[Yes, I know the power wastage is too high in the non-activated state :-)]

It’s certainly made me more confident about prototyping simple circuits before I reach for the breadboard and the app is well worth the money at £6.00. The general design is solid. While this app is fully usable on a phone (I am using it on a Nexus S running ICS 4.0.3), I imagine it was designed with an Android tablet in mind. This is clear from the lack of zoom functionality as you cannot “pinch” the screen to zoom in or out, which was sort of a pain…especially with larger circuits. The component list at the top has no “tooltips” to say what the symbol for each component means which will not be a problem for experienced electronics hobbyists but is annoying for a beginner like me. I also discovered that I couldn’t simulate just any circuit diagram I found on the web…especially ones that included polarised capacitors as the app only has general capacitors. Again, I’m not sure if this was me or the app – do polarised capacitors matter? Don’t really know yet. EveryCircuit does seem to be updated on a regular basis, so I imagine more and more components will be added over time. It would be nice to have several common integrated circuits (ICs) included such as the 555 timer which a lot of simple circuits and educational and hobby texts make use of. One of the things that EveryCircuit does do well is the ability to change the values of components and see the immediate difference in the running simulation which is really great and helps you make sense of what is going on.

Liked:

- Works just like you’d expect a circuit simulator to work (finally!). Extremely intuitive interface.
- Includes its own fully functional oscilloscope for AC circuits.
- Reasonably wide range of common components to play with.
- Running simulations are interactive and include a lot of real-time information.
- The developer is extremely approachable and helpful with queries and questions.
- Basic integration with ElectroDroid, another handy Android electronics tool.
- You can email your designs as a JPEG to anybody from within the app or export via regular Android sharing services. This includes the circuit design in simulation mode.

Disliked:

- If you’re a beginner in electronics, there’s no help or information about what the circuit symbols for each component are.
- No zoom feature, especially notable in its absence on a phone rather than a tablet.
- Would be nice to have more components available like polarised capacitors, buzzers, variable resistors and a selection of common ICs.
- Transistors have a value attached to them which you can change, but no explanation of what that value does and no circuit diagram seems to mention a transistor value. This adds an element of doubt to a beginner about whether the app is wrong or you are when things don’t work. Disconcerting. A help page and basic user-guide would help alleviate these doubts.
- Modifying the connectors between components can sometimes be a frustrating experience and you often have no option but to delete many at once. This can sometimes lead to confusing circuit layouts as you cannot change the layout of the connections from one component to another.
- No ability to change the colour-scheme for printer-friendly diagram exports.
- A little too easy to overwrite saved designs. An “are you sure?” dialog box would save the day here.
- More simple DC circuit examples for common entry-level tasks would be most welcome for the newbie.

EveryCircuit is a definite must for any electronics hobbyist or professional. I was amazed that I, as a relative beginner, could actually prototype and test a circuit within minutes. With a little more work on the interface and a wider selection of components, it could probably be sold to schools and colleges as a full-blown educational product. It’s certainly easier to use than anything else I’ve been able to find, on Android or any other platform. I would also mention that I would pay a fair bit of coin to get a desktop version of this app for my PC. Either that, or I’m going to have to get an Android tablet!

Conclusion: If you’re into electronics at all, you need this app. More components and some interface tweaks will make this app the hobbyist’s holy grail.

Update 27/03/2012: The author has contacted me to state that there is, in fact, a “new workspace” option. There is a “New” button in the “Open file” dialog that clears the workspace and allows you to start over. The review has been updated accordingly.

EveryCircuit is available on Google Play here.

A former Nokia executive today lambasted Nokia’s Microsoft Windows Phone strategy as a certain road to death. While I think that Nokia is now for all intents and purposes dead, this also highlights the deeper problems at Microsoft, which is struggling to find a place in the world of mobile.
In the most general terms, Microsoft wants an iPhone and they are seemingly so blinded by Apple’s fortunes that they are missing the obvious strategy that could save them from sliding into irrelevance. In fact there are two obvious choices, both of which Microsoft has major experience in. Both involve picking the Nokia carcass clean but perhaps that was the plan anyway because I see Microsoft buying Nokia outright before the corpse has cooled. Much like Google bought Motorola Mobility. If nothing else, Apple has taught us that a guiding hand is needed across both hardware and software. Sorry Nokia, but you’re now the hardware arm of Microsoft Mobile. So what options does Microsoft have now?

