encounter problem when ftp programs to x8web.com
1. log on to www.x8web.com
2. go to cPanel X
3. navigate to File Manager
4. You will see a list of files including .ftpquote
5. click .ftpquote
6. you can see a menu of fuctions as below on top right corner
Show File
Delete File
Edit File
Change Permissions
Rename File
Copy File
Move File
7. use "Delete File " to delete .ftpquote
8. refire up FTP software, you will be able to ftp programs to x8web.com successfully
2007年6月24日星期日
encounter problem when ftp programs to x8web.com
i不能 ftp 文件到x8web.com
2007年6月12日星期二
JBOSS 3.0.4 配置及使用初步
JBOSS推出3.0.4版本其实已经很久很久啦,可是呢,网上关于它的介绍就少得可怜,而且仅有的几篇介绍都并不完全正确,很多甚至是直接拷贝jboss2.4.4的相关内容。那些抄袭者没有想到,从jboss2.4.4到jboss3.0.4之间有很大的飞跃,甚至目录结构也不相同了,相关配置更不用多说,他们那些拷贝来的作品根本不能正确指导人们学习jboss。
为了学习jboss,我想大多数人可能都要从http://www.jboss.org ;那里下载其本身的文档,如3.x版本就有文档JBoss.3.0QuickStart.Draft3.pdf 来进行入门指导。但是令人万万没有想到的是,JBoss.3.0QuickStart.Draft3.pdf文档中甚至也有错误的地方,完全按照它的指引,大家将会走弯路的。
因此,结合我最近学习jboss3.0.4的经验,根据实际应用情况,总结出jboss3.0.4配置及使用初步文档,供大家参考和讨论。
前提
首先,你必须安装了JDK,版本为1.3以上,我使用的是1.4版本。并在CLASSPATH中设置JAVA_HOME环境变量为JDK安装目录。确保在你的机器上可以运行JAVA程序。
安装及运行jboss3.0.4
在jboss自己的网站http://www.jboss.org ;下载jboss3.0.4,有jboss-3.0.4.zip和jboss-3.0.4_tomcat-4.1.12.zip。后者是jboss和tomcat整合到一起的版本,这里主要介绍前者,既单独的jboss3.0.4。
jboss的运行很简单。将jboss-3.0.4.zip解压到本地硬盘的一个目录中。会有以下几个目录生成:
bin
放置jboss启动和停止的可执行脚本文件
docs
放置jboss的例子、测试脚本和各种脚本配置文件的DTD
lib
放置jboss所需要的部分jar包文件
client
放置EJB客户端运行时所需要的jar包
server
放置各启动类型的服务器端EJB配置所需要的文件等。
Jboss3.0.4有三种启动类型,分别为all, default, minimal。如在windows平台下启动jboss,可直接启动bin目录下的run.bat既可。此时默认为以default形式启动,如需其它启动方式,则需要参数设置,如想以all模式启动,则运行run.bat –c all命令。至于三种启动模式的区别,无非就是启动的服务多少不同,具体请参照JBoss.3.0QuickStart.Draft3.pdf文档。该文档也有设置jboss启动为windows服务的一段,也可以参照,不过我按照它的做法尝试了一下,发现居然jboss的服务会占据90%以上的CPU资源(当时我用的是赛扬233,脸红中……)。
正如大家所看到的,jboss启动就这么简单,而且也不需要按照自己的机器额外进行其他配置。到这一步,大家都很爽吧。OK,让我们继续
查看JBOSS端口这本来不应单独成为一章,但是,网上各资料和JBoss.3.0QuickStart.Draft3.pdf 中都在这一部分对使用者进行了误导,我想在这里我有必要进行澄清。
启动jboss后,我们可以查看8080端口,在浏览器地址栏中键入http://localhost:8080 ;,我们会发现一个错误页面,内容为“HTTP ERROR: 404 / Not Found RequestURI=/”这是正常的,因为你根本就没有页面可以显示。
在按照网上资料和JBoss.3.0QuickStart.Draft3.pdf的要求查看8082端口时,我们就会发现,根本和资料中讲述不一致了。JBoss.3.0QuickStart.Draft3.pdf中的原文是这样的:“To check if JBoss is running please open a browser and enter http://localhost:8082 ;which will list all JBoss components running.”但是,我们将会出现一个错误页面!并不是象它所说的会列出所有运行的JBOSS组件。经过查找,发现其实应该是http://localhost:8080/jmx-console ;。此点一定注意,否则会打击初学者学习jboss的兴趣的。我们通过这个页面进行对JBOSS的各服务的配置和管理。
我们再查看http://localhost:8083 ;会出现一个没有错误的空白页,正常,应该是这样。
我们再查看http://localhost:1099 ;会出现一大堆乱字符,当然,里面包含了你的IP地址等等类似的信息。1099是jnp协议监听名字服务的缺省端口,RMI的缺省端口也是一样的。在JNDI中,我们需要用到此端口。
OK,基本端口信息就这些。
EJB文件的编写
EJB的结构不是我们讨论的内容,下面只是列出它的程序代码,是一个无状态的sessionBean。在这里我用的是ejb2.1的JAR。
Remote接口文件:Example.java
package examples;import javax.ejb.EJBObject;public interface Example extends EJBObject { public String example() throws java.rmi.RemoteException;}
Home接口文件:ExampleHome.java
package examples;import javax.ejb.EJBHome;public interface ExampleHome extends EJBHome { Example create() throws java.rmi.RemoteException,javax.ejb.CreateException;}
Local接口文件:ExampleLocal.java
package examples;import javax.ejb.EJBLocalObject;public interface ExampleLocal extends EJBLocalObject { public String example();}
LocalHome接口文件:ExampleLocalHome.java
package examples;import javax.ejb.EJBLocalHome;public interface ExampleLocalHome extends EJBLocalHome { ExampleLocal create() throws javax.ejb.CreateException;}
Bean文件:ExampleBean.java
package examples;import java.rmi.RemoteException;import javax.ejb.EJBException;import javax.ejb.SessionBean;import javax.ejb.SessionContext;public class ExampleBean implements SessionBean { public ExampleBean() { super(); } public void setSessionContext(SessionContext arg0) throws EJBException, RemoteException { System.out.println("setSessionContext"); } public void ejbCreate() { System.out.println("ejbCreate"); } public void ejbRemove() throws EJBException, RemoteException { System.out.println("ejbRemove"); } public void ejbActivate() throws EJBException, RemoteException { System.out.println("ejbActivate"); } public void ejbPassivate() throws EJBException, RemoteException { System.out.println("ejbPassivate"); } public String example() { System.out.println("example()"); return "Just a simple example!"; }}
客户端调用程序文件:ExampleClient.java
package examples;import javax.naming.*;import javax.rmi.PortableRemoteObject;import java.util.Properties;public class ExampleClient { public ExampleClient() { super(); } public static void main(String[] args){ try{ Properties props =new Properties(); props.put(Context.INITIAL_CONTEXT_FACTORY,"org.jnp.interfaces.NamingContextFactory"); props.put(Context.PROVIDER_URL,"172.16.1.4:1099"); Context ctx = new InitialContext(props); System.out.println("start ejb client test"); Object obj=ctx.lookup("Example"); ExampleHome home = (ExampleHome)PortableRemoteObject.narrow(obj,ExampleHome.class); Example example = home.create(); System.out.println(example.example()); example.remove(); }catch(Exception e) { e.printStackTrace(); } }}
EJB打包
我们需要将以上文件编译的CLASS文件打成一个JAR包,部署到JBOSS中,才能调用ExampleClient执行测试。此jar包可以是任何名字,这里把它命名为myfirst.jar。
按照以上文件的包路径,在正常编译后会形成一examples目录,下面存放各class文件。在和examples同级目录中,还需建立一META-INF目录,里面将放置部署EJB所需要的各种配置文件。
在META-INF下,我们需要有两个文件ejb-jar.xml和jboss-service.xml。ejb-jar.xml文件里将包括EJB的各种关键信息,而jboss-service.xml则包括EJB部署在JNDI上的一些关键信息。一般网上资料介绍中只会介绍ejb-jar.xml文件,但对于JNDI部署就几乎没有,有的也是从jboss2.4.4那边继承过来的,名称为jboss.xml,但是在jboss3.0.4中,它不会承认这个名字的,只认得jboss-service.xml。
ejb-jar.xml文件内容如下:
Your first EJB application JUST A TEST Example examples.ExampleHome examples.Example examples.ExampleLocalHome examples.ExampleLocal examples.ExampleBean Stateless Container
里面列出了EJB的名称以及各接口和BEAN的类路径和类名。
Jboss-service.xml内容如下:
Example Example true
里面列出了EJB的名字和JNDI中该EJB的位置名称,这对于多个EJB的部署十分重要的。
有了这些目录和文件,就可以将其打包了。在examples和META-INF同级目录中,运行命令:
jar cvf myfirst.jar examples/*.class META-INF/*.xml
执行完毕,我们就有了一个myfirst.jar包,里面包括了目录examples和META-INF以及在相应目录下的class和xml文件。
至此,我们已经形成了一个可以在不同EJB容器下执行的EJB JAR包了,下面要讲述的是在jboss3.0.4中如何具体部署我们的myfirst.jar。
EJB在jboss3.0.4中的部署
只要写好了ejb-jar.xml和jboss-service.xml,在jboss3.0.4中部署EJB是很简单的了。
不同的启动jboss模式,就将该jar文件放入对应的目录中。例如:我们用run –c all命令启动,则就将myfirst.jar放入server目录下的all\deploy目录下,则此时,运行中的JBOSS会自动识别并根据jar中的META-INF\*.xml自动部署它。
则EJB的部署就完成了。
EJB的运行
我们运行ExampleClient来检验我们EJB程序。
在编译ExampleClient.java时, CLASSPATH需要引入jboss目录client下的jar文件,才能编译成功并正常运行。
运行ExampleClient,在客户端会出现:
start ejb client test
Just a simple example!
而在服务端,则会出现类似如下语句:
13:35:31,250 INFO [STDOUT] setSessionContext
13:35:31,250 INFO [STDOUT] ejbCreate
13:35:31,250 INFO [STDOUT] example()
证明我们的EJB在jboss3.0.4下成功运行!!
几个jboss 基础问题,install,start,stop
1、解压完毕后,应该生成如下目录:
bin: 命令和脚本
client: 客户端jars
docs: jboss的文档
lib: 服务器端jars
server: 服务器配置文件
2、jboss提供了3种服务器配置:
1)minimal:最小配置,仅仅包括日志,jndi服务和url部署扫描器,你可能会在一个不需要j2ee的应用中使用这种配置,或者以该配置为基础自定义配置。
2)default:缺省配置,包括除了rmi/iiop和集群的所有j2ee服务。
3)all:这种配置包括所有的jboss服务。
3、启动
为了启动jboss,在windows下:
键入:cd %jboss_home%bin;
键入:run [-c default|minimal|all]。
在unix下:
键入:cd $jboss_home/bin;
键入:./run [-c default|minimal|all]。
如果jboss启动成功,你应该可以看到以下输出:
12:16:27,812 info [server] jboss (mx microkernel) [4.0.1sp1 (build: cvstag=jboss_4_0_1_sp1 date=200502160314)] started in 20s:429ms
一旦服务器启动成功,你就可以通过在浏览器中打开http://localhost:8080/jmx-console/来验证所有的j2ee服务是否都启动了。这是jboss的管理台,它将显示当前配置下jboss正在运行的所有服务以及每个服务的详细内容。
4、关闭
如果在windows的命令行窗口或者当前的unix shell下运行jboss,只需要简单的按下ctrl+c即可关闭jboss。
如果在windows下不能看见命令行窗口:
打开一个新的命令行窗口;
键入:cd %jboss_home%bin;
键入:shutdown -s或者shutdown --server=url
如果在unix shell的后台运行:
打开一个shell;
键入:cd $jboss_home/bin;
键入:./shutdown -s或./shutdown --server=url
Install JBOSS on Linux
在linux下安装jboss
在linux下安装jboss
1.下载jdk-1.4.*.bin(http://www.sun.com)的linux二进制包
2.下载jboss-3.2.*.tar.gz
3.安装jdk
解压jdk到一个路径如:/usr/local/jdk,然后把"/usr/local/jdk/bin"添加到路径中去.并且设置JAVA_HOME ="/usr/local/jdk". 如果java能够执行,则说明安装正确.
4.安装jboss
解压jboss到一个目录中如:/usr/local/jboss,然后添加"/usr/local/jboss"到路径中,并设置jboss_home="/usr/local/jboss"
然后执行run.sh,打开浏览器http://localhost:8080,如果有测试页显示,说明安装成功!
在/root目录下配置 .bash_profile 添加环境变量
在/usr/local/jboss/bin 运行 sh run.sh 启动jboss服务器
jboss的后台运行命令 nohup ./run.sh&
2007年6月11日星期一
Install JBOSS 4.0.5 or 4.2.0 on AIX 5L.在 AIX 安装 JBOSS 4.0.5 or 4.2.0全过程
Installation of JBOSS on AIX
在 AIX 安装 JBOSS 全过程
在 AIX 安装 JBOSS 全过程
This is a successful procedure for installation of JBOSS.
