Ulimit settings and SSH logins
On a RHEL5/6 server ulimit setting was not applied when I looged in using SSH. No matter what I did the setting remained the same. Doing a “su – ” to a user, however, worked like a treat. Strange! I did a bit of googling and found the following answer to my problem:1. In /etc/pam.d/sshd add the line
session required pam_limits.so
2. In /etc/pam.d/login add the line
session required pam_limits.so
3. In /etc/ssh/sshd_config add
UsePAM yes
(this might already be in place in your config file – I’m not using a stock sshd_config)
4. reload SSH
/etc/init.d/sshd restart
Now change something in /etc/security/limits.conf
user1 soft nofile 2048
user1 hard nofile 4096
Log in as user1 – and voila!
ulimit -n should now show 2048 and ulimit -nH 4096
VSFTP (Very Secure FTP)
Configuration variables to notechroot_local_user If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login
chroot_list_enable If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The meaning is slightly different if chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT to be placed in a chroot() jail. By default, the file containing this list is /etc/vsftpd.chroot_list, but you may override this with the chroot_list_file setting.
userlist_enable If enabled, vsftpd will load a list of usernames, from the filename given by userlist_file. If a user tries to log in using a name in this file, they will be denied before they are asked for a password. This may be useful in preventing cleartext passwords being transmitted. See also userlist_deny.
userlist_deny This option is examined if userlist_enable is activated. If you set this setting to NO, then users will be denied login unless they are explicitly listed in the file specified by userlist_file. When login is denied, the denial is issued before the user is asked for a password.
passwd_chroot_enable If enabled, along with chroot_local_user , then a chroot() jail location may be specified on a per-user basis. Each user's jail is derived from their home directory string in /etc/passwd. The occurrence of /./ in the home directory string denotes that the jail is at that particular location in the path.
vsftpd.conf contents:
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Authorized Use Only.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd whith two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/userlist_file
passwd_chroot_enable=YES
/etc/hosts.allow entry for tcp wrappers
## Allow vsftp from wdc-ndmftpgw1
vsftpd:10.192.76.70
The two users that are authorized to access vsftpd is ndmftp-p
(wdc-ecdobatch01, wdc-ecdobatch02) and ndmftp-t (wdc-ecdobat01tst)
/etc/passwd entry for user ndmftp-p on wdc-ecdobatch01 and wdc-ecdobatch02
ndmftp-p:x:100034:65208:wdc-ndmftpgw Generic PROD Account:/dst/informa/prod/transfer/./ndmftpgw:/bin/ksh
/etc/passwd entry for user ndmftp-t on wdc-ecdobat01tst
ndmftp-t:x:100035:65208:wdc-ndmftpgw Generic TEST Account:/dst/informa/test/transfer/./ndmftpgw:/bin/ksh
Note: The '.' in the user's home directory path denotes where the chroot begins.
RHEL-ESX - Dynamic Memory Activation
Many times, memory increases may be needed on a RHEL guest running under ESXi. Typically administrators would schedule a time to perform a reboot to make the memory active and visible to the RHEL guest. The following helper script will assist in making this an online/inline change, no longer requiring a reboot of the guest.Dynamic Memory Activation in ESXi for RHEL Guests
if [ "$UID" -ne "0" ]
then
echo -e "You must be root to run this script.\nYou can 'sudo' to get root access"
exit 1
fi
for MEMORY in $(ls /sys/devices/system/memory/ | grep memory)
do
SPARSEMEM_DIR="/sys/devices/system/memory/${MEMORY}"
echo "Found sparsemem: \"${SPARSEMEM_DIR}\" ..."
SPARSEMEM_STATE_FILE="${SPARSEMEM_DIR}/state"
STATE=$(cat "${SPARSEMEM_STATE_FILE}" | grep -i online)
if [ "${STATE}" == "online" ]; then
echo -e "\t${MEMORY} already online"
else
echo -e "\t${MEMORY} is new memory, onlining memory ..."
echo online > "${SPARSEMEM_STATE_FILE}"
fi
done
Script Description
The script traverses the filesystems looking for the memory entries located in /sys/devices/system/memory. Each entry under this filesystem represents a memory address with status information located within the directory found. The script then traverses the found memory locations and checks the value contained in the file state. If the value contained is online, then that is active already. Otherwise, the script sets the value of state to online.
Creating Init Scripts for RHEL
The expected procedures for creating init scripts in RHEL, located in /etc/init.d, are as follows:1. The script must be compliant with chkconfig - the configuration utility for run-level services in RHEL
1. The script must contain the proper heading information to allow chkconfig to process the script for run-level service
chkconfig script heading example
format chkconfig runlevel start order, stop order
description must contain text!
# chkconfig: 3 25 15
# description: Start/Stop the script at boot time
2. Example script for PatrolAgent
PatrolAgent
#!/bin/ksh
#
#Added 06/12/2002 by OSG for BMC Patrol 3.5.30
#
#This starts the Patrol Agent on port number 2112 during system startup
#
#
#
# chkconfig: 3 25 15
# description: Start/Stop the Patrol Agent at boot time
case $1 in
'start' )
su - patrol -c "/var/patrol/Patrol3/PatrolAgent -p 2112 >/dev/null 2>&1"
;;
'stop' )
kill `ps -ef | grep PatrolAgent | awk '{print $2}'`
;;
* )
echo "error:syntax service PatrolAgent start/stop"
;;
esac
exit 0
2. The script needs to be copied to /etc/init.d, owned by root, and file access permissions of 755
Ownership and File Access Permissions
chown root:root /etc/init.d/<script name>
chmod 755 /etc/init.d/<script name>
3. Finally, the script needs to be added as active to the run-level service
Activate Run-Level Script chkconfig --add <script name> |
No comments:
Post a Comment