I’m pretty new to AIX, and I’m learning all about its idiosyncrasies. One thing I still don’t understand is why SSH isn’t installed by default. The packages are located on the AIX 7 Volume 1 of 2 DVD, but for some reason the installer doesn’t feel the need to make sshd available to the system at install time. For those who care about security, the following steps will get SSH installed and operational on your AIX 7.1 server:
First, insert the “AIX 7 Volume 1 of 2” DVD in your drive (NIM installs aren’t covered here) and mount it:
$ mount -V cdrfs -o ro /dev/cd0 /mnt
Once you mount the DVD you will need to change to the package directory:
$ cd /mnt/usr/sys/inst.images/
From there you can install the openssh and openssl packages:
$ installp -ac -Y -d . openssh.base openssl.base openssl.man.en_US openssh.man.en_US
This will install the packages and enable the SSH service. You can verify that the daemon started with the lssrc command:
$ lssrc -s sshd
Subsystem         Group            PID          Status
 sshd             ssh              7340084      active
This is crazy simple and a great way to improve security on your AIX system.
While reading up on various scalable file systems I came across the sheepdog project. For those new to sheepdog, their website describes it as:
“Sheepdog is a distributed storage system for QEMU/KVM. It provides highly available block level storage volumes that can be attached to QEMU/KVM virtual machines. Sheepdog scales to several hundreds nodes, and supports advanced volume management features such as snapshot, cloning, and thin provisioning.”
This looks really cool, and I’m hoping to play around with it this weekend. Curious what experiences my readers have had with it?
I recently discussed setting up rsyslog to write syslog data to a MySQL database. Once you get this set up, you can start writing SQL statements to view the data in various ways. The next logical step is visualizing your data, and that’s where LogAnalyzer comes in.
LogAnalyzer is a PHP application that can be used to visualize syslog data. You can use the main LogAnalyzer screen to view syslog data from all of your hosts as it is generated (this is handy). You can also invoke any number of searches against the data and view the results in a web browser. Pretty cool, ey? Setting up LogAnalyzer is crazy easy. First, you will need to grab the latest release from their website (I have been testing out the 3.5.0 beta):
$ wget http://download.adiscon.com/loganalyzer/loganalyzer-3.5.0.tar.gz
Once you have the tarball you will need to extract it and copy the “src” directory to a location accessible by your PHP-enabled web server:
$ tar xfvz loganalyzer-3.5.0.tar.gz
$ cp -rp loganalyzer-3.5.0/src /var/www/html/log
Next you will need to create an empty config.php file that is writeable by the web server. This can be accomplished with the configure.sh script:
$ cp loganalyzer-3.5.0/contrib/configure.sh /var/www/html/log
$ cd /var/www/html/log && ./configure.sh
The configure script creates a config.php file and changes the permissions to 666. You will definitely want to tighten up these permissions once the server is configured. If everything went smoothly you should be able to connect to your web server and run through the configuration screens. The first screen welcomes you and asks you to click “here” to continue the setup process:
The second screen verifies that the config.php was created and has the correct permissions:
The next screen allows you to adjust the number of syslog entries that are displayed, the maximum size of the message to display and allows you to store the configuration in a MySQL database. I used the defaults, which have worked out ok so far:
The last screen is used to input the MySQL database parameters. This includes the type of driver to use, the format of the SQL tables, the name of the server to connect to, the database to access and the user and password to connect with:
If everything completed correctly you should be able to access the main screen and begin viewing your syslog data:
On the main page you can view your logs in real time and execute searches to pull up specific syslog data. LogAnalyzer also has a “Statistics” page that allows you to view the number of syslog events by host, the number of messages by the entity generating them and the number of messages generated by date. Searches allow you to search by tag and value, and I’m still trying to figure out if you can use regular expressions or logical operations to limit values. More to come on this in a future post.
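The permission tightening mentioned above for config.php, as an added example that is not part of the original post or of LogAnalyzer itself. It assumes the web server only needs to read the file once setup is finished; the group name in the usage comment (apache) is an assumption, so substitute the group your web server runs as.

```shell
#!/bin/sh
# Added example, not from the original post: lock down LogAnalyzer's
# config.php once the web installer has finished writing it.
# Assumption: the web server only needs to read the file from now on.

# Print the symbolic mode of a path, e.g. "-rw-r-----".
mode_of() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# Succeed if "other" has write permission on the path.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -002 2>/dev/null)" ]
}

# tighten_config FILE [GROUP]
# GROUP is the group the web server runs as (site-specific, so optional here).
tighten_config() {
    cfg=$1
    grp=${2:-}
    # Never chmod through a symlink or onto a directory or device.
    if [ -L "$cfg" ] || [ ! -f "$cfg" ]; then
        echo "refusing: $cfg is not a regular file" >&2
        return 1
    fi
    if [ -n "$grp" ]; then
        chgrp "$grp" "$cfg" || return 1
    fi
    # Owner read/write, group read-only, nothing for everyone else.
    chmod 640 "$cfg" || return 1
    # Verify the result instead of trusting the exit status alone.
    if is_world_writable "$cfg"; then
        echo "still world-writable: $cfg" >&2
        return 1
    fi
    mode_of "$cfg"
}

# Run only when a path is given, e.g. (group name is an assumption):
#   sh tighten.sh /var/www/html/log/config.php apache
if [ -n "${1:-}" ]; then
    tighten_config "$@"
fi
```

Without a group argument the file keeps its current group, so check that the web server can still read it before walking away.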
I previously wrote about my experience installing bash on my AIX hosts. After I installed the package I wanted to make bash my default shell. I fired up usermod but was greeted with the following error:
$ usermod -s /usr/bin/bash matty
3004-703 Check “/etc/security/login.cfg” file.
3004-692 Error changing “shell” to “/usr/bin/bash” : Value is invalid.
AIX contains a list of valid shells in /etc/security/login.cfg, and bash is not in that list by default:
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr
Once I appended “/usr/bin/bash” to the end of the “shells” line usermod worked without a hitch:
$ usermod -s /usr/bin/bash matty
$ echo $?
Rock and roll!!
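The manual edit to the “shells” line described above, as an added example that is not part of the original post. It appends a shell only if the binary exists and is not already listed, and keeps a backup; the function names and the .bak suffix are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: append a shell to the
# "shells =" line of /etc/security/login.cfg exactly once.

# shell_allowed FILE SHELL: succeed if SHELL is already on the shells line.
shell_allowed() {
    awk -v want="$2" '
        /^[ \t]*shells[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")                 # keep only the value
            n = split($0, s, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (s[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# add_login_shell FILE SHELL
# Returns 0 when SHELL is listed afterwards, 2 when SHELL is rejected.
add_login_shell() {
    cfg=$1
    sh_path=$2
    # Only whitelist an absolute path to something that can actually run.
    case $sh_path in
        /*) ;;
        *) echo "need an absolute path: $sh_path" >&2; return 2 ;;
    esac
    if [ ! -x "$sh_path" ]; then
        echo "not an executable: $sh_path" >&2
        return 2
    fi
    # Idempotent: nothing to do if the entry is already there.
    shell_allowed "$cfg" "$sh_path" && return 0
    cp -p "$cfg" "$cfg.bak" || return 1
    # Rewrite in place so the file keeps its owner and mode.
    awk -v add="$sh_path" '
        /^[ \t]*shells[ \t]*=/ && !done {
            sub(/[ \t]*$/, ""); $0 = $0 "," add; done = 1
        }
        { print }' "$cfg.bak" > "$cfg" || return 1
    shell_allowed "$cfg" "$sh_path"
}

# Run only when both arguments are given, e.g.:
#   sh addshell.sh /etc/security/login.cfg /usr/bin/bash
if [ $# -eq 2 ]; then
    add_login_shell "$1" "$2"
fi
```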
I’ve recently started managing a number of AIX hosts, which use ksh as their default shell. I don’t have anything against ksh, but I’ve spent a ton of time working with bash and have become extremely proficient with it. Given that, I like it to be part of all of my system builds. To make myself more at home on my AIX machines, I went ahead and installed bash on each host. This was super easy.
First I located the “AIX Toolbox for Linux Applications for POWER Systems”. This CD contains a bunch of GNU packages which can be installed with the rpm utility. To install bash, I changed to the ppc directory on the DVD and ran rpm with the install option:
$ cd /mnt/RPMS/ppc
$ rpm -ivh bash-3.2-1.aix5.2.ppc.rpm
After the package was installed I was able to type bash and marvel in its awesomeness. :)
After many years of use it’s become almost second nature to type ‘telnet <HOST> <PORT>’ when I need to see if a system has TCP port <PORT> open. Newer systems no longer install telnet by default:
$ telnet google.com 80
-bash: telnet: command not found
I can’t think of a valid reason to keep telnet around (there are probably valid use cases). Since netcat and tcpdump are a billion times better for debugging TCP issues, I need to apply newer microcode to my brain to perform a ‘s/telnet/nc -v/g’ each time I need to test if a TCP port is open:
$ nc -v google.com 80
Connection to google.com 80 port [tcp/http] succeeded!
Anyone else have a telnet attachment they just can’t break? :)