No idea why this isn’t the default on the latest Ubuntu, as it is for every other service in /etc/pam.d/

Edit /etc/pam.d/su

Find, and uncomment the line that says

# session    required   pam_limits.so

Changes take effect on use, so you’ll have to re-su to get this to take effect.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Often times you need to recover a disk manually, as the automatic disk check (fsck) is not willing to risk data deletion. I have yet to find an instance where answering no to it’s (fsck’s) many requests to fix things has helped in getting data back, or in getting a server back up and running.

With that in mind, I pretty much always run fsck -y on a filesystem when it’s unwilling to mount due to an unclean mount (hard reboot/power failure/etc). This has always been done with ext3 or resierfs journaling file systems, and I’ve yet to notice any data loss, although the risk always exists.

As with any tip online, you proceed at your own risk.

So the standard procedure to recover a disk that won’t fsck on it’s own is simple, during it’s boot process it detects the drive was unmounted uncleanly (this is the default, and every ext2 or 3 drive is marked unclean when it is mounted, and only marked unclean when it is unmounted, the theory being that if it’s not unmounted then there is potentially lost or corrupt data.), and it starts running fsck on it. It will usually give you a progress indicator, and if fsck finds any problems it drops you to a shell, where you can manually repair the disk, with fsck -y /dev/XXX.

However, it seems, that often if the drive is a Linux software RAID partition, then it simply reboots, and trying to boot into single user mode, or with the drive in read only mode, all fail, and the system either loops a failing fsck, or reboots, or both, ad nausea m.

To the rescue is any Linux live CD. Lately, I prefer a Ubuntu install in live mode, but previously to that I really liked Knoppix. Boot it up, get to a command line, and follow these steps.

Overview is :

1. Boot up and get a root command line, (sudo su / su / single user mode)
2. Scan the RAID devices and build mdadm.conf file
3. Assemble each RAID device
4. fsck -y each RAID device
5. Reboot into normal / non-live CD mode
6. Success!

Most newer Linux store mdadm.conf in /etc/mdadm/mdadm.conf, some will have it in /etc/mdadm.conf, and some simply won’t have it.

Use ls to find which one your live CD is using, and then make sure to redirect the output there. This will assume it’s /etc/mdadm/mdadm.conf

Once booted, at the command prompt, as root, type (assuming you’re using either RAID-0 or RAID-1, and you have 3 partitions)

modprobe md
modprobe raid1
modprobe raid0
mdadm --examine --scan >> /etc/mdadm/mdadm.conf
mdadm /dev/md2 --assemble
mdadm /dev/md1 --assemble
mdadm /dev/md0 --assemble
cat /proc/mdstat
#verify your RAID arrays are all disks complete (should show UU)
#now check each one
fsck -y /dev/md0
fsck -y /dev/md1
fsck -y /dev/md2
#now reboot and cross your fingers it all comes up good
reboot

Some notes:
If the disk isn’t heavily used, or you are using ext3 or resierfs, then you stand a decent chance of not losing any data with a fsck -y of the file system.

If the power was lost, or the machine locked up you may lose the last little bit of data, even on a journaled file system.

RAID-1 is awesome, and this can be done with a software RAID-1 even if one of the drives is failed. You can also just mount the disk without RAID, and operate as if it never was in an array.

You can do other maintenance on the drives, such as mount them (mount /dev/md2 /mnt/md2) and modify/copy/backup data/etc instead of, or in addition to, fsck’ing them.

I’ve had the best luck with ext3 and resierfs. I’ve read bad things about XFS, JFS, and other file systems.

I would love for Linux to support ZFS, as I’ve played with it on Open Solaris, and Sun’s VM of their storage appliance, and it seems nice.

Enjoy!

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

md5sum * | md5sum

This will return an md5sum which will look something like
9277826461d2cb19731f6201c6b2c6b3 -

Run it in 2 directories, if the sums of the sums match, the files are identical.
If not, you may want to rsync between them with something like
rsync-avz -e ssh localdir/ user@remotehost:/remotedir/
or
rsync-avz -e ssh user@remotehost:/remotedir/ localdir/

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

This will be a quick install to setup your server to e-mail you daily mysql reports using the cool mysqlreport application at hackmysql.com

As the user you want to set this up on, run the following commands.

