Securing and optimizing linux: RedHat edition

Table of Contents:

Chapter 1 Introduction to Linux
Chapter 2 Installation of your Linux Server
Chapter 3 General System Security
Chapter 4 General System Optimization
Chapter 5 Configuring and Building a secure, optimized Kernel
Chapter 6 TCP/IP Network Management
Chapter 7 Networking Firewall
Chapter 8 Networking Firewall with Masquerading and Forwarding support
Chapter 9 Compiler Functionality
Chapter 10 Securities Software (Monitoring Tools)
Chapter 11 Securities Software (Network Services)
Chapter 12 Securities Software (System Integrity)
Chapter 13 Securities Software (Management & Limitation)
Chapter 14 Server Software (BIND/DNS Network Services)
Chapter 15 Server Software (Mail Network Services)
Chapter 16 Server Software (Encrypting Network Services)
Chapter 17 Server Software (Database Network Services)
Chapter 18 Server Software (Proxy Network Services)
Chapter 19 Server Software (Web Network Services)
Chapter 20 Optional components to install with Apache
Chapter 21 Server Software (File Sharing Network Services)
Chapter 22 Backup and restore procedures

Making backups with tar

With six tapes you can make backups every day. The procedure is to use tape 1 for the first full backup (Friday 1), and tapes 2 to 5 for the incremental backups (Monday through Thursday). Then you make a new full backup on tape 6 (second Friday), and start doing incremental ones with tapes 2 to 5 again. It is important to keep tape 1 in its state until you have a new full backup on tape 6.

In the example below, we assume that we write the backup to a SCSI tape drive named (/dev/st0), and we back up the home directory (/home) of our system.

First of all, we must move to the “/” root file system. When creating an archive file, “tar” strips leading “/” (slash) characters from file path names. This means that restored files may not end up in the same locations they were backed up from. To avoid the problem, change to the “/” root directory before making all backups and restorations.

• To move to the “/” root directory, use the command:

[root@deep]# cd /

It is important to always start with a full backup (say, on a Friday), for example:

• Friday 1, (use tape 1 for the first full backup).

[root@deep /]# cd /
[root@deep /]# tar cpf /dev/st0 --label="full-backup created on `date '+%d-%B-%Y'`." \
    --directory / home

• Monday, (use tape 2 for the incremental backups).

[root@deep /]# cd /
[root@deep /]# tar cpf /dev/st0 --newer="DATE" \
    --label="full-backup created on `date '+%d-%B-%Y'`." \
    --directory / home

• Tuesday, (use tape 3 for the incremental backups).

[root@deep /]# cd /
[root@deep /]# tar cpf /dev/st0 --newer="DATE" \
    --label="full-backup created on `date '+%d-%B-%Y'`." \
    --directory / home

• Wednesday, (use tape 4 for the incremental backups).

[root@deep /]# cd /
[root@deep /]# tar cpf /dev/st0 --newer="DATE" \
    --label="full-backup created on `date '+%d-%B-%Y'`." \
    --directory / home

• Thursday, (use tape 5 for the incremental backups).
[root@deep /]# cd /
[root@deep /]# tar cpf /dev/st0 --newer="DATE" \
    --label="full-backup created on `date '+%d-%B-%Y'`." \
    --directory / home

• Friday 2, (use tape 6 for the new full backup).

[root@deep /]# cd /
[root@deep /]# tar cpf /dev/st0 --label="full-backup created on `date '+%d-%B-%Y'`." \
    --directory / home

• Now, start doing incremental ones with tapes 2 to 5 again, and so on.

The “c” option specifies that an archive file is being created. The “p” option preserves permissions; file protection information will be “remembered”. The “--newer” (“-N”) option does an incremental backup and only stores files newer than DATE; for the incremental tapes above, DATE is the date of the last full backup, as written in that tape's label. The “f” option states that the very next argument will be the name of the archive file or device being written.

Backup and Restore Procedures 2 CHAPTER 2 Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing 463

Notice how the label, which contains the current date, is derived simply by enclosing the “date” command between two back-quote characters. A common naming convention is to add a “tar” suffix for non-compressed archives, and a “tar.gz” suffix for compressed ones. Since we are not able to specify a filename for the backup set, the “--label” option can be used to write some information about the backup set into the archive file itself. Finally, only the files contained in “/home” are written to the tape.

Because the tape drive is a character device, it is not possible to specify an actual file name. Therefore, the file name used as an argument to tar is simply the name of the device, “/dev/st0”, the first tape device. The “/dev/nst0” device does not rewind after the backup set is written; therefore, it is possible to write multiple sets on one tape. You may also refer to the device as “/dev/st0”, in which case the tape is automatically rewound after the backup set is written.
When working with tapes you can use the following commands to rewind and eject your tape:

[root@deep /]# mt -f /dev/st0 rewind
[root@deep /]# mt -f /dev/st0 offline

Caution: To reduce the space needed for a tar archive, the backups can be compressed with the “z” option of the tar program. Unfortunately, using this option to compress backups can cause trouble. Due to the nature of how compression works, if a single bit in the compressed backup is wrong, all the rest of the compressed data will be lost. It is recommended NOT to use compression (the “z” option) to make backups with the tar command.

• If your backup doesn't fit on one tape, you’ll need to use the --multi-volume (-M) option:

[root@deep /]# cd /
[root@deep /]# tar cMpf /dev/st0 /home
Prepare volume #2 for /dev/st0 and hit return:

• After you have made a backup, you should check that it is OK, using the --compare (-d) option as shown below:

[root@deep /]# cd /
[root@deep /]# tar dvf /dev/st0

• To perform a backup of your entire system, use the following command:

[root@deep /]# cd /
[root@deep /]# tar cpf /archive/full-backup-`date '+%d-%B-%Y'`.tar \
    --directory / --exclude=proc --exclude=mnt --exclude=archive \
    --exclude=cache --exclude='*/lost+found' .

The “--directory” option tells tar to first switch to the following directory path (the “/” directory in this example) prior to starting the backup. The “--exclude” options tell tar not to bother backing up the specified directories or files (the lost+found pattern is quoted so the shell does not expand it before tar sees it). Finally, the “.” character at the end of the command tells tar that it should back up everything in the current directory.

Caution: When backing up your file systems, do not include the “/proc” pseudo-file-system! The files in “/proc” are not actually files but are simply file-like links which describe and point to kernel data structures. Also, do not include the “/mnt”, “/archive”, and all “lost+found” directories.

Automating tasks of backups made with tar

It is always interesting to automate the tasks of a backup.
Automation offers enormous opportunities for using your Linux server to achieve the goals you set. The following example is our backup script, named “backup.cron”. This script is designed to run on any computer by changing only the four variables: COMPUTER, DIRECTORIES, BACKUPDIR, and TIMEDIR. We suggest that you set this script up and run it at the beginning of the month for the first time, and then run it for a month before making major changes. In our example below we do the backup to a directory on the local server (BACKUPDIR), but you could modify this script to do it to a tape on the local server or via an NFS mounted file system.

Step 1
Create the backup script backup.cron file (touch /etc/cron.daily/backup.cron) and add the following lines to this backup file:

#!/bin/sh
# full and incremental backup script
# created 07 February 2000
# Based on a script by Daniel O'Callaghan
# and modified by Gerhard Mourani

# Change the 5 variables below to fit your computer/backup
COMPUTER=deep                     # name of this computer
DIRECTORIES="/home"               # directories to backup
BACKUPDIR=/backups                # where to store the backups
TIMEDIR=/backups/last-full        # where to store time of full backup
TAR=/bin/tar                      # name and location of tar

# You should not have to change anything below here

PATH=/usr/local/bin:/usr/bin:/bin
DOW=`date +%a`                    # Day of the week e.g. Mon
DOM=`date +%d`                    # Date of the Month e.g. 27
DM=`date +%d%b`                   # Date and Month e.g. 27Sep

# On the 1st of the month a permanent full backup is made
# Every Sunday a full backup is made - overwriting last Sunday's backup
# The rest of the time an incremental backup is made. Each incremental
# backup overwrites last week's incremental backup of the same name.
#
# if NEWER = "", then tar backs up all files in the directories
# otherwise it backs up files newer than the NEWER date. NEWER
# gets its date from the file written every Sunday.

# Monthly full backup
if [ $DOM = "01" ]; then
        NEWER=""
        $TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DM.tar $DIRECTORIES
fi

# Weekly full backup
if [ $DOW = "Sun" ]; then
        NEWER=""
        NOW=`date +%d-%b`

        # Update full backup date
        echo $NOW > $TIMEDIR/$COMPUTER-full-date
        $TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DOW.tar $DIRECTORIES

# Make incremental backup - overwrite last week's
else

        # Get date of last full backup
        NEWER="--newer `cat $TIMEDIR/$COMPUTER-full-date`"
        $TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DOW.tar $DIRECTORIES
fi

Here is an abbreviated look at the backup directory after one week:

[root@deep /]# ls -l /backups/
total 22217
-rw-r--r--   1 root     root     10731288 Feb  7 11:24 deep-01Feb.tar
-rw-r--r--   1 root     root         6879 Feb  7 11:24 deep-Fri.tar
-rw-r--r--   1 root     root         2831 Feb  7 11:24 deep-Mon.tar
-rw-r--r--   1 root     root         7924 Feb  7 11:25 deep-Sat.tar
-rw-r--r--   1 root     root     11923013 Feb  7 11:24 deep-Sun.tar
-rw-r--r--   1 root     root         5643 Feb  7 11:25 deep-Thu.tar
-rw-r--r--   1 root     root         3152 Feb  7 11:25 deep-Tue.tar
-rw-r--r--   1 root     root         4567 Feb  7 11:25 deep-Wed.tar
drwxr-xr-x   2 root     root         1024 Feb  7 11:20 last-full

NOTE: The directory where to store the backups (BACKUPDIR), and the directory where to store the time of the full backup (TIMEDIR), must exist or be created before the use of the backup script, or you will receive an error message.

Step 2
If you are not running this backup script from the beginning of the month (01-month-year), the incremental backups will need the time of the Sunday backup to be able to work properly. If you start in the middle of the week, you will need to create the time file in the TIMEDIR.
• To create the time file in the TIMEDIR directory, use the following command:

[root@deep /]# date +%d-%b > /backups/last-full/myserver-full-date

Where “/backups/last-full” is our variable TIMEDIR wherein we want to store the time of the full backup, “myserver” is the name of our server (e.g., deep), and our time file consists of a single line with the present date (i.e. 15-Feb), in the same format the script writes every Sunday.

Step 3
Make this script executable and change its default permissions to be writable only by the super-user “root” (755).

[root@deep /]# chmod 755 /etc/cron.daily/backup.cron

NOTE: Because this script is in the “/etc/cron.daily” directory, it will be automatically run as a cron job at one o'clock in the morning every day.

Restoring files with tar

More important than performing regular backups is having them available when we need to recover important files! In this section, we will discuss methods for restoring files which have been backed up with the “tar” command.

The following command will restore all files from the “full-backup-Day-Month-Year.tar” archive, which is an example backup of our “home” directory created with the example tar commands shown above.

• To restore a full backup of the “home” directory, use the following command:

[root@deep /]# cd /
[root@deep /]# tar xpf /archive/full-backup-Day-Month-Year.tar

The above command extracts all files contained in the archive, preserving original file ownership and permissions. The “x” option stands for extract. The “p” option preserves permissions; file protection information will be “remembered”. The “f” option states that the very next argument will be the name of the archive file or device.
If you do not need to restore all the files contained in the archive, you can specify one or more files that you wish to restore:

• To specify one or more files that you wish to restore, use the following command:

[root@deep]# cd /
[root@deep]# tar xpf /archive/full-backup-Day-Month-Year.tar \
    home/wahib/Personal/Contents.doc home/quota.user

The above command restores the “/home/wahib/Personal/Contents.doc” and “/home/quota.user” files from the archive.

• If you just want to see what files are in the backup volume, use the --list (-t) option:

[root@deep /]# tar tf /dev/st0

Caution: If you have files on your system set with the immutable bit, using the “chattr” command, these files will not be restored with the immutable bit from your backup. You must set them immutable again with the “chattr +i” command after the restore is completed.

Test the ability to recover from backups

For many system administrators, recovering a file from a backup is an uncommon activity. This step assures that if you need to recover a file, the tools and processes will work. Performing this test periodically will help you to discover problems with the backup procedures so you can correct them before losing data. Some backup restoration software does not accurately recover the correct file protection and file ownership controls. Check the attributes of restored files to ensure they are being set correctly. Periodically test to ensure that you can perform a full system recovery from your backups.

Further documentation

For more details, there is a man page you can read:

tar (1) - The GNU version of the tar archiving utility

The dump backup program

Description
Dump is completely different from tar; it is a program for backing up and restoring file systems. It backs up the entire file system, not the files. Dump does not care what file system is on the hard drive, or even if there are files in the file system.
It examines files on an ext2 file system, determines which ones need to be backed up, and copies those files to a specified disk, tape, file or other storage medium. It dumps one file system at a time quickly and efficiently. Unfortunately, it does not do individual directories, and so it eats up a great deal more storage space than tar. It is also written specifically for backups. The restore command performs the inverse function of dump; it can restore a full backup of a file system. Subsequent incremental backups can then be layered on top of the full backup. Single files and directory sub-trees may also be restored from full or partial backups. You can use dump if you need a procedure for both backing up file systems and restoring file systems after backups.

The dump levels

Dump has several levels of backup procedures. The levels range from 0 to 9, where level number 0 means a full backup and guarantees the entire file system is copied. A level number above 0, an incremental backup, tells dump to copy all files new or modified since the last dump of the same or lower level. To be more precise, at each incremental backup level you back up everything that has changed since the previous backup at the same or a previous level.

What are the advantages and the reasons to create and use several levels to make a backup? I try to explain it with the following schema, for the level sequence 0 3 2 5 4 7 6 9 8 9:

0 means a full backup.
3 means copy all files new or modified since level 0, and 3.
2 means copy all files new or modified since level 0, and 2.
5 means copy all files new or modified since level 0, 3, and 5.
4 means copy all files new or modified since level 0, 3, and 4.
7 means copy all files new or modified since level 0, 3, 4, and 7.
6 means copy all files new or modified since level 0, 3, 4, and 6.
9 means copy all files new or modified since level 0, 3, 4, 6, and 9.
8 means copy all files new or modified since level 0, 3, 4, 6, and 8.
9 means copy all files new or modified since level 0, 3, 4, 6, 8, and 9.

The advantages and reasons for doing this are that with multiple levels, the backup history can be extended more cheaply. A longer backup history is useful, since deleted or corrupted files are often not noticed for a long time. Even a version of a file that is not very up to date is better than no file at all. Also, backup levels are used to keep both the backup and restore times to a minimum (low).

The dump manual page suggests a good scheme to take full advantage of backup levels: 3, 2, 5, 4, 7, 6, 9, 8, 9, etc., as described by the table below. The most you have to back up is two days' worth of work. The number of tapes for a restore depends on how long you keep between full backups.

Tape   Level   Backup (days)   Restore tapes
1      0       n/a             1
2      3       1               1, 2
3      2       2               1, 3
4      5       1               1, 2, 4
5      4       2               1, 2, 5
6      7       1               1, 2, 5, 6
7      6       2               1, 2, 5, 7
8      9       1               1, 2, 5, 7, 8
9      8       2               1, 2, 5, 7, 9
10     9       1               1, 2, 5, 7, 9, 10

Making backups with dump

It is interesting to use the dump backup program if you want to take advantage of its several levels of backup procedures. Below, I show you a procedure to have a longer backup history, and to keep both the backup and restore times to a minimum.

In the following example, we assume that we write the backup to a tape drive named (/dev/st0) and we back up the home directory (/home) of our system. It is important to always start with a level 0 backup, for example:

• Friday 1, (use tape 1 for the first full backup).
[root@deep /]# dump -0u -f /dev/st0 /home
  DUMP: Date of this level 0 dump: Fri Jan 28 21:25:12 2000
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/sda6 (/home) to /dev/st0
  DUMP: mapping (Pass I) [regular files]
  DUMP: mapping (Pass II) [directories]
  DUMP: estimated 18582 tape blocks on 0.48 tape(s).
  DUMP: Volume 1 started at: Fri Jan 28 21:25:14 2000
  DUMP: dumping (Pass III) [directories]
  DUMP: dumping (Pass IV) [regular files]
  DUMP: DUMP: 18580 tape blocks on 1 volumes(s)
  DUMP: finished in 4 seconds, throughput 4645 KBytes/sec
  DUMP: Volume 1 completed at: Fri Jan 28 21:25:18 2000
  DUMP: Volume 1 took 0:00:04
  DUMP: Volume 1 transfer rate: 4645 KB/s
  DUMP: level 0 dump on Fri Jan 28 21:25:12 2000
  DUMP: DUMP: Date of this level 0 dump: Fri Jan 28 21:25:12 2000
  DUMP: DUMP: Date this dump completed: Fri Jan 28 21:25:18 2000
  DUMP: DUMP: Average transfer rate: 4645 KB/s
  DUMP: Closing /dev/st0
  DUMP: DUMP IS DONE

• Monday, (use tape 2 for the incremental backups).

[root@deep /]# dump -3u -f /dev/st0 /home

• Tuesday, (use tape 3 for the incremental backups).

[root@deep /]# dump -2u -f /dev/st0 /home

• Wednesday, (use tape 4 for the incremental backups).

[root@deep /]# dump -5u -f /dev/st0 /home

• Thursday, (use tape 5 for the incremental backups).

[root@deep /]# dump -4u -f /dev/st0 /home

• Friday 2, (use tape 6 for the incremental backups).

[root@deep /]# dump -7u -f /dev/st0 /home

• Monday, (use tape 2 for the incremental backups).

[root@deep /]# dump -3u -f /dev/st0 /home

• Tuesday, (use tape 3 for the incremental backups).

[root@deep /]# dump -2u -f /dev/st0 /home

• Wednesday, (use tape 4 for the incremental backups).

[root@deep /]# dump -5u -f /dev/st0 /home

• Thursday, (use tape 5 for the incremental backups).

[root@deep /]# dump -4u -f /dev/st0 /home

• Friday 3, (use tape 7 for the incremental backups).
[root@deep /]# dump -6u -f /dev/st0 /home

• Monday, (use tape 2 for the incremental backups).

[root@deep /]# dump -3u -f /dev/st0 /home

• Tuesday, (use tape 3 for the incremental backups).

[root@deep /]# dump -2u -f /dev/st0 /home

• Wednesday, (use tape 4 for the incremental backups).

[root@deep /]# dump -5u -f /dev/st0 /home

• Thursday, (use tape 5 for the incremental backups).

[root@deep /]# dump -4u -f /dev/st0 /home

• Friday 4, (use tape 8 for the incremental backups, only if there are five Fridays in the month).

[root@deep /]# dump -9u -f /dev/st0 /home

• Monday, (use tape 2 for the incremental backups, only if there are five Fridays in the month).

[root@deep /]# dump -3u -f /dev/st0 /home

• Tuesday, (use tape 3 for the incremental backups, only if there are five Fridays in the month).

[root@deep /]# dump -2u -f /dev/st0 /home

• Wednesday, (use tape 4 for the incremental backups, only if there are five Fridays in the month).

[root@deep /]# dump -5u -f /dev/st0 /home

• Thursday, (use tape 5 for the incremental backups, only if there are five Fridays in the month).

[root@deep /]# dump -4u -f /dev/st0 /home

• Month, (use another tape for a new full backup when the month changes).

[root@deep /]# dump -0u -f /dev/st0 /home

Where “-0” to “-9” is the backup level option you want to use, the “u” option means to update the file “/etc/dumpdates” after a successful dump, and the “-f” option tells dump to write the backup to the given file; the file may be a special device file like “/dev/st0” (a tape drive), “/dev/rsd1c” (a disk drive), an ordinary file, or “-” (the standard output). Finally, you must specify what you want to back up. In our example, it is the “/home” directory (/home).
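The restore chain for any tape follows from the rule stated above (each incremental holds everything changed since the most recent dump at the same or a lower level). The following shell script is an added example, not part of the book, that derives the "Backup (days)" and "Restore tapes" columns for any level sequence, using the chapter's 0 3 2 5 4 7 6 9 8 9 schedule by default; note that the chain it derives for tape 4 is 1, 3, 4, because tape 2 (level 3) is superseded by tape 3 (level 2).

```shell
#!/bin/sh
# Added example (not from the book): derive the restore chain and the span of
# each dump in a level schedule. Rule: a level-N dump holds everything changed
# since the most recent earlier dump at level N or lower; a restore replays
# the last level 0 and then each later dump at a strictly lower level than the
# one before it, working back from the target tape.

# One tape per day, tape 1 first (assumed: the schedule in the chapter's table).
LEVELS="0 3 2 5 4 7 6 9 8 9"

# level_of N: print the dump level recorded on tape N (1-based) from $LEVELS.
level_of() {
    n=$1
    set -- $LEVELS
    eval "echo \"\${$n}\""
}

# backup_days N: days of changes captured on tape N, i.e. the distance back to
# the most recent earlier tape whose level is the same or lower.
backup_days() {
    n=$1
    lvl=$(level_of "$n")
    if [ "$lvl" -eq 0 ]; then echo "n/a"; return; fi
    i=$n
    while [ "$i" -gt 1 ]; do
        i=$((i - 1))
        if [ "$(level_of "$i")" -le "$lvl" ]; then
            echo $((n - i))
            return
        fi
    done
    echo "n/a"   # no earlier lower-level dump: the tape is not usable alone
}

# restore_chain N: tapes, in restore order, needed to rebuild the file system
# as it was when tape N was written (tape N plus its chain of lower levels).
restore_chain() {
    n=$1
    chain=$n
    lvl=$(level_of "$n")
    i=$n
    while [ "$lvl" -gt 0 ] && [ "$i" -gt 1 ]; do
        i=$((i - 1))
        l=$(level_of "$i")
        if [ "$l" -lt "$lvl" ]; then
            chain="$i, $chain"
            lvl=$l
        fi
    done
    echo "$chain"
}

# print_table: the table for the configured schedule, one line per tape.
print_table() {
    printf '%-5s %-6s %-14s %s\n' Tape Level "Backup (days)" "Restore tapes"
    set -- $LEVELS
    t=1
    while [ "$t" -le $# ]; do
        printf '%-5s %-6s %-14s %s\n' "$t" "$(level_of "$t")" \
            "$(backup_days "$t")" "$(restore_chain "$t")"
        t=$((t + 1))
    done
}

print_table
```

Setting LEVELS to "0 1 1 1 1" before calling the functions shows the classic daily-level-1 scheme, where every restore needs exactly two tapes but each incremental grows all week.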
You can see that we use the same tapes 2 to 5 for daily backups (Monday to Thursday = 4 tapes), tapes 6, 7, and 8 for weekly backups (other Fridays, 6 + 7 + 8 = 3 tapes; note that there can be five Fridays in one month) and tape 1 and any subsequent new one for monthly backups (first Friday of each month, 1 + any subsequent “11 months” = 12 tapes). In conclusion, if we use 8 tapes (4 + 3 + 1 = 8), we can have a full backup for one month and repeat the procedure with the 8 tapes to get our subsequent 11 months to come, for a total of one year of individual full backups.

The full backup should be done at set intervals, say once a month, and on a set of fresh tapes that are saved forever. With this kind of procedure, you will have 12 tapes for 12 months that hold the history and changes of your system for one year. Afterwards, you can copy the 12 tape backups onto a different computer designated to keep all yearly backups for a long time, and be able to reuse them (12 tapes) to repeat the procedure for a new year.

Restoring files with dump

The restore command performs the inverse function of dump(8). It restores files or file systems from backups made with dump. A full backup of a file system may be restored, and subsequent incremental backups layered on top of it. Single files and directory sub-trees may be restored from full, or partial, backups. You have a number of possible commands and options to restore backed up data with the dump program. Below, we show you a procedure that uses the full potential of the restore program with the most options possible. It is also done in interactive mode. In an interactive restoration of files from a dump, the restore program provides a shell-like interface that allows the user to move around the directory tree selecting files to be extracted, after reading in the directory information from the dump.
The following is what we will see if we try to restore our “/home” directory. First of all, we must move to the partition file system where we want to restore our backup. This is required, since the interactive mode of the restore program restores our backups into the current partition file system, from which we have executed the restore command.

• To move to the partition file system we want to restore (the “/home” directory in our case), use the following command:

[root@deep /]# cd /home

• To restore files from a dump in interactive mode, use the following command:

[root@deep /home]# restore -i -f /dev/st0
restore >

A prompt will appear in your terminal. To list the current, or specified, directory, use the “ls” command as shown below:

restore > ls
.:
admin/   lost+found/   named/   quota.group   quota.user   wahib/

restore >

To change the current working directory to the specified one, use the “cd” command (in our example, we change to the wahib directory) as shown below:

restore > cd wahib
restore > ls
./wahib:
.Xdefaults   .bash_logout   .bashrc   .bash_history   .bash_profile   Personal/

restore >

To add the current directory or file to the list of files to be extracted, use the “add” command (if a directory is specified, then it and all its descendants are added to the extraction list) as shown below:

restore > add Personal/
restore >

Files that are on the extraction list are prepended with a “*” when they are listed by the “ls” command:

restore > ls
./wahib:
.Xdefaults   .bash_logout   .bashrc   .bash_history   .bash_profile   *Personal/

To delete the current directory or specified argument from the list of files to be extracted, use the “delete” command (if a directory is specified, then it and all its descendants are deleted from the extraction list) as shown below:

NOTE: The most expedient way to extract most of the files from a directory is to add the directory to the extraction list and then delete those files that are not needed.

restore > cd Personal/
restore > ls
./wahib/Personal:
*Ad?le_Nakad.doc   *Overview.doc   *BIMCOR/   *Resume/   *My Webs/   *SAMS/
*Contents.doc      *Templates/     *Divers.doc   *bruno universite.doc   *Linux/   *My Pictures/

restore > delete Resume/
restore > ls
./wahib/Personal:
*Ad?le_Nakad.doc   *Overview.doc   *BIMCOR/   Resume/   *My Webs/   *SAMS/
*Contents.doc      *Templates/     *Divers.doc   *bruno universite.doc   *Linux/   *My Pictures/

To extract all files in the extraction list from the dump, use the “extract” command (restore will ask which volume the user wishes to mount; the fastest way to extract a few files is to start with the last volume and work towards the first volume) as shown below:

restore > extract
You have not read any tapes yet.
Unless you know which volume your file(s) are on you should start
with the last volume and work towards the first.
Specify next volume #: 1
set owner/mode for '.'? [yn] y

To exit from the interactive restore mode after you have finished extracting your directories or files, use the “quit” command as shown below.

/sbin/restore > quit

NOTE: Other methods of restoration exist with the dump program; consult the man page of dump for more information.

Further documentation

For more details, there are man pages you can read:

$ man dump (8) - ext2 filesystem backup
$ man restore (8) - "restore files or file systems from backups made with dump"

Backing up and restoring over the network

Backups allow you to restore the availability and integrity of information resources following security breaches and accidents. Without a backup, you may be unable to restore a computer's data after system failures and security breaches. It is important to develop a plan that is broad enough to cover all the servers you plan to deploy.
We must determine what categories of files will be backed up. For example, you may choose to back up only user data files (i.e. /home) because damaged system files should be reloaded from the original distribution media. There are common technological approaches to file backups. For network servers, an authoritative version of the informational content of the server is created and maintained on a secure machine that is backed up. If the server is compromised and its content damaged, it can be reloaded from the secure system maintaining the authoritative version. This approach is typically used for public servers, such as Web servers, because the content changes at more predictable intervals.

It is important to ensure that backups are performed in a secure manner and that the contents of the backups remain secure. We recommend that the plan specify that:

• The source data is encrypted before being transmitted to the storage medium.
• The data remains encrypted on the backup storage media.
• The storage media are kept in a physically secure facility that is protected from man-made and natural disasters.

Transfer your backup in a secure manner over the network

In the previous sections, we have shown you how to make a backup onto both a tape and files from the same system where you execute the backup procedure, with utilities like tar and dump. These programs (tar and dump) are capable of making backups over the network as well. To be able to back up over the network you must ensure that the packages named “rmt” and “rsh” are installed on your system. The “rmt” utility provides remote access to tape devices for programs like dump and tar. To complement this, the “rsh” package contains a set of programs which allow users to run commands on remote machines, log in to other machines and copy files between machines (rsh, rlogin and rcp are this set of programs).
Since “rsh” can be easily hacked, and “rmt” depends on “rsh” to be able to work, we have chosen not to install them in our setup installation (see Chapter 2, “Installation of your Linux Server” for more information) for security reasons. Therefore, we must find another way to make backups over the network in a secure manner. SSH technology is the solution for our problem (see Chapter 11, Securities Software and Network Securities) because it also has the ability to copy data across the network with its “scp” command, through encryption. The following is a method that permits us to use the potential of SSH software to transfer our backups made with tar or dump in a secure manner via the “scp” SSH utility.

Using the scp SSH command to transfer backups over the network

The “scp” command copies files between hosts on a network. It uses SSH for data transfer, and uses the same authentication, and provides the same security, as SSH. Unlike the “rcp” utility that comes with the package “rsh”, “scp” will ask for passwords or passphrases. In our example below, we transfer a backup file made with the tar archive program; the procedure to transfer a backup file or tape made with the dump program is the same.

• To use scp to copy a backup tape or file to a remote secure system, use the command:

[admin@deep /]# scp <dir/for/file> <user@host:/dir/for/file>

Where <dir/for/file> is the directory where your backup file resides on your local server, and <user@host:/dir/for/file> represents, in order, the username (user) of the person on the remote site that will hold the backup file, the hostname (host) of the remote host where you want to send the backup file, and the remote directory of this host where you want to place the transferred backup file.
A real example will look like this:

[admin@deep /]# scp -Cp /backups/deep-01Feb.tar admin@backupserver:/archive/deep/deep-01Feb.tar
admin@backupserver's password:
deep-01Feb.tgz | 10479 KB | 154.1 kB/s | ETA: 00:00:00 | 100%

NOTE: The “C” option enables compression for fast data transfer over the encrypted session; the “p” option indicates that the modification and access times as well as modes of the source file should be preserved on the copy. This is usually desirable. It is important to note that the “dir/for/file” directory on the remote host (“/archive/deep” in our example) must be owned by the “username” you specify in your scp command (“admin” is this username in our example) or you may receive an error message like: scp: /archive/deep/deep-01Feb.tar: Permission denied.

• To use scp to copy a remote tape or file to the local system, use the command:

[admin@deep /]# scp <user@host:/dir/for/file> <localdir/to/filelocation>

Where <user@host:/dir/for/file> represents, in order, the username (user) of the person on the remote site that holds the backup file, the hostname (host) of the remote host where you want to get the backup file, and the remote directory of this host where the backup file is kept, and <localdir/to/filelocation> is the local directory on your system where you want to place the backup file that you get from the remote host.

A real example would look like this:

[admin@deep /]# scp -Cp admin@backupserver:/archive/deep/deep-01Feb.tar /backups
admin@backupserver's password:
deep-01Feb.tgz | 10479 KB | 154.1 kB/s | ETA: 00:00:00 | 100%

NOTE: It is important to note that the “localdir/to/filelocation” directory on the local host (“/backups” in our example) must be owned by the “username” you specify in your scp command (“admin” is this username in our example) or you may receive an error message like: /backups/deep-01Feb.tar: Permission denied.
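As an added example that is not from the book, the script below puts the chapter's advice together: an uncompressed tar archive of a directory made relative to its parent (as with "--directory / home"), a SHA-256 digest recorded beside it, and transfer of both with scp -Cp followed by a digest check on the remote side over ssh, so a truncated or altered copy is noticed before the local archive is discarded. It assumes sha256sum (or shasum) locally and sha256sum on the remote host; the destination (e.g. admin@backupserver:/archive/deep) is read from the BACKUP_DEST variable, and the transfer step is skipped when it is unset so the local steps can be tried offline.

```shell
#!/bin/sh
# Added example (not from the book): build a tar backup, record its digest,
# ship archive and digest with scp -Cp, and verify the copy on the remote host.
set -u

# make_archive SRCDIR ARCHIVE: archive SRCDIR relative to its parent directory
# (tar -C is the same as the book's --directory), without compression, so a
# single damaged block cannot take the rest of the archive with it.
make_archive() {
    src=$1; archive=$2
    parent=$(dirname "$src"); base=$(basename "$src")
    tar -cpf "$archive" -C "$parent" "$base"
}

# digest_file FILE: print the SHA-256 hex digest of FILE (assumes sha256sum,
# with shasum as a fallback).
digest_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# write_digest ARCHIVE: store "<digest>  <basename>" in ARCHIVE.sha256, the
# line format "sha256sum -c" reads, so the check works wherever the pair lands.
write_digest() {
    printf '%s  %s\n' "$(digest_file "$1")" "$(basename "$1")" > "$1.sha256"
}

# check_digest ARCHIVE: return 0 if ARCHIVE still matches ARCHIVE.sha256 and
# tar can read its member list, 1 otherwise.
check_digest() {
    recorded=$(cut -d' ' -f1 "$1.sha256") || return 1
    [ "$recorded" = "$(digest_file "$1")" ] || return 1
    tar -tf "$1" >/dev/null 2>&1
}

# ship_archive ARCHIVE USER@HOST:DIR: copy archive and digest with scp -Cp,
# then have the remote side re-check the digest before we trust the copy
# (assumes sha256sum is installed there).
ship_archive() {
    archive=$1; dest=$2
    host=${dest%%:*}; dir=${dest#*:}
    scp -Cp "$archive" "$archive.sha256" "$dest/" || return 1
    ssh "$host" "cd '$dir' && sha256sum -c '$(basename "$archive").sha256'"
}

# Demo on a constructed directory standing in for /home in the book's example.
work=$(mktemp -d)
mkdir -p "$work/home/wahib"
echo "constructed sample file" > "$work/home/wahib/notes.txt"
make_archive "$work/home" "$work/deep-home.tar"
write_digest "$work/deep-home.tar"
if check_digest "$work/deep-home.tar"; then
    echo "archive verified: $(cat "$work/deep-home.tar.sha256")"
fi
if [ -n "${BACKUP_DEST:-}" ]; then   # e.g. admin@backupserver:/archive/deep
    ship_archive "$work/deep-home.tar" "$BACKUP_DEST"
fi
rm -rf "$work"
```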
Alternatives to tar and dump backups

AMANDA
AMANDA Homepage:

BRU
BRU Homepage:

Part VI Appendixes

In this part
Appendix A. Tweaks, Tips and Administration tasks
Appendix B. Obtaining Requests for Comments (RFCs)

Appendix A
Tweaks, Tips and Administration tasks

Some of the tips in this section are specific to Linux systems. Most are applicable to UNIX systems in general.

1.0 The “du” utility command
You can use the "du" utility to estimate file space usage. For example, to determine in megabytes the sizes of the "/var/log/" and "/home/" directory trees, type the following command:
[root@deep /]# du -sh /var/log /home
3.5M /var/log
350M /home
Keep in mind that the above command reports the disk space actually allocated to your data, which can differ from the file sizes "ls" shows. Now that you know, for example, that “/home” is using 350M, you can move into it and run "du -sh *" to locate where the largest files are.
[root@deep /]# cd /home/
[root@deep /home]# du -sh *
343M admin
11k ftp
6.8M httpd
12k lost+found
6.0k named
6.0k smbclient
6.0k test
8.0k www

NOTE: You can add this command to your crontab so that every day you get emailed the desired disk space list, and you'll be able to monitor it without logging in constantly.
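As an added example (not from the book), the script below turns the two du commands into a report suitable for the cron job mentioned in the NOTE: it prints the largest entries under a directory, sorted largest first, using du -k so that the sizes sort numerically (the "M" and "k" suffixes of -h cannot be sorted), and stays on one filesystem so a share mounted under the directory does not distort the result. The script name and the crontab line in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): a disk-usage report meant for cron.
# "du -sh" output cannot be sorted numerically, so we take kilobytes with -k
# and sort those; -x keeps du on one filesystem so a mounted share under ROOT
# does not skew the numbers. Like the book's "du -sh *", the glob skips
# dot-directories.
set -eu

# top_dirs ROOT [N]: print "kilobytes<TAB>path" for the N (default 10) largest
# entries directly under ROOT, largest first
top_dirs() {
    root="$1"; n="${2:-10}"
    du -skx "$root"/* 2>/dev/null | sort -rn | head -n "$n"
}

# largest_dir ROOT: path of the single largest entry under ROOT (du separates
# size and path with a tab, which is cut's default delimiter)
largest_dir() {
    top_dirs "$1" 1 | cut -f2-
}

# Stand-alone use: sh disk-report.sh /home
# Assumed crontab line (not from the book), mailing the report to root each morning:
#   0 6 * * * /usr/local/sbin/disk-report.sh /home | mail -s "disk usage" root
if [ $# -ge 1 ]; then
    top_dirs "$1" "${2:-10}"
fi
```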
1.1 Find the route that packets sent from your machine take to a remote host
If you want to find out the route that packets sent from your machine take to a remote host, simply issue the following command:
[root@deep /]# traceroute www.redhat.com
traceroute to www.portal.redhat.com (206.132.41.202), 30 hops max, 38 byte packets
 1 ppp005.108-253-207.mtl.mt.videotron.net (207.253.108.5) 98.584 ms 1519.806 ms 109.911 ms
 2 fa5-1-0.rb02-piex.videotron.net (207.96.135.1) 149.888 ms 89.830 ms 109.914 ms
 3 ia-tlpt-bb01-fec1.videotron.net (207.253.253.53) 149.896 ms 99.873 ms 139.930 ms
 4 ia-cduc-bb02-ge2-0.videotron.net (207.253.253.61) 99.897 ms 169.863 ms 329.926 ms
 5 if-4-1.core1.Montreal.Teleglobe.net (207.45.204.5) 409.895 ms 1469.882 ms 109.902 ms
 6 if-1-1.core1.NewYork.Teleglobe.net (207.45.223.109) 189.920 ms 139.852 ms 109.939 ms
 7 206.132.150.133 (206.132.150.133) 99.902 ms 99.724 ms 119.914 ms
 8 pos1-0-2488M.wr2.CLE1.gblx.net (206.132.111.89) 189.899 ms 129.873 ms 129.934 ms
 9 pos8-0-2488m.wr2.kcy1.globalcenter.net (206.132.111.82) 169.890 ms 179.884 ms 169.933 ms
10 206.132.114.77 (206.132.114.77) 199.890 ms 179.771 ms 169.928 ms
11 pos8-0-2488M.wr2.SFO1.gblx.net (206.132.110.110) 159.909 ms 199.959 ms 179.837 ms
12 pos1-0-2488M.cr1.SNV2.gblx.net (208.48.118.118) 179.885 ms 309.855 ms 299.937 ms
13 pos0-0-0-155M.hr2.SNV2.gblx.net (206.132.151.46) 329.905 ms 179.843 ms 169.936 ms
14 206.132.41.202 (206.132.41.202) 2229.906 ms 199.752 ms 309.927 ms

Where “www.redhat.com” is the name or IP address of the host that you want to trace.
1.2 Display the number of times your Web pages have been accessed
To quickly display the number of times your home page ("/") has been requested, use this command:
[root@deep /]# grep "GET / HTTP" /var/log/httpd/access_log | wc -l
467
Note that the pattern "GET / HTTP" matches only requests for the root document; requests for the other pages on your site are not counted.

1.3 Shut down most services altogether
As root, you can shut down most services altogether with the following command:
[root@deep /]# killall httpd smbd nmbd slapd named
The above command will shut down the Apache server, Samba services, LDAP server, and DNS server respectively. It only stops the running daemons; unless you also disable their init scripts, they will start again at the next boot.

1.4 Want a clock at the top of your terminal for all users?
Edit the profile file (vi /etc/profile) and add the following line:
PROMPT_COMMAND='echo -ne "\0337\033[2;999r\033[1;1H\033[00;44m\033[K"`date`"\033[00m\0338"'
The result is the current date and time, on a blue background, kept on the first line of the terminal above the scrolling region.

1.5 Do you have "lsof" installed on your server?
If not, install it and execute "lsof -i". This lists which ports you have open on your machine. The lsof program is a great tool, as it will tell you which process is listening on a given port. Piping the output through "grep LISTEN" shows only the listening sockets.
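As an added example that is not part of the book, the script below parses the output of "lsof -i", reduces it to the listening TCP services and reports any daemon that is not on a short allow-list of what the server is supposed to run, which turns the listing into a check you can repeat after every change. The sample output embedded in it is constructed in lsof's format, modelled on the lsof -i listing in this section, with an extra httpd line so the check has something to report; the allow-list is an assumption.

```shell
#!/bin/sh
# Added example (not from the book): turn "lsof -i" output into an inventory
# of listening TCP services and flag anything not on an allow-list, so a
# machine can be checked against what it is supposed to run. SAMPLE_LSOF is
# constructed in lsof's format (the "httpd" line is added to give the check
# something to flag); the allow-list in the usage line is an assumption.
set -eu

SAMPLE_LSOF='COMMAND  PID USER FD TYPE DEVICE SIZE NODE NAME
inetd    344 root  4u IPv4    327      TCP *:ssh (LISTEN)
sendmail 389 root  4u IPv4    387      TCP *:smtp (LISTEN)
smbd     450 root  5u IPv4    452      TCP deep.openna.com:netbios-ssn (LISTEN)
nmbd     461 root  5u IPv4    463      UDP *:netbios-ns
named   2599 root 21u IPv4   3092      TCP localhost.localdomain:domain (LISTEN)
named   2599 root 23u IPv4   3093      TCP deep.openna.com:domain (LISTEN)
httpd   1201 root  4u IPv4   5001      TCP *:www (LISTEN)'

# listeners: read lsof -i output on stdin, print one "command port" line per
# listening TCP socket. The port is whatever follows the last ":" in NAME, so
# this also works for the numeric ports printed by "lsof -i -P -n".
listeners() {
    awk '$NF == "(LISTEN)" { n = split($(NF-1), a, ":"); print $1, a[n] }' | sort -u
}

# unexpected_listeners "cmd1 cmd2 ...": print the listeners whose command is
# not in the space-separated allow-list; empty output means the box runs only
# what it should.
unexpected_listeners() {
    allowed=" $1 "
    listeners | while read -r cmd port; do
        case "$allowed" in
        *" $cmd "*) ;;
        *) echo "$cmd $port" ;;
        esac
    done
}

# Stand-alone use on the sample. On a real host replace the printf with: lsof -i
if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_LSOF" | unexpected_listeners "inetd sendmail smbd named"
fi
```

Run against the sample, the check prints "httpd www", the one daemon that the allow-list does not cover. On a production server the allow-list should be the exact set of daemons that Chapter 2 left installed; anything else appearing in the output is either a configuration mistake or something an intruder started.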
[root@deep /]# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
inetd 344 root 4u IPv4 327 TCP *:ssh (LISTEN)
sendmail 389 root 4u IPv4 387 TCP *:smtp (LISTEN)
smbd 450 root 5u IPv4 452 TCP deep.openna.com:netbios-ssn (LISTEN)
nmbd 461 root 5u IPv4 463 UDP *:netbios-ns
nmbd 461 root 6u IPv4 465 UDP *:netbios-dgm
nmbd 461 root 8u IPv4 468 UDP deep.openna.com:netbios-ns
nmbd 461 root 9u IPv4 470 UDP deep.openna.com:netbios-dgm
named 2599 root 4u IPv4 3095 UDP *:32771
named 2599 root 20u IPv4 3091 UDP localhost.localdomain:domain
named 2599 root 21u IPv4 3092 TCP localhost.localdomain:domain (LISTEN)
named 2599 root 22u IPv4 3093 UDP deep.openna.com:domain
named 2599 root 23u IPv4 3094 TCP deep.openna.com:domain (LISTEN)

1.6 Run commands on remote servers via the ssh protocol without logging in
The ssh command can also be used to run commands on remote systems without logging in interactively. The output of the command is displayed, and control returns to the local system. Here is an example which displays all the users logged in on the remote system:
[admin@deep /]$ ssh mail.openna.com who
admin@mail.openna.com's password:
root tty1 Dec 2 14:45
admin tty2 Dec 2 14:45
wahib pts/0 Dec 2 11:38

1.7 Filename Completion
Tab filename completion lets you type part of a filename or program name and press [TAB] to have the shell complete it for you. If more than one file or program starts with what you typed, the shell beeps, and pressing [TAB] again lists all the names that start with what you initially typed.

1.8 Special Characters
You can quickly accomplish tasks that you perform frequently by using shortcut keys: one or more keys you press on the keyboard to complete a task.
For example, special characters can be used in the Linux shell as follows:

Control-d: If you are at the shell prompt and hit Control-d, you are logged off.
Control-l: If you are at the shell prompt and hit Control-l, you clear the screen.
?: This is a wildcard that represents exactly one character. If you specify something like "m?b" at the command line, the shell matches mob, mib, mub and any other name made of an "m", one character, and a "b".
*: This represents any number of characters, including none. "mi*" matches "mit", mim, miiii, miya and ANYTHING that starts with "mi"; "m*l" matches mill, mull, ml and anything that starts with an "m" and ends with an "l".
[]: Specifies a set or range of characters. m[oui]m matches mim, mum and mom; m[a-d]m matches mam, mbm, mcm and mdm. (A comma inside the brackets is matched literally, so "m[o,u,i]m" would also match "m,m".) Get the idea?

The [], ?, and * are usually used with copying, deleting, and directory listings.

NOTE: EVERYTHING in Linux is CASE sensitive. This means "Bill" and "bill" are not the same thing. This allows many files to be stored, since "Bill", "bill", "bIll", "biLl", etc. can be different files. So, when using [], you have to specify capital letters if any files you are dealing with have capital letters. Most names are lower case in UNIX, though.

Appendix B
Obtaining Requests for Comments (RFCs)

Requests for Comments (RFCs) are an ongoing series of documents issued by the Internet Engineering Task Force (IETF) at the Network Information Center (NIC) that present new protocols and establish standards for the Internet protocol suite. Each such document defines an aspect of a protocol used on the Internet.
We have listed below all the RFCs that pertain to this book and to the various software described in it. RFCs are available from the following site:

RFC706 On the Junk Mail Problem.
RFC733 Standard for the Format of ARPA Network Text Messages.
RFC768 User Datagram Protocol (UDP).
RFC791 Internet Protocol (IP).
RFC792 Internet Control Message Protocol (ICMP).
RFC793 Transmission Control Protocol (TCP).
RFC805 Computer Mail Meeting Notes.
RFC821 Simple Mail Transfer Protocol (SMTP).
RFC822 Standard for the Format of ARPA Internet Text Messages.
RFC934 Proposed Standard for Message Encapsulation.
RFC950 IP Subnet Extension.
RFC959 File Transfer Protocol (FTP).
RFC976 UUCP Mail Interchange Format Standard.
RFC1034 Domain Names: Concepts and Facilities.
RFC1036 Standard for Interchange of USENET Messages.
RFC1058 Routing Information Protocol (RIP).
RFC1112 Internet Group Management Protocol (IGMP).
RFC1122 Requirements for Internet Hosts - Communication Layers.
RFC1123 Requirements for Internet Hosts - Application and Support.
RFC1137 Mapping Between Full RFC 822 and RFC 822 with Restricted Encoding.
RFC1153 Digest Message Format.
RFC1155 Structure of Management Information (SMI).
RFC1157 Simple Network Management Protocol (SNMP).
RFC1176 Interactive Mail Access Protocol: Version 2.
RFC1274 The COSINE and Internet X.500 Schema.
RFC1275 Replication Requirements to Provide an Internet Directory Using X.500.
RFC1279 X.500 and Domains.
RFC1308 Executive Introduction to Directory Services Using the X.500 Protocol.
RFC1309 Technical Overview of Directory Services Using the X.500 Protocol.
RFC1310 The Internet Standards Process.
RFC1319 MD2 Message-Digest Algorithm.
RFC1320 MD4 Message-Digest Algorithm.
RFC1321 MD5 Message-Digest Algorithm.
RFC1343 User Agent Configuration Mechanism for Multimedia Mail Format Information.
RFC1344 Implications of MIME for Internet Mail Gateways.
RFC1345 Character Mnemonics and Character Sets.
RFC1421 Privacy Enhancement for Internet Electronic Mail: Part I - Message Encipherment and Authentication Procedures.
RFC1422 Privacy Enhancement for Internet Electronic Mail: Part II - Certificate-Based Key Management.
RFC1423 Privacy Enhancement for Internet Electronic Mail: Part III - Algorithms, Modes, and Identifiers [Draft].
RFC1428 Transition of Internet Mail from Just-Send-8 to 8bit-SMTP/MIME.
RFC1430 A Strategic Plan for Deploying an Internet X.500 Directory Service.
RFC1492 An Access Control Protocol, Sometimes Called TACACS.
RFC1495 Mapping Between X.400(1988)/ISO 10021 and RFC 822.
RFC1496 X.400 1988 to 1984 Downgrading.
RFC1505 Encoding Header Field for Internet Messages.
RFC1510 The Kerberos Network Authentication Service (V5).
RFC1519 Classless Inter-Domain Routing (CIDR): Assignment and Aggregation Strategy.
RFC1521 MIME (Multipurpose Internet Mail Extensions): Mechanisms for Specifying and Describing the Format of Internet Message Bodies.
RFC1522 Representation of Non-ASCII Text in Internet Message Headers.
RFC1558 A String Representation of LDAP Search Filters.
RFC1566 Mail Monitoring MIB.
RFC1579 Firewall-Friendly FTP.
RFC1583 Open Shortest Path First Routing V2 (OSPF2).
RFC1617 Naming and Structuring Guidelines for X.500 Directory Pilots.
RFC1625 WAIS over Z39.50-1988.
RFC1631 The IP Network Address Translator (NAT).
RFC1652 SMTP Service Extension for 8bit-MIMEtransport.
RFC1661 Point-to-Point Protocol (PPP).
RFC1711 Classifications in E-mail Routing.
RFC1725 Post Office Protocol, Version 3 (POP3).
RFC1738 Uniform Resource Locators (URL).
RFC1739 A Primer on Internet and TCP/IP Tools.
RFC1777 Lightweight Directory Access Protocol.
RFC1778 The String Representation of Standard Attribute Syntaxes.
RFC1779 A String Representation of Distinguished Names.
RFC1781 Using the OSI Directory to Achieve User Friendly Naming.
RFC1796 Not All RFCs are Standards.
RFC1798 Connection-less Lightweight Directory Access Protocol.
RFC1823 The LDAP Application Program Interface.
RFC1830 SMTP Service Extensions for Transmission of Large and Binary MIME Messages.
RFC1844 Multimedia E-mail (MIME) User Agent Checklist.
RFC1845 SMTP Service Extension for Checkpoint/Restart.
RFC1846 SMTP 521 Reply Code.
RFC1854 SMTP Service Extension for Command Pipelining.
RFC1855 Netiquette Guidelines.
RFC1864 The Content-MD5 Header Field.
RFC1866 Hypertext Markup Language - 2.0.
RFC1869 SMTP Service Extensions.
RFC1870 SMTP Service Extension for Message Size Declaration.
RFC1872 The MIME Multipart/Related Content-type.
RFC1873 Message/External-Body Content-ID Access-type.
RFC1883 Internet Protocol, Version 6 (IPv6) Specification.
RFC1884 IP Version 6 Addressing Architecture.
RFC1886 DNS Extensions to Support IP Version 6.
RFC1891 SMTP Service Extension for Delivery Status Notifications.
RFC1892 The Multipart/Report Content Type for the Reporting of Mail System Administrative Messages.
RFC1893 Enhanced Mail System Status Codes.
RFC1894 An Extensible Message Format for Delivery Status Notifications.
RFC1918 Address Allocation for Private Internets.
RFC1928 SOCKS Protocol Version 5.
RFC1929 Username/Password Authentication for SOCKS V5.
RFC1959 An LDAP URL Format.
RFC1960 A String Representation of LDAP Search Filters.
RFC1961 GSS-API Authentication Method for SOCKS Version 5.
RFC2003 IP Encapsulation within IP.
RFC2028 The Organizations Involved in the IETF Standards Process.
RFC2044 UTF-8, a Transformation Format of Unicode and ISO 10646.
RFC2060 Internet Message Access Protocol - Version 4rev1 (IMAP4).
RFC2104 HMAC: Keyed-Hashing for Message Authentication.
RFC2138 Remote Authentication Dial In User Service (RADIUS).
RFC2164 Use of an X.500/LDAP Directory to Support MIXER Address Mapping.
RFC2200 Internet Official Protocol Standards.
RFC2218 A Common Schema for the Internet White Pages Service.
RFC2247 Using Domains in LDAP/X.500 Distinguished Names.
RFC2251 Lightweight Directory Access Protocol (v3).
RFC2252 Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions.
RFC2253 Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names.
RFC2254 The String Representation of LDAP Search Filters.
RFC2255 The LDAP URL Format.
RFC2256 A Summary of the X.500(96) User Schema for Use with LDAPv3.
RFC2279 UTF-8, a Transformation Format of ISO 10646.
RFC2293 Representing Tables and Subtrees in the X.500 Directory.
RFC2294 Representing the O/R Address Hierarchy in the X.500 Directory Information Tree.
RFC2305 A Simple Mode of Facsimile Using Internet Mail.
RFC2307 An Approach for Using LDAP as a Network Information Service.
RFC2313 PKCS #1: RSA Encryption Version 1.5.
RFC2314 PKCS #10: Certification Request Syntax Version 1.5.
RFC2315 PKCS #7: Cryptographic Message Syntax Version 1.5.
RFC2377 Naming Plan for Internet Directory-Enabled Applications.
