Monday, December 31, 2012

How to use VNC to view a remote system

VNC is a free third-party program that provides remote desktop login, similar to Remote Desktop in Windows or Daemonware. One nice thing about VNC is that it's multi-platform: it works on Windows, UNIX, BSD, Linux and Mac. The downside to VNC is that it's insecure on its own, but you can wrap it in an SSH tunnel. Most of my experience with VNC is on Solaris and Red Hat. Most of the examples below are from a Solaris server.

To see if any VNC sessions are running on your server, run the command below.
# ps -ef|grep vnc
If you have a session running it will look like this.
rich 15137 14170  0 Nov 24 ?    0:00  vncconfig -iconic
rich  538  8833   0 Nov 24 ?    7:34  Xvnc :1 -desktop server:1 (rich) -auth /home/rich/.Xauthority -geometry 1900

To start a basic VNC server session just type vncserver.
# vncserver
After you run this command you will get a session (display) number. For example, the first user to start a VNC server gets session number 1. When you connect to the session from a remote computer you use hostname:1.

You will also need to set a VNC password before you can connect to the session.
# vncpasswd
This sets the VNC password for your account.

If you want more options, check the popular options below. For screen size use -geometry widthxheight. If the computer you are connecting from doesn't have VNC Viewer installed, you can use the -httpd option to connect using a web browser.
# vncserver :3 -geometry 800x600 -http

VNC is installed on Macs and you can turn on the VNC server by going to System Preferences --> Sharing. Select Remote Management and then click Computer Settings. In the drop-down select "VNC viewers may control screen with password". Then enter the desired password in the box.

The xstartup file controls the desktop you get. Uncomment lines 4 & 5 of that file to get a GNOME desktop.

Sometimes you need to shut down the VNC session you're using.
# vncserver -kill :#
Replace # with the session number VNC gave you.

Now that you have started the VNC server you will want to connect to it. From a UNIX or Linux system you run the following command: vncviewer hostname:1
# vncviewer server1:1
If you are connecting from a Windows PC, there is a VNC Viewer application for Windows.

Warning: If you auto-mount your home directory, beware that different operating systems need different settings in the xstartup file. All VNC sessions use the same xstartup file, so changes made by you or the VNC program will affect the VNC experience on all of them. I ran into an issue when I tried to use the GNOME desktop on both RHEL and Solaris 10 servers. When I got the GNOME desktop working for RHEL, the GNOME desktop was unusable on Solaris 10. The best way to get around this is to use different accounts or different desktops on different operating systems.

Important VNC files
$HOME/.vnc/xstartup -- The file that controls them all. This is the main config file used for your VNC server session.

$HOME/.vnc/passwd -- The VNC password file

$HOME/.vnc/host:display#.log -- The log file for Xvnc and applications started in xstartup

$HOME/.vnc/ -- Identifies the Xvnc process ID, used by the -kill option.

Package list for Solaris 10
SUNWxvnc                VNC Server
SUNWvncviewer       VNC Viewer

Friday, December 28, 2012

Restrict the ability to switch to the root user

Having the ability to become root is great, but if the wrong person gets the root password then bad things can happen. So let's make it a little harder on them. In the steps below I'm going to make the su command unusable to a normal user. First we will remove the permissions for other. Then we change the group ownership to sysadmin so only users in the sysadmin group (gid 14) can su and become root.

Change permissions and group ownership on the su command
# cd /usr/bin
# ls -la su

-r-sr-xr-x 1 root sys 21192 Dec 28 12:30 su
# /usr/bin/chgrp sysadmin su
# /usr/bin/chmod 04750 su
# ls -la su

-rwsr-x--- 1 root sysadmin 21192 Dec 28 12:30 su

Now let's change the su.static file.
# cd /sbin
# ls -la su.static

-r-sr-xr-x 1 root sys 21192 Dec 28 12:30 su.static
# /usr/bin/chgrp sysadmin su.static
# /usr/bin/chmod 04750 su.static
# ls -la su.static

-rwsr-x--- 1 root sysadmin 21192 Dec 28 12:30 su.static

Thursday, December 27, 2012

Restrict SSH logins

As a System Administrator you always want to make your servers more secure. With that in mind, I'm going to restrict ssh logins. To do this, I will make a change to the /etc/ssh/sshd_config file. This change will limit ssh logins to accounts in the users group. The example below is from a Solaris 10 server, but this will also work on any UNIX, BSD or Linux system. We have done this on Solaris 10, RHEL 5 and SLES 11 servers at my workplace.

Before you begin, log in to the server using a remote console, or at least from more than one terminal. I had one co-worker lock himself out of the server because he forgot to add himself to the users group before he restarted ssh. I would also take note of any programs that use ssh so you don't lock them out.

# vi /etc/ssh/sshd_config
Add the following line to the /etc/ssh/sshd_config file.
AllowGroups users
You can use any group you want; you don't have to use the users group. Many people like to use a group called sshusers for this purpose. I use the default group users, because all the user accounts use SSH to access my servers. Make sure you check all your application accounts and make sure they are in the group you are using for SSH, otherwise your applications may no longer work.

To have the change take effect you need to restart the sshd process.
# svcadm restart ssh
or
# /etc/rc2.d/K03sshd stop
# /etc/rc2.d/K03sshd start

Test the new setup by trying to log in with one account that is not in the users group and one that is. The account in the users group should be able to log in, but the account that is not should be refused.
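As an added example (not part of the original post), here is a pre-flight check for the lock-out problem described above: it reads the AllowGroups line from sshd_config and reports every account that is in none of the allowed groups, so you can fix group membership before restarting sshd. It runs on constructed copies of sshd_config, /etc/group and /etc/passwd; on a real host you would point it at the actual files.

```shell
#!/bin/sh
# Pre-flight check for an AllowGroups change: report every account that sshd
# would refuse once the directive is active, BEFORE restarting sshd.
# Added example, not from the original post. Runs on constructed copies of
# sshd_config, /etc/group and /etc/passwd; point it at the real files on a host.
# Exact group names only; AllowGroups wildcard patterns are not expanded here.

# allowed_groups CONFIG -> group names on the AllowGroups line (last one wins)
allowed_groups() {
    awk 'tolower($1) == "allowgroups" { $1 = ""; sub(/^ +/, ""); g = $0 } END { print g }' "$1"
}

# user_groups USER GROUPFILE PASSWDFILE -> the user's primary group name plus
# supplementary groups; sshd accepts a match on either, so both are checked.
user_groups() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$3")
    awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$2"
}

# locked_out CONFIG GROUPFILE PASSWDFILE USER... -> prints each user that is in
# none of the allowed groups (the accounts that would lose SSH access)
locked_out() {
    cfg=$1; grp=$2; pw=$3; shift 3
    allowed=$(allowed_groups "$cfg")
    for u in "$@"; do
        ok=0
        for g in $(user_groups "$u" "$grp" "$pw"); do
            for a in $allowed; do [ "$g" = "$a" ] && ok=1; done
        done
        [ "$ok" -eq 1 ] || echo "$u"
    done
}

# Constructed sample files standing in for the real ones.
tmp=$(mktemp -d)
printf 'Port 22\n# only members of users may log in over ssh\nAllowGroups users\n' > "$tmp/sshd_config"
printf 'root::0:\nsysadmin::14:rich\nusers::100:rich,alice\n' > "$tmp/group"
printf 'rich:x:1001:100::/home/rich:/bin/bash\nalice:x:1002:100::/home/alice:/bin/bash\n' > "$tmp/passwd"
printf 'bob:x:1003:10::/home/bob:/bin/bash\noracle:x:1004:100::/export/oracle:/bin/sh\n' >> "$tmp/passwd"

# rich and alice are listed members, oracle is in users via its primary gid, bob is not
echo "Accounts that would be locked out: $(locked_out "$tmp/sshd_config" "$tmp/group" "$tmp/passwd" rich alice bob oracle)"
```

Run it against the accounts that use SSH (interactive users and application accounts alike); any name it prints must be added to the allowed group before sshd is restarted.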

If you have anything to add please post below.

Tuesday, December 4, 2012

Uninstall and delete a zone in Solaris 10

This is how to completely remove a non-global zone from a Solaris 10 server. For the example below the global zone is called earth and the zone we are removing is called moon.

Check the current status of the zones running on the global zone.
root@earth> zoneadm list -cv
global running / native shared
moon running /export/zones/moon native shared

If the zone is running, then run the following command to shutdown the zone.
root@earth> zoneadm -z moon halt
Note - You can also log in to the zone and shut it down from inside the zone.

After the zone is shut down it should be in the installed state. Run the command below to uninstall the zone.
root@earth> zoneadm -z moon uninstall

Then you delete the zone with the command below.
root@earth> zonecfg -z moon delete

The site below also has a nice how-to for removing zones.