Answers 71

From LXF Wiki

<title>Iptables rule OK!</title>

<question>I'm using a Red Hat 9 server as my router and iptables to shut down all unnecessary ports, but sometimes I want to turn off two additional ports using a web page interface, while keeping the existing rules in place. I figured PHP was the best item to use, but since I've never really used PHP I was hoping this would be a simple question for an experienced programmer. How do I do it? </question>

<answer>Modifying iptables rules can be done easily through PHP using the system function, which allows execution of a system binary. However, this would require the web server to run as root, which is pretty insecure and may compromise the system through the web service. You may want to look at a firewall system that gives you a graphical interface to your iptables rules, such as Astaro, ClarkConnect or SmoothWall. Depending upon what exactly you want to do with the ports you open, a technology that permits VPN access to the network such as OpenVPN or IPsec may be a better alternative than opening the Linux system up to possible security breaches. </answer>
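
One way to do what the question asks without handing root to the web server, as an added example (this is not code from the original answer): a tiny helper script that is the only command the web server's account is allowed to run through sudo, and that accepts nothing but the verb close or open plus a port number. The PHP page then does no more than call it, for instance system('sudo /usr/local/sbin/fwport.sh close ' . (int)$port). The script name and path, the apache account and the sudoers line are assumptions for this illustration.

```sh
#!/bin/sh
# fwport.sh - added example, not from the original answer.
# A deliberately tiny helper that a web front end can run through sudo, so the
# web server account never holds root itself and never gets to pick iptables
# arguments. Assumed sudoers entry for the web server user (hypothetical):
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/fwport.sh
# Only this script is allowed; iptables itself must not be in that list.

IPTABLES=${IPTABLES:-/sbin/iptables}

# valid_port PORT: succeed only for a decimal integer in 1..65535.
# Anything else (empty, "80;id", "22 -j ACCEPT") is refused before it can
# reach the command line.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rule close|open PORT: print the exact iptables command.
# "close" inserts a DROP at the head of INPUT so it wins over the existing
# rules without touching them; "open" deletes that same rule again.
build_rule() {
    verb=$1
    port=$2
    valid_port "$port" || { echo "fwport: bad port '$port'" >&2; return 2; }
    case "$verb" in
        close) echo "$IPTABLES -I INPUT -p tcp --dport $port -j DROP" ;;
        open)  echo "$IPTABLES -D INPUT -p tcp --dport $port -j DROP" ;;
        *)     echo "fwport: unknown verb '$verb'" >&2; return 2 ;;
    esac
}

# apply_rule VERB PORT: run the command, or only print it when DRY_RUN=1.
apply_rule() {
    cmd=$(build_rule "$1" "$2") || return $?
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
    else
        $cmd    # unquoted on purpose: every word was validated above
    fi
}

# Act only when called with two arguments; sourcing the file just defines
# the functions.
if [ $# -eq 2 ]; then
    apply_rule "$1" "$2"
fi
```

The web server still becomes a way to change the firewall, so the page that calls the helper needs its own authentication; what the helper removes is the ability to run arbitrary commands as root if that page is ever abused. Check the sudoers entry with visudo -c before relying on it.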

<title>Video woes</title>

<question>I have an ATI All-in-Wonder 9800 Pro AGP video card. I need help getting the video card installed and working with SUSE 9.2 Pro. I used an old 16MB video card to boot the system in order to flash upgrade the BIOS, as the onboard video wasn't working. My first attempt at switching the power on with the new card only gave me a black screen, and the monitor had a `Check cable connection' message on the screen during the boot cycle. I have yet to get beyond this information on the screen. Can you help? </question>

<answer>If your machine doesn't show the BIOS boot screen with the ATI video card installed, it is likely a hardware issue. Most motherboards will beep with an error code during POST indicating why they don't like the hardware. We'd recommend returning this video card and obtaining a replacement, as it seems to be defective. </answer>

<title>Up/downgrade</title>

<question>I recently installed Fedora Core 4 on my Dell Inspiron 6000 laptop after about six months of using Fedora Core 3 and I'm having mixed feelings about it. I love how it automatically finds and configures my widescreen display, but I'm rather disappointed that since installation my soundcard no longer makes any sound. It worked fine in FC3 without any intervention from me, but now I run Soundcard Detection and it plays no sound but gives me a very long model name: `Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) AC'97 Audio Controller' and the module `snd-intel8x0'. I seem to remember the AC'97 in Fedora Core 3, but the rest is Greek to me. My laptop is dual booted with Windows XP Professional, where the soundcard works fine, giving me the name `SigmaTel C-Major Audio' under the device manager. A similar problem has occurred with my Logitech Quickcam for Notebooks Pro webcam. It worked without a hitch in GnomeMeeting on FC3, but in the same program on FC4 only the microphone seems to work. It comes up in Soundcard Detection as `unknown'. I'm disappointed that a newer version of Linux seems to be less compatible with my devices than older versions. Has anyone else had this problem? I live in the US Midwest, where Linux isn't very well known at all, but I'm working to change that! So I'd like to say thanks and keep up the good work... </question>

<answer>There are lots of changes in Fedora Core 4, so you may simply want to jump back to Fedora Core 3, ensure you have the correct updates, and submit some bug reports to Red Hat to find out if anyone else has the same issues. Unless you follow through with bug reports and make sure that people working on USB and sound support know that it's a problem, FC5 is going to be just as broken. There are also a number of mailing lists and IRC channels associated with Fedora that may help solve your problems, or at least make sure that the information is routed to the correct individual. Almost every US city has a LUG of some variety, even in the Midwest; check out your local universities or colleges, as these are often great places to get information from fellow Linux enthusiasts. </answer>

<title>A patchy server?</title>

<question>My customers have been reporting my website being down, usually around peak times. Could you suggest a simple way to monitor my system load? </question>

<answer>An Apache slowdown is almost always due to memory. If you're not looking for something like Cacti (http://cacti.net), which uses RRDtool to record almost anything imaginable on a server, the simplest way I can think of is to have a shell scriptlet that just runs an infinite loop while capturing the output from a couple of utilities. You could use sar to monitor CPU usage, free for memory usage and vmstat. Use this last tool with a delay of three to five seconds to capture a couple of successive snapshots of your system state; this is just to make sure that the information you're getting from the redirected outputs is not made up of spikes. Use your judgement as to how frequently the dumps are made unless you're prepared to code a monster application to sift through all the information. </answer>
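
The scriptlet the answer sketches, written out as an added example (not code from the original answer). It logs a timestamped free/vmstat/load snapshot every minute and, because the answer points at memory, also parses the output of free -m so the loop can flag memory pressure. The log path, interval and 90% threshold are arbitrary defaults of this script; the two free -m samples at the bottom are constructed so the parser can be tried offline.

```sh
#!/bin/sh
# loadsnap.sh - added example, not from the original answer.
# The "shell scriptlet" the answer describes: an infinite loop that appends a
# timestamped vmstat/free/load snapshot to a log, plus a parser for `free -m`
# so the same loop can flag memory pressure, the usual cause of an Apache
# slowdown. Log path, interval and threshold are this script's own defaults.

LOG=${LOG:-/var/log/loadsnap.log}
INTERVAL=${INTERVAL:-60}            # seconds between snapshots
MEM_WARN_PCT=${MEM_WARN_PCT:-90}    # warn when RAM in use exceeds this

# mem_used_pct: read `free -m` output on stdin, print the integer percentage
# of RAM really in use, i.e. excluding page cache. Handles both the old
# procps layout (a "-/+ buffers/cache:" line) and the newer one (an
# "available" column). Prints NA and fails if no Mem: line is found.
mem_used_pct() {
    awk '
        NR == 1 && /available/   { newstyle = 1 }
        /^Mem:/                  { total = $2; used = $3
                                   if (newstyle) used = total - $7 }
        /^-\/\+ buffers\/cache:/ { used = $3 }
        END {
            if (total == 0) { print "NA"; exit 1 }
            printf "%d\n", (used * 100) / total
        }'
}

# mem_alert PCT: print a warning and succeed when PCT is at or above the
# threshold; otherwise stay quiet and fail, so callers can branch on it.
mem_alert() {
    if [ "$1" != NA ] && [ "$1" -ge "$MEM_WARN_PCT" ]; then
        echo "WARN memory ${1}% in use (threshold ${MEM_WARN_PCT}%)"
        return 0
    fi
    return 1
}

# snapshot: one dump. vmstat is asked for two samples 3 s apart because its
# first line is an average since boot, not the current state.
snapshot() {
    echo "=== $(date '+%F %T') load: $(cut -d' ' -f1-3 /proc/loadavg 2>/dev/null)"
    free -m
    vmstat 3 2
    free -m | mem_used_pct | { read -r pct; mem_alert "$pct" || true; }
}

# monitor: the loop itself. Stop it with Ctrl-C or kill; review the log with
# something like: grep -A12 WARN /var/log/loadsnap.log
monitor() {
    while :; do
        snapshot >>"$LOG" 2>&1
        sleep "$INTERVAL"
    done
}

# Constructed sample output (not captured from a real host) for trying the
# parser offline; the old layout first, then the newer one.
SAMPLE_FREE_OLD='             total       used       free     shared    buffers     cached
Mem:          2026       1980         46          0        120        860
-/+ buffers/cache:       1000       1026
Swap:         2047        300       1747'
SAMPLE_FREE_NEW='              total        used        free      shared  buff/cache   available
Mem:           7976        7200         200         100         576         400
Swap:          2047        1500         547'
```

Source the file and run monitor (or start it from an init script) on the web server; the parser deliberately ignores the raw "used" column, which counts page cache and would otherwise report a healthy box as nearly full.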

<title>Foxed by Firefox</title>

<question>I have SUSE 9.2 installed on my box at home, and am having problems with browsing the web. I have no problems with Konqueror, but I installed Firefox and Mozilla and neither will surf the web; they always time out. The network settings are the same as Konqueror, but they don't load any pages. I don't know if this is a red herring or not but when I change the network settings from Direct Connection in Konqueror to Auto-Detect From The Proxy I can browse web pages that I have loaded first in Konqueror. However, I have problems submitting forms or accessing links from the page and it times out again... I'm utterly bemused! Any ideas how to get Firefox up and running? I need it so that I can ditch my Windows partition and do all my dev work in Linux! </question>

<answer>This is a common error and is caused by Firefox or Mozilla trying to access the network using an IPv6 modified IPv4 address. The simplest way to fix this is to add the following code to /etc/modules.conf:

alias net-pf-10 off

This will disable `Protocol Family 10' on the system, which is essentially the IPv6 system. Both Firefox and Mozilla support both IPv4 and IPv6, which can often cause problems on installations where the networking isn't set up quite as it should be. </answer>

<title>X terminated</title>

<question>I recently moved my system from an old 120GB disk to a new 200GB disk. To do this, I booted from a Live CD, mounted both disks and used cpio to copy all the files across.

cd /mnt/old_disk
find . -print | /mnt/old_disk/bin/cpio -pamd /mnt/new_disk

All went fine up until the point fluxbox wanted to start. To cut a long story short, it didn't. I can run TWM, xterms and aterms, but that seems to be about it on the graphical application front. All my favourite C apps seem OK. When I try to launch Gaim or Opera or pretty much anything else that uses X apart from MPlayer, they all segfault. Sometimes xine will appear briefly before dying, but Gaim never does anything. I've checked permissions to make sure they were preserved OK (as far as I can tell, they were). I've also recompiled my kernel and rebuilt X, all to no avail. Everything else, including Apache, PostgreSQL, MySQL and SSH, seems to be doing just fine; it's just the X apps. Any advice? </question>

<answer>If you still have the original 120GB drive, you may want to copy the data over again to ensure that all of the shared libraries that X applications need are complete. We normally just use cp -fra /mnt/old /mnt/new to copy the contents of a whole hard disk, which generally does a good job of making sure everything is as it was. A tool such as strace can be used to look at exactly why a process fails: perhaps it can't open a /dev file, or there's a permissions issue that it doesn't know how to handle. The strace command is a little cryptic, but it is usually reasonably easy to figure out where exactly the application is bombing out. </answer>
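
An added example (not code from the original answer) of putting strace to work on the segfaulting X applications: trace_app records a run, strace_failures keeps only the system calls that came back with an error, and strace_crash_context shows the last few calls before the fatal signal. The trace at the bottom is constructed to look like a gaim start-up on a copy that lost a library; it is not a capture from the reader's machine.

```sh
#!/bin/sh
# Added example, not from the original answer: how to make strace output less
# cryptic when an X application segfaults. trace_app records the run,
# strace_failures keeps only the system calls that failed, and
# strace_crash_context shows what happened just before the fatal signal.
# The sample trace below is constructed, not captured from a real system.

# trace_app CMD [ARGS...]: trace CMD and its children, file and network calls
# only (libraries, /dev nodes, config files, the X socket), into a log file.
trace_app() {
    out=${TRACE_OUT:-/tmp/strace.$$.log}
    strace -f -o "$out" -e trace=file,network "$@"
    echo "$out"
}

# strace_failures: keep lines where a call returned -1 with an errno name.
# ENOENT on a shared library or EACCES on a /dev node is exactly the kind of
# thing a bad disk copy leaves behind.
strace_failures() {
    grep -E '\) += -1 E[A-Z0-9]+'
}

# strace_crash_context [N]: print the N (default 5) lines immediately before
# the first "--- SIGxxx" or "+++ killed by" marker.
strace_crash_context() {
    awk -v n="${1:-5}" '
        /^(---|\+\+\+) / {
            start = (count > n) ? count - n : 0
            for (i = start; i < count; i++) print buf[i]
            exit
        }
        { buf[count++] = $0 }'
}

# Constructed sample, shaped like `strace -f gaim` on a broken copy.
SAMPLE_TRACE='execve("/usr/bin/gaim", ["gaim"], [/* 20 vars */]) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib/libgtk-x11-2.0.so.0", O_RDONLY) = 3
open("/usr/lib/libpango-1.0.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/dev/dri/card0", O_RDWR) = -1 EACCES (Permission denied)
stat64("/home/user/.gaim", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++'
```

Typical use is log=$(trace_app gaim); strace_failures <"$log"; strace_crash_context <"$log". Not every failed call matters (a missing /etc/ld.so.cache is routine on some systems), so read the failures together with the crash context rather than on their own.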

<title>SUSE confuser</title>

<question>I have a hard drive (hda) with Windows 98 and SUSE 9.2 installed on it. I also have another hard drive (hdb) on to which I installed MEPIS PRO. The problem is that when I boot into SUSE, although it sees my Windows files, it cannot see the other MEPIS drive. Running dmesg shows that SUSE is seeing all the partitions including hdb1, but for some reason I am unable to access it. Originally each Linux distro tried to overwrite the MBR and delete any reference to the other Linux distro. Currently the SUSE GRUB loader gives me Windows and the SUSE option, and it would be nice if it could give me the MEPIS option as well. Because of this tendency to overwrite the MBR I installed MEPIS, including its boot loader, on hdb1. I can access it using the floppy install. The annoying part is that when I am in MEPIS it can see the SUSE partitions on hda. Any attempt to write a line in the fstab file is greeted with an error message when I try to load the hdb1 partition. Any help would be appreciated. </question>

<answer>You can start by checking the partition structure on hdb using fdisk -l /dev/hdb. If /dev/hdb1 is the filesystem you want, running the following will manually mount it under /mnt/tmp, where /mnt/tmp is a directory that must already exist:

mount /dev/hdb1 /mnt/tmp

If this fails, check with dmesg to find out if there is an error from the kernel trying to mount the filesystem, or review the error output from mount to establish why it will not work. </answer>

<title>Pseudo security</title>

<question>I'm looking for a way to audit root's activities on the server. The root password is held by three people who look after the server for me. Is there any better way to do it? </question>

<answer>The sudo command is the answer to your problems. What sudo does is run a command as a substitute user. You have two ways of doing this. You can either give those people the root password and have them authenticate twice, once for their own user then another to run the command using sudo. The other way would be to make them authenticate once, which would hide the root user from them. I suggest the first and rotate the root password as frequently as you're comfortable with. You also get a thorough log of all commands executed using sudo along with information on who ran it and an expanded command line, so if you have wildcards, you get the full picture. Editing the sudo configuration file, /etc/sudoers, is preferably done with the command visudo. You'll need the following lines:

# /etc/sudoers
exampleUser ALL=(ALL) ALL, !/bin/bash, !/bin/tcsh, !/bin/sh, !/bin/csh, !/usr/bin/strace

Basically, we've allowed user exampleUser to use sudo to run all commands from all hosts except for /bin/bash and the other commands on that line, because otherwise a user could run sudo bash or sudo strace to hide what they're doing. There is an element of trust here. It isn't viable to stop people with elevated privileges from sidestepping limitations in such a simple way. If you really want to lock your server down, you should consider using SELinux. It's gaining users every day, so the online help is expanding all the time. </answer>
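
The audit trail the answer mentions ends up in syslog (/var/log/secure on Red Hat, /var/log/auth.log on Debian-style systems). As an added example (not code from the original answer), two small filters for reading it: sudo_report reduces every entry to who ran what and whether sudoers allowed it, and sudo_escapes pulls out the commands that hand the caller a shell or something with a shell escape, which is where the trail goes dark. The log lines are constructed for the example; the list of escape-capable programs mirrors the sudoers blacklist above and adds editors and pagers, which is precisely why a blacklist only goes so far.

```sh
#!/bin/sh
# Added example, not from the original answer: reading the audit trail that
# sudo leaves in syslog (auth.log or /var/log/secure, depending on the
# distribution). sudo_report reduces each entry to "user, outcome, command";
# sudo_escapes then picks out the commands that hand the caller an
# interactive shell, or an editor/pager with a shell escape, which is where
# the trail goes dark. The log lines below are constructed, not real.

# sudo_report: stdin = syslog lines, stdout = user<TAB>status<TAB>command.
# Status is OK for an executed command, DENIED when sudoers refused it, and
# BADPASS when the caller failed to authenticate.
sudo_report() {
    awk '
        /sudo:/ {
            status = "OK"
            if ($0 ~ /command not allowed/)      status = "DENIED"
            else if ($0 ~ /incorrect password/)  status = "BADPASS"
            user = $0; sub(/.*sudo: +/, "", user); sub(/ :.*/, "", user)
            cmd = $0;  sub(/.*COMMAND=/, "", cmd)
            printf "%s\t%s\t%s\n", user, status, cmd
        }'
}

# sudo_escapes: stdin = sudo_report output; keep entries whose program is a
# shell or something that can spawn one (vi and less do it with ":!sh" and
# "!sh"). The list mirrors the answer's sudoers blacklist plus those extras.
sudo_escapes() {
    awk -F'\t' '
        { split($3, words, " "); m = split(words[1], path, "/"); base = path[m] }
        base ~ /^(bash|sh|csh|tcsh|zsh|ksh|su|sudo|vi|vim|less|more|strace|gdb|perl|python)$/'
}

# Constructed sample log, shaped like the lines sudo writes via syslog.
SAMPLE_SUDO_LOG='Jul 14 10:01:12 srv sudo: exampleUser : TTY=pts/1 ; PWD=/home/exampleUser ; USER=root ; COMMAND=/bin/cat /var/log/secure
Jul 14 10:02:33 srv sudo: exampleUser : TTY=pts/1 ; PWD=/home/exampleUser ; USER=root ; COMMAND=/bin/rm /tmp/a.log /tmp/b.log
Jul 14 10:03:05 srv sudo: exampleUser : command not allowed ; TTY=pts/1 ; PWD=/home/exampleUser ; USER=root ; COMMAND=/bin/bash
Jul 14 10:04:41 srv sudo: otherUser : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Jul 14 10:05:10 srv sudo: exampleUser : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/exampleUser ; USER=root ; COMMAND=/bin/su -'
```

Run it as sudo_report </var/log/secure | sudo_escapes to see the entries worth a conversation. Note that the rm line is fully expanded (both file names are there), which is the "full picture" the answer refers to, and that the denied /bin/bash attempt is logged even though it never ran.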

<title>Window on Linux</title>

<question>I am running Red Hat Linux 9, and using the following command to map Windows Storage Server 2003.

mount -t smbfs -o username=<username>,password=<passwd> //<ipaddress>/share /mntpoint

On the Windows side, I just make the share folder read-only. It successfully maps between Linux and Windows but recently Windows has begun to refuse the connection. When I check the Linux host, the mount is still there, and when I restart Windows I can read and write files to the directory without remounting on Linux. Before I restart Windows, I can't read the file in the mounted directory on Linux. I get the error message: `LS: Stale file handle'. Is there anything I can do on the Windows side? Is there any service that I can restart without rebooting Windows? </question>

<answer>You can always restart the File and Print Sharing service in Windows 2003, which I hope might solve your problem. It sounds as if a scheduled service, such as Windows Update, is causing the Windows system to fall over. Windows has a comprehensive event log, which may help you locate the specific issue. Our forums are full of people who are crazy enough to use Windows as a file server, so that may be a good way to find out if there are any changes in Windows 2003 which need to be made in order to reliably mount Windows shares in Linux. </answer>

<title>Missing monitor</title>

<question>I'm setting up a computer for a complete newbie and couriering it to them across the country. The box has an NVIDIA Pro card and their screen will be an Acer AL511 flat screen. If I set the monitor up to suit my hardware, a `detected hardware' change at the user's end will effectively uninstall the NVIDIA drivers. I therefore want to set the box up with the correct settings for their monitor just before shipping the box off, so it will work straight away on their system. Problem: there are lots of Acer monitors under display config, but no AL511. I know that they are probably cross-compatible, but some will not be. I don't want to pick the wrong one in case it causes grief to this complete newbie at the other end. I certainly don't want it to run diagonal lines, have bad flicker or have too low a resolution for their hardware. </question>

<answer>LCD displays are fairly easy to set up. You just need to choose the appropriate vertical refresh rate in X to ensure that the modes used are not beyond the maximum refresh rate for the display. A `General LCD' setting should be sufficient to ensure that the display works correctly. Reviewing the display specifications on the internet will help you decide which resolution should be set as default and which refresh rates can be used. </answer>

<title>Sticky suite</title>

<question>I have just installed SUSE 9.3, my introduction to Linux. All seemed to go well except that it didn't recognise my SpeedTouch broadband modem. My ISP is Kingston Communications. I note that in the August issue [LXF69] there is a SpeedTouch suite with drivers on the cover DVD, which would probably help me to get on to the internet. As I'm a real newcomer to Linux (and an octogenarian to boot), would you please give me precise instructions as to how I can install this suite (if indeed it's what I need)? All I can see when opening the file is what appears to be program coding. </question>

<answer>Lots of information on the Alcatel SpeedTouch USB modem, otherwise known as `the frog', can be found at http://linux-usb.sourceforge.net/SpeedTouch. This includes open source versions of the drivers, as well as setup documentation to get you on to the internet using the modem. As you are running SUSE 9.3, you can follow the instructions at http://linux-usb.sourceforge.net/SpeedTouch/suse/index.html to get it up and running. Many ISPs give you the option of using either PPP over Ethernet or PPP over ATM, although the SpeedTouch USB documentation recommends using PPPoA. In either case, you will need to follow the specific instructions for the PPP method used to connect to your ISP. </answer>

<title>PATA/SATA</title>

<question>I tried installing Fedora Core 4 on my Athlon 64 box last night. The problem is this: I have two PATA drives and four SATA drives, and if I try to use both types I get a lot of garbage during boot and a lock up. The info is excessive and contains a lot of `fffffffffffff' and `CPU locked' messages. When I disconnect the PATA drives all is fine, or if I disconnect all the SATA drives and leave only the PATA drives, things are again fine, but I want to use both types. It is not a fault of the motherboard, because Windows can handle the six drives at once, not to mention two DVD drives. </question>

<answer>There are some known conflict issues with controllers used for both PATA and SATA devices (ie the same controller handling both types of drive). You haven't told us exactly which controller you are using, so we can't be certain, but that seems to be the most likely cause for this behaviour. Some devices do have boot-time workarounds though. Log in as root and use dmesg to check for the hardware found at boot. The lsmod command will tell you which modules are running on your system (check the entry for libata, which is often used to load the SATA drivers). A Google search for `Fedora' or `Linux' plus the device name, driver and so on may yield some results, or tell us specifically what hardware you have and we can investigate further. </answer>

<title>Ubuntu and Xine</title>

<question>I have recently installed Ubuntu on my Toshiba 1800 laptop. It seems to work fine but DVD playback is choppy in Xine and MPlayer crashes as soon as I try to play a movie. Any guidance you can give me would be appreciated! </question>

<answer>Top of the list of things to try is to make sure DMA is enabled for your DVD drive. Something like:

hdparm -d1 /dev/hdc

(changing hdc for the device of your DVD if it's different)

should do the job. MPlayer as supplied with Ubuntu has a number of problematic issues; if you really want to have it, it's best to compile it from source. </answer>

<title>Postfix fixed</title>

<question>I want to set up Postfix so that it won't add new system users for each email address I want to add. I usually learn quite well by example but the tutorials I have found on this are very confusing. Can you suggest an easy tutorial or HOWTO? </question>

<answer>Better, I can write you one! As always on machines with a firewall policy of ACCEPT, you should start by restricting the relevant port to the local machine until you're satisfied with the configuration. This should do it quite nicely:

iptables -I INPUT -i ! lo -p tcp --dport 25 -j DROP

The main configuration file for Postfix as a whole (as opposed to the daemon config file, which is master.cf) is main.cf. This is usually found in /etc/postfix. By default, Postfix should come configured to only listen to localhost. Postfix binds to loopback in such a way that it doesn't accept connections from the wild. What we need to do is append the public IP to inet_interfaces. Usually the entry is:

inet_interfaces = localhost

We change it to:

# 192.0.2.10 is a placeholder: substitute the server's own public address
inet_interfaces = localhost, 192.0.2.10

This enables Postfix to listen on the supplied IP. To make life easier, we'll also be making Postfix look for any variable info, such as added email addresses or domains, in files other than the main configuration file (main.cf). Let's see a dump of the additions required. You may want to append them to the file main.cf:

# /etc/postfix/main.cf
virtual_mailbox_domains = virtualdomain1.tld, virtualdomain2.tld
virtual_mailbox_base = /path/to/mail/root
virtual_mailbox_maps = hash:/path/to/postfix/virtual-mailbox-maps
virtual_minimum_uid = 5000
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_maps = hash:/path/to/postfix/virtual-alias-maps

There are seven configuration lines here. In the first, you tell Postfix which domains are virtual. We want everything except system mails to be virtual, so list any domains on that line that you would like to host. You're really telling Postfix that these domains should be handled by the Postfix Virtual Delivery Agent (man 8 virtual). Line two is where you specify the parent directory where all the emails will be stored. I suggest you specify something other than /var/spool/mail. The argument to hash: is a file with key/value pairs. The virtual_mailbox_maps directive is where you list the one-to-one mappings of email address to filesystem location. We'll get to that in a short while. Line five, virtual_uid_maps (yes, we skipped one; we'll get back to it right after this one) can be a variety of things. In this example, we went for a common UID for all email users, so we use the keyword static:, which in turn accepts one argument, the UID. Back to virtual_minimum_uid. You've probably guessed by now that it's a security constraint that restricts the user file UIDs to a level above a certain threshold. In our setup, we used a static UID for all users, but if we were using, say, hash, the virtual_minimum_uid would give us the security of knowing that any human errors in defining UIDs would be rendered harmless. Line six, virtual_gid_maps, is just like virtual_uid_maps only for GIDs (group IDs). Now that we've set those two, let's create the directory in virtual_mailbox_base and change the ownership of that directory to reflect the settings we chose: in our example, user and group 5000. Note that we don't have to create the user or group on the system; it's optional. Line seven, virtual_alias_maps, points Postfix to the file where the virtual alias mappings are listed. Virtual aliases `redirect' email messages meant for a virtual domain (see above) to any other destination. The file should contain pairs of email address/filesystem destination, such as:

# /path/to/postfix/virtual-mailbox-maps
account1@example.com example.com-dir/account1/
account2@example.com example.com-dir/account2

The first line tells Postfix to dump all emails addressed to account1@example.com in the directory /path/to/mail/root/example.com-dir/account1. The trailing slash makes Postfix use the Maildir format, which is recommended for most IMAP setups; check your POP3/IMAP service documentation. The real destination directory is the value of virtual_mailbox_base and the value of the file appended to it. You'll probably want the settings in /path/to/postfix/virtual-mailbox-maps to be checked when an email message comes in. For this to happen you have to make sure that the domain in the recipient address is listed as a virtual domain. We can do this in the file specified in virtual_alias_maps, which, as far as our settings in main.cf go, is /path/to/postfix/virtual-alias-maps. Let's alias postmaster@example.com and abuse@example.com to account1@example.com:

# /path/to/postfix/virtual-alias-maps
postmaster@example.com account1@example.com
abuse@example.com account1@example.com

This setup is at least compatible with Dovecot IMAP and POP3 servers, except that both mailboxes should be in Maildir format, not Mbox format. Other things to consider are: using dbm instead of hash; moving the setup to MySQL; using Postfix Admin; and setting up a POP3/IMAP server. Before we can revel in a shiny new daemon ready to pipe thousands of email messages to the world, we need two things. First, let's allow access to the port:

iptables -D INPUT -i ! lo -p tcp --dport 25 -j DROP

Then I suggest you pay a visit to http://abuse.net and have your server tested for open relaying. Start it up with service postfix restart on a RHL-like machine. If you need more guidance, you really should read www.postfix.org/VIRTUAL_README.html#virtual_mailbox </answer>
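
The steps above that are easy to get slightly wrong by hand (writing the two lookup tables, creating the mailbox tree owned by UID/GID 5000, and remembering that Postfix reads the compiled .db files rather than the text) gathered into one script, as an added example that is not code from the original answer. Paths and the 5000 UID/GID follow the answer; the input formats (one address per line for accounts, alias and target separated by a tab for aliases) and the address check are this script's own conventions.

```sh
#!/bin/sh
# Added example, not from the original answer: build the two hash: tables and
# the Maildir tree for the main.cf above from plain lists of accounts and
# aliases, then compile them with postmap. Paths and the 5000 UID/GID come
# from the answer; the input formats (one address per line for accounts,
# "alias<TAB>target" for aliases) are this script's own convention.

MAIL_ROOT=${MAIL_ROOT:-/path/to/mail/root}   # virtual_mailbox_base
MAP_DIR=${MAP_DIR:-/path/to/postfix}         # where the hash: files live
VUID=${VUID:-5000}
VGID=${VGID:-5000}

# valid_addr ADDR: accept only a plain local@domain with a dotted domain and
# a conservative character set. This keeps spaces, slashes and lookup-table
# metacharacters out of files Postfix will parse as root.
valid_addr() {
    case "$1" in
        ''|*[!A-Za-z0-9._+@-]*) return 1 ;;
    esac
    local_part=${1%%@*}
    domain=${1##*@}
    [ -n "$local_part" ] && [ "$local_part" != "$1" ] &&
        [ "${1#*@}" = "$domain" ] && [ "${domain#*.}" != "$domain" ]
}

# mailbox_path ADDR: value side of virtual_mailbox_maps. The trailing slash
# selects Maildir, which is what IMAP servers such as Dovecot expect.
mailbox_path() {
    echo "${1##*@}-dir/${1%%@*}/"
}

# gen_maps ACCOUNTS_FILE ALIASES_FILE: (re)write both lookup tables,
# skipping and reporting any malformed entry instead of writing it.
gen_maps() {
    : >"$MAP_DIR/virtual-mailbox-maps"
    : >"$MAP_DIR/virtual-alias-maps"
    while read -r addr; do
        [ -n "$addr" ] || continue
        valid_addr "$addr" || { echo "skipping bad account: $addr" >&2; continue; }
        printf '%s %s\n' "$addr" "$(mailbox_path "$addr")" >>"$MAP_DIR/virtual-mailbox-maps"
    done <"$1"
    while read -r alias target; do
        [ -n "$alias" ] || continue
        valid_addr "$alias" && valid_addr "$target" ||
            { echo "skipping bad alias: $alias -> $target" >&2; continue; }
        printf '%s %s\n' "$alias" "$target" >>"$MAP_DIR/virtual-alias-maps"
    done <"$2"
}

# make_maildirs: create cur/new/tmp for every Maildir (or an empty mbox file
# for entries without a trailing slash) under MAIL_ROOT, then hand the tree
# to the static UID/GID from main.cf (the chown needs root).
make_maildirs() {
    while read -r addr path; do
        case "$path" in
            */) for d in cur new tmp; do mkdir -p "$MAIL_ROOT/$path$d"; done ;;
            *)  mkdir -p "$MAIL_ROOT/${path%/*}" && : >>"$MAIL_ROOT/$path" ;;
        esac
    done <"$MAP_DIR/virtual-mailbox-maps"
    chown -R "$VUID:$VGID" "$MAIL_ROOT" 2>/dev/null ||
        echo "chown failed: rerun make_maildirs as root before starting Postfix" >&2
}

# compile_maps: Postfix reads the .db files, not the text, so run this after
# every edit (and again if you switch hash: to dbm: as the answer suggests).
compile_maps() {
    if command -v postmap >/dev/null 2>&1; then
        postmap "$MAP_DIR/virtual-mailbox-maps" "$MAP_DIR/virtual-alias-maps"
    else
        echo "postmap not found: the hash: tables are not usable yet" >&2
        return 1
    fi
}
```

Typical order is gen_maps accounts aliases; make_maildirs; compile_maps, followed by the service postfix restart the answer ends with. The address check rejects anything that is not a single local@domain with a dotted domain, so a stray space or slash in the account list cannot turn into an unexpected path under virtual_mailbox_base.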