Cron is the task scheduling daemon in Linux. The daemon is called 'crond' and the program that manipulates cron jobs is 'crontab'. Once the daemon is started, it goes to sleep and wakes up every minute to examine all the files containing crontab entries. If a job is scheduled to run at the current minute, it is executed and the daemon goes back to sleep.
A user can manipulate the cron jobs for his account using the command 'crontab'. Some security restrictions are imposed on the use of this command with two files, /etc/cron.allow and /etc/cron.deny.
If the file /etc/cron.allow exists, the user must be listed in it in order to run crontab. If this file doesn't exist, the user must not be listed in /etc/cron.deny to run crontab. If neither file exists, no user other than root is allowed to use crontab.
Cron jobs for individual users are stored in a separate text file, /var/spool/cron/username, which is edited by the corresponding user with the command 'crontab -e'.
The system-wide crontab configuration file is /etc/crontab. It runs the cron job files under a set of directories.
/etc/crontab:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
As the names of the directories indicate, the files inside them are run by cron once every hour, day, week and month. The files inside these directories are in the standard cron job format described below.
For per user crontab files (/var/spool/cron/username) the format is:
minute hour day month dayofweek command-to-be-scheduled
For all other crontab files the format is
minute hour day month dayofweek USER command-to-be-scheduled
Values for each field:
minute: 0-59
hour: 0-23
day: 1-31
month: 1-12 (or short names such as jan, feb, jun etc. can be used)
dayofweek: 0-7 (or short names such as sun, mon, fri etc.; 0 and 7 both represent Sunday)
For all these fields the following rules apply:
An asterisk (*) in any field indicates all applicable values for that field.
A hyphen (-) between two digits specifies all the values in between, including the two.
A comma-separated list specifies all the values listed.
Eg:
10 9 * * 0 = 10:10 AM every Sunday
0 10-17 * * * = Every day at 10 AM, 11 AM ... 5 PM
15,30,45 9 * * * = Every day at 9:15 AM, 9:30 AM and 9:45 AM
*/5 * * * * = Every 5 minutes
USER: the user account under whose privilege the cron job should be run.
The command to execute can be a standard Linux command or a script. Anything that can be executed in a shell can be used here.
At the start of the file, we can set the environment variables under which the cron jobs should run. Comments can be inserted with '#'. You can see both of these in the /etc/crontab example above.
The script `run-parts` that you see in the crontab file is a standard script that takes a directory as its argument and runs all the executables under that directory.
Individual users can manipulate only their personal crontab file. All other files are managed by root.
In addition to the directories mentioned above, there is one more directory, /etc/cron.d. If you want to run tasks at a custom time, i.e. not every hour/day/week/month, the files should be put in this directory.
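As an added example (not code from the original post), here is a small Python matcher for the five-field schedule syntax described above. It expands `*`, ranges, comma lists, `*/n` steps and the month and weekday short names, and checks whether a schedule fires at a given minute, so the Eg lines above can be verified rather than taken on trust.

```python
from datetime import datetime

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"]
DAYS = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]
# (lowest, highest, short names) for minute, hour, day, month, dayofweek, in that order
FIELDS = [(0, 59, None), (0, 23, None), (1, 31, None), (1, 12, MONTHS), (0, 7, DAYS)]

def _atom(token, lo, hi, names):
    """One number or short name -> integer, range-checked against the field's limits."""
    if names and token.lower() in names:
        return names.index(token.lower()) + lo   # months count from 1, weekdays from 0
    value = int(token)
    if not lo <= value <= hi:
        raise ValueError(f"{token!r} is outside {lo}-{hi}")
    return value

def expand_field(field, lo, hi, names=None):
    """Expand '*', 'a-b', 'a,b,c', '*/n' (and combinations) into the set of values covered."""
    values = set()
    for part in field.split(","):
        base, _, step = part.partition("/")
        step = int(step) if step else 1
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            first, last = base.split("-", 1)
            start, end = _atom(first, lo, hi, names), _atom(last, lo, hi, names)
        else:
            start = _atom(base, lo, hi, names)
            end = hi if step > 1 else start     # '5/10' means every 10th value from 5 upwards
        values.update(range(start, end + 1, step))
    return values

def matches(schedule, when):
    """True if the five-field schedule would fire at the minute given by `when`."""
    fields = schedule.split()
    if len(fields) != 5:
        raise ValueError("expected: minute hour day month dayofweek")
    allowed = [expand_field(f, lo, hi, names) for f, (lo, hi, names) in zip(fields, FIELDS)]
    if 7 in allowed[4]:                # cron accepts both 0 and 7 for Sunday
        allowed[4].add(0)
    dow = (when.weekday() + 1) % 7     # Python counts Monday=0; cron counts Sunday=0
    actual = [when.minute, when.hour, when.day, when.month, dow]
    return all(value in allowed_set for value, allowed_set in zip(actual, allowed))

def fires_at(schedule, year, month, day, hour, minute):
    """Convenience wrapper taking plain integers instead of a datetime."""
    return matches(schedule, datetime(year, month, day, hour, minute))
```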
crontab command
For individual users to manipulate their cronjobs, use the command crontab.
To add a new job or edit an existing:
[safeer@LinuxBox1 ~]$crontab -e
This will open /var/spool/cron/safeer in the default editor. Now the user can edit this file just like any text file.
To add a job that runs a script under the home directory at 10 minutes past 10 AM every day:
10 10 * * * ~/bin/backup.sh >> backup.log 2>&1
To view safeer's current crontab entries:
[safeer@LinuxBox1 ~]$crontab -l
10 10 * * * ~/bin/backup.sh >> backup.log 2>&1
To remove all the current cron jobs for safeer:
[safeer@LinuxBox1 ~]$crontab -r
The root user can edit any user's cron jobs with the -u switch. With this command root can edit the crontab for user safeer:
[root@LinuxBox1 ~]#crontab -[e/l/r] -u safeer
The service name for cron is crond. Use this to start or stop the service. You will hardly ever need to do this.
[root@LinuxBox1 ~]#service crond restart
Wednesday, May 23, 2007
Job scheduling with cron
Tuesday, May 22, 2007
VSFTPD Configuration
VSFTPD (Very Secure FTP Daemon) is the default FTP server for RedHat flavours of Linux. The version discussed here is 2.0.4.
The configuration directory for vsftpd is /etc/vsftpd.
Here is a short description of most common configuration options in the main configuration file: /etc/vsftpd/vsftpd.conf
Listen Port & Address
To change the listening port from default 21
listen_port=10021
By default vsftpd listens on all configured IP addresses. To configure vsftpd to listen on a single IP address:
listen_address=65.17.45.85
User Management
Enable local system users of the ftp server to connect with their credentials
local_enable=YES
To restrict local users to their home directory (chroot)
chroot_local_user=YES
This will restrict all local users from accessing folders other than their home directory. If you want to exempt some users from this restriction, you can specify a list of such users as follows.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
/etc/vsftpd/chroot_list should contain the list of users who do not have the chroot restriction
If you set chroot_list_enable=NO or comment this line the file chroot_list will not be read by vsftpd
Anonymous Access
Enable anonymous user access. The home directory for anonymous user is /var/ftp
anonymous_enable=YES
To allow anonymous users to upload files (disabled by default):
anon_upload_enable=YES
To allow anonymous users to create directories (disabled by default):
anon_mkdir_write_enable=YES
To allow anonymous users to login without being prompted for a password:
no_anon_password=YES
Greeting/Message
FTP Welcome Banner
ftpd_banner=Welcome to XYZ Co Ltd FTP service.
Directory Message Enabling. Enabled by default
dirmessage_enable=YES
If this is enabled you can put a text file named .dirmessage in any directory that an FTP user can access. The contents of the file will be displayed to the FTP user when he changes to that directory.
Security
All users listed in the file /etc/vsftpd/ftpusers will be denied access to the ftp service
If the entry userlist_enable is set to YES in vsftpd.conf, another file, /etc/vsftpd/user_list, is read for the user list.
But whether the users listed in this file are denied or allowed access depends on another directive in vsftpd.conf: If,
userlist_deny=NO
only users in this file will be allowed access. But if
userlist_deny=YES
the users in this file will also be denied ftp access.
The file ftpusers takes precedence over user_list if the same user is listed in both files.
The file name user_list can be changed with
userlist_file=another_user_list_filename
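The ftpusers / user_list precedence described above is easy to get backwards, so here is an added Python model of it (example code, not vsftpd's own). It works on constructed copies of vsftpd.conf, ftpusers and user_list embedded in the script, and finishes with a small check for the settings on this page that widen exposure.

```python
# Constructed stand-ins for /etc/vsftpd/vsftpd.conf, ftpusers and user_list (not real files).
SAMPLE_CONF = """listen_port=10021
local_enable=YES
chroot_local_user=YES
anonymous_enable=YES
anon_upload_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
"""
SAMPLE_FILES = {
    "/etc/vsftpd/ftpusers": "root\nbin\nsafeer   # denied here even though user_list allows him\n",
    "/etc/vsftpd/user_list": "safeer\nalice\n",
}

def parse_conf(text):
    """Read key=value lines; blank and '#' lines are skipped, YES/NO become booleans."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        conf[key] = {"YES": True, "NO": False}.get(value.upper(), value)
    return conf

def _names(text):
    """User list files: one name per line, '#' starts a comment."""
    return {line.split("#", 1)[0].strip() for line in text.splitlines()} - {""}

def login_allowed(user, conf, files):
    """ftpusers always denies; with userlist_enable, user_list allows or denies per userlist_deny."""
    if user in _names(files.get("/etc/vsftpd/ftpusers", "")):
        return False
    if not conf.get("userlist_enable", False):      # vsftpd default: user_list not consulted
        return True
    list_file = conf.get("userlist_file", "/etc/vsftpd/user_list")
    listed = user in _names(files.get(list_file, ""))
    return (not listed) if conf.get("userlist_deny", True) else listed

def audit(conf):
    """Settings from this page that widen exposure and deserve a second look."""
    findings = []
    if conf.get("anonymous_enable") and conf.get("anon_upload_enable"):
        findings.append("anonymous uploads enabled")
    if conf.get("local_enable") and not conf.get("chroot_local_user"):
        findings.append("local users are not chrooted to their home directories")
    return findings
```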
Monday, May 21, 2007
Simple File Encryption with GPG
The easiest way to encrypt a file is to use the symmetric encryption provided by GPG (GNU Privacy Guard). This helps you to encrypt a file by providing a password. The same password is later used to decrypt the file.
Encryption
[safeer@LinuxBox1 ~]$echo "This is plain text" > file1_txt
Now encrypt this file with gpg
[safeer@LinuxBox1 ~]$ gpg -c file1_txt
Enter passphrase:
You will be prompted to enter the passphrase twice. Once the passphrase is entered the encrypted file will be saved as "file1_txt.gpg". This is a binary file; if you open it you will see a lot of unreadable characters. If you want to make it readable instead, use the armor option (ASCII format) as follows:
[safeer@LinuxBox1 ~]$ gpg -c -a file1_txt
This will create a file "file1_txt.asc"
[safeer@LinuxBox1 ~]$ cat file1_txt.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.5 (GNU/Linux)
jA0EAwMCvQn1YCJCMmFgyTBooxld2Zo/Vb5hYg00Pyg1OMeaZ3CXIrICjUwHqj50
RKRRZMoQmvRnZzISt01uoZs=
=3UMZ
-----END PGP MESSAGE-----
This format is particularly useful when you are sending the file to somebody, most probably through e-mail. You will also have to let the receiver know the passphrase, maybe through phone or some other secure channel. Otherwise he won't be able to decrypt the file.
You can alternatively specify an output file other than the default (filename.gpg or filename.asc).
[safeer@LinuxBox1 ~]$ gpg -c -a --output file1.secure file1_txt
Now the encrypted output will be stored in "file1.secure".
Decryption
[safeer@LinuxBox1 ~]$ cp file1_txt.asc /tmp
[safeer@LinuxBox1 tmp]$ gpg file1_txt.asc
gpg: CAST5 encrypted data
Enter passphrase:
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
This will create the plain text file file1_txt. If a file of this name already exists in the current directory, you will be prompted whether to overwrite it, or to provide an alternative file name as follows:
[safeer@LinuxBox1 tmp]$ gpg file1_txt.asc
gpg: CAST5 encrypted data
Enter passphrase:
gpg: encrypted with 1 passphrase
File `file1_txt' exists. Overwrite? (y/N) N
Enter new filename: file1_plain
gpg: WARNING: message was not integrity protected
If you want the decrypted output to be printed to standard output:
[safeer@LinuxBox1 tmp]$ gpg --decrypt file1_txt.asc
gpg: CAST5 encrypted data
Enter passphrase:
gpg: encrypted with 1 passphrase
This is plain text
gpg: WARNING: message was not integrity protected
Here also you can give an alternate output file name:
[safeer@LinuxBox1 tmp]$ gpg --decrypt --output file1.plain file1_txt.asc
Decryption method is the same for asc and gpg files.
This method uses symmetric key encryption, which is not considered very secure nowadays because the passphrase also has to be shared. Generally asymmetric/public key encryption is preferred. But for a starter, this is good enough.
Beware! If you forget the encryption password, you are done. You will never be able to decrypt the file.
Thursday, May 17, 2007
Cisco HTTP Server
The conventional way to access a router is through its console, auxiliary or telnet lines. But there is another method which is more flexible. Cisco routers come with a built-in web server which, once enabled, can be accessed from anywhere in the network through a web browser. The configuration steps are as follows:
Enable http server
RouterA(config)#ip http server
Tell the server the base path where the web server files are located. Flash memory in this case:
RouterA(config)#ip http path flash:
If you want to change the port on which the web server listens (default 80),
RouterA(config)#ip http port 8080
Authentication
To access the router through the web interface you need level 15 authentication. The default is to use the enable password/secret. To change this behaviour, we can use:
RouterA(config)#ip http authentication local
This instructs the router to use the local user database for authentication. After this you can log in through the web interface with a username and password configured for level 15 access.
To switch back to the default authentication with enable passwords:
RouterA(config)#ip http authentication enable