(Note that I touch and then chmod og-rwx the .my.cnf file, since you’re putting your users mysql password in it, creating it and making it unreadable before editing is always a good idea.)

wget http://hackmysql.com/scripts/mysqlreport
chmod uog+x mysqlreport
mkdir bin logs
mv mysqlreport bin/
touch ~/.my.cnf
chmod og-rwx ~/.my.cnf
vi ~/.my.cnf

Now, put in a client section like this in, you can find your sock file with grep sock /etc/my.cnf, or grep sock /etc/mysql/my.cnf

[client]

user="root"

password="password"

socket=/var/run/mysqld/mysqld.sock

Now, install perl’s DBD::MySQL

Debian/Ubuntu:

sudo su

apt-get install libdbd-mysql-perl

via CPAN/Other Linux/Generic BSD:

perl -MCPAN -e shell

Optional, update CPAN:

install Bundle::CPAN

reload cpan

(If there are errors on following some dependencies exit, and restart your CPAN shell, then start with install Bundle::CPAN)
Install perl DBI

install DBD::mysql
exit

Now, run it to test, you should see a bunch of text output

~/bin/mysqlreport

Now, set it up to run from cron

crontab -e

Add a line like this (this will email to test@example.com a full report nightly at midnight, and put the last nights report in /home/USERNAME/logs/mysqlreport)

0 0 * * * /home/USERNAME/bin/mysqlreport --email test@example.com > /home/USERNAME/logs/mysqlreport.log 2>&1

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Here’s a quick page script for *nix boxes with mail.
I grabbed the mail / file redirect from

http://theos.in/shell-scripting/send-mail-bash-script/


#!/bin/bash
#Author : dougnaka@gmail.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it
#Description : Quick alert/page script, edit EMAIL="" to include a comma separated list of emails to send to
#Usage : page.sh "Short or long message"
if [ "${1}" ]
then
SUBJECT="[ALERT] ${1}"
EMAIL=" someone@example.com"
EMAILMESSAGE="/tmp/`date +%s`-message"
echo "ALERT: at `date`" > ${EMAILMESSAGE}
echo "${1}" >> ${EMAILMESSAGE}
echo "From `hostname`" >> ${EMAILMESSAGE}
mail -s "${SUBJECT}" "${EMAIL}" < ${EMAILMESSAGE}
/bin/rm ${EMAILMESSAGE}
else
echo "Usage: ${0} MESSAGE"
exit 1
fi


No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

I use this almost exclusively with trying to ssh to a machine that’s rebooting, but it’s useful to have, and, I think, should be included as a default command in any Linux distro.

Script : retry
Usage : retry command [args]

Code :

#!/bin/bash
while true
do
echo "trying $@ at `date`"
$@
sleep 1
done


Enjoy.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

There are a few regular expressions I find myself using all the time via grep on the command line. Here are a few, along with a few frequently used commands I can’t live without.

Find the non comment parts of a file.
(Useful if you want to see or compare the active parts of a config file.)
Most Unix config files use # as a comment tag, indicating everything after the # is a comment.
grep ‘^[^#]‘ filename.conf

To break this down, first we have grep , which is a command line program to find lines that match a regular expression pattern, and display them. The single quotes indicate that we’re passing the entire section enclosed in single quotes as the first argument, which doesn’t matter as much in this example, but it’s good to practice, so when you have a space or some other character, you won’t be confused when your shell interprits it. The regular expression used is
^[^#]
Which is slightly trick, as far as regular expressions go, for only one reason; the character ^ is used twice, with different meanings.
Normally the ^ is regular expression for the start of a line, and we use it here as this, the first time. The second time, inside the brackets, it means NOT.
Brackets in regular expressions are like a giant OR statement, with every non-escape character (like the forward slash / ) as a possible match. This can hang people up when they expect [bob] to match the full word bob, instead of just the first b.
Then we have the #, which just matches our comment character, #.
Then the closing bracket, since we’re not doing any other options.
The net result of this is to match any line that has a # right after the start of the line.

To do the same thing on a config file that uses a ; as a comment indicator:
grep ‘^[;]‘ filename.conf

OR, to be even trickier, you could just add the # and ; in the same set of brackets, like
grep ‘^[;#] fliename.conf

Note the order of items inside the bracket doesn’t really matter in this case.

