I’ve noticed that many people do not realize port 111 and a few other random ports are open on fresh debian installs. It is for the portmap daemon which is needed by RPC based services such as NFS. I barely have any use for NFS, especially on internet facing hosts.
Here we see TCP ports 111, 41394 and UDP ports 111, 742, 48841 are open. Portmap may be marked as secure right now, but it is always best to close up unused ports.
# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2251/portmap
tcp        0      0 0.0.0.0:41394           0.0.0.0:*               LISTEN      2262/rpc.statd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2490/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2757/exim4
tcp6       0      0 :::80                   :::*                    LISTEN      2818/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      2490/sshd
udp        0      0 0.0.0.0:48841           0.0.0.0:*                           2262/rpc.statd
udp        0      0 0.0.0.0:742             0.0.0.0:*                           2262/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2251/portmap
Fortunately it is easy to remove (nfs-common relies on portmap, so we need to remove that as well):
# aptitude --purge remove portmap nfs-common
# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2490/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2757/exim4
tcp6       0      0 :::80                   :::*                    LISTEN      2818/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      2490/sshd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     6113   2454/acpid          /var/run/acpid.socket
Now that’s much cleaner!
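The before-and-after listings above are what you check by eye; on more than a handful of hosts it helps to automate the same check. The script below is an added example, not part of the original post: it reads the output of `netstat -nlp` on stdin and prints every TCP/UDP daemon bound to all interfaces (0.0.0.0 or ::) whose program name is not on a short allowlist, so a stray portmap or rpc.statd listener is reported while sshd and apache2 are not. The allowlist (ALLOWED_PROGRAMS) and the embedded sample listing are constructed for the demo and mirror the first netstat output on this page.

```shell
#!/bin/sh
# Added example (not from the original post): flag wildcard-bound listeners
# in "netstat -nlp" output that are not on an allowlist.
# Usage on a Debian host (as root, so the PID/Program column is filled in):
#   netstat -nlp | audit_listeners
# ALLOWED_PROGRAMS is an assumption for this demo; adjust it per host role.

ALLOWED_PROGRAMS="sshd apache2"

# Reads netstat -nlp output on stdin, prints one line per unexpected
# wildcard listener as: PROTO PORT PROGRAM
audit_listeners() {
    awk -v allowed="$ALLOWED_PROGRAMS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # keep only tcp/udp rows; this drops the headers and the UNIX socket section
        $1 !~ /^(tcp|udp)6?$/ { next }
        {
            addr = $4
            # a wildcard bind looks like 0.0.0.0:PORT (IPv4) or :::PORT (IPv6)
            if (addr !~ /^(0\.0\.0\.0|::):[0-9]+$/) next
            port = addr; sub(/.*:/, "", port)
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # strip the "PID/" prefix
            if (!(prog in ok)) printf "%s %s %s\n", $1, port, prog
        }'
}

# Constructed sample: the listing from a fresh install, before removing portmap.
demo() {
    cat <<'EOF' | audit_listeners
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2251/portmap
tcp 0 0 0.0.0.0:41394 0.0.0.0:* LISTEN 2262/rpc.statd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2490/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2757/exim4
tcp6 0 0 :::80 :::* LISTEN 2818/apache2
tcp6 0 0 :::22 :::* LISTEN 2490/sshd
udp 0 0 0.0.0.0:48841 0.0.0.0:* 2262/rpc.statd
udp 0 0 0.0.0.0:742 0.0.0.0:* 2262/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:* 2251/portmap
EOF
}

demo
```

Run against the sample it prints the five portmap/rpc.statd rows and nothing for sshd, apache2 or the loopback-only exim4; an empty result is the state you want after the purge. The parser follows netstat's column layout as shown on this page; `ss -lntup`, which replaces netstat on newer Debian releases, prints different columns and would need its own field mapping.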
If you use Debian or Ubuntu you should consider using our fast (gigabit + nginx) mirror.
Here are some example sources.lists:
debian squeeze:
$ cat /etc/apt/sources.list
deb http://mirror.peer1.net/debian/ squeeze main
deb-src http://mirror.peer1.net/debian/ squeeze main
deb http://mirror.peer1.net/debian/ squeeze-updates main
deb-src http://mirror.peer1.net/debian/ squeeze-updates main
deb http://mirror.peer1.net/debian-security/ squeeze/updates main
deb-src http://mirror.peer1.net/debian-security/ squeeze/updates main
debian lenny:
$ cat /etc/apt/sources.list
deb http://mirror.peer1.net/debian/ lenny main
deb-src http://mirror.peer1.net/debian/ lenny main
deb http://mirror.peer1.net/debian-security/ lenny/updates main
deb-src http://mirror.peer1.net/debian-security/ lenny/updates main
deb http://mirror.peer1.net/debian-volatile/ lenny/volatile main
deb-src http://mirror.peer1.net/debian-volatile/ lenny/volatile main
ubuntu natty – 11.04:
root@media:~# cat /etc/apt/sources.list
deb http://mirror.peer1.net/ubuntu/ natty main restricted
deb-src http://mirror.peer1.net/ubuntu/ natty main restricted
deb http://mirror.peer1.net/ubuntu/ natty-updates main restricted
deb-src http://mirror.peer1.net/ubuntu/ natty-updates main restricted
deb http://mirror.peer1.net/ubuntu/ natty universe
deb-src http://mirror.peer1.net/ubuntu/ natty universe
deb http://mirror.peer1.net/ubuntu/ natty-updates universe
deb-src http://mirror.peer1.net/ubuntu/ natty-updates universe
deb http://mirror.peer1.net/ubuntu/ natty multiverse
deb-src http://mirror.peer1.net/ubuntu/ natty multiverse
deb http://mirror.peer1.net/ubuntu/ natty-updates multiverse
deb-src http://mirror.peer1.net/ubuntu/ natty-updates multiverse
deb http://mirror.peer1.net/ubuntu natty-security main restricted
deb-src http://mirror.peer1.net/ubuntu natty-security main restricted
deb http://mirror.peer1.net/ubuntu natty-security universe
deb-src http://mirror.peer1.net/ubuntu natty-security universe
deb http://mirror.peer1.net/ubuntu natty-security multiverse
deb-src http://mirror.peer1.net/ubuntu natty-security multiverse
deb http://extras.ubuntu.com/ubuntu natty main
deb-src http://extras.ubuntu.com/ubuntu natty main
ubuntu lucid – 10.04:
$ cat /etc/apt/sources.list
deb http://mirror.peer1.net/ubuntu/ lucid main restricted
deb-src http://mirror.peer1.net/ubuntu/ lucid main restricted
deb http://mirror.peer1.net/ubuntu/ lucid-updates main restricted
deb-src http://mirror.peer1.net/ubuntu/ lucid-updates main restricted
deb http://mirror.peer1.net/ubuntu/ lucid universe
deb-src http://mirror.peer1.net/ubuntu/ lucid universe
deb http://mirror.peer1.net/ubuntu/ lucid-updates universe
deb-src http://mirror.peer1.net/ubuntu/ lucid-updates universe
deb http://mirror.peer1.net/ubuntu/ lucid multiverse
deb-src http://mirror.peer1.net/ubuntu/ lucid multiverse
deb http://mirror.peer1.net/ubuntu/ lucid-updates multiverse
deb-src http://mirror.peer1.net/ubuntu/ lucid-updates multiverse
deb http://mirror.peer1.net/ubuntu/ lucid-security main restricted
deb-src http://mirror.peer1.net/ubuntu/ lucid-security main restricted
deb http://mirror.peer1.net/ubuntu/ lucid-security universe
deb-src http://mirror.peer1.net/ubuntu/ lucid-security universe
deb http://mirror.peer1.net/ubuntu/ lucid-security multiverse
deb-src http://mirror.peer1.net/ubuntu/ lucid-security multiverse
deb http://archive.canonical.com/ lucid partner
deb http://archive.canonical.com/ubuntu lucid partner
ubuntu maverick – 10.10:
$ cat /etc/apt/sources.list
deb http://mirror.peer1.net/ubuntu/ maverick main restricted
deb-src http://mirror.peer1.net/ubuntu/ maverick main restricted
deb http://mirror.peer1.net/ubuntu/ maverick-updates main restricted
deb-src http://mirror.peer1.net/ubuntu/ maverick-updates main restricted
deb http://mirror.peer1.net/ubuntu/ maverick universe
deb-src http://mirror.peer1.net/ubuntu/ maverick universe
deb http://mirror.peer1.net/ubuntu/ maverick-updates universe
deb-src http://mirror.peer1.net/ubuntu/ maverick-updates universe
deb http://mirror.peer1.net/ubuntu/ maverick multiverse
deb-src http://mirror.peer1.net/ubuntu/ maverick multiverse
deb http://mirror.peer1.net/ubuntu/ maverick-updates multiverse
deb-src http://mirror.peer1.net/ubuntu/ maverick-updates multiverse
deb http://mirror.peer1.net/ubuntu/ maverick-security main restricted
deb-src http://mirror.peer1.net/ubuntu/ maverick-security main restricted
deb http://mirror.peer1.net/ubuntu/ maverick-security universe
deb-src http://mirror.peer1.net/ubuntu/ maverick-security universe
deb http://mirror.peer1.net/ubuntu/ maverick-security multiverse
deb-src http://mirror.peer1.net/ubuntu/ maverick-security multiverse
deb http://archive.canonical.com/ maverick partner
Syntax highlighting is a sysadmin’s dream: it lets you code more efficiently and pick the relevant information out of config files at a glance. To get vim syntax highlighting working in Lenny, you first need to install the full vim package, as the base version (vim-tiny) does not support syntax highlighting.
# aptitude install vim
Then edit /etc/vim/vimrc, go to line 20 and remove the leading double quote (vim’s comment character) in front of ‘syntax on’ so it looks like this:
# vi /etc/vim/vimrc
" Vim5 and later versions support syntax highlighting. Uncommenting the next
" line enables syntax highlighting by default.
syntax on

" If using a dark background within the editing area and syntax highlighting
" turn on this option as well
Finally, save by hitting ‘:’, typing ‘x’ and pressing Enter. (There are many ways to save and quit in vim, such as replacing the ‘x’ with ‘wq’ or simply hitting ‘ZZ’.)
I’ve always had an issue with Debian Lenny and connecting via ssh or local console (xm console --role udev to the end of your xen-create-image command, and then add extra = ‘xencons=tty1 console=tty1’ to the newly created cfg file in /etc/xen.
# xen-create-image --size 10G --ip 1.2.3.4 --netmask 255.255.255.0 --gateway 1.2.3.1 --hostname newvm --lvm vg --role udev
# echo "extra = 'xencons=tty1 console=tty1'" >> /etc/xen/newvm.cfg
More info can be found at http://wiki.debian.org/Xen under “Additional note for domU on lenny using xen-tools”. Note: I do not follow their guide exactly – this is just what has worked for me.
Installing VMware Tools on your VMware guests is a good idea: it gives you the ability to shut them down cleanly from the VMware client, you get better disk/network performance, etc.
Install the packages required for the modules build as root:
# aptitude install autoconf automake binutils cpp gcc linux-headers-$(uname -r) make psmisc
In the vSphere client, right click on the guest VM. Go to ‘Guest -> Install/Upgrade VMware Tools’
This attaches a virtual CD as /dev/cdrom, which you then mount:
# mount /dev/cdrom /mnt
Copy the tarball to /root, unmount the virtual CD and extract it:
# cp /mnt/VMwareTools-4.0.0-208167.tar.gz /root
# umount /mnt
# cd /root
# tar xvf VMwareTools-4.0.0-208167.tar.gz
Enter the vmware-tools-distrib folder and run the installer script:
# cd vmware-tools-distrib/
# ./vmware-install.pl
The default values are adequate for most cases. For the first question I like to use /usr/local/bin for the binary path, to separate vmware and system binaries. It will automatically set the prefixes for the other paths it uses to /usr/local.