• To setup ftp server on CentOS 7, perform following steps:
• Install vsftpd package with yum -y install vsftpd
• Edit the range of ports that is to be used by ftp service in /etc/vsftpd/vsftpd.conf

pasv_min_port=3000
pasv_max_port=3500

• Use systemctl command to enable vsftpd at boot time:

systemctl enable vsftpd.service
systemctl start vsftpd.service

• Open ftp port in firewall with:

firewall-cmd --add-port=21/tcp --add-port=3000-3500/tcp --permanent
systemctl restart firewalld.service

• To set selinux which will allow regular uer to get and put files to server:

setenforce 1
setsebool -P ftpd_full_access 1

Disclaimer: Links given on this page to external websites are provided for convenience only. SeiMaxim has not checked the following external links and is not responsible for their content or link availability. The inclusion of any link on this page to an external website does not imply endorsement by SeiMaxim of the website or their entities, products, or services. You must agree that SeiMaxim is not responsible or liable for any loss or expenses that may result due to your use of the external site or external content.

The following Linux benchmarking and performance tools are available from external sources:

• Unixbench
• sysbench
• tiobench
• ttcp
• sockperf
• siege
• nuttcp
• seeker
• nfsometer
• kcbench
• lmbench
• netpipe
• netperf
• iperf3
• iozone
• httperf
• fio
• dnsperf
• bonnie++
• aio-stress
• bandwidth
• dbench
• nuttcp

• Login on the Linux server (sftp) as root and create a new user account with the following Shell commands:

useradd seimaxim-user
passwd seimaxim-user

• On the client system copy the ssh keys to the server:

ssh-copy-id seimaxim-user@seimaxim-server

• On the client system verify the ssh keys so that a password-less login can be made to the server:

ssh seimaxim-uer@seimaxim-server

• Verify sftp connection is working passwordless from the client system to server:

sftp seimaxim-user@seimaxim-server

• At this stage, seimaxim-user from client system can ssh and sftp with entering password and have access to all directories. Now make necessary changes to chroot seimaxim-user caged to a specific directory.
• On Linux server create a new group to add chroot seimaxim-user with groupadd sftpuser
• Make a directory for chrooot seimaxim-user with mkdir /files
• Make a subdirectory for seimaxim-user that has to be chroot with mkdir /files/seimaxim-user
• Create a home directory for seimaxim-user with mkdir /files/seimaxim-user/home
• Add seimaxim-user to new group you added in previous steps which sftpuser in our case with usermod -aG sftpuser seimaxim-user
• Modify permissions of home directory /files/seimaxim-user/home of seimaxim-user with chown seimaxim-user:ftpuser /files/seimaxim-user/home
• Open /etc/ssh/sshd_config in text editor like vi and add following code:

Subsystem sftp internal-sftp -d /home
Match Group sftpuser
ChrootDirectory /files/%u

• Restart sshd service with systemctl restart sshd
• Now try to connect via ssh and as user seimaxim-user from the client system to the server. You will not be able to connect via ssh but only through sftp. Also, try connecting with sftp which will be connected to the server without any issue. This solution will allow other users to connect through ssh to the server.

• This issue occurs due to changes in the default service unit file. The changed file which is causing the error is given below;

[Service]
Type=forking
User=<USER>

# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=-/usr/bin/vncserver -kill %i
ExecStart=/usr/bin/vncserver %i
PIDFile=/home/<USER>/.vnc/%H%i.pid
ExecStop=-/usr/bin/vncserver -kill %i

• The correct file is shown below;

[Service]
Type=forking

# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/sbin/runuser -l <USER> -c "/usr/bin/vncserver %i"
PIDFile=/home/<USER>/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

• To resolve this error, apply the latest OS updates.

• On the client system, start vnc viewer with vncviewer --shared serverIP:Display
• On server-side use option --shared when starting vncserver.

You can use the following PERL script to limit VNC sessions per user.

• Create a new file name vncserver and add the following content.

# Start the VNC Server
# Maximum sessions is limited to 2 per user in server.
&vnclimit();
}
}
sub vnclimit {
$countoutput = `ps -u $ENV{USER} | grep -i Xvnc | wc -l`;
if ($countoutput >= 1) {
print "Your vncsession is $ENV{USER} user. Maximum sessions is limited to 2 per user only!\n";
print "Execute 'vncserver -list' to list the current session\n\n";
print "Contact your server admin to increase the number of sessions.\n";
exit;
}
}

• After creating the file, run it as vncserver on the command line.

