How to delete the MBR in Linux
May 18

There have been times where I’ve installed Linux on a computer and needed to reinstall Windows. Sometimes I’ve had an issue where after the install gets finished, the installer appears fine but it doesn’t update the MBR (Master Boot Record). So when you reboot the computer you get a Lilo or Grub error saying that the Linux Operating System that it thinks is installed is not there.

Before you reinstall Windows, download any of the bootable Linux distros such as Fedora Live, Ubuntu or Knoppix and boot into the temporary Linux. Then bring up a Linux shell and type the following. You may need to change hda to your appropriate hard drive device.

dd if=/dev/zero of=/dev/hda bs=512 count=1
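
An added example, not part of the original post: the 512-byte write above also zeroes the partition table, which lives at bytes 446-509 of the same sector. The script below works on a constructed image file (the function names and disk.img are hypothetical) and shows a backup, a 446-byte wipe that leaves the partition table alone, and a restore.

```shell
#!/bin/sh
# Added example. Works on a constructed image file, never on a real disk.
# MBR layout: bytes 0-445 boot code, 446-509 partition table, 510-511 0x55AA.

make_image() {   # $1 = image path; builds a 1 MiB image with a fake MBR
    dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null
    head -c 446 /dev/zero | LC_ALL=C tr '\0' 'B' |
        dd of="$1" bs=1 conv=notrunc 2>/dev/null            # fake boot code
    head -c 64 /dev/zero | LC_ALL=C tr '\0' 'P' |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null   # fake partition table
    printf '\125\252' |
        dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null   # 0x55 0xAA signature
}

# $1 = disk (or image), $2 = backup file holding the first sector
backup_mbr()  { dd if="$1" of="$2" bs=512 count=1 2>/dev/null; }
restore_mbr() { dd if="$2" of="$1" bs=512 count=1 conv=notrunc 2>/dev/null; }

# Zero only the boot loader; partition table and signature stay intact.
wipe_boot_code() { dd if=/dev/zero of="$1" bs=446 count=1 conv=notrunc 2>/dev/null; }

# The full-sector wipe from the post (conv=notrunc only matters for image files).
wipe_sector() { dd if=/dev/zero of="$1" bs=512 count=1 conv=notrunc 2>/dev/null; }

# Checksums of the two regions, for before/after comparison.
boot_sum()   { dd if="$1" bs=1 count=446 2>/dev/null | cksum; }
ptable_sum() { dd if="$1" bs=1 skip=446 count=66 2>/dev/null | cksum; }

demo() {
    dir=$(mktemp -d) && img=$dir/disk.img
    make_image "$img"
    backup_mbr "$img" "$dir/mbr.bak"
    orig=$(ptable_sum "$img")
    wipe_boot_code "$img"
    [ "$(ptable_sum "$img")" = "$orig" ] && echo "446-byte wipe: partition table intact"
    wipe_sector "$img"
    [ "$(ptable_sum "$img")" != "$orig" ] && echo "512-byte wipe: partition table gone"
    restore_mbr "$img" "$dir/mbr.bak"
    [ "$(ptable_sum "$img")" = "$orig" ] && echo "restored from backup"
    rm -rf "$dir"
}
demo
```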

Search and Replace in MySQL
May 18

I do a lot of work with MySQL and I’ve had this reoccurring problem where I need to find some text in a table and replace it with new text. Like say I have a table of data that talks about dogs and I want to replace every occurrence of dog with cat. The old way I would search the entire table to find all rows that have the word dog in it, then that would give me a list to manually update each row. I’d then rerun the query to see if I missed any.

Recently I found that MySQL supports a command called what else but “replace”. So let’s say I have a table called “news” and in the table is a column called “content” and I wanted to replace all references of “dog” with “cat”, here is an example query.

update news set content = replace(content, 'dog', 'cat');

Very simple, it tells MySQL to replace the “content” field with what’s in the “content” field but replace “dog” with “cat”.

Configuring Cisco ASA 5505 with primary & backup ISP
Mar 23

Here’s an example config for configuring an ASA5505 with primary and backup ISPs.

ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 1
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif primary-isp
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 100.100.100.1 255.255.255.0
ASA5505(config-if)# backup interface vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 3
ASA5505(config-if)# nameif backup-isp
ASA5505(config-if)# security-level 1
ASA5505(config-if)# ip address 200.200.200.1 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# route primary-isp 0.0.0.0 0.0.0.0 100.100.100.2 1
ASA5505(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 2

Basic Configuration for a Cisco 2621 part 2
Mar 23

Here’s a sample config you might use for a Cisco 2600 router for a point-to-point T1. The Cisco would need to have a built-in CSU/DSU for this configuration.

Router#sh run
Building configuration...

Current configuration : 1158 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
!
ip cef
!
interface FastEthernet0/0
 no ip address
 shutdown
!
interface Serial0/0
 description outside interface
 ip address 100.100.100.1 255.255.255.252
 no ip directed-broadcast
 service-module t1 timeslots 1-24
 no cdp enable
 no shutdown
 no fair-queue
!
interface FastEthernet0/1
 description inside interface
 ip address 200.200.200.1 255.255.255.0
 speed 100
 full-duplex
!
ip default-gateway 100.100.100.2
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 100.100.100.2
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

Basic Configuration for a Cisco 2621
Mar 23

Here is a basic configuration for a Cisco 2621 using interface FastEthernet0/0 to connect to your ISP, and FastEthernet0/1 to connect to your local network.

Router#sh run
Building configuration...

Current configuration : 1158 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
!
ip cef
!
interface FastEthernet0/0
 description outside interface
 ip address 100.100.100.1 255.255.255.252
 speed 100
 full-duplex
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0/1
 description inside interface
 ip address 200.200.200.1 255.255.255.0
 speed 100
 full-duplex
!
ip default-gateway 100.100.100.2
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 100.100.100.2
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

Configuring Basic Cisco Router Security
Mar 23

Network security is a hot topic today, and will only increase in importance in the months and years ahead.

While most of the attention is paid to exterior threats, there are some steps you can take to prevent unwanted Cisco router access from within your organization.

Whether you want to limit what certain users can do and run on your routers, or prevent unauthorized users in your company from getting to config mode in the first place, here are four important yet simple steps you can take to do so.

Encrypt the passwords in your running configuration.

This is a basic Cisco router security command that is often overlooked. It doesn’t do you any good to set passwords for your ISDN connection or Telnet connections if anyone who can see your router’s running configuration can see the passwords. By default, these passwords are displayed in your running config in clear text.

One simple command takes care of that. In global configuration mode, run service password-encryption. This command will encrypt all clear text passwords in your running configuration.

Set a console password.

If I walked into your network room right now, could I sit down and start configuring your Cisco routers?

If so, you need to set a console password. This password is a basic yet important step in limiting router access in your network. Go into line configuration mode with the command “line con 0”, and set a password with the password command.

Limit user capabilities with privilege level commands.

Not everyone who has access to your routers should be able to do anything they want. With careful use of privilege levels, you can limit the commands given users can run on your routers.

Privilege levels can be a little clumsy at first, but with practice you’ll be tying your routers down as tight as you like. Visit www.cisco.com/univercd for documentation on configuring privilege levels.

Configure an “enable secret” password.

It’s not uncommon for me to see a router that has an enable mode password set, but it’s in clear text.

By using “enable secret”, the enable mode password will automatically be encrypted. Remember, if you have an enable password and enable secret password set on the same router, the enable secret password takes precedence.

These four basic steps will help prevent unwanted router access from inside your network. If only preventing problems from outside your network was as simple!
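
An added example, not part of the original article: one way to check a saved running-config against the four steps above. The audit_config function and both sample configs are constructed for illustration; the weak one is modeled on the 2621 listings on this page, and the password values in the hardened one are placeholders.

```shell
#!/bin/sh
# Added example: audit a saved IOS running-config for the four steps above.

audit_config() {   # reads a running-config on stdin, prints one finding per line
    awk '
        /^service password-encryption/ { enc = 1 }
        /^enable secret /              { secret = 1 }
        /^enable password /            { clearpw = 1 }
        /^privilege /                  { priv = 1 }
        /^line /                       { in_con = ($2 == "con") }
        /^[^ ]/ && !/^line /           { in_con = 0 }   # left the line block
        in_con && /^ password /        { conpw = 1 }
        END {
            if (!enc)    print "FAIL service password-encryption is not enabled"
            if (!conpw)  print "FAIL line con 0 has no password"
            if (!priv)   print "WARN no custom privilege levels defined"
            if (!secret) print "FAIL no enable secret configured"
            if (clearpw) print "WARN enable password present; enable secret takes precedence"
        }'
}

weak_config() { cat <<'EOF'
no service password-encryption
hostname Router
line con 0
line aux 0
line vty 0 4
 login
end
EOF
}

hardened_config() { cat <<'EOF'
service password-encryption
hostname Router
enable secret 5 CONSTRUCTED-HASH-PLACEHOLDER
privilege exec level 5 ping
line con 0
 password 7 CONSTRUCTED-PLACEHOLDER
 login
line vty 0 4
 login
end
EOF
}

weak_config | audit_config
```

service password-encryption applies Cisco's reversible type 7 encoding, so the audit treats it as a baseline and still requires enable secret.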

Cisco Router (801) ISP ISDN Config Example
Mar 23

Here is an example ISDN config for a Cisco 801 router.

version 12.0
!
no ip domain-lookup
isdn switch-type basic-net3
!
!
!
interface Ethernet0
ip address 172.16.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface BRI0
ip address negotiated
no ip directed-broadcast
ip nat outside
encapsulation ppp
dialer string (put ISDN phone number here)
dialer-group 1
isdn switch-type basic-net3
no cdp enable
ppp chap hostname (Put username here)
ppp chap password (Put password here)
!
router rip
network 172.16.0.0
!
ip nat translation timeout 180
ip nat inside source list 1 interface BRI0 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 BRI0
!
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 100 deny ip any host 172.16.255.255
access-list 100 permit ip any any
dialer-list 1 protocol ip list 100
alias exec u undebug all
!

Excluding files in FIND results
Mar 9

Find is one of my favorite little tools under Linux. It helps me “find” almost anything: I can find files older than a certain date, newer than a certain date, or modified on a certain date. I can find files that have a certain name, or match a part of a name or a file extension. Once I’ve found what I’ve been looking for I can have find do something with those files like delete them or gzip them.

My latest “find” with the find command came about because on one of my JBoss servers I wrote a simple script that looks for log files older than 15 days and deletes them and looks for other log files older than 61 minutes and compresses them with gzip.

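#!/bin/bash
LOGS=/usr/local/jboss/server/all/log/
# delete all logs older than 15 days (regular files only; NUL-separated so odd file names are safe)
find "$LOGS" -type f -mtime +15 -print0 | xargs -0 -r rm -f
# gzip files last modified more than 61 minutes ago (skip files that are already compressed)
find "$LOGS" -type f -mmin +61 -not -name "*.gz" -print0 | xargs -0 -r gzip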

Our JBoss setup automatically writes new logs to server.info.log and server.error.log, then every hour it renames the INFO and ERROR log to the current date + hour, so server.info.log would be changed to server.info.log.2010-03-09-13 for today at 2pm to roll out the 1pm logs.

The problem I came across in my script was with my server.error.log file. If an error hasn’t been written to the server.error.log file during that hour, it wasn’t going to rotate an empty error log. Since the file hadn’t been touched/updated/modified in over 61 minutes, my script came along and gzipped it. At this point JBoss then had a problem because the error log was missing and didn’t create a new one.

So what I needed to do was to find all the files that matched the criteria, but exclude the server.info.log and server.error.log, and here is my final script.

#!/bin/bash
LOGS=/usr/local/jboss/server/all/log/
INFOLOG="server.info.log"
ERRORLOG="server.error.log"
# delete all logs older than 15 days, never touching the two live log files
find "$LOGS" -type f -mtime +15 -not -name "$INFOLOG" -not -name "$ERRORLOG" -print0 | xargs -0 -r rm -f
# gzip files last modified more than 61 minutes ago, skipping the live logs and already compressed files
find "$LOGS" -type f -mmin +61 -not -name "$INFOLOG" -not -name "$ERRORLOG" -not -name "*.gz" -print0 | xargs -0 -r gzip

Some interesting MySQL projects to check out
Feb 11

While working on some MySQL stuff today I came across some interesting projects.  About 2 years ago I attended the Boston MySQL Meetup group which had a guest speaker (Patrick Galbraith) and he spoke about setting up MySQL in a Multi-Master setup.  This is where you have two MySQL database servers and each one is a slave of the other.  Today I came across two projects that look promising, the first is Multi-Master Replication Manager for MySQL (or MMM) and the second is Flipper.

MMM is a set of scripts that perform monitoring/failover and management of MySQL master-master replication.  Flipper is also a set of tools that manage which server in a Multi-Master setup is writable and which is readable by moving IP addresses based on the server’s role.  Both look very promising and hopefully soon I’ll have some free time to play around with them.

Working with Percona’s MySQL and RPM dependency problems
Feb 11

I’ve started using Percona’s version of MySQL 5.1 and have run into a few issues trying to get other tools such as mytop or maatkit to install but have been having problems with RPM dependencies. I found the solution on this guy’s blog. Basically, if you install the MySQL-client-percona, MySQL-percona, MySQL-server-percona, MySQL-shared-percona and Percona-XtraDB, instead of installing MySQL-shared-percona, you should download and force upgrade (rpm -Uvh --force packagename) the MySQL-shared-compat library directly from MySQL. Just make sure you get the same version from MySQL that you’re using of the Percona MySQL.
