Vi Editor

How to copy data in the vi editor

1. vi first: edit the source file.
2. Move your cursor to the start of the selection.
3. ma: mark the current position with the letter a.
4. Move your cursor to the end of the selection.
5. y'a: yank (copy) from the current position to mark a into the buffer.
6. :e other: edit the target file.
7. Move the cursor to where you want the data.
8. p: put the yanked text from the buffer.

Copying a block of text from one file to another in Vi
December 29th, 2008

To copy a block of text between files execute the commands:
Command / Explanation
1. Edit the file containing the text you want to copy.
2. Go to the top line to be copied.
3. ma Mark this line as mark "a".
4. Go to the bottom line to be copied.
5. y'a Yank (y) the text from the current cursor location to the mark "a" ('a).
6. :split second-file Open another window containing the second file. (This is the file in which the text is to be inserted.)
7. Go to the line where the insert is to occur. The text will be placed after this line.
8. p Put the text after the cursor.

For Vi Editor

The vi editor is the default file editor on most Linux/Unix machines. It can edit a file with just a few keystrokes.

Let's start with some general information and then move on to the useful things vi can do for you while editing a file.
1. Vi stands for visual.
2. Vi has variants such as vim, which stands for Vi IMproved, VimX11 for a GUI, and winvi for MS Windows.
3. Vi is the most popular editor; the next most popular editor is gedit.
4. Do you know there is a book on the vi editor from O'Reilly which is 600+ pages?
5. Some other editors which will do the job of editing files are nano, pico, gedit, emacs, joe, nedit, ed, etc.

Learning the vi editor and remembering its commands is an easy task if you learn it in a systematic way:
a. Modes of vi
b. Navigational commands
c. Editing commands
d. Search and replace
e. Saving and quitting a file

a. Modes of vi:
Vi has two modes of operation.
1. Command mode
2. Insert mode

Command mode:
Vi begins in command mode, where cursor movement (navigation in the file) and editing occur. To return to command mode from insert mode, press the Esc key.

Insert mode:
Used for entering text; this is similar to Notepad in Windows. To enter insert mode you can use any of the following.
i or I => insert on the present line
o => open a new line below the present line
O => open a new line above the present line

Note: All the commands below work in command mode only.

b. Navigational commands:
1. Character navigation: k, h, l and j
h => move one character left.
j => move one line down.
k => move one line up.
l => move one character right.

How to use the above commands in a clever way?
Examples:
6j => move 6 lines down from the present cursor position.
7k => move 7 lines up from the present cursor position.

2. Word navigation
w => one word forward.
e => one word forward, but to the end of the word.
b => one word backward.

Examples:
32w => move 32 words forward
6b => move 6 words back.

3. Setting line numbering (nu)
:set nu
Removing line numbering (nonu)
:set nonu

4. Moving by paragraph
move one paragraph up => {{
move one paragraph down => }}

5. Moving page up/down
For up => Ctrl+b
For down => Ctrl+f

6. Moving to the start/end of the file
Start of the file (first line) => [[
End of the file (last line) => ]]

7. Going to any line:
:lineno

Example:
If we want to go to line 56 then type
:56

c. Editing commands

8. Replacing one letter
Replace one letter => r
Delete one letter => x

9. Editing one word
Change one word => cw
Delete one word => dw

10. Editing one line
Delete from the cursor to the end of the line => d$

11. Cutting
Deleting (cutting) one line => dd

Examples:
2dd (deleting/cutting two lines)

12. Pasting
Paste a line below the cursor => p
Paste a line above the cursor => P

13. Copying
Copy one line => yy
Copy n lines => nyy

14. Special commands
Join lines => J
Undo => u
Repeat the previous command => .

d. Search and replace

15. Search for a term: /term

Example: If you want to search for suresh then type /suresh and press Enter
/suresh
To move to the next occurrence, press "n" (without quotes); to move to the previous occurrence, press "N" (without quotes).

16. Searching and replacing a term (here the separator is /)
:%s/searchterm/replaceterm/g
Changing the default separator
:%s_/home/surya/grade_/home/testing/dest_g

To search and replace a particular term from a given line to another given line:
:294,304s/sahana/xyz/g

e. Saving and quitting a file
:w => save the file
:q => quit the file
:wq => save and quit
:w! => force save the file
:q! => force quit without saving
:wq! => save and quit forcefully

Memory commands

How do I find out system / server memory utilization under RHEL / CentOS / any other Linux distribution?

A. You need to use the free command, which displays the total amount of free and used physical and swap memory in the system, as well as the buffers used by the kernel.
free command example

Type the free command at the shell prompt:
$ free
$ free -m
Output:

             total       used       free     shared    buffers     cached
Mem:          2010       1965         45          0        152        776
-/+ buffers/cache:       1036        974
Swap:         2047        137       1910

vmstat command

The vmstat command provides more information:
$ vmstat
Output:

procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 0  0 140480  43636 158196 797692    1    0   108   220    1    4  7  5 87  1  0

Understanding vmstat memory options

* swpd: the amount of virtual memory used.
* free: the amount of idle memory.
* buff: the amount of memory used as buffers.
* cache: the amount of memory used as cache.
* inact: the amount of inactive memory. (-a option)
* active: the amount of active memory. (-a option)

$ vmstat -a
Output:

procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free  inact  active   si   so    bi    bo   in   cs us sy id wa st
 0  1 140480  37376 109516 1730040    1    0   108   220    1    4  7  5 87  1  0

The following command displays one new line of utilization data every second
$ vmstat 1
The following command displays one new line every 2 seconds, but only for the next 10 samples (20 seconds):
$ vmstat 2 10
Output:

procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free  inact  active   si   so    bi    bo   in   cs us sy id wa st
4 0 139216 23508 130644 1723680 1 0 108 220 1 5 7 5 87 1 0
2 0 139216 23252 130668 1723816 0 0 0 410 3242 11472 9 7 84 0 0
1 0 139216 23120 130656 1724012 0 0 0 750 3280 11592 3 6 90 1 0
0 0 139216 22996 130588 1724180 0 0 0 426 3272 11052 2 5 93 0 0
2 0 139216 20988 129932 1726980 0 0 6 1146 3353 12105 14 9 74 2 0
1 0 139216 20244 129900 1727216 0 0 0 392 3238 11752 8 7 85 0 0
1 0 139216 20120 129868 1727352 0 0 0 444 3197 11173 2 5 93 0 0
1 0 139216 25964 129852 1721044 0 0 0 268 3147 9269 1 4 95 0 0
3 0 139216 25964 129748 1721196 0 0 2 132 3199 10540 1 4 95 0 0
1 0 139216 25964 129676 1721332 0 0 0 456 3213 10608 2
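The free and vmstat columns above are easy to misread: the "used" column of free includes buffers and cache that the kernel will give back, and the interesting vmstat signal is usually si/so (swap activity) rather than the free column. The following shell functions are an added example, not part of the original post; they parse constructed copies of the two outputs shown above and return the application memory really in use and the number of vmstat samples that show swapping or low idle CPU.

```shell
#!/bin/sh
# Added example (not from the original post): compute the real memory used
# from the columns printed by `free -m` and flag swap activity in vmstat output.
# Both samples below are constructed copies of the values shown in the post.

FREE_SAMPLE='             total       used       free     shared    buffers     cached
Mem:          2010       1965         45          0        152        776
-/+ buffers/cache:       1036        974
Swap:         2047        137       1910'

VMSTAT_SAMPLE='procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 4  0 139216  23508 130644 1723680    1    0   108   220    1    5  7  5 87  1  0
 2  0 139216  23252 130668 1723816    0    0     0   410 3242 11472  9  7 84  0  0
 2  0 139216  20988 129932 1726980    0    0     6  1146 3353 12105 14  9 74  2  0'

# Application memory in MB = used - buffers - cached (what the "-/+ buffers/cache"
# row reports; free -m rounds each column separately, hence a 1 MB difference).
app_used_mb() {
    printf '%s\n' "$FREE_SAMPLE" | awk '$1 == "Mem:" { print $3 - $6 - $7 }'
}

# Percentage of physical RAM really in use by applications, rounded down.
app_used_pct() {
    printf '%s\n' "$FREE_SAMPLE" | awk '$1 == "Mem:" { print int(($3 - $6 - $7) * 100 / $2) }'
}

# Number of vmstat sample rows where pages were swapped in or out (si or so > 0).
# Column 7 is si and column 8 is so; the two header rows are skipped.
swapping_rows() {
    printf '%s\n' "$VMSTAT_SAMPLE" | awk 'NR > 2 && ($7 > 0 || $8 > 0) { n++ } END { print n + 0 }'
}

# Number of rows where idle CPU (column 15, "id") fell below a threshold percentage.
busy_rows() {
    threshold=${1:-80}
    printf '%s\n' "$VMSTAT_SAMPLE" | awk -v t="$threshold" 'NR > 2 && $15 < t { n++ } END { print n + 0 }'
}

echo "application memory used: $(app_used_mb) MB ($(app_used_pct)% of RAM)"
echo "vmstat rows with swap activity: $(swapping_rows)"
echo "vmstat rows with idle CPU below 80%: $(busy_rows 80)"
```

To run the same checks against a live system, replace the two sample variables with `$(free -m)` and `$(vmstat 1 5)`; the column positions are the ones shown in the post's output.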

Free Memory on Linux at Runtime
sync
echo 3 > /proc/sys/vm/drop_caches

Display Only The Process IDs of Lighttpd

ps -C lighttpd -o pid=
OR
pgrep lighttpd
OR
pgrep -u vivek php-cgi
Display The Name of PID 55977

ps -p 55977 -o comm=

CPU COMMAND

Top 10 CPU usage command

ps -e -o pcpu,cpu,nice,state,cputime,args --sort pcpu | sed '/^ 0.0 /d'

Watch changeable data continuously

watch -n.1 'cat /proc/interrupts'

cat /proc/interrupts

Check CPU temperature
# echo `date +%b-%d-%H:%M:%S` | tr -d '\012' ; echo -n ' '; sensors | awk '/CPU Temp:/{ print $3 }'

Check which commands have been used most
# history | awk '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -rn | head -10

Linux System Monitoring Commands

#1: top – Process Activity Command

Commonly Used Hot Keys

The top command provides several useful hot keys:
Hot Key Usage
t Displays summary information off and on.
m Displays memory information off and on.
A Sorts the display by top consumers of various system resources. Useful for quick identification of performance-hungry tasks on a system.
f Enters an interactive configuration screen for top. Helpful for setting up top for a specific task.
o Enables you to interactively select the ordering within top.
r Issues renice command.
k Issues kill command.
z Turn on or off color/mono

What are the CPU states found in "top" output?
Cpu(s): 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st

# us -> User CPU time: the time the CPU has spent running users' processes that are not niced.
# sy -> System CPU time: the time the CPU has spent running the kernel and its processes.
# ni -> Nice CPU time: the time the CPU has spent running users' processes that have been niced.
# wa -> iowait: the amount of time the CPU has been waiting for I/O to complete.
# hi -> Hardware IRQ: the amount of time the CPU has been servicing hardware interrupts.
# si -> Software interrupts: the amount of time the CPU has been servicing software interrupts.
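The percentages top prints are not absolute numbers; each is the share of one state's tick count in the total ticks elapsed between two readings of the "cpu" line in /proc/stat. The script below is an added example (not from the original post) that does that arithmetic on two constructed readings, using the proc(5) field order user, nice, system, idle, iowait, irq, softirq, steal; the "st" (steal) column, which the post lists but does not describe, is included on the assumption that it is the eighth field.

```shell
#!/bin/sh
# Added example (not from the original post): derive the us/sy/ni/id/wa/hi/si/st
# percentages that top prints from two readings of the "cpu" line in /proc/stat.
# The two readings below are constructed; the field order (user nice system idle
# iowait irq softirq steal) follows proc(5).

CPU_T0='cpu  10000 200 3000 80000 500 50 150 100'
CPU_T1='cpu  10400 220 3200 81000 540 60 180 120'

# Print "label=percent" pairs for the interval between two readings.
# Usage: cpu_states "$CPU_T0" "$CPU_T1"
cpu_states() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { for (i = 2; i <= 9; i++) prev[i] = $i }
        NR == 2 {
            total = 0
            for (i = 2; i <= 9; i++) { d[i] = $i - prev[i]; total += d[i] }
            if (total <= 0) { print "error=no-ticks"; exit 1 }
            # top labels in the same order as the /proc/stat fields
            split("us ni sy id wa hi si st", name, " ")
            for (i = 2; i <= 9; i++)
                printf "%s=%.1f\n", name[i - 1], d[i] * 100 / total
        }'
}

# Percentage for one state, e.g. `cpu_state_pct id`.
cpu_state_pct() {
    cpu_states "$CPU_T0" "$CPU_T1" | awk -F= -v want="$1" '$1 == want { print $2 }'
}

cpu_states "$CPU_T0" "$CPU_T1"
```

On a live host the two readings come from `head -1 /proc/stat`, taken a few seconds apart; a persistently high "st" value means the hypervisor, not this guest, is consuming the CPU time.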

#2: vmstat – System Activity, Hardware and System Information

The command vmstat reports information about processes, memory, paging, block IO, traps, and cpu activity.

vmstat 3

Display Memory Utilization Slabinfo

# vmstat -m

Tail, Vmstat and Date in Loop, Output every 10 Sec
# vmstat 1 1;for ((;;));do date; vmstat 10 2 | tail -n1;done

#3: w – Find Out Who Is Logged on And What They Are Doing

w command displays information about the users currently on the machine, and their processes.
# w username
# w vivek

#4: uptime – Tell How Long The System Has Been Running

# uptime

#5: ps – Displays The Processes

Show Long Format Output

# ps -Al

Print All Process On The Server

# ps ax
# ps axu


Print Security Information

# ps -eo euser,ruser,suser,fuser,f,comm,label

Set Output In a User-Defined Format

ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm

ps -eopid,tt,user,fname,tmout,f,wchan

Display sorted process taking most CPU in descending order
# ps -eo pcpu,pid,user,args | sort -k 1 -r | head -10

Grep Command

Some examples of the grep command:

* Print Apache's DocumentRoot directory name:

$ grep -i documentroot /etc/httpd/conf/httpd.conf

* View file contents without comments and empty lines:

$ grep -Ev "^$|^#" /etc/my.cnf

* Print only the IP address assigned to the interface:

$ ifconfig eth0 | grep 'inet addr:' | cut -d':' -f2 | awk '{ print $1}'

* How many email messages were sent on a particular date:

$ grep "status=sent" /var/log/maillog | grep "May 25" | wc -l

* Find a running process/daemon in the process list (thanks to staranneph for recalling this):

ps -ef | grep mysql

* You can also note CPU/memory usage using the above. In the command output below, you can see that Plesk's statistics process alone is using more than 18% CPU:

[root@myserver ~]# ps aux | grep statistics
root 8183 18.4 0.0 58384 2848 ? D 04:05 3:00 /usr/l
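The two grep idioms that come up most in log review are anchoring the date so the count is not polluted by matches elsewhere in the line, and inverting the match to count what was not delivered. The script below is an added example, not part of the original post; it applies the "messages sent on a date" and "strip comments and blank lines" patterns to constructed sample input so the counts can be checked.

```shell
#!/bin/sh
# Added example (not from the original post): the "count messages sent on a
# date" and "strip comments and blank lines" grep patterns applied to
# constructed sample input.

# Constructed Postfix-style maillog lines (not from a real server).
MAILLOG='May 25 10:01:12 mx postfix/smtp[2101]: 3F1A2: to=<a@example.com>, status=sent (250 OK)
May 25 10:02:40 mx postfix/smtp[2102]: 4B2C3: to=<b@example.com>, status=bounced (550 no such user)
May 25 11:15:03 mx postfix/smtp[2107]: 5C3D4: to=<c@example.com>, status=sent (250 OK)
May 26 08:30:00 mx postfix/smtp[2210]: 6D4E5: to=<d@example.com>, status=sent (250 OK)
May 26 08:31:17 mx postfix/smtp[2211]: 7E5F6: to=<e@example.com>, status=deferred (connection timed out)'

# Constructed my.cnf-style file with comments and blank lines.
CONFIG='# MySQL client settings
[client]

port=3306
# socket=/var/lib/mysql/mysql.sock
socket=/tmp/mysql.sock
'

# Messages with status=sent on the given day, e.g. count_sent "May 25".
# The date is anchored to the start of the line so that the same string
# appearing later in a line (an address, a queue id) is not counted.
count_sent() {
    printf '%s\n' "$MAILLOG" | grep "^$1 " | grep -c "status=sent"
}

# Deliveries on that day that did NOT end in status=sent: bounces, deferrals.
count_not_sent() {
    printf '%s\n' "$MAILLOG" | grep "^$1 " | grep -vc "status=sent"
}

# Same view as `grep -Ev '^$|^#' /etc/my.cnf`: drop blank and comment lines.
strip_comments() {
    printf '%s\n' "$CONFIG" | grep -Ev '^$|^#'
}

echo "sent on May 25: $(count_sent 'May 25')"
echo "not sent on May 26: $(count_not_sent 'May 26')"
strip_comments
```

Note that `grep -c` exits with status 1 when the count is zero, so a wrapper that uses `set -e` must not treat that as an error.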

FIND Command

Find is a versatile tool which can be used to locate files and directories satisfying different user criteria. But the sheer number of options for this command line tool makes it at the same time both powerful and encumbering for the user. Here I will list a few combinations which one can use to get useful results using the find command.

Find all HTML files starting with the letter 'a' in your current directory (case sensitive):
find . -name a\*.html

Same as above but a case-insensitive search:
find . -iname a\*.html

Find files which are larger than 5 MB in size:
find . -size +5000k -type f

Here the '+' in '+5000k' indicates greater than and k is kilobytes. And the dot '.' indicates the current directory. The -type option can take any of the following values:

f - file
d - directory
l - symbolic link
c - character device
p - named pipe (FIFO)
s - socket
b - block device

… Which is all files with 0 bytes size. The option -size can take the following:

c - bytes
w - 2-byte words
k - kilobytes
b - 512-byte blocks

Note: The above command can also take the -empty parameter.

Find is very powerful in that you can combine it with other commands. For example, to find all empty files in the current directory and delete them, do the following:
find . -maxdepth 1 -type f -empty -exec rm {} \;

To search for an HTML file having the text 'Web sites' in it, you can combine find with grep as follows:
find . -type f -iname \*.html -exec grep -s "Web sites" {} \;

… the -s option in grep suppresses errors about non-existent or unreadable files. And {} is a placeholder for the files found. The semicolon ';' is escaped using a backslash so as not to be interpreted by the bash shell.

Note: You can use the -exec option to combine any command in Linux with the find command. Some of the useful things you can do with it are as follows:

Compress log files on an individual basis
find /var -iname \*.log -exec bzip2 {} \;

Find all files which belong to user lal and change their ownership to ravi
find / -user lal -exec chown ravi {} \;

Note: You can also use the xargs command instead of the -exec option as follows:
find /var -iname \*.log | xargs bzip2

Find all files which do not belong to any user:
find . -nouser

Find files which have permissions rwx for user and rw for group and others:
find . -perm 766

… and then list them.

find . -perm 766 -exec ls -l {} \;

Find all directories with the name music_files
find . -type d -iname \*music_files\*

Suppose you want to find files of size between 700k and 1000k, do the following:
find . \( -size +700k -and -size -1000k \)

And how about getting a formatted output of the above command with the size of each file listed?
find . \( -size +700k -and -size -1000k \) -exec du -hs {} \; 2>/dev/null

… here, the '2>/dev/null' means all the error messages are discarded or suppressed.

You can also limit your search by file system type. For example, to restrict the search to files residing only in NTFS and VFAT filesystems, do the following:
find / -maxdepth 2 \( -fstype vfat -or -fstype ntfs \) 2> /dev/null

To View Or List Only Directories In Linux?

How to view/list only directories in Linux?
Ans: This can be achieved in two ways
1. Through the ls command
2. Through the find command

With ls we have to use grep to get the directory listing.
ls -l | grep ^d

Example:
[root@test rmohan_a]# ls -l | grep ^d
d--------- 2 rmohan_a rmohan_a 4096 Sep 8 09:54 HTWFAIP
drwxrwxr-x 2 rmohan_a root 4096 Nov 27 12:30 LinuxCBT - RHEL5
drwxrwxr-x 2 rmohan_a root 4096 Oct 12 16:40 Software
[root@test rmohan_a]#

With find we have more control over how to display only directories.

A. To display all the directories and sub-directories in the present directory
# find . -type d

B. Displaying only directories in the present directory
# find /root/ -maxdepth 1 -type d

C. Displaying just directories in the present directory and its sub-directories
# find /root/ -maxdepth 2 -type d

* find the top 10 largest files in /var:

$ find /var -type f -ls | sort -k 7 -r -n | head -10

* find all files having size more than 5 GB in /var/log/:

$ find /var/log/ -type f -size +5120M -exec ls -lh {} \;

* find all of today's files and copy them to another directory:

$ find /home/me/files -ctime 0 -type f -print -exec cp {} /mnt/backup/ \;

* find all temp files older than a week and delete them:

$ find /temp/ -mtime +7 -type f | xargs /bin/rm -f

* find and rename all mp3 files by changing their uppercase names to lowercase:

$ find /home/me/music/ -type f -name '*.mp3' -exec rename 'y/[A-Z]/[a-z]/' '{}' \;

find mtime

find . -mtime 0 # find files modified between now and 1 day ago
# (i.e., within the past 24 hours)
find . -mtime -1 # find files modified less than 1 day ago
# (i.e., within the past 24 hours, as before)
find . -mtime 1 # find files modified between 24 and 48 hours ago
find . -mtime +1 # find files modified more than 48 hours ago

find . -mmin +5 -mmin -10 # find files modified between
# 6 and 9 minutes ago

Find Parameters

-daystart Measure times from the beginning of today rather than from 24 hours ago.
-atime The time the file was last accessed, in number of days.
-ctime The time the file's status last changed, in number of days.
-mtime The time the file was last modified, in number of days.
-amin The time the file was last accessed, in number of minutes. (It is not available on all implementations.)
-cmin The time the file's status last changed, in number of minutes. (It is not available on all implementations.)
-mmin The time the file was last modified, in number of minutes. (It is not available on all implementations.)
-type This flag describes the type of file, such as d for directories.
-user X Files belonging to user X.
-group X Files belonging to group X.
-newer X Files that are newer than file X.

Here's how to list all the files in your home directory tree that were modified exactly one hour ago:
$ find ~ -mmin 60 \! -type d

Giving a negative value for a flag means to match that number or sooner. For example, here's how to list all the files in your
home directory tree that were modified exactly one hour ago or any time since:

find ~ -mmin -60 \! -type d

$ date
Mon Oct 23 09:42:42 EDT 2006
$ touch -t 10230842 temp
$ ls -l temp
-rw-r--r-- 1 joe joe 0 Oct 23 08:42 temp
$ find ~ -newer temp \! -type d

find / -user `whoami` -daystart -atime -1 \! -type d

Give different values for the various time flags to change the search times. You can also combine flags. For instance,
you can list all the files in your home directory tree that were both accessed and modified between now and seven days ago:
find ~ -daystart -atime -7 -mtime -7 \! -type d

find /home/$1/mail/*/mail/.spam/cur -type f -mtime +7 -exec rm {} \;
find /home/$1/mail/*/mail/.spam/new -type f -mtime +7 -exec rm {} \;
find . -type f -exec grep 'NMX_FXNG_AND_CONTRACT_DBF' {} \;

Delete Empty Directories
# find folder/ -type d -empty | xargs -i -t rm -rf {}
or
# find folder/ -type d -empty -delete

DISK SPACE COMMAND

Find files based on size, sorted by size
# find / -type f -size +20000k -exec ls -lh {} \; 2> /dev/null | awk '{ print $NF ": " $5 }' | sort -nrk 2,2

MySQL Backup On Unix

A shell script is a file in which we write different commands and execute them from that single file. We could execute those commands manually, entering them one by one, but with a shell script we write them into a text file once and can then run them as many times as required.

In this article I will first show you the complete script. Later on you will get a description of that script. I assume that you know about shell scripting, mysqldump and crontab.

Operating System: Any Linux or UNIX.

Main Script (for backing up your MySQL database):

This shell script makes the backup of a database automatic. Just copy and paste this script into a text editor and put in your database user name, password, and database name. I will use the mysqldump command to back up the database. Later on you will get a description of each line.
1. Make directories named "backup" and "oldbackup"

mkdir /backup
mkdir /oldbackup

2. Now make a file named "backup.sh" and edit it with any editor you like

I'm using vi here:

# vi /backup/backup.sh

Now write these lines into the backup.sh file:
#!/bin/bash
cd /backup
echo "You are In Backup Directory"
mv backup* /oldbackup
echo "Old Databases are Moved to oldbackup folder"
Now=$(date +"%d-%m-%Y--%H:%M:%S")
File=backup-$Now.sql
mysqldump -u user-name -p'password' database-name > $File
echo "Your Database Backup Successfully Completed"

Script Description:

Remember, in line number 8: put your database username, password and database name after the mysqldump command (the password is attached directly to -p, with no space).

When we run this script, first it goes to the /backup directory. Then it moves the old database backup files to the /oldbackup folder. Next it generates a file name from the system date and time. And finally the mysqldump command generates a database backup file in ".sql" format.
3. Set permission on backup.sh to make it executable

# chmod +x /backup/backup.sh
4. Running the Script

# ./backup.sh

You will get the following output after executing the script.
root@Server1:/download# ./backup.sh
You are in Download Directory
Old Backup Database is Moved to oldbackup folder
database backup successful completed
root@Server1:/download#

NB: The first time you run this script you will get a "no such file" message, because you don't have an old backup file yet. No problem, just run the script again and the problem will be solved.
5. Schedule the Backup using cron

Using a cron job you can execute this script at a certain time, and all the work will be done automatically. Use the crontab command to edit the cron schedule.

# crontab -e

Just add the line below in the editor and save it.
0 13 * * * /backup/backup.sh

In this way every day at 1 PM your database will be backed up into your desired folder. Please see the crontab manual for more details about setting cron jobs.

This is a very basic script for beginners. Hope you can use the same idea for more complex backups. We will try to come up with new scripts to automate further. Please ask any question you have. We will try our best to address your questions. Thanks for staying with us.
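The script above works, but it has three properties a reviewer would flag: the password sits on the mysqldump command line, where any local user can read it from the process list; the previous backup is moved away before the new dump is known to have succeeded; and nothing ever prunes /oldbackup. The script below is an added example, not the post's script, that keeps the same flow (rotate, dump, report) while fixing those points: credentials come from a root-only options file via --defaults-extra-file, the dump lands in a partial file and is verified before rotation, and old dumps are pruned. Every path, the KEEP_DAYS value, the MYSQLDUMP override and the "run" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's script: the same backup flow with the weak spots
# fixed. The password is read from a root-only options file instead of the
# command line (an argument like -p'password' is visible to every local user in
# `ps`), the dump is verified before the previous backup is rotated away, and
# dumps older than KEEP_DAYS are pruned. All paths, KEEP_DAYS, the MYSQLDUMP
# override and the "run" argument are assumptions of this example.
set -eu

BACKUP_DIR=${BACKUP_DIR:-/backup}
OLD_DIR=${OLD_DIR:-/oldbackup}
CRED_FILE=${CRED_FILE:-/root/.my-backup.cnf}   # [client] section with user= and password=
DB_NAME=${DB_NAME:-database-name}
KEEP_DAYS=${KEEP_DAYS:-14}
MYSQLDUMP=${MYSQLDUMP:-mysqldump}              # overridable so the flow can be tested without a server

# Sortable file name from the clock, as in the post's Now/File variables.
backup_name() {
    printf 'backup-%s.sql.gz\n' "$(date +%Y-%m-%d_%H-%M-%S)"
}

# Refuse to run if other users can read the credentials file (GNU stat).
check_cred_perms() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Dump to a partial file first; only after it succeeds and gzip verifies it is
# the previous backup moved to OLD_DIR, so a failed run never loses the last good dump.
run_backup() {
    check_cred_perms "$CRED_FILE" || { echo "refusing: $CRED_FILE must be mode 600 or 400" >&2; return 1; }
    mkdir -p "$BACKUP_DIR" "$OLD_DIR"
    name=$(backup_name)
    raw="$BACKUP_DIR/.${name%.gz}.partial"
    if ! "$MYSQLDUMP" --defaults-extra-file="$CRED_FILE" --single-transaction "$DB_NAME" > "$raw"; then
        rm -f "$raw"
        echo "mysqldump failed; previous backup left untouched" >&2
        return 1
    fi
    [ -s "$raw" ] || { rm -f "$raw"; echo "empty dump, aborting" >&2; return 1; }
    gzip "$raw" && gzip -t "$raw.gz"
    find "$BACKUP_DIR" -maxdepth 1 -name 'backup-*.sql.gz' -exec mv {} "$OLD_DIR"/ \;
    mv "$raw.gz" "$BACKUP_DIR/$name"
    find "$OLD_DIR" -maxdepth 1 -name 'backup-*.sql.gz' -mtime +"$KEEP_DAYS" -delete
    echo "$BACKUP_DIR/$name"
}

# Only act when invoked as "backup.sh run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

The cron line then becomes `0 13 * * * /backup/backup.sh run`; the options file is created once with `chmod 600` and never appears in the process list or in shell history.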


IPTABLES Rules

Limiting Spam and Attacks
Security - Training

You can use a bridge to effectively limit spam and attacks by managing the IP ranges per country. The basis behind the thought here is that these IP address ranges probably do not need access to your network in any way, unless you are an international business. By blocking these country ranges you may be reducing spam and malware by up to 25%. In addition, in the event of a catastrophic virus outbreak you may create a window of time to secure your server by blocking these IP ranges. The following websites keep track of network subnets that are related to each country.

These websites provide the subnets for each country.

http://www.countryipblocks.net/country-blocks/cidr/

http://ip.ludost.net

Why limit IP subnets?
Some may say, "if you want a global business you need to allow access to your server from anywhere." If you have ever run a mail server and seen that 70-85% of all email is spam you may reconsider that. If you have ever run a web server and seen scripting attacks from locations you cannot pronounce, let alone speak their language, you may reconsider. The fact is, there are a lot of attacks on your infrastructure and if you do not take steps to protect it you will lose it. Blocking country subnets may not stop those who use proxies and it will certainly not stop the guy down the street on your subnet... but it will make a difference and you will notice it within the hour.

Implementing these restrictions will require you to add statements to your iptables rules in order to specifically drop subnets. The good thing about doing this from a bridge firewall is that you will do this once for the whole network. From the command line you will need to add a line to indicate the subnet source that you want to drop on the INPUT chain. Here is an example that drops the subnet 201.0.0.0/8. Remember that the bridge only uses the FORWARD chain, so this must be reflected in your rules.

iptables -A FORWARD -s 201.0.0.0/8 -j DROP

As an alternative you may want to limit access from such countries to port 80 only. This line will drop all attempts from the subnet 201.0.0.0/8 to reach any port except port 80.
iptables -A FORWARD -s 201.0.0.0/8 -p tcp ! --dport 80 -j DROP

Add A Script

When you view the number of subnets to work with you will realize that writing rules by hand will get to be a lot of work. What you can do is create a file called banned, place it in your /etc/ directory, and then add this script to your firewall to read the "banned" file.

##########################################
# BLOCK COUNTRY ATTACKS
BADIP=/etc/banned
BANNED=$( grep -v -E "^#" $BADIP )
for ip in $BANNED
do
iptables -A INPUT -p tcp -s $ip -j DROP
iptables -A FORWARD -p tcp -s $ip -j DROP
done

The /etc/banned file will look like this:

24.190.78.101
58.0.0.0/8
59.32.0.0/13
59.40.0.0/15
59.42.0.0/16
59.43.0.0/16
59.44.0.0/14
59.48.0.0/16
59.49.0.0/17
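The loop above trusts every non-comment line in /etc/banned: a typo such as a stray character or a /33 prefix makes iptables abort mid-list, leaving the firewall with half the block list loaded, and because the rules are added one at a time the list is never applied atomically. The script below is an added example, not the post's script: it validates each entry as an IPv4 address or CIDR block, reports and skips bad lines, and emits the rules in iptables-restore format so the whole list is loaded in one transaction. It also drops all protocols rather than only TCP, which is what "block the subnet" means in the text above. The sample list, the BANNED_FILE name and the chain names are assumptions.

```shell
#!/bin/sh
# Added example (not the post's script): build the country-block rules from a
# banned-list file, validating every entry first and emitting them in
# iptables-restore format so the whole set loads atomically. The sample list
# is constructed; the chain names are assumptions.

BANNED_SAMPLE='# constructed sample of /etc/banned
24.190.78.101
58.0.0.0/8
59.32.0.0/13

59.40.0.0/15
not-an-address
300.1.1.1/8
59.42.0.0/33'

# Accept only dotted-quad IPv4 addresses with an optional /0-/32 prefix.
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { exit 0 }'
}

# Print INPUT and FORWARD drop rules for one list. Comments and blank lines
# are skipped; invalid entries are reported on stderr and left out rather
# than being passed to iptables where they would abort the load.
build_rules() {
    printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)' | while IFS= read -r ip; do
        if valid_cidr "$ip"; then
            printf '%s\n' "-A INPUT -s $ip -j DROP" "-A FORWARD -s $ip -j DROP"
        else
            echo "skipping invalid entry: $ip" >&2
        fi
    done
}

# Wrap the rules in a filter-table stanza; loading it with
# `iptables-restore --noflush` appends the rules without touching other chains.
restore_stanza() {
    echo '*filter'
    build_rules "$1" 2>/dev/null
    echo 'COMMIT'
}

rule_count()    { build_rules "$1" 2>/dev/null | wc -l | tr -d ' '; }
invalid_count() { build_rules "$1" 2>&1 >/dev/null | wc -l | tr -d ' '; }

restore_stanza "$BANNED_SAMPLE"
```

In production, read the file with `build_rules "$(cat /etc/banned)"` and pipe `restore_stanza` into `iptables-restore --noflush`; because the rules are appended, they must be loaded before the ACCEPT rules for your services or they will never be reached.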

Prevent SYN packet flooding (SYN flood)
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
It can also be written as
# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
--limit 1/s limits SYN packets to one per second; the number can be modified according to your needs
Prevent all forms of port scans
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping flood attacks (Ping of Death)
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

Linux IPTables: Incoming and Outgoing Rule Examples (SSH and HTTP)

# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 3. Allow incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 4. Allow incoming HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# 5. Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming SSH, HTTP and HTTPS with a single multiport rule
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

Load Balance Incoming Web Traffic with iptables

You can also load balance your incoming web traffic using iptables firewall rules.
This uses the iptables nth extension. The following example load balances HTTPS traffic across three different IP addresses. Every third packet is sent to the corresponding server (using counter 0).

iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

12. Allow Ping from Outside to Inside
The following rules allow outside users to ping your servers.

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

13. Allow Ping from Inside to Outside
The following rules allow you to ping any of the outside servers from inside.

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

14. Allow Loopback Access
You should allow full loopback access on your servers, i.e. access using 127.0.0.1.

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

16. Allow outbound DNS
The following rules allow outgoing DNS connections.

iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

Allow Rsync From a Specific Network
The following rules allow rsync only from a specific network.

iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

19. Allow MySQL connection only from a specific network
If you are running MySQL, typically you don't want to allow direct connections from outside. In most cases, you might have the web server running on the same server where the MySQL database runs.
However, DBAs and developers might need to log in directly to MySQL from their laptops and desktops using a MySQL client. In that case, you might want to allow your internal network to talk to MySQL directly as shown below.

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

Prevent DoS Attack

The following iptables rule will help you prevent a Denial of Service (DoS) attack on your web server.

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

Force SYN packets check

Make sure NEW incoming TCP connections are SYN packets; otherwise drop them:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Force fragmented packets check

Drop incoming fragmented packets. Such packets can result in a Linux server panic and data loss.

iptables -A INPUT -f -j DROP

XMAS packets

Drop incoming malformed XMAS packets:

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Drop all NULL packets

Drop incoming malformed NULL packets:

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
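The rules in this section are shown one at a time, and their effect depends entirely on order: a rate-limit ACCEPT only limits anything if a DROP for the same traffic follows it, and the XMAS/NULL/fragment drops only fire if they come before the service ACCEPTs. The generator below is an added example, not from the original post, that assembles the post's rules into a single iptables-restore file in an order that makes each of them effective. It simplifies the per-port --sport ESTABLISHED pairs into one ESTABLISHED,RELATED rule per chain; the interface name, the trusted network and the port list are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the post's rules assembled into
# one iptables-restore file in an order that makes them effective. The
# rate-limit ACCEPTs are followed by a matching DROP (without it they limit
# nothing), and the malformed-packet drops precede the service ACCEPTs.
# Interface, trusted network and ports are assumptions.

IFACE=${IFACE:-eth0}
ADMIN_NET=${ADMIN_NET:-192.168.100.0/24}

ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# 1. loopback and already-established traffic first (most frequent, cheapest)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 2. malformed packets: fragments, XMAS, NULL, and NEW connections that are not SYN
-A INPUT -f -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# 3. rate-limited services: each ACCEPT is a limit only because a DROP follows it
-A INPUT -i $IFACE -p tcp --dport 80 -m state --state NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 80 -m state --state NEW -j DROP
-A INPUT -i $IFACE -p tcp --dport 22 -m state --state NEW -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 22 -m state --state NEW -j DROP
-A INPUT -i $IFACE -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i $IFACE -p tcp -s $ADMIN_NET --dport 3306 -m state --state NEW -j ACCEPT
# 4. ICMP echo, rate limited as in the post, then dropped
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
# 5. outbound: DNS, SSH and HTTP(S) originated by this host, plus ping
-A OUTPUT -o $IFACE -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $IFACE -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Line number of the first rule matching a pattern (0 if absent); lets the
# ordering be checked without loading anything into the kernel.
rule_line() {
    n=$(ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

ruleset
```

Save the output to a file and check it with `iptables-restore --test < rules.v4` before loading; because the OUTPUT policy is DROP, test from a console session rather than over SSH the first time.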

Bind Configuration in Chroot Environment
Written by Babar Zahoor

Dated: 12-01-2010

Purpose: Configuration of a DNS (Bind) server in a chroot environment.

OS: CentOS 5.4 x86_64

-------------------------------------
Please install the bind packages
-------------------------------------

[root@ns1 ~]# yum install bind bind-utils bind-*
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* addons: virror.hanoilug.org
* extras: ftp.hostrino.com
* updates: ftp.hostrino.com
addons                                                   |  951 B     00:00
extras                                                   | 1.1 kB     00:00
ftp                                                      | 2.1 kB     00:00
updates                                                  | 1.9 kB     00:00
updates/primary_db                                       | 444 kB     00:00
Setting up Install Process
Package 30:bind-9.3.6-4.P1.el5_4.1.x86_64 already installed and latest version
Package 30:bind-utils-9.3.6-4.P1.el5_4.1.x86_64 already installed and latest version
Package 30:bind-sdb-9.3.6-4.P1.el5_4.1.x86_64 already installed and latest version
Package 30:bind-chroot-9.3.6-4.P1.el5_4.1.x86_64 already installed and latest version
Package 30:bind-devel-9.3.6-4.P1.el5_4.1.x86_64 already installed and latest version
Package 30:bind-devel-9.3.6-4.P1.el5_4.1.i386 already installed and latest version
Package 30:bind-libs-9.3.6-4.P1.el5_4.1.x86_64 already installed and latest version
Package 30:bind-libs-9.3.6-4.P1.el5_4.1.i386 already installed and latest version
Package 30:bind-9.3.6-4.P1.el5_4.1.x86_64 already installed and latest version
Package 30:bind-utils-9.3.6-4.P1.el5_4.1.x86_64 already installed and latest version
Package 30:bind-libbind-devel-9.3.6-4.P1.el5_4.1.x86_64 already installed and latest version
Package 30:bind-libbind-devel-9.3.6-4.P1.el5_4.1.i386 already installed and latest version
Nothing to do

———————————————-
Please Configure Static IP and Default Gateway
———————————————-

[root@ns1 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.1.100
NETMASK=255.255.255.0
ONBOOT=yes
HWADDR=00:16:36:73:7e:4f

wq!

[root@ns1 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:36:73:7E:4F
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::216:36ff:fe73:7e4f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1641 errors:0 dropped:0 overruns:0 frame:0
TX packets:950 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:192907 (188.3 KiB) TX bytes:117111 (114.3 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:105 errors:0 dropped:0 overruns:0 frame:0
TX packets:105 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10213 (9.9 KiB) TX bytes:10213 (9.9 KiB)

[root@ns1 ~]#
[root@ns1 ~]# vi /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=dns.companydns.org
GATEWAY=192.168.1.1

wq!

——————————————————————————————————————–
Now we are going to configure the named service. Copy the file contents below and modify them to match your network settings.
——————————————————————————————————————–

[root@ns1 ~]#
[root@ns1 ~]# cd /var/named/chroot/
[root@ns1 chroot]# ll
total 24
drwxr-x— 2 root named 4096 Dec 1 00:00 dev
drwxr-x— 2 root named 4096 Jan 4 04:42 etc
dr-xr-xr-x 85 root root 0 Jan 11 22:41 proc
drwxr-x— 6 root named 4096 Dec 1 00:00 var
[root@ns1 chroot]#

——————————-
Now create the main configuration file, named.conf
——————————-

[root@ns1 chroot]# vi etc/named.conf

options
{
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";

};

zone "." IN {
type hint;
file "named.root";
};

zone "localhost" IN {
type master;
file "localhost.fwd";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "localhost.rev";
allow-update { none; };
};

zone "companydns.org" IN {
type master;
file "companydns.org.fwd";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "companydns.org.rev";
allow-update { none; };
};

wq!

[root@ns1 chroot]# cd var/named

[root@ns1 named]#

————————–
Now create named.root file
————————–

[root@ns1 named]#

First we configure the named.root file, which lists the root DNS servers (the hint zone)

[root@ns1 named]# vi named.root
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
B.ROOT-SERVERS.NET. 6D IN A 192.228.79.201
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
L.ROOT-SERVERS.NET. 6D IN A 199.7.83.42
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33

wq!

———————————————————————————————————————————-
Now create the zone db files one by one. localhost.fwd and localhost.rev are mandatory; then create the forward and reverse zone files for your own network.
———————————————————————————————————————————-

[root@ns1 named]# vi localhost.fwd
$ORIGIN localhost.
$TTL 86400
@ IN SOA ns1.companydns.org. hostmaster.companydns.org. (
20100104 ; Serial number
3H ; Refresh every 3 hours
15M ; Retry after 15 minutes
1W ; Expire after 1 week
1D ) ; Minimum (negative caching) TTL 1 day

@ IN NS dns.companydns.org.

localhost. IN A 127.0.0.1

wq! ##### Save the file after copying the content from here. #####

[root@ns1 named]# vi localhost.rev
$ORIGIN 0.0.127.in-addr.arpa.
$TTL 86400
@ IN SOA ns1.companydns.org. hostmaster.companydns.org. (
20100104 ; Serial number
3H ; Refresh every 3 hours
15M ; Retry after 15 minutes
1W ; Expire after 1 week
1D ) ; Minimum (negative caching) TTL 1 day

@ IN NS ns1.companydns.org.

1.0.0.127.in-addr.arpa. IN PTR localhost.

wq!

[root@ns1 named]# vi companydns.org.fwd
$ORIGIN companydns.org.
$TTL 86400
@ IN SOA ns1.companydns.org. hostmaster.companydns.org. (
20100104 ; Serial number
3H ; Refresh every 3 hours
15M ; Retry after 15 minutes
1W ; Expire after 1 week
1D ) ; Minimum (negative caching) TTL 1 day

@ IN NS ns1.companydns.org.

ns1.companydns.org. IN A 192.168.1.100
ftp.companydns.org. IN A 192.168.1.101
www.companydns.org. IN A 192.168.1.102
client3.companydns.org. IN A 192.168.1.103
client4.companydns.org. IN A 192.168.1.104

wq!

[root@ns1 named]# vi companydns.org.rev
$ORIGIN 1.168.192.in-addr.arpa.
$TTL 86400
@ IN SOA ns1.companydns.org. root.companydns.org. (
20100104 ; Serial number
3H ; Refresh every 3 hours
15M ; Retry after 15 minutes
1W ; Expire after 1 week
1D ) ; Minimum (negative caching) TTL 1 day

@ IN NS ns1.companydns.org.

100.1.168.192.in-addr.arpa. IN PTR ns1.companydns.org.
101.1.168.192.in-addr.arpa. IN PTR ftp.companydns.org.
102.1.168.192.in-addr.arpa. IN PTR www.companydns.org.
103.1.168.192.in-addr.arpa. IN PTR client3.companydns.org.
104.1.168.192.in-addr.arpa. IN PTR client4.companydns.org.

wq!
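A forward and a reverse zone drift apart easily (a PTR that names a different host than the matching A record). The following is an added shell check, not part of the original write-up, that cross-checks the two zone files with awk; it assumes fully qualified owner names on both sides, as in the files above, and the sample zones it creates are constructed.

```shell
#!/bin/sh
# Added check (not part of the original write-up): cross-check a BIND forward
# zone against its reverse zone. Every "name. IN A a.b.c.d" record should have
# a matching "d.c.b.a.in-addr.arpa. IN PTR name." record and vice versa.
# Assumes fully qualified names on both sides, as in the zone files above.
# Usage: zone_crosscheck forward.zone reverse.zone
# Prints one line per mismatch; exit status 0 if the zones agree, 1 if not.
zone_crosscheck() {
    awk '
        # first file (forward zone): remember A records as name -> ip
        FNR == NR { if ($2 == "IN" && $3 == "A") a[$1] = $4; next }
        # second file (reverse zone): rebuild the dotted IP from the PTR owner
        $2 == "IN" && $3 == "PTR" {
            split($1, o, ".")
            ptr[o[4] "." o[3] "." o[2] "." o[1]] = $4
        }
        END {
            bad = 0
            for (n in a) {
                if (!(a[n] in ptr))      { print "A " n " -> " a[n] ": no PTR record"; bad = 1 }
                else if (ptr[a[n]] != n) { print "A " n " -> " a[n] ": PTR says " ptr[a[n]]; bad = 1 }
            }
            for (ip in ptr) {
                hit = 0
                for (n in a) if (a[n] == ip) hit = 1
                if (!hit) { print "PTR " ip " -> " ptr[ip] ": no A record"; bad = 1 }
            }
            exit bad
        }' "$1" "$2"
}

# Constructed sample zones with a deliberate mismatch: the forward zone maps
# .103 to client3 while the reverse zone maps it back to client1.
ZC_DIR=$(mktemp -d)
cat > "$ZC_DIR/companydns.org.fwd" <<'EOF'
$ORIGIN companydns.org.
$TTL 86400
@ IN NS ns1.companydns.org.
ns1.companydns.org. IN A 192.168.1.100
www.companydns.org. IN A 192.168.1.102
client3.companydns.org. IN A 192.168.1.103
EOF
cat > "$ZC_DIR/companydns.org.rev" <<'EOF'
$ORIGIN 1.168.192.in-addr.arpa.
$TTL 86400
@ IN NS ns1.companydns.org.
100.1.168.192.in-addr.arpa. IN PTR ns1.companydns.org.
102.1.168.192.in-addr.arpa. IN PTR www.companydns.org.
103.1.168.192.in-addr.arpa. IN PTR client1.companydns.org.
EOF
zone_crosscheck "$ZC_DIR/companydns.org.fwd" "$ZC_DIR/companydns.org.rev" || echo "zones disagree"
rm -rf "$ZC_DIR"
```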

[root@ns1 ~]# vi /etc/resolv.conf
search companydns.org
nameserver 192.168.1.100

wq!

—————————————————————–
Configuration is done; now start the named service via /etc/init.d/named
—————————————————————–

[root@ns1 ~]# /etc/init.d/named start
Starting named: [ OK ]
[root@ns1 ~]# dig yahoo.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.1 <<>> yahoo.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46559
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 2

;; QUESTION SECTION:
;yahoo.com. IN A

;; ANSWER SECTION:
yahoo.com. 21600 IN A 209.191.93.53
yahoo.com. 21600 IN A 69.147.114.224
yahoo.com. 21600 IN A 209.131.36.159

;; AUTHORITY SECTION:
yahoo.com. 172800 IN NS ns1.yahoo.com.
yahoo.com. 172800 IN NS ns2.yahoo.com.
yahoo.com. 172800 IN NS ns3.yahoo.com.
yahoo.com. 172800 IN NS ns4.yahoo.com.
yahoo.com. 172800 IN NS ns5.yahoo.com.
yahoo.com. 172800 IN NS ns6.yahoo.com.
yahoo.com. 172800 IN NS ns8.yahoo.com.

;; ADDITIONAL SECTION:
ns6.yahoo.com. 172800 IN A 202.43.223.170
ns8.yahoo.com. 172800 IN A 202.165.104.22

;; Query time: 643 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Tue Jan 12 03:01:01 2010
;; MSG SIZE rcvd: 233

[root@ns1 ~]#

--------------------------------------------------
Now please open the ports for the named server to the network
--------------------------------------------------

[root@ns1 ~]# iptables -A INPUT -p tcp -m multiport --dport 53,953 -j ACCEPT
[root@ns1 ~]# iptables -A INPUT -p udp -m multiport --dport 53,953 -j ACCEPT
[root@ns1 ~]#
[root@ns1 ~]# /etc/init.d/iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@ns1 ~]#
[root@ns1 ~]# dig ns1.companydns.org

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.1 <<>> ns1.companydns.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29732
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.companydns.org. IN A

;; ANSWER SECTION:
ns1.companydns.org. 86400 IN A 192.168.1.100

;; AUTHORITY SECTION:
companydns.org. 86400 IN NS ns1.companydns.org.

;; Query time: 1 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Tue Jan 12 03:13:33 2010
;; MSG SIZE rcvd: 66

[root@ns1 ~]#
[root@ns1 ~]# dig www.companydns.org

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.1 <<>> www.companydns.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10800
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.companydns.org. IN A

;; ANSWER SECTION:
www.companydns.org. 86400 IN A 192.168.1.102

;; AUTHORITY SECTION:
companydns.org. 86400 IN NS ns1.companydns.org.

;; ADDITIONAL SECTION:
ns1.companydns.org. 86400 IN A 192.168.1.100

;; Query time: 1 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Tue Jan 12 03:14:09 2010
;; MSG SIZE rcvd: 86

[root@ns1 ~]#

VSFTP

CentOS 6

vsftpd 2.2.2

su – root

yum install vsftpd

cd /etc/vsftpd/

vi vsftpd.conf

anonymous_enable=NO (this is set to YES by default)

local_enable=YES (this is set to NO by default; change it when you want local users to have FTP access)

xferlog_enable=YES (this is set to NO by default; your logs will be written to /var/log/xferlog)

Most Linux distributions have SELinux installed by default, and it produces an error when the installer does not take care of the SELinux policies. The error is as follows:

500 OOPS: cannot change directory:/home/someuser

vi /etc/selinux/config

SELINUX=disabled

Setting SELinux for ftp access:

getsebool -a | grep ftp

setsebool -P ftp_home_dir on

chkconfig –levels 345 vsftpd on

service vsftpd start

The virtual users' home folders will be under /var/ftp/. You need either 'su' permissions, 'root' access or 'sudo' access.

As authentication will be required, pam_userdb is a good option and is installed by default. Check with:

yum info db4-utils

yum install db4-utils as necessary

Now cd to /etc/vsftpd and prepare the .txt user file with the usernames and passwords.
This file will have a username in single line and the password in the next as shown. It is good practice to put these in a separate folder.

cd /etc/vsftpd
mkdir vuser
cd vuser
vim vuser_list

sudhakar
password1
bellamkonda
password2

db_load -T -t hash /etc/vsftpd/vuser/vuser_list /etc/vsftpd/vuser/vuser_db.db

cd /etc/pam.d/
vi vsftpd

auth sufficient pam_userdb.so db=/etc/vsftpd/vuser/vuser_db
account sufficient pam_userdb.so db=/etc/vsftpd/vuser/vuser_db

vi /etc/vsftpd/vsftpd.conf

# activate the virtual users
guest_enable=YES
# virtual users have local privileges
virtual_use_local_privs=YES
user_sub_token=$USER
# specifies a home directory for each virtual user
local_root=/var/ftp/vuser/$USER
# restrict the user to the FTP area and home dirs only
chroot_local_user=YES

Note that vsftpd only accepts comments on lines that start with #; a comment after a value on the same line is read as part of the value and makes the daemon refuse to start.

Create the Virtual User Folders

cd /var/ftp
mkdir vuser
mkdir vuser/sudhakar
mkdir vuser/bellamkonda
chown -R ftp:ftp /var/ftp/vuser/

To give an existing local user a directory in the same tree:

cd /var/ftp/vuser/
mkdir yourlocaluser
chown ftp:ftp yourlocaluser

ln -s /var/ftp/vuser/yourlocaluser /home/yourlocaluser/ftphome

service vsftpd start
service vsftpd restart

cd /etc/vsftpd
mkdir vuser

vuserchk – checks that the files and folders these scripts need are present
vuser.conf – the file containing configuration parameters for these scripts
vuseradd – adds a virtual user
vuserdel – deletes a virtual user
vuserres – restores a deleted user
vuserpas – changes a virtual user password
vusersho – displays the user password

vsftpd SSL

yum install vsftpd

openssl req -x509 -nodes -days 365 -newkey rsa:1024 \
-keyout /etc/vsftpd/vsftpd.pem \
-out /etc/vsftpd/vsftpd.pem

Configure vsftpd

To configure vsftpd you edit the file /etc/vsftpd/vsftpd.conf and add the following lines:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem

/etc/rc.d/init.d/vsftpd restart

CentOS Linux FTP Server

FTP Security – Chroot / Jail user (limiting user to own their home directory only)

A local-account FTP user has the right to change to any directory outside their /home/user by default, so they can browse any file in any directory on the FTP server. Take a close look at the example below. The user james browses the /etc/sysconfig/networking directory and learns that it contains two directories, devices and profiles. If james has rights on files outside his /home directory (group rights, for example), he can simply download them.
C:\>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): james
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 “/home/james”
ftp> cd /etc/sysconfig/networking
250 Directory successfully changed.
ftp> pwd
257 “/etc/sysconfig/networking”
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
devices
profiles
226 Directory send OK.
ftp: 19 bytes received in 0.00Seconds 19.00Kbytes/sec.
ftp> bin
200 Switching to Binary mode.
ftp> cd devices
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
ifcfg-eth0
ifcfg-eth0.bak
ifcfg-eth1
ifcfg-eth1.bak
226 Directory send OK.
ftp: 56 bytes received in 0.00Seconds 28.00Kbytes/sec.
ftp> get ifcfg-eth0
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ifcfg-eth0 (117 bytes).
226 File send OK.
ftp: 117 bytes received in 0.00Seconds 117.00Kbytes/sec.

Thus, it is always recommended to jail/restrict FTP users' access to their own /home/user directory only.

Step1: Editing /etc/vsftpd/vsftpd.conf.

Option A: chroot all local user

If you add chroot_local_user=YES, all local users are chroot()'ed (jailed) to their /home/user directory. Go to the last line and add the line:
vim /etc/vsftpd/vsftpd.conf

chroot_local_user=YES

Option B: chroot only selected users

If you want only selected FTP users restricted to their home directory, uncomment (delete the # sign at) lines 94 and 96. If chroot_local_user=YES was previously added, make sure it is removed from your vsftpd.conf file, otherwise the list becomes a list of users NOT to chroot.
vim /etc/vsftpd/vsftpd.conf

91 # You may specify an explicit list of local users to chroot() to their home
92 # directory. If chroot_local_user is YES, then this list becomes a list of
93 # users to NOT chroot().
94 chroot_list_enable=YES
95 # (default follows)
96 chroot_list_file=/etc/vsftpd/chroot_list

Step2 (if you selected option B above): create a file named chroot_list under /etc/vsftpd/

In the following example we create chroot_list and put the user james in the list:
cd /etc/vsftpd/

vim chroot_list

james

Step3: Restart vsFTPD services
service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
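The meaning of chroot_list flips depending on chroot_local_user (exceptions in Option A, the jailed set in Option B), which is easy to get wrong in a review. The following is an added shell helper, not part of the original page, that reads a vsftpd.conf and reports whether a given user will be jailed; it assumes key=value lines and, when chroot_list_file is unset, vsftpd's compiled-in default path /etc/vsftpd.chroot_list. The sample configs and list it creates are constructed.

```shell
#!/bin/sh
# Added helper (not part of the original page): given a vsftpd.conf and a
# local user name, say whether vsftpd will chroot() that user, using the
# semantics from Option A / Option B above:
#   chroot_local_user=YES -> everyone jailed, chroot_list_file = exceptions
#   chroot_local_user=NO  -> only users in chroot_list_file are jailed
#                            (and only when chroot_list_enable=YES)
# Assumes key=value lines; comments only on lines starting with '#'.

vsftpd_option() {   # vsftpd_option CONF KEY DEFAULT  -> value (last match wins)
    v=$(grep -v '^[[:space:]]*#' "$1" |
        awk -F= -v k="$2" '$1 == k { val = $2 } END { print val }')
    [ -n "$v" ] && echo "$v" || echo "$3"
}

vsftpd_is_chrooted() {   # vsftpd_is_chrooted CONF USER -> prints jailed|free, exit 0 if jailed
    conf="$1"; user="$2"
    all=$(vsftpd_option "$conf" chroot_local_user NO)
    listed=$(vsftpd_option "$conf" chroot_list_enable NO)
    # vsftpd's compiled-in default list path (assumption noted in the lead-in)
    listfile=$(vsftpd_option "$conf" chroot_list_file /etc/vsftpd.chroot_list)
    inlist=no
    if [ "$listed" = YES ] && [ -f "$listfile" ] && grep -qx "$user" "$listfile"; then
        inlist=yes
    fi
    if [ "$all" = YES ]; then
        [ "$inlist" = yes ] && r=free || r=jailed      # list holds the exceptions
    else
        [ "$inlist" = yes ] && r=jailed || r=free      # list holds the jailed users
    fi
    echo "$r"; [ "$r" = jailed ]
}

# Constructed sample: the chroot_list from Step2 plus one config per option.
V_DIR=$(mktemp -d)
printf 'james\n' > "$V_DIR/chroot_list"
# Option B: chroot_local_user left at its default (NO), list enabled
printf 'local_enable=YES\nchroot_list_enable=YES\nchroot_list_file=%s/chroot_list\n' \
    "$V_DIR" > "$V_DIR/optionB.conf"
# Option A with the same list still enabled: the list now means "do NOT jail"
{ echo chroot_local_user=YES; cat "$V_DIR/optionB.conf"; } > "$V_DIR/optionA.conf"
for u in james alice; do
    echo "Option B, $u: $(vsftpd_is_chrooted "$V_DIR/optionB.conf" "$u")"
    echo "Option A + list, $u: $(vsftpd_is_chrooted "$V_DIR/optionA.conf" "$u")"
done
rm -rf "$V_DIR"
```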