

Q. Can you explain /etc/passwd file format for Linux and UNIX
operating systems?

A. /etc/passwd file stores essential information which is required
during login, i.e. user account information. /etc/passwd is a text
file that contains a list of the system's accounts, giving for each
account some useful information like user ID, group ID, home
directory, shell, etc. It should have general read permission, as many
utilities like ls use it to map user IDs to user names, but write
access only for the superuser (root).

Understanding fields in /etc/passwd

The /etc/passwd contains one entry per line for each user (or user
account) of the system. All fields are separated by a colon (:)
symbol. There are seven fields in total, as follows.

root:x:0:0:root:/root:/bin/bash

1. Username (root): It is used when the user logs in. It should be
between 1 and 32 characters in length.
2. Password (x): An x character indicates that the encrypted
password is stored in the /etc/shadow file.
3. User ID (UID) (0): Each user must be assigned a user ID (UID).
UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for
other predefined accounts. Further, UIDs 100-999 are reserved by the
system for administrative and system accounts/groups.
4. Group ID (GID) (0): The primary group ID (stored in the
/etc/group file).
5. User ID Info (root): The comment field. It allows you to add
extra information about the user such as the user's full name,
phone number etc. This field is used by the finger command.
6. Home directory (/root): The absolute path to the directory the
user will be in when they log in. If this directory does not exist
then the user's directory becomes /.
7. Command/shell (/bin/bash): The absolute path of a command or
shell (/bin/bash). Typically, this is a shell. Please note that it
does not have to be a shell.

The permission on the /etc/passwd file should be read-only for users
(-rw-r--r--) and the owner must be root.

Q. Can you explain /etc/shadow file used under Linux or UNIX?

A. /etc/shadow file stores the actual password in encrypted format for
the user's account, with additional properties related to the user
password, i.e. it stores secure user account information. All fields
are separated by a colon symbol. It contains one entry per line for
each user listed in the /etc/passwd file.
For example:
root:$1$heLNU7cb$yLf9xPG/8o5LCmqpE.fVG0:14638:0:99999:7:::

1. User name (root): It is your login name.
2. Password ($1$heLNU7cb$yLf9xPG/8o5LCmqpE.fVG0): It is your
encrypted password. The password should be a minimum of 6-8
characters long, including special characters/digits.
3. Last password change (lastchanged) (14638): Days since Jan 1,
1970 that the password was last changed.
4. Minimum (0): The minimum number of days required between
password changes, i.e. the number of days left before the user is
allowed to change his/her password.
5. Maximum (99999): The maximum number of days the password is
valid (after that the user is forced to change his/her password).
6. Warn (7): The number of days before the password is to expire
that the user is warned that his/her password must be changed.
Note: in the above example only six fields are filled in; the next
two fields (7 and 8) are left empty there and are described below.
7. Inactive: The number of days after the password expires that the
account is disabled.
8. Expire: Days since Jan 1, 1970 that the account is disabled, i.e.
an absolute date specifying when the login may no longer be used.

The last 6 fields provide password aging and account lockout
features (you need to use the chage command to set up password
aging). According to the man page of shadow, the password field must
be filled. The encrypted password consists of 13 to 24 characters
from the 64 character alphabet a through z, A through Z, 0 through 9,
. and /. Optionally it can start with a "$" character. This means the
encrypted password was generated using another (not DES) algorithm.
For example if it starts with "$1$" it means the MD5-based algorithm
was used.
/etc/group:
/etc/group is a file that defines the groups to which users belong.
In Linux multiple users can be categorized into groups. Linux file
system permissions are organized into three classes: user, group, and
others. The use of groups allows additional abilities to be delegated
in an organized fashion, such as access to disks, printers, and other
peripherals.
It stores group information, i.e. it defines the groups to which
users belong. There is one entry per line, and each line has the
following format (all fields are separated by a colon (:)):
ccache:x:497:
group_name (ccache): It is the name of the group. If you run the
ls -l command, you will see this name printed in the group field.
Password (x): Generally a password is not used, hence it is
empty/blank. It can store an encrypted password. This is useful to
implement privileged groups.
Group ID (GID) (497): Each user must be assigned a group ID. You
can see this number in your /etc/passwd file.
Group List: It is a list of user names of users who are members of
the group. The user names must be separated by commas.
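
The three file formats above are easy to parse but easy to get wrong
when auditing by eye. The following is an added example (not part of
these notes) that parses constructed /etc/passwd, /etc/shadow and
/etc/group samples and reports the conditions a defender checks first:
a second UID 0 account, a passwd entry that does not defer to shadow
with "x", an empty shadow password field, and a GID that no group
defines. The sample data, the check names and the helper functions are
all made up for this example.

```python
"""Audit /etc/passwd, /etc/shadow and /etc/group entries.

Added example, not part of the original notes. All input below is
constructed sample data, not taken from any real system.
"""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")
ShadowEntry = namedtuple("ShadowEntry",
                         "name passwd lastchg min max warn inactive expire reserved")
GroupEntry = namedtuple("GroupEntry", "name passwd gid members")

# Constructed sample data: one extra UID-0 account, one account with a
# hash in passwd itself, one with an empty shadow password, one orphan GID.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0:helper:/tmp:/bin/sh
svc:abc:1001:9999:service:/var/svc:/bin/sh
"""
SAMPLE_SHADOW = """root:$1$heLNU7cb$yLf9xPG/8o5LCmqpE.fVG0:14638:0:99999:7:::
bin:*:14638:0:99999:7:::
alice::14638:0:99999:7:::
backdoor:!:14638:0:99999:7:::
"""
SAMPLE_GROUP = """root:x:0:
bin:x:1:
alice:x:1000:
ccache:x:497:
wheel:x:10:alice,root
"""


def parse_lines(text, record, nfields):
    """Split colon-separated lines into records, skipping blanks and comments."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != nfields:
            raise ValueError("bad field count in line: %r" % line)
        out.append(record(*parts))
    return out


def parse_passwd(text):
    return parse_lines(text, PasswdEntry, 7)


def parse_shadow(text):
    return parse_lines(text, ShadowEntry, 9)


def parse_group(text):
    entries = parse_lines(text, GroupEntry, 4)
    # The member list is comma-separated; an empty field means no members.
    return [e._replace(members=[m for m in e.members.split(",") if m])
            for e in entries]


def audit(passwd_text, shadow_text, group_text):
    """Return a sorted list of (check, account) findings."""
    passwd = parse_passwd(passwd_text)
    shadow = {e.name: e for e in parse_shadow(shadow_text)}
    gids = {e.gid for e in parse_group(group_text)}
    findings = []
    for p in passwd:
        # Any account besides root with UID 0 is root under another name.
        if p.uid == "0" and p.name != "root":
            findings.append(("extra-uid0", p.name))
        # Anything but 'x' here is a hash in world-readable passwd,
        # or an empty field, which means no password at all.
        if p.passwd != "x":
            findings.append(("passwd-not-shadowed", p.name))
        if p.gid not in gids:
            findings.append(("unknown-gid", p.name))
        s = shadow.get(p.name)
        # An empty shadow password field allows login without a password.
        if s is not None and s.passwd == "":
            findings.append(("empty-shadow-password", p.name))
    return sorted(findings)


if __name__ == "__main__":
    for check, account in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP):
        print("%-24s %s" % (check, account))
```

On a real host the same functions can be fed the contents of the three
files (reading /etc/shadow requires root), and the field-count check in
parse_lines doubles as a sanity check that no entry has been corrupted.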

Q. What is umask and how is it determined on a Linux system?

A. The user file-creation mode mask (umask) is used to determine the
file permissions for newly created files. It can be used to control
the default file permissions for new files. It is a four-digit octal
number. Procedure to set up the default umask:
You can set up the umask in /etc/bashrc or /etc/profile for all
users. By default most Linux distros set it to 0022 (022) or 0002
(002).
vi /etc/profile or vi ~/.bashrc
Append/modify the following line to set up a new umask:
umask 022
Save and close the file. Changes will take effect after the next
login.

Q. But what is 0022 and 0002?

A. The default umask 0002 is used for normal users. With this mask
the default directory permissions are 775 and the default file
permissions are 664.
The default umask for the root user is 0022, which results in default
directory permissions of 755 and default file permissions of 644.
For directories, the base permissions are (rwxrwxrwx) 0777 and for
files they are 0666 (rw-rw-rw-).
To calculate directory permissions for umask 022 (root user):
Default Permissions: 777
Subtract umask value: 022 (-)
Allowed Permissions: 755
To calculate file permissions for umask 022 (root user):
Default Permissions: 666
Subtract umask value: 022 (-)
Allowed Permissions: 644
(Strictly, the kernel clears the mask bits with a bitwise AND NOT;
plain subtraction gives the same answer only when every bit set in
the mask is also set in the base, as it is for 022 and 002.)

Meaning in chmod command in Linux:

chmod 400 file       To protect a file against accidental overwriting.
chmod 500 directory  To protect yourself from accidentally removing,
                     renaming or moving files from this directory.
chmod 600 file       A private file only changeable by the user who
                     entered this command.
chmod 644 file       A publicly readable file that can only be changed
                     by the issuing user.
chmod 660 file       Users belonging to your group can change this
                     file; others don't have any access to it at all.
chmod 700 file       Protects a file against any access from other
                     users, while the issuing user still has full
                     access.
chmod 755 directory  For files that should be readable and executable
                     by others, but only changeable by the issuing
                     user.
chmod 775 file       Standard file sharing mode for a group.
chmod 777 file       Everybody can do everything to this file.
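
The umask arithmetic in the two answers above and the chmod table can
be checked with a few lines of code. This is an added example, not
part of the notes: it applies a umask the way the kernel does (base AND
NOT mask), shows the "subtract" shortcut beside it, and renders the
result in the rw-r--r-- form that ls -l prints. The function names and
the umask 077 case are this example's own additions; 077 is included
because it is where the subtraction shortcut gives a wrong answer.

```python
"""Apply a umask to base creation modes and render the result.

Added example, not part of the original notes.
"""
import stat

FILE_BASE = 0o666   # rw-rw-rw-: base mode for a newly created file
DIR_BASE = 0o777    # rwxrwxrwx: base mode for a newly created directory


def apply_umask(base, umask):
    """Permission bits the kernel grants a new object: base AND NOT umask."""
    return base & ~umask & 0o777


def subtract_umask(base, umask):
    """The 'subtract' shortcut from the notes. Only valid when every bit
    set in umask is also set in base (true for 022 and 002, not for 077)."""
    return base - umask


def to_symbolic(mode):
    """Render 0o644 as 'rw-r--r--', the form ls -l prints."""
    return stat.filemode(stat.S_IFREG | (mode & 0o777))[1:]


def describe(umask):
    """Return (dir_mode, file_mode) as three-digit octal strings for a umask."""
    return ("%03o" % apply_umask(DIR_BASE, umask),
            "%03o" % apply_umask(FILE_BASE, umask))


if __name__ == "__main__":
    for um in (0o022, 0o002, 0o077):
        d, f = describe(um)
        print("umask %03o: dir %s (%s)  file %s (%s)" % (
            um, d, to_symbolic(int(d, 8)), f, to_symbolic(int(f, 8))))
    # Where the subtraction shortcut goes wrong: 666 - 077 is not 600.
    print("077 on 666: bitwise %03o, subtraction %03o" % (
        apply_umask(FILE_BASE, 0o077), subtract_umask(FILE_BASE, 0o077)))
```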

FIND COMMAND:
Find files modified between now and 1 day ago (i.e., within the past
24 hours):
find . -mtime 0
Find files modified less than 1 day ago (i.e., within the past 24
hours, as before):
find . -mtime -1
Find files modified between 24 and 48 hours ago:
find . -mtime 1
Find files modified more than 48 hours ago:
find . -mtime +1
Find files modified between 6 and 9 minutes ago:
find . -mmin +5 -mmin -10

How do you enable iptables to open IP ports used by Red Hat
Enterprise Linux 5 Cluster Suite?
Listed below are example iptables rules for enabling the IP ports
needed by the Red Hat Cluster Suite.
Note: Replace 192.168.5.0/24 with the appropriate subnet.
1. cman (Cluster Manager) UDP Ports 5404, 5405:
iptables -I INPUT -m state --state NEW -m multiport -p udp -s 192.168.5.0/24 -d 192.168.5.0/24 --dports 5404,5405 -j ACCEPT
iptables -I INPUT -m addrtype --dst-type MULTICAST -m state --state NEW -m multiport -p udp -s 192.168.5.0/24 --dports 5404,5405 -j ACCEPT
2. ccsd (Cluster Configuration System daemon) TCP Ports 50006, 50008, 50009:
iptables -I INPUT -m state --state NEW -m multiport -p tcp -s 192.168.5.0/24 -d 192.168.5.0/24 --dports 50006,50008,50009 -j ACCEPT
3. ccsd (Cluster Configuration System daemon) UDP Port 50007:
iptables -I INPUT -m state --state NEW -p udp -s 192.168.5.0/24 -d 192.168.5.0/24 --dport 50007 -j ACCEPT
4. dlm (Distributed Lock Manager) TCP Port 21064:
iptables -I INPUT -m state --state NEW -p tcp -s 192.168.5.0/24 -d 192.168.5.0/24 --dport 21064 -j ACCEPT
5. rgmanager (High-availability Service Management daemon) TCP Ports 41966, 41967, 41968, 41969:
iptables -I INPUT -m state --state NEW -m multiport -p tcp -s 192.168.5.0/24 -d 192.168.5.0/24 --dports 41966,41967,41968,41969 -j ACCEPT
6. ricci (part of Conga remote agent) TCP Port 11111:
iptables -I INPUT -m state --state NEW -p tcp -s 192.168.5.0/24 -d 192.168.5.0/24 --dport 11111 -j ACCEPT
7. luci (Conga User Interface server) TCP Port 8084:
iptables -I INPUT -m state --state NEW -p tcp -s 192.168.5.0/24 -d 192.168.5.0/24 --dport 8084 -j ACCEPT
8. modclusterd (part of Conga remote agent) TCP Port 16851:
iptables -I INPUT -m state --state NEW -p tcp -s 192.168.5.0/24 -d 192.168.5.0/24 --dport 16851 -j ACCEPT
9. gnbd (Global Network Block Device) TCP Port 14567:
iptables -I INPUT -m state --state NEW -p tcp -s 192.168.5.0/24 -d 192.168.5.0/24 --dport 14567 -j ACCEPT
10. After applying the iptables rules, save the configuration so the
changes persist across reboots:
service iptables save

What ports need to be open for DNS to operate?

DNS uses both the TCP and UDP protocols. Lookups performed by clients
primarily (but not exclusively) use UDP; when the response data
exceeds 512 bytes, the UDP response comes back truncated and the
resolver retries the query over TCP. Other DNS functions such as zone
transfers use TCP exclusively. DNS servers need to be reachable on
port 53 ("domain") for both TCP and UDP from their clients (often,
the whole internet); the standards do not prescribe a specific source
port for DNS requests, so the source port is arbitrary.
Additionally, on systems that are running BIND9 as part of a zone
that (as recommended) has multiple name servers, the servers need to
be able to connect to each other on TCP port 953 ("rndc") so they
can push changes out to their peers rather than wait for them to
refresh their cached information.

VLAN CONFIGURATION:
VLAN stands for virtual LAN. A single VLAN-capable switch is able to
participate in multiple LANs at once.
1. Connect the eth0 interface of your Linux machine to the switch.
2. Remove the IP address information on the eth0 interface:

# ifconfig eth0 0.0.0.0
# ifconfig eth0 up

3. Configure 2 VLANs on the eth0 interface using vconfig as follows
(100 and 200 are the VLAN IDs). If the 8021q.o module is not loaded,
the vconfig command (when invoked for the first time) will
automatically load the module.

# vconfig add eth0 100
# vconfig add eth0 200

4. Configure IP on the VLAN interfaces:

# ifconfig eth0.100 xxx.xxx.xxx.xxx netmask 255.255.252.0 up
# ifconfig eth0.200 yyy.yyy.yyy.yyy netmask 255.255.255.0 up

5. Preserve the VLAN configuration across reboots by adding it to the
configuration files. Create the appropriate ifcfg files for eth0,
eth0.100 and eth0.200 in /etc/sysconfig/network-scripts/

# cd /etc/sysconfig/network-scripts/
Contents of ifcfg-eth0
DEVICE=eth0
ONBOOT=no
TYPE=Ethernet

Contents of ifcfg-eth0.100
DEVICE=eth0.100
IPADDR=xxx.xxx.xxx.xxx
NETMASK=255.255.252.0
VLAN=yes
ONBOOT=yes
BOOTPROTO=none

Contents of ifcfg-eth0.200 (the netmask matches the one used in
step 4)
DEVICE=eth0.200
IPADDR=yyy.yyy.yyy.yyy
NETMASK=255.255.255.0
VLAN=yes
ONBOOT=yes
BOOTPROTO=none

6. Update the /etc/sysconfig/network file to make GATEWAYDEV use the
public VLAN interface.
Contents of /etc/sysconfig/network

Linux Crontab Format
MIN HOUR DOM MON DOW CMD

Crontab Fields:
The crontab command is used to schedule jobs to be run in the
future, usually on some regular schedule (such as every week). The
command is run with one of three command line arguments:
crontab -l     View crontab file, if any
crontab -r     Remove crontab file, if any.
crontab -e     Edit (or create) user's crontab file (starts the
               editor automatically)
crontab file   Replace existing crontab file (if any) with file
Field Descriptions:
minute hour dayOfMonth month dayOfWeek command
where:
minute values range from 0 to 59,
hour values range from 0 to 23,
dayOfMonth values range from 1 to 31,
month values range from 1 to 12,
dayOfWeek values range from 0 to 6, with 0 meaning Sunday
Examples:
0,30 8-17 * * 1-5 cmd   -> Run cmd on the half-hour from 8:00 AM
                           to 5:30 PM, Monday through Friday
0 12 1,15 * 5 cmd       -> Run cmd at noon each Friday AND on the
                           first and fifteenth of every month
17 3 * * 1 cmd          -> Run cmd at 3:17 AM Monday (a backup
                           program perhaps).
Schedule a job for a specific time (08:30 on 10 June):
30 08 10 06 * /home/ramesh/full-backup
Schedule a job for more than one instance (twice a day):
00 11,16 * * * /home/ramesh/bin/incremental-backup
Schedule a job for a specific range of time (e.g. only on weekdays):
Cron job every day during working hours:
00 09-18 * * * /home/ramesh/bin/check-db-status
Cron job every weekday during working hours:
00 09-18 * * 1-5 /home/ramesh/bin/check-db-status
How to view another Linux user's crontab entries:
crontab -u sathiya -l
How to edit another Linux user's crontab file entries:
crontab -u sathiya -e
Schedule a job for every minute using cron:
* * * * * CMD
Schedule a background cron job for every 10 minutes:
*/10 * * * * /home/ramesh/check-disk-space
Schedule a job for the first minute of every year using @yearly:
@yearly /home/ramesh/red-hat/bin/annual-maintenance
Schedule a cron job at the beginning of every month using @monthly:
@monthly /home/ramesh/suse/bin/tape-backup
Schedule a background job every day using @daily:
@daily /home/ramesh/arch-linux/bin/cleanup-logs "day started"

FIND USEFUL COMMANDS:

Find all files named MyCProgram.c in the current directory and all
its sub-directories:
find -name "MyCProgram.c"

Find files using name and ignoring case:
find -iname "MyCProgram.c"

Limit search to a specific directory level using mindepth and
maxdepth

Find the passwd file under root, at any depth:
find / -name passwd
Find the passwd file under root and one level down:
find / -maxdepth 2 -name passwd
Find the passwd file under root and two levels down (i.e. root is
level 1, and two sub-directory levels are levels 2 and 3):
find / -maxdepth 3 -name passwd
Find the passwd file between sub-directory levels 2 and 4:
find / -mindepth 3 -maxdepth 5 -name passwd

Finding the top 5 big files:
find . -type f -exec ls -s {} \; | sort -n -r | head -5

Finding the top 5 small files:
find . -type f -exec ls -s {} \; | sort -n | head -5

Find only the socket files:
find . -type s

Find all directories:
find . -type d

Find only the normal files:
find . -type f
Find all the hidden files:
find . -type f -name ".*"
Find all the hidden directories:
find . -type d -name ".*"
List files sorted by modification time, oldest first, to compare
their timestamps before searching:
ls -lrt
Find files in the current directory and sub-directories whose
content got updated within the last 1 hour (60 minutes):
find . -mmin -60

Find all the files (under the root file system /) that got updated
within the last 24 hours (1 day):
find / -mtime -1
Find files in the current directory and sub-directories which got
accessed within the last 1 hour (60 minutes):
find . -amin -60
Find all the files (under the root file system /) that got accessed
within the last 24 hours (1 day):
find / -atime -1
Find files in the current directory and sub-directories whose
status (inode) changed within the last 1 hour (60 minutes):
find . -cmin -60
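
The -mtime and -mmin arguments in the FIND COMMAND section and in the
list above share one piece of arithmetic that trips people up: find
turns a file's age into whole days (or minutes), drops the fraction,
and only then compares, so "-mtime 1" means 24 to 48 hours old and
"-mtime +1" means older than 48 hours. The following added example
(not part of the notes) reproduces that rule in code and checks it
against constructed files whose timestamps are set back by 1, 30 and
60 hours. The function names are this example's own.

```python
"""Reproduce find(1)'s -mtime / -mmin age arithmetic.

Added example, not part of the original notes. Ages are converted to
whole units with the fraction discarded, then compared as
'N' (exactly N), '-N' (less than N) or '+N' (more than N).
"""
import os
import tempfile
import time

DAY = 86400
MINUTE = 60


def age_units(age_seconds, unit_seconds):
    """Whole units of age, fraction discarded (find's default rounding)."""
    return int(age_seconds // unit_seconds)


def matches_spec(age_seconds, spec, unit_seconds=DAY):
    """Evaluate a find-style numeric argument such as '0', '-1' or '+1'."""
    units = age_units(age_seconds, unit_seconds)
    if spec.startswith("+"):
        return units > int(spec[1:])
    if spec.startswith("-"):
        return units < int(spec[1:])
    return units == int(spec)


def select_by_mtime(paths, spec, now=None, unit_seconds=DAY):
    """Filter real paths the way 'find -mtime SPEC' (or -mmin) would."""
    now = time.time() if now is None else now
    return [p for p in paths
            if matches_spec(now - os.stat(p).st_mtime, spec, unit_seconds)]


def demo():
    """Create constructed files with back-dated mtimes and bucket them."""
    now = time.time()
    tmp = tempfile.mkdtemp()
    ages_hours = {"fresh": 1, "yesterday": 30, "old": 60}
    paths = []
    for name, hours in ages_hours.items():
        p = os.path.join(tmp, name)
        open(p, "w").close()
        stamp = now - hours * 3600
        os.utime(p, (stamp, stamp))   # set atime and mtime into the past
        paths.append(p)
    return {spec: sorted(os.path.basename(p) for p in select_by_mtime(paths, spec, now))
            for spec in ("0", "-1", "1", "+1")}


if __name__ == "__main__":
    for spec, names in demo().items():
        print("find . -mtime %-3s -> %s" % (spec, names))
```

Note that "-mtime 0" and "-mtime -1" select the same files (age under
24 hours), exactly as the notes say, and that a file 30 hours old is
found by neither of them.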

MYSQL - LINUX
Note: giving the password on the command line (-ptmppassword, as in
the examples below) exposes it to other local users through the
process list and to shell history; "-p" with no value makes
mysqladmin prompt for it instead.
How to change the MySQL root user password?
mysqladmin -u root -ptmppassword password 'newpassword'
How to check whether the MySQL server is up and running?
mysqladmin -u root -p ping
How do I find out what version of MySQL I am running?
mysqladmin -u root -ptmppassword version
What is the current status of the MySQL server?
mysqladmin -u root -ptmppassword status
How to view all the MySQL server status variables and their current
values?
mysqladmin -u root -ptmppassword extended-status
How to display all MySQL server system variables and their values?
mysqladmin -u root -ptmppassword variables
How to display all the running processes/queries in the MySQL server?
mysqladmin -u root -ptmppassword processlist
How to create a MySQL database?
mysqladmin -u root -ptmppassword create testdb
How to delete/drop an existing MySQL database?
mysqladmin -u root -ptmppassword drop testdb
How to reload/refresh the privilege or grant tables?
mysqladmin -u root -ptmppassword reload
The refresh command will flush all the tables and close/reopen log
files.
mysqladmin -u root -ptmppassword refresh
What is the safe method to shut down the MySQL server?
mysqladmin -u root -ptmppassword shutdown
List of all mysqladmin flush commands.
mysqladmin -u root -ptmppassword flush-hosts
mysqladmin -u root -ptmppassword flush-logs
mysqladmin -u root -ptmppassword flush-privileges
mysqladmin -u root -ptmppassword flush-status
mysqladmin -u root -ptmppassword flush-tables
mysqladmin -u root -ptmppassword flush-threads
How to kill a hanging MySQL client process?
First find its Id in the process list, then kill that Id:
mysqladmin -u root -ptmppassword processlist
mysqladmin -u root -ptmppassword kill <id>
How to start and stop MySQL replication on a slave server?
mysqladmin -u root -ptmppassword stop-slave
mysqladmin -u root -ptmppassword start-slave
How to combine multiple mysqladmin commands together?
mysqladmin -u root -ptmppassword process status version
DNS (DOMAIN NAME SERVICE) IN LINUX
DNS (Domain Name System) is the service which translates between
Internet names and Internet addresses. Internet names are the names
which we use to refer to hosts on the Internet, such as
www.debianhelp.co.uk. Internet addresses are the numbers which
routers use to move traffic across the Internet, such as
211.1.13.115 and
What are DNS Records?
DNS records or zone files are used for mapping URLs to IPs. Located
on servers called the DNS servers, these records are typically the
connection of your website with the outside world. Requests for your
website are forwarded to your DNS servers and then get pointed to the
web servers that serve the website or to email servers that handle
the incoming email.
Different Types of DNS Records With Syntax and Examples:
Types of DNS Records:
- A
- AAAA
- CNAME
- MX
- PTR
- NS
- SOA
- SRV
- TXT
- NAPTR
The above DNS records are the ones most used in DNS configurations.
Now we will see each one with examples.

A Record: An A record or address record.
Address Record, assigns an IP address to a domain or subdomain name.
When the domain name system was designed it was recommended that no
two A records refer to the same IP address.
Suppose you have the somedomain.tld domain and want to assign the
10.10.0.1 IP address to your web server; then you should create an A
record with "www.somedomain.tld" as the Fully Qualified Domain Name
and "10.10.0.1" in the value field.
From now on, all the requests for www.somedomain.tld will be sent to
a server with that IP.
Basically it is useful to use an A record when you have subdomains
residing on various systems.
Useful tip: you might use a "*.somedomain.tld" A record to allow
WHATEVER.somedomain.tld to be resolved to your IP, though a wildcard
CNAME record is often better than a wildcard A record.
Example of A Record with Syntax:
example.com. IN A 69.9.64.11
Where:
IN indicates Internet.
A indicates the Address record.
The above example indicates that the IP address for the domain
example.com is 69.9.64.11.

AAAA Record: An AAAA record or IPv6 address record maps a hostname
to a 128-bit IPv6 address.
The regular DNS Address resource record is defined for a 32-bit IPv4
address, so a new one was created to allow a domain name to be
associated with a 128-bit IPv6 address. The four "A"s ("AAAA") are a
mnemonic to indicate that the IPv6 address is four times the size of
the IPv4 address. The AAAA record is structured in very much the
same way as the A record in both binary and master file formats; it
is just much larger. The DNS resource record Type value for AAAA is
28.
Example of AAAA Record with Syntax:
The AAAA record is to help transition and coexistence between IPv4
and IPv6 networks. An IPv4 nameserver can provide IPv6 addresses:
linux IN AAAA 3ffe:1900:4545:2:02d0:09ff:fef7:6d2c

CNAME Record:
A CNAME record or canonical name record makes one domain name an
alias of another. The aliased domain gets all the subdomains and DNS
records of the original.
You should use a CNAME record whenever you want to associate a new
subdomain with an already existing A record; i.e. you can make
"www.somedomain.tld" an alias of "somedomain.tld", which should
already have been assigned an IP with an A record.
This allows you to have as many subdomains as you wish without
having to specify the IP for every record. Use a CNAME if you have
more services pointing to the same IP. This way you will have to
update only one record in the event of a change of IP address.
Example of a CNAME record: "stuff.everybox.com CNAME
www.everybox.com" where 'www.everybox.com' is an A record listing an
IP address, and 'stuff.everybox.com' points to 'www.everybox.com'.
It will NOT allow you to forward a domain to a specific web page. Use
a webhop for that. Port numbers can be changed with webhops, as
well; CNAMEs cannot change the HTTP default of 80 to any other port
number.
Do not use CNAME-defined hostnames in MX records; for example,
pointing an MX record at the alias below is not recommended.
Example of CNAME with syntax:
mail.example.com IN CNAME mail.example.net
where
IN indicates Internet
CNAME indicates the CNAME record.

MX Record
An MX record or mail exchange record maps a domain name to a list of
mail exchange servers for that domain.
Example with MX Record Syntax - Single mail server
mydomain.com. 14400 IN MX 0 mydomain.com.

The MX record shows that all emails @ mydomain.com should be routed
to the mail server at mydomain.com. The A record for mydomain.com
(not shown here) says that mydomain.com is located at 26.34.9.14.
This means that email meant for test@mydomain.com will be routed to
the email server at 26.34.9.14. This finishes the task of the MX
record. The email server on that host then takes over, collects the
email and then proceeds to distribute it to the user "test".
It is important that there be a dot (".") after the domain name in
the MX record. If the dot is absent, it routes to
"mydomain.com.mydomain.com". The number 0 indicates the Preference
number. Mail is always routed to the server which has the lowest
Preference number. If there is only one mail server, it is safe to
mark it 0.

Using Multiple mail servers:
If you want to use multiple mail servers you have to use MX record
preferences. The MX record preference values indicate which mail
server to use and in which order to try them when they fail or don't
respond. A larger preference number is less preferred. Thus, a mail
exchanger with a preference of zero (0) is always preferred over all
other mail exchangers. Setting preference values to equal numbers
makes mail servers equally preferred.

Example with MX Record Syntax - Multiple mail servers (note the
trailing dot on both targets, as explained above)
mydomain.com. 14400 IN MX 0 mydomain.com.
mydomain.com. 14400 IN MX 30 server2.mydomain.com.

You can have unlimited MX entries for fallback or backup purposes. If
all the MX records have equal Preference numbers, the client simply
attempts all equal Preference servers in random order, and then goes
to the MX record with the next highest Preference number.

PTR Record
A PTR record or pointer record maps an IPv4 address to the canonical
name for that host. Setting up a PTR record for a hostname in the
in-addr.arpa domain that corresponds to an IP address implements
reverse DNS lookup for that address. For example www.name.net has
the IP address 122.0.3.16, but a PTR record maps
16.3.0.122.in-addr.arpa.

Example of PTR Record with syntax
16.3.0.122.in-addr.arpa. IN PTR www.name.net.

Here, as you see, the IP address is reversed and suffixed with
in-addr.arpa, and this has come to the left side while the actual
host name has gone to the right side of IN PTR.
This is mostly used as a security and anti-spam measure wherein
most of the web servers or the email servers do a reverse DNS lookup
to check if the host is actually coming from where it claims to come
from. It is always advisable to have a proper reverse DNS record
(PTR) set up for your servers, especially when you are running a
mail / SMTP server.

NS Record
An NS record or name server record maps a domain name to a list of
DNS servers authoritative for that domain. Delegations depend on NS
records.
The NS (Name Server) record indicates the authoritative name servers
for a particular domain. The NS records of the authoritative name
server for any given domain will be listed on the parent server.
These are called the Delegation Records, as these records on the
parent server indicate the delegation of the domain to the
authoritative servers.
The NS record will also be listed in the zone records of the
authoritative name server itself. These records are called the
Authoritative Records.
The NS records found on the parent server should match the NS
records on the authoritative server as well. However, you can have
NS records listed on the authoritative server that are not listed in
the parent server. This arrangement is normally used to configure
Stealth Name Servers.
Example of NS Record with syntax
example.com. IN NS ns1.live.secure.com.
where
IN indicates the Internet
NS indicates the type of record, which is a Name Server record
The above indicates that ns1.live.secure.com is the
authoritative server for the domain example.com

SOA Record
An SOA record or start of authority record specifies the DNS server
providing authoritative information about an Internet domain, the
email of the domain administrator, the domain serial number, and
several timers relating to refreshing the zone.
An SOA (Start of Authority) record is the most essential part of a
zone file. The SOA record is a way for the domain administrator to
give out simple information about the domain like how often it is
updated, when it was last updated, when to check back for more info,
what the admin's email address is and so on. A zone file can contain
only one SOA record.
A properly optimized and updated SOA record can reduce bandwidth
between nameservers, increase the speed of website access and ensure
the site is alive even when the primary DNS server is down.

Example of SOA Record with syntax
Here is the SOA record. Notice the opening bracket "(". It has to be
on the same line as the SOA fields, otherwise the record gets broken.
The closing bracket ")" must come before any ";" comment on its
line, because everything from ";" to the end of the line is ignored.
; name TTL class rr Nameserver email-address
mydomain.com. 14400 IN SOA ns.mynameserver.com. root.ns.mynameserver.com. (
2004123001 ; Serial number
86000 ; Refresh rate in seconds
7200 ; Update Retry in seconds
3600000 ; Expiry in seconds
600 ) ; minimum in seconds
WHERE:
name - mydomain.com is the main name in this zone.
TTL - 14400 - TTL defines the duration in seconds that the record
may be cached by client side programs. If it is set to 0, it
indicates that the record should not be cached. The range is defined
to be between 0 and 2147483647 (close to 68 years!).
Class - IN - The class shows the type of record. IN equates to
Internet. Other options are all historic. So as long as your DNS is
on the Internet or an intranet, you must use IN.
Nameserver - ns.mynameserver.com. - The nameserver is the server
which holds the zone files. It can be an external server, in which
case the entire domain name must be specified followed by a dot. In
case it is defined in this zone file, then it can be written as
"ns".
Email address - root.ns.mynameserver.com. - This is the email of the
domain name administrator. Now, this is really confusing, because
people expect an @ to be in an email address. However in this case,
email is sent to root@ns.mynameserver.com, but written as
root.ns.mynameserver.com. And yes, remember to put the dot after the
domain name.
Serial number - 2004123001 - This is a sort of revision numbering
system to show the changes made to the DNS zone. This number has to
increment whenever any change is made to the zone file. The standard
convention is to use the date of update as YYYYMMDDnn, where nn is a
revision number in case more than one update is done in a day. So
the first update done on 30 December 2004 would be 2004123001 (as in
the example record) and the second update that day would be
2004123002.
Refresh - 86000 - This is the time (in seconds) after which the slave
DNS server will refresh from the master. This value represents how
often a secondary will poll the primary server to see if the serial
number for the zone has increased (so it knows to request a new copy
of the data for the zone). It can be written as "23h88M" indicating
23 hours and 88 minutes. If you have a regular Internet server, you
can keep it between 6 and 24 hours.
Retry - 7200 - Now assume that a slave tried to contact the master
server and failed because it was down. The Retry value (time in
seconds) tells it when to try again. This value is not very
important and can be a fraction of the refresh value.
Expiry - 3600000 - This is the time (in seconds) that a slave server
will keep a cached zone file as valid if it can't contact the primary
server. If this value were set to, say, 2 weeks (in seconds), what it
means is that a slave would still be able to give out domain
information from its cached zone file for 2 weeks, without anyone
knowing the difference. The recommended value is between 2 and 4
weeks.
Minimum - 600 - This is the default time (in seconds) that the slave
servers should cache the zone file. This is the most important time
field in the SOA record. If your DNS information keeps changing, keep
it down to a day or less. Otherwise, if your DNS record doesn't
change regularly, step it up to between 1 and 5 days. The benefit of
keeping this value high is that your website speeds increase
drastically as a result of reduced lookups. Caching servers around
the globe would cache your records and this improves site
performance.
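
The SOA layout and the serial-number convention above lend themselves
to a small checker. The following is an added example (not part of
these notes): it parses the multi-line parenthesised SOA form, strips
";" comments before looking for the closing ")" (so a record written as
"600 ; minimum in seconds )" is rejected rather than silently
accepted), converts the rname field to an e-mail address, validates
that a YYYYMMDDnn serial is a real date, computes the next serial for a
given day, and checks that a new serial actually counts as "larger"
under the RFC 1982 wrap-around arithmetic secondaries use. The sample
record is a constructed copy of the one in the notes; function names
are this example's own.

```python
"""Parse a zone-file SOA record and validate serial-number changes.

Added example, not part of the original notes.
"""
import re
from datetime import date

# Constructed sample, same shape as the record in the notes.
SAMPLE_SOA = """; name TTL class rr Nameserver email-address
mydomain.com. 14400 IN SOA ns.mynameserver.com. root.ns.mynameserver.com. (
    2004123001 ; Serial number
    86000      ; Refresh rate in seconds
    7200       ; Update Retry in seconds
    3600000    ; Expiry in seconds
    600 )      ; minimum in seconds
"""
# The same record with the ')' placed after the comment marker, which
# hides it from the parser (and from a real name server).
BROKEN_SOA = SAMPLE_SOA.replace("600 )      ; minimum in seconds",
                                "600        ; minimum in seconds )")

SOA_RE = re.compile(r"(\S+)\s+(\d+)\s+IN\s+SOA\s+(\S+)\s+(\S+)\s*\((.*?)\)",
                    re.S)


def strip_comments(text):
    """Drop everything from ';' to end of line (zone-file comment syntax)."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def parse_soa(text):
    """Return a dict of SOA fields; raise if the parentheses never close."""
    m = SOA_RE.search(strip_comments(text))
    if m is None:
        raise ValueError("no complete SOA record (unbalanced parentheses?)")
    nums = m.group(5).split()
    if len(nums) != 5:
        raise ValueError("expected 5 numeric fields, got %d" % len(nums))
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    return {"name": m.group(1), "ttl": int(m.group(2)), "mname": m.group(3),
            "rname": m.group(4), "serial": serial, "refresh": refresh,
            "retry": retry, "expire": expire, "minimum": minimum}


def soa_parses(text):
    """True if parse_soa() accepts the text, False if it raises."""
    try:
        parse_soa(text)
        return True
    except ValueError:
        return False


def rname_to_email(rname):
    """root.ns.mynameserver.com. -> root@ns.mynameserver.com"""
    first, rest = rname.rstrip(".").split(".", 1)
    return "%s@%s" % (first, rest)


def is_date_serial(serial):
    """True if serial looks like YYYYMMDDnn with a real calendar date."""
    s = str(serial)
    if len(s) != 10:
        return False
    try:
        date(int(s[:4]), int(s[4:6]), int(s[6:8]))
    except ValueError:
        return False
    return True


def next_serial(old, year, month, day):
    """Next YYYYMMDDnn serial: today's date with nn=01, or old+1 if old
    already carries today's date (second update the same day)."""
    base = int("%04d%02d%02d01" % (year, month, day))
    return old + 1 if old >= base else base


def serial_increased(old, new):
    """Secondaries transfer only when new is 'greater' in RFC 1982
    serial arithmetic: the 32-bit difference is in (0, 2**31)."""
    return 0 < ((new - old) % (1 << 32)) < (1 << 31)


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(soa["serial"], rname_to_email(soa["rname"]), soa["minimum"])
    print("broken record parses:", soa_parses(BROKEN_SOA))
    print("next serial on 2004-12-30:", next_serial(soa["serial"], 2004, 12, 30))
```
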
SRV Record
The theory behind SRV is that given a known domain name, e.g. example.com, and a given service, e.g. web (http), which in this case runs over TCP, a DNS query may be issued to find the host name(s) that provide that service on behalf of the domain, and those hosts may or may not lie within the domain.
Example of SRV Record with syntax

srvce.prot.name ttl class rr pri weight port target
_http._tcp.example.com. IN SRV 0 5 80 www.example.com.
srvce -:
Defines the symbolic service name (see the IANA service-names/port-numbers registry) prepended with a '_' (underscore). Case insensitive. Common values are:
_http - web service
_ftp - file transfer service
_ldap - LDAP service
prot -:
Defines the protocol name prepended with a '_' (underscore). Case insensitive. Common values are:
_tcp - TCP protocol
_udp - UDP protocol
name -:
The domain the service is offered for (RFC 2782 describes this field in terms that are hard to follow). Leaving the entry blank (without a dot) will substitute the current zone root (the $ORIGIN), or you can write it out explicitly as in _http._tcp.example.com. above (with a trailing dot).
ttl -:
Standard TTL parameter. It is omitted in the example above, so the zone's $TTL applies.
pri -:
The relative priority of this service (range 0 - 65535). Lowest is highest priority: a client must try every target at the lowest priority value before falling back to the next one.
weight -:
Used when more than one record has the same priority. A 16-bit unsigned integer in the range 0 - 65535. The value 0 indicates no weighting should be applied. If the weight is 1 or greater it is a relative number in which the highest is most frequently selected, i.e. given two SRV records both with priority = 0, one with weight = 1 and the other with weight = 6, a client should pick the weight-6 target first about 6 times out of 7. Note that this selection is done by the client, using the algorithm in RFC 2782; the name server simply returns the whole RRset.
port -:
Normally the port number assigned to the symbolic service, but this is not a requirement: it is permissible to define a _http service with a port number of 8100 rather than the usual port 80.
target -:
The name of the host that will provide this service. It must be a host name with A/AAAA records (RFC 2782 does not allow it to be a CNAME) and it does not have to be in the same zone (domain). A target of "." means the service is explicitly not available for that domain.
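As an added example that is not part of the original page, the following Python implements the client side of RFC 2782 described above: it parses a few constructed SRV records (the host names, weights and ports are made up), sorts them by priority, performs the weighted random pick within each priority exactly as the RFC specifies (zero-weight records first, then a running sum against a random number), and treats a lone target of "." as "service not offered".

```python
import random
import re
from collections import defaultdict

# Constructed sample zone fragment (not real hosts): two equal-priority web
# servers weighted 5:1, a lower-priority fallback on a non-standard port,
# an LDAP service with one target, and an FTP service explicitly withdrawn.
SAMPLE_SRV_ZONE = """
; owner                  ttl  class type pri weight port target
_http._tcp.example.com. 3600 IN    SRV  0   5      80   www1.example.com.
_http._tcp.example.com. 3600 IN    SRV  0   1      80   www2.example.com.
_http._tcp.example.com. 3600 IN    SRV  10  0      8100 backup.example.com.
_ldap._tcp.example.com.      IN    SRV  0   0      389  ldap.example.com.
_ftp._tcp.example.com.       IN    SRV  0   0      21   .
"""

SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<pri>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$")


def parse_srv(zone_text):
    """Map each _service._proto.name owner to a list of (priority, weight, port, target)."""
    rrsets = defaultdict(list)
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = SRV_RE.match(line)
        if not m:
            raise ValueError("not an SRV record: %r" % line)
        target = m["target"].lower()
        if target != ".":                              # "." is the RFC 2782 "not available" marker
            target = target.rstrip(".")
        rrsets[m["owner"].lower()].append(
            (int(m["pri"]), int(m["weight"]), int(m["port"]), target))
    return dict(rrsets)


def select_targets(rrs, rng=random):
    """RFC 2782 client-side ordering: ascending priority, then weighted random
    selection within each priority. Returns [(host, port), ...] in the order a
    client should try them, or [] when the service is explicitly unavailable."""
    if len(rrs) == 1 and rrs[0][3] == ".":
        return []
    ordered = []
    by_priority = defaultdict(list)
    for rr in rrs:
        by_priority[rr[0]].append(rr)
    for priority in sorted(by_priority):
        pool = sorted(by_priority[priority], key=lambda rr: rr[1] != 0)   # weight-0 RRs first
        while pool:
            total = sum(rr[1] for rr in pool)
            pick = rng.randint(0, total)               # 0..total inclusive, per the RFC
            running = 0
            for i, rr in enumerate(pool):
                running += rr[1]
                if running >= pick:                    # first RR whose running sum reaches pick
                    ordered.append((rr[3], rr[2]))
                    del pool[i]
                    break
    return ordered


def resolve_service(zone_text, service, proto, domain, seed=None):
    """Order the targets of _service._proto.domain; seed makes the pick reproducible."""
    rng = random if seed is None else random.Random(seed)
    name = "_%s._%s.%s." % (service, proto, domain.rstrip("."))
    return select_targets(parse_srv(zone_text).get(name.lower(), []), rng)


def first_choice_counts(zone_text, service, proto, domain, trials=600, seed=7):
    """How often each target is tried first over many selections (shows the weights at work)."""
    rng = random.Random(seed)
    name = "_%s._%s.%s." % (service, proto, domain.rstrip("."))
    rrs = parse_srv(zone_text).get(name.lower(), [])
    counts = defaultdict(int)
    for _ in range(trials):
        counts[select_targets(rrs, rng)[0][0]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(resolve_service(SAMPLE_SRV_ZONE, "http", "tcp", "example.com"))
    print(first_choice_counts(SAMPLE_SRV_ZONE, "http", "tcp", "example.com"))
```

With weights 5 and 1 the running-sum pick lands on www1 for six of the seven possible random values, which is the "6 times out of 7" figure in the weight description above; the priority-10 backup is only ever tried after both priority-0 hosts.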

TXT Record -:
A TXT record allows an administrator to insert arbitrary text into a DNS record. For example, this record type is used to publish Sender Policy Framework (SPF) policies.
Example of TXT Record with syntax
SPF domains have to publish at least two directives: a version identifier and a default mechanism.
mydomain.com. TXT "v=spf1 -all"
This is the simplest possible SPF record: it means your domain mydomain.com never sends mail. "-all" is a hard fail for anything not listed; "~all" (softfail) is the usual choice while a policy is being rolled out, and "?all" makes the record say nothing at all.
It makes sense to publish "v=spf1 -all" when a domain is only used for web services and doesn't do email, so that nobody can forge mail from it.
If your MX servers send mail, designate them.

mydomain.com. TXT "v=spf1 mx -all"

Let's pretend mydomain.com has two MX servers, mx01 and mx02. They would both be allowed to send mail from mydomain.com.
If other machines in the domain also send mail, designate them.

mydomain.com. TXT "v=spf1 mx ptr -all"

This designates all the hosts whose PTR hostname matches mydomain.com. Note that the ptr mechanism is deprecated by RFC 7208 (it is slow, depends on reverse DNS you may not control, and some receivers ignore it); prefer listing addresses explicitly with ip4:/ip6: or using a.
If any other machines not in the domain also send mail from that domain, designate them.

mydomain.com. TXT "v=spf1 a:mydomain.com mx ptr -all"

mydomain.com's IP address doesn't show up in its list of MX servers, so we add an "a" mechanism to the directive set to match it.

mydomain.com. TXT "v=spf1 a mx ptr -all"

This is shorthand for the same thing: a and mx without an argument refer to the domain being checked.
Each of your mail servers should have an SPF record also. When your mail servers create a bounce message, they will send it using a blank envelope sender: <>. When an SPF MTA sees a blank envelope sender, it will perform the lookup using the HELO domain name instead. These records take care of that scenario.
amx.mail.net. TXT "v=spf1 a -all"
mx.mail.net. TXT "v=spf1 a -all"
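An added example, not from the original page: a minimal SPF evaluator in Python covering the mechanisms used above (a, mx, ip4 and all with the +, -, ~ and ? qualifiers) against a constructed in-memory DNS table, including the bounce case where the null sender <> makes the HELO name the checked domain. Every name, address and record below is made up; ptr is deliberately left unimplemented because RFC 7208 deprecates it, and include/redirect/exists/ip6 are out of scope here.

```python
import ipaddress

# Constructed stand-in for DNS (no real hosts). Keys are (owner name, rrtype).
FAKE_DNS = {
    ("mydomain.com", "TXT"): ["v=spf1 a mx -all"],
    ("mydomain.com", "A"): ["192.0.2.10"],
    ("mydomain.com", "MX"): ["mx01.mydomain.com", "mx02.mydomain.com"],
    ("mx01.mydomain.com", "A"): ["192.0.2.25"],
    ("mx02.mydomain.com", "A"): ["192.0.2.26"],
    ("mx01.mydomain.com", "TXT"): ["v=spf1 a -all"],     # per-MX record, used for bounces
    ("webonly.example", "TXT"): ["v=spf1 -all"],          # domain that never sends mail
    ("rollout.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    return FAKE_DNS.get((name.lower().rstrip("."), rrtype), [])


def host_has_addr(name, addr):
    return any(ipaddress.ip_address(a) == addr for a in lookup(name, "A"))


def check_host(ip, envelope_from, helo):
    """Subset of RFC 7208 check_host(): returns pass/fail/softfail/neutral/none.
    ip is the connecting client's address, envelope_from the MAIL FROM address
    ("" for a bounce), helo the name given in HELO/EHLO."""
    if envelope_from:
        domain = envelope_from.rsplit("@", 1)[-1]
    else:
        domain = helo          # null sender <>: RFC 7208 checks postmaster@<HELO domain>
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1 ")]
    if len(records) != 1:
        return "none"          # no record (more than one is a permerror in the full RFC)
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return RESULT[qualifier]
        if mech == "ip4":
            matched = addr.version == 4 and addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_has_addr(arg or domain, addr)
        elif mech == "mx":
            matched = any(host_has_addr(mx, addr) for mx in lookup(arg or domain, "MX"))
        else:
            return "none"      # include, redirect, exists, ip6, ptr (deprecated): not modelled
        if matched:
            return RESULT[qualifier]
    return "neutral"           # ran off the end of the record without a match: RFC 7208 default


if __name__ == "__main__":
    print(check_host("192.0.2.25", "alice@mydomain.com", "mx01.mydomain.com"))  # pass via mx
    print(check_host("203.0.113.5", "alice@mydomain.com", "mx01.mydomain.com"))  # fail
    print(check_host("192.0.2.25", "", "mx02.mydomain.com"))                     # none: no record on mx02
```

The last call shows why the text says each mail server needs its own record: a bounce from mx02, which has no TXT record, cannot be authenticated at all, while the same bounce from mx01 passes on its "v=spf1 a -all".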

NAPTR Record
NAPTR records (NAPTR stands for "Naming Authority Pointer", RFC 3403) are a newer type of DNS record that support regular-expression-based rewriting. The fields are order, preference, flags, service, regexp and replacement. NAPTR is the DNS half of the DDDS (Dynamic Delegation Discovery System) framework, and ENUM uses it to map E.164 telephone numbers onto URIs.

Example of NAPTR Record with syntax

$ORIGIN 3.8.0.0.6.9.2.3.6.1.4.4.e164.arpa.
NAPTR 10 100 "u" "E2U+sip" "!^.*$!sip:info@example.com!" .
NAPTR 10 101 "u" "E2U+h323" "!^.*$!h323:info@example.com!" .
NAPTR 10 102 "u" "E2U+msg" "!^.*$!mailto:info@example.com!" .

This record set maps the phone number +441632960083 (written with its digits reversed, dotted, and placed under e164.arpa) onto three possible identically ordered URIs, with a preference for SIP, then H.323, and finally email (equal order, lower preference value wins). In each case, the regular expression matches the full AUS (^.*$; the Application Unique String, here the phone number) and replaces it with a URI (e.g., sip:info@example.com). As the "u" flag marks this a terminal record, this URI is returned to the client. Though most NAPTR records replace the full AUS, it is possible for the regular expression to back-reference part of the AUS, to grab an extension number, say:

$ORIGIN 0.6.9.2.3.6.1.4.4.e164.arpa.
* NAPTR 10 100 "u" "E2U+sip" "!^\+441632960(.*)$!sip:\1@example.com!" .

Here the wildcard owner name "*" matches any number under +441632960, the "+" is escaped because it is a regex metacharacter, and \1 carries the captured extension into the URI. Once the client has the URI it must be resolved using DNS, but this is no longer part of the DDDS algorithm.
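An added example that is not part of the original page: the ENUM lookup described above carried out in Python, from the E.164 number to its e164.arpa name, through a simplified wildcard match, to the "!regex!replacement!" substitution with a back-reference. The NAPTR data is a constructed in-memory copy in the shape of the records above, not a live zone, and the rewrite is only applied for the enumservice the caller asked about, since a resolver should never execute a regexp from a record for a service it did not request.

```python
import re

# Constructed NAPTR data in the shape of the records above (not a live zone).
# Tuples: (order, preference, flags, service, regexp, replacement).
FAKE_NAPTR = {
    "3.8.0.0.6.9.2.3.6.1.4.4.e164.arpa.": [
        (10, 100, "u", "E2U+sip", "!^.*$!sip:info@example.com!", "."),
        (10, 101, "u", "E2U+h323", "!^.*$!h323:info@example.com!", "."),
        (10, 102, "u", "E2U+msg", "!^.*$!mailto:info@example.com!", "."),
    ],
    "*.0.6.9.2.3.6.1.4.4.e164.arpa.": [
        (10, 100, "u", "E2U+sip", r"!^\+441632960(.*)$!sip:\1@example.com!", "."),
    ],
}


def e164_to_enum(number):
    """RFC 6116: reverse the digits of +441632960083 and append e164.arpa."""
    digits = number.lstrip("+")
    if not digits.isdigit():
        raise ValueError("not an E.164 number: %r" % number)
    return ".".join(reversed(digits)) + ".e164.arpa."


def find_naptr(name):
    """Exact owner first, then the nearest wildcard ancestor (a simplification of RFC 4592)."""
    if name in FAKE_NAPTR:
        return FAKE_NAPTR[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in FAKE_NAPTR:
            return FAKE_NAPTR[candidate]
    return []


def apply_regexp(rule, aus):
    """Apply an RFC 3402 substitution "<delim>regex<delim>replacement<delim>flags"
    to the application unique string; returns None if the regex does not match."""
    delim = rule[0]
    parts = rule[1:].split(delim)
    if len(parts) != 3:
        raise ValueError("malformed regexp field: %r" % rule)
    regex, replacement, flags = parts
    m = re.match(regex, aus, re.IGNORECASE if "i" in flags else 0)
    return m.expand(replacement) if m else None    # \1..\9 back-references are honoured by expand()


def resolve_enum(number, enumservice):
    """Return the URI for an E.164 number and enumservice (e.g. "sip"), or None."""
    rrs = sorted(find_naptr(e164_to_enum(number)), key=lambda r: (r[0], r[1]))
    for _order, _pref, flags, service, regexp, _replacement in rrs:
        if enumservice.lower() not in service.lower().split("+")[1:]:
            continue                                # only rules for the requested service
        uri = apply_regexp(regexp, number)
        if uri is not None and "u" in flags.lower():
            return uri                              # "u": terminal rule, the result is a URI
    return None


if __name__ == "__main__":
    print(e164_to_enum("+441632960083"))
    print(resolve_enum("+441632960083", "sip"))
    print(resolve_enum("+441632960123", "sip"))    # served by the wildcard rule
```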

wildcard DNS record

A wildcard DNS record (one whose owner name begins with the label "*", e.g. *.example.com.) is a record in a DNS zone file that will match requests for non-existent names below it, i.e. names for which there are no records at all. It does not match a name that already exists (even if that name only has records of other types), nor names beneath an existing name; the exact rules are in RFC 4592.

Frequently Asked Questions about BIND 9

Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?

A: Linux threads do not fully implement the Posix threads (pthreads) standard.
In particular, setuid() operates only on the current thread, not the full process. Because of this limitation, BIND 9 cannot use setuid() on Linux as it can on all other supported platforms. setuid() cannot be called before creating threads, since the server does not start listening on reserved ports until after threads have started.
In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve capabilities across a setuid() call is present. This allows BIND 9 to call setuid() early, while retaining the ability to bind reserved ports. This is a Linux-specific hack.

On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less of a security risk than a root process that has not dropped privileges.
If Linux threads ever work correctly, this restriction will go away.
Configuring BIND 9 with the --disable-threads option (the default) causes a non-threaded version to be built, which will allow -u to be used.

Q: Why do I get the following errors:

general: errno2result.c:109: unexpected error:
general: unable to convert errno to isc_result: 14: Bad address
client: UDP client handler shutting down due to fatal receive error: unexpected error

A: This is the result of a Linux kernel bug.
See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2

Q: Why does named log the warning message "no TTL specified - using SOA MINTTL instead"?

A: Your zone file is illegal according to RFC 1035. It must either have a line like
$TTL 86400
at the beginning, or the first record in it must have a TTL field, like the "86400" in this example:
example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )

Q: Why do I see 5 (or more) copies of named on Linux?

A: Linux threads each show up as a process under ps. The approximate number of threads running is n+4, where n is the number of CPUs. Note that the amount of memory used is not cumulative; if each process is using 10M of memory, only a total of 10M is used.

Newer versions of Linux's ps command hide the individual threads and require -L to display them.

Q: Why does BIND 9 log "permission denied" errors accessing its configuration files or zones on my Linux system even though it is running as root?

A: On Linux, BIND 9 drops most of its root privileges on startup. This includes the privilege to open files owned by other users. Therefore, if the server is running as root, the configuration files and zone files should also be owned by root.

Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar: ran out of space"?

A: This is often caused by TXT records with missing close quotes. Check that all TXT records containing quoted strings have both open and close quotes.

Q: How do I produce a usable core file from a multi-threaded named on Linux?

A: If the Linux kernel is 2.4.7 or newer, multi-threaded core dumps are usable (that is, the correct thread is dumped). Otherwise, if using a 2.2 kernel, apply the kernel patch found in contrib/linux/coredump-patch and rebuild the kernel. This patch will cause multi-threaded programs to dump the correct thread.

Q: How do I restrict people from looking up the server version?

A: Put a "version" option containing something other than the real version in the "options" section of named.conf. Note that doing this will not prevent attacks and may impede people trying to diagnose problems with your server.
Also it is possible to "fingerprint" nameservers to determine their version from their behaviour, so treat hiding the version string as cosmetic rather than as a security control; patching promptly is what actually matters.

Q: How do I restrict only remote users from looking up the server version?

A: The following view statement will intercept lookups, as the internal view that holds the version information will be matched last. The caveats of the previous answer still apply, of course.

view "chaos" chaos {
    match-clients { <those to be refused>; };
    allow-query { none; };
    zone "." {
        type hint;
        file "/dev/null"; // or any empty file
    };
};
Q: What do "no source of entropy found" or "could not open entropy source foo" mean?

A: The server requires a source of entropy to perform certain operations, mostly DNSSEC related. These messages indicate that you have no source of entropy. On systems with /dev/random or an equivalent, it is used by default. A source of entropy can also be defined using the random-device option in named.conf.

Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why?

A: BIND 9 is installed under /usr/local by default. BIND 8 is often installed under /usr. Check that the correct named is running.

Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers. I'm sure I have the keys set up correctly, but the server is rejecting the TSIG. Why?

A: This may be a clock skew problem. A TSIG signature carries the signing time and is rejected if it is outside the "fudge" window, 300 seconds by default. Check that the clocks on the client and server are properly synchronised (e.g., using ntp).

Q: I'm trying to compile BIND 9, and "make" is failing due to files not being found. Why?

A: Using a parallel or distributed "make" to build BIND 9 is not supported, and doesn't work. If you are using one of these, use normal make or gmake instead.

Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging error messages like "notify to 10.0.0.1#53 failed: unexpected end of input". What's wrong?

A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in BIND 8.2.4. It can be safely ignored - the notify has been acted on by the slave despite the error message.

Q: I keep getting log messages like the following. Why?

Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)

A: DNS updates allow the update request to test whether certain conditions are met prior to proceeding with the update. The message above is saying that the conditions were not met and the update is not proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites.

Q: I keep getting log messages like the following. Why?

Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied

A: Someone is trying to update your DNS data using the RFC 2136 Dynamic Update protocol. Windows 2000 machines have a habit of sending dynamic update requests to DNS servers without being specifically configured to do so. If the update requests are coming from a Windows 2000 machine, see http://support.microsoft.com/support/kb/articles/q246/8/04.asp for information about how to turn them off. If they are coming from anywhere else, the message is your evidence that allow-update is doing its job; keep it locked to a TSIG key or to nothing at all.

Q: I see a log message like the following. Why?

couldn't open pid file '/var/run/named.pid': Permission denied

A: You are most likely running named as a non-root user, and that user does not have permission to write in /var/run. The common ways of fixing this are to create a /var/run/named directory owned by the named user and set pid-file to "/var/run/named/named.pid", or set pid-file to "named.pid", which will put the file in the directory specified by the directory option (which, in this case, must be writable by the named user).
Q: When I do a "dig . ns", many of the A records for the root servers
are missing. Why?

A: This is normal and harmless. It is a somewhat confusing side effect of the way BIND 9 does RFC 2181 trust ranking and of the efforts BIND 9 makes to avoid promoting glue into answers.
When BIND 9 first starts up and primes its cache, it receives the
root server addresses as additional data in an authoritative response
from a root server, and these records are eligible for inclusion as
additional data in responses. Subsequently it receives a subset of
the root server addresses as additional data in a non-authoritative
(referral) response from a root server. This causes the addresses to
now be considered non-authoritative (glue) data, which is not
eligible for inclusion in responses.

The server does have a complete set of root server addresses cached
at all times, it just may not include all of them as additional data,
depending on whether they were last received as answers or as glue.
You can always look up the addresses with explicit queries like "dig
a.root-servers.net A".

Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why?

A: This may be caused by a bug in the Windows 2000 DNS server where
DNS messages larger than 16K are not handled properly. This can be
worked around by setting the option "transfer-format one-answer;".
Also check whether your zone contains domain names with embedded
spaces or other special characters, like
"John\032Doe\213s\032Computer", since such names have been known to
cause Windows 2000 slaves to incorrectly reject the zone.

Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?

A: A zone can be updated either by editing zone files and reloading
the server or by dynamic update, but not both. If you have enabled
dynamic update for a zone using the "allow-update" option, you are
not supposed to edit the zone file by hand, and the server will not
attempt to reload it.

Q: I can query the nameserver from the nameserver but not from other machines. Why?

A: This is usually the result of the firewall configuration stopping the queries and/or the replies. Both UDP and TCP port 53 need to reach the server: TCP is used for zone transfers and for any answer too large for UDP, so allowing only UDP gives a server that "mostly works".

Q: How can I make a server a slave for both an internal and an external view at the same time? When I tried, both views on the slave were transferred from the same view on the master.

A: You will need to give the master and slave multiple IP addresses
and use those to make sure you reach the correct view on the other
machine.
Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
internal:
match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
notify-source 10.0.1.1;
transfer-source 10.0.1.1;
query-source address 10.0.1.1;
external:
match-clients { any; };
recursion no; // don't offer recursion to the world
notify-source 10.0.1.2;
transfer-source 10.0.1.2;
query-source address 10.0.1.2;

Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
internal:
match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
notify-source 10.0.1.3;
transfer-source 10.0.1.3;
query-source address 10.0.1.3;
external:
match-clients { any; };
recursion no; // don't offer recursion to the world
notify-source 10.0.1.4;
transfer-source 10.0.1.4;
query-source address 10.0.1.4;

You put the external address on the alias so that all the other dns
clients on these boxes see the internal view by default.

A: BIND 9.3 and later: Use TSIG to select the appropriate view. The key statements below use hmac-md5 as the original FAQ did; on current BIND versions generate new keys with hmac-sha256, and keep the secret out of a world-readable named.conf by putting the key statement in a separate, mode 0640 file that named.conf includes.
Master 10.0.1.1:
key "external" {
algorithm hmac-md5;
secret "xxxxxxxx";
};
view "internal" {
match-clients { !key external; 10.0.1/24; };
...
};
view "external" {
match-clients { key external; any; };
server 10.0.1.2 { keys external; };
recursion no;
...
};

Slave 10.0.1.2:
key "external" {
algorithm hmac-md5;
secret "xxxxxxxx";
};
view "internal" {
match-clients { !key external; 10.0.1/24; };
...
};
view "external" {
match-clients { key external; any; };
server 10.0.1.1 { keys external; };
recursion no;
...
};

Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.

A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use certain interrupts as a source of random events. You can make this permanent by setting rand_irqs in /etc/rc.conf.

/etc/rc.conf
rand_irqs="3 14 15"

Q: Why is named listening on a UDP port other than 53?

A: Named uses a system-selected port to make queries of other nameservers. This behaviour can be overridden by using query-source to lock down the port and/or address. See also notify-source and transfer-source. Be aware that pinning the query source to a single fixed port removes the randomisation that makes spoofed-answer (cache poisoning) attacks expensive, because the attacker no longer has to guess the port; only do it if a firewall rule genuinely forces your hand, and then only on the address, not the port.

Q: I get error messages like "multiple RRs of singleton type" and "CNAME and other data" when transferring a zone. What does this mean?

A: These indicate a malformed master zone. You can identify the exact records involved by transferring the zone using dig, then running named-checkzone on it.

dig axfr example.com @master-server > tmp
named-checkzone example.com tmp

A CNAME record cannot exist with the same name as another record, except for the DNSSEC records that sign it and prove its existence (RRSIG and NSEC/NSEC3). "Singleton type" means a type of which only one record may exist at a name, so two CNAMEs at the same name is the other common form of this error.

RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. This rule also insures that a cached CNAME can be used without checking with an authoritative server for other RR types."
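An added example, not from the original FAQ or from BIND: a small Python zone-file reader that reports the three errors discussed in this FAQ, the "no TTL specified" warning from the earlier question (no $TTL and no per-record TTL), and the "CNAME and other data" and "multiple RRs of singleton type" errors from this one. It also reports an indented record that has no preceding owner name to inherit ("no owner", which the FAQ covers further down). The zone files are constructed for the demonstration; the parser handles one record per line with optional TTL and class and parentheses on a single line, which is all these cases need, and is not a replacement for named-checkzone.

```python
from collections import defaultdict

# Constructed zone files (not from any real deployment).
BROKEN_ZONE = """\
$ORIGIN example.com.
@        IN SOA   ns hostmaster ( 1 3600 1800 1814400 3600 )
         IN NS    ns
ns       IN A     192.0.2.1
www      IN CNAME ns
www      IN A     192.0.2.2
alias    IN CNAME www
alias    IN CNAME ns
"""

GOOD_ZONE = """\
$TTL 86400
$ORIGIN example.com.
@        IN SOA   ns hostmaster ( 1 3600 1800 1814400 3600 )
         IN NS    ns
ns       IN A     192.0.2.1
www      IN CNAME ns
"""

# The first record is indented, so there is no previous owner name to inherit.
NO_OWNER_ZONE = """\
$ORIGIN example.com.
         IN SOA   ns hostmaster ( 1 3600 1800 1814400 3600 )
"""

CLASSES = {"IN", "CH", "HS"}
CNAME_FRIENDS = {"CNAME", "RRSIG", "NSEC", "NSEC3"}   # RFC 4035 allows these beside a CNAME


def qualify(name, origin):
    """Turn a master-file owner into a fully qualified name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin if origin != "." else name + "."


def parse_zone(text):
    """Minimal master-file reader: one RR per line, $TTL/$ORIGIN, optional TTL
    and class in either order, parentheses on one line. Returns (records, problems)."""
    origin, default_ttl, prev_owner, warned_ttl = ".", None, None, False
    records, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()            # strip comments, keep leading blanks
        if not line.strip():
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if line[0] in " \t":                            # blank owner: inherit the previous one
            if prev_owner is None:
                problems.append("line %d: no owner" % lineno)
                continue
            owner = prev_owner
        else:
            owner = qualify(tokens.pop(0), origin)
        ttl = None
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() in CLASSES:
            tokens.pop(0)
        if ttl is None and tokens and tokens[0].isdigit():   # "IN 3600 A ..." is also legal
            ttl = int(tokens.pop(0))
        if not tokens:
            problems.append("line %d: missing record type" % lineno)
            continue
        if ttl is None and default_ttl is None and not warned_ttl:
            problems.append("line %d: no TTL specified - using SOA MINTTL instead" % lineno)
            warned_ttl = True
        records.append((owner.lower(), ttl if ttl is not None else default_ttl,
                        tokens[0].upper(), " ".join(tokens[1:])))
        prev_owner = owner
    return records, problems


def check_zone(text):
    """Return the list of problems found; an empty list means the zone is clean."""
    records, problems = parse_zone(text)
    types_at = defaultdict(list)
    for owner, _ttl, rtype, _rdata in records:
        types_at[owner].append(rtype)
    for owner, types in sorted(types_at.items()):
        if types.count("CNAME") > 1:
            problems.append("%s: multiple RRs of singleton type" % owner)
        if "CNAME" in types and any(t not in CNAME_FRIENDS for t in types):
            problems.append("%s: CNAME and other data" % owner)
    return problems


if __name__ == "__main__":
    for msg in check_zone(BROKEN_ZONE):
        print(msg)
```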

Q: I get error messages like "named.conf:99: unexpected end of input" where 99 is the last line of named.conf.

A: Some text editors (notepad and wordpad) fail to put a line termination indication (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding" a blank line to the end of the file. Named expects to see EOF immediately after EOL and treats text files where this is not met as truncated.

Q: I get warning messages like "zone example.com/IN: refresh: failure trying master 1.2.3.4#53: timed out".

A: Check that you can make UDP queries from the slave to the master:

dig +norec example.com soa @1.2.3.4

You could be generating queries faster than the slave can cope with. Lower the serial query rate.

serial-query-rate 5; // default 20

Q: How do I share a dynamic zone between multiple views?

A: You choose one view to be master and the second a slave and transfer the zone between views.

Master 10.0.1.1:
key "external" {
    algorithm hmac-md5;
    secret "xxxxxxxx";
};

key "mykey" {
    algorithm hmac-md5;
    secret "yyyyyyyy";
};

view "internal" {
    match-clients { !key external; 10.0.1/24; };
    server 10.0.1.1 {
        /* Deliver notify messages to external view. */
        keys { external; };
    };
    zone "example.com" {
        type master;
        file "internal/example.db";
        allow-update { key mykey; };
        notify-also { 10.0.1.1; };
    };
};

view "external" {
    match-clients { key external; any; };
    zone "example.com" {
        type slave;
        file "external/example.db";
        masters { 10.0.1.1; };
        transfer-source 10.0.1.1;
        // allow-update-forwarding { any; };
        // allow-notify { ... };
    };
};

(In a match-clients list a key must be written as "key <name>"; a bare name is taken as an ACL name. transfer-source takes a single address rather than a braced list.)

Q: I get an error message like "zone wireless.ietf56.ietf.org/IN: loading master file primaries/wireless.ietf56.ietf.org: no owner".

A: This error is produced when a line in the master file contains leading white space (tab/space) but there is no current record owner name to inherit the name from. Usually this is the result of putting white space before a comment, forgetting the "@" for the SOA record, or indenting the master file.

Q: Why are my logs in GMT (UTC)?

A: You are running chrooted (-t) and have not supplied local timezone information in the chroot area.

FreeBSD: /etc/localtime
Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
OSF: /etc/zoneinfo/localtime

See also tzset(3) and zic(8).

Q: I get the error message "named: capset failed: Operation not permitted" when starting named.

A: The capability module, part of "Linux Security Modules/LSM", has not been loaded into the kernel. See insmod(8).

Q: I get "rndc: connect failed: connection refused" when I try to run rndc.

A: This is usually a configuration error.

First ensure that named is running and no errors are being reported at startup (/var/log/messages or equivalent). Running "named -g" from a terminal can help at this point.

Secondly ensure that named is configured to use rndc either by "rndc-confgen -a", rndc-confgen or manually. The Administrator's Reference Manual has details on how to do this.

Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/rndc.conf for the default server. Update /etc/rndc.conf if necessary so that the default server listed in /etc/rndc.conf matches the addresses used in named.conf. "localhost" has two addresses (127.0.0.1 and ::1).

If you use "rndc-confgen -a" and named is running with -t or -u, ensure that /etc/rndc.conf has the correct ownership and that a copy is in the chroot area. You can do this by re-running "rndc-confgen -a" with appropriate -t and -u arguments.

Q: I don't get RRSIG's returned when I use "dig +dnssec".

A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).

Q: I get "Error 1067" when starting named under Windows.

A: This is the service manager saying that named exited. You need to
examine the Application log in the EventViewer to find out why.

Common causes are that you failed to create "named.conf" (usually "C:\windows\dns\etc\named.conf") or failed to specify the directory in named.conf.

options {
    Directory "C:\windows\dns\etc";
};

Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while receiving responses: permission denied" error messages.

A: These indicate a filesystem permission error preventing named creating / renaming the temporary file. These will usually also have other associated error messages like
"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"

Named needs write permission on the directory containing the file, not just on the file itself, because a rename creates a new directory entry.
Named writes the new zone file to a temporary file then renames it to the name specified in named.conf to ensure that the contents are always complete. This is to prevent named loading a partial zone in the event of a power failure or similar interrupting the write of the master file.

Note that file names are relative to the directory specified in options and any chroot directory ([<chroot dir>/][<directory>]).

If named is invoked as "named -t /chroot/DNS" with the following named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the user named is running as.

options {
    directory "/var/named";
};

zone "example.net" {
    type slave;
    file "sl/example.net";
    masters { 192.168.4.12; };
};

Q: How do I integrate BIND 9 and Solaris SMF

A: Sun has a blog entry describing how to do this.

http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris

Q: Can a NS record refer to a CNAME?

A: No. The rules for glue (copies of the *address* records in the parent zones) and additional section processing do not allow it to work.

You would have to add both the CNAME and address records (A/AAAA) as glue to the parent zone and have CNAMEs be followed when doing additional section processing to make it work. No nameserver implementation supports either of these requirements.

Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean?

A: If the IN-ADDR.ARPA name covered refers to an internal address space you are using then you have failed to follow RFC 1918 usage rules and are leaking queries to the Internet. You should establish your own zones for these addresses to prevent you querying the Internet's name servers for these addresses. Please see http://as112.net/ for details of the problems you are causing and the counter measures that have had to be deployed.

If you are not using these private addresses then a client has queried for them. You can just ignore the messages, get the offending client to stop sending you these queries as it is most probably leaking them, or set up your own empty zones to serve answers to these queries.

zone "10.IN-ADDR.ARPA" {
    type master;
    file "empty";
};

zone "16.172.IN-ADDR.ARPA" {
    type master;
    file "empty";
};

...

zone "31.172.IN-ADDR.ARPA" {
    type master;
    file "empty";
};

zone "168.192.IN-ADDR.ARPA" {
    type master;
    file "empty";
};

empty:
@ 10800 IN SOA . . (
    1 3600 1200 604800 10800 )
@ 10800 IN NS .

Note: Future versions of named are likely to do this automatically. BIND 9.4 and later do: the RFC 1918 reverse zones are served as built-in empty zones unless turned off with empty-zones-enable or excluded individually with disable-empty-zone, and a locally defined zone for the same name always takes precedence.

Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core.
Why can't named update slave zone database files?
Why can't named create DDNS journal files or update the master zones from journals?
Why can't named create custom log files?

A: Red Hat Security Enhanced Linux (SELinux) policy security protections:

Red Hat have adopted the National Security Agency's SELinux security policy (see http://www.nsa.gov/selinux) and recommendations for BIND security, which are more secure than running named in a chroot and make use of the bind-chroot environment unnecessary.
By default, named is not allowed by the SELinux policy to write, create or delete any files EXCEPT in these directories:

$ROOTDIR/var/named/slaves
$ROOTDIR/var/named/data
$ROOTDIR/var/tmp

where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is installed.

The SELinux policy particularly does NOT allow named to modify the $ROOTDIR/var/named directory, the default location for master zone database files.

SELinux policy overrules file access permissions - so even if all the files under /var/named have ownership named:named and mode rw-rw-r--, named will still not be able to write or create files except in the directories above, with SELinux in Enforcing mode.

So, to allow named to update slave or DDNS zone files, it is best to locate them in $ROOTDIR/var/named/slaves, with named.conf zone statements such as:

zone "slave.zone." IN {
    type slave;
    file "slaves/slave.zone.db";
    ...
};
zone "ddns.zone." IN {
    type master;
    allow-update {...};
    file "slaves/ddns.zone.db";
};

To allow named to create its cache dump and statistics files, for example, you could use named.conf options statements such as:

options {
    ...
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    ...
};

You can also tell SELinux to allow named to update any zone database files, by setting the SELinux tunable boolean parameter 'named_write_master_zones=1', using the system-config-securitylevel GUI, using the 'setsebool' command, or in /etc/selinux/targeted/booleans.
You can disable SELinux protection for named entirely by setting the 'named_disable_trans=1' SELinux tunable boolean parameter. That removes the confinement which limits what a compromised named can read or write, so prefer the narrower boolean, or relabel just the directories you need, as described next.

The SELinux named policy defines these SELinux contexts for named:

named_zone_t : for zone database files - $ROOTDIR/var/named/*
named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}

If you want to retain use of the SELinux policy for named, and put named files in different locations, you can do so by changing the context of the custom file locations.

To create a custom configuration file location, e.g. '/root/named.conf', to use with the 'named -c' option, do:

# chcon system_u:object_r:named_conf_t /root/named.conf

To create a custom modifiable named data location, e.g. '/var/log/named' for a log file, do:

# chcon system_u:object_r:named_cache_t /var/log/named

To create a custom zone file location, e.g. /root/zones/, do:

# chcon system_u:object_r:named_zone_t /root/zones/{.,*}

Labels set with chcon do not survive a filesystem relabel; to make a custom location permanent, record the mapping with semanage fcontext and apply it with restorecon.

See these man-pages for more information: selinux(8), named_selinux(8), chcon(1), setsebool(8)

Q: I want to forward all DNS queries from my caching nameserver to another server. But there are some domains which have to be served locally, via rbldnsd. How do I achieve this?

A:
options {
    forward only;
    forwarders { <ip-address>; };
};

zone "sbl-xbl.spamhaus.org" {
    type forward; forward only;
    forwarders { <ip-address> port 530; };
};

zone "list.dsbl.org" {
    type forward; forward only;
    forwarders { <ip-address> port 530; };
};

Each per-zone forward statement overrides the global forwarders for that name and everything below it, so queries for the two blocklist zones go to the local rbldnsd on port 530 while everything else follows the options-level forwarders.

Q: Will named be affected by the 2007 changes to daylight savings rules in the US?

A: No, so long as the machine's internal clock (as reported by "date -u") remains at UTC. The only visible change if you fail to upgrade your OS, if you are in an affected area, will be that log messages will be an hour out during the period where the old rules do not match the new rules.

For most OS's this change just means that you need to update the conversion rules from UTC to local time. Normally this involves updating a file in /etc (which sets the default timezone for the machine) and possibly a directory which has all the conversion rules for the world (e.g. /usr/share/zoneinfo).
When updating the OS do not forget to update any chroot areas as well. See your OS's documentation for more details.

The local timezone conversion rules can also be set on an individual basis by setting the TZ environment variable appropriately. See your OS's documentation for more details.

Q: Why do we get the following warning at run time:

kernel: process `named' is using obsolete setsockopt SO_BSDCOMPAT

A: The early Linux kernels broke sendto() by having it return that an ICMP unreachable had been received for non-connected UDP sockets. This made non-connected UDP sockets work like connected UDP sockets, which is fine when you are only talking to one destination. Named however talks to multiple destinations and it caused problems.
Rather than fix sendto() to just have BSD behaviour they added SO_BSDCOMPAT to turn BSD behaviour on/off on a per-socket basis.
Later they decided to make BSD behaviour the default and to aggressively track down applications that used SO_BSDCOMPAT by issuing a warning. This is the sort of thing vendors do in alpha/beta stages of a release so that their code is clean. They then turn the warning *off* for release code.
We still have customers that have kernels that require SO_BSDCOMPAT to operate. We therefore cannot remove the setsockopt(SO_BSDCOMPAT) call.
Now most/all portable applications that use SO_BSDCOMPAT use it in a conditional manner, so just removing SO_BSDCOMPAT from the header file would be safe as long as the binary was not to be moved between systems.
BIND's use is conditional.
In short, the Linux developers should either remove the #define for SO_BSDCOMPAT, and/or remove the warning.

Q: Isn't "make install" supposed to generate a default named.conf?

A: Short Answer: No.

Long Answer: There really isn't a default configuration which fits any site perfectly. There are lots of decisions that need to be made and there is no consensus on what the defaults should be. For example FreeBSD uses /etc/namedb as the location where the configuration files for named are stored. Others use /var/named.
IPTABLES IN LINUX -:
Blocking a site from the local system -:
iptables -A INPUT -s google.com -j DROP
iptables -A OUTPUT -d google.com -j DROP
Note that iptables resolves the host name only once, when the rule is inserted, and adds one rule per address that the lookup returned; a site with many or changing addresses is not fully blocked this way, and the rules have to be re-added when its addresses change. Host names in rules are therefore a convenience for a quick test, not a reliable block.
Unblocking the site -:
Appending ACCEPT rules after the DROP rules does not unblock anything, because iptables stops at the first rule that matches and the DROP rules still come first. Delete the DROP rules instead (the -D form must repeat the original rule exactly):
iptables -D OUTPUT -d google.com -j DROP
iptables -D INPUT -s google.com -j DROP

Q. PC boot & Linux booting sequence process in Linux?
- BIOS: The Basic Input/Output System is the lowest level interface between the computer and peripherals.
- The BIOS performs integrity checks on memory and seeks instructions in the Master Boot Record (MBR) on the floppy drive or hard drive.
- The MBR points to the boot loader (GRUB or LILO: Linux boot loader).
- The boot loader (GRUB or LILO) will then ask for the OS label, which identifies which kernel to run and where it is located (hard drive and partition specified). The installation process requires the creation/identification of partitions and where to install the OS. GRUB/LILO are also configured during this process. The boot loader then loads the Linux kernel, together with the initrd image if one is configured.
- See the YoLinux tutorial on creating a boot disk for more information on GRUB and LILO and also to learn how to put the MBR and boot loader on a floppy for system recovery.
- The first thing the kernel does, once it has mounted the root file system, is to execute the init program as PID 1. Init is the root/parent of all processes executing on Linux. (The steps below describe SysV init as used by the Red Hat releases of that time; on current distributions PID 1 is systemd and the rc scripts are replaced by unit files, but the stages are the same.)
- The first process that init starts is the script /etc/rc.d/rc.sysinit.
- Based on the appropriate run-level, scripts are executed to start various processes to run the system and make it functional.

The Linux init processes:
- Run /sbin/initlog
- Run devfs to generate/manage system devices
- Run network scripts: /etc/sysconfig/network
- Start graphical boot (if so configured): rhgb
- Start console terminals, load keymap, system fonts and print console greeting: mingetty, setsysfonts. The various virtual console sessions can be viewed with the key-stroke ctrl-alt-F1 through F6. F7 is reserved for the GUI screen invoked in run level 5.
- Mount /proc and start device controllers.
- Done with boot configuration for root drive (initrd). Unmount root drive.
- Re-mount root file system as read/write
- Direct kernel to load kernel parameters and modules: sysctl, depmod, modprobe
- Set up clock: /etc/sysconfig/clock
- Perform disk operations based on fsck configuration
- Check/mount/check/enable quotas on non-root file systems: fsck, mount, quotacheck, quotaon
- Initialize logical volume management: vgscan, /etc/lvmtab
- Activate syslog, write to log files: dmesg
- Configure sound: sndconfig
- Activate PAM
- Activate swapping: swapon
- Local system boot processes can be placed in the file /etc/rc.d/rc.local. It runs as root on every boot, so it must stay root-owned and not group- or world-writable, or anyone who can edit it owns the machine at the next reboot.
- The system will then boot to the runlevel set by the initdefault directive in /etc/inittab.

RAID -:

RAID LEVEL 0 -: RAID Level 0 requires a minimum of 2 drives to implement.

Characteristics & Advantages -:
• RAID 0 implements a striped disk array; the data is broken down into blocks and each block is written to a separate disk drive
• I/O performance is greatly improved by spreading the I/O load across many channels and drives
• Best performance is achieved when data is striped across multiple controllers with only one drive per controller
• No parity calculation overhead is involved
• Very simple design
• Easy to implement
Disadvantages :-
• Not a "True" RAID because it is NOT fault-tolerant
• The failure of just one drive will result in all data in an array being lost
• Should never be used in mission critical environments
Recommended Applications -:
• Video Production and Editing
• Image Editing
• Pre-Press Applications
• Any application requiring high bandwidth

RAID LEVEL 1 -: For highest performance, the controller must be able to perform two concurrent separate Reads per mirrored pair or two duplicate Writes per mirrored pair.
RAID Level 1 requires a minimum of 2 drives to implement
Characteristics & Advantages -:
• One Write or two Reads possible per mirrored pair
• Twice the Read transaction rate of single disks, same Write transaction rate as single disks
• 100% redundancy of data means no rebuild is necessary in case of a disk failure, just a copy to the replacement disk
• Transfer rate per block is equal to that of a single disk
• Under certain circumstances, RAID 1 can sustain multiple simultaneous drive failures
• Simplest RAID storage subsystem design.

Disadvantages :-
• Highest disk overhead of all RAID types (100%) - inefficient
• Typically the RAID function is done by system software, loading the CPU/Server and possibly degrading throughput at high activity levels. Hardware implementation is strongly recommended
• May not support hot swap of failed disk when implemented in "software"
Recommended Applications -:
• Accounting
• Payroll
• Financial
• Any application requiring very high availability

RAID LEVEL 2 -: Each bit of a data word is written to a data disk drive (4 in this example: 0 to 3). Each data word has its Hamming Code ECC word recorded on the ECC disks. On Read, the ECC code verifies correct data or corrects single disk errors.

Characteristics & Advantages -:
• "On the fly" data error correction
• Extremely high data transfer rates possible
• The higher the data transfer rate required, the better the ratio of data disks to ECC disks
• Relatively simple controller design compared to RAID levels 3, 4 & 5.
Disadvantages :-
• Very high ratio of ECC disks to data disks with smaller word sizes - inefficient.
• Entry level cost very high - requires a very high transfer rate requirement to justify
• Transaction rate is equal to that of a single disk at best (with spindle synchronization)
• No commercial implementations exist / not commercially viable.

 
RAID LEVEL 3 -: The data block is subdivided ("striped") and written on the data disks. Stripe parity is generated on Writes, recorded on the parity disk and checked on Reads.
RAID Level 3 requires a minimum of 3 drives to implement
Characteristics & Advantages -:
• Very high Read data transfer rate.
• Very high Write data transfer rate
• Disk failure has an insignificant impact on throughput.
• Low ratio of ECC (Parity) disks to data disks means high efficiency.

Disadvantages :-
• Transaction rate equal to that of a single disk drive at best (if spindles are synchronized)
• Controller design is fairly complex
• Very difficult and resource intensive to do as a "software" RAID

Recommended Applications -:
• Video Production and live streaming
• Image Editing
• Video Editing
• Prepress Applications
• Any application requiring high throughput

 
RAID LEVEL 4 -: Each entire block is written onto a data disk. Parity for same rank blocks is generated on Writes, recorded on the parity disk and checked on Reads.
RAID Level 4 requires a minimum of 3 drives to implement
Characteristics & Advantages -:
• Very high Read data transaction rate.
• Low ratio of ECC (Parity) disks to data disks means high efficiency.
• High aggregate Read transfer rate.

Disadvantages :-
• Quite complex controller design
• Worst Write transaction rate and Write aggregate transfer rate
• Difficult and inefficient data rebuild in the event of disk failure
• Block Read transfer rate equal to that of a single disk

 
RAID LEVEL 5 -: Each entire data block is written on a data disk; parity for blocks in the same rank is generated on Writes, recorded in a distributed location and checked on Reads.
RAID Level 5 requires a minimum of 3 drives to implement

Characteristics & Advantages -:
• Highest Read data transaction rate
• Medium Write data transaction rate
• Low ratio of ECC (Parity) disks to data disks means high efficiency
• Good aggregate transfer rate

Disadvantages :-
• Disk failure has a medium impact on throughput
• Most complex controller design
• Difficult to rebuild in the event of a disk failure (as compared to RAID level 1)
• Individual block data transfer rate same as single disk

 
RAID LEVEL 6 -: Two independent parity computations must be used in order to provide protection against double disk failure. Two different algorithms are employed to achieve this purpose.
RAID Level 6 requires a minimum of 4 drives to implement
Characteristics & Advantages -:
• RAID 6 is essentially an extension of RAID level 5 which allows for additional fault tolerance by using a second independent distributed parity scheme (dual parity)
• Data is striped on a block level across a set of drives, just like in RAID 5, and a second set of parity is calculated and written across all the drives; RAID 6 provides for an extremely high data fault tolerance and can sustain multiple simultaneous drive failures
• RAID 6 protects against multiple bad block failures while non-degraded
• RAID 6 protects against a single bad block failure while operating in a degraded mode
• Perfect solution for mission critical applications

Disadvantages :-
• More complex controller design
• Controller overhead to compute parity addresses is extremely high
• Write performance can be brought on par with RAID Level 5 by using a custom ASIC for computing Reed-Solomon parity
• Requires N+2 drives to implement because of the dual parity scheme
Recommended Applications -:
• File and Application servers
• Database servers
• Web and E-mail servers
• Intranet servers
• Excellent fault-tolerance with the lowest overhead

RAID LEVEL 10 -: RAID Level 10 requires a minimum of 4 drives to implement
Characteristics & Advantages -:
• RAID 10 is implemented as a striped array whose segments are RAID 1 arrays
• RAID 10 has the same fault tolerance as RAID level 1
• RAID 10 has the same overhead for fault-tolerance as mirroring alone
• High I/O rates are achieved by striping RAID 1 segments
• Under certain circumstances, a RAID 10 array can sustain multiple simultaneous drive failures
• Excellent solution for sites that would have otherwise gone with RAID 1 but need some additional performance boost.
Disadvantages :-
• Very expensive / High overhead
• All drives must move in parallel to the proper track, lowering sustained performance
• Very limited scalability at a very high inherent cost
Recommended Applications -:
• Database server requiring high performance and fault tolerance.
 
RAID LEVEL 50 -: RAID Level 50 requires a minimum of 6 drives to implement.
Characteristics & Advantages -:
• RAID 50 should have been called "RAID 03" because it was implemented as a striped (RAID level 0) array whose segments were RAID 3 arrays (during the mid-90s)
• Most current RAID 50 implementation is illustrated above
• RAID 50 is more fault tolerant than RAID 5 but has twice the parity overhead
• High data transfer rates are achieved thanks to its RAID 5 array segments
• High I/O rates for small requests are achieved thanks to its RAID 0 striping
• Maybe a good solution for sites who would have otherwise gone with RAID 5 but need some additional performance boost.

Disadvantages :-
• Very expensive to implement
• All disk spindles must be synchronized, which limits the choice of drives
• Failure of two drives in one of the RAID 5 segments renders the whole array unusable.

 
RAID LEVEL 0+1 -: RAID Level 0+1 requires a minimum of 4 drives to implement.
Characteristics & Advantages -:
• RAID 0+1 is implemented as a mirrored array whose segments are RAID 0 arrays
• RAID 0+1 has the same fault tolerance as RAID level 5
• RAID 0+1 has the same overhead for fault-tolerance as mirroring alone
• High I/O rates are achieved thanks to multiple stripe segments
• Excellent solution for sites that need high performance but are not concerned with achieving maximum reliability

Disadvantages -:
• RAID 0+1 is NOT to be confused with RAID 10. A single drive failure will cause the whole array to become, in essence, a RAID Level 0 array.
• Very expensive / High overhead
• All drives must move in parallel to the proper track, lowering sustained performance
• Very limited scalability at a very high inherent cost.

Recommended Applications -:
• Imaging applications
• General fileserver
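Added example, not from the original notes: the block-level XOR parity that the RAID 3/4/5 descriptions above rely on, with RAID 5's rotated (distributed) parity placement and the rebuild of one failed disk from the survivors. The rotation layout, disk count, block size and sample data are assumptions of this example.

```python
"""Added example (not from the original notes): XOR stripe parity as used by
RAID 3/4/5, with RAID 5's rotated parity placement and a single-disk rebuild.
Layout, disk count, block size and data are constructed for illustration."""


def parity_disk_for_stripe(stripe: int, n_disks: int) -> int:
    """RAID 5 rotates the parity block: stripe 0 keeps parity on the last
    disk, stripe 1 on the one before it, and so on (an assumed layout)."""
    return (n_disks - 1 - stripe) % n_disks


def xor_blocks(blocks) -> bytes:
    """XOR equal-length byte blocks together; this is the whole parity maths."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def write_stripes(data: bytes, n_disks: int, block_size: int):
    """Lay data out over n_disks: each stripe holds n_disks-1 data blocks plus
    one parity block. Returns a list of disks, each a list of blocks."""
    per_stripe = (n_disks - 1) * block_size
    if len(data) % per_stripe:            # pad the tail stripe with zeros
        data += b"\x00" * (per_stripe - len(data) % per_stripe)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        data_blocks = [chunk[i * block_size:(i + 1) * block_size]
                       for i in range(n_disks - 1)]
        parity = xor_blocks(data_blocks)
        p_disk = parity_disk_for_stripe(s, n_disks)
        pending = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == p_disk else next(pending))
    return disks


def rebuild_disk(disks, failed: int):
    """Recover the failed disk: in every stripe the missing block, data or
    parity alike, is the XOR of the surviving blocks of that stripe."""
    survivors = [disk for i, disk in enumerate(disks) if i != failed]
    return [xor_blocks([disk[s] for disk in survivors])
            for s in range(len(survivors[0]))]


def read_data(disks) -> bytes:
    """Reassemble the data stream, skipping each stripe's parity block."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p_disk = parity_disk_for_stripe(s, n_disks)
        out += b"".join(disks[d][s] for d in range(n_disks) if d != p_disk)
    return bytes(out)


def survives_single_failure(data: bytes, n_disks: int = 4, block_size: int = 4) -> bool:
    """Fail each disk in turn, rebuild it from the others and check the data
    reads back unchanged (the one-disk failure the RAID 5 text describes)."""
    disks = write_stripes(data, n_disks, block_size)
    for failed in range(n_disks):
        damaged = list(disks)
        damaged[failed] = None                 # simulate the dead drive
        damaged[failed] = rebuild_disk(damaged, failed)
        if read_data(damaged).rstrip(b"\x00") != data:
            return False
    return True


if __name__ == "__main__":
    print(survives_single_failure(b"RAID5 parity demo"))   # True
```

Losing a second disk in the same stripe leaves one unknown block too many for a single XOR equation, which is why RAID 6 (next section) adds an independent second parity.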
 
RAID CONFIGURATION IN LINUX -:
You use the mdadm command with the --create option to create the RAID set. In this example we use the --level option to specify RAID 5, and the --raid-devices option to define the number of partitions to use.

     mdadm --create --verbose /dev/md0 --level=5 \
        --raid-devices=3 /dev/hde1 /dev/hdf2 /dev/hdg1

Format the new raid set -:

mkfs.ext3 /dev/md0

Create the mdadm.conf Configuration File

Your system doesn't automatically remember all the component partitions of your RAID set. This information has to be kept in the mdadm.conf file. The formatting can be tricky, but fortunately the output of the mdadm --detail --scan --verbose command provides you with it. Here we see the output sent to the screen.

mdadm --detail --scan --verbose

Here we redirect the screen output to create the configuration file.

mdadm --detail --scan --verbose > /etc/mdadm.conf

Create A Mount Point For The RAID Set

The next step is to create a mount point for /dev/md0. In this case we'll create one called /mnt/raid
mkdir /mnt/raid

Edit The /etc/fstab File
The /etc/fstab file lists all the partitions that need to be mounted when the system boots. Add an entry for the RAID set, the /dev/md0 device.
/dev/md0      /mnt/raid     ext3    defaults    1 2

Check The Status Of The New RAID
raidstart /dev/md0
Check the array out -:
mdadm --detail /dev/mdx
lsraid -a /dev/mdx
With raidsetfaulty you can simulate a drive failure without unplugging anything:
raidsetfaulty /dev/md1 /dev/sdc2
This fails the disk /dev/sdc2 of the array /dev/md1. If you are using mdadm, just type
mdadm --manage --set-faulty /dev/md1 /dev/sdc2
A fresh utility in the newest raidtools is lsraid. Try it with
lsraid -a /dev/md1
Users of mdadm can run the command
mdadm --detail /dev/md1
Remove the failed disk from the array. Run the command
raidhotremove /dev/md1 /dev/sdc2
Users of mdadm can run the command
mdadm /dev/md1 -r /dev/sdc2
Add the disk back to the array. Run the command
raidhotadd /dev/md1 /dev/sdc2
Users of mdadm can run the command
mdadm /dev/md1 -a /dev/sdc2
Query: check the RAID hard disk :-
mdadm --query --detail /dev/md0
Query: add the new hard disk :-
mdadm --manage /dev/md0 --add /dev/sdb3
Query: remove the hard disk :-
mdadm --manage /dev/md0 --remove /dev/sdb3
Query: mark the hard disk as failed :-
mdadm --manage /dev/md0 --fail /dev/sdb3
Query: check the status :-
cat /proc/mdstat
Query: check the partitions :-
cat /proc/partitions
Query: swapping the boot process to both hard disks :-
bootlist -m normal -0
dd if=/dev/sda1 of=/dev/sdb1
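Added example, not from the original notes: a parser for the /proc/mdstat text that the "check the status" step reads, turning it into a monitoring verdict so a failed or rebuilding member is noticed rather than discovered at the next disk failure. The SAMPLE_MDSTAT text is constructed, and the exit-code convention (0 OK, 1 WARNING, 2 CRITICAL) follows the Nagios plugin convention.

```python
"""Added example (not from the original notes): parse /proc/mdstat and give a
Nagios-style verdict (0 OK, 1 WARNING while rebuilding, 2 CRITICAL when any
array is degraded). SAMPLE_MDSTAT is a constructed sample."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_MDSTAT = """\
Personalities : [raid1] [raid5]
md0 : active raid5 hde1[0] hdf2[1] hdg1[2]
      2097024 blocks level 5, 64k chunk, algorithm 2 [3/3] [UUU]

md1 : active raid1 sdc2[1](F) sdb2[0]
      1048512 blocks [2/1] [U_]

md2 : active raid5 sda3[0] sdb3[1] sdd3[4] sdc3[3]
      3145728 blocks level 5, 64k chunk, algorithm 2 [4/3] [UUU_]
      [==>..................]  recovery = 12.6% (396800/3145728) finish=2.3min speed=19840K/sec
"""

ARRAY_RE = re.compile(r"^(md\d+)\s*:\s*(\S+)\s+(\S+)\s+(.*)$")   # md1 : active raid1 ...
MEMBER_RE = re.compile(r"(\S+?)\[\d+\](\([A-Z]\))?")               # sdc2[1](F)
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\]\s+\[([U_]+)\]")            # [2/1] [U_]
PROGRESS_RE = re.compile(r"(recovery|resync|reshape|check)\s*=\s*([\d.]+)%")


@dataclass
class MdArray:
    name: str
    level: str
    members: List[str] = field(default_factory=list)
    failed: List[str] = field(default_factory=list)   # members flagged (F)
    total: int = 0        # devices the array should have
    active: int = 0       # devices currently in service
    status: str = ""      # the [UU_] map; "_" marks a missing device
    progress_kind: Optional[str] = None
    progress: Optional[float] = None

    @property
    def degraded(self) -> bool:
        return self.active < self.total or "_" in self.status


def parse_mdstat(text: str) -> List[MdArray]:
    arrays: List[MdArray] = []
    current: Optional[MdArray] = None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, _state, level, rest = m.groups()
            current = MdArray(name=name, level=level)
            for dev, flag in MEMBER_RE.findall(rest):
                current.members.append(dev)
                if flag == "(F)":
                    current.failed.append(dev)
            arrays.append(current)
            continue
        if current is None or not line.strip():
            current = None          # a blank line ends the array's block
            continue
        s = STATUS_RE.search(line)
        if s:
            current.total, current.active = int(s.group(1)), int(s.group(2))
            current.status = s.group(3)
        p = PROGRESS_RE.search(line)
        if p:
            current.progress_kind, current.progress = p.group(1), float(p.group(2))
    return arrays


def check_mdstat(text: str) -> tuple:
    """2 if any array is degraded, 1 if one is still rebuilding/resyncing, else 0."""
    arrays = parse_mdstat(text)
    bad = [a for a in arrays if a.degraded]
    busy = [a for a in arrays if a.progress is not None]
    if bad:
        return 2, "CRITICAL: " + "; ".join(
            f"{a.name} [{a.status}] failed={a.failed}" for a in bad)
    if busy:
        return 1, "WARNING: " + "; ".join(
            f"{a.name} {a.progress_kind} {a.progress}%" for a in busy)
    return 0, f"OK: {len(arrays)} array(s) clean"
```

On a live system feed it `open("/proc/mdstat").read()`; on the sample above md1 (failed member sdc2) and md2 (rebuilding with one slot empty) both count as degraded.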

NMAP USEFUL COMMANDS -:

List all the hosts to be scanned (all IPs in the subnet 192.168.48.0/24)
nmap -sL 192.168.48.0/24
Scan the IP address range looking for open ports 80 and 443
nmap -p80,443 192.168.48.0/24
Scan all hosts between 172.16.0.1 and 172.16.0.254 looking for open TCP ports 80, 8080, 6588 and 800 (the default listening ports for various proxy servers).
nmap -p T:80,8080,6588,800 172.16.0.1/22
Ping scan two hosts in a fast scan.
nmap -sP 192.168.48.24,22
Scan all the hosts in the 192.168.48.1 to 192.168.48.255 range. Sometimes a host-based firewall denies ping requests, and it is difficult to scan such hosts, so host discovery is skipped.
nmap -PN 192.168.48.0/24
Detect the target OS and the services running on it, in fast-scan mode.
nmap -A -F 192.168.48.24,22
Testing IDS/IPS detection with decoy addresses
nmap -sS -D 192.168.10.201,192.168.10.202,192.168.10.203 192.168.10.50
Listing active hosts on the network
nmap -sP -n -oG hostlist 192.168.48.0/24
cut -d " " -f2 hostlist > iplist

NAGIOS INSTALLATION AND CONFIGURATION

Install & Configure Prerequisites

• Install Apache
  yum install httpd php gcc glibc glibc-common gd gd-devel
• Configure Apache to start on boot
  /sbin/chkconfig --levels 345 httpd on
• Configure iptables to allow Apache traffic
  /sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
  /etc/init.d/iptables save
  /etc/init.d/iptables restart

Install & Configure Nagios

• Install Nagios & Plugins
  yum install nagios nagios-plugins nagios-plugins-setuid
• Create the default Nagios web access user & set a password
  htpasswd -c /etc/nagios/htpasswd.users nagiosadmin
• Verify default config files
  nagios -v /etc/nagios/nagios.cfg
• Start Nagios
  /etc/init.d/nagios start
• Start Apache
  /etc/init.d/httpd start

Verify Install
• Try logging into your new Nagios installation by going to http://servername/nagios/ and logging in with nagiosadmin and the password you set.

PASSWORD COMMAND
List the password and its related details for a user -:
Any user can execute the chage command for himself to identify when his password is about to expire.
chage -l root
chage --list root
Set the password expiry date for a user using chage option -M
The root user (system administrator) can set the password expiry date for any user. In the following example, user dhinesh's password is set to expire 10 days from the last password change.
Syntax: # chage -M number-of-days username
chage -M 10 dhinesh
NOTE -: -M will update both the "Password expires" and "Maximum number of days between password change" entries as shown below.

Password expiry warning message during login

By default the number of days of warning before the password expires is set to 7. So, in the above example, when the user dhinesh tries to log in on Apr 30, 2009, he'll get the following message.
ssh abc@192.168.48.24
User forced to change password after expiry date
If the password expiry date is reached and the user doesn't change their password, the system will force the user to change the password before login, as shown below.
ssh dhinesh@testingserver
Set the account expiry date for a user
You can also use the chage command to set the account expiry date, as shown below, using option -E. The date given below is in "YYYY-MM-DD" format. This will update the "Account expires" value as shown below.
chage -E "2010-08-31" abc
Force the user account to be locked after X days of inactivity
Typically, if the password has expired, users are forced to change it during their next login. You can also set an additional condition: after the password has expired, if the user never tries to log in for 10 days, their account is locked automatically, using option -I as shown below. In this example, the "Password inactive" date is set to 10 days after the "Password expires" value.
chage -I 10 abc

How to disable password aging for a user account

To turn off password expiration for a user account, set the following:
-m 0 -> sets the minimum number of days between password changes to 0.
-M 99999 -> sets the maximum number of days between password changes to 99999.
-I -1 -> (number minus one) sets "Password inactive" to never.
-E -1 -> (number minus one) sets "Account expires" to never.
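Added example, not from the original notes: what the chage options above actually change in /etc/shadow, and how the "Password expires", "Password inactive" and "Account expires" dates that chage -l prints, plus the login decision, follow from those fields. The sample shadow line for user dhinesh (and its hash) is constructed, and the date arithmetic mirrors chage/login semantics as understood here (a maximum age of 10000 or more days, such as 99999, is treated as never), which is an assumption of this example.

```python
"""Added example (not from the original notes): the /etc/shadow aging fields
edited by chage -M/-E/-I/-m and the dates chage -l and login derive from them.
The shadow line for user dhinesh is constructed (placeholder hash)."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NEVER_MAX = 10000   # assumption: a max age of 10000+ days (e.g. 99999) means never
FIELDS = ["name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "flag"]
AGING = ("lastchg", "min", "max", "warn", "inactive", "expire")

# Password last changed 2009-04-25, max age 10 days (chage -M 10), 7-day warning.
LASTCHG = (date(2009, 4, 25) - EPOCH).days
SAMPLE_SHADOW_LINE = f"dhinesh:$6$constructedsalt$constructedhash:{LASTCHG}:0:10:7:::"


def parse_shadow_line(line: str) -> dict:
    """Split one shadow entry; an empty aging field is stored as -1 (unset)."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected 9 colon-separated fields")
    entry = dict(zip(FIELDS, parts))
    for key in AGING:
        entry[key] = int(entry[key]) if entry[key] != "" else -1
    return entry


def format_shadow_line(entry: dict) -> str:
    """Inverse of parse_shadow_line: -1 becomes an empty field again."""
    return ":".join("" if k in AGING and entry[k] < 0 else str(entry[k]) for k in FIELDS)


def password_dates(e: dict) -> dict:
    """The dates chage -l prints; None stands for 'never'."""
    never = e["lastchg"] < 0 or e["max"] < 0 or e["max"] >= NEVER_MAX
    expires = None if never else EPOCH + timedelta(days=e["lastchg"] + e["max"])
    inactive = None if expires is None or e["inactive"] < 0 \
        else expires + timedelta(days=e["inactive"])
    return {
        "last_change": None if e["lastchg"] < 0 else EPOCH + timedelta(days=e["lastchg"]),
        "password_expires": expires,
        "password_inactive": inactive,          # -I: account locked after this date
        "account_expires": None if e["expire"] < 0 else EPOCH + timedelta(days=e["expire"]),
    }


def login_status(e: dict, today: date) -> str:
    """What login would do on 'today', in the order the checks apply."""
    d = password_dates(e)
    if d["account_expires"] is not None and today >= d["account_expires"]:
        return "account_expired"          # -E date reached: account locked outright
    if e["lastchg"] == 0:
        return "must_change"              # last change 0: forced change at next login
    if d["password_inactive"] is not None and today > d["password_inactive"]:
        return "locked_inactive"          # expired and not changed within -I days
    if d["password_expires"] is not None and today > d["password_expires"]:
        return "must_change"              # expired: change before the shell starts
    if d["password_expires"] is not None and (d["password_expires"] - today).days <= e["warn"]:
        return "warn"                     # the "password will expire in N days" message
    return "ok"


def disable_aging(e: dict) -> dict:
    """The four settings the notes give for turning aging off:
    -m 0, -M 99999, -I -1, -E -1."""
    return dict(e, min=0, max=99999, inactive=-1, expire=-1)
```

With the sample line, a login on 2009-04-30 lands inside the 7-day warning window and one on 2009-05-06 forces a change, matching the scenario described above.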

The Ultimate Guide for Creating Strong Passwords

When you create an account on a website, you may face the "password dilemma" for a second. The dilemma is whether you should provide a weak password that is easy to remember or a strong password that is hard to remember. Following are the rules and guidelines that may help you overcome the password dilemma and create a strong password that is secure. These are the things I've used over the years based on my own interest in keeping passwords safe and secure.

I. Two essential password rules:

The following two rules are the bare minimum that you should follow while creating a password.

Rule 1 – Password Length: Stick with passwords that are at least 8 characters in length. The more characters in the password the better, as the time taken by an attacker to crack the password will be longer. 10 characters or longer is better.
Rule 2 – Password Complexity: The password should contain at least one character from each of the following groups. At least 4 characters in your password should be one of each of the following.
1. Lower case alphabets
2. Upper case alphabets
3. Numbers
4. Special Characters
I call the above two rules combined the "8 4 Rule" (Eight Four Rule):
• 8 = 8 characters minimum length
• 4 = 1 lower case + 1 upper case + 1 number + 1 special character.
Just following the "8 4 Rule" will be a huge improvement and instantly make your password much stronger than before for most of you who don't follow any guidelines or rules while creating passwords. If your banking and other financially sensitive website passwords don't follow the "8 4 Rule", I strongly suggest that you stop everything now and change those passwords immediately to follow the "8 4 Rule".

II. Guidelines for creating strong passwords:

1. Follow the "8 4 Rule". As I mentioned above, this is the foundation of creating a strong password.
2. Unique Characters. The password should contain at least 5 unique characters. You already have 4 different characters if you've followed the "8 4 Rule".
3. Use a Password Manager. Strong passwords are hard to remember. So, as part of creating a strong password you need a reliable and trustworthy way of remembering it. Using a password management tool to store passwords should really become a habit. Any time you create a password, note it down in a password manager tool, which will encrypt the password and store it safely for you. I recommend Password Dragon (shameless plug: I'm the developer of this software), a free, easy and secure password manager that works on Windows, Linux and Mac. It can also be launched from a USB drive. There are lots of free password manager tools available; choose the one that best suits your taste and use it.
4. Use a Passphrase. If you don't want to use a password management tool, use a passphrase to easily remember the password. You can use the initials of a song or a phrase that is very familiar to you. For example, the phrase "Passwords are like underwears, change yours often!" can be converted to the strong password "Prlu,Curs0!".
III. Guidelines for avoiding weak passwords.
Avoid the following in your passwords. Even part of your password should not be any of the following items.
1. Password same as username or part of the username
2. Name of family members, friends or pets.
3. Personal information about yourself or family members. This includes generic information that can be obtained about you very easily, such as birth date, phone number, vehicle license plate number, street name, apartment/house number etc.
4. Sequences, i.e. consecutive alphabets, numbers or keys on the keyboard, e.g. abcde, 12345, qwert.
5. Dictionary words, or dictionary words with a number or character in front or at the back
6. Real words from any language
7. Words found in a dictionary with number substitution for look-alike letters, e.g. replacing the letter O with the number 0, as in passw0rd.
8. Any of the above in reverse sequence
9. Any of the above with a number in front or at the back.
10. Empty password
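Added example, not from the original guide: a checker that applies the "8 4 Rule" from section I and the weak-password patterns of sections II and III (username, personal data, sequences, dictionary words with numbers at either end, 0-for-O style substitutions, reversed words). The tiny DICTIONARY and the keyboard rows are constructed for this example; a real check would load a full word list.

```python
"""Added example (not from the original guide): the "8 4 Rule" plus the
section II/III weak-password patterns as a checker. DICTIONARY is a
constructed stand-in for a real word list."""
import string

MIN_LENGTH, MIN_UNIQUE, SEQ_LEN = 8, 5, 4
DICTIONARY = {"password", "welcome", "dragon", "letmein", "monkey", "summer"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def eight_four_rule(pw: str) -> list:
    """Rule 1 (length >= 8) and Rule 2 (one of each of the four classes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("length")
    for code, test in (("lowercase", str.islower), ("uppercase", str.isupper),
                       ("digit", str.isdigit)):
        if not any(test(c) for c in pw):
            problems.append(code)
    if not any(c in string.punctuation for c in pw):
        problems.append("special")
    return problems


def _is_run(s: str) -> bool:
    """abcd / 4321 style runs and keyboard rows, forwards or backwards."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    if (s.isalpha() or s.isdigit()) and steps in ({1}, {-1}):
        return True
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def contains_sequence(pw: str, n: int = SEQ_LEN) -> bool:
    """Section III item 4: any window of n characters that is a sequence."""
    low = pw.lower()
    return any(_is_run(low[i:i + n]) for i in range(len(low) - n + 1))


def looks_like_dictionary_word(pw: str) -> bool:
    """Strip digits/specials at either end, undo look-alike substitutions,
    and also try the reversed word (section III items 5, 7, 8, 9)."""
    core = pw.strip(string.digits + string.punctuation).lower()
    forms = {core, core[::-1], core.translate(LEET), core[::-1].translate(LEET)}
    return any(f in DICTIONARY for f in forms if f)


def weak_password_reasons(pw: str, username: str = "", personal=()) -> list:
    """Every rule the password breaks, as short codes; empty means it passes.
    'personal' is the caller's list of names, dates, plates etc. to reject."""
    if not pw:
        return ["empty"]
    reasons = eight_four_rule(pw)
    low = pw.lower()
    if len(set(pw)) < MIN_UNIQUE:
        reasons.append("unique")
    if username and username.lower() in low:
        reasons.append("username")
    if any(item.lower() in low for item in personal):
        reasons.append("personal")
    if contains_sequence(pw):
        reasons.append("sequence")
    if looks_like_dictionary_word(pw):
        reasons.append("dictionary")
    return reasons


def is_strong(pw: str, username: str = "", personal=()) -> bool:
    return not weak_password_reasons(pw, username, personal)
```

The guide's own passphrase-derived example "Prlu,Curs0!" passes, while "Password1!" satisfies the 8 4 Rule yet is still rejected as a dictionary word with a number and a special character appended.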

IV. Common sense about passwords:

All the following points are nothing new and very much common sense. But most of the time, we tend to ignore these items.
1. Create a unique password every time. When you are changing a password for an existing account, it should not be the same as the previous password. Also, do not use incremental passwords while changing it, i.e. password1, password2 etc.
2. Change your passwords for all your accounts once every 6 months. Since passwords have a fixed length, a brute-force attack to guess the password will always succeed if enough time and processing power is available to the attacker. So, it is always recommended to change passwords often. Schedule a recurring appointment on your calendar to change your passwords once every 6 months.
3. Never write down your passwords. Creating a very strong password and writing it down on paper is as bad as creating an easy to remember weak password and not writing it down anywhere. There are several interesting surveys done on this subject, where it was found that many people write down the password and keep it somewhere next to the computer. Some of them think keeping the post-it note below the mouse pad is secure enough. You should never write down the password on paper. If you want to carry your password along with you at all times, use a password manager tool that runs from a USB stick and take that with you at all times.
4. Don't share with anyone. Anyone includes your friends and family. You might have heard the phrase "Passwords are like underwear, don't share with anybody". We teach our kids several things in life. Teaching them about online safety and not sharing the password with anybody should be one of them.
5. Never keep the same password for two different sites. It is very tempting to create one password for all your emails, another password for all the banking sites, another password for all the social networking sites etc. Avoid this temptation and keep unique passwords for all your accounts.
6. Don't type your password when someone is looking over your shoulder. This is especially important if you type slowly, search for the letters on the keyboard and type with one finger, as it is very easy for someone looking over your shoulder to figure out the password.
7. Never send your password to anybody in an email. If you follow #3 mentioned above, this should not be an option. But the reason I'm specifically mentioning this is that several hackers send emails posing as a support person and asking for your user name and password through email. A legitimate website or organization will never ask you for your user name and password, either via email or over the telephone.
8. Change passwords immediately when they are compromised. Even if you have the slightest doubt that someone might have stolen your password, change it immediately. Don't even waste a minute.
9. Don't use the "Remember password" option on the browser without setting the Master Password. Don't use this feature of the browser to store your username and passwords without enabling the "Master Password" option. If you don't set a master password on the Firefox browser, anybody who uses your Firefox browser can see all the passwords stored in it in plain text. Also, be very careful with this option and say 'Not Now' in the remember password pop-up when you are using a system that doesn't belong to you.
10. Don't type your password on a computer that does not belong to you. If possible, don't use someone else's computer that you don't trust to log in to any website, especially very sensitive websites such as banking. It is a very common practice for hackers to use key loggers that log all the key strokes on a system, which will capture everything you type including passwords.