Next, often times I have a file with a bunch of empty lines in it, and I want to quickly get rid of them all. To do this I use a combination of a simple grep and a output redirect.

grep . filename
The . character is a regular expression match for any character, but it won’t match empty lines (the regular expression ^$ does though).
To get this into the file, first redirect it to a new file, then move the file back.
grep . filename > newfile
mv newfile filename

or, if you want to sort, just run
sort newfile > filename

perhaps you now want to just get the unique lines
uniq newfile > filename

Of course, I should mention the very obvious ones.
Grepping for words in files.

grep Word filename

Note that grep is case sensitive, but you can turn that off with the -i flag.

grep -i word filename

There is an infinite amount of uses for grep, but the foundation for grep/sed/awk/perl use for patterns is regular expressions. More than any single book I’ve read about techonlogy, the O’Reilly book “Mastering Regular Expressions”, by Jeffrey Friedl has helped me the most in my IT career. I highly suggest you buy and read it.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Setup/install notes, Polycom Soundstation IP 6000 with Asterisk 1.4

Have tftp setup, in this we use /tftpboot as the main tftp folder, and it’s world readable/writable, (LIMIT ACCESS VIA IPTABLES/FIREWALL/SOMETHING)
Have a dhcp server setup that’s giving out the normal things for SIP phones,
option tftp-server-name “[ASTERISK-SERVER-IP";
option time-offset -23400; # Mountain Standard Time
option ntp-servers 10.0.2.1;

Have asterisk up and running, make a SIP extension/entry like you would for a normal SIP client, although don't use type=friend, use type=peer
like this for extension 101, username 101, password temp
[101]
type=peer
username=101
secret=temp
host=dynamic
context=[your default context for phones]
qualify=150
accountcode=[optional accounting code]
mailbox=[extension for mailbox]

reload asterisk’s sip module
asterisk -vvvngrd
asterisk*>CLI>sip reload

Setup the Polycom:
download the latest rpm for firmware for trixbox from

http://yum.trixbox.org/centos/5/RPMS/

this time it was:

http://yum.trixbox.org/centos/5/RPMS/firmware-polycom-3.0.1-2.noarch.rpm

unzip this, put the tftpboot files into your tftpboot dir, put the setup-polycom.rpm_tmp_update in
/usr/local/sbin/setup-polycom.rpm_tmp_update

check which NIC your asterisk interface system is on and run
/usr/local/sbin/setup-polycom.rpm_tmp_update

(my ntp server doesn’t like our SIP clients sntp requests, so I use time.nist.gov and nat that outbound for the phones)
edit /tftpboot/server.cfg
change
tcpIpApp.sntp.address=”192.43.244.18″

Now download the latest version of the sip firwmare from polycom

http://downloads.polycom.com/voice/voip/sp_ss_sip/spip_ssip_3_1_2_release_sig_combined.zip

unzip and put all the files in /tftpboot/

edit /tftpboot/000000000000.cfg
add server.cfg on the CONFIG_FILES line, so mine looks like this

note there were 2 other application lines but i left them the same as they looked like they were for SPIP300/500′s

now, per conference phone, copy the /tftpboot/000000000000.cfg to /tftpboot/[phone mac address].cfg
the mac address is also the serial number of the phone (on the back!)
I’m not sure if it’s case sensitive but I did all lower case and it worked, tail your tftp servers logs to see what’s getting requested.

edit the /tftpboot/[phone mac address].cfg
on the line where you added server.cfg, add a custom config for this device, calling it whatever you want, so if you wanted, call it conference1.cfg, your application line would look like:

now edit that file /tftpboot/conference1.cfg (or whatever you called it)
username and password should match what you put in asterisk’s sip.conf
it should look something like this

reg.1.displayName="PhoneName"
reg.1.address="101"
reg.1.label="101"
reg.1.auth.userId="101"
reg.1.auth.password="password"
reg.1.lineKeys="6"
/>

I mostly followed the directions from here (I am using a self compiled asterisk, version 1.4.19.1 on Gentoo Linux, not trixbox)

http://www.sureteq.com/asterisk/polycom.htm

and used the following links for reference:

http://www.voip-info.org/wiki/view/polycom+trixbox

http://www.voip-info.org/wiki/view/Polycom+Phones

http://www.polycom.com/support/voice/soundstation_ip_series/soundstation_ip6000.html

http://blog.voipsupply.com/new-products/polycom-sip-firmware-31-released-whats-in-it-for-me

http://blog.voipsupply.com/voip-software/unleash-your-polycom-soundpoint-ip-phone%e2%80%a6introducing-the-polycom-productivity-suite-package

http://yum.trixbox.org/centos/5/RPMS/repodata/repoview/firmware-polycom-0-3.0.1-2.html

http://www.voip-info.org/wiki/view/Asterisk%40Home+Handbook+Wiki+Chapter+7#7224HowtouseProvisioningCentralBootServe

http://www.asteriskvoipnews.com/polycom/polycom_releases_soundstation_ip_7000_and_ip_6000_conference_phone.html

