GRUB 2's ability to fix boot problems is greatly improved over the original GRUB bootloader. This article describes the options available for repairing GRUB 2 boot issues and gives specific instructions on how to use the GRUB 2 terminal. The instructions are written for GRUB 2.
How does it look?
There are basically three messages, errors or screen modes that you can see when GRUB fails to boot.
grub: This is the screen mode you see when GRUB has found everything except the configuration file. This file will probably be grub.conf.
grub rescue: This is the mode when GRUB 2 is unable to find the grub folder or its contents are missing/corrupted. The GRUB 2 folder contains the menu, modules and stored environmental data.
GRUB: Just “GRUB” nothing else indicates GRUB 2 failed to find even the most basic information needed to boot the system.
These are the basic errors that we see at boot, although a few more can appear on the screen, such as a frozen splash screen, Busybox or Initramfs: GRUB 2 began….
Each of the GRUB 2 failure modes can be corrected either from the GRUB 2 terminal or from the Live boot CD or DVD of the distro; there are also 3rd party rescue tools available.
Basic Commands available.
These are the commands that can be used when you enter the GRUB 2 terminal mode by pressing “c”.
boot (Initiate the boot, also F10 or CTRL-x)
cat (view the contents of config or txt files; cat (hd0,1)/boot/grub/grub.cfg)
configfile (Load a GRUB 2 configuration file such as grub.cfg; configfile (hd0,5)/boot/grub/grub.cfg.)
initrd (Loads the initrd.img, necessary for booting; initrd (hd0,5)/initrd.img.)
insmod (Loads a module; insmod (hd0,5)/boot/grub/normal.mod, or insmod normal.)
linux (Loads the kernel; linux /vmlinuz root=(hd0,5) ro.)
loopback (Mount a file as a device; loopback loop (hd0,2)/iso/my.iso.)
ls (lists the contents of a partition/folder; ls, ls /boot/grub, ls (hd0,5)/, ls (hd0,5)/boot.)
lsmod (List loaded modules.)
normal (Activate the normal module, if loaded.)
search (Search for a device. Type help search for the available options.)
set (Review current settings, or set XXX to set a variable such as colors, prefix, root.)
vbeinfo (Display GRUB 2 available resolutions.)
The Rescue Shell.
If you get a rescue shell, this usually means that GRUB failed to load the “normal” module for some reason. It may be possible to work around this temporarily: for instance, if the reason for the failure is that “prefix” is wrong (perhaps it refers to the wrong device, or perhaps the path to “/boot/grub” was not correctly made relative to the device), then you can correct this and enter normal mode manually.
Inspect the current prefix (and other preset variables):
set
You will probably have an output more or less like this:
Your output may differ but you get the information required. Find out which devices are available:
ls
Set to the correct value, which might be something like this:
set prefix=(hd0,1)/grub
(this has to be done according to your own drive name)
set root=(hd0,1)
(this has to be performed according to your own drive name.)
insmod normal
normal
The above commands will get you out of rescue mode and into the normal terminal mode, where more commands are available, with increased functionality.
After the above commands you can go ahead and carry out the rest of the steps.
insmod linux
linux /vmlinuz root=/dev/sdXY ro
(if this doesn’t work try this)
linux /boot/vmlinuz-3.2.0-14-generic root=/dev/sda1 ro
(optional)
initrd /initrd.img
(Selects the initrd image.)
boot
After Booting in to the system.
Update the grub config file.
sudo update-grub
Reinstallation of grub on the device:
sudo grub-install /dev/sdX
This should do the trick for the rescue part, and your system should be up and running. If not, you can save yourself the trouble by using Boot Repair, a tool used to repair your complete boot menu. It can be downloaded directly and used as a Live Boot CD or DVD. Here is the download link.
Fail2Ban is used to protect servers against brute force attacks. Fail2ban uses iptables to block attackers, so if we want an IP address to be permanently allowed and never blocked, we must add it in the config file.
First, edit the config file :
vi /etc/fail2ban/jail.conf
Then, check the line :
ignoreip =
Now add all the IPs you want. Each IP or IP range must be placed here, separated by a space. Ex: 192.168.0.1 192.168.5.0/32
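Every entry on the ignoreip line is exempt from banning, so a mistyped address or an overly wide range deserves a review before Fail2Ban is reloaded. The script below is an added example, not part of the original post or of Fail2Ban: it reports how many addresses each IPv4 entry exempts and flags invalid or broad ones. The function names and the MAX_HOSTS threshold are assumptions, and hostnames and IPv6 entries are reported as invalid by this IPv4-only check.

```shell
#!/bin/sh
# Added example: audit the IPv4 entries of a Fail2Ban ignoreip setting.
# MAX_HOSTS is an assumed review threshold, not a Fail2Ban option.
MAX_HOSTS=${MAX_HOSTS:-256}

# check_entry ADDR[/PREFIX] -> prints "<ok|broad|invalid> <entry> <addresses exempted>"
check_entry() {
    entry=$1
    addr=${entry%%/*}
    prefix=32
    case $entry in */*) prefix=${entry#*/} ;; esac
    # Only digits and dots in the address; prefix is a plain number 0..32.
    case $addr in ''|*[!0-9.]*) echo "invalid $entry 0"; return 1 ;; esac
    case $prefix in ''|*[!0-9]*|0?*) echo "invalid $entry 0"; return 1 ;; esac
    [ "$prefix" -le 32 ] || { echo "invalid $entry 0"; return 1; }
    # Split on dots: exactly four octets, each 0..255.
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "invalid $entry 0"; return 1; }
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || { echo "invalid $entry 0"; return 1; }
    done
    hosts=$(( 1 << (32 - prefix) ))
    if [ "$hosts" -gt "$MAX_HOSTS" ]; then
        echo "broad $entry $hosts"
    else
        echo "ok $entry $hosts"
    fi
}

# audit_ignoreip: reads jail configuration text on stdin, checks every entry
# of the last single-line "ignoreip =" setting, returns 1 if any is invalid.
audit_ignoreip() {
    value=$(sed -n 's/^[[:space:]]*ignoreip[[:space:]]*=//p' | tail -n 1)
    rc=0
    set -f                      # entries are data, never glob patterns
    for e in $value; do
        check_entry "$e" || rc=1
    done
    set +f
    return $rc
}

# Constructed sample: the page's two entries plus one broad and one mistyped entry.
SAMPLE_CONF='[DEFAULT]
ignoreip = 192.168.0.1 192.168.5.0/32 10.0.0.0/8 192.168.0.300'
printf '%s\n' "$SAMPLE_CONF" | audit_ignoreip || true
```

To check the real file, run `audit_ignoreip < /etc/fail2ban/jail.conf`. Note that 192.168.5.0/32 covers exactly one address, not a range.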
How to create a jailed ssh user with Jailkit on Debian Wheezy
This document describes how to install and configure Jailkit on a Debian Wheezy server. Jailkit is a set of utilities to limit user accounts to specific files using chroot() and/or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier and can be automated using these utilities.
Jailkit is known to be used in network security appliances from several leading IT security firms, internet servers from several large enterprise organizations, internet servers from internet service providers, as well as many smaller companies and private users that need to secure cvs, sftp, shell or daemon processes.
1 Preliminary Note
This tutorial is based on Debian 7.6 server, so you should set up a basic Debian 7.6 server installation before you continue with this tutorial. The system should have a static IP address. I use 192.168.0.100 as my IP address in this tutorial and server1.example.com as the hostname.
2 Install Jailkit
We will first download and install Jailkit. At the time of writing this guide, the latest available version of Jailkit is 2.17. I will download it and install it as follows:
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.17.tar.gz
tar xvfz jailkit-2.17.tar.gz
cd jailkit-2.17
Jailkit requires some packages before its installation; we will install them as follows:
Now our system is ready to install the Jailkit, install it as follows:
./debian/rules binary
cd ..
dpkg -i jailkit_2.17-1_amd64.deb
This installs Jailkit on the Debian server. We can now remove the extra packages from /tmp:
rm -rf /tmp/jailkit*
3 Jailing a user
Now we will create a user which will be jailed using Jailkit as:
adduser srijan
root@server1:~#adduser srijan
Adding user `srijan’ …
Adding new group `srijan’ (1001) …
Adding new user `srijan’ (1001) with group `srijan’ …
Creating home directory `/home/srijan’ …
Copying files from `/etc/skel’ …
Enter new UNIX password: –password
Retype new UNIX password:–password
passwd: password updated successfully
Changing the user information for srijan
Enter the new value, or press ENTER for the default
Full Name []: –ENTER
Room Number []:–ENTER
Work Phone []:–ENTER
Home Phone []:–ENTER
Other []:–ENTER
Is the information correct? [Y/n] –Y
root@server1:~#
In my case I am creating the user srijan, you can use any name.
Next we will check the information about user srijan in /etc/passwd as:
Now our user has been added to the jailed environment. I will connect to the Debian server from a bash terminal using its IP 192.168.0.100:
ssh srijan@192.168.0.100
root@server1:~$ ssh srijan@192.168.0.100
The authenticity of host ‘192.168.0.100 (192.168.0.100)’ can’t be established.
ECDSA key fingerprint is 3d:ca:91:67:96:39:15:b4:0f:6e:c8:2c:92:ef:25:d7.
Are you sure you want to continue connecting (yes/no)? yes
srijan@192.168.0.100’s password:
Linux server1 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Connection to 192.168.0.100 closed.
root@server1:~$
The connection is closed because the user doesn't have a login shell; let's add it in the configuration file for the jail:
It will add the bash prompt for the jailed user srijan. Now again try the ssh login with srijan user and you will be able to login:
ssh srijan@192.168.0.100
Now check the root directory content; you will notice that it has contents like this:
ls /
srijan@server1:~$ ls /
bin dev etc home lib lib64 usr
srijan@server1:~$
4 Running services and commands in Jailed environment
A jail can be used to run services in a jailed environment. To run a service in the jail, we use the jk_chrootlaunch command:
Here I am starting the service of Apache, similarly you can run any service or daemon with it in Jailed environment.
To make a particular command available in the jailed environment, we use jk_cp. Let's test it: when we run cal in the jail, it shows the following:
cal
srijan@server1:~$ cal
bash: cal: command not found
srijan@server1:~$
This means the jailed environment doesn't know the cal command. I will now add it on the Debian server as follows:
jk_cp -v -j /jail/ /usr/bin/cal
root@server1:~# jk_cp -v -j /jail/ /usr/bin/cal
Creating symlink /jail/usr/bin/cal to ncal
Copying /usr/bin/ncal to /jail/usr/bin/ncal
Creating symlink /jail/lib/x86_64-linux-gnu/libncurses.so.5 to libncurses.so.5.9
Copying /lib/x86_64-linux-gnu/libncurses.so.5.9 to /jail/lib/x86_64-linux-gnu/libncurses.so.5.9
/jail/lib/x86_64-linux-gnu/libtinfo.so.5 already exists, will not touch it
/jail/lib/x86_64-linux-gnu/libc.so.6 already exists, will not touch it
/jail/lib/x86_64-linux-gnu/libdl.so.2 already exists, will not touch it
/jail/lib64/ld-linux-x86-64.so.2 already exists, will not touch it
/jail/lib/x86_64-linux-gnu/libtinfo.so.5 already exists, will not touch it
/jail/lib/x86_64-linux-gnu/libc.so.6 already exists, will not touch it
/jail/lib/x86_64-linux-gnu/libdl.so.2 already exists, will not touch it
/jail/lib64/ld-linux-x86-64.so.2 already exists, will not touch it
root@server1:~#
Again run the cal command in Jailed environment:
cal
srijan@server1:~$ cal
   September 2014
Su Mo Tu We Th Fr Sa
    1  2  3  4  5  6
 7  8  9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30
srijan@server1:~$
So we have added the command for the Jailed environment. Congratulations! Now we have successfully configured Jail environment in Debian Wheezy 🙂
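Each binary and library copied into the jail with jk_cp becomes part of what the jailed user can reach, so it is worth checking the jail tree after every change. The script below is an added example, not part of the original tutorial or of Jailkit: it lists writable directories, setuid/setgid files and files with an unexpected owner under the jail. The function name audit_jail and its optional OWNER argument are assumptions; /jail is the jail path used above.

```shell
#!/bin/sh
# Added example: list items in a chroot jail that weaken the confinement.
# audit_jail JAIL [OWNER] -> prints "<finding> <path>" lines, returns 1 if any.
# OWNER is the expected owner of everything outside home (assumed default: root).
audit_jail() {
    jail=${1%/}
    owner=${2:-root}
    [ -d "$jail" ] || { echo "not-a-directory $1"; return 1; }
    findings=$(
        # Group- or world-writable directories (sticky ones such as tmp excepted)
        # let a jailed user replace the binaries and libraries jk_cp copied in.
        find "$jail" -type d \( -perm -020 -o -perm -002 \) ! -perm -1000 |
            sed 's/^/writable-dir /'
        # setuid/setgid files run with another identity; a jail rarely needs any.
        find "$jail" -type f \( -perm -4000 -o -perm -2000 \) |
            sed 's/^/setid-file /'
        # Everything except the users' home directories should belong to OWNER.
        find "$jail" -path "$jail/home" -prune -o ! -user "$owner" -print |
            sed 's/^/wrong-owner /'
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh audit_jail.sh /jail
if [ $# -gt 0 ]; then audit_jail "$@"; fi
```

An empty result with exit status 0 means none of the three conditions was found.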
How To Build PHP 5.6 (PHP-FPM FastCGI) with Zend OPcache And APCu For ISPConfig 3 On Debian 7 (Wheezy)
ISPConfig 3 has a builtin feature to support multiple PHP versions on one server and select the optimal PHP version for a website. This feature works with PHP-FPM and FastCGI. This tutorial shows how to build PHP 5.6 as a PHP-FPM and a FastCGI version on a Debian Wheezy server. These PHP 5.5 builds include Zend OPcache, and APCu.
1 Preliminary Note
I will install PHP 5.6.0, the latest PHP 5 version at the time of this writing. I will also show how to build some additional PHP extensions such as APCu and memcache. The ioncube loader is not available for php 5.6 at this time, so I will leave out that step.
Please note that PHP-FPM can be used on both Apache and nginx servers, while FastCGI is available only for Apache servers.
PHP-FPM and FastCGI are mutually exclusive in PHP 5.6, that’s why I show two ways of building PHP, one for PHP-FPM, one for FastCGI, however you can compile PHP twice to get both, one time with --enable-fpm and one time with --enable-cgi (make sure to use different base directories, such as /opt/php-5.6.0 for PHP-FPM and /opt/phpfcgi-5.6.0 for FastCGI).
2 Building PHP 5.6.0 (PHP-FPM)
Download and extract PHP 5.6.0:
mkdir /opt/php-5.6.0
mkdir /usr/local/src/php5-build
cd /usr/local/src/php5-build
wget http://de.php.net/get/php-5.6.0.tar.bz2/from/this/mirror -O php-5.6.0.tar.bz2
tar jxf php-5.6.0.tar.bz2
(The last command is needed if you build PHP with --with-imap, because otherwise ./configure will stop with the following error:
checking for crypt in -lcrypt… yes
configure: error: Cannot find imap library (libc-client.a). Please check your c-client installation.
root@server1:/usr/local/src/php5-build/php-5.6.0#
)
Configure and build PHP 5.6.0 as follows (you can adjust the ./configure command to your needs, take a look at
./configure --help
to see all available options; if you use a different ./configure command, it is possible that additional libraries are required, or the build process will fail):
Open /opt/php-5.6.0/etc/php-fpm.conf and adjust the following settings – in the listen line you must use an unused port (e.g. 8999; port 9000 might be in use by Debian’s default PHP-FPM already), and you must add the line include=/opt/php-5.6.0/etc/pool.d/*.conf at the end:
vi /opt/php-5.6.0/etc/php-fpm.conf
[...]
pid = run/php-fpm.pid
[...]
user = www-data
group = www-data
[...]
listen = 127.0.0.1:8999
[...]
include=/opt/php-5.6.0/etc/pool.d/*.conf
Create the pool directory for PHP-FPM:
mkdir /opt/php-5.6.0/etc/pool.d
Next create an init script for PHP-FPM:
vi /etc/init.d/php-5.6.0-fpm
#! /bin/sh
### BEGIN INIT INFO
# Provides: php-5.6.0-fpm
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts php-5.6.0-fpm
# Description: starts the PHP FastCGI Process Manager daemon
### END INIT INFO

php_fpm_BIN=/opt/php-5.6.0/sbin/php-fpm
php_fpm_CONF=/opt/php-5.6.0/etc/php-fpm.conf
php_fpm_PID=/opt/php-5.6.0/var/run/php-fpm.pid
php_opts="--fpm-config $php_fpm_CONF"

# Wait up to 35 seconds for the pid file ($2) to be 'created' or 'removed' ($1).
# On success $try is emptied; a non-empty $try afterwards means timeout.
wait_for_pid () {
    try=0
    while test $try -lt 35 ; do
        case "$1" in
            'created')
                if [ -f "$2" ] ; then
                    try=''
                    break
                fi
                ;;
            'removed')
                if [ ! -f "$2" ] ; then
                    try=''
                    break
                fi
                ;;
        esac
        echo -n .
        try=`expr $try + 1`
        sleep 1
    done
}

case "$1" in
    start)
        echo -n "Starting php-fpm "
        $php_fpm_BIN $php_opts
        if [ "$?" != 0 ] ; then
            echo " failed"
            exit 1
        fi
        wait_for_pid created "$php_fpm_PID"
        if [ -n "$try" ] ; then
            echo " failed"
            exit 1
        else
            echo " done"
        fi
        ;;
    stop)
        echo -n "Gracefully shutting down php-fpm "
        if [ ! -r "$php_fpm_PID" ] ; then
            echo "warning, no pid file found - php-fpm is not running ?"
            exit 1
        fi
        # SIGQUIT asks php-fpm for a graceful shutdown
        kill -QUIT `cat "$php_fpm_PID"`
        wait_for_pid removed "$php_fpm_PID"
        if [ -n "$try" ] ; then
            echo " failed. Use force-quit"
            exit 1
        else
            echo " done"
        fi
        ;;
    force-quit)
        echo -n "Terminating php-fpm "
        if [ ! -r "$php_fpm_PID" ] ; then
            echo "warning, no pid file found - php-fpm is not running ?"
            exit 1
        fi
        # SIGTERM stops php-fpm immediately
        kill -TERM `cat "$php_fpm_PID"`
        wait_for_pid removed "$php_fpm_PID"
        if [ -n "$try" ] ; then
            echo " failed"
            exit 1
        else
            echo " done"
        fi
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    reload)
        echo -n "Reload service php-fpm "
        if [ ! -r "$php_fpm_PID" ] ; then
            echo "warning, no pid file found - php-fpm is not running ?"
            exit 1
        fi
        # SIGUSR2 makes php-fpm reload its configuration
        kill -USR2 `cat "$php_fpm_PID"`
        echo " done"
        ;;
    *)
        echo "Usage: $0 {start|stop|force-quit|restart|reload}"
        exit 1
        ;;
esac
Make the init script executable and create the system startup links:
As long as there are no pools in /opt/php-5.6.0/etc/pool.d, you will get this warning which you can ignore:
root@server1:/usr/local/src/php5-build/php-5.6.0# /etc/init.d/php-5.6.0-fpm start
Starting php-fpm [29-Aug-2014 13:21:12] WARNING: Nothing matches the include pattern ‘/opt/php-5.6.0/etc/pool.d/*.conf’ from /opt/php-5.6.0/etc/php-fpm.conf at line 528.
done
root@server1:/usr/local/src/php5-build/php-5.6.0#
To enable the Zend OPcache, open /opt/php-5.6.0/lib/php.ini…
vi /opt/php-5.6.0/lib/php.ini
… and add the following line at the end:
[...]
zend_extension=opcache.so
That’s it – if you like, you can now install some additional modules like APCu, memcache, memcached, and ioncube.
The APCu, memcache, and memcached modules can be installed through PEAR which we must install and initialize first:
The memcache extension can be installed as follows:
pecl -C ./pear.conf install memcache
Open /opt/php-5.6.0/lib/php.ini…
vi /opt/php-5.6.0/lib/php.ini
… and add the line extension=memcache.so at the end of the file:
[...]
extension=memcache.so
Reload PHP-FPM afterwards:
/etc/init.d/php-5.6.0-fpm reload
In ISPConfig 3.0.5, you can configure the new PHP version under System > Additional PHP Versions. On the Name tab, you just fill in a name for the PHP version (e.g. PHP 5.6.0) – this PHP version will be listed under this name in the website settings in ISPConfig:
Go to the PHP-FPM Settings tab (the FastCGI Settings tab can be left empty) and fill out the fields as follows: