Friday, July 5, 2013

Installing SNORT IPS/IDS in Backtrack 6

Snort: A Network Based Intrusion Detection System (IDS)
Snort is an open source network-based intrusion detection system (NIDS) that can analyse real-time traffic and log packets on Internet Protocol (IP) networks. Snort can perform protocol analysis, content searching, and content matching. It can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface attacks, buffer overflows, server message block probes, and stealth port scans.

There are three modes in which Snort can be configured:
1) Sniffer
2) Packet logger
3) Network intrusion detection
In sniffer mode, it reads the network packets and displays them on the console. In packet logger mode, the program logs packets to disk. In intrusion detection mode, the program monitors network traffic and analyzes it against a rule set defined by the user; it then performs a specific action based on what has been identified.

In this article, we will learn how to configure Snort on BackTrack.

Snort is installed in BackTrack by default, so you only need to configure it according to your infrastructure.
First of all, start the Snort service to test whether there is any problem with the installation.
Step 1
To accomplish this, click on the Applications menu => BackTrack menu => Services, and then click on the Snort service.

Step2
Now edit the configuration file named snort.conf located in the /etc/snort directory using vim or any other text editor and change
var HOME_NET any to var HOME_NET <target ip/network address>
var EXTERNAL_NET any to var EXTERNAL_NET <attacker ip address>
Save the file and restart the Snort service with the /etc/init.d/snort restart command on a terminal.


Step 3
Now open a terminal and type the command below

snort -q -A console -i eth0 -c /etc/snort/snort.conf
Where:
       -q  quiet mode: do not show the banner and status report
       -A  set the alert mode; in this case, console
       -i  specify the interface to listen on
       -c  tell Snort the location of the configuration file



Step4
Now, to test the functionality of Snort, perform a DoS attack using LOIC.

Your Snort alarm should ring.

Note: You can download LOIC from the link below
http://sourceforge.net/projects/loic/files/latest/download

Now perform an Nmap scan;
Snort should display the alerts again.
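Once the console starts scrolling during the test above, each line is in Snort's fast alert format. As an added example (not from the article or from the Snort project), this Python parser reads such lines, counts alerts per source and signature, and flags a source that hit many distinct ports on one host, which is the shape the Nmap test leaves behind; the alert lines, signature ids and addresses below are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of what Snort prints in "-A console" (fast alert) mode. The
# signature ids (1000001..) and messages are made up for illustration.
SAMPLE_ALERTS = """\
Commencing packet processing (pid=1234)
07/05-10:12:01.100000  [**] [1:1000001:1] LOCAL ICMP echo from EXTERNAL_NET [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.168.1.10
07/05-10:12:02.200000  [**] [1:1000002:1] LOCAL TCP SYN to unused port [**] [Priority: 3] {TCP} 203.0.113.7:44120 -> 192.168.1.10:22
07/05-10:12:02.300000  [**] [1:1000002:1] LOCAL TCP SYN to unused port [**] [Priority: 3] {TCP} 203.0.113.7:44121 -> 192.168.1.10:23
07/05-10:12:02.400000  [**] [1:1000002:1] LOCAL TCP SYN to unused port [**] [Priority: 3] {TCP} 203.0.113.7:44122 -> 192.168.1.10:25
07/05-10:12:02.500000  [**] [1:1000002:1] LOCAL TCP SYN to unused port [**] [Priority: 3] {TCP} 203.0.113.7:44123 -> 192.168.1.10:80
07/05-10:12:02.600000  [**] [1:1000002:1] LOCAL TCP SYN to unused port [**] [Priority: 3] {TCP} 203.0.113.7:44124 -> 192.168.1.10:443
07/05-10:12:02.700000  [**] [1:1000002:1] LOCAL TCP SYN to unused port [**] [Priority: 3] {TCP} 203.0.113.7:44125 -> 192.168.1.10:3306
07/05-10:13:40.000000  [**] [1:1000003:2] LOCAL HTTP request with odd user agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:51000 -> 192.168.1.10:80
"""

# Fast format: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# The Classification block is optional; ports are absent for ICMP. IPv4 only.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return a dict for one fast-format alert line, or None for any other console output."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        a[k] = int(a[k])
    a["sport"] = int(a["sport"]) if a["sport"] else None
    a["dport"] = int(a["dport"]) if a["dport"] else None
    return a

def parse_alerts(text):
    return [a for a in map(parse_alert, text.splitlines()) if a]

def alert_counts(text):
    """Alerts per (source address, signature id): the first thing to look at when
    the console starts scrolling during a test."""
    return Counter((a["src"], a["sid"]) for a in parse_alerts(text))

def suspected_port_sweeps(text, min_ports=5):
    """Sources whose alerts touched at least `min_ports` distinct destination ports
    on a single host, the pattern a port scan leaves in the alert stream."""
    targets = defaultdict(set)
    for a in parse_alerts(text):
        if a["dport"] is not None:
            targets[(a["src"], a["dst"])].add(a["dport"])
    return sorted({src for (src, _), ports in targets.items() if len(ports) >= min_ports})

if __name__ == "__main__":
    for (src, sid), n in alert_counts(SAMPLE_ALERTS).most_common():
        print(f"{src:>15}  sid {sid}  x{n}")
    print("possible port sweep from:", suspected_port_sweeps(SAMPLE_ALERTS))
```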
Source: http://security.koenig-solutions.com

For more information on configuring an Intrusion Prevention System (IPS) using Snort, please visit the link below:
http://www.aboutdebian.com/snort.htm

Intrusion Prevention System (IPS) in Linux!

Fail2ban Intrusion Prevention System (IPS) in Linux

Fail2ban is an open source, free intrusion prevention framework developed in the Python programming language. Fail2ban operates by monitoring log files such as /var/log/pwdfail, /var/log/auth.log, /var/log/secure, etc. and bans an IP address after too many password failure attempts. It updates iptables firewall rules to reject the IP address for a specified amount of time.
 
This article shows you how to install and configure Fail2ban under RHEL 6.3/6.2/6.1/6.0/5.8, CentOS 6.3/6.2/6.1/6.0/5.8 and Fedora 17,16,15,14,13,12 systems. Fail2ban runs as a daemon that uses Python scripts to parse log files for system intrusion attempts and adds custom rules to the iptables configuration to ban access from certain IP addresses.
 
Before heading into the installation and configuration of Fail2Ban, I would like to point out that most attackers try to gain root access via SSH. So I recommend that you pay close attention to things such as disabling SSH root logins and using an SSH key pair for authentication.

Installing Fail2Ban in RHEL, CentOS and Fedora

By default Fail2Ban is not available on these Linux systems, so you will need to add and enable the third-party RPMForge repository or the EPEL repository on your Linux box. Once you’ve added the repository, install it using the following YUM command.
# yum install fail2ban

Configuring Default section for Fail2Ban

The master Fail2Ban configuration file is located at /etc/fail2ban/jail.conf. Open it using the vi editor or any editor you feel comfortable with.
# vi /etc/fail2ban/jail.conf
Now you will see the DEFAULT section with some basic rules that are followed by fail2ban itself. If you want to add an extra layer of protection to your server, you can customize each rule section as per your needs.
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3
Let me describe each option and the purpose it serves.
  1. ignoreip : This option allows you to whitelist certain IP addresses so they are never blocked. Here you can specify a space-separated list of IP addresses; make sure you include your own address.
  2. bantime : The number of seconds that a host is banned from the server. The default is 600 (600 seconds = 10 minutes); you may increase this to an hour or higher if you like.
  3. findtime : The window, in seconds, over which failed attempts are counted. The default is 10 minutes, meaning that if a host attempts, and fails, to log in more than the maxretry number of times within that window, it will be banned.
  4. maxretry : The number of failed login attempts before a host is blocked for the length of the ban time.

Configuring ssh-iptables section for Fail2Ban

The following section is the default ssh-iptables section, and it is turned on by default, so you don’t need to make any changes to it.
[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5
You can find the details of each option described below.
  1. enabled : This indicates that SSH protection is on. You can turn it off by changing the word “true” to “false”.
  2. filter : This is set to sshd by default and refers to the config file (/etc/fail2ban/filter.d/sshd.conf) containing the rules that fail2ban uses to find matches.
  3. action : This tells fail2ban to ban a matching IP address once a filter matches, using the /etc/fail2ban/action.d/iptables.conf action. If your server has mail set up, you can add an email address where fail2ban sends you an email alert whenever it bans an IP address. The sender section refers to the file /etc/fail2ban/action.d/sendmail-whois.conf.
  4. logpath : The path of the log file that fail2ban will track.
  5. maxretry : The same definition as the default option that we discussed above.

Restarting Fail2Ban Service

Once you’ve made changes to the fail2ban config file, always make sure to restart the Fail2Ban service.
# chkconfig --level 23 fail2ban on
# service fail2ban start
Starting fail2ban:                                         [  OK  ]

Verifying Fail2Ban iptables rules

Check that the rules fail2ban added are in effect in the iptables chains.
# iptables -L
I made some failed login attempts from one of our servers to the server where fail2ban is installed, and it works. You can see the banned IP address of my server.
Message from syslogd@tecmint at Nov 23 13:57:53 ...
fail2ban.actions: WARNING [ssh-iptables] Ban 15.13.14.40
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp multiport dports 5901:5903,6001:6003
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP all -- 15.113.134.40 anywhere
RETURN     all  --  anywhere             anywhere

Watch Failed SSH login attempts

To see the current SSH failed login attempts, run the following command; it will display a list of failed attempts by host.
# cat /var/log/secure | grep 'Failed password' |  sort | uniq -c
1 Nov 19 16:53:37 tecmint sshd[28185]: Failed password for root from 172.16.25.125 port 1302 ssh2
1 Nov 23 13:57:43 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2
1 Nov 23 13:57:46 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2
1 Nov 23 13:57:50 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2
1 Oct 18 14:11:58 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:03 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:11 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:16 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:22 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:28 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:47 tecmint sshd[10719]: Failed password for root from 172.16.18.249 port 4774 ssh2
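As an added example (not part of the original article or of Fail2ban itself), the following Python simulates the DEFAULT-section rule from above (maxretry failures within findtime seconds, then a ban of bantime seconds, with ignoreip exempt) over log lines modelled on the /var/log/secure output just shown, and renders the DROP rule that the iptables action inserts into the fail2ban-SSH chain; the log sample and the year assumed for its timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the "Failed password" lines from /var/log/secure above.
SAMPLE_LOG = """\
Nov 19 16:53:37 tecmint sshd[28185]: Failed password for root from 172.16.25.125 port 1302 ssh2
Nov 23 13:57:43 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2
Nov 23 13:57:46 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2
Nov 23 13:57:50 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2
Oct 18 14:11:58 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
Oct 18 14:12:03 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
Oct 18 14:12:11 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
Oct 18 14:12:16 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
Oct 18 14:12:22 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
Oct 18 14:12:28 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
Oct 18 14:12:47 tecmint sshd[10719]: Failed password for root from 172.16.18.249 port 4774 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)
ASSUMED_YEAR = 2012  # syslog lines carry no year; constructed assumption for the sample

def parse_failures(text):
    """(timestamp, host) for every failed-password line, in time order."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("host")))
    return sorted(events)

def simulate_bans(events, maxretry=3, findtime=600, bantime=600, ignoreip=("127.0.0.1",)):
    """Apply the jail rule: a host is banned once it has produced `maxretry`
    failures within the last `findtime` seconds. Returns {host: time_of_ban}.
    Failures arriving while a ban is in force are ignored (iptables drops them)."""
    window, ban_len = timedelta(seconds=findtime), timedelta(seconds=bantime)
    recent = defaultdict(list)
    bans = {}
    for ts, host in events:
        if host in ignoreip:
            continue
        if host in bans and ts < bans[host] + ban_len:
            continue
        # keep only failures still inside the findtime window, then add this one
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            bans[host] = ts
            recent[host] = []
    return bans

def iptables_ban_rules(bans, chain="fail2ban-SSH"):
    """The per-host rule fail2ban's iptables action inserts (the DROP lines seen
    in the fail2ban-SSH chain of `iptables -L` above)."""
    return [f"iptables -I {chain} 1 -s {host} -j DROP" for host in sorted(bans)]

if __name__ == "__main__":
    bans = simulate_bans(parse_failures(SAMPLE_LOG))
    for host, when in sorted(bans.items()):
        print(f"{when:%b %d %H:%M:%S} Ban {host}")
    print("\n".join(iptables_ban_rules(bans)))
```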

Remove IP Address from Fail2Ban

To remove a banned IP address from the fail2ban iptables rules, run the following command. The chain name is case-sensitive and must match the chain shown by iptables -L (here fail2ban-SSH); the trailing number is the position of the rule within that chain.
# iptables -D fail2ban-SSH 1
For any additional information, please visit the Fail2ban official page. If you have any questions or comments about this article, please tell us via the comments.
 

Simple Bandwidth Monitoring tool for Linux!

IFTOP - Bandwidth Monitoring Tool -CentOS, RHEL, Fedora

IFTOP shows a real-time, continuously updated list of network connections ordered by their bandwidth usage, averaged over the last 2, 10 and 40 seconds. In this post we are going to see the installation and how to use IFTOP with examples.
Install iftop in Linux
Install iftop in RHEL / CentOS / Fedora

IFTOP Pre-requisite

  1. libpcap : a library that provides user-level network packet capture and statistics.
  2. libncurses : an API programming library that enables programmers to provide text-based interfaces in a terminal.

Install libpcap and libncurses

Install the libpcap and libncurses libraries with the YUM command shown below for an error-free iftop installation.
# yum -y install libpcap libpcap-devel ncurses ncurses-devel

Download and Install IFTOP

Download iftop from its website with the wget command as shown below.
# wget http://www.ex-parrot.com/pdw/iftop/download/iftop-0.17.tar.gz
Run all of the commands below to install iftop.
# tar -zxvf iftop-0.17.tar.gz
# cd iftop-0.17
# ./configure
# make
# make install

Basic usage of Iftop

Once the installation is done, go to your console and type the iftop command.
# iftop
Sample output of the iftop command, showing the bandwidth of the default interface:
[Screenshot: iftop command output]

Monitoring Specific Interface

You can give a specific interface to monitor with the -i option.
# iftop -i eth0
[Screenshot: iftop -i eth0 output]

Iftop Options and Usage

While running iftop you can use keys such as S and D to see more information, like source and destination. Run man iftop if you want to explore more options and tricks. Press ‘q’ to quit the running window.
In this article we have seen how to install and use iftop. If you want to know more about it, please visit the iftop website.

Source: http://www.tecmint.com

Tuesday, June 18, 2013

VNC Configuration in CentOS

VNC is used to display an X Windows session running on another computer. Unlike a remote X connection, the X server is running on the remote computer, not on your local workstation. Your workstation (Linux or Windows) is only displaying a copy of the display (real or virtual) that is running on the remote machine.
There are several ways to configure the VNC server. This HOWTO shows you how to configure VNC using the 'vncserver' service as supplied by CentOS.

1. Installing the required packages

The server package is called 'vnc-server'. Run the command: rpm -q vnc-server
The result will be either "package vnc-server is not installed" or something like "vnc-server-4.0-11.el4".
If the server is not installed, install it with the command: yum install vnc-server
The client program is 'vnc'. You can use the command yum install vnc to install the client if rpm -q vnc shows that it is not already installed.
Make sure to install a window manager in order to get a full-featured GUI desktop. For example, you can use the command yum groupinstall "GNOME Desktop Environment" to install the GNOME desktop and its requirements. Other popular desktop environments are "KDE" and "XFCE-4.4". XFCE is more lightweight than GNOME or KDE and is available from the "extras" repository.
If you are a minimalist, or simply testing, however, it is sufficient to have yum install a simple xterm client: yum install xterm
Note: If you are running CentOS 6, the command is yum groupinstall Desktop
Note: If you are running CentOS 5, yum groupinstall "GNOME Desktop Environment" may complain about a missing libgaim.so.0. This is a known bug; please see the CentOS-5 FAQ for details.
Note: If you are running CentOS 6, the server package is tigervnc-server, not vnc-server.

2. Configuring un-encrypted VNC

We will be setting up VNC for 3 users: 'larry', 'moe', and 'curly'.
You will perform the following steps to configure your VNC server:
  1. Create the VNC users accounts.
  2. Edit the server configuration.
  3. Set your users' VNC passwords.
  4. Confirm that the vncserver will start and stop cleanly.
  5. Create and customize xstartup scripts.
  6. Amend the iptables.
  7. Start the VNC service.
  8. Test each VNC user.
  9. Additional optional enhancements

2.1. Create the VNC user accounts

As root:
$ su -
# useradd larry
# useradd moe
# useradd curly
# passwd larry
# passwd moe
# passwd curly

2.2. Edit the server configuration

Edit /etc/sysconfig/vncservers, and add the following to the end of the file.
VNCSERVERS="1:larry 2:moe 3:curly"
VNCSERVERARGS[1]="-geometry 640x480"
VNCSERVERARGS[2]="-geometry 640x480"
VNCSERVERARGS[3]="-geometry 800x600"
Larry will have a 640 by 480 screen, as will Moe. Curly will have an 800 by 600 screen.
Note: This step is not out of sequence. It is placed here so that the next step (setting the users' VNC passwords) falls immediately before the start/stop test, whose failure would then point straight at that step if it was skipped.

2.3. Set your users' VNC passwords

Switch user into the account of each user and, as shown below, run vncpasswd. This will create the ~/.vnc directory for that user:
[~]# su - larry
[~]$ vncpasswd
[~]$ cd .vnc
[.vnc]$ ls
passwd
[.vnc]$ exit
[~]#

2.4. Confirm that the vncserver will start and stop cleanly

We create the xstartup scripts by starting and stopping the vncserver as root. We also enable the vncserver service to start automatically.
# /sbin/service   vncserver start
# /sbin/service   vncserver stop
# /sbin/chkconfig vncserver on
Note: if you omitted the preceding step of logging in as each configured user and creating their ~/.vnc/ subdirectory, this test will fail.

2.5. Create xstartup scripts ( You may omit this step for CentOS 6 )

Log in as each user and edit the xstartup script. Using Larry as the example, first log in as larry:
[~]$ cd .vnc
[.vnc]$ ls
mymachine.localnet:1.log  passwd  xstartup
Edit ~/.vnc/xstartup for each user. The original should appear as follows:
#!/bin/sh
# Uncomment the following two lines for normal desktop:
# unset SESSION_MANAGER
# exec /etc/X11/xinit/xinitrc
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &
Add the line indicated below to ensure that an xterm is always present, and uncomment the two lines as directed if you wish to run the user's normal desktop window manager in the VNC session. Note that at the likely reduced resolution and color depth of a VNC window the full desktop will be rather cramped and look a bit odd. If you do not uncomment the two lines you will get a gray speckled background in the VNC window.
#!/bin/sh
# Add the following line to ensure you always have an xterm available.
( while true ; do xterm ; done ) &
# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &

2.6. Amend the iptables

The iptables rules in /etc/sysconfig/ need to be amended to open the VNC ports; if a local IPv6 setup is in use, those rules need to be amended as well:
[root@xen-221 sysconfig]# cat iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@xen-221 sysconfig]#
... and then restart iptables:
# /sbin/service iptables restart

2.7. Start the VNC server

Start the vncserver as root.
# /sbin/service vncserver start

2.8. Test each VNC user

2.8.1. Testing with a java enabled browser

Let us assume that mymachine has an IP address of 192.168.0.10. The URLs to connect to each of the users will be:
Larry is http://192.168.0.10:5801
Moe   is http://192.168.0.10:5802
Curly is http://192.168.0.10:5803
Connect to http://192.168.0.10:5801. A Java applet window will pop up showing a connection to your machine on display :1. Click the [OK] button. Enter larry's VNC password, and a 640x480 window should open using the default window manager selected for larry. The ports 5801, 5802 and 5803 above must be open in the firewall (iptables) for the source IP addresses or subnets of a given client.

2.8.2. Testing with a vnc client

For Larry: vncviewer 192.168.0.10:1
For   Moe: vncviewer 192.168.0.10:2
For Curly: vncviewer 192.168.0.10:3
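The firewall note in 2.8.1 is easy to check mechanically. As an added example (not from the CentOS wiki), this Python derives the ports each display in /etc/sysconfig/vncservers needs, using the 5900+N (vncviewer), 5800+N (Java applet) and 6000+N (X display) conventions this HOWTO relies on, and reports those that the iptables file does not open; with the two files shown above it reports 5801-5803, which only the browser-based test needs.

```python
import re

# Constructed copies of the two files from this HOWTO (/etc/sysconfig/vncservers and
# /etc/sysconfig/iptables), trimmed to the lines that matter here.
VNCSERVERS_CONF = """\
VNCSERVERS="1:larry 2:moe 3:curly"
VNCSERVERARGS[1]="-geometry 640x480"
VNCSERVERARGS[2]="-geometry 640x480"
VNCSERVERARGS[3]="-geometry 800x600"
"""

IPTABLES_CONF = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_displays(text):
    """{display_number: user} from the VNCSERVERS= line."""
    m = re.search(r'^VNCSERVERS="([^"]*)"', text, re.M)
    displays = {}
    for item in (m.group(1).split() if m else []):
        num, user = item.split(":", 1)
        displays[int(num)] = user
    return displays

# Port conventions assumed here, matching the HOWTO: display :N is reached on
# 5900+N (vncviewer), 5800+N (Java applet over HTTP) and 6000+N (X display).
def required_ports(displays):
    needed = {}
    for n, user in displays.items():
        needed[5900 + n] = f"{user}: vncviewer host:{n}"
        needed[5800 + n] = f"{user}: browser http://host:{5800 + n}"
        needed[6000 + n] = f"{user}: X display :{n}"
    return needed

def open_tcp_ports(text):
    """TCP ports accepted by explicit INPUT rules (--dport and multiport --dports,
    ranges included). Interface-wide accepts such as '-i eth1' are not modelled."""
    ports = set()
    for line in text.splitlines():
        if not (line.startswith("-A INPUT") and "-p tcp" in line and "-j ACCEPT" in line):
            continue
        m = re.search(r"--dports? (\S+)", line)
        if not m:
            continue
        for spec in m.group(1).split(","):
            lo, _, hi = spec.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def missing_ports(vncservers_text, iptables_text):
    """Ports a configured display needs that no INPUT rule opens."""
    needed = required_ports(parse_displays(vncservers_text))
    opened = open_tcp_ports(iptables_text)
    return {p: why for p, why in sorted(needed.items()) if p not in opened}

if __name__ == "__main__":
    for port, why in missing_ports(VNCSERVERS_CONF, IPTABLES_CONF).items():
        print(f"port {port} not opened ({why})")
```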

Source: http://wiki.centos.org/HowTos/VNC-Server

Thursday, May 30, 2013

Ethernet Card and Link Information in Linux

Command to find out Ethernet card driver name

You can try any one of the following commands to find out your Ethernet card driver:
# lspci | grep Ethernet
Output:
04:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5722 Gigabit Ethernet PCI Express
05:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8169 PCI Gigabit Ethernet Controller (rev 10)
        Subsystem: Realtek Semiconductor Co., Ltd. RTL8169/8110 Family PCI Gigabit Ethernet NIC
Or

# dmesg | grep 'Ethernet driver'

Output:
8139cp: 10/100 PCI Ethernet driver v1.2 (Mar 22, 2004)
Or search a file called /var/log/dmesg:

# grep 'Ethernet driver' /var/log/dmesg

Output:
8139too Fast Ethernet driver 0.9.27
8139cp: 10/100 PCI Ethernet driver v1.2 (Mar 22, 2004)

You can also get driver name from config file:

# grep eth0 /etc/modprobe.conf

Output:
alias eth0 8139too

OR

# vi /etc/modprobe.conf

Search for eth0 string.

In the above example 8139too is the driver loaded for eth0. You can find out more information about this driver using the modinfo command:

# modinfo 8139too

modinfo is a program to show information about a Linux kernel module. You can also list all loaded modules or drivers using the lsmod command:

# lsmod | less

lsmod is a program to show the status of modules in the Linux Kernel.

Command to check Ethernet Link status

# mii-tool eth0
Output: eth0: negotiated 100baseTx-FD flow-control, link ok


Wednesday, May 29, 2013

Init Script to Start Oracle Database 11g R2 Automatically at Reboot


[root@db01 ~]# vi /etc/oratab
# This file is used by ORACLE utilities. It is created by root.sh
# and updated by the Database Configuration Assistant when creating
# a database.
# A colon, ':', is used as the field terminator. A new line terminates
# the entry. Lines beginning with a pound sign, '#', are comments.
#
# Entries are of the form:
# $ORACLE_SID:$ORACLE_HOME:<N|Y>:
#
# The first and second fields are the system identifier and home
# directory of the database respectively. The third filed indicates
# to the dbstart utility that the database should , "Y", or should not,
# "N", be brought up at system boot time.
#
# Multiple entries with the same $ORACLE_SID are not allowed.
#
#
orcl:/opt/app/oracle/product/11.2.0/dbhome_1:Y  #default N
 
[root@db01 ~]# vi  /home/oracle/.bash_profile
# add your SID as the last line
export ORACLE_SID=orcl

Create init script for Oracle

[root@db01 ~]# vi /etc/rc.d/init.d/oracle
 

#!/bin/bash

# oracle: Start/Stop Oracle Database 11g R2
#
# chkconfig: 345 90 10
# description: The Oracle Database is an Object-Relational Database Management System.
#
# processname: oracle

. /etc/rc.d/init.d/functions

LOCKFILE=/var/lock/subsys/oracle
ORACLE_HOME=/opt/app/oracle/product/11.2.0/dbhome_1
ORACLE_USER=oracle

case "$1" in
'start')
   if [ -f "$LOCKFILE" ]; then
      echo "$0 already running."
      exit 1
   fi
   echo -n $"Starting Oracle Database:"
   # Listener first, then every instance flagged Y in /etc/oratab, then Database Control
   su - "$ORACLE_USER" -c "$ORACLE_HOME/bin/lsnrctl start"
   su - "$ORACLE_USER" -c "$ORACLE_HOME/bin/dbstart $ORACLE_HOME"
   su - "$ORACLE_USER" -c "$ORACLE_HOME/bin/emctl start dbconsole"
   touch "$LOCKFILE"
   ;;
'stop')
   if [ ! -f "$LOCKFILE" ]; then
      echo "$0 already stopped."
      exit 1
   fi
   echo -n $"Stopping Oracle Database:"
   su - "$ORACLE_USER" -c "$ORACLE_HOME/bin/lsnrctl stop"
   su - "$ORACLE_USER" -c "$ORACLE_HOME/bin/dbshut"
   su - "$ORACLE_USER" -c "$ORACLE_HOME/bin/emctl stop dbconsole"
   rm -f "$LOCKFILE"
   ;;
'restart')
   $0 stop
   $0 start
   ;;
'status')
   if [ -f "$LOCKFILE" ]; then
      echo "$0 started."
   else
      echo "$0 stopped."
   fi
   ;;
*)
   echo "Usage: $0 {start|stop|restart|status}"
   exit 1
   ;;
esac

exit 0

[root@db01 ~]# chmod 755 /etc/rc.d/init.d/oracle
[root@db01 ~]# /etc/rc.d/init.d/oracle start
Starting Oracle Database:
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 12-JUL-2011 23:41:57

Copyright (c) 1991, 2009, Oracle.  All rights reserved.

Starting /opt/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 11.2.0.1.0 - Production
System parameter file is /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
Log messages written to /opt/app/oracle/diag/tnslsnr/db01/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl.localhost)(PORT=1521)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl.localhost)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.1.0 - Production
Start Date                12-JUL-2011 23:41:57
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
Listener Log File         /opt/app/oracle/diag/tnslsnr/db01/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl)(PORT=1521)))
The listener supports no services
The command completed successfully
Processing Database instance "orcl": log file /opt/app/oracle/product/11.2.0/dbhome_1/startup.log
Oracle Enterprise Manager 11g Database Control Release 11.2.0.1.0
Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.
https://orcl:1158/em/console/aboutApplication
Starting Oracle Enterprise Manager 11g Database Control ........ started.
------------------------------------------------------------------
Logs are generated in directory /opt/app/oracle/product/11.2.0/dbhome_1/db01.server.world_db01/sysman/log

[root@db01 ~]# chkconfig --add oracle
[root@db01 ~]# chkconfig oracle on

Enjoy!!!!

Setting Time Zone in CentOS 5

Check the current timezone
# cat /etc/sysconfig/clock
ZONE="America/Toronto"
UTC=true
ARC=false
There are two ways to change the timezone on CentOS.

1. Set the timezone by running system-config-date command
Before running the system-config-date tool, I created a file named “timestamp” to serve as a time reference.
# date > timestamp
Type the system-config-date command at the command line to start the time and date properties tool.
# system-config-date
I selected “America/Vancouver” and pressed “OK” to exit.
Use the following command to find which configuration files were changed.
# find /etc -newer timestamp
/etc/sysconfig/clock
/etc/localtime

From the above output, I know /etc/sysconfig/clock and /etc/localtime were changed. Opening the file /etc/sysconfig/clock, I found that “ZONE” had been changed. And I found that /etc/localtime had the same size as the file “/usr/share/zoneinfo/America/Vancouver”.

2. Set the timezone using /etc/sysconfig/clock and /etc/localtime configuration files
Since I know which files affect the timezone, I can modify them manually. Use “vi” to modify the file /etc/sysconfig/clock and change “Vancouver” back to “Toronto”. Then copy “/usr/share/zoneinfo/America/Toronto” to /etc/localtime, or use the symbolic link command as below.
# ln -sf /usr/share/zoneinfo/America/Toronto /etc/localtime

Write the current System Time to the Hardware Clock
After changing the timezone, don’t forget to check the date and time using the date command, and then write the current System Time to the Hardware Clock.
# hwclock --systohc

Display date and time according to timezone
You can use the TZ environment variable to display the date and time according to a timezone. For example, I can display the local time of Los Angeles as below.

$ export TZ=America/Los_Angeles
$ date

There are two clocks on a Linux system: the Hardware Clock and the System Time. The Hardware Clock keeps running after the system shuts down. When a Linux system boots, the script /etc/rc.d/rc.sysinit runs the /sbin/hwclock program to set the System Time from the Hardware Clock. When you want to set the Hardware Clock, you should use the date command to set the System Time first, and then set the Hardware Clock to the current System Time with the command /sbin/hwclock --systohc.

Installation and Configuration of Oracle 11g R2 database in CentOS 5! (WORKED EXAMPLE)

Log into the CentOS-5 system as the root user.
To set up the system for Oracle there are a few prerequisites that must be checked and possibly changed by the root user. Log in as the root user; this document will tell you when it is time to switch from the root user to someone else.
How much memory
command: grep -i memtotal /proc/meminfo
results: should be at least 1GB
 
How much swap
command: grep -i swaptotal /proc/meminfo
results: should be 1.5 times the size of memtotal if memtotal < 2GB
         should be equal to memtotal if memtotal is between 2GB and 8GB
         should be 0.75 times the size of memtotal if memtotal > 8GB
 
What processor type
command: grep "model name" /proc/cpuinfo
results: informational
How much available RAM and swap
command: free
results: informational
 
How much shared memory available
command: df -k /dev/shm
results: informational
purpose: The shared memory should be sized to be at least the greater of MEMORY_MAX_TARGET and MEMORY_TARGET for each Oracle instance on the computer.
 
How much disk space in /tmp
command: df -k /tmp
results: should have at least 400MB available
 
How much disk space for Oracle binaries
command: df -k
results: Depending on installation type you should have between 1.5GB and 3.5GB
 
Checking Software Requirements
What distribution and version of Linux is installed
command: cat /proc/version
results: Linux version 2.6.18-8.1.15.el5 (mockbuild@builder6.centos.org)
         (gcc version 4.1.1 20070105 (Red Hat 4.1.1-52))
         #1 SMP Mon Oct 22 08:32:04 EDT 2007
 
What version of the kernel is installed
command: uname -r
results: 2.6.18-8.1.15.el5
 
 
Are the following packages installed (assumes a CentOS-5 or later distribution)
command: rpm -q binutils \
            compat-libstdc++ \
            elfutils-libelf \
            elfutils-libelf-devel \
            glibc \
            glibc-common \
            glibc-devel \
            glibc-headers \
            gcc \
            gcc-c++ \
            libaio-devel \
            libaio \
            libgcc \
            libstdc++ \
            libstdc++ \
            make \
            sysstat \
            unixODBC \
            unixODBC-devel
results: you will probably find quite a few packages that are not installed with a typical installation. You can investigate missing packages with the following command, adding to or subtracting from this list as necessary.
yum list available "compat*" \
                   "elfutils*" \
                   "glibc*" \
                   "gcc*" \
                   "libaio*" \
                   "sysstat*" \
                   "unixODBC*"
action : Our base installation left us needing to issue the following command to install the missing packages.
 
yum -y install compat-libstdc++-296.i386 \
               compat-libstdc++-33.i386 \
               elfutils-libelf-devel.i386 \
               glibc-devel.i386 \
               glibc-headers.i386 \
               gcc.i386 \
               gcc-c++.i386 \
               libaio-devel.i386 \
               sysstat.i386 \
               unixODBC.i386 \
               unixODBC-devel.i386
 
 
Create Oracle user and group
Create groups oinstall & dba
command: /usr/sbin/groupadd oinstall
         /usr/sbin/groupadd dba
 
Create the oracle user and set its password
command: /usr/sbin/useradd -g oinstall -G dba -s /bin/bash oracle
         /usr/bin/passwd oracle
 
Validate the nobody user exists
command: /usr/bin/id nobody
results: this user is almost always created on a base CentOS installation
action : if this user does not exist, use the following command to create it
         /usr/sbin/useradd nobody
 
Configuring kernel parameters
The following kernel parameters must be validated and possibly changed. Use the commands given below to view a particular kernel setting, and then change it if the setting is lower than the recommendation given in the following table.
 
You can make the changes by editing the /etc/sysctl.conf file and then rebooting the server. The following results are what we observed on our server and should not be expected on yours.
Parameter             Recommended value
shmmni                4096
shmall                2097152
shmmax                2147483648
semmsl                250
semmns                32000
semopm                100
semmni                128
file-max              65536
ip_local_port_range   1024 - 65000
rmem_default          1048576
rmem_max              1048576
wmem_default          262144
wmem_max              262144
 
 
command: /sbin/sysctl -a | grep kernel.sem
results: kernel.sem = 250        32000   100     128
 
command: /sbin/sysctl -a | grep kernel.shm
results: kernel.shmmni = 4096
         kernel.shmall = 268435456
         kernel.shmmax = 4294967295
 
command: /sbin/sysctl -a | grep file-max
results: fs.file-max = 102440
 
command: /sbin/sysctl -a | grep ip_local_port_range
results: net.ipv4.ip_local_port_range = 32768    61000
 
command: /sbin/sysctl -a | grep rmem_default
results: net.core.rmem_default = 109568
 
command: /sbin/sysctl -a | grep rmem_max
results: net.core.rmem_max = 131071
 
command: /sbin/sysctl -a | grep wmem_default
results: net.core.wmem_default = 109568
 
command: /sbin/sysctl -a | grep wmem_max
results: net.core.wmem_max = 131071
 
Sample /etc/sysctl.conf file. This is given as an example only and does not reflect the results obtained above with the /sbin/sysctl commands. Add only the lines that are needed, and never set a value lower than the one the base installation assigned.
 
kernel.shmall = 2097152
kernel.shmmax = 2147483648
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
net.core.rmem_default = 4194304
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 262144
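
An added example, not part of the original post: a POSIX sh script that reads each parameter from /proc/sys, compares it with the minimums in the table above and prints the /etc/sysctl.conf lines you still need. It assumes a Linux host with /proc/sys mounted; treating ip_local_port_range as a range (lower bound at most 1024, upper bound at least 65000) is my reading of the table rather than something the guide states.

```sh
#!/bin/sh
# Added example, not from the original post: compare the running kernel
# parameters with the minimums recommended in the table above and print
# the /etc/sysctl.conf lines that still need adding or raising. Values are
# read straight from /proc/sys, so it runs as an unprivileged user on any
# Linux host (assumed: /proc/sys is mounted).

# Recommended minimums, copied from the table in this guide.
RECOMMENDED='kernel.shmmni 4096
kernel.shmall 2097152
kernel.shmmax 2147483648
kernel.sem 250 32000 100 128
fs.file-max 65536
net.ipv4.ip_local_port_range 1024 65000
net.core.rmem_default 1048576
net.core.rmem_max 1048576
net.core.wmem_default 262144
net.core.wmem_max 262144'

# read_param KEY -> current value of e.g. net.core.rmem_max, or empty if the
# key does not exist on this host
read_param() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo ""; fi
}

# fields_ok CURRENT MINIMUM -> succeeds if every whitespace-separated field
# of CURRENT is >= the matching field of MINIMUM (kernel.sem has four fields;
# /proc separates them with tabs, which word splitting handles)
fields_ok() {
    min=$2
    set -- $1
    for m in $min; do
        [ $# -gt 0 ] || return 1
        [ "$1" -ge "$m" ] 2>/dev/null || return 1
        shift
    done
    return 0
}

# range_ok "LOW HIGH" REC_LOW REC_HIGH -> for ip_local_port_range the
# recommendation is a range, so the current lower bound must not be above
# REC_LOW and the upper bound must not be below REC_HIGH (my reading of the
# table; the guide only says "lower than the recommendation")
range_ok() {
    rec_low=$2; rec_high=$3
    set -- $1
    [ $# -eq 2 ] || return 1
    [ "$1" -le "$rec_low" ] && [ "$2" -ge "$rec_high" ]
}

# needs_change KEY CURRENT MIN... -> succeeds when CURRENT must be raised.
# Pure function (no /proc access) so it can be exercised with sample values.
needs_change() {
    key=$1; current=$2; shift 2
    case "$key" in
        net.ipv4.ip_local_port_range) ! range_ok "$current" "$1" "$2" ;;
        *)                            ! fields_ok "$current" "$*" ;;
    esac
}

# check_one KEY MIN... -> prints a ready-to-paste sysctl.conf line if the
# live value is missing or below the minimum, nothing otherwise
check_one() {
    key=$1; shift
    if needs_change "$key" "$(read_param "$key")" "$@"; then
        printf '%s = %s\n' "$key" "$*"
    fi
}

# check_all -> sysctl.conf lines for every parameter that needs raising
check_all() {
    printf '%s\n' "$RECOMMENDED" | while read -r key min; do
        check_one $key $min
    done
}

check_all
```

Run it before editing /etc/sysctl.conf and paste the printed lines in. A parameter that prints nothing already meets the minimum, which keeps you from lowering a value the base installation had set higher, as the note above warns against.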
 
 
Setting shell limits for the Oracle user
Add the following lines to /etc/security/limits.conf
oracle soft nproc  2047
oracle hard nproc  16384
oracle soft nofile 1024
oracle hard nofile 65536
 
Add the following lines to /etc/pam.d/login
session required /lib/security/pam_limits.so
session required pam_limits.so
 
Add the following lines to /etc/profile
if [ "$USER" = "oracle" ]; then
  if [ "$SHELL" = "/bin/ksh" ]; then
    ulimit -p 16384
    ulimit -n 65536
  else
    ulimit -u 16384 -n 65536
  fi
fi
 
Creating Directories to Install the Oracle Software
Validate that you have enough space on disk and choose an installation directory
command: df -k
results: pick a mount point that has enough space; we have chosen /opt for ours.
 
Create subdirectories and give permissions to the oracle user
The following directory structure is common for Oracle installations. Note that we create everything under /opt and assume that no other application uses /opt/app or anything below it. This matters because the following commands change ownership and permissions recursively.
command: mkdir -p /opt/app/oracle/product/11.2.0
         chown -R oracle:oinstall /opt/app
         chmod -R 775 /opt/app
 
Switch to the oracle user
Up to now we have been doing everything as the root user. It is now time to switch to the oracle user to actually install the Oracle software.
command: su - oracle
Add the following line to $HOME/.bash_profile
umask 022
 
 
Source oracle's .bash_profile so the new setting takes effect
command: . ./.bash_profile
 
Make sure the oracle user can open an X Windows System display
It is assumed you know how to set up an X Windows System, as stated earlier in the document. However, you first need to issue the following command as the root user.
 
#xhost +  (disables X access control so the X server accepts connections from any client)
 
Then verify it is working: as the oracle user, set DISPLAY, issue the xterm command and check that an X Terminal comes up.
 
$export DISPLAY=<hostname>:0.0
$xterm
 
You may close the X Terminal if you wish.

 

Set Oracle environment for the installation
Issue the following commands to set/unset particular Oracle environments in preparation for the installation.
command: export ORACLE_BASE=/opt/app/oracle
         export ORACLE_SID=orcl
         unset  ORACLE_HOME
         unset  TNS_ADMIN
 
Start Oracle Installer
 
Unzip both archives into /opt (unzip takes one archive per invocation; any further file names would be treated as members to extract, not as additional archives)
 
$unzip linux_11gR2_database_1of2.zip -d /opt
$unzip linux_11gR2_database_2of2.zip -d /opt
$cd /opt/database
$./runInstaller
 
From this point, Oracle will do a few minor checks on the operating system and then put up the Oracle Installation screen. Our particular configuration did not throw any errors at this point, but it is worth noting that the Oracle installer sometimes complains at this very early stage about various Linux system settings. If this is the case you might be able to bypass them by adding an additional argument to the runInstaller command. Please use this only as a last resort when the normal installation path fails.
command: ./runInstaller -ignoreSysPrereqs
 
From this point on we will walk through each of the prompts one at a time to give you a simple feel for a full installation of the Oracle software.
 
Select installation method
This screen is very busy to say the least. We are not going to create any databases at this point as it is not required nor is it suggested to do at this point. We like to create databases separately through the Database Creation Assistant (DBCA) and not confuse the software installation process.
1.    Choose basic installation
      1.    verify Oracle Base of '/opt/app/oracle'
      2.    verify Oracle Home of '/opt/app/oracle/product/11.2.0/db_1'
      3.    verify installation type of 'Enterprise Edition'
      4.    verify dba group of 'dba'
2.    Un-check “Create Starter Database”
3.    Un-check “Advanced Installation”
4.    Click <NEXT>
 
Specify Inventory directory and credentials
1.    verify path of inventory directory of '/opt/app/oraInventory'
2.    verify group name for install of 'oinstall'
3.    Click <NEXT>
 
Product-Specific Prerequisite Checks
On this screen the installer verifies the system environment and reports any issues it finds. If all goes well you will get the status 'Succeeded' for every check. Scroll through and make sure nothing has failed, or look at the status box at the bottom of the screen and verify that you get the following:
'Check complete. The overall result of this check is: Passed'
1.    verify all statuses
2.    Click <NEXT>
 
Summary
This screen gives a summary of the installation you are about to perform. It can be interesting to click and expand the products being installed to see exactly which products and versions are going to be installed.
1.    validate 'Global Settings' for directories
2.    validate 'Space Requirements'
3.    Click <NEXT>
 
 
Install
This screen gives a status of what is being installed. If all system settings have been properly set and all packages have been installed properly then this should proceed without error. The status bar gives some indication of what is being installed at a particular point and how much work remains, but, as with all status bars, you never really know how far along the process is.
1.    Note the time it takes for specific products. If you notice one hanging or taking a long time (greater than 10 minutes) you could have a condition that requires a pre-installation patch. Don't stop the installer yet; instead start looking for a bug / patch for the Oracle 11g installation process and the actual product being installed.
2.    Execute Configuration scripts
      1.    open up a different terminal window
      2.    login as the root user
      3.    run /opt/app/oraInventory/orainstRoot.sh
      4.    run /opt/app/oracle/product/11.2.0/db_1/root.sh
            1.    accept default of /usr/local/bin
      5.    Click <OK>
3.    Click <EXIT>
4.    Click <YES>
 
Check that the listener.ora file has the SID_LIST_LISTENER entry added.

$cat $ORACLE_HOME/network/admin/listener.ora

# listener.ora Network Configuration File: /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
# Generated by Oracle configuration tools.

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
    )
  )
SID_LIST_LISTENER=
  (SID_LIST=
    (SID_DESC=
      (GLOBAL_DBNAME=orcl)
      (ORACLE_HOME=/opt/app/oracle/product/11.2.0/dbhome_1)
      (SID_NAME=orcl))
  )

ADR_BASE_LISTENER = /opt/app/oracle
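
An added example, not part of the original post: a POSIX sh script that summarises a listener.ora so you can confirm the SID_LIST_LISTENER entry is present, list the SIDs it serves, and see exactly which host:port pairs the listener will bind, flagging any that are not limited to the loopback interface. The sample file it writes is a copy of the listener.ora shown above, placed in a temp file so the script runs stand-alone; on a real host point the functions at $ORACLE_HOME/network/admin/listener.ora. The function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post: report what a listener.ora will
# actually expose. The sample below is a copy of the file shown in the guide,
# written to a temporary file (constructed input) so the script is
# self-contained.

SAMPLE=$(mktemp 2>/dev/null || echo "/tmp/listener.sample.$$")
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
    )
  )
SID_LIST_LISTENER=
  (SID_LIST=
    (SID_DESC=
      (GLOBAL_DBNAME=orcl)
      (ORACLE_HOME=/opt/app/oracle/product/11.2.0/dbhome_1)
      (SID_NAME=orcl))
  )
ADR_BASE_LISTENER = /opt/app/oracle
EOF

# has_sid_list FILE -> succeeds if a SID_LIST_LISTENER entry is present
has_sid_list() {
    grep -q '^[[:space:]]*SID_LIST_LISTENER[[:space:]]*=' "$1"
}

# listener_sids FILE -> one SID_NAME value per line
listener_sids() {
    sed -n 's/.*(SID_NAME *= *\([^) ]*\) *).*/\1/p' "$1"
}

# listener_tcp_endpoints FILE -> one "host:port" per TCP ADDRESS entry.
# IPC addresses are skipped: they are local sockets, not network listeners.
listener_tcp_endpoints() {
    sed -n 's/.*(PROTOCOL *= *TCP *).*(HOST *= *\([^) ]*\) *).*(PORT *= *\([^) ]*\) *).*/\1:\2/p' "$1"
}

# listener_remote_endpoints FILE -> TCP endpoints not bound to loopback.
# Exit status is 0 when at least one such endpoint exists, so the function
# doubles as a yes/no test for "reachable from other hosts".
listener_remote_endpoints() {
    listener_tcp_endpoints "$1" | grep -v -e '^localhost:' -e '^127\.'
}

# listener_report FILE -> human-readable summary of the checks above
listener_report() {
    if has_sid_list "$1"; then
        echo "SID_LIST_LISTENER: present"
    else
        echo "SID_LIST_LISTENER: MISSING"
    fi
    echo "SIDs served:   $(listener_sids "$1" | tr '\n' ' ')"
    echo "TCP endpoints: $(listener_tcp_endpoints "$1" | tr '\n' ' ')"
    if listener_remote_endpoints "$1" >/dev/null; then
        echo "NOTE: listener accepts connections from other hosts"
    else
        echo "listener is bound to loopback only"
    fi
}

listener_report "$SAMPLE"
```

With the file shown above the report says the SID list is present, the only SID is orcl, the only TCP endpoint is localhost:1521 and the listener is bound to loopback only. If you later change HOST to the server's address or to 0.0.0.0 to let clients connect, the last line changes to the NOTE, which is your cue to make sure the host firewall and listener authentication settings match that decision.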

 
Cleanup
1.    If you downloaded the software from the net, you can now remove the .zip files and the complete directory tree you unzipped them into. That command is deliberately not given here, as it can be quite disastrous if executed from the wrong directory.
2.    Add the following lines to oracle's $HOME/.bash_profile file. This will allow you to execute various Oracle binaries to create databases, configure network settings, and generally manage the Oracle database environment.
export ORACLE_HOME=/opt/app/oracle/product/11.2.0/db_1
export PATH=$ORACLE_HOME/bin:$PATH
 
Last Thing to Remember 
 
You need to set the OS time zone to one that Oracle 11g accepts.
 
$export TZ=Asia/Singapore     # or any time zone listed in the emdb.properties file
$date

Follow this link for setting TimeZone in CentOS 5:
http://shishirceh.blogspot.com/2013/05/setting-time-zone-in-centos-5.html
 
Reload the agent and database control
 
$emctl reload agent
$emctl stop dbconsole
$emctl start dbconsole
 
Go to your web browser, open https://serverip:5500/em
and log in as sys or sysman, as sysdba.
 
 
Installation is complete
Congratulations on a successful installation of the Oracle software. Hopefully this paper was also successful in its attempt to guide you down a simpler path: giving you the commands to execute and working past the minor hurdles encountered during installation. Obviously this paper cannot predict every issue you may encounter, but if you have a relatively current system with ample memory and disk space there is no reason to believe your installation won't run smoothly.
 
To create another database instance
 
$dbca
 
and follow the instructions on screen.
 
$emctl status dbconsole

Init script to automatically start the Oracle database at boot

 http://shishirceh.blogspot.com/2013/05/init-script-to-start-oracle-database.html