Choice 1 – Become RIM. Research In Motion’s Blackberry line is itself in trouble. RIM used to position itself as the business man’s smart phone manufacturer with its Messenger service and QWERTY keyboards. Business people loved them. It enjoyed tight integration to the enterprise and Microsoft Exchange…and then they got Apple-itis just as Microsoft have – trying to out-iPhone the iPhone (RIM PlayBook anybody?). Same depressingly predictable result.
So why can’t Microsoft spin Windows Phone 7 into an enterprise choice? Windows Phone 7 should be able to be tightly integrated into Windows Server and Exchange with no problem. Allow it to join domains (which apparently the recently announced Windows 8 ARM devices mind-bogglingly cannot do), seamlessly integrate into Active Directory and have an RDP client right there. That’s one option and the hole left by RIM plus Microsoft’s hold of the business desktop with Windows 7 makes this an obvious choice.
While they’re doing this, they need to rethink their Windows 8 tablet strategy too – because the public doesn’t understand the Windows 8 position any more than anyone else does. Where do .NET and XNA fit into Metro? Anywhere? There is a reason iOS is used on Apple’s tablets instead of OSX. They should make Windows 8 pretty much like Windows 7, drop the stupid Metro interface and simply make a better operating system rather than change the user interface which makes no sense for anybody who has to do real work in an office. Make the core of Windows 8 better – a new file system, SSH client built in, all the things we were promised for Windows Vista. Work on integrating WP7 into Windows 8 so that the Windows “iPad” will then happen all by itself if the eco-system is there by simply up-sizing your mobile device when the time is right. Bingo.

Choice 2 – Leverage the Xbox brand and become the first hybrid phone/portable games console. The other two players in the games console market – Nintendo and Sony – both have mobile gaming devices out, the 3DS and PS Vita. Microsoft has been conspicuously absent from this market despite the occasional rumours that they’re working on an “Xbox Mobile”. Why couldn’t a Nokia-built Windows Phone 7 device become the next Xbox portable? Xbox is just about the only consumer brand-awareness Microsoft has, so why not use it? Xbox consoles are wildly popular in the west. Neither Sony nor Nintendo realise that dedicated portable gaming devices are soon to be a dying breed and our Japanese friends in all honesty don’t seem to understand the Internet nearly as well as Microsoft has done with its Xbox LIVE service or the changing tastes of game players in the west. Microsoft has the ability to change the game in mobile. Why not create a device with slide out physical controls, tight integration with Xbox LIVE and mini-apps for things like Call of Duty Elite and Halo? Market it as the Xbox portable that also does as much as your cell phone. It would have to be handled right, but where Nokia tried and failed with the N-Gage, Microsoft has had a decade of experience with the games console market to pull it off and a pre-existing pull with Xbox LIVE. It would be a boon for developers as games could be written and released much like they are now on Android and the Xbox Indie channel. The developer tools for all that are already there – XNA allows you to code for WP7 devices, Windows and Xbox. Make it indie-friendly, the developer tools are free!

The mobile phone market has proved itself to be a two-horse race. So Microsoft needs to redefine the rules rather than release “just another smart phone with fewer apps” in a market already saturated by Android and iOS. Microsoft needs to redefine its line-up to be something other than just another consumer mobile phone. WP7 can either be Windows Enterprise Mobile or Xbox Mobile. Just don’t call it a phone…because we’ve already got those.

Linux is great at logging almost any event that happens in the operating system and pretty much all of this stuff is stored under /var/log/messages. This is fine until a machine is compromised. If a hacker somehow manages to sneak into your server, pretty much the first thing they’ll do is erase the logs to cover their tracks. So while local logging is fine for spotting failed intrusion attempts, there is always the possibility that your server is breached and the logs won’t tell you anything because the intruder has access to those logs by definition.
The solution to this is to use a remote centralised Linux server to log the system logs from other systems. This way, when a system is breached, the hacker has no way of hiding their access as the logs are actually stored in real-time on another, uncompromised system. Some home routers from the likes of NetGear also have the option to store system logs to a remote syslog server. This can be useful for storing access events onto your home network for analysis as routers tend not to have much onboard storage for log files and almost certainly don’t survive between reboots.

Either way, I hope I’ve made the case for setting up a syslog server on your network. I’ll assume you have a spare Linux machine lying around with the minimum of SSH and iptables working. Pretty much any distribution will have all this working by default :-)

Configuring the syslog server

All your system logs are stored under /var/log and the daemon responsible for this is rsyslogd. You can see if it’s running on your system with:-

ps -elf | grep rsyslog

You’ll probably get something back like:-


4 S root 24457 1 0 80 0 - 7742 poll_s 12:23 ? 00:00:00 /sbin/rsyslogd -n -c 5

On newer Fedora releases that use systemd rather than the older traditional sysvinit, you can also check that rsyslogd is running with:-

service rsyslog status

to which you’ll get back the following detailed information about the running process from systemd.