This can also be referred for UNIX, HP-UX, Linux
1. Operating System:
IBM AIX 5.2 (minimum AIX level 5200-07 (APAR IY67914) for 32 Bit
or> 5200-07 (APAR IY67914) for 64 Bit)
2. Java Development Tools:
IBM Java SDK 5.0
Download from: http://www-128.ibm.com/developerworks/java/jdk/aix/service.html)
3. downlaod JBoss 4.0.5 or later
Download from: http://labs.jboss.com/jbossas/downloads
Please take great note that if you downlaod both jboss-4.2.0.GA-src.tar.gz and jboss-4.0.5.GA-src.tar.gz and use the commands of gunzip and tar to unpack it, you will encounter problem as the error, tar: 0511-169 A directory checksum error on media; 1 not equal to 44318. if you use command, tar xvhif jboss-4.0.5.GA-src.tar to unpack the package you also don't know how to build them as well as you encounter problems.
4. For item 3, pls downlaod windows format version, jboss-4.0.5.GA.zip or jboss-4.2.0.GA.zip
5. Please downlaod unzip of AIX from http://aixpdslib.seas.ucla.edu/packages/unzip.html
6. On AIX server, first copy jboss-4.0.5.GA.zip to /asw directory for example, then
#cd /asw
# unzip jboss-4.0.5.GA.zip. after this you will see a directory, jboss-4.0.5.GA created
#ls -l
/asw/jboss-4.0.5.GA
7. Now please set up the enviroment variables
# export JBOSS_HOME=/asw/jboss-4.0.5.GA
# export JAVA_HOME=/usr/java5_64
# export PATH=//usr/java5_64/bin:/asw/jboss-4.0.5.GA/bin:$PATH
After this setting up for environment variables , you need to test if Java5 is working
pilecms:/home/csadmin#>java -version
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build pap64dev-20070511(SR5))
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 AIX ppc64-64 j9vmap6423-20070426 (JI
T enabled)
J9VM - 20070420_12448_BHdSMr
JIT - 20070419_1806_r8
GC - 200704_19)
JCL - 20070511
8. Now you can start up JBOSS server
#run.sh --> you can see lots of info, showed on screen
#nohup run.sh& ---> backend run Jboss serveer
For example as below
# run.sh
=========================================================================
JBoss Bootstrap Environment
JBOSS_HOME: /asw/jboss-4.0.5.GA
JAVA: /usr/java5_64/bin/java
JAVA_OPTS: -Dprogram.name=run.sh -Xms128m -Xmx512m -Dsun.rmi.dgc.client.gcInte
rval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000
CLASSPATH: /asw/jboss-4.0.5.GA/bin/run.jar:/usr/java5_64/lib/tools.jar
=========================================================================
11:51:29,867 INFO [Server] Starting JBoss (MX MicroKernel)...
11:51:29,876 INFO [Server] Release ID: JBoss [Zion] 4.0.5.GA (build: CVSTag=Bra
nch_4_0 date=200610162339)
11:51:29,881 INFO [Server] Home Dir: /asw/jboss-4.0.5.GA
11:51:29,882 INFO [Server] Home URL: file:/asw/jboss-4.0.5.GA/
11:51:29,885 INFO [Server] Patch URL: null
11:51:29,885 INFO [Server] Server Name: default
11:51:29,886 INFO [Server] Server Home Dir: /asw/jboss-4.0.5.GA/server/default
11:51:29,887 INFO [Server] Server Home URL: file:/asw/jboss-4.0.5.GA/server/def
2007年6月10日星期日
google adsense key words
google 高价广告词
google 高价广告词
[mesothelioma lawyers] $48.61
[peritoneal mesothelioma] $48.38
[mesothelioma attorneys] $45.04
lexington law firm $33.91
[mesothelioma] $33.83
eloan $33.27
lexington law $31.43
[mesothelioma symptoms] $31.41
eloan com $28.47
alicante car hire $27.24
[mesothelioma info] $25.79
equity line of credit $23.46
alicante airport car hire $22.65
trans union llc $21.15
consolidate loans $21.03
home equity loans $20.98
domain name search $20.74
cheap term life insurance $20.10
mega life and health $19.71
trans union $19.43
ross simon jewelry $19.36
asbestos cancer $19.34
[asbestos mesothelioma] $19.06
home equity line of credit $18.65
lendingtree $18.50
car hire malaga $17.31
prostate cancer treatment $17.20
[malignant pleural mesothelioma] $16.30
domain name lookup $16.30
car hire in malaga $15.39
dedicated hosting $15.34
northwestern mutual life $15.11
anti spam software $15.03
at t phone $14.95
credit repair $14.76
chase credit $14.12
credit counseling $13.98
purchase domain name $13.92
car hire florida $13.74
computer rental uk $13.71
cheap domain names $13.38
selectquote $13.26
online degree $13.22
medical billing software $13.09
rental car in costa rica $13.06
internet domain registration $12.95
affiliate marketing $12.90
auto cheap insurance $12.90
register internet name $12.86
projector rental $12.83
Mesothelioma $12.79
cheap domain $12.72
help desk software $12.65
education degree online $12.56
registering domain name $12.44
domain search $12.19
ecommerce hosting $12.13
ocean finance $12.12
registering domain $12.02
register domain names $11.97
budget rental $11.94
car hire spain $11.81
debt problems $11.69
baines and ernst $11.69
consumer credit counseling $11.68
budget car hire $11.67
register web page $11.66
[asbestos] $11.55
criminal justice degree online $11.48
car hire in spain $11.43
capital one credit card $11.42
voip canada $11.40
support hose $11.31
best hosting $11.26
domain name $11.22
student credit cards $11.21
domain registration $11.19
purchase domain $11.19
adult friend finder $11.16
register domain name $11.14
line of credit $11.12
cheap hosting $11.11
capital one credit $11.07
prostate cancer $11.07
payperclick $11.05
low cost domain registration $11.05
computer rental $11.00
car hire malaga airport $10.90
domain name registry $10.79
domain name registration $10.77
airlines credit card $10.74
degree education on line $10.71
cheapest domain registration $10.61
voip phone service $10.52
car hire malaga spain $10.49
accept credit cards $10.46
debt solutions $10.43
consolidate $10.39
visa gift card $10.33
domain name check $10.32
lexapro and alcohol $10.28
domain names $10.20
merchant account $10.17
domain lookup $10.08
free legal advise $10.05
domain who is $10.02
online accounting degree $9.92
online texas hold em $9.83
buy a domain $9.81
free legal advice $9.77
voip test $9.69
cheap web hosting $9.57
available domain name $9.57
cheap domain name registration $9.49
register domain $9.48
free online legal advice $9.47
ross simon $9.46
my fico score $9.43
student credit card $9.41
online paralegal degree $9.41
accept credit $9.29
asbestos lung cancer $9.28
cyprus car hire $9.25
email marketing software $9.24
credit counseling service $9.18
support stocking $9.14
cheap domain registration $9.11
trw credit $9.08
adwords $8.97
life experience degree $8.95
hosting reviews $8.94
drug and alcohol rehab $8.94
att voip $8.94
search engine marketing company $8.91
buy domain name $8.90
online texas holdem $8.88
call center software $8.87
debt consolidation $8.86
cheap asp hosting $8.86
domain hosting $8.85
linux hosting $8.83
buy domain $8.82
affiliate programs $8.77
credit card processing $8.72
website domain names $8.71
cheap health insurance $8.62
online nursing degree $8.59
web hosting $8.59
one credit card $8.59
money exchange rates $8.58
credit counselors $8.52
debt $8.48
alcohol rehab $8.44
online holdem $8.44
lennox china $8.39
debt management $8.38
“web position gold” $8.37
domain name transfer $8.35
best web hosts $8.32
web site register $8.29
domain registry $8.26
voip testing $8.22
jesus is my homeboy $8.21
microsoft certification $8.20
voip phone system $8.19
consolidating $8.18
per click $8.18
lung cancer treatment $8.17
web host rating $8.16
domain registrars $8.16
cheap domain hosting $8.15
register web address $8.15
credit card applications $8.14
survey software $8.12
register a web site $8.12
cheap insurance $8.07
blue cross and blue shield $8.07
mba degree online $8.06
online psychology degree $8.01
domain name hosting $8.01
her first lesbian sex $8.01
att cellular phone $7.94
make extra money $7.91
make money fast and easy $7.85
lenox china $7.84
low interest credit $7.83
lingo voip $7.81
hosting $7.75
domain name registrar $7.75
cheap domain name $7.72
crm software $7.71
uk hosting $7.71
student credit $7.70
sponsored links $7.70
credit card services $7.66
consumer credit $7.64
master degree on line $7.64
web servers $7.61
addwords $7.60
cheap domain registrations $7.58
hard drive recovery $7.57
att wireless ringtone $7.54
register a website $7.51
nursing pda software $7.51
reseller hosting $7.50
friend finder $7.50
eharmony $7.50
low interest $7.47
make money quick $7.44
credit application $7.43
fast loans $7.42
vonage voip $7.38
secured $7.37
visa cards $7.36
scheduling software $7.35
car hire usa $7.29
[lung cancer] $7.29
broadband phone $7.27
gas prices compare $7.26
alcohol treatment center $7.23
online master degree $7.20
at t cellular phone $7.20
adult friend $7.19
payday loans $7.17
online credit report $7.15
on line degree $7.14
ways to make money fast $7.13
domain registration uk $7.13
mlm software $7.12
online movie rental $7.12
web domain $7.10
yahoo domain $7.08
fico score $7.07
blue cross blue shield $7.06
cheap website hosting $7.03
adult finder $7.02
loans $6.99
christian book store $6.98
car hire malaga airport spain $6.97
turbo tax $6.96
credit card application $6.96
hosting service $6.96
review web host $6.93
web name registration $6.91
low cost hosting $6.89
register a url $6.87
hosting services $6.87
voip service $6.87
satellite phone rental $6.87
satellite phone $6.84
hosting providers $6.81
free credit check $6.76
credit card offers $6.75
homeowner’s $6.75
voip equipment $6.75
dollar rental $6.74
hard money lenders $6.70
insurances $6.70
christian book distributor $6.67
website hosting $6.63
domain $6.62
integon $6.62
student loan $6.62
criminal justice degree $6.62
asp hosting $6.61
citifinancial $6.60
“sponsored links” $6.58
interest credit cards $6.58
uk web hosting $6.57
money at home $6.57
domain name uk $6.56
low interest credit cards $6.55
register
原文链接http://20061015.tianyablog.com/blogger/post_show.asp?BlogID=707969&PostID=8164844&idWriter=0&Key=0
2007年6月5日星期二
Google adsense 100个中文关键词
以前站长网透露过top 5000的英文关键词。现在有人爆料top100的中文关键词。这样是很危险的误导。也是对站长的不负责。
外汇 有效 ¥17.83 - ¥26.74
美容 有效 ¥5.45 - ¥6.81
印刷 有效 ¥2.11 - ¥3.09
广告 有效 ¥0.54 - ¥0.94
性病 有效 ¥0.68 - ¥1.13
成人用品 有效 ¥0.56 - ¥0.93
鲜花 有效 ¥4.12 - ¥5.18
健康 有效 ¥0.50 - ¥0.98
彩票 有效 ¥0.22 - ¥0.39
杀毒 有效 ¥0.65 - ¥0.68
游戏 有效 ¥0.52 - ¥0.90
乙肝 有效 ¥3.79 - ¥5.68
女人 有效 ¥0.22 - ¥0.40
婚庆 有效 ¥1.84 - ¥2.63
建材 有效 ¥0.71 - ¥1.19
汽车 有效 ¥0.60 - ¥1.00
电子 有效 ¥0.28 - ¥0.53
电脑 有效 ¥1.03 - ¥1.71
健康 有效 ¥0.50 - ¥0.98
外贸 有效 ¥0.67 - ¥1.26
学习 有效 ¥0.32 - ¥0.43
投资 有效 ¥0.93 - ¥1.84
教育 有效 ¥0.50 - ¥0.65
服务器 有效 ?.51 - ?.96
虚拟主机 有效 ?.66 - ?.67
电影 有效 ?.32 - ?.40
域名 有效 ?.39 - ?.59
目前google adsense有考察机构,当发现你的网站并非与关键词有关联的属性而大量出现类似的关键词,帐户必被封。如果类似的行业网站,可以参考以上关键词,定位自己的网站。
2007年6月4日星期一
在HP-UX下建立只归属于某个目录下的ftp账户
如何建立一个只归属于某个目录下的ftp账户?如ftptest通过ftp登陆到系统时,
系统认为/home/ftptest就是他的根(/)。
以下方法在hpux11下测试通过,如在hpux下实现此功能,需要安装wu_ftp这个软 件,或者更新你的ftp。
假设要在系统中建立一个ftptest(属于ftptest组),要想在它ftp的时候始终在
/home/ftptest目录以及它的子目录下。下面是他的建立步骤。
1。在/etc/passwd中建立相应的ftptest条目,注意他的主目录的写法:
ftptest:Aci$xi:555:555:ftp user for chroot:/home/ftptest/./:/bin/ksh
(确信/etc/shells中有/bin/ksh,否则请加上,密码由你自己决定 )
2。在/etc/passwd中建立相应的组ftptest
ftptest::555:ftptest
3。建立/home/ftptest以及相应的目录(主要是~ftp/usr/bin和~/ftp/etc)
#mkdir /home/ftptest
#chown ftptest:ftptest /home/ftptest
#su - ftptest
$pwd //make sure it is under /home/ftptest
$mkdir -p usr/bin
$cp /sbin/ls usr/bin ; cp /bin/pwd usr/bin
$mkdir etc
$cp /etc/passwd etc ; cp /etc/group etc (为了安全,你需要修改passwd中
不必要的项,如root)
4。编辑/etc/inetd.conf
确信ftp的那一行是这样写的:
ftp stream tcp nowait root /usr/lbin/ftpd ftp -l -a (一定要加上 -a 这
个参数)
5。重新初始化inetd : 执行: inetd -c
6。产生相应的ftpaccess/ftpgroups文件
#cd /etc/ftpd
#touch ftpgroups
#vi ftpaccess //这个文件的内容大致如下:
class all real,guest,anonymous *
# Define the line that limits the ftponly group to their own directories
# in the ftp-root heirarchy.
guestgroup ftptest //这里要和你的组ftptest一致。
email xxxx@xxxx.com //这里用你自己的email地址
loginfails 5
readme README* login
readme README* cwd=*
message /welcome.msg login
message .message cwd=*
compress yes all
tar yes all
chmod no guest,anonymous
delete no guest,anonymous
overwrite no guest,anonymous
rename no guest,anonymous
log transfers anonymous,real inbound,outbound
shutdown /etc/shutmsg
passwd-check rfc822 warn
How to find what is the version of C++ of HP-UX
HP-UX下如何确定已安装C++ 的版本?
