Archive for category Linux
LCOD – 7.24.10 – Get su to respect /etc/security/limits.conf
Posted by Jon Zobrist in Linux, Linux Command of the Day, Linux Support - Servers on July 24, 2010
Get su to respect settings in /etc/security/limits.conf
Click to continue reading “LCOD – 7.24.10 – Get su to respect /etc/security/limits.conf”
LCOD – 7.7.10 – Rebuilding and checking a Linux software RAID array
Posted by Jon Zobrist in Linux, Linux Command of the Day, Linux Support - Servers on July 7, 2010
Recovering an unclean ext3 or reiserfs partition when it’s on a software RAID array in Linux – HOWTO.
Click to continue reading “LCOD – 7.7.10 – Rebuilding and checking a Linux software RAID array”
LCOD – 5.26.10 – Compare 2 directories
Posted by Jon Zobrist in Linux, Linux Command of the Day, Uncategorized on May 26, 2010
md5sum * | md5sum
This will return an md5sum which will look something like
9277826461d2cb19731f6201c6b2c6b3 -
Run it in 2 directories, if the sums of the sums match, the files are identical.
If not, you may want to rsync between them with something like
rsync-avz -e ssh localdir/ user@remotehost:/remotedir/
or
rsync-avz -e ssh user@remotehost:/remotedir/ localdir/
LCOD – 4.12.10 – Quick Mysqlreport to e-mail setup
Posted by Jon Zobrist in Linux, Linux Command of the Day, MySQL Server Support on April 12, 2010
This will be a quick install to setup your server to e-mail you daily mysql reports using the cool mysqlreport application at hackmysql.com
Click to continue reading “LCOD – 4.12.10 – Quick Mysqlreport to e-mail setup”
LCOD – 11.17.09 – Simple page/alert email script
Posted by Jon Zobrist in Bash, Linux, Linux Command of the Day, Programming on November 17, 2009
Here’s a quick page script for *nix boxes with mail.
I grabbed the mail / file redirect from
http://theos.in/shell-scripting/send-mail-bash-script/
#!/bin/bash
#Author : dougnaka@gmail.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it
#Description : Quick alert/page script, edit EMAIL="" to include a comma separated list of emails to send to
#Usage : page.sh "Short or long message"
if [ "${1}" ]
then
SUBJECT="[ALERT] ${1}"
EMAIL=" someone@example.com"
EMAILMESSAGE="/tmp/`date +%s`-message"
echo "ALERT: at `date`" > ${EMAILMESSAGE}
echo "${1}" >> ${EMAILMESSAGE}
echo "From `hostname`" >> ${EMAILMESSAGE}
mail -s "${SUBJECT}" "${EMAIL}" < ${EMAILMESSAGE}
/bin/rm ${EMAILMESSAGE}
else
echo "Usage: ${0} MESSAGE"
exit 1
fi
LCOD 10.9.09 – Script to retry command
Posted by Jon Zobrist in Linux, Linux Command of the Day on October 9, 2009
I use this almost exclusively with trying to ssh to a machine that’s rebooting, but it’s useful to have, and, I think, should be included as a default command in any Linux distro.
Script : retry
Usage : retry command [args]
Code :
#!/bin/bash
while true
do
echo "trying $@ at `date`"
$@
sleep 1
done
Enjoy.
LCOD – 6.18.09 Useful command line grepping (grep!)
Posted by Jon Zobrist in Linux, Linux Command of the Day on June 18, 2009
There are a few regular expressions I find myself using all the time via grep on the command line. Here are a few, along with a few frequently used commands I can’t live without.
Find the non comment parts of a file.
(Useful if you want to see or compare the active parts of a config file.)
Most Unix config files use # as a comment tag, indicating everything after the # is a comment.
grep ‘^[^#]‘ filename.conf
To break this down, first we have grep , which is a command line program to find lines that match a regular expression pattern, and display them. The single quotes indicate that we’re passing the entire section enclosed in single quotes as the first argument, which doesn’t matter as much in this example, but it’s good to practice, so when you have a space or some other character, you won’t be confused when your shell interprits it. The regular expression used is
^[^#]
Which is slightly trick, as far as regular expressions go, for only one reason; the character ^ is used twice, with different meanings.
Normally the ^ is regular expression for the start of a line, and we use it here as this, the first time. The second time, inside the brackets, it means NOT.
Brackets in regular expressions are like a giant OR statement, with every non-escape character (like the forward slash / ) as a possible match. This can hang people up when they expect [bob] to match the full word bob, instead of just the first b.
Then we have the #, which just matches our comment character, #.
Then the closing bracket, since we’re not doing any other options.
The net result of this is to match any line that has a # right after the start of the line.
