D-Bus IPC Service (messagebus)
D-Bus is an IPC mechanism that provides a common channel for inter-process communication.
If no services which require D-Bus are in use, disable this service:
# chkconfig messagebus off
A number of default services make use of D-Bus, including X Windows, Bluetooth, and Avahi. For security, it is recommended that D-Bus and all its dependencies be disabled unless there is a mission-critical need for them.
Stricter configuration of D-Bus is possible and documented in the man page dbus-daemon(1). D-Bus maintains two separate configuration files, located in /etc/dbus-1/, one for system-specific configuration and the other for session-specific configuration.
How to disable X Window System Listening
To prevent X.org from listening for remote connections, create the file /etc/X11/xinit/xserverrc and fill it with the following line:
exec X :0 -nolisten tcp "$@"
One of X.org’s features is the ability to provide remote graphical display. This feature should be disabled unless it is required. If the system uses runlevel 5, which is the default, the GDM display manager starts X safely, with remote listening disabled. However, if X is started from the command line with the startx command, then the server will listen for new connections on X’s default port, 6000.
Set Idle Timeout Interval for User Logins
SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.
Find and edit the following lines in /etc/ssh/sshd_config as follows:
ClientAliveInterval interval
ClientAliveCountMax 0
The timeout interval is given in seconds. To have a timeout of 5 minutes, set interval to 300.
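To verify the two settings above, this added example (not part of the original guide) reads sshd_config text the way sshd does: keywords are case-insensitive, the first value for a keyword wins, and lines inside a Match block are not global. The function names, the 300-second default threshold and the sample configurations are constructed for illustration, and Include directives are not followed.

```python
import re

# sshd's built-in defaults when a keyword is absent.
DEFAULTS = {"clientaliveinterval": "0", "clientalivecountmax": "3"}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def to_seconds(value):
    """Convert an sshd time value such as 300, 5m or 1h30m to seconds."""
    if not re.fullmatch(r"(?:\d+[smhdw])*\d+[smhdw]?", value, re.I):
        raise ValueError(f"not a valid time value: {value!r}")
    return sum(int(n) * UNITS[u.lower()]
               for n, u in re.findall(r"(\d+)([smhdw]?)", value, re.I))

def effective_global(config_text):
    """Return the global values sshd would use for the two keywords."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()            # keywords are case-insensitive
        if key == "match":                # everything below is conditional
            break
        if key in DEFAULTS and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().strip('"')   # first value wins
    return {**DEFAULTS, **seen}

def audit_idle_timeout(config_text, max_seconds=300):
    """Return findings; an empty list means the settings match the text above."""
    eff = effective_global(config_text)
    findings = []
    interval = to_seconds(eff["clientaliveinterval"])
    if interval == 0:
        findings.append("ClientAliveInterval is 0 or unset")
    elif interval > max_seconds:
        findings.append(f"ClientAliveInterval is {interval}s, above {max_seconds}s")
    if eff["clientalivecountmax"] != "0":
        findings.append(f"ClientAliveCountMax is {eff['clientalivecountmax']}, expected 0")
    return findings

# Constructed sample configurations, not taken from a real host.
GOOD = "ClientAliveInterval 300\nClientAliveCountMax 0\n"
BAD = ("#ClientAliveInterval 300\nclientaliveinterval = 10m\nClientAliveInterval 300\n"
       "Match User backup\n    ClientAliveCountMax 0\n")

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_idle_timeout(text) or "compliant")
```

OpenSSH 8.2 changed ClientAliveCountMax 0 to disable client-alive disconnection entirely, so on 8.2 and later confirm the behaviour of these values against sshd_config(5) for the installed version.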
Badblocks - search a device for bad blocks
Important note: If the output of badblocks is going to be fed to the e2fsck or mke2fs programs, it is important that the block size is properly specified, since the block numbers which are generated are very dependent on the block size in use by the filesystem. For this reason, it is strongly recommended that users not run badblocks directly, but rather use the -c option of the e2fsck and mke2fs programs.
This would check the drive “sdb” in non-destructive read-write mode and display progress by writing out the block numbers as they are checked.
This would check the sixth partition of the drive “sdb”, in destructive read-write mode and display progress by writing out the block numbers as they are checked. All data will be overwritten at the block level. If used on an entire disk as in the previous example, it destroys MBRs, partitions and data alike.
Yesterday, we found an insane CPU overload generated from nowhere on several machines we manage. This was related to the leap second that was inserted on Saturday night; this can cause permanent high CPU loads on Linux computers (Debian and CentOS/RHEL mainly). Among other examples, the behaviour is documented in the blog of the Mozilla Foundation, where strange peak loads on one Mozilla server were observed from the time the leap second was added.
A quick fix is to reboot the server (note that restarting server services such as httpd, mysqld, or even tomcat will not work). If a reboot is impossible because of downtime issues, you can solve the issue by stopping the NTP daemon and executing a Perl script that resets the leap second bit in the kernel. The Perl script can be found in the following article:
The root of the behaviour is located in the Linux kernel, where a leap second that is triggered by the NTP subsystem results in a deadlock situation. The problem appears to affect all kernel versions from 2.6.26 up to and including 3.3.
Further discussion of this behaviour can be followed at the link below: