Sunday, September 27, 2009

Disabling IPv6 lookup for the time being

Just had a chance to open up my hosts file under F11, and saw an entry that got my attention; it was the second row, as shown below.

[root@sawrub-xbox ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@sawrub-xbox ~]#
Moving around the web got me to the conclusion that it's related to IPv6. The IPv6 site also shouted out at me, with my IPv4 IP address.
Thinking it over, questions came up for every answer I was getting; let me collect all the questions together first and make the answers follow them:
Q1] If my machine is still IPv4-only, why is there an IPv6 entry in /etc/hosts?
Q2] Why is this enabled by default?
Q3] How do I stop my applications from looking up IPv6 addresses?
Q4] How do I disable IPv6 on my machine?
Q5] How do I get an IPv6 address?

The answers are here.
A1] The second row is the IPv6 loopback address: ::1 is to IPv6 what 127.0.0.1 is to IPv4. The Linux kernel has had IPv6 built in since 2.2, so the distribution ships the loopback entry whether or not the network you sit on has any IPv6.

A2] IPv4 is now ~30 years old, dating from January 1980, and has done a great job, but the world is running out of addresses as more and more devices come online. The solution is a wider address: IPv6 addresses are 128 bits long, four times as many bits as IPv4's 32, which means 2^128 addresses instead of 2^32.
Enabling it by default ensures that when the transition from IPv4 to IPv6 happens, no reconfiguration is needed.
The drawback of having IPv6 enabled by default is that applications which can use IPv6, such as Firefox, ask the DNS server for the IPv6 (AAAA) record of a name as well as the IPv4 (A) record. A resolver that promptly answers "no such record" costs almost nothing, but a resolver or firewall that silently drops AAAA queries makes the client wait for a timeout before it falls back to the A record, and that wait is what people notice. Switching off IPv6 lookups in the application or the OS avoids the wait, which is why the advice is usually read as "disabling IPv6 increases browsing speed"; it only helps where the resolver path is broken in this way.

A3] Disabling IPv6 in an application can be done if it provides such an option; I do have one for Firefox, which I use most. This needs to be undone when you get an IPv6 address in future and your DNS is capable of

Following are the steps:
1] Type "about:config" in the address bar.
2] In the Filter field, search for "ipv6"; network.dns.disableIPv6 will show up.
3] Right-click the row listing network.dns.disableIPv6 and choose Toggle from the pop-up menu; the value will be set to 'true'. If it isn't, edit the value column and set it to 'true' (I am using Firefox 3.5.3).

A4] Disabling IPv6 in the OS, together with its services and firewall, takes a couple of steps:
[root@sawrub-xbox ~]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=sawrub-xbox
[root@sawrub-xbox ~]#
Check /etc/sysconfig/network for the following entries; if they are present, set them to 'no', as in:
NETWORKING_IPV6=no
IPV6INIT=no
(NETWORKING_IPV6 is the global switch the network scripts check; IPV6INIT is more usually set per interface, in /etc/sysconfig/network-scripts/ifcfg-eth0, so look there as well.)
If the lines are not there, append them:
[root@sawrub-xbox ~]# echo -e "NETWORKING_IPV6=no\nIPV6INIT=no" >> /etc/sysconfig/network
[root@sawrub-xbox ~]# cat /etc/sysconfig/network
--- snipped ---
NETWORKING_IPV6=no
IPV6INIT=no
--- snipped ---
Followed by a few changes to iptables and services.
Stop the IPv6 iptables service:
[root@sawrub-xbox ~]# service ip6tables stop
ip6tables: Flushing firewall rules: [ OK ]
ip6tables: Setting chains to policy ACCEPT: filter [ OK ]
ip6tables: Unloading modules: [ OK ]
[root@sawrub-xbox ~]#
Turning the service off in chkconfig ensures it will not come up at the next boot. Finally, restart the network service.
Note that these steps stop the firewall and the init scripts, but they do not remove the IPv6 module from the running kernel. If an interface still shows an fe80:: link-local address after the restart, the host is now reachable over IPv6 with no ip6tables in front of it, which is worse than where you started. Either blacklist the module or leave ip6tables enabled until you have confirmed the stack is really gone.
[root@sawrub-xbox ~]# chkconfig ip6tables off
[root@sawrub-xbox ~]# service network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
[root@sawrub-xbox ~]#
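As an added example (Python, not part of the original post), here is the check that the steps above need: it parses the sysconfig flags and the text of `ip -6 addr show`, and reports whether stopping ip6tables has left reachable, unfiltered IPv6 addresses behind. The sample texts are constructed to look like Fedora 11 output, and the function names are this example's own.

```python
import re

# Constructed sample of /etc/sysconfig/network after the edit above
# (not the author's real file).
SYSCONFIG_AFTER_EDIT = """NETWORKING=yes
HOSTNAME=sawrub-xbox
NETWORKING_IPV6=no
IPV6INIT=no
"""

# Constructed sample of `ip -6 addr show` on a host whose ipv6 module is
# still loaded after `service network restart`: eth0 kept its
# autoconfigured link-local address.
IP6_STILL_UP = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::216:3eff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

# With the module unloaded, `ip -6 addr show` prints nothing at all.
IP6_GONE = ""


def sysconfig_flags(text):
    """Parse KEY=value lines (comments and blanks ignored) into a dict."""
    flags = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        flags[key.strip()] = value.strip().strip('"')
    return flags


def ipv6_disabled_in_sysconfig(text):
    """True when both switches from the post are set to 'no'."""
    flags = sysconfig_flags(text)
    return (flags.get("NETWORKING_IPV6", "").lower() == "no"
            and flags.get("IPV6INIT", "").lower() == "no")


_INET6 = re.compile(r"^\s*inet6\s+(\S+)\s+scope\s+(\w+)", re.MULTILINE)


def live_ipv6_addresses(ip6_output):
    """(address, scope) pairs from `ip -6 addr show`, minus the ::1 loopback."""
    return [(addr, scope) for addr, scope in _INET6.findall(ip6_output)
            if not addr.startswith("::1/")]


def audit(sysconfig_text, ip6_output, ip6tables_running):
    """Classify the host after the steps above.

    verdict 'off'      : no IPv6 address besides loopback; nothing to reach.
    verdict 'filtered' : stack still up, but ip6tables is in front of it.
    verdict 'EXPOSED'  : stack still up and ip6tables stopped, so the host
                         answers on IPv6 with no firewall at all (link-local
                         addresses are reachable from the same LAN segment,
                         global ones from anywhere).
    """
    addrs = live_ipv6_addresses(ip6_output)
    if not addrs:
        verdict = "off"
    elif ip6tables_running:
        verdict = "filtered"
    else:
        verdict = "EXPOSED"
    return {
        "config_disabled": ipv6_disabled_in_sysconfig(sysconfig_text),
        "live_addresses": addrs,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # The config says IPv6 is off, yet the interface still has an address and
    # ip6tables has been stopped: the sysconfig flags alone prove nothing.
    print(audit(SYSCONFIG_AFTER_EDIT, IP6_STILL_UP, ip6tables_running=False))
    print(audit(SYSCONFIG_AFTER_EDIT, IP6_GONE, ip6tables_running=False))
```

The point of the two calls at the bottom is that the verdict comes from what the kernel actually has configured, not from the file you edited; run the real `ip -6 addr show` through the same function before you take ip6tables out of the boot sequence.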

A5] Lastly, I'll have to live with IPv4, as getting an IPv6 address depends solely on the ISP.

Tuesday, September 22, 2009

Reading a txt file in a Zip

A problem came up: to read a text file without extracting it from the zip archive.
This is how I went about it:

1] The zip file was in my home directory under the name 'archive.zip', so I listed it with:

[sawrub@sawrub ~]# ll archive.zip
-- output omitted --
[sawrub@sawrub ~]#
2] List the files present in the archive:
[sawrub@sawrub ~]# unzip -l archive.zip|tail
-- output omitted --
9999770 09-02-09 12:09 00010b32.jdb
9999963 09-02-09 12:09 00010b33.jdb
6371421 09-11-09 11:36 00010b34.jdb
71 09-11-09 11:49 version.txt
-------- -------
628281884 504 files
[sawrub@sawrub ~]#
3] Now my task was to read version.txt, so I ran:
[sawrub@sawrub ~]# unzip -p archive.zip version.txt
-- output omitted --
[sawrub@sawrub ~]#
and that was it: the member is streamed to stdout and nothing is written to disk, so the 600 MB of .jdb files are never touched.
Definition of the '-p' option per the unzip manual:
-p extract files to pipe (stdout). Nothing but the file data is sent to stdout, and the files are always extracted in binary format, just as they are stored (no conversions).
Because -p writes nothing to disk, it is also the safe way to peek into an archive you do not trust. Member names such as ../etc/something only do damage at extraction time, so always read the -l listing before you extract an archive from an unknown source.
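The same two operations in Python, as an added example that is not part of the original post: an archive is constructed in memory (the member names and contents are made up, one of them deliberately hostile), a member is read without extraction just as `unzip -p` does, and the listing is checked for names that would escape the extraction directory. Function names are this example's own.

```python
import io
import posixpath
import zipfile

VERSION_TEXT = "product=example\nbuild=2009-09-11\n"


def build_sample_archive():
    """Construct a small archive in memory (made-up contents, not the
    author's archive.zip). One member has a deliberately hostile name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("00010b34.jdb", b"\x00" * 64)   # stands in for the big binary .jdb files
        zf.writestr("version.txt", VERSION_TEXT)
        zf.writestr("../etc/cron.d/evil", "* * * * * root /tmp/x\n")
    return buf.getvalue()


def list_members(zip_bytes):
    """Equivalent of `unzip -l`: (name, uncompressed size) for every member."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def read_member(zip_bytes, name):
    """Equivalent of `unzip -p archive.zip name`: the member's bytes straight
    from the archive, decompressed in memory, nothing written to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        with zf.open(name) as member:
            return member.read()


def unsafe_members(zip_bytes):
    """Names that would land outside the extraction directory if an extractor
    used them verbatim: absolute paths, or paths that climb out via '..'."""
    unsafe = []
    for name, _ in list_members(zip_bytes):
        if posixpath.isabs(name) or posixpath.normpath(name).split("/")[0] == "..":
            unsafe.append(name)
    return unsafe


if __name__ == "__main__":
    archive = build_sample_archive()
    for name, size in list_members(archive):
        print(f"{size:>10}  {name}")
    print(read_member(archive, "version.txt").decode())
    print("would escape on extraction:", unsafe_members(archive))
```

Reading one member never touches the hostile entry; it only matters if someone later runs a full extraction, which is exactly why the listing is worth reading first.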


Cheers.

Sunday, September 20, 2009

Preventing Inactive SSH Snapping

Sometimes we face very frequent connection drops in idle SSH sessions, and it is mostly because of "a packet filter or NAT device timing out your TCP connection due to inactivity."
http://www.openssh.com/faq.html#2.12

So here is the workaround.

Linux :
1] Open /etc/ssh/ssh_config (as root). This is the client configuration and applies to every user on the machine; for just your own account, put the same line in ~/.ssh/config instead.
2] Append the following line at the bottom.
3] ServerAliveInterval 60
4] Save the file.
5] No daemon needs restarting: ssh reads ssh_config each time it starts, so the setting takes effect for the next session you open. (The server-side counterpart is ClientAliveInterval in sshd_config, and that one does need sshd reloaded.)
6] The line entered has the following definition.
ServerAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the server, ssh will send a message through the encrypted channel to request a response from the server. The default is 0, indicating that these messages will not be sent to the server. This option applies to protocol version 2 only.
Source: man page of ssh_config [man 5 ssh_config]
Two things worth knowing about these probes: they pair with ServerAliveCountMax (default 3), so once that many probes go unanswered ssh gives up and disconnects, which means a dead peer is noticed after roughly interval times count seconds (3 minutes with the setting above); and because they travel inside the encrypted channel they cannot be spoofed, unlike the TCPKeepAlive option, which relies on plain TCP keepalives.
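As an added example (Python, not from the original post), the resolver below reads ssh_config-style text the way ssh does, first value wins and Host blocks apply only when a pattern matches, and then works out the keepalive budget for a given host: how often a probe is sent, whether that is often enough to keep a NAT or filter from idling the session out, and how long a dead peer takes to be noticed. The config text and hostnames are constructed for the demo; the function names are this example's own.

```python
import fnmatch
import re

# Constructed ssh_config fragment (hostnames are made up). Note the order:
# ssh uses the FIRST value it finds for an option, so the specific Host
# blocks must come before the catch-all `Host *`.
SAMPLE_CONFIG = """# /etc/ssh/ssh_config fragment
Host bastion.example.net
    ServerAliveInterval 15
    ServerAliveCountMax 2

Host *.example.net
    ServerAliveInterval 300

Host *
    ServerAliveInterval 60
"""

# OpenSSH defaults when the option is never set.
DEFAULTS = {"serveraliveinterval": 0, "serveralivecountmax": 3}

_LINE = re.compile(r"(\w+)\s*=?\s*(.*)")


def _host_matches(hostname, patterns):
    """Match ssh-style Host patterns (* and ?; a leading ! negates)."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(hostname, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(hostname, p) for p in positive)


def effective_options(config_text, hostname):
    """Options as ssh would resolve them for `hostname`: scan top to bottom,
    a Host line switches the following block on or off, first value wins."""
    opts = {}
    active = True                      # lines before any Host block apply to all
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = _host_matches(hostname, value.split())
        elif active and key not in opts:
            opts[key] = value
    return opts


def keepalive_budget(config_text, hostname):
    """Seconds until ssh notices a dead peer (interval times count), or None
    when ServerAliveInterval is 0 and no probes are ever sent."""
    opts = effective_options(config_text, hostname)
    interval = int(opts.get("serveraliveinterval", DEFAULTS["serveraliveinterval"]))
    count = int(opts.get("serveralivecountmax", DEFAULTS["serveralivecountmax"]))
    if interval == 0:
        return None
    return interval * count


def survives_idle_timeout(config_text, hostname, device_timeout):
    """True when a probe is sent before a NAT/filter that drops idle flows
    after `device_timeout` seconds would give up on the connection."""
    opts = effective_options(config_text, hostname)
    interval = int(opts.get("serveraliveinterval", DEFAULTS["serveraliveinterval"]))
    return 0 < interval < device_timeout


if __name__ == "__main__":
    for host in ("bastion.example.net", "web.example.net", "other.org"):
        print(host, keepalive_budget(SAMPLE_CONFIG, host),
              survives_idle_timeout(SAMPLE_CONFIG, host, 120))
```

The web.example.net case is the one to watch for: a 300-second interval that sits above a typical NAT idle timeout of a couple of minutes does nothing to keep the session alive, and because the `*.example.net` block comes first, the 60 in `Host *` never applies to it.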


Windows [PuTTY] :
1] Open PuTTY.
2] Select a session and load its settings with 'Load'.
3] Set the protocol to SSH and the port number to 22 [if not the default].
4] Under 'Connection' in the left-hand tree, set 'Seconds between keepalives' to 60 [default 0].
5] Also set the preferred SSH protocol version to '2' under Connection->SSH.
6] Save the settings under 'Session'.
7] Open a new, 'break-free' session.
8] The keepalives are the same kind of small message the ssh manual describes above, sent to the server over the SSH channel.

Cheers...

Tuesday, September 8, 2009

SSH : Secure Shell

SSH [Secure Shell] is a very good mechanism for working on a remote system: the traffic between client and server is encrypted by SSH's own transport protocol (it does not use SSL/TLS), so nobody sitting on the wire can read the data being transferred.

SSH came up as a replacement for the old unencrypted protocols such as telnet, rlogin/rsh/rcp and ftp.
What makes the difference:
- Security
OpenSSH supports 3DES, Blowfish, AES and arcfour as encryption algorithms; these are patent-free. (That is the 2009 list; 3DES and arcfour are no longer considered adequate, and current OpenSSH defaults to AES and ChaCha20.) Encryption is started before authentication, so no passwords or other information are transmitted in the clear. Every packet also carries a message authentication code, which protects against spoofed or modified packets.

- Compression
The -C option requests compression of all data (including stdin, stdout, stderr, and data for forwarded X11 and TCP connections). The compression algorithm is the same one used by gzip. Compression is desirable on modem lines and other slow connections, but will only slow things down on fast networks.

- Key based authentication [RSA / DSA]
Strong authentication protects against several security problems, e.g. IP spoofing, fake routes and DNS spoofing. The authentication methods are: .rhosts together with RSA-based host authentication, pure RSA authentication, one-time passwords with S/Key, and finally authentication using Kerberos. With public-key authentication the private key never leaves the client, so a compromised or impersonated server cannot harvest it the way it can a password.

- Secure file transfer [scp/sftp]
@ scp
File transfer is carried out over the SSH port (22). scp is much like BSD rcp, but the data is encrypted on the wire, using the authentication and confidentiality of SSH.
Like ssh, scp prompts for any password required to connect to the remote host, which rcp cannot do.
@ sftp
SFTP is not FTP run over SSH, but a new protocol designed from scratch; the role SSH plays is to provide authentication and encryption for the session. In practice sftp transfers are often slower than scp.

- X11 Communication
SSH can carry remote X windows too: with X11 forwarding enabled (ssh -X), a GUI program started on the remote machine displays locally, through the encrypted channel. GNOME's Nautilus also uses SSH for remote file access: type ssh://user:password@hostname in the location bar and within seconds you are browsing the remote machine in the GUI, where files can be dragged and dropped.

Better is to leave the password out of the URI, where it would end up in the location history and on screen for anyone looking over your shoulder, and to type it when prompted: ssh://user@hostname