To do the same thing on a config file that uses a ; as a comment indicator:
grep ‘^[;]‘ filename.conf
OR, to be even trickier, you could just add the # and ; in the same set of brackets, like
grep ‘^[;#] fliename.conf
Note the order of items inside the bracket doesn’t really matter in this case.
Next, often times I have a file with a bunch of empty lines in it, and I want to quickly get rid of them all. To do this I use a combination of a simple grep and a output redirect.
grep . filename
The . character is a regular expression match for any character, but it won’t match empty lines (the regular expression ^$ does though).
To get this into the file, first redirect it to a new file, then move the file back.
grep . filename > newfile
mv newfile filename
or, if you want to sort, just run
sort newfile > filename
perhaps you now want to just get the unique lines
uniq newfile > filename
Of course, I should mention the very obvious ones.
Grepping for words in files.
grep Word filename
Note that grep is case sensitive, but you can turn that off with the -i flag.
grep -i word filename
There is an infinite amount of uses for grep, but the foundation for grep/sed/awk/perl use for patterns is regular expressions. More than any single book I’ve read about techonlogy, the O’Reilly book “Mastering Regular Expressions”, by Jeffrey Friedl has helped me the most in my IT career. I highly suggest you buy and read it.
LCOD 2.23.09 Setup Polycom Soundstation 6000 w/Asterisk
Posted by Jon Zobrist in Asterisk, Linux, Linux Command of the Day, VoiP on February 23, 2009
Setup/install notes, Polycom Soundstation IP 6000 with Asterisk 1.4
Have tftp setup, in this we use /tftpboot as the main tftp folder, and it’s world readable/writable, (LIMIT ACCESS VIA IPTABLES/FIREWALL/SOMETHING)
Have a dhcp server setup that’s giving out the normal things for SIP phones,
option tftp-server-name “[ASTERISK-SERVER-IP";
option time-offset -23400; # Mountain Standard Time
option ntp-servers 10.0.2.1;
Have asterisk up and running, make a SIP extension/entry like you would for a normal SIP client, although don't use type=friend, use type=peer
like this for extension 101, username 101, password temp
[101]
type=peer
username=101
secret=temp
host=dynamic
context=[your default context for phones]
qualify=150
accountcode=[optional accounting code]
mailbox=[extension for mailbox]
reload asterisk’s sip module
asterisk -vvvngrd
asterisk*>CLI>sip reload
Setup the Polycom:
download the latest rpm for firmware for trixbox from
http://yum.trixbox.org/centos/5/RPMS/
this time it was:
http://yum.trixbox.org/centos/5/RPMS/firmware-polycom-3.0.1-2.noarch.rpm
unzip this, put the tftpboot files into your tftpboot dir, put the setup-polycom.rpm_tmp_update in
/usr/local/sbin/setup-polycom.rpm_tmp_update
check which NIC your asterisk interface system is on and run
/usr/local/sbin/setup-polycom.rpm_tmp_update
(my ntp server doesn’t like our SIP clients sntp requests, so I use time.nist.gov and nat that outbound for the phones)
edit /tftpboot/server.cfg
change
tcpIpApp.sntp.address=”192.43.244.18″
Now download the latest version of the sip firwmare from polycom
http://downloads.polycom.com/voice/voip/sp_ss_sip/spip_ssip_3_1_2_release_sig_combined.zip
unzip and put all the files in /tftpboot/
edit /tftpboot/000000000000.cfg
add server.cfg on the CONFIG_FILES line, so mine looks like this
note there were 2 other application lines but i left them the same as they looked like they were for SPIP300/500′s
now, per conference phone, copy the /tftpboot/000000000000.cfg to /tftpboot/[phone mac address].cfg
the mac address is also the serial number of the phone (on the back!)
I’m not sure if it’s case sensitive but I did all lower case and it worked, tail your tftp servers logs to see what’s getting requested.