When starting vncserver service on the command line you get the error  AttributeError: DBusException instance has no attribute _dbus_error_name, follow the solution How to configure virtual network computing [vncserver] in Linux CentOS Server 7 and 8?

• In Linux CentOS 7 and 8 install tigervnc-server using yum with yum install tigervnc-server tigervnc
• Install X Window System on CentOS 8 with yum group install GNOME base-x or yum groupinstall "Server with GUI".  On CentOS 7 install X Window System with yum groupinstall gnome-desktop x11 fonts or yum groupinstall "Server with GUI"
• Set the Linux server to boot directly into the graphical user interface systemctl start graphical.target
• After installing X Window System configure the VNC service by creating a VNC user account with useradd <yourusername> and set a password with passwd <yourusername>
• Login to the server and create VNC password with vncpasswd
• Create a VNC configuration file for the user <yourusername> with cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:1.service
• Edit the /etc/systemd/system/vncserver@:1.service file and replace option “USER” with VNC user <yourusername>
• Change 1 in /etc/systemd/system/vncserver@:1.service for every next VNC user. You should create one file for each user instance.
• To change color depth, resolution, and other remote desktop options, add required values in ExecStart= as ExecStart=/sbin/runuser -l testuser1 -c "/usr/bin/vncserver %i -geometry 1024x768 -depth 24"
• You must open VNC port in firewall with firewall-cmd --permanent --zone=public --add-port 5901/tcp and then reload firewall with firewall-cmd reload
• Reload configuration with sytemctl daemon-reload
• Enable the VNC service and make sure it starts at your next boot with systemctl enable vncserver@:1.service and systemctl start vncserver@:1.service
• To configure the desktop environment for VNC on the server look xstartup file in ~/.vnc/xstartup. Following is on Gnome desktop;For KDE, xstartup is

# cat ~/.vnc/xstartup

#!/bin/sh
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
vncconfig -iconic &
dbus-launch --exit-with-session gnome-session &

• For KDE, xstartup is;

# cat ~/.vnc/xstartup

#!/bin/sh
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
#vncconfig -iconic &
#dbus-launch --exit-with-session gnome-session &
startkde &

• The last step is to install vncviewer on your local PC and adding IP address::port number of the remote server with vncviewer vncserver-ipaddress::59XX or vncviewer vncserver-ipaddress::5901
• Note that 1 in 5901 will have to be changed for each instance of vncserver as in vncserver@:1.service
• For any queries, chat with us or leave a comment. We will be happy to help to troubleshoot your server.

This is a quick guide to installing VNC on Debian 9 and Kali Linux

• Login to your server as root.
• Install VNC server with apt-get install tightvncserver
• If you get the following error then you can install tightvncserver from Debian or Kali installation ISO image.

root@server:/home/user# apt install tightvncserver -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package tightvncserver is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'tightvncserver' has no installation candidate

• To install tightvnc from ISO image, Mount Debian or Kali image on /media/cdrom with mount -t iso9660 /dev/sr0 /media/cdrom -o loop

tightvnc .deb packages [tightvncserver_1.3.9-9.1_amd64.deb xtightvncviewer_1.3.9-9.1_amd64.deb] is located in /media/cdrom/pool/main/t/tightvnc

• Change directory to /media/cdrom/pool/main/t/tightvnc with cd /media/cdrom/pool/main/t/tightvnc
• Install tightvncserevr with dpkg -i tightvncserver_1.3.9-9.1_amd64.deb
• Edit xstartup in /home/youraccount/.vnc/xstartup with vi and add following code:

#!/bin/sh
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
startxfce4 &
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey &
vncconfig -iconic &

• Start vnc server by executing following command:

vncserver

• You will be prompted to enter and verify vnc password. Make sure your password is less than 8 characters else it will be truncated to 8 characters.
• After vnc password is set you will have the option to set a view-only password which is optional.
• You may kill any instance of vncserver by executing commands vncserver -kill :1
• ~/.vnc/xstartup must have executable permission set. You may set these permissions with the command chmod +x ~/.vnc/xstartup
• If you did the above steps correctly, TightVNC server is already running on your server waiting for an incoming connection.
• To connect to vnc server from your local PC, install Tight vnc viewer. Open vncviewer and enter the IP address and listening port on the server 85.19.219.89::5906
• If your vncserver is listening on port :1 then you should enter 85.19.219.89::5901

