Top Ten Linux Configuration Tools?
jman251 asks: "I am presenting at a conference in September on a couple of Linux-centric topics. One of these is a collection of tips, tricks, and tools for configuring, securing, and maintaining a Linux-based server. I have a short list of tools I use, but would like some community input on the subject. What tools do you use that make your admin responsibilities easier or more automated on the Linux platform?"
Tripwire is a very easy to use intrusion detection system. If you follow the documentation, and implement it properly (storing the statically linked binary + database files on read-only media), it will make things very hard on a potential hacker.
cfengine (http://www.cfengine.org) is the best automation tool for unix and unix-like environments. Hands down. It's a little hard to configure sometimes, but worth the effort.
I'd put Webmin on my #1 list for best Linux admin tools. phpmysql is probably second (or the postgresql equivalent), and all the necessary toolkit apps like nmap, ethereal, netcat, etc.
That's all I can think of now. I'll think of others later.
I can't believe with all these posts that the only one(s) that actually respond to the question are about Webmin!
Don't get me wrong, Webmin is great, it's at the top of my list fer shure, but that's not the be-all and end-all of systems management!! What about actual convenient tools like MRTG, Novell's eDirectory, RedCarpet, etc. etc.?
Heck, I'm reading this article hoping to pick up a few tips myself and all I'm seeing are scripting languages and text-editor flame wars, (all of which can/should be moderated Off-topic or Funny).
So, anybody actually got anything useful to contribute besides Webmin?
Also, it kills me to see *NIX people still using passwords all the damn time. CVS + ssh keys = godlike.
/usr/local over nfs is good too. The only issue is that you may have to configure some packages to use a local filesystem for configuration files, keys, etc.
:)
Things I do: syslog to a common place. I have cloning scripts to dup a machine to a basic setup (poor man's jumpstart, but faster and easier).
Perl and sed come in handy. Rsync (again with ssh keys) is good.
Oh yeah,
With these tips and tricks I can do whatever I need to do over a dialup connection anywhere in the world (I've only tested this from coast to coast in the US though, but I believe it will scale worldwide).
There are four of us who do *nix admin for over 600 *nix machines, more than half of which are linux boxes (both workstations and servers.) SSH with X displayback on a 100Mbit switched network is such a godsend I can't even begin to imagine life without it. I probably generate more SSH sessions in a normal workday than I do HTTP sessions. (Yes, that does include
I also think it's well worth your while to understand SSH's more esoteric tunneling capabilities... Recently I had to support a research group who was doing a demo at JPL and they were behind a very restrictive firewall but needed to do control and image transfer from a robot framework here in Massachusetts, and the researchers who'd coded the software hadn't implemented any kind of authentication layer. We were able to do everything using SSH tunneling over one of the three ports allowed through JPL's firewall (and they could IMAP their mail from our servers as a side bonus) without exposing our servers or JPL to unencrypted protocols of any kind.
Need a UNIX/Linux/network guru in the Boulde
su -- better: sudo keeps your root password better kept, does more logging, etc.
more -- better: less (It's not the 70s anymore people, you can search and go backwards in files since less first came about in the mid 80s. With the LESSOPEN variable set to something useful you can "browse" many, many filetypes too).
bash -- better: zsh. My shell can do anything your shell can do, but better!
1. Nagios: monitors your servers/services, emails, pages, sends a carrier pigeon when one goes down.
2. Logwatch: Logwatch is something that should be used by every Unix/Linux SA everywhere. It gives you a daily snapshot of events in your logs.
3. Mon: Nice, simple, easy. If your webserver goes down, your secondary can bring up a virtual IP a couple of seconds later. No more annoying three am phone calls.
4. Snort/ACID: lets me know if a virus breaks out, or if there are stupid script kiddies trying to brute force their way in.
5. Nessus: run it early, run it often. Figure out any holes you have in your security, and make sure you fix them.
There's more, but you should really do some of your own homework.
RandomAndInteresting.com
defending the world from stupidity since 1979
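An added example of the kind of daily snapshot Logwatch produces for sshd (my own script, not Logwatch's code and not from the post above). It reads syslog-format lines on stdin and summarises failed logins per source address and accepted logins per user; the sample lines are constructed, with addresses from documentation ranges.

```shell
#!/bin/sh
# Logwatch-style digest of sshd events (added example). Feed it /var/log/auth.log
# or /var/log/secure from cron and mail the output to yourself each morning.
set -u

# Constructed sample lines; not real hosts or users.
SAMPLE_AUTH_LOG='Sep  3 02:14:07 web1 sshd[4211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Sep  3 02:14:09 web1 sshd[4211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Sep  3 02:14:12 web1 sshd[4215]: Failed password for root from 203.0.113.9 port 51030 ssh2
Sep  3 03:01:44 web1 sshd[4302]: Failed password for jman from 198.51.100.7 port 40110 ssh2
Sep  3 08:22:31 web1 sshd[5120]: Accepted publickey for jman from 192.0.2.15 port 50022 ssh2
Sep  3 09:10:02 web1 cron[5200]: (root) CMD (run-parts /etc/cron.hourly)'

# sshd_summary < LOG: print the digest to stdout
sshd_summary() {
    log=$(cat)    # slurp stdin once so it can be scanned several times
    printf 'Failed logins: %s\n' \
        "$(printf '%s\n' "$log" | grep -c 'sshd\[[0-9]*\]: Failed password for')"
    printf 'Failed logins by source:\n'
    # the source address is the word after "from"; count per address, busiest first
    printf '%s\n' "$log" \
      | awk '/sshd\[[0-9]+\]: Failed password for/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ printf "  %s: %d\n", $2, $1 }'
    printf 'Accepted logins:\n'
    # successful logins grouped by "user from address"
    printf '%s\n' "$log" \
      | awk '/sshd\[[0-9]+\]: Accepted (publickey|password) for/ {
                 for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") ip = $(i+1) }
                 print u " from " ip }' \
      | sort | uniq -c \
      | awk '{ n = $1; $1 = ""; sub(/^ +/, ""); printf "  %s: %d\n", $0, n }'
}

# Typical use: printf '%s\n' "$SAMPLE_AUTH_LOG" | sshd_summary   (or: sshd_summary < /var/log/auth.log)
```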
So now "rm -fr /" won't work even as root as it will properly give you :
So there you are, you pesky root of all evil. Oh bummer, now I can't make any new files in /home/dude ....
Whilst you are correct that this works for non-interactive processes, you can't use nohup to keep a copy of, say, Lynx running when you log out, then return to it later and pick up where you left off.
Instead you should look at GNU Screen which allows this and more.
(It's essentially a windowing system for consoles, with the ability to detach and resume at will, and definitely one of my top ten Unix utilities).
Here is one Screen tutorial which explains basic operation well.
What are the advantages of zsh over bash?
1) programmable tab completion - yes folks, there is more to tab completion besides beeping all the time. When I hit cd fooTAB the list of completions only shows _directories_ beginning with foo
2) sane invocation - zsh is the only shell that has one file that is sourced _on all invocations of the shell_, so you can do stuff like have a consistent PATH and other env stuff
3) global aliases - zsh provides an alias that works _anywhere on the commandline_ I have 'G' mapped to '| grep -i', I have 'L' mapped to '| less' and 'vi' mapped to 'vim' (why? So sudo vi FILE gives me vim if the system has vim), etc, etc
4) the only shell that supports working 'vi' style history editing
5) multiple commandline commands are not rewritten as commands with ';' in them (what I typed is what I get, see 4)
6) too many features to name. Like I said, my shell can do anything your shell can do, but better.
Who exactly is your target audience? People who've never seen UNIX, people who've worked on UNIX environment for years? What is it you are attempting to accomplish with them?
Most of my list would be boring to people who know a lot about UNIX, however some of them are Linux specific.
Webmin's all well and good for a few machines. But if you're employed maintaining 100s of machines, there are very few real and free options, and I don't personally think webmin is one of them, unless it's become much more scriptable than when I last checked.
o n-fist's work, yet _can_ have role-based limited admin abilities.
cfengine works really well, but you don't appreciate its features until you hit the 70+ machine mark - the "trick" is that cfengine with its inheritance and boolean class logic excels for systems that are different but have bits in common. Such different bits ALWAYS turn up with 70+ machines, simply because PC-class hardware's failure rate means something will have been changed on some machine somewhere at any given time. But if you've only got tens of machines running one OS rather than hundreds running five different OSes, it all seems like very hard work to set up your cfengine configuration files. The other "trick" is that cfengine is mostly multiuser and you can allow different users to perform different actions, so when you've got a team of admins of different ability,
johnny-adds-visitor-laptops-to-vlan-17 just can't fuck up mordred-rules-production-database-servers-with-ir
UN*X/Linux doesn't work that way. You are looking for a one size fits all administrative interface and it doesn't exist.
But I can sum up some of the key points and bits of wisdom I have picked up over the years.
1) ASCII text is your friend. 98% of all the configuration files for UN*X programs live in ASCII files and they "usually" live in /etc. You can use this to write programs to update different pieces as needed. Any problem you do, you can undo. You can then run a program or use "kill -HUP" to get a process to reread that configuration.
2) Pick a programming language. Perl, AWK, Sed, ksh, all of them. You can use that programming language to roll out changes as needed, or make a lot of changes really quickly. RSH/SSH allows you to do that across multiple systems. Use it carefully!
3) Design your environment. If you know what you are going to be using the servers, workstations and/or Linux embedded appliances for, you can better decide how to automate it.
4)"Crunchy Cookie, Liquid Center".
In the end you will be automating certain administrative tasks over and over, but not all of them. That's why one size fits all won't work. It becomes a bloated security hole, so you only automate what you need and you automate it in an original and secure fashion.
As for some rock solid TLA recommendations.
SSH - SSH is your friend and, as a replacement for RSH and its ilk, you can use it to securely automate tasks. Read up on ssh-agent for automating ssh access across multiple machines.
mon - How do you know it's working if you don't test it? You need to turn on monitoring, the more specific the test and monitor the better. mon is a good PERL framework for performing any test, and it has a lot of prepackaged/contributed test scripts that come in handy.
LDAP - Lots of UN*X environments are moving to LDAP to store enterprise wide information. It depends on how big of a UN*X environment you are setting up but having a centralized directory ala LDAP can be quite handy.
PAM/NIS - Plug In Authentication Modules. You can use these to have a centralized authentication server, cuts down on password updates. NIS+ is a tried and true system for stitching UNIX Systems together but I've only seen it installed in 1 UN*X environment and I've worked in several.
If you are looking for a prebuilt system or paradigm like Microsoft Server then you need to look to Redhat, Debian, else you are going to work from the need/application outwards.
Whatever you do more than once you will automate. When you no longer can budget the amount of UN*X Admins you will need you will start to build "tools" to delegate routine tasks, these will eventually become web pages, the web page will become an application. The application will become an acronym. The acronym will become a skill. The skill will become a job requirement HR will use to backfill a position. That's the way it goes.
Enjoy!
"Don't fear death... fear not living..." -me
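An added example of the "ASCII config, scripted change, undo, then kill -HUP" workflow from the post above (my own script, not the poster's). It handles simple KEY=VALUE files; the config and PID-file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Scripted, undoable edits to a KEY=VALUE config file (added example). Values
# containing '|' or '&' are not handled, since they are special in the sed replacement.
set -u

# set_config KEY VALUE FILE: set KEY=VALUE in place, uncommenting a "#KEY=" line if
# present, appending if absent. A numbered backup is taken first so it can be undone.
set_config() {
    key=$1; value=$2; file=$3
    n=$(ls "$file".bak.* 2>/dev/null | wc -l | tr -d ' ')
    cp -p "$file" "$file.bak.$(printf '%04d' "$((n + 1))")" || return 1
    if grep -q "^[#[:space:]]*$key=" "$file"; then
        # write via a temp file and cat back so the file keeps its mode and inode
        sed "s|^[#[:space:]]*$key=.*|$key=$value|" "$file" > "$file.tmp" \
            && cat "$file.tmp" > "$file"
        rm -f "$file.tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_config KEY FILE: print the active value of KEY (commented lines are ignored)
get_config() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# undo_config FILE: restore the most recent backup and discard it
undo_config() {
    file=$1
    last=$(ls "$file".bak.* 2>/dev/null | LC_ALL=C sort | tail -n 1)
    [ -n "$last" ] || { echo "undo_config: no backup for $file" >&2; return 1; }
    cat "$last" > "$file" && rm -f "$last"
}

# reload_config PIDFILE: ask the daemon to reread its configuration (constructed path)
reload_config() {
    [ -r "$1" ] && kill -HUP "$(cat "$1")"
}

# Typical use: set_config LogLevel VERBOSE /etc/example.conf && reload_config /var/run/example.pid
```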
and the console spits out junk until you close that shell.
Just so you know, when you accidentally cat a binary file and it changes all the letters in your console to garbage characters, just blindly type
reset
and hit Enter. Fixes it every time.
Intelligent Life on Earth
I regularly access dozens of *nix systems (mostly linux & solaris). I love the fact that I can enter my private key password once on booting my laptop, and then have a tool handle all the ssh-agents in subsequent sessions. Entering one (very long and tangled :) password once is so much nicer than having to enter passwords every time I connect to a new system...
http://www.gentoo.org/proj/en/keychain.xml
Also, (obligatory) perl is great and larry wall is my hero...
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.