edit the /tftpboot/[phone mac address].cfg
on the line where you added server.cfg, add a custom config for this device, calling it whatever you want, so if you wanted, call it conference1.cfg, your application line would look like:
now edit that file /tftpboot/conference1.cfg (or whatever you called it)
username and password should match what you put in asterisk’s sip.conf
it should look something like this
< ?xml version="1.0" encoding="UTF-8" standalone="yes"?>
reg.1.label="101"
reg.1.auth.userId="101"
reg.1.auth.password="password"
reg.1.lineKeys="6"
/>
I mostly followed the directions from here (I am using a self compiled asterisk, version 1.4.19.1 on Gentoo Linux, not trixbox)
http://www.sureteq.com/asterisk/polycom.htm
and used the following links for reference:
http://www.voip-info.org/wiki/view/polycom+trixbox
http://www.voip-info.org/wiki/view/Polycom+Phones
http://www.polycom.com/support/voice/soundstation_ip_series/soundstation_ip6000.html
http://blog.voipsupply.com/new-products/polycom-sip-firmware-31-released-whats-in-it-for-me
http://blog.voipsupply.com/voip-software/unleash-your-polycom-soundpoint-ip-phone%e2%80%a6introducing-the-polycom-productivity-suite-package
http://yum.trixbox.org/centos/5/RPMS/repodata/repoview/firmware-polycom-0-3.0.1-2.html
http://www.voip-info.org/wiki/view/Asterisk%40Home+Handbook+Wiki+Chapter+7#7224HowtouseProvisioningCentralBootServe
http://www.asteriskvoipnews.com/polycom/polycom_releases_soundstation_ip_7000_and_ip_6000_conference_phone.html
LCOD – 8.3.08 Get around annoying reboot during fdisk
Posted by Jon Zobrist in Linux, Linux Command of the Day on August 3, 2008
Do you ever try to reformat / repartition disks and Linux complains the kernel is still using the old table and you have to REBOOT (a sin on any *NIX) to fix this?
The error is “WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table.
The new table will be used at the next reboot.”
This annoys me, what was happening on my Ubuntu 7.10 computer was I had a disk that used to be Linux and I put it into a USB / Firewire enclosure and fdisk’d it and then formatted it, but the automounter sees the partition exists as soon as the kernel rereads the partition table and mounts it. This isn’t safe or a good idea really, so, if you’re going to nuke a disk you should zero out any previous partitions by nuking the master partition table.
THIS IS A POTENTIALLY DANGEROUS OPERATION, YOU PROCEED AT YOUR OWN RISK, I WILL NOT ASSUME LIABILITY FOR LOST DATA OR ANY DAMAGES.
Ok, so make 100% absolutely sure you know the drive letter you’re getting with something like
dmesg | tail
and you’ll see something like
sd 18:0:0:0: [sdf] 488397168 512-byte hardware sectors (250059 MB)
[3010413.606563] sd 18:0:0:0: [sdf] Test WP failed, assume Write Enabled
[3010413.606568] sd 18:0:0:0: [sdf] Assuming drive cache: write through
[3010413.607559] sd 18:0:0:0: [sdf] 488397168 512-byte hardware sectors (250059 MB)
[3010413.608807] sd 18:0:0:0: [sdf] Test WP failed, assume Write Enabled
[3010413.608811] sd 18:0:0:0: [sdf] Assuming drive cache: write through
[3010413.608815] sdf: sdf1 sdf2 < sdf5 >
[3010413.651837] sd 18:0:0:0: [sdf] Attached SCSI disk
[3010413.651880] sd 18:0:0:0: Attached scsi generic sg5 type 0
[3010415.111787] kjournald starting. Commit interval 5 seconds
Now run this (as root), substitude sdf for the device you found. BE WARNED that if Linux didn’t see your disk when you just plugged it in, you may be seeing the detection of an actual file system disk. The best way to tell is to run tail -f /var/log/kern.log (or /var/log/messages or something where the kernel logs, depending on your distribution of Linux)
fdisk -l /dev/sdf
This showed me
Disk /dev/sdf: 250.0 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x000969e0
Device Boot Start End Blocks Id System
/dev/sdf1 * 1 30024 241167748+ 83 Linux
/dev/sdf2 30025 30401 3028252+ 5 Extended
/dev/sdf5 30025 30401 3028221 82 Linux swap / Solaris
Now I check df -h and see that Ubunu already mounted /dev/sdf1 on /media/disk
So I (as root) unmount it with
umount /dev/sdf1
Now I zero the partition table, THIS CAN TOTALLY MESS UP YOUR DISK IN AN UNRECOVERABLE FASHION, SO BE REALLY REALLY REALLY SURE YOU HAVE THE CORRECT DISK DEVICE NODE. IF YOU ARE UNSURE DO NOT PROCEED.
(More info about the master boot record on the wikipedia article here. )
dd if=/dev/zero of=/dev/sdf bs=512 count=1
Now, proceed with creating the partition(s) and formatting
fdisk /dev/sdf
select n,p,enter,enter,w
mkfs.ext3 /dev/sdf1
LCOD – 5.17.08 – Locking down ssh access
Posted by Jon Zobrist in Linux, Linux Command of the Day on May 17, 2008
In light of an increase in ssh attacks , vulnerabilities and scans I am writing this guide to help you keep unwanted people from connecting to your server via SSH.
If you have generated any of your SSH keys on a Debian or Ubuntu system they are likely very vulnerable to guessing, e.g. someone could login to your box if they know the name of one of your users that you allow in via ssh within 30 minutes!
See here for more info: http://metasploit.com/users/hdm/tools/debian-openssl/
This applies to any PAM enabled Linux (or other PAM-enabled *nix like OS)
This guide will walk you through configuring your OpenSSH server to only allow public key authentication and limit that to specific users and groups. Errors in this guide or mistakes or differences in system configurations could lock you out of your own systems, be very careful and do not proceed unless you understand and assume the risk you are taking.
I assume no responsibility for YOUR actions. This guide was tested on Ubuntu 7.10 and fairly recent Gentoo system.
1. Limit SSH access to public/private keys only, deny X11 and TCP forwarding, and deny root ssh access
Step 1 Discussion:
Public/Private keys are not necessarily more secure than passwords, but it’s harder to guess a private key, and if your users put passwords on their keys then an attacker must have or guess 2 things, the key and its password.
The root user is GOD on almost every Linux/*nix system out there, and nobody should be able to login directly as root remotely. In addition it’s a very common user, on almost every Linux/*nix system.
TCP and X11 forwarding is one of the coolest features of an ssh server. Unless you want people to be able to use your ssh server like a full access vpn to your local network, or any other network (bounce their attacks through your server), then you want this disabled. And X11 forwarding is great, but I never run an X11 server on something that is a “production” environment. If something requires an X11 server, like Oracle, then I run vncserver and allow ssh port forwarding so people can connect via ssh. I make sure to have full deny by default firewalls on all machines like this, limiting outbound access.
Step 1 HOWTO
Edit /etc/ssh/sshd_config
Make sure the following lines are not commented out, and don’t say something different
Protocol 2
PermitRootLogin no
UsePAM yes
PasswordAuthentication no
PubkeyAuthentication yes
RSAAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
AllowTcpForwarding no
X11Forwarding no
2. Create an ssh remote users group and add users to it who need remote ssh access
Step 2 Discussion:
The main reason I want to limit who has remote ssh access is because there are frequently system accounts or other automatically created accounts that I don’t want to have to monitor to make sure the installer didn’t just make a new user with a simple password or key. I want to have the default be nobody can ssh, and then I’ll add ssh permissions to users who need it.
Step 2 HOWTO:
Let’s call our remote ssh users list rsshusers, we create it with the command
groupadd rsshusers
Now let’s say we have a user named mikey already setup, let’s add him to our new rsshusers group, with the command
usermod -a -G rsshusers mikey
Do this for every user you want to have ssh in remotely. Note that if you’re used to logging in remotely as root and are going to stop doing that, make sure you user can su to root with the command su.
Login as the user, run
su
Put in your root password, if it accepts it and you are root (run whoami to verify) then you’re good to go. If it fails to let you su and you’re sure you have the password right you may need to be in the wheel group to us (default on FreeBSD and Gentoo).
Back as root run the following command to add your user (again, mikey in this example) to your wheel group.
usermod -a -G wheel mikey
Now we’re going to edit 2 files to limit remote ssh users to the group we made called rsshusers.
First, edit /etc/pam.d/sshd (this was ssh on my Debian/Ubuntu systems)
Add the line
account required pam_access.so
This enables access accounting based on the /etc/security/access.conf file, which is the next one we are going to edit.
On both my Gentoo and Debian system this file had every line commented out.
At the end I added the following lines.
-:ALL EXCEPT root mikey:LOCAL
+ : (rsshusers) : ALL
- : ALL : ALL
Initially I tried to use a group like @rsshusers, however this didn’t seem to work, but () designates explicitly a group.
Restart sshd
Gentoo:
/etc/init.d/sshd restart
Debian/Ubuntu:
/etc/init.d/ssh restart
Now, without closing your root terminal, open a new one and make sure you can ssh in as mikey, and su to root.
Assuming everything went well you could try ssh’ing in as another user whose public key is correctly in place, but who isn’t in the rsshusers group.
Related links:
PAM:
http://devmanual.gentoo.org/tasks-reference/pam/index.html
http://linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html
http://tldp.org/HOWTO/User-Authentication-HOWTO/
http://www.faqs.org/docs/Linux-HOWTO/Secure-Programs-HOWTO.html
OpenSSH:
http://www.openssh.com/
http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/
http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html
http://geekzine.org/2007/09/28/easy-sftp-and-chroot-sftp-with-scponly/
Misc:
Securing RedHat
http://help.unc.edu/?id=1859
Debian SSLkeys
http://wiki.debian.org/SSLkeys
Links in post:
http://www.securityfocus.com/news/11518
http://metasploit.com/users/hdm/tools/debian-openssl/