• Login to the server as root and install vsftpd with yum install vsftpd ftp -y
• Use vi editor to open /etc/vsftpd/vsftpd.conf [vi /etc/vsftpd/vsftpd.conf] and add/change following options:

anonymous_enable=NO
ascii_upload_enable=YES
ascii_download_enable=YES
use_localtime=YES

• Enable and start the vsftpd service.

systemctl enable vsftpd
systemctl start vsftpd

• Allow the ftp service and port 21 via firewall.

firewall-cmd --permanent --add-port=21/tcp
firewall-cmd --permanent --add-service=ftp

• Reload firewall

firewall-cmd --reload

If you want users to restrict to their home directories, change permissions of home directory with

chmod -R go-rx /home/userdirectory

To test FTP server from client-side:

ftp ftp.yourservername.com

After error IOError: [Errno 1] Operation not permitted: '/etc/pam.d/system-auth' , the server drops to emergency mode.

To resolve this issue, Unset the immutable bit on system-auth-ac [This is symlink to /etc/pam.d/password-auth] with chattr -i /etc/pam.d/system-auth-ac

• Use podman to create new network podman network create
• Check under /etc/cni/net.d/ you will find file /etc/cni/net.d/cni-podman-2.conflist
• In your favorite file editor open /usr/share/containers/libpod.conf
• Change line cni_default_network = "podman" in configuration file /usr/share/containers/libpod.conf to cni_default_network = "cni-podman2"
• Reboot server
• Restart container with podman start discovery dsc-db
• Check the network status.
• A new network cni-podman2 will be present with a new IP 192.168.0.1/24

The server crashes due to an invalid pointer when executing an I/O generating from the aio code. A discrepancy with how the kernel updates the tail pointer with memory-mapped aio queues can corrupt the tracking of aio I/O operations. This causes aio queues killed prematurely while I/O operations are still active.

To resolve this error, update Linux Kernel to kernel-3.10.0-1127.18.2.

Add following settings in /etc/multipath.conf

defaults {

polling_interval 5
no_path_retry 4
find_multipaths yes
checker_timeout 5
max_fds 8192
fast_io_fail_tmo 4
dev_loss_tmo 19
user_friendly_names yes
}

Reload multipath service with service multipathd reload

This article will discuss, where the Ansible configuration files are located and how Ansible selects them and how we can edit default settings.

Configuring Ansible:

The Ansible behavior can be customized by modifying settings in the Ansible configuration files. Ansible chooses its configuration file from one of many locations on the control node.

•  /etc/ansible/ansible.cfg
  This file contains the base configuration of the Ansible. It is used if no other configuration file is found.
• ~/.ansible.cfg
  This ~/.ansible.cfg configuration is used instead of the /etc/ansible/ansible.cfg because Ansible for .ansible.cfg in the home directory of the user.
• ./ansible.cfg
  If the Ansible command is executed in the directory where the ansible.cfg is also present ./ansible.cfg will be used.

Recommendations of Ansible configuration files:

Ansible recommends creating a file in the directory from where you run the ansible command.

Varibale ANSIBLE_CONFIG

To define the location of the configuration file Ansible gives you a more handy option to define the configuration file by allowing you to change the environment variable named ASNIBLE_CONFIG. If you define this ANSIBLE_CONFIG variable, Ansible uses the configuration file that the variable specifies instead of any of the previously mentioned configuration file.

Configuration File Precedence:

Due to Ansible’s capability to handle configuration from multiple locations, sometimes it makes the user confused to determine the active configuration file.

So how use can determine which file is active?

How to check which Ansible configuration file is being used?

You can run the ansible –version command to identify which version of Ansible is installed and which configuration file is used.

[ali@controller /]$ ansible --version
ansible 2.9.16
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/ali/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /usr/bin/ansible
python version = 3.6.8 (default, Aug 24 2020, 17:57:11) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
[ali@controller /]$

If you need servers to practice Ansible or Linux?

SeiMaxim is a leading Dutch web hosting company and provides resources to learn Ansible and Linux. If you want to get virtual servers to learn Ansible you can place your order and use code SE-ANSIBLE211 to rent two servers in just 18 USD.

Multiple bonding modes in a Linux operating system are given below:

• balance-alb (fault tolerance and load balancing)
• balance-tlb (fault tolerance and load balancing)
• active-backup (fault tolerance)
• broadcast (fault tolerance)
• balance-rr (fault tolerance and load balancing)
• 802.3ad (fault tolerance and load balancing)
• balance-xor (fault tolerance and load balancing)

We will use Network Manager CLI to add a bonding device to a Linux server.

• Run the nmcli command as root on SHELL nmcli con add type bond ifname mode active-backup
• Assign IP address with nmcli connection modify ipv4.addresses
• Make static IP address nmcli connection modify ipv4.method manual
• Add bond slave to bonding device with nmcli con add type bond-slave ifname master
• Add the second slave with nmcli con add type bond-slave ifname master
• check bonding configuration with nmcli connection show
• Restart server network with systemctl restart network

The error produced during the yum update

Error: failed to retrieve repodata/-primary.xml.gz
error was [Errno 14] Peer cert cannot be verified or peer cert invalid

Perform the following steps to resolve the yum error:

• check and correct the date and time of the server.
• Disable SSL verification by adding sslverify=false in /etc/yum.conf
• Delete all repos and create a new yum repository.
• Check /etc/hosts file for any false DNS resolutions of servers.

Mount NFS share on NFS clients without cache.

• First, unmount NFS share and then remount NFS share with noac and lookupcache=none

The kickstart automatic installation of the Linux operating system fails but the normal install is successful. To resolve this issue follow the steps given below:

• Add clearpart --all --drives=${devname} --initlabel in kickstart disk section. This will delete partition table of disk.
• If the above option does not resolve the issue add zerombr option above clearpart command. The zerombr option will initialize and destroy all invalid partition tables.
• If above both steps does not work than boot into rescue mode of Linux OS and use dmraid or wipefs as follows:

dmraid -r -E /dev/sda
wipefs -fa /dev/sda

• Add -w /NFS-MOUNT/ -p wa -k NFS-MOUNT line at the end of file /etc/audit/audit.rules

[root@COMPUTE ~]# cat /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
-w /NFS-MOUNT/ -p wa -k NFS-MOUNT

• Execute the following command to restart auditd service

service auditd restart

This error is resolved by upgrading the directory server base package in your Linux operating system. The issue arises because of an unindexed search. Check directory server logs for details.

In spite of /usr/lib/cups/daemon/cups-lpd denial to read access sock_file cups.sock, cups-lpd will successfully migrate print jobs received via LPD to the local CUPS server. You can either ignore this issue or create a custom SELinux policy module. The steps to create a custom SELinux policy module are listed below:

• yum -y install setools-console yum-utils policycoreutils-devel rpm-build make
• Create a file named local_cupslpd-read-cupssock.te in vi with the following contents.

module local_cupslpd-read-cupssock 1.0;

require {
type cupsd_var_run_t;
type cupsd_lpd_t;
class sock_file read;
}

#============= cupsd_lpd_t ==============
allow cupsd_lpd_t cupsd_var_run_t:sock_file read;

• Compile the SELinux policy module with make -f /usr/share/selinux/devel/Makefile local_cupslpd-read-cupssock.pp
• Install the policy module with semodule -i local_cupslpd-read-cupssock.pp

• If attackers request using your CGI script open an outgoing network connection than this can be redirected to attackers controlled proxy. This can lead to denial of service and potentially occurs while using httpd mod_cgi
• This issue can be resolved via mod_header in httpd configuration.

RequestHeader unset Proxy early

IPv6 requires ICMPv6 neighbour solicitation and neighbour advertisement packets to create IPv6 connectivity. These packets are used to resolve IPv6 addresses to link-layer (ethernet).

• Add new icmptypes for neighbour solicitation and neighbour advertisement

firewall-cmd --permanent --new-icmptype=neighbour-solicitation

firewall-cmd --permanent --new-icmptype=neighbour-advertisement

• Remove destination IPv4

firewall-cmd --permanent --icmptype=neighbour-solicitation --remove-destination=ipv4

firewall-cmd --permanent --icmptype=neighbour-advertisement --remove-destination=ipv4

• Attach icmptypes to the –zone=drop list of –add-icmp-block

firewall-cmd --permanent --zone=drop --add-icmp-block=neighbour-solicitation

firewall-cmd --permanent --zone=drop --add-icmp-block=neighbour-advertisement

• Invert the icmptype block.

firewall-cmd --permanent --zone=drop --add-icmp-block-inversion

Confirm icmp-block-inversion from output of following command.

firewall-cmd --permanent --list-all --zone=drop

[500 OOPS: child died] is a permanent negative error reply, whereas [421 Timeout] is a temporary negative error reply.

• Downgrade vsftpd to a lower version to resolve this issue.

Check vsftpd man pages for details on Transient Negative Completion reply and Permanent Negative Completion reply.