Redirecting to /bin/systemctl status rsyslog.service
rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled)
Active: active (running) since Tue, 20 Mar 2012 12:23:35 +0000; 6min ago
Process: 24454 ExecStartPre=/bin/systemctl stop systemd-kmsg-syslogd.service (code=exited, status=0/SUCCESS)
Main PID: 24457 (rsyslogd)
CGroup: name=systemd:/system/rsyslog.service
└ 24457 /sbin/rsyslogd -n -c 5

The interesting part (aside from the fact that it’s running!) is the last line, this one:-

/sbin/rsyslogd -n -c 5

This shows you what parameters are being passed to rsyslogd when it starts with the system. From this, we can tell by using “man rsyslogd” that -n means that the rsyslogd daemon will avoid auto-backgrounding which makes sense as the process is managed by init or in this case, systemd. The -c parameter allows backwards compatibility…in this case, version 5.0. I assume again that this is something to do with systemd which probably has something different “under the hood”. Anyway, nothing very interesting there. You might notice from the man pages that there is a -r parameter which allows logging from remote sources. This is what we want, so we need to know how to set rsyslogd’s parameters upon start up. This is done via the config file. So edit it with:-

vi /etc/sysconfig/rsyslog

…under RedHat/Fedora and:-

vi /etc/init.d/sysklogd

…under Ubuntu/Debian.

The contents of the file are pretty sparse, consisting just of the line:-

SYSLOGD_OPTIONS="-c 5"

Here is where we set our remote switch, so change it so it reads:-

SYSLOGD_OPTIONS="-r -c 5"

Depending on your distribution, your SYSLOGD_OPTIONS parameters might look a little different – this doesn’t matter, the important part is that you’ve added the “-r” switch to the options. Save this file. Next you need to configure the daemon to listen on UDP port 514 for external syslog messages. So open the following file:-

vi /etc/rsyslog.conf

Look for the section near the top that looks like this:-


# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

Uncomment these two lines by removing the hash character at the beginning. This simply says to listen on UDP port 514 for connections.

Save this file and restart rsyslogd with:-

service rsyslog restart

…under RedHat/Fedora and:-

/etc/init.d/sysklogd restart

Remember you’ll need to also open a port for incoming syslog information from remote clients. rsyslogd uses UDP port 514 for this, so make sure you’ve added the port to the iptables firewall with something like:-

iptables -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT

If you want to lock down the firewall access a little more than that, you could use something like:-

iptables -A INPUT -p udp -i eth0 -s 192.168.1.2 -d 192.168.1.1 --dport 514 -j ACCEPT

This rule will ensure that the syslog server on IP address 192.168.1.1 will receive UDP packets containing the system log events from the remote client on IP address 192.168.1.2. Obviously replace these with the correct IP addresses for your network.

Once everything is set up, you can check that your syslog server is listening on the intended port with:-

netstat -an | grep 514

…which should give you this:-


udp 0 0 0.0.0.0:514 0.0.0.0:*
udp 0 0 :::514 :::*

If you’re using a NetGear router and want to log its information to your server, you’re now set up to point your router logs to your server. If you’re wanting to log system events from another Linux client on your network to the syslog server, these also need to be configured to log their stuff remotely rather than to /var/log/messages.

Configuring the syslog client

On each system that will log to the syslog server you’ve just set up, you need to configure it to log there rather than to its own /var/log directory. Create the file “/etc/syslog.conf” if it doesn’t already exist and add this line at the top of the file:-

*.* @192.168.1.1

…where the 192.168.1.1 IP address is the IP address of your syslog server. Change as appropriate. Finally, restart the syslog daemon on the client with:-

service syslog restart

Remember again that you’ll need to add an outgoing rule to your firewall to allow the 514 port-destined syslog traffic to your syslog server. Here is the iptables rule: -

iptables -A OUTPUT -p udp -o eth0 -s 192.168.1.2 -d 192.168.1.1 --dport 514 -j ACCEPT

If the client is an Ubuntu box, you won’t be using iptables, but ufw. The article on how to use Ubuntu’s firewall can be found here.

The client’s logs (or your router’s, if you have that functionality) will now be written to the syslog server’s /var/log/messages system log.