本文出自: http://www.hp.com.cn
Ansi C++ (aCC)
用下面的命令确定版本:
what /opt/aCC/bin/aCC
您看到的结果应当与下面类似:
- HP-UX 11.x
HP aC++ B3910B A.03.05
HP aC++ B3910B A.03.04 (970930) Support Library
- HP-UX 10.x
HP aC++ B3910B A.01.07
HP aC++ B3910B A.01.01 Support Library
- HP-UX 9.x
This product is NOT supported on 9.0X
第一行给出已安装产品的产品名称(HP aC++),产品编号(B3910B),以及当前版本。
第二行给出aCC 支持库的产品名称,产品编号,以及当前版本,它通常与编译器
的版本不同。
Cfront C++ (CC)
对于HP-UX 11.x和10.x,用下面的命令确定版本:
what /opt/CC/bin/CC
您应当在 HP-UX 11.x 和 10.x上看到与下面类似的结果:
- HP-UX 11.x
HP C++ HPCPLUSPLUS A.11.00 (971008) AR
- HP-UX 10.0X
HP C++ HPCPLUSPLUS A.10.32
对于HP-UX 9.x,用下面的命令确定版本:
what /usr/bin/CC
您应当在HP-UX 9.x上看到与下面类似的结果:
HP C++ HPCPLUSPLUS A.03.78
how to reduce the size of var for HP-UX
HP-UX如何改变/var目录的大小?
#reboot
进入维护模式 hpux -lm
#vgchange -a y vg00
#lvextend -L 500 /dev/vg00/lvol8
#extendfs -F vxfs /dev/vg00/rlvol8
#mount /dev/vg00/lvol8 /var
#bdf
#reboot
HP-UX的内核参数的修改
/usr/conf/master.d/core-hpux
设定HP-UX的核心环境,对核心环境进行管理。但修改后不能立即对核心参数进行管理。
因为系统会向boot.config读出参数,所以只有移走boot.config,然后再用getkinfo
重建boot.config文件。在SAM--》Kernel configuration--> Parameter会自动运行
getkinfo 命令。
先修改/usr/conf/master.d/core-hpux:
*range maxfiles<=60000
*range maxfiles_lim<=60000
把/var/sam/boot.config文件mv成boot.config.bak
mv /var/sam/boot.config /var/sam/boot.config.bak
然后运行
/usr/sam/lbin/getkinfo -b
to recreate the boot.config file.
本文出自:www.hp.com.cn 作者
在HP-UX服务器上实现用户空间限制
一、前言:
---- 在网络和多用户系统日益流行的今天,大家共亨服务器实现各种不同的应用已日趋广泛。惠普公司的HP-UX企业服务器以其良好的开放性、稳定性、易扩充性及优异的服务而广泛应用于我国金融、气象、石化、电信等大用户、大行业中,并创造了巨大的经济效益。但随着服务器用户的大量增加,尤其近年来Internet的迅猛发展,服务器空间、容量虽不断扩充但仍日趋紧张,用户访问后留下的大量废文件不仅降低了服务器的整体性能,也影响了其它用户的正常使用。本文介绍的是如何在HP-UX服务器上实现用户空间限制,达到规划合理、规范使用、互不影响、良性发展的目的。
---- 二、环境设置:
---- 操作系统选 HP-UX 10.10 或 HP-UX 10.20。
---- 以系统中存在两个用户 sea 和 sky为例。
---- 用户空间所在主目录为 /home,所在物理卷为 /dev/vg01/lvol1,用户空间限制为5M, 最多不超过8M,容纳文件数为20个,最多不超过30个。如果超出限制给予警告,提示清理,此时还可进行新的写入,如果用户在给定时间(设为20天)内未清理或继续操作超出了设定的最大限制,禁止新的写入。用户清理文件低于限制后,一切才恢复正常。
---- 三、实现步骤:
---- 1.用root用户登录
---- 如果用户所在主目录/home 没有mount上,执行#mount /dev/vg01/lvol1 /home
---- 2.生成名为quotas的控制参数文件:
---- #cpset /dev/null /home/quotas 600 root bin /dev/null 表示文件 /home/quotas 开始为一空文件。600 root bin表示该文件的限、属主及属组.
---- 3.通过命令/usr/sbin/edquota 设置用户空间参数。
---- 对sea用户:
---- #/usr/sbin/edquota sea
---- 针对提示按以上环境设置配置如下:
---- fs /home blocks (soft = 5000, hard = 8000) inodes (soft = 20, hard = 30)
---- 注: 以后需删除该用户时,先执行以上相同命令,修改其中的soft= 及 hard= 值均为0,这样该用户从系统中删除后,/home/quotas文件不保留该用户信息。
---- 4.复制以上参数给其它用户(本例为sky)
---- #edquota -p sea sky
---- 5.设置超出基本限制后允许用户继续操作的时间范围。
---- #edquota -t
---- 针对提示按以上环境设置配置如下:
---- fs /home blocks time limit = 20.00 days , files time limit = 30.00 days
---- 注: 如果不设limit值,系统缺省为7天。
---- 6. 激活用户空间限制功能。
---- 先修改 /etc/fstab文件,将原其中一行
---- /dev/vgo1/lvol1 /home hfs rm,suid 0 2 改为:
---- /dev/vgo1/lvol1 /home hfs rm,suid, quota 0 2
---- 通过以下三种方法激活用户空间限制功能
---- < 1 >系统重启。
---- < 2 >无需重启系统,执行:
---- #umount /home
---- #mount /home
---- #quotacheck -v /home
---- 注:quotacheck 检查/home/quotas文件的一致性和正确性并自动修正。
---- < 3 >无需umount /home,执行:
---- #quotaon -v /home
---- #quotacheck -v /home
---- 即可实现对以上操作的两用户 sea 和 sky 进行合理的限制。
---- 四、日常维护
---- 1.用户通过quota -v命令检查自己空间的使用情况,收到告警时及时清理 废文件或请求系统管理员修改原定参数。
---- 2.如要关闭某用户空间限制功能,例sea用户, 系统管理员使用命令:
---- #edquota sea
---- 修改其中soft= ,hard= 的值改为0即可。
---- 3.系统管理员查看/home下的所有用户空间使用情况可使用命令:
---- #repquota /home
---- 4.超级用户root不受以上限制
---- 五、结束语
---- 经过以上配置后,HP-UX服务器不再经常提示空间满信息,各用户均正常工 作,互不影响,针对某些特殊用户的需求,系统管理员调整相应参数即可。
本文出自:http://www2.ccw.com.cn 作者:杨跃峰
怎样升级到HP-UX 11.0?
升级到11.0之前
-----------------------
按照手册'Installing HP-UX 11.0 and Updating HP-UX 10.x to 11.0.'中的说明,
删除补丁信息。参考附录C,第8节,265页的`Loading HP-UX Patches Using
Ignite-UX,'。按照说明`Removing Prior Patch Information'中的指导去做。
如果您在更新前没有删除补丁信息,当您升到11.0时它仍然会存在那里,占用大约140MB
的磁盘空间(主要是被补丁程序替代的旧软件)。一旦升到了11.0,您仍然可以清除10.X
的补丁信息。但是,您不能使用swremove去删除10.X补丁本身。
如果您准备升级的10.X系统已经被打过补丁,您可以在升级到11.0之前,使用下列步骤
从IPD中删除以前所有的补丁信息:
1.键入下面的命令,把IPD(在/var/adm/sw/procducts中)作备份:
find /var/adm/sw/products | cpio -pdumv /tmp
2. 输入swmodify命令:
swmodify -u PH[CKNS][OLES]_\*\.* PH[CKNS][OLES]_\*
注:在第二项中的第一个选择,'PH[CKNS][OLES]_\*.\*'告诉swmodify删除补丁产
品的所有文件集信息。一旦文件集信息删除,第二个选择删除产品信息。如果在
IPD中有任何文件集存在,swmodify命令将不允许您从IPD中删除产品。为了防止
shell扩展通配字符,反斜线是必须的,否则,会启动swmodify去为补丁程序匹配
所有的软件选择。在系统上,您不应该有任何真正的产品或文件集匹配这些常规表
达。
3. 删除补丁目录:
rm -rf /var/adm/sw/patch
SD要求
------
在您从HP-UX 10.x升级到11.0之前,您必须安装SD(软件发行人(Software Distributor))
的新的11.0版本。这个要求还适用于您即使从11.0的一个版本变到另一个版本(32位到
64位或相反)。您不能使用您系统上的当前SD版本去装载HP-UX11.0。如果您试图这样
做的话,升级就会失败。
您首先要把名为swgettools的实用命令装入您的系统,接着使用swgettools得到SD的新
版本。按照'Installing HP-UX 11.0 and Updating from HP-UX 10.x to 11.0.'第
二章的`Updating SD-UX Before Installing/Updating Software'的指导去做,指导
内容位于26页。
另外,参考 'Patch May Be Needed To Run SD'一节,第23页的Readme。
唯一不必预装11.0 SD的情况是您在一个没有操作系统的新系统上进行“冷安装”
HP-UX 11.0,或 “重新冷安装”,也就是清空系统磁盘,重新开始。在那种情况下,您不必首先安装SD的原因是安装程序将会为您做这一切。
Swinstall 的必选项
------------------
swinstall命令在您的系统上装入新软件。
重要:如果您正在从10.30上升级,您不能在交互式菜单上使用swinstall的图形用户
界面(graphical user interface)(GUI))。参考'Running swinstall
on 10.30'的第15页。
在您更新HP-UX之前,swinstall的11.0版本必须安装到您的系统上。要得到详细信息,参
看'New Version Required'的第13页。这个版本的swinstall要求选项指明新操作系统的
名称和版本。尽管您打算用菜单界面交互式的运行swinstall,您也必须在命令行上指名这
些选项。例如,为了在交互式模式调用swinstall将HP-UX 10.x升级到11.0的32位版本,
键入下面的命令:
swinstall -x os_name=HP-UX:32 -x os_release=B.11.00
从HP-UX 10.20升级到64位11.0
----------------------------------------
参考'Do You Have the Right Hardware and Firmware?'的第11页,确定您的硬件支持64位HP-UX 11.0。
从HP-UX 10.20 升级到11.0的64位版本, 使用这个命令:
swinstall -x os_name=HP-UX:64 -x os_release=B.11.00
在32位 HP-UX 11.0和64位 11.0之间转换
------------------------------------
注意:在升级到11.0时,或在11.0的32位版本和64为版本之间转换时,决不要使用
“ -x allow_incompatible=true”选项。如果您使用这个选项,它可能会导致升
级失败和系统可能不能启动。
在32位 11.0和64位 11.0之间转换,使用下列步骤:
1.装入SD的新版本,就象您正在从10.x升级一样。
注:参看'New Version Required'的第13页。
2.用适当的选项-x os_name 和 -x os_release来执行swinstall,并指明
-x reinstall=true 和 -x reinstall_files=true。例如,将32位的11.0升级位64位
的11.0。
swinstall -x os_name=HP-UX:64 -x os_release=B.11.00 \
-x reinstall=true -x reinstall_files=true
注:在10.30的图形用户界面上运行swinstall,它提供交互式的菜单,在
10.30到11.0的升级中将不起作用,请使用命令行界面(对一个批处理更新),或
终端用户界面(为终端设计的非图形界面)。
- 从命令行更新:
a.获取SD的新版本。
注:参看`New Version Required'的第13页。
b.运行swinstall,指明软件选择选项,以及os_name和os_release,如
本例中所示:
swinstall -x autoreboot=true -x os_name=HP-UX:32 \
-x os_release=B.11.00-x match_target=true
- 使用终端界面更新:
a. 获取SD的新版本.
注:参看`New Version Required'的第13页。
b.确保您的显示变量没有设置,例如:
export DISPLAY=
c.运行swinstall,指明os_name和os_release,例如:
swinstall -x os_name=HP-UX:32 -x os_release=B.11.00
本文出自: http://www.hp.com.cn
这里是一些为升级到HP-UX 11.0的基本指令。为了得到更多的细节,参见手册
'Installing HP-UX 11.0 and Updating HP-UX 10.xto 11.0,'
'Installing HP-UX 11.0,' 和 'Readme Before Installing or
Updating to HP-UX 11.0.'
HP-UX 根磁盘故障后如何恢复?
解决方法
准备恢复的步骤
-----------------------------
这是您可以提前完成的工作,这些工作可使故障后的恢复更轻松一些:
1. 定期打印下列命令的输出:
/usr/sbin/ioscan -fk
/usr/sbin/vgdisplay -v
/usr/sbin/lvlnboot -v
/usr/sbin/lvdisplay -v /dev/vgXX/lvYY (对每个逻辑卷)
/usr/sbin/pvdisplay -v /dev/dsk/c#t#d0 (对每个LVM 磁盘)
cat /etc/fstab
fax = cat /etc/fstab
2. 使用SAM Backup and Recovery、fbackup或其它任何支持的方法,确认进行了可靠的系统完全备份。在每一次大的系统修改之后,使用COPYUTIL 可能会很有帮助。这是从支持介质上完成的。
注:这样就不必执行下面部分的第2步。
3. 在非根卷组中额外复制下面的文件:
/etc/passwd
/etc/group
/etc/lvmtab
/etc/lvmconf/ (整个目录)
/etc/fstab
/etc/rc.config.d/ (整个目录)
恢复步骤
----------------------
1. 如果可能,对除vg00之外的其它卷组执行vgexport(1M)。确保使用了映射文件的选项。
例: vgexport -v -m vg00.map /dev/vg01
2. 在根磁盘上重新安装,指定vg00需要的所有逻辑卷和磁盘。一定要记住这些磁盘的设备文件可以重新映射。根据需要扩展所有的文件系统。
3.用备份恢复根卷组中除下表中的文件之外的所有文件(通常为 vg00):
/etc/fstab
/etc/lvmtab
/etc/lvmconf/
/etc/ioconfig
/stand/ioconfig
/dev/dsk/
/dev/rdsk/
/dev/rmt/
/dev/vg*
所有的非vg00 安装点
4. 从磁带恢复映射文件,如果没有映射文件则跳过这一步。
5. 对其它卷组执行vgimport,指定适当的映射文件。记住要一次指定所有的磁盘设备文件。
例: vgimport -v -m vg02.map /dev/vg02 /dev/dsk/c1t4d0
/dev/dsk/c1t3d0
6. 编辑 /etc/fstab,以正确地反映所有的文件系统。
7. 对于任何其它系统配置的“恢复“,请参考第1步中收集的信息。
8. 如果没有映射文件,则重命名 /dev/vgxx/lvoly,将文件名rlvoly 为它们最初的名字(例如 /dev/vg01/foo and rfoo)
本文出自: http://www.hp.com.cn (2001-05-29 20:10:00)
配置信息
操作系统 - HP-UX
版本 - 10.20
硬件系统 - HP9000
系列 - K220
HP-UX 常用的维护命令
1) tail 和 head
使用tail命令可以查看文件的尾部,head命令则查看文件的头部。
# tail filename
# tail -f filename; 使tail不断执行,当文件被写入时显示文件的新行。
#head filename
2) date 和 cal
cal命令显示日历。
# cal 2000
# cal 1 2000
3) find
find命令是功能最强的命令之一,但同时也是命令行结构最难以掌握的命令之一。
# find / -print | wc -l 显示系统中所有文件和目录的数目。
# find / -user $LOGNAME -print 显示系统中该用户所有文件和目录。
# find / -size 100 -print 显示文件大小为100 blocks。
# find / -size -100 -print 显示文件大小小于100 blocks 。
# find / -size +100 -print 显示文件大小大于100 blocks 。
# find / -name core -exec rm {} \;查找并删除core文件。
# find . -exec chown $LOGNAME {} \; 修改一个目录下的所有文件的用户所属。
# find .-type d -exec chmod 770 {} \;修改一个目录下的所有目录的权限。
4) stty
该命令用于检查和修改用户当前注册终端的通信参数。
# stty -a;查看当前注册终端的通信参数。
# stty -ixon;设置ixon为off。
#stty ixon;设置ixon为on。
# stty sane;当终端发生混乱时,通常可以产生有益的效果。
5) tset
用于设置终端类型。
tset -s -Q -m ':?hp'
6) cron
cron(chronography,计时),每分钟苏醒一次,查看控制文件以确定当时是否存在应运行的作业,存在则运行之。
# crontab filename ; 创建一个 cron
# crontab -r ; 把cron从crontab去掉
crontab位于目录/var/spool/cron/crontabs下,每个用户的cron文件名是其用户名。
7) ioscan
#ioscan -fn (用这个命令,我们可以看到所有的设备及其设备文件等信息。)
例如:查看CD-ROM的设备文件
#ioscan -fnCdisk
Class I H/W Path Driver S/W State H/W Type Description
===================================================================
disk 6 4.8.0 sdisk CLAIMED DEVICE SEAGATE ST34371W
/dev/dsk/c0t8d0 /dev/rdsk/c0t8d0
disk 7 4.11.0 sdisk CLAIMED DEVICE SEAGATE ST34371W
/dev/dsk/c0t11d0 /dev/rdsk/c0t11d0
disk 5 16/5.2.0 sdisk CLAIMED DEVICE TOSHIBA CD-ROM XM-5401TA
/dev/dsk/c3t2d0 /dev/rdsk/c3t2d0
其中描述为" TOSHIBA CD-ROM XM-5401TA"的设备
就是CD-ROM,设备文件为/dev/dsk/c3t2d0。
8) bdf
该命令用于检查文件系统的使用情况。
#bdf
Filesystem kbytes used avail %used Mounted on
/dev/vg00/lvol1 67733 35561 25398 58% /
/dev/vg01/lvol1 20480 11675 8247 59% /home
各列的含义:
Filesystem:文件系统名
kbytes:字节数,以k为单位
used:已使用空间
avail:尚可使用空间
%used: 已使用空间占本文件系统全部空间比率。
Mounted on: 安装目录
注: %used达到90%以上时,应考虑做必要的文件清理工作
9) lanscan
用 lanscan 命令查看主机中的网卡。例如:
# lanscan
Hardware Station Crd Hdw Net-Interface NM MAC HP-DLPI DLPI
Path Address In# State NamePPA ID Type Support Mjr#
10/4/8 0x00108318E6E8 0 UP lan0 snap0 1 ETHER Yes 119
10/12/6 0x0060B0C44462 1 UP lan1 snap1 2 ETHER Yes 119
上述命令显示主机中有3块网卡,它们的有关参数如下:
硬件地址分别是 10/4/8、10/4/12(Hardware Path)
网卡名是 lan0、lan1(Net-Interface Name列)
各网卡的NMID是 1、2(NMID列)
各网卡的工作状态是 UP、DOWN、UP (Hdw state列)
各网卡的MAC地址是Station Address所对应的列。
一个网卡要能够正常工作,首先它的工作状态(Net-Interface name)必须是UP。
用 ifconfig 命令查看网卡对应的IP地址。例如:
# ifconfig lan0
lan0: flags=863
inet 15.85.114.14 netmask fffff800 broadcast 15.85.119.255
在网卡lan0上的地址是15.85.114.14(inet),子网掩码ffff800,广播地址15.85.119.255
10) ifconfig
# ifconfig lan0
lan0: flags=863
inet 15.85.114.14 netmask fffff800 broadcast 15.85.119.255
在网卡lan0上的地址是15.85.114.14(inet),子网掩码ffff800,广播地址
15.85.119.255
11) 更改主机IP地址
1. 首先使用"lanscan"和"ifconfig"命令查出该网卡的设备名
2. 使用vi命令编辑/etc/rc.config.d/netconf文件。找到
INTERFACE_NAME[0]=lan1
IP_ADDRESS[0]=""
SUBNET_MASK[0]=""
BROADCAST_ADDRESS[0]=""
将原有的IP地址和SUBNET_MASK改成新值
3. 使用vi 命令编辑/etc/hosts文件,改变对应主机名的IP地址
4. 注意:不要在CDE环境中,直接改变IP地址,应退出CDE环境,完成修改过程。
HP-UX系统维护常用配置文件
1./etc/hosts
主机名字解析文件,提供主机名和IP地址的对应。
2./etc/passwd
口令文件,内容为:
登录用户名:加密口令:用户ID:组ID:保留:初始工作目录:shell路径
3. /etc/group
内容为:
组名:加密密码:组ID:所有属于该组的用户。
4. /etc/profile
如果该文件存在,则每个用户登录时将执行该文件。该文件一般用于设置一些通用环境变量,如果用户的home目录中存在.profile文件,则在执行/etc/profile之后,再执行用户的.profile文件。
5. /etc/inittab
内部初始化之后,系统将启动/etc/init这个deamon进程,使/etc/init进程取得引导序列的控制权。而init进程从文件/etc/inittab(init table,初始化表)取得指示,该文件 的内容控制所有init状态,同时也控制那些已消亡进程的再生。
6. /etc/fstab
系统中可以mount的文件系统的信息。
7. /etc/lvmtab
使用命令:
# strings /etc/lvmtab;查看系统VG和磁盘信息。
8. /etc/rc.config.d/netconf
包含系统名称和网络配置信息,如IP地址、子网掩码和路由信息等。
9. /stand/system
包含系统的驱动程序和子系统信息,内核设备信息和一些系统可调参数信息
HP-UX系统安装和配置
1.1 HP-UX系统安装
HP-UX操作系统是预装的,由HP工程师进行配置。
配置包括如下参数:
主机名: CRCT1(上)
CRCT2(下)
此主机名可通过hostname或uname –a 命令查看。
1.2 创建用户帐号
使用sam创建用户帐号halt、test、jzx、train和informix。
并分别用passwd命令给各用户设置口令。
1.3配置磁盘
1.3.1 配置镜像磁盘
Mirror Disk是HP-UX的一套软件包,当系统中安装有两个系统盘时,可以利用该软件的功能来做操作系统的镜像备份,以下是做镜像磁盘的步骤。
1、 执行lvlnboot -v命令检查系统中的启动设备
#lvlnboot -v
Boot
Boot
Swap
Dump
2、 创建第二块系统盘
#pvcreate -B /dev/rdsk/c2t6d0
3、 扩展vg00,添加第二块硬盘
#vgextend /dev/vg00 /dev/dsk/c2t6d0
4、 为第二块磁盘创建boot引导信息
#mkboot /dev/dsk/c2t6d0
5、 扩展vg00中各逻辑卷,添加镜像磁盘
lvextend -m /dev/vg00/lvol2 /dev/dsk/c2t6d0
lvextend -m /dev/vg00/lvol3 /dev/dsk/c2t6d0
lvextend -m /dev/vg00/lvol4 /dev/dsk/c2t6d0
lvextend -m /dev/vg00/lvol5 /dev/dsk/c2t6d0
lvextend -m /dev/vg00/lvol6 /dev/dsk/c2t6d0
lvextend -m /dev/vg00/lvol7 /dev/dsk/c2t6d0
lvextend -m /dev/vg00/lvol8 /dev/dsk/c2t6d0
lvextend -m /dev/vg00/lvol9 /dev/dsk/c2t6d0
lvextend -m /dev/vg00/lvol10 /dev/dsk/c2t6d0
6、 为第二块磁盘创建boot引导信息
#mkboot -a "hpux(;0)/stand/vmunix" /dev/dsk/c2t6d0
7、 执行如下操作后重新启动系统
#lvlnboot -b /dev/vg00/lvol1
#lvlnboot -b /dev/vg00/lvol2
#lvlnboot -b /dev/vg00/lvol3
#lvlnboot -d /dev/vg00 /dev/dsk/c2t6d0
#lvlnboot -R
#shutdown -h -y 0
8、 在启动Main Menu出现时,从第二块磁盘启动
Main Menu:>sea
P0 0/0/2/0.6 intscsia.6 Random access medias
P1 0/0/2/1.6 intscsia.6 Random access medias
P0 0/4/0/0.0 Random access medias
P3 0/10/0/0.1 Random access medias
P4 1/10/0/0.5 Sequene access medias
Main Menu:>bo p1
9、 系统启动以后执行如下操作
#lvlnboot -v
1.3.2添加磁盘阵列柜
使用sam命令添加物理磁盘:
;Disks and Filesam Systems(CRCT1)
选定某个磁盘,在该磁盘上执行:
;Disk Devices
;Disk Array;Actions ;bindMaitainece
出现的菜单可对选定的物理磁盘添加一个新的PV,共添加四个PV,其中两个64G,两个1GB。
1.3.3添加VG02、VG03
;Disks and File Systems(CRCT1)sam
;Volumes Groups
;Actions ;Create
;Modify
;delete
出现菜单以后对上一步创建的两个64GB的PV配置为新的VG02,共128GB。将其中的一个1GB的PV配置为VG03。
1.4配置磁带机
1.4.1 配置磁带机
1、 添加磁带机驱动程序tape
2、 连接核心并重新启动系统
3、 使用磁带机设备
tar cvf /dev/rmt/0m /etc/*
1.4.2 配置磁带库
1、 添加磁带库驱动程序shrgr
2、 连接核心并重新启动系统
3、 查看磁带库设备
ll /dev/ac/*
1.5配置网络
1.5.1使用sam配置网卡
;IP Address on network;Network Configrationsam devices
选择该选项之后会出现网络设备的列表,可以选择在某个设备上配置网络地址或禁止该设备(disable)。
1.5.2 手工配置网卡
编辑/etc/rc.config.d/netconf文件,更改其中的网卡的IP地址。
Lan0
IP=192.168.1.10
SUBNET=255.255.255.0
1.5.3 添加启动静态路由
1、 生成文件/sbin/init.d/route
#more /sbin/init.d/route
route add default 192.168.3.1
2、 生成连接文件
ln -s /sbin/init.d/route /sbin/rc2.d/S750route
3、 查看路由信息
netstat -r
1.5.4 配置bootp远程启动协议
1、 搜索系统中的网卡
#/usr/bin/lanscan
#ifconfig lan0
2、 备份原始文件
#cp /etc/bootptab /etc/bootptab.bak
3、 编辑/etc/bootptab文件
#/usr/bin/vi /etc/bootptab
add a similar entry for each system to be served by this bootp serverr
CRCT2:\
Ht=ether:\
Vm=rfc1048:\
Ha=080009000000:\
Ip=192.168.1.11
Hn:\
Bf=lif2021.bin:\
4、 当CRCT1启动时按空格键中断其启动过程
进入Main Menu状态,键入bo lan.192.168.1.10
interact with IPL (Y,N,or Cancel)?N
接下来就是远程启动的过程。
http://www.douzhe.com/bbsjh/38/225.html
作者:系统工程师
HP-UX操作系统备份与恢复指南
中国惠普公司 客户服务部
系统备份与恢复内容
一、系统备份与恢复常用命令 --------------------------------------2
1. fbackup / frecover ---------------------------------------------2
2. tar -----------------------------------------------------------------6
3. sam ---------------------------------------------------------------7
4. copyutil ----------------------------------------------------------8
5. make_recovery -------------------------------------------------9
二、系统备份与恢复方法与策略 ------------------------------------13
1. 系统备份的策略 ----------------------------------------------12
2. 系统恢复的策略 ----------------------------------------------15
三 、附录
一系统备份与恢复常用命令
1. fbackup & frecover
1.1系统备份命令: fbackup
1) fbackup的常用方式一:
[1] 进入单用户:
# shutdown -y 0
# /etc/mount -a
[2] 系统全备份
# fbackup –f /dev/rmt/0m -0iv / -I /tmp/sysbk.index
-f : 设备文件名 ( such as DDS tape driver)
-i : 要包含的目录
-e: 不包含的目录
- I: 备份内容检索目录
- v: 备份内容详细列表
- 0 : 零级备份
# fbackup –f /dev/rmt/0m -i / -e /home
备份除了目录 /home的所有目录
[3] 说明
1) 该命令方式对系统当前”mounted “ 的文件系统进行备份
2) 备份级别说明
备份级别有0~9 个级别,如果当前系统采用零级备份,当下一次采用5 级
备份时,系统仅将会对有变化的文件进行备份
2) fbackup的常用方式二:
〖1〗# mkdir -p /tmp/fbackupfiles/index
# mkdir -p /tmp/fbackupfiles/log
〖2〗# touch /tmp/fbackupfiles/index/full.`date ’+%y%m%d.%H:%M’`
〖3〗进入单用户
# shutdown –y 0
# /etc/mount -a
〖3〗对系统进行全备份
# fbackup –0vi / -f /dev/rmt/0m \
-I /tmp/fbackupfiles/index/full.`date ’+%y%m%d.%H:%M’` \
2 > /tmp/fbackupfiles/log/ full.`date ’+%y%m%d.%H:%M’`
〖4〗说明
通过该方式可以知到系统备份需要的时间
3)fbackup的常用方式三:
〖1〗进入单用户
# shutdown –y 0
# /etc/mount -a
〖2〗对系统进行全备份
# fbackup –0uv / -f /dev/rmt/0m \
-g /tmp/fbackupfiles/mygraph \
-I /tmp/fbackupfiles/index/full.`date ’+%y%m%d.%H:%M’` \
2 > /tmp/fbackupfiles/log/ full.`date ’+%y%m%d.%H:%M’`
〖4〗说明
a. 文件 mygraph: 包含需要备份的目录,格式如下:
i /users/data
i /home/app
e /oracle/sql
b. 参数 u :
当备份系统成功时,系统将更新 /var/adm/fbackupfiles/dates.
4) fbackup的常用方式四:
备份远程系统
[1] 登录在本地系统时
# remsh backup_sysname ” fbackup –f DDS_sysname: /dev/rmt/0m -0vi / ”
[2] 登录在远程系统时
# fbackup –f backup_sysname: /dev/rmt/0m –0vi /
5) fbackup的常用方式五:
压缩方式备份( 不建议使用、影响系统性能)
[1] 压缩方式备份
# fbackup –0vi /dir -f - | compress | dd of=/dev/rmt/0m obs=10k
“-” : 指向标准输出
[2] 查看备份内容
# dd if=/dev/rmt/0m ibs=10k | uncompress | frecover –I - -f -
1.2 系统恢复命令: frecover
1) 恢复磁带机上所有内容:
[1] 进入单用户:
# shutdown -y 0
# /etc/mount -a
[2] 恢复数据
# frecover –rf /dev/rmt/0m
恢复磁带上的所有数据
-f: 设备文件名
-r: 恢复磁带上的所有数据
-I: 将磁带上文件索引存到指定的文件中
# frecover –I /tmp/index.txt -f /dev/rmt/0m
2) 恢复某一目录:
# frecover -xi /directory
# frecover –x -i /dir1 -i /dir2
# frecover -xoi /dir
-o: 覆盖/dir下已有的、相同名称的文件
# frecover -xvXi /dir
-X: 按磁带上目录恢复数据
# cd /tmp/local; frecover –xvYi /dir
-Y: 按磁带上文件名恢复数据
例如:
# cd /tmp/local
# frecover –xvF -i /home/filename
[恢复结果] /tmp/local/filename 不是 /home/filename
3) 从远程磁带机上恢复数据到本地:
# frecover –xi /dir –f remote_name : /dev/rmt/0m
4) 从本地磁带机上恢复数据到远地系统:
# remsh remote_name ”frecover –xi /dir -f local_name:
/dev/rmt/0m”
2.tar 命令
2.2.1 对系统全备份
# tar cvf /dev/rmt/0m /
2.2.2 备份某目录
# tar cvf /dev/rmt/0m /tmp
2.2.3 改变文件的备份路径
# tar cvf /dev/rmt/0m -C /tmp .
[Note] : 路径 /tmp 在磁带上的备份路径变为 ./
# cd /tmp
# tar cvf /dev/rmt/0m ./*
2.2.4 恢复数据
# tar xvf /dev/rmt/0m (磁带上所有数据)
# tar xvf /dev/rmt/0m /tmp ( 恢复目录 /tmp )
2.2.5 查看磁带上的数据
# tar tvf /dev/rmt/0m
3. SAM
1) 备份数据
# sam
----> Select “ Backup and Recovery “
---- >Select “ Interactive Backup and Recovery “
---- >Select “ Backup Device “
---- > Select “ Backup Files Interactively “ ( From [ Action ] menus )
----- > Select Backup Scope
----- > Select Local File Systems Only ( no NFS )
----- > Select “ OK “
2) 检查备份的数据
[1] 检查文件 /var/sam/log/br_log
Notes: if Exit code=2, there is problem on backup procedure.
[2] 查看磁带上有那些文件
# frecover –rNsv –f /dev/rmt/0m
4. Copyutil
1) 如何启动 “ Copyutil “
[1] 从CD boot , 进入ISL
BOOT_ADMIN>boot scsi.n.m ( path of CDROM drive----such as scsi.4.0)
[2] ISL>ode copyutil
Type help for command information
[3] ISL_CMD>copyutil
please wait while scan device bussess…
TY Indx Path Product ID Bus Size Rev
D 0 16/5.6.0 SEAGATEST31230N disk drive SCSI 1.0 GB HPM4
D 1 16/5.5.0 SEAGATEST31230N disk drive SCSI 1.0 GB HPM4
T 2 16/5.0.0 HPC1504[X]/HPC1521B DDS tape SCSI n/a 1009
2) 备份系统硬盘上的所有数据
COPYUTIL>backup
Enter the disk index ([q]/?): 0
Enter the Tape index ([q]/?): 2
Use data compression? (y/[n])? Y
When backup finished, system will show: DONE!
COPYUTIL> exit
3) 恢复数据到指定的系统硬盘上
COPYUTIL> restore
Enter the Tape index ([q]/?): 2
Enter the disk index ([q]/?): 0
Use data compression? (y/[n])? Y
After system display: Restored Successful, that means restore is finished!
COPYUTIL> exit
4) 注意:
当用copyutil备份Root Disk到相应的磁带时,该磁带可以作为bootable 磁带使用
5 make_recovery
1) 安装 “Ignite-UX application”
[1] 从 “ HP-UX Application CD-ROM “ 上安装
1) # swinstall
2) “Mark” [A. 1.53 HP-UX Installation Utility( Ignite-ux for 10.20)]
3) “Analysis”
4) “Install”
[2] 从 WebSite 下载并安装:
1) http://www.software.hp.com/
Select : “ Network & System administration ”
Download: “ ignite-ux_10.20.tar”(10.20 为 OS 版本)
2) 从硬盘上安装:
# cd /tmp
# tar xvf /dev/rmt/0m ./ignite-ux_10.20.tar
# swinstall –s /tmp/ignite-ux_10.20.tar
3) 从磁带上安装:
# dd if=/tmp/ignite-ux_10.20.tar of=/dev/rmt/0m bk=2
# swinstall –s /dev/rmt/0m
[4] make_recovery:
/opt/ignite/bin make_recovery [ -AprvC] [-d destination] [-b boot_destination]
-A : 指定要备份整个Root disk / Volume Group
-p : 预览备份过程,并不创建 Bootable DDS Tape
a. 确认 /var/opt/ignite/recovery/mkrec.append 文件
b. 创建 /var/opt/ignite/recovery/arch.include 文件
-r : 使用 –p 选项后,可以用该选项创建 Bootable DDS Tape
a. 该选项可以识别 /var/opt/ignite/recovery/arch.include 文件
-v : 用于显示备份过程的提示信息
-d : 指定DDS 的设备文件名 ( default: /dev/rmt/0mn )
-b : 指定系统备份过程中,用到的临时文件 ( default: /var/tmp/uxinstlf.recovery )
该文件大小为 32M, 对系统进行make_recovery 时,要注意 /var 文件系统
的大小,当 /var 文件系统大小不足时,可用如下命令对系统进行备份:
# make_recovery –A -C -b /tmp/uxinstlf.recovery
-C : 创建反映系统当前状态的文件: /var/opt/ignite/recovery/makrec.last
如果该文件存在,那么可以用 check_recovery 命令
[5] 注意:
用make_recovery备份的磁带是bootable 磁带,用它可以安装OS。
2) 备份系统Root Disk
[1] 创建 “ 最小”OS 的 bootable DDS tape (default 设备文件: /dev/rmt/0mn )
# make_recovery
[2] 创建 “ 最小”OS 的 bootable DDS tape (设备文件: /dev/rmt/c0t1d1BESTn )
# make_recovery –d /dev/rmt/c0t1d1BESTn
[3] 先预览,再创建 bootable DDS tape
# make_recovery -p
# vi /var/opt/ignite/recovery/arch.include
# make_recovery -r
[4] 复制 整个 Root Disk
# make_recovery -A
[5] 复制 整个 Root Disk, 且生成反映系统当前状态的文件:
( /var/opt/ignite/recovery/makrec.last )
# make_recovery -C -A
[6] 实例分析 :
(1) 系统文件系统:
Filesystem kbytes used avail %used Mounted on
/dev/vg01/osdepot 2621440 2530838 84872 97% /osdepot
/dev/vg01/lvol1 480341 58696 373610 14% /var
/dev/vg01/lvol7 378965 297521 43547 87% /usr
/dev/vg01/lvol6 588643 245540 284238 46% /opt
/dev/vg00/lvol3 107669 38577 58325 40% /
/dev/vg00/lvol1 67733 12409 48550 20% /stand
/dev/vg00/lvol4 30597 19 27518 0% /tmp
/dev/vg00/lvol5 19861 1416 16458 8% /home
(2)分析:
[a] make_recovery:
vg00: /stand, /sbin, /dev, /etc, /tmp, /home
vg01: parts of /opt and /var (see Core-OS list)
/usr/bin, /usr/lib
/usr/obam, /usr/sam,
/usr/share, /usr/ccs,
/usr/conf, /usr/lbin,
/usr/contrib, /usr/local,
/usr/newconfig
[b] make_recovery -A:
vg00: 备份Root Volume Group 上的所有数据
vg01: 备份non-Root volume Group 上的所有数据
只有当/usr 位于non-root volume group时,
该 non-root volume group 上的所有数据也将
被备份到磁带上
3) 复磁带上的所有数据
(1) 非交互式恢复系统
[1] 在磁带机中,插入系统恢复带
[2] Boot 系统
[3] 中断Boot 流程,进入 Boot_admin> 提示下
[4] Boot_admin> bo 8/16.0.0
8/16.0.0: 磁带机的 hardware path
[5] 选取 “ non-interactive ”
[6] 等待系统恢复完毕
(2) 交互式恢复系统
[1] 在磁带机中,插入系统恢复带
[2] Boot 系统
[3] 中断Boot 流程,进入 Boot_admin> 提示下
[4] Boot_admin> bo 8/16.0.0
8/16.0.0: 磁带机的 hardware path
[5] 不选取 “ non-interactive ”
[6] 选取
a. [ Install HP-UX ]
b. [ Advanced Installation ]
c. 配置或改变如下选项:
disks, file systems,
hostname, IP ddress,
timezone, root password,
DNS server, and gateway
[7] 选取 [install continue… ],直到系统恢复完毕
二 系统备份 / 恢复方法及策略
2.1 系统备份的策略
〖1〗HP-UX Core-OS:
这部分内容主要包括一些HP-UX用到的文件系统,如
/, /opt, /var,/tmp, /usr, /home, /stand 通常这些文件系统
位于vg00中。
备份的方法:
(1) fbackup :
# fbackup –0vi / -f /dev/rmt/0m \
-I /tmp/fbackupfiles/index/full.`date ’+%y%m%d.%H:%M’` \
2 > /tmp/fbackupfiles/log/ full.`date ’+%y%m%d.%H:%M’
详见 ( fbackup的常用方式二)
(2) make_recovery :
# make_recovery –C -A -b /tmp/oslif.rec
详见 ( make_recovery)
〖2〗系统配置文件
对于系统一些关键性的文件或信息需要单独进行备份
这样有利于对系统进行恢复。这些文件或信息包括:
(1) 系统Swap 信息
#swapinfo –t
(2) 系统文件系统信息
#bdf
(3) 系统的 I / O 信息
# ioscan –fnCdisk
(4) /etc/fstab
(5) 系统逻辑卷配置文件
/etc/lvmconf/vg00.conf 、vg01.conf、vg02.conf
这些逻辑卷配置文件可以用命令:
vgcfgbackup / vgcfgrestore 生成和恢复
(6) 利用HP的Tools 收集和备份系统的配置信息
这些Tools 包括:LVMcollect.10
collect.sh
capture.sh
collect.conf
备份的方法:
(1) tar
# tar cvf /dev/rmt/0m ./vg00.conf ./vg01.conf
(2) fbackup
# fbackup –f /dev/rmt/0m –i /etc/lvmconf/vg01.conf
〖3〗系统其它逻辑卷 ( 如:vg01 、vg02)
备份的方法:
(1) fbackup :
# fbackup –0uv / -f /dev/rmt/0m \
-g /tmp/fbackupfiles/mygraph \
-I /tmp/fbackupfiles/index/full.`date ‘+%y%m%d.%H:%M’` \
2 > /tmp/fbackupfiles/log/ full.`date ’+%y%m%d.%H:%M’`
(2) tar
# tar cvf /dev/rmt/0m /oracle/app /home/oracle
〖4〗数据库的备份
请参照数据库的备份方法
2.2 系统恢复的策略
〖1〗用fbackup / tar 对系统进行备份时
1) Install Core-OS
2) 恢复vg00 / vg01 / vg02 的备份内容
# frecover –o –r –f /dev/rmt/0m
〖 2 〗用make_recovery 对系统进行备份时
1) 用磁带boot system, 恢复vg00
详见 make_recovery 的恢复方法
2) 恢复其它逻辑卷
# frecover -o –r -f /dev/rmt/0m
HP-UX 11.0 Installation Checklist
Securing UNIX GCUX Practical Assignment
Version 1.6b
HP-UX 11.0 Installation Checklist
By Della Schmidt
HP-UX 11.0 Installation Checklist
This document is to be used as a guide to help create a secure HP-UX 11.0 Internet ready server. Since this is to be a secure install it is advisable that the server remain off the network/internet until it has been completely configured. You will need to have some way to transfer files so the system will need either a tape drive or a cdrom physically attached. It is also advisable not to have a C compiler installed on the system. (While this won’t stop a determined hacker it will make it just a little bit harder for them.) Since the machine will not have a compiler you will need to do the compiles on a different machine and transfer the binaries between them.
HP-UX Minimal OS Installation
To cold-install HP-UX 11.0, you must have the following:
A supported HP 9000 server or workstation (see Appendix A)
64 MB memory, minimum
128 MB swap space, minimum
2GB root disk volume, minimum
You will need the following CD’s ready:
HP-UX 11.0 Install/Update/Recovery CD, March 2001 or later.
Core OS Options CD (for technical servers and workstations).
Support Plus CD, March 2001 or later (for hardware/critical patch bundle, diagnostics and iCOD product), is needed.
HP-UX 11.0 Application Software CDs
1. ____ Make sure all peripherals are turned on.
2. ____ Turn on the server or recycle the power.
3. ____ Load the Install and Core OS CDROM into the CD-ROM driver.
4. ____ Interrupt the autoboot process, by pressing any key during the 10 second interval that is given. This is so the system can be
booted from the Core OS CDROM.
5. ____ Once autoboot was been interrupted you should now see the autoboot menu.
6. ____ Boot from the device that contains the Core OS CDROM. Usually the alternative boot path is the CDROM drive.
But to verify that you can type search and view all defined boot devices.
bo alt OR bo
7. ____ You should now be asked: Interact with IPL (Y or N) ?> Type n.
8. ____ The install kernel will take 3-5 minutes to install.
9. ____When that has completed a screen will appear asking for the keyboard language of the console. Respond with the correct number
and press ENTER.
10. ____ The Welcome to Ignite-UX screen will be displayed.
11. ____ Tab to Install HP-UX field and press Enter.
12. ____ From the User Interface and Media Options screen, verify that these choices are selected:
Source Location Options: Media-only installation – installing from the local CD drive.
User Interface Options: Guided Installation – provides an install wizard with limited choices.
13. ____Now proceed through each screen to configure your system:
Basic Configuration: Commercial Servers – this will install HP-UX 11.0 Core OS software, required ACE patches, general recommended core (XSWGR1100), latest hardware-enablement and critical (HWCR) patches, diagnostic products and COD Client Product for HP-UX 11.0
Software Selection: Select needed mass-storage and networking I/O driver products.
Languages: Click the Languages button to view CDE-languages bundles to be loaded. Global is set by default when installing on workstations, resulting in all available CDE-language bundles being installed. Global (Non-CDE) is set when installing on servers to indicate that a generic, CDE-language bundle will be installed.
14. ____ Review any messages that Ignite-UX encountered. Resolve any errors before continuing with the installation.
15. ____ Select: Finish
16. ____ The system will now configure the disk(s) and load a minimum set of commands and libraries. Software Distributor will
download all the products and patches from the CD.
17. ____ As prompted, replace the HP-UX 11.0 Install/Update/Recovery CD with the requested CD from the media box.
18. ____ The system will automatically reboot after all software has been loaded.
19. ____ Set_parms will run and asked you to set
root password
date,
time,
time zone,
IP address
other network parameters.
Updating Applications
After installing HP-UX 11.0, install other needed applications
1. ____Use swinstall to install new software that was not included as part of the basic OS installation. The latest versions of HP-UX software products are provided on the HP-UX Applications CDs. To find the contents of each CD, mount any HP-UX Applications CD and view the TOC file.
2. ____ After installing the software, complete any post-install configuration. This will be explained in the software’s release notes or manual. Most documentation for HP-UX applications are either on the HP-UX Instant Information CD or on HP's documentation Web site: docs.hp.com/hpux/os/11.0/
HP-UX Patches Installation
To track down know HP software vulnerabilities and solutions, use the HP Security Archive on the IT Resource Center Web site. Each bulletin contains a description of the problem, which versions of the Operating System are affected and the solution. To access this information go to:
http://itrc.hp.com
Search Technical Knowledge Base
Security Bulletin Archive
You can also subscribe to HP’s Security Bulletin Digest. You will receive an email update of new vulnerabilities as they are identified. To sign up for this go to:
http://itrc.hp.com
more…
support information digests
Modification of the Boot Process
Closely review the startup scripts and identify all unnecessary services. You will then want to stop these services from starting up by renaming the startup script file that can be found in /sbin/rc?.d. By renaming the link instead of deleting it, it will be easier if you have to invoke the process in the future. Please pay particular attention to insecure network services. You should be able to eliminate everything in /sbin/rc3.d.
1. ____ Review /etc/rc.log to determine which processes are started on boot
2. ____ Rename NFS-related links
/usr/bin/mv /sbin/rc2.d/S400nfs.core /sbin/rc2.d/.NOS400nfs.core
/usr/bin/mv /sbin/rc2.d/S430nfs.client /sbin/rc2.d/.NOS430fns.client
/usr/bin/mv /sbin/rc3.d/S100nfs.server /sbin/rc3.d/.NOS100nfs.server
3. ____ Rename RPC link
/usr/bin/mv /sbin/rc2.d/S590Rpcd /sbin/rc2.d/.NOS290Rpcd
4. ____ Rename Sendmail links
/usr/bin/mv /sbin/rc2.d/S540sendmail /sbin/rc2.d/.NOS540sendmail
5. ____ If this is machine not going to be a DNS server, rename DNS link
/usr/bin/mv /sbin/rc2.d/S370named /sbin/rc2d/.NOS370named
6. ____ Rename everything in /sbin/rc3.d
/usr/bin/cd /sbin/rc3.d
for file in S*
do
mv $file .NO$file
done
Create a script to ensure that the startup scripts run with a proper umask [14]
1. ____ /usr/bin/echo ‘umask 022’ > /sbin/init.d/umask.sh
2. ____ /usr/bin/chmod 744 /sbin/init.d/umask.sh
3. ____ Add umask.sh to startup script directories by running the following script
/usr/bin/umask 022
for d in /sbin/rc?.d
do
/usr/bin/ln –s /sbin/init.d/umask.sh $d/S000umask.sh
done
Inetd is the internet daemon that controls access to network services that are started on an as needed basis. Many of the services are considered unsafe. Therefore it is very important to review these services and disable ones that are not absolutely necessary. The Berkley “r” programs have a long history of abuse so make sure that shell and login services are disable. You may also want to consider disabling bootps, exec, ntalk, echo and charge. In fact the ideal situation would be not to run inetd at all. (If inetd is not running you will not have remote access to the machine, until ssh is installed and configured)
1. ____ Disable inetd – Preferred method
/usr/bin/mv /sbin/rc2.d/S500inetd /sbin/rc2d/.NOS500inetd
/usr/bin/rm /etc/inetd.conf
2. ____ inetd enabled – but with all unnecessary disabled
/usr/bin/vi /etc/inetd.conf
comment out (place # at the beginning of a line) all unnecessary services
/usr/bin/kill –HUP inetd
Network Tuning
Reconfigure various network parameters to reduce your vulnerability to smurf attacks, SYN floods and ARP spoofing attacks. A description of the listed network parameters can be found in Appendix B. You can use ndd –h sup to list all supported network parameters. Use ndd –h unsup to list unsupported network parameters. HP recommends that you DO NOT make changes to unsupported parameters.
1. ____/usr/bin/vi /etc/rc.config.d/nddconf
2. ____ Add following entries:
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_send_redirects
NDD_VALUE[0]=0
TRANSPORT_NAME[1]=ip
NDD_NAME[1]=ip_ire_flush_interval
NDD_VALUE[1]=60000
TRANSPORT_NAME[2]=arp
NDD_NAME[2]=arp_cleanup_interval
NDD_VALUE[2]=60000
TRANSPORT_NAME[3]=ip
NDD_NAME[3]=ip_forward_directed_broadcast
NDD_VALUE[3]=0
TRANSPORT_NAME[4]=ip
NDD_NAME[4]=ip_forward_src_routed
NDD_VALUE[4]=0
TRANSPORT_NAME[5]=ip
NDD_NAME[5]=ip_forwarding
NDD_VALUE[5]=0
TRANSPORT_NAME[6]=tcp
NDD_NAME[6]=tcp_ip_abort_cinterval
NDD_VALUE[6]=60000
3. ____ ndd –c for the changes to take effect
File System Configuration
Some file systems are static in nature and won’t change unless you’re doing some type of upgrade. Therefore to safeguard against unkown modifications to the files in these file systems and possible addition of trojan horses, it makes sense to mount these files systems read-only. (/usr and /opt are examples) You also want to ensure that setuid programs are not executed in a non-root file system. To do this these file systems must be mounted with the nosuid option. (/var and /home are examples). An example of a secure /etc/fstab can be found in Appendix C.
1. ____ /usr/bin/vi /etc/fstab
2. ____ Add ro option to /opt and /usr
3. ____ Add nosuid to /stand, /var, /home
/usr/local by default has been configured with world-writeable permissions on all directories. Change this to a safer 755.
1. ____ find /usr/local –type d –exec chmod 755 {} \;
Remove write group permissions for /etc/.
1. ____ chmod –R g-w /etc
Remaining Network Services
If the machine is to be a DNS client then you’ll need to define the domain and it’s name server(s). You will have to configure which sources the resolver will use and in which order. You should configure so that the host file is checked first then DNS.
1. ____ /usr/bin/touch /etc/resolv.conf
2. ____ /usr/bin/echo “domain
3. ____ /usr/bin/echo “nameserver
4. ____ /usr/bin/chown root:root /etc/resolv.conf
5. ____ /usr/bin/chmod 644 /etc/resolv.conf
6. ____ /usr/bin/cp /etc/nsswitch.files /etc/nsswitch.conf
7. ____ /usr/bin/vi /etc/nsswitch.files
modify the hosts entry from hosts:files to hosts:files [NOTFOUND=continue] dns
8. ____ /usr/bin/chown root:root /etc/nsswitch.conf
9. ____ /usr/bin/chmod 644 /etc/nsswitch.conf
Convert to a Trusted System
HP-UX offers some additional security features such as, a more stringent authentication system, auditing, terminal access control and time-based access control. These are in addition to the normal Unix security mechanisms that are generally available. But to take advantage of these features the system must be converted to a trusted system.* If security is important, it is recommended this be done. To convert a system you would need to:
/usr/sbin/sam
Select “Auditing and Security”
Select “System Security Policy”
Select “YES”
You need to convert to a Trusted System before proceeding. The
conversion process does the following things:
1. Creates a protected database on the system for storing security
information.
2. Moves user passwords in "/etc/passwd" to this database.
3. Replaces all password fields in "/etc/passwd" with "*".
For more details, refer to the "System Security" chapter of the
"System Administration Tasks" manual.
Do you want to convert to a Trusted System now?
[ Yes ] [[No ]]
You will then see a message telling you that you’re converting to a trusted system...
Next you will receive a “Successfully converted to a trusted system” message. Press OK continue.
Time to setup your security policies. The following are recommendations only. Please curtail yours to fix your environment.
Use this screen to set system policies for user accounts. Policies
apply to all users unless user-specific policies are set.
If you choose more than one of the following options, users will
choose which one of these options they prefer at login time.
Password Selection Options:
[ ] System Generates Pronounceable
[ ] System Generates Character
[ ] System Generates Letters Only
[X] User Specifies
User-Specified Password Attributes:
[X] Use Restriction Rules
[ ] Allow Null Passwords
Maximum Password Length: 8
[ OK ] [ Cancel ] [ Help ]
Use this screen to set system password aging policies. Policies
apply to all users unless other user-specific policies are set.
Password Aging: [ Enabled ->]
Time Between Password Changes (days): 20
Password Expiration Time (days): 90
Password Expiration Warning Time (days): 14
Password Life Time (days): 180
[ OK ] [ Cancel ] [ Help ]
Use this screen to set system policies for user accounts.
Policies apply to all users unless user-specific policies
are set.
Lock Inactive Accounts:
< > Enabled
<*> Disabled
Unsuccessful Login Tries Allowed: 6
[X] Require Login Upon Boot to Single-User State
[ OK ] [ Cancel ] [ Help ]
Use this screen to set system policies for
terminals. Policies apply to all terminals
unless terminal-specific policies are set.
Unsuccessful Login Tries Allowed: 10
Delay Between Login Tries (sec.): 2
Login Timeout Value (sec.): 0
[ OK ] [ Cancel ] [ Help ]
* Network Information Service (NIS) is not supported on a trusted system.
System And Process Auditing
Now that the system has been converted to a trusted system and your security policies have been set. It’s time to turn on auditing.
/usr/sbin/sam
Select “Auditing and Security”
Select “Audited Events”
Select “Actions”
Select “Turn Auditing On”
File List View Options Actions Help
Turn Auditing ON
Auditing Turned: OFF
Set Audit Monitor and Log Parameters...
View Audit Log...
Audited Events Unconvert the System 18 selected
=======================================
Audit (nothing selected)
Event Type Success
admin Yes Yes acct, adjtime, audctl, audswitch, clock_ ^
close No No close, ksem_close, mq_close, munmap
create No No creat, mkdir, mknod, msgget, pipe, semge
delete No No ksem_unlink, mq_unlink, msgctl, rmdir, s
ipcclose No No fdetach, shutdown
ipccreat No No bind, socket, socket2, socketpair, socke
ipcdgram No No
ipcopen No No accept, connect, fattach
login Yes Yes
modaccess No No chdir, chroot, fchdir, link, lockf, lock v
< >
Next you need to select which events you want to audit. At the very minimum you should audit
admin - Logs all administrative and privileged events.
login - Logs all logins and logouts
modaccess - Logs all access modifications other than DAC
moddac - Logs all modifications of object’s discretionary access controls
Setup a cron job to collect system diagnostic messages.
1. ____ /usr/bin/crontab –e
2. ____ Insert the following 2 lines
# log kernel diagnostic messages every 10 minutes
05,15,25,35,45,55 * * * * /usr/sbin/dmesg - >>/var/adm/messages
User Access Control
Tight controls must be maintained on user’s accounts. You should only have accounts on a system that are necessary for the applications that are running.
Restrict root login to just the console. User must use su to login as root.
1. ____ /usr/bin/touch /etc/securetty
2. ____ /usr/bin/echo console > /etc/securetty
3. ____ /usr/bin/chmod 400 /etc/securetty
Enable password history and password reuse. On a trusted systems, the system administrator can enable the password history feature to discourage users from reusing previous passwords
1. ____ /usr/bin/touch /etc/default/security
2. ____ /usr/bin/echo “PASSWORD_HISTORY_DEPTH=10” > /etc/default/security
3. ____ /usr/bin/chown bin:bin /etc/default/security
4. ____ /usr/bin/chmod 444 /etc/default/security
Lock all “pseudo-accounts”, including uucp, lp, nnucp, sys, hpdb and www. These are logins that are not associated with individual users and do not have true interactive shells. They are in the password file because they are owners of files.
1. ____ /usr/bin/vi /etc/passwd and change the default shell to /dev/null
2. ____ Lock accounts using /usr/bin/passwd –l
3. ____ Remove any files in /var/spool/cron/crontabs except for root
4. ____ Remove any files in /var/spool/cron/atjobs except for root
Ensure that root is the only login that has access to run crontab and at commands
1. ____ /usr/bin/echo root > /var/admin/cron/cron.allow
2. ____ /usr/bin/echo root > /var/adm/cron/at.allow
3. ____ /usr/bin/chmod 400 /var/adm/cron/cron.allow
4. ____ /usr/bin/chmod 400 /var/adm/cron/at.allow
5. ____ /usr/bin/rm /var/adm/cron/cron.deny
6. ____ /usr/bin/rm /var/adm/cron/at.deny
Restrict ftp access. At a minimum all logins with uid < 100 should not be able to ftp. Also add any other logins that do not need to ftp to /etc/ftpd/ftpusers.
1. ____ /usr/bin/touch /etc/ftpd/ftpusers
2. ____ /usr/bin/chown root:root /etc/ftpd/ftpusers
3. ____ /usr/binchmod 600 /etc/ftpd/ftpusers
4. ____ Add administrative logins to /etc/ftpd/ftpusers
for names in root, daemon, bin, sys and adm
do
echo $names >> /etc/ftpd/ftpusers
done
Check for /etc/hosts.equiv, ~/.netrc and ~/.rhost files. The existence of these files can allow selected users to be granted password-free access to a system. There shouldn’t be any of these files on your system. But if you have a need for them, check that they are not world-writeable and that there is no + in them. A + means the system will trust all other systems. You can use the following command to search for these files. You should run this command periodically and review the output.
1. ____ /usr/bin/find / \( -name .rhosts –o –name .netrc –o -name hosts.equiv \) -exec ls -ldb {} \; -exec more {} \;
If you are still running inetd and are allowing ftp access you will want to log ftp access to /var/adm/syslog/syslog.log and change the default umask to 022.
1. ____/usr/bin/vi /etc/inetd.conf
2. ____ Add –l and –umask –22 to ftpd
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -umask 022
Add umask 022 and TMOUT to /etc/profile. Umask 022 will restrict file permissions. TMOUT will limit how long a session can set idle. But remember these can be easily overwritten in ~/.profile.
1. ____ /usr/bin/vi /etc/profile
2. ____ insert umask 022
3. ____ insert TMOUT=1800 (TMOUT is in seconds)
Statutory Warnings
Add a warning message that machine is for authorized use only and that all activity is subject to monitoring. It is believed that having such a warning, could aid in the prosecution of any computer crimes involving that machine. You should however, consult with legal counsel about the wording of the message. The following is an example of one such message.
This system is the property of the Company ABC. All activities
on this system are subject to monitoring for illegal or unauthorized activity.
Anyone using this system expressly consents to such monitoring and is advised
that if monitoring reveals possible improper or criminal activity, system
personnel may provide the evidence of such monitoring to authorities.
1. ____ /usr/bin/touch /etc/issue
2. ____ /usr/bin/touch /etc/motd.
3. ____ /usr/bin/chown root:root /etc/issue
4. ____ /usr/bin/chown root:sys /etc/motd
5. ____ /usr/bin/chmod 644 /etc/issue
6. ____ /usr/bin/chmod 644 /etc/motd
7. ____ copy warning message to /etc/issue and /etc/motd
8. ____ /usr/bin/vi /etc/inetd.conf *
9. ____ add –b /etc/issue to the end of the telnetd
telnet stream tcp nowait root /usr/lbin/telnetd telnetd -b /etc/issue
* This is assuming you’re running inetd. If not, disregard this step.
Sendmail
Sendmail is very often a security risk. Therefore it is very important that you be running the newest version or at least a fully patched version. Also since most machines only need to send out mail to a relay host, many of sendmail functionalities can be disabled. You can download the latest version of sendmail for http://www.sendmail.org.
1. ____ replace the existing /etc/mail/sendmail.cf [14] with the following
# Minimal client sendmail.cf
### Define macros
# define the mail hub – Put hostname for local site here.
DRmailhost
# define version
V8
# my name for error messages
DnMAILER-DAEMON
# UNIX initial From header format
DlFrom $g $d
# delimiter (operator) characters (old $o macro)
Do.:%@!^/[]+
#From of the sender’s address
Dq<$g>
# queue directory
OQ/var/spool/mqueue
### Mailer Delivery Agents
#Mailer to forward mail to the hub machine
Mhub, P=[IPC], S=0, R=0, F=mDFMuCX, A=IPC $h
#Sendmail requires these, but they are not used
Mlocal, P=/dev/null, F=rlsDFMmnuP, S=0, R=0,A=/dev/null
Mprog, P=/dev/null, F=lsDFMeuP, S=0, R=0 A=dev/null
### Rule sets
S0
R@S+ $ #error $: Missing user
R$+ $ #hub $@$R $:$1 forward to hub
S3
R$*<>$* $n handle <> error address
R$*<$$*>$* $2 basic RFC822 parsing
Since you have removed sendmail from the startup scripts you should schedule a cronjob to run sendmail every hour so any mail can be processed.
1. ____ crontab -e
2. ____ add the following lines
## run send mail once an hour
* 0 0 0 0 /usr/sbin/sendmail –q
Installation of TCP_WRAPPERS
1. ____ Download from ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
2. ____ /usr/contrib/bin/gzip -dc tcp_wrappers_7.6.tar.gz | tar xvf –
3. ____ /usr/bin/cd tcp_wrappers_7.6
4. ____ /usr/bin/chmod 644 Makefile
5. ____ /usr/bin/vi Makefile
6. ____ uncomment the REAL_DAEMON_DIR line that refers to HP-UX
REAL_DAEMON_DIR=/etc
7. ____ Change FACILITY=LOG_MAIL to FACILITY=LOG_AUTH
8. ____ Add –DUSE_GETDOMAIN to the BUGS macro definition if not running NIS
9. ____ Make hp-ux
10. ____ /usr/bin/mkdir –p –m 755 /usr/local/sbin
11. ____ /usr/bin/mkdir –p –m 755 /usr/local/include
12. ____ /usr/bin/mkdir –p –m 755 /usr/local/lib
13. ____ for file in safe_finger tcpd tcpdchk tcpdmatch try-from
do
cp $file /usr/local/sbin/$file
chmod 555 /usr/local/sbin/$file
chown root:daemon /usr/local/sbin/$file
done
14. ____ /usr/bin/cp tcpd.h /usr/local/include/tcpd.h
15. ____ /usr/bin/chmod 444 /usr/local/include/tcpd.h
16. ____ /usr/bin/chown root:daemon /usr/local/include/tcpd.h
17. ____ /usr/bin/cp libwrap.a /usr/local/lib/libwrap.a
18. ____ /usr/bin/chmod 555 /usr/local/lib/libwrap.a
19. ____ /usr/bin/chown root:daemon /usr/local/lib/libwrap.a
Installation of Perl
1. ____ Download software HP-UX software porting site
http://hpux.connect.org.uk/hppd/hpux/Languages/perl-5.6.0/
2. ____ /usr/contrib/bin/gunzip gunzip perl-5.6.0-sd-11.00.depot.gz
3. ____ /usr/sbin/swinstall -s perl-5.6.0-sd-11.00.depot \*
Installation of ZLIB
1. ____ Download source from http://hpux.connect.org.uk/hppd/hpux/Misc/zlib-1.1.3/
2. ____ /usr/contrib/bin/gunzip zlib-1.1.3-sd-11.00.depot.gz
3. ____ /usr/sbin/swinstall -s /conv/tara/zlib-1.1.3-sd-11.00.depot \*
Installation of OPENSSL
Installation of OPENSSL needs Perl v5 installed on server.
1. ____ Download software from http://hpux.connect.org.uk/hppd/hpux/Languages/openssl-0.9.6/
2. ____ /usr/contrib/bin/gunzip openssl-0.9.6-sd-11.00.depot.gz
3. ____ /usr/sbin/swinstall -s /conv/tara/openssl-0.9.6-sd-11.00.depot \*
Installation of OPENSSH
Telnet, rlogin, ftp, and other related programs send a user’s password across the Internet unencrypted. Openssh solves this problem by invoking a secure encrypted connection between two untrusted hosts over an insecure network. Openssh is used in place of rlogin and rsh.
1. ____ Download software from
http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/openssh-2.5.1p1/
2. ____ /usr/contrib/bin/gunzip openssh-2.5.1p1-sd-11.00.depot.gz
3. ____ /usr/sbin/swinstall -s /conv/tara/openssh-2.5.1p1-sd-11.00.depot \*
Configuration of TCP-WRAPPERS and OPENSSH
1. ____ for file in /etc/hosts.allow /etc/hosts.deny
do
/bin/touch $file
/bin/chown root:root &file
/bin/chmod 600 $file
done
2. ____ /usr//bin/echo ‘ALL:
replace net1, net2 with the IP addresses of machines that you want to grant access to
3. ____ /usr/bin/echo ‘ALL:ALL: /usr/bin/mailx –s “%s:connection attempt from %a”
replace
4. ____ /usr/bin/cp /opt/openssh/etc/sshd_config /etc/rc.config.d/sshd_config
5. ____ Modify /etc/rc.config.d/sshd_config [14]
Port 22
Protocol 2,1
ListenAddress 0.0.0.0
PidFile /opt/openssh2/etc/sshd.pid
HostKey /opt/openssh2/etc/ssh_host_key
HostDSAKey /opt/openssh2/etc/ssh_host_dsa_key
ServerKeyBits 1024
LoginGraceTime 180
KeyRegenerationInterval 900
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
PrintMotd no
KeepAlive no
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
CheckMail nos
UseLogin no
6. ____ /usr/bin/chown root:root /etc/rc.config.d/sshd_config
7. ____ /usr/bin/chmod 600 /etc/rc.config.d/sshd_config
8. ____ Generate server key files
____ /opt/openssh2/bin/ssh-keygen –b 1024 –N ‘’ –f /opt/openssh2/etc/ssh_host_key
____ /opt/openssh2/bin/ssh-keygen –d –N ‘’ –f /opt/openssh2/etc/ssh_host_dsa_key
9. ____ create sshd startup script (See Appendix D for an example)
10. ____ move script to /sbin/init.d/sshd
11. ____/usr/bin/chown root:sys /sbin/init.d/sshd
12. ____/usr/bin/chmod 744 /sbin/init.d/sshd
13. ____ /usr/binln –s /sbin/init.d/sshd /sbin/rc2.d/S75sshd
14. ____ /sbin/init.d/sshd start
15. ____ /usr/sbin/vi /etc/inetd.conf*
16. ____ modify ftp daemon to include tcp_wrappers*
ftp stream tcp nowait root /usr/local/sbin/tcpd /usr/lbin/ftpd ftpd -l -umask 022
17. ____ modify telnet daemon to include tcp_wrappers*
telnet stream tcp nowait root /usr/local/sbin/tcpd /usr/lbin/telnetd telnetd -b /etc/issue
* If this system has been configured not to run inetd then you can disregard these steps.
LSOF
This utility is used to list files, sockets, etc opened by processes. It also gives a large amount of other related information that can select by process ID, username or filename.
1. ____ Download 32 bit version of the software from HP-UX Software porting site, http://hpux.connect.org.uk/hppd/hpux/Sysadmin/lsof-4.55/
2. ____ /usr/contrib/bin/gunzip lsof-4.51-sd-11.00.depot.gz
3. ____ /usr/sbin/swinstall -s lsof-4.51-sd-11.00.depot \*
1. ____ The 64 bit version binaries can be found at ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/binaries/hpux/B.11.00/64/9000_800/
2. ____ /usr/contrib/bin/gunzip lsof_4.55.gz
3. ____ /usr/bin/mv lsof_455 to /opt/lsof/bin
Backups
Create a Golden Image – use make_tape_recovery to create a bootable system recovery tape for an LVM or whole disk system while it is up and running. When a system has a logical volume layout, the recovery tape will only include data from the root volume group, plus data from any Non-root volume group containing /usr. Data not in the root volume group must be backed up and recovered using normal backup utilities. This golden image can be used to restore a non-bootable system with little or not user intervention, restore a system in the event of a hardware failure, clone software from one system to another.
Make_recovery is part of the Ignite-UX product. It can be downloaded from www.software.hp.com/products/IUX/download.html. More detailed installation instructions can be found at www.software.hp.com/products/IUX/install_instructions.html.
Installing Ignite-UX
1. ____ Downloaded software from www.software.hp.com/products/IUX/download.html
2. ____ Copy ignite11_11.00.tar to /tmp
3. ____ /usr/bin/bdf – Make sure you have at least 50 mb of free space in /opt
4. ____ /usr/sbin/swinstall -s /conv/tara/ignite11_11_00.tar \*
Create a golden image
5. ____/opt/ignite/bin/make_tape_recovery -AvC -d /dev/rmt/0m
Physical Security
It is extremely important that a unix server be placed in a secure environment. It is a fact that anyone who has physical access to the machine can fairly easily gain root access.
1. ____ The server should be installed in a locked environmentally controlled data center with restricted access to the server.
2. ____ If possible the data center should have cameras installed to monitor all activity.
3. ____ The keyboard should be situated away from any cameras, windows or prying eyes.
4. ____ The system should be attached to a UPS with monitoring software that will shutdown the server when power to the UPS has
been interrupted.
5. ____ Backup tapes should be kept in a secure environment.
APPENDIX A – HP-UX 11.0 Supported Systems
Model 32-bit 64-bit
Workstations:
Series 700: 712, 715/64/80/100/100XC, 725/100 X
B132L, B132L+, B160L, B180L X
B1000, B2000 X
C100, C110, C160L X
C160, C180, C180XP, C200, C240, C360 X X
C3000, C3600 X
J200, J210, J210XC X
J280, J282, J2240 X X
J5000, J5600, J6000, J7000 X
Servers:
A180, A180C X
A400, A5xx X
Dx10, Dx20, Dx30, Dx50, Dx60 X
Dx70, Dx80, Dx90 X X
E, F, G, H, I (all) X
Kx00, Kx10, Kx20 X
Kx50, Kx60, Kx70, Kx80 X X
L1000, L2000, L3000 X
N4000/360, N4000/440, N4000/550 X
R380, R390 X X
T500, T520 X
T6xx X X
V22xx, V2500, V2600 X
Enterprise Parallel Servers: EPS22, EPS23, EPS40 X X
APPENDIX B – Network Parameters [5]
ip_send_redirects – causes the machine not to emit any ICMP redirect Packets. Under normal operation this probably won’t have significant security implications.
ip_ire_flush_interval and arp_cleanup_interval – control how long information will live in the system’s ARP cache. The ARP cache maintains a mapping between Ethernet addresses and IP address. The default values are 10 minutes (?????). Lowering these values can help prevent some ARP spoofing attacks but at the cost of more ARP traffic on your local LAN and possibly reduced performance. Think carefully before you change these variables.
ip_forward_directed_broadcast – caused the machine to not transmit packets which are destined for a broadcast network address. If the machine is being used as a gateway between several networks this can help you from being used as an intermediary network in a “smurf” type network attach. The machine will still respond to broadcast packets directed at any LAN it may be connected to.
ip_forward_src_routed – prevents the machine from forwading any packets that have the source routing option turned on.
ip_forwarding – turning off ip_forwarding prevents the machine from accepting and forwarding on packets that are not destined for one of it’s local interface addresses. Such a feature can be used by attackers to bypass other network security measures.
tcp_ip_abort_cinterval – this is how long the kernel will wait for a TCP connection to be completed (in milliseconds). Tuning this value down can also help your system resist SYN flooding attacks.
You can use the following commands to view various information concerning Network parameter.
ndd –h sup – display all the parameters that are supported by HP.
ndd –h unsup – display all the parameter that are not supported by HP. Becareful modifying these!
ndd –c - set tunable parameters
APPENDIX C – Example secure /etc/fstab
/dev/vg00/lvol3 / hfs defaults 0 1
/dev/vg00/lvol1 /stand hfs nosuid 0 1
/dev/vg00/lvol4 /tmp hfs defaults 0 2
/dev/vg00/lvol5 /home hfs nosuid 0 2
/dev/vg00/lvol6 /opt hfs ro 0 2
/dev/vg00/lvol7 /usr hfs ro 0 2
/dev/vg00/lvol8 /var hfs nosuid 0 2
APPENDIX D – Sample SSHD Startup Script
#!/sbin/sh
#
# start up secure shell deaemon - sshd
#
PATH=/usr/sbin:/usr/bin:/sbin
export PATH
rval=0
case $1 in
'start_msg')
echo "Starting the sshd"
;;
'stop_msg')
echo "Stopping the sshd"
;;
'start')
if [ -f /etc/rc.config.d/sshd_config ]
then
/opt/openssh2/sbin/sshd -f /etc/rc.config.d/sshd_config
else
echo "ERROR: /etc/rc.config.d defaults file MISSING"
fi
;;
'stop')
kill `cat /opt/openssh2/etc/sshd.pid`
;;
*)
echo "usage: $0 {start|stop|start_msg|stop_msg}"
rval=1
;;
esac
exit $rval
References:
1. Poniatowski, Marty. HP-UX 10.x SYSTEM ADMINISTRATION “HOW TO” BOOK. Upper Saddle: Prentice Hall PTR, 1996. 1-383.
2. Frisch, Aeleen. Essential System Administration Second Edition. Sebastopol: O’Reilly & Associates, Inc, December 1995. 1-758.
3. Hassell, Bill and Totsch, David. “HP-UX SysAdmin Training Camp”. HPWorld ’99 August 1999.
4. Farrow, Rik. “HP-UX and Internet Security”. HPWORLD ’98 August 1998.
5. Brotzman, Lee and Pomeranz. Hal. “UNIX Practicum”. SANS Institute February 2001.
6. Pomeranz, Hal. “Common Issues and Vulnerabilities in UNIX Security”. SANS Institute February 2001
7. Bishop, Matt. “UNIX Security Tools and Their Uses”. SANS Institute”. SANS Institute Februray 2001.
8. Netsysco Infrastructure Services. “Networking for System Administrators”
9. HP-UX 11.0 Installation and Update Guide March 2001, HP Part Number: 5971-0642. http://www.docs.hp.com/hpux/onlinedocs/5971-0642/5971-0642.html
10. Installing and Updating HP-UX 11.0 Additional Core Enhancements. November 1999, HP Part Number: B3782-90785
http://www.docs.hp.com/hpux/onlinedocs/B3782-90785/B3782-90785.html
11. HP-UX System Administration Tasks , First Edition. January 1995, HP Part Number: B2355-90672
12. Campione, Jeff. “Solaris 8 Installation Checklist”, http://www.sans.org/y2k/practical/Jeff_Campione_GUCX.htm
13. Rhoads, Jason. “HP-UX Security Guide”, http://www.sabernet.net/papers/hp-ux10.html
14. The SANS Institute. “Solaris Security Step by Step Version 2”
订阅:
博文 (Atom)