Linux

I have backed up my system to an external ximeta drive using "dd" and the well-known linux live cd distribution, Knoppix to boot from. Below are the steps in brief:

1. Boot from the live cdrom distribution.
   
2. Switch to root.
   
3. Make sure NO partitions are mounted from the source hard drive.
   
4. Mount the external HD.
   

     # mount -t vfat /dev/sda1 /mnt/sda1
     

5. Backup the drive.

     # dd if=/dev/hda conv=sync,noerror bs=64K | gzip -c  > /mnt/sda1/hda.img.gz
     

   "dd" is the command to make a bit-by-bit copy of "if=/dev/hda" as the "Input File" to "of=/mnt/sda1/hda.img.gz" as the "Output File". Everything from the partition will go into an "Output File" named "hda.img.gz". "conv=sync,noerror" tells dd that if it can't read a block due to a read error, then it should at least write something to its output of the correct length. Even if your hard disk exhibits no errors, remember that dd will read every single block, including any blocks which the OS avoids using because it has marked them as bad. "bs=64K" is the block size of 64x1024 Bytes. Using this large of block size speeds up the copying process. The output of dd is then piped through gzip to compress it.

6. To restore your system:
   

     # gunzip -c /mnt/sda1/hda.img.gz | dd of=/dev/hda conv=sync,noerror bs=64K 
     

   NOTE: I've had much success leaving out "conv=sync,noerror" during restore.

7. Store extra information about the drive geometry necessary in order to interpret the partition table stored within the image. The most important of which is the cylinder size.
   

     # fdisk -l /dev/hda > /mnt/sda1/hda_fdisk.info
     

The entries in the /proc/meminfo can help explain what's going on with your memory usage, if you know how to read it.

Example of `cat /proc/meminfo`:

        total:    used:    free:  shared: buffers:  cached:
Mem:  1050001408 1012899840 37101568        0 113672192 420950016
Swap: 2097434624 217985024 1879449600
MemTotal:      1025392 kB
MemFree:         36232 kB
MemShared:           0 kB
Buffers:        111008 kB
Cached:         279304 kB
SwapCached:     131780 kB
Active:         677908 kB
ActiveAnon:     487272 kB
ActiveCache:    190636 kB
Inact_dirty:    129164 kB
Inact_laundry:   23948 kB

mod_dosevasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_dosevasive presently reports abuses via email and syslog facilities.

The below steps were used to install mod_dosevasive on Apache-2.

1. Installation:
   • Check that you have httpd-devel package installed as you will need apxs
     
   • Download mod_dosevasive.
     

Whenever any hacker/cracker manages to get root acceess in a system, his motive mostly is to install a backdoor so that he can return later.This article demonstrates how simple bash backdoors can be made with a few lines of C code and misuse of linux's file permission mechanism.

Read Article

The kernel provides a list of file system types it is able to mount via the /proc file system. To view the list, run the command `cat /proc/filesystems`. The output will look something like:

nodev    proc
         ext3
         ext2
         vfat
         iso9660
nodev    nfs
nodev    smbfs

In this output, the entry vfat means you can mount FAT/VFAT (Microsoft Windows) partitions. The entries ending with smbfs and nfs mean you can interact with file servers that use SMBFS (Microsoft's Server Message Block File System, accessed via Samba) or NFS (Sun's Network File System). The iso9660 indicates that you can mount standard CD-ROM file systems, and ext3 and ext2 indicate that you can mount those kinds of Linux file systems.

MRTG is awesome, but by default it’s limited to SNMP metrics.

The MRTG extension packages allow for the monitoring of performance analysis metrics over SSH or locally, and they’re easy to set up, configure and maintain. With these extensions installed, it's possible to monitor UNIX performance metrics such as CPU and memory utilization, as well as paging, swapping and process statistics. Plus, since you don’t need to have an SNMP daemon running, your system is more secure.

There are two main clocks in a Linux system:

The Hardware Clock: This is a clock that runs independently of any control program running in the CPU and even when the machine is powered off.

The System Time: This is the time kept by a clock inside the Linux kernel and driven by a timer interrupt. It has meaning only while Linux is running on the machine.

Often-times, it happens that when you reboot, your clock does not reflect the correct date and time. You may be forgetting to sync the hardware clock with the current system time. Here is how:

First check and set the current system date and time.

# date
# date -s 'Wed May 28 11:35:00 EST 2003'

Then sync your hardware clock with the system time.

# hwclock --show
# hwclock --systohc

man date and hwclock for more info...

Nmap (http://www.insecure.org/nmap) is the most popular network scanner widely used and misused. Most people tend to ignore the various "switches (options)" and only use the default parameters. It is possible to prioritize SPEED or STEALTH in nmap scans but i'll mainly be talking about maximizing SPEED.

I'll demonstrate this by scanning localhost i.e. my own computer via loopback address. (127.0.0.1) via a non root user :

[d00m@localhost d00m]$ nmap -v 127.0.0.1
 
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-11-21 23:44 EST
Host localhost.localdomain (127.0.0.1) appears to be up ... good.

The NVIDIA GeForce FX5200 video card allows for dual monitor via the TwinView option.

To enable TwinView, you must specify the following options in the "Device" section of your XF86Config file:

Option "TwinView"
Option "SecondMonitorHorizSync"     "<hsync range(s)>"
Option "SecondMonitorVertRefresh"   "<vrefresh range(s)>"
Option "MetaModes"                  "<list of metamodes>"

You may also use any of the following options, though they are not
required:

Option "TwinViewOrientation"        "<relationship of head 1 to head 0>"
Option "ConnectedMonitor"           "<list of connected display devices>"

See the detailed descriptions of each option mentioned in the driver README file.

My current device setting is shown below:

Got a program sucking up system resources? Looking for a possible security breach?

Check out the command `lsof`.

The name "lsof" is short for "ls (or list) open files". Using it, you can look at certain processes, file descriptors of a process, or show certain network connections, since network connections use file descriptors like normal files.

To identify a suspect process, first run `ps -ef`, which will show the command line and environment information about swapped out processes. Then, run

#lsof -sp <pid>

Where "<pid>" is the process ID of the suspect process.