Welcome to the first real Windows post :) Now, I know this place mostly has a Linux bias but really, The Node is about solving technological problems…it’s just that Linux makes it easier to do so. As my main interest and inspiration for starting this site was Linux, it has a Linux slant…but I use all sorts of computers. Since July I have become responsible for a Windows network as well as my yummy Linux servers. While I don’t hold Windows very highly, I have been using it…even at home with my new gaming laptop (I tweeted about the joys of Crysis 2 on max detail last week).
So there are bound to be little problems that crop up. This particular problem is so seemingly prevalent on Windows that I just took it as Windows being dreadful. This is when you have an external USB hard drive that you plug into Windows and Windows makes the “bing bong” noise…yet no drive pops up in Windows explorer. Your brow furrows, and you probably do what I did which was to switch it off and on again (grin). Still no luck. However, this isn’t Windows having shoddy USB drivers or anything like that. It’s totally fixable and here’s how.

Note: This fix can also be achieved with Windows XP, but the location of various options and windows may have been moved. Anyway, there are two main ways to fix this. The first is the more common, and both its cause and its solution are less complicated.

As you probably know, Windows uses drive letters to distinguish between partitions. I think this is a bone-headed method of file system design, but fine. Anyway, in order for your USB drive to show up as…well…a drive, Windows has to assign it a letter when the USB subsystem alerts it to a new device being connected. No drive letter, no drive to use.

Before we start, make sure that you’ve disconnected or switched off any other external USB devices you may have attached to your computer else it’ll make identification of the problem device difficult.

So, first make sure your USB drive is plugged in and switched on. You’ll hear the “bing bong” sound Windows makes when it’s alerting you to a new USB device being attached. As expected, the drive doesn’t show up.
Open the Start menu and right-click on “My Computer”. From there, left-click on “Manage”. This requires Administrator privileges. From the left panel on the new window, click on: -

System Tools -> Device Manager

From the tree list, expand the “Universal Serial Bus Controllers” option. You’ll probably see many devices, but you only need to look for one, the “USB Mass Storage” entry. If you see more than one, you didn’t take my advice above and switch off and disconnect any other USB hard drives you have. Go ahead and do that and then come back :)

If you only have the one entry for “USB Mass Storage”, that’s your drive. Right-click on it and choose “uninstall” from the options. Switch off or disconnect your drive and then power it up again. This will allow Windows to attempt to re-install the driver for the device. If that was your problem, you should now see your device assigned with a correct drive letter. Done.

If this didn’t work, you’ll need to try the second method.

From the Start menu, select:-

Administration Tools -> Computer Management -> Disk Management

In the bottom middle panel of this new window, you will see a graphical representation of your disk drives. “Disk 0” is usually your drive C: and should not be touched. If you have more internal drives or partitions, they will also show here. In order to match up your external USB device to the devices listed, either match it up by the approximate size listed or simply switch off and on your USB drive to see which entry vanishes and reappears. Once you’ve identified your device, right-click on the blue bar running along the top of the device entry and select “Change drive letters and paths”. Click change and choose an unassigned drive letter. Save your changes and reset the device and it should show up! If it was not seen there, go to “Action” on the menu bar, click on “Rescan Disks” and it should appear.

The blue bar menu is all greyed out and I cannot select the change drive letter option!

If you get this, you have a GPT Protective partition which means that the drive was probably installed on a Linux, Mac or Windows XP 64-bit edition machine. You can override this and get a functional drive, but you cannot save the data as the following solution is a data destructive process. In my case, I didn’t mind, but if you do, consider using the parent operating system of the drive to read the data.

In any case, you won’t be able to recover the data under Windows 7. The drive is inaccessible and Disk Management reports that the drive has a GPT Protective Partition on it. The drive cannot be re-partitioned and formatted in this state, so you’ll need to clean the drive before you can use it.
First, make a note of the disk number listed in the Disk Management window as you’ll need this information in a minute.

Open a Windows command prompt window and enter:-

diskpart

From the diskpart prompt, type: -

list disk

You’ll get back something like: -


  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          698 GB      0 B
  Disk 1    Online          111 GB      0 B
  Disk 2    Online          298 GB  1024 KB

Select the disk number for your device that you noted down earlier with: -

select disk [NUMBER]

Where [NUMBER] is the number you wrote down. Windows will say that “disk [NUMBER] is now selected”. Now enter: -

clean

This removes the disk’s partition and signature from the drive. After you are returned to the diskpart prompt, type “exit” and go back to your Disk Management window. Windows should now be aware that the drive is uninitialised and should prompt for the wizard. From here you can reinitialise and format the drive. If you’re using a regular USB drive, you’ll probably want to format it as FAT32 (or exFAT) so that it can be used on older versions of Windows, Mac or Linux. Be aware – this format will take ages. Once it’s done, close the Disk Management window and power cycle your USB device. It should now show up with the assigned drive letter :-)