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Do you ever try to reformat / repartition disks and Linux complains the kernel is still using the old table and you have to REBOOT (a sin on any *NIX) to fix this?
The error is “WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table.
The new table will be used at the next reboot.”

This annoys me, what was happening on my Ubuntu 7.10 computer was I had a disk that used to be Linux and I put it into a USB / Firewire enclosure and fdisk’d it and then formatted it, but the automounter sees the partition exists as soon as the kernel rereads the partition table and mounts it. This isn’t safe or a good idea really, so, if you’re going to nuke a disk you should zero out any previous partitions by nuking the master partition table.

THIS IS A POTENTIALLY DANGEROUS OPERATION, YOU PROCEED AT YOUR OWN RISK, I WILL NOT ASSUME LIABILITY FOR LOST DATA OR ANY DAMAGES.

Ok, so make 100% absolutely sure you know the drive letter you’re getting with something like

dmesg | tail

and you’ll see something like

sd 18:0:0:0: [sdf] 488397168 512-byte hardware sectors (250059 MB)
[3010413.606563] sd 18:0:0:0: [sdf] Test WP failed, assume Write Enabled
[3010413.606568] sd 18:0:0:0: [sdf] Assuming drive cache: write through
[3010413.607559] sd 18:0:0:0: [sdf] 488397168 512-byte hardware sectors (250059 MB)
[3010413.608807] sd 18:0:0:0: [sdf] Test WP failed, assume Write Enabled
[3010413.608811] sd 18:0:0:0: [sdf] Assuming drive cache: write through
[3010413.608815] sdf: sdf1 sdf2 < sdf5 >
[3010413.651837] sd 18:0:0:0: [sdf] Attached SCSI disk
[3010413.651880] sd 18:0:0:0: Attached scsi generic sg5 type 0
[3010415.111787] kjournald starting. Commit interval 5 seconds

Now run this (as root), substitude sdf for the device you found. BE WARNED that if Linux didn’t see your disk when you just plugged it in, you may be seeing the detection of an actual file system disk. The best way to tell is to run tail -f /var/log/kern.log (or /var/log/messages or something where the kernel logs, depending on your distribution of Linux)

fdisk -l /dev/sdf

This showed me

Disk /dev/sdf: 250.0 GB, 250059350016 bytes

255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x000969e0

Device Boot Start End Blocks Id System
/dev/sdf1 * 1 30024 241167748+ 83 Linux
/dev/sdf2 30025 30401 3028252+ 5 Extended
/dev/sdf5 30025 30401 3028221 82 Linux swap / Solaris

Now I check df -h and see that Ubunu already mounted /dev/sdf1 on /media/disk
So I (as root) unmount it with
umount /dev/sdf1

Now I zero the partition table, THIS CAN TOTALLY MESS UP YOUR DISK IN AN UNRECOVERABLE FASHION, SO BE REALLY REALLY REALLY SURE YOU HAVE THE CORRECT DISK DEVICE NODE. IF YOU ARE UNSURE DO NOT PROCEED.
(More info about the master boot record on the wikipedia article here. )

dd if=/dev/zero of=/dev/sdf bs=512 count=1

Now, proceed with creating the partition(s) and formatting
fdisk /dev/sdf
select n,p,enter,enter,w
mkfs.ext3 /dev/sdf1

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

In light of an increase in ssh attacks , vulnerabilities and scans I am writing this guide to help you keep unwanted people from connecting to your server via SSH.

If you have generated any of your SSH keys on a Debian or Ubuntu system they are likely very vulnerable to guessing, e.g. someone could login to your box if they know the name of one of your users that you allow in via ssh within 30 minutes!
See here for more info: http://metasploit.com/users/hdm/tools/debian-openssl/

This applies to any PAM enabled Linux (or other PAM-enabled *nix like OS)

This guide will walk you through configuring your OpenSSH server to only allow public key authentication and limit that to specific users and groups. Errors in this guide or mistakes or differences in system configurations could lock you out of your own systems, be very careful and do not proceed unless you understand and assume the risk you are taking.

I assume no responsibility for YOUR actions. This guide was tested on Ubuntu 7.10 and fairly recent Gentoo system.

1. Limit SSH access to public/private keys only, deny X11 and TCP forwarding, and deny root ssh access
Step 1 Discussion:
Public/Private keys are not necessarily more secure than passwords, but it’s harder to guess a private key, and if your users put passwords on their keys then an attacker must have or guess 2 things, the key and its password.

The root user is GOD on almost every Linux/*nix system out there, and nobody should be able to login directly as root remotely. In addition it’s a very common user, on almost every Linux/*nix system.

TCP and X11 forwarding is one of the coolest features of an ssh server. Unless you want people to be able to use your ssh server like a full access vpn to your local network, or any other network (bounce their attacks through your server), then you want this disabled. And X11 forwarding is great, but I never run an X11 server on something that is a “production” environment. If something requires an X11 server, like Oracle, then I run vncserver and allow ssh port forwarding so people can connect via ssh. I make sure to have full deny by default firewalls on all machines like this, limiting outbound access.

Step 1 HOWTO
Edit /etc/ssh/sshd_config
Make sure the following lines are not commented out, and don’t say something different

Protocol 2
PermitRootLogin no
UsePAM yes
PasswordAuthentication no
PubkeyAuthentication yes
RSAAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
AllowTcpForwarding no
X11Forwarding no

2. Create an ssh remote users group and add users to it who need remote ssh access
Step 2 Discussion:
The main reason I want to limit who has remote ssh access is because there are frequently system accounts or other automatically created accounts that I don’t want to have to monitor to make sure the installer didn’t just make a new user with a simple password or key. I want to have the default be nobody can ssh, and then I’ll add ssh permissions to users who need it.

Step 2 HOWTO:
Let’s call our remote ssh users list rsshusers, we create it with the command
groupadd rsshusers
Now let’s say we have a user named mikey already setup, let’s add him to our new rsshusers group, with the command
usermod -a -G rsshusers mikey
Do this for every user you want to have ssh in remotely. Note that if you’re used to logging in remotely as root and are going to stop doing that, make sure you user can su to root with the command su.
Login as the user, run
su
Put in your root password, if it accepts it and you are root (run whoami to verify) then you’re good to go. If it fails to let you su and you’re sure you have the password right you may need to be in the wheel group to us (default on FreeBSD and Gentoo).
Back as root run the following command to add your user (again, mikey in this example) to your wheel group.
usermod -a -G wheel mikey

Now we’re going to edit 2 files to limit remote ssh users to the group we made called rsshusers.
First, edit /etc/pam.d/sshd (this was ssh on my Debian/Ubuntu systems)
Add the line
account required pam_access.so

This enables access accounting based on the /etc/security/access.conf file, which is the next one we are going to edit.
On both my Gentoo and Debian system this file had every line commented out.
At the end I added the following lines.

-:ALL EXCEPT root mikey:LOCAL
+ : (rsshusers) : ALL
- : ALL : ALL

Initially I tried to use a group like @rsshusers, however this didn’t seem to work, but () designates explicitly a group.

Restart sshd
Gentoo:
/etc/init.d/sshd restart
Debian/Ubuntu:
/etc/init.d/ssh restart

Now, without closing your root terminal, open a new one and make sure you can ssh in as mikey, and su to root.

Assuming everything went well you could try ssh’ing in as another user whose public key is correctly in place, but who isn’t in the rsshusers group.

Related links:

PAM:

http://devmanual.gentoo.org/tasks-reference/pam/index.html

http://linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html

http://tldp.org/HOWTO/User-Authentication-HOWTO/

http://www.faqs.org/docs/Linux-HOWTO/Secure-Programs-HOWTO.html

OpenSSH:

http://www.openssh.com/

http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/

http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html

http://geekzine.org/2007/09/28/easy-sftp-and-chroot-sftp-with-scponly/

Misc:
Securing RedHat

http://help.unc.edu/?id=1859

Debian SSLkeys

http://wiki.debian.org/SSLkeys

Links in post:

http://www.securityfocus.com/news/11518

http://metasploit.com/users/hdm/tools/debian-openssl/

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.