Friday, October 10, 2025

Old site, soon newer content

Sadly, the biggest thing that stopped me from updating was that I never reset the CNAMEs. My truck broke down on the side of the road, so while waiting on a tow, I finally got around to fixing it. Wow, have things changed so much since the last time I really published anything. Now I will have a public way to share how to do STIGs and such, the modern way. Also to fix issues that other people seem to miss with SELinux.

Thursday, March 20, 2014

Building OpenSSL 1.0.1F for RHEL 6


So today I wanted to install OpenSSL 1.0.1f on my CentOS boxes. Usually I will wait for an RPM, or just build from source. Today I did a little of both, using the rpmbuild utility. You will need to have the rpmbuild utilities installed.

First download the source. What I did differently for a 64-bit build was to untar the file first, then run this against the spec file:

sed -i 's@/usr/lib@/usr/lib64@g' openssl.spec

Then run:

tar zcvf ./openssl-1.0.1fa.tar.gz openssl-1.0.1f/

rpmbuild -ts ./openssl-1.0.1fa.tar.gz

which creates the source RPM. Then run:

rpmbuild -tb ./openssl-1.0.1fa.tar.gz

which creates these packages:

openssl-1.0.1f-1.x86_64.rpm            openssl-devel-1.0.1f-1.x86_64.rpm
openssl-debuginfo-1.0.1f-1.x86_64.rpm  openssl-doc-1.0.1f-1.x86_64.rpm
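Added example (mine, not the post's command): the plain sed 's@/usr/lib@/usr/lib64@g' also rewrites anything that merely starts with /usr/lib, turning /usr/libexec into /usr/lib64exec and an existing /usr/lib64 into /usr/lib6464. This version only touches /usr/lib as a whole path component and checks the result before the tarball goes to rpmbuild. The spec lines are constructed and GNU sed is assumed for -i.

```shell
#!/bin/sh
# Added example, not the original post's command. Rewrite /usr/lib -> /usr/lib64
# in an RPM spec without mangling /usr/lib64 (-> /usr/lib6464) or /usr/libexec
# (-> /usr/lib64exec). Assumes GNU sed for the -i flag.

# Replace /usr/lib only when the next character is not alphanumeric (a '/',
# whitespace, a quote) or when /usr/lib ends the line.
fix_spec_libdir() {
    spec=$1
    sed -i \
        -e 's@/usr/lib\([^[:alnum:]]\)@/usr/lib64\1@g' \
        -e 's@/usr/lib$@/usr/lib64@' \
        "$spec"
}

# Return 0 when no bare /usr/lib path component is left, 1 otherwise.
# Run this before `rpmbuild -tb` so a half-edited spec is caught early.
check_spec_libdir() {
    if grep -Eq '/usr/lib([^[:alnum:]]|$)' "$1"; then
        return 1
    fi
    return 0
}

# Constructed sample %files fragment for a stand-alone run (not a real spec).
write_sample_spec() {
    cat > "$1" <<'EOF'
%files
%dir /usr/lib
/usr/lib/libssl.so.1.0.0
/usr/lib/libcrypto.so.1.0.0
/usr/lib64/engines/already64.so
/usr/libexec/openssl/helper
EOF
}

demo() {
    tmp=$(mktemp)
    write_sample_spec "$tmp"
    fix_spec_libdir "$tmp"
    if check_spec_libdir "$tmp"; then
        echo "spec OK:"
        cat "$tmp"
    else
        echo "bare /usr/lib still present in $tmp" >&2
    fi
    rm -f "$tmp"
}

demo
```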

Then, if you eff up an install:

cd /usr/lib64/

sudo ln -s libssl.so.1.0.0 libssl.so.10
sudo ln -s libcrypto.so.1.0.0 libcrypto.so.10
 
Then run yum update to make sure it worked.

Sunday, February 23, 2014

Eccouncil.org Hack

http://www.eccouncil.org/ has been hacked again. Awesome: the group that publishes the C|EH cert. Reasons not to get it.

From the site:
"Defaced again? Yep, good job reusing your passwords morons jack67834#"

Realistically, they should have followed the rules that they teach. I will use the STIGs as guidelines. The password they chose does not qualify under these simple guidelines.

http://www.stigviewer.com/check/V-11947: must require passwords to contain a minimum of 14 characters.
http://www.stigviewer.com/check/V-11948: must require passwords to contain at least one uppercase alphabetic character.
http://www.stigviewer.com/check/V-11972: must require passwords to contain at least one numeric character.
http://www.stigviewer.com/check/V-11973: must require passwords to contain at least one special character.
http://www.stigviewer.com/check/V-11975: must require passwords to contain no more than three consecutive repeating characters.
http://www.stigviewer.com/check/V-11976: passwords must be changed every 60 days.
http://www.stigviewer.com/check/V-11977: all non-interactive/automated processing account passwords must be changed at least once per year or be locked.
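An added example, not from the original post: a shell check of a candidate password against the five composition rules quoted above. The aging rules (60 days, yearly for service accounts) are chage and PAM settings rather than string checks, so they are out of scope here; the candidate passwords in the demo are constructed except for the one quoted from the defacement note.

```shell
#!/bin/sh
# Added example, not from the original post: check a candidate password against
# the composition rules V-11947, V-11948, V-11972, V-11973 and V-11975.
# Returns 0 if all five pass; otherwise names the first failing rule on stderr
# and returns 1. Pure POSIX sh so it runs the same on any STIG'ed box.
stig_pw_check() {
    pw=$1

    # V-11947: at least 14 characters.
    if [ "${#pw}" -lt 14 ]; then
        echo "V-11947: shorter than 14 characters" >&2; return 1
    fi
    # V-11948: at least one uppercase letter.
    case $pw in *[[:upper:]]*) ;; *) echo "V-11948: no uppercase letter" >&2; return 1;; esac
    # V-11972: at least one digit.
    case $pw in *[[:digit:]]*) ;; *) echo "V-11972: no digit" >&2; return 1;; esac
    # V-11973: at least one character that is neither a letter nor a digit.
    case $pw in *[![:alnum:]]*) ;; *) echo "V-11973: no special character" >&2; return 1;; esac

    # V-11975: no run of more than three identical characters in a row,
    # i.e. "aaa" is allowed, "aaaa" is not. Walk the string one char at a time.
    rest=$pw
    prev=''
    run=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}        # first character of what is left
        rest=${rest#?}               # drop it
        if [ "$c" = "$prev" ]; then
            run=$((run + 1))
        else
            run=1
            prev=$c
        fi
        if [ "$run" -gt 3 ]; then
            echo "V-11975: more than three consecutive repeating characters" >&2; return 1
        fi
    done
    return 0
}

# Stand-alone run over constructed candidates plus the password quoted above.
for candidate in 'Correct-Horse-Battery-9' 'jack67834#' 'Correct-Horse-Baaaattery-9'; do
    if stig_pw_check "$candidate"; then
        echo "PASS: $candidate"
    else
        echo "FAIL: $candidate"
    fi
done
```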

I have scripts that will set this all up automatically for Linux/UNIX. 

Tuesday, January 14, 2014

McAfee Linux HBSS

So, you have a STIG'ed box, and McAfee AV won't install. The problem is the umask of 077. The installer is supposed to temporarily set the umask to 022 for the /opt/NAI directory, but because of the STIG settings it can't. Temporary fix: add these as the first lines of the McAfee installer script.

mkdir /opt/NAI
chmod 755 /opt/NAI

That will allow the install to proceed. At the bottom of the installer, add nails:nailsgroup to a group with elevated permissions.

Hope this helps.

Tuesday, December 24, 2013

Back

The site was down due to unforeseen circumstances. It's back now, better than ever. Well, the backend is, anyway. One day I will update the front end. The big thing I need to do is either get Simontek.net USMC approved, or use a secondary blog somewhere that is. This blog would be very handy at work.

Tuesday, October 22, 2013

SELinux httpd settings

Getting SELinux to play nice with a webserver:

chcon -R -h -t httpd_sys_content_t /path/to/directory*
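Added example (not the post's command): chcon only changes the live label, and a relabel or restorecon puts the policy default back, so it helps to be able to list what under a web root httpd is not allowed to read. The function below does that over context/path lines such as GNU find's -printf '%Z %p\n' produces; the sample lines are constructed and the allowed types assume the stock targeted policy.

```shell
#!/bin/sh
# Added example, not the original post's command. Lists files under a web root
# whose SELinux type httpd_t cannot read. Input is "context path" per line, as
# produced by:   find /var/www -printf '%Z %p\n'   (GNU find, SELinux build).
# Paths containing spaces are not handled. Types assume the targeted policy.

HTTPD_OK_TYPES='httpd_sys_content_t httpd_sys_rw_content_t httpd_sys_ra_content_t httpd_sys_script_exec_t'

# Read "context path" lines on stdin; print "type path" for each file whose
# type is not in HTTPD_OK_TYPES. A context is user:role:type:level, so the
# type is the third colon-separated field.
find_mislabeled() {
    awk -v ok="$HTTPD_OK_TYPES" '
        BEGIN { n = split(ok, list, " "); for (i = 1; i <= n; i++) good[list[i]] = 1 }
        NF >= 2 {
            split($1, ctx, ":")
            if (!(ctx[3] in good)) print ctx[3], $2
        }'
}

# Constructed sample input, not from a real host: two files were copied in
# from a home directory and kept their home-directory types.
SAMPLE_FIND_Z='unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/uploaded.html
system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/uploads
unconfined_u:object_r:admin_home_t:s0 /var/www/html/app.php'

# Number of mislabeled entries in the sample (expected: 2).
count_mislabeled() {
    printf '%s\n' "$SAMPLE_FIND_Z" | find_mislabeled | wc -l | tr -d ' '
}

# Stand-alone run: show the offending files, then the fix that survives a
# relabel (record the rule with semanage, then apply it with restorecon).
printf '%s\n' "$SAMPLE_FIND_Z" | find_mislabeled
echo "fix: semanage fcontext -a -t httpd_sys_content_t '/var/www/html(/.*)?' && restorecon -Rv /var/www/html"
```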

Saturday, February 23, 2013

SSH Config files, and repo installs

In your .ssh folder, make a file called "config" and put this information in it, changed to your specs:

Host example
  Hostname example.com
  HostKeyAlias example
  Port 2222
  User linus


This is handy when you SSH into machines that have non-standard ports: with this you can now type "ssh example" and it will fill in the information needed for logging in. You still need the password, unless you set up keys. It works for scp as well. This is what I use it for.

Also, today I created a quick script for my RHEL machines.


http://www.simontek.net/linux/iso/repoinstall.sh

#!/bin/bash
# Created by Matthew M. Conley to add the EPEL and ELRepo repos to a build.
#
# grep -F matches the literal text; without it "[elrepo]" is a bracket
# expression that matches any single one of the letters e, l, r, o or p.
if grep --quiet -F "[elrepo]" /etc/yum.repos.d/*; then
   echo "EL repo is installed"
else
   rpm --import http://elrepo.org/RPM-GPG-KEY-elrepo.org
   rpm -Uvh http://elrepo.org/elrepo-release-6-5.el6.elrepo.noarch.rpm
fi

if grep --quiet -F "[epel]" /etc/yum.repos.d/*; then
   echo "epel is installed"
else
   rpm --import https://fedoraproject.org/keys
   rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
fi

It checks to see if the ELRepo and EPEL repos are installed, and installs them if not. I tend to have to do this all the time, so I figured I'd just put it in a script. I still can't tell you how often, on test builds where I didn't use a kickstart, I have to type "sed -i 's/no/yes/' /etc/sysconfig/network-scripts/ifcfg-eth0", which turns ONBOOT=no into ONBOOT=yes in the eth0 config file.

Saturday, February 16, 2013

LUKS unlock

So, I went to manually unlock a LUKS-encrypted LVM partition and realized I had to look it up. It took me a few pages, so I am just copying the notes, because I will have to do this again.
I was not using a Debian or Fedora based system, but it's handy.

cryptsetup luksOpen /dev/ 
Enter any LUKS passphrase: 
key slot 0 unlocked.
Command successful.

1. Install the LVM tools:
   $ sudo apt-get install lvm2

2. Load the necessary module(s):
   $ sudo modprobe dm-mod

3. Scan your system for LVM volumes and identify in the output the volume group name that has your Fedora volume (mine proved to be VolGroup00):
   $ sudo vgscan

4. Activate the volume group:
   $ sudo vgchange -ay VolGroup00

5. Find the logical volume that has your Fedora root filesystem (mine proved to be LogVol00):
   $ sudo lvs

6. Create a mount point for that volume:
   $ sudo mkdir /mnt/fcroot

7. Mount it:
   $ sudo mount /dev/VolGroup00/LogVol00 /mnt/fcroot -o ro,user

8. Copied my files.

Thursday, January 24, 2013

Finally getting around to doing stuff.

Well, I have finally customized this a tad. Also set up blog.simontek.net to point to this site. I have been playing with the idea of putting a blog on my site for years, and just finally thought: eh, I actually like Blogger. Screw it, I am just going to continue using this.

Btw, remind me to do this: I wrote a script to install the files on a RHEL/CentOS 5/6 or Fedora box, 32/64 bit, to set up cackey, which also sets up Subversion to use a CAC, and Firefox (so you can check your email). Wrote another one for Debian-based and OS X-based systems.

Wednesday, December 26, 2012

Using sed instead of echo

In a script, I need it to enter information into /etc config files. Typically, to prove a point, I will just use echo "lalala" > file, but occasionally I would rather it just change the information already there. That helps in two ways: A. I don't have conflicting information, and B. I can run the script more than once.

if grep --quiet "umask 077" /etc/profile; then
   echo "umask is set"
else
   sed -i 's@umask 022@umask 077@g' /etc/profile
fi

If umask 077 is in /etc/profile, then we are good. If not, it will find umask 022 and change it to umask 077.


Wednesday, December 12, 2012

SSH script to wait til machine is up to login

Keeping this around for notes. I actually have another version floating around, but couldn't remember where, so I put this up so I don't have to remember.


#!/bin/bash
## Silly script that doesn't ssh until the machine is up.
## Matthew M. Conley 12/12/12
##

# One ping; only ssh in if the host answered.
ping -c 1 192.168.1.1
if [ $? -eq 0 ]; then
    ssh user@192.168.1.1
fi

A variable should work so you can just do pingssh.sh 192.16..., entering your IP, and have it load the IP. That's how my other script runs. Change user to the user you log in as.


#!/bin/bash
# Usage: pingssh.sh <ip>
ping -c 1 "$1"
if [ $? -eq 0 ]; then
    ssh user@"$1"
fi
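Added example (not the original script): the one-shot ping above gives up if the machine is still booting, so this version retries the probe until the host answers or an attempt budget runs out, then logs in. iputils ping is assumed for the default probe; the probe command is a parameter so the function can be exercised without a network.

```shell
#!/bin/sh
# Added example, not the original script: keep probing until the host answers
# (or the attempt budget is used up) instead of pinging once, then ssh in.
#
# wait_for_host HOST MAX_ATTEMPTS DELAY_SECONDS [PROBE_COMMAND]
#   PROBE_COMMAND is run as "$PROBE_COMMAND HOST" and must exit 0 when the
#   host is reachable. The default assumes iputils ping, where -W is the
#   per-reply timeout in seconds. Returns 0 once a probe succeeds, 1 if none did.
wait_for_host() {
    host=$1
    max=$2
    delay=$3
    probe=${4:-"ping -c 1 -W 2"}
    attempt=0
    while [ "$attempt" -lt "$max" ]; do
        if $probe "$host" >/dev/null 2>&1; then
            return 0
        fi
        attempt=$((attempt + 1))
        if [ "$attempt" -lt "$max" ]; then
            sleep "$delay"
        fi
    done
    return 1
}

# Usage: pingssh <host>   (SSH_USER overrides the login name; default is $USER)
# 30 attempts 5 seconds apart gives a rebooting box about two and a half minutes.
pingssh() {
    if wait_for_host "$1" 30 5; then
        ssh "${SSH_USER:-$USER}@$1"
    else
        echo "$1 did not answer after 30 attempts" >&2
        return 1
    fi
}
```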


Tuesday, November 27, 2012

Joys of Subversion with a CAC card.

In $HOME/.subversion/servers

put this in the [global] section:


#ssl-pkcs11-provider = coolkey
ssl-pkcs11-provider = cackey

Un-comment the setup you are using. I am using cackey so I have coolkey uncommented, but if you are using coolkey, put the coolkey line in. It's that simple, IF you already have the CAC software installed.
--update Dec 7th, 2012
Ran a test today; for SVN, coolkey WILL work with a CAC. I figured since it's been years since coolkey was notorious for failing, I would check it out today.


Alternatively, you can just do this. Create a script to do it for the users:

if grep --quiet "ssl-pkcs11-provider = cackey" "$HOME/.subversion/servers"; then
   echo "SVN is CAC enabled"
else
   sed -i 's@#ssl-pkcs11-provider = coolkey@ssl-pkcs11-provider = cackey@g' "$HOME/.subversion/servers"
fi

Or, as a one-off: sed -i 's@#ssl-pkcs11-provider = coolkey@ssl-pkcs11-provider = cackey@g' "$HOME/.subversion/servers"
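Added example, not the author's scripts: one idempotent helper that covers both the umask 077 edit from the "Using sed instead of echo" post and the Subversion servers edit above. It replaces the old setting if it is there, appends the wanted line if it is not, and leaves an already-correct file alone; the sample files are constructed and GNU sed is assumed for -i.

```shell
#!/bin/sh
# Added example, not the original post's code. One idempotent helper for the
# pattern used in the umask 077 post and the Subversion cackey snippet:
# replace an existing setting if present, append it if absent, do nothing if
# it is already right. Assumes GNU sed for -i.

# ensure_line FILE OLD_REGEX WANTED_LINE
#   OLD_REGEX is a sed basic regex for the text to replace (e.g. "umask 022").
#   WANTED_LINE is the literal line that must end up in FILE; leading
#   whitespace on an existing line is preserved. Neither argument may contain
#   the '@' delimiter used in the sed expression or regex metacharacters.
ensure_line() {
    file=$1
    old=$2
    want=$3
    if grep -q -- "^[[:space:]]*${want}[[:space:]]*$" "$file"; then
        return 0                                   # already configured
    elif grep -q -- "$old" "$file"; then
        sed -i "s@${old}@${want}@" "$file"          # fix the existing setting in place
    else
        printf '%s\n' "$want" >> "$file"           # setting absent: add it
    fi
}

# Constructed stand-ins for /etc/profile and ~/.subversion/servers so the
# example runs without touching real files.
write_sample_profile() {
    cat > "$1" <<'EOF'
# /etc/profile (constructed fragment)
if [ $UID -gt 199 ]; then
    umask 022
fi
EOF
}

write_sample_servers() {
    cat > "$1" <<'EOF'
[global]
#ssl-pkcs11-provider = coolkey
store-passwords = no
EOF
}

demo() {
    p=$(mktemp)
    s=$(mktemp)
    write_sample_profile "$p"
    ensure_line "$p" 'umask 022' 'umask 077'
    ensure_line "$p" 'umask 022' 'umask 077'       # second run is a no-op
    write_sample_servers "$s"
    ensure_line "$s" '#ssl-pkcs11-provider = coolkey' 'ssl-pkcs11-provider = cackey'
    cat "$p" "$s"
    rm -f "$p" "$s"
}

demo
```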

Saturday, October 27, 2012

Clamd has failed, and FIXED!

Cmd Service Check Raw Output: clamd is not running or is crashed.


Syslog Messages: Oct 27 12:41:13 server2 clamd[1655]: clamd daemon 0.97.6 (OS: linux-gnu, ARCH: i386, CPU: i386)
Oct 27 12:41:13 server2 clamd[1655]: Running as user clam (UID 101, GID 102)
Oct 27 12:41:13 server2 clamd[1655]: Log file size limited to -1 bytes.
Oct 27 12:41:13 server2 clamd[1655]: Reading databases from /var/lib/clamav
Oct 27 12:41:13 server2 clamd[1655]: Not loading PUA signatures.
Oct 27 12:41:13 server2 clamd[1655]: Bytecode: Security mode set to "TrustSigned".
Oct 27 12:41:18 server2 clamd[1655]: Loaded 1316697 signatures.
Oct 27 12:41:18 server2 clamd[1655]: TCP: Bound to address 127.0.0.1 on port 3310
Oct 27 12:41:18 server2 clamd[1655]: TCP: Setting connection queue length to 30
Oct 27 12:41:18 server2 clamd[1655]: LOCAL: Unix socket file /var/run/clamav/clamd.sock
Oct 27 12:41:18 server2 clamd[1655]: LOCAL: Setting connection queue length to 30
Oct 27 12:41:18 server2 clamd[1655]: daemonize() failed: Cannot allocate memory
Oct 27 12:41:18 server2 clamd[1655]: Socket file removed.

clamd on simontek.net status: failed ~~~ reason: I ran out of RAM, so I had to selectively shut things down, start clamd, then restart everything else.

Tuesday, October 23, 2012

DoD Linux

Figured I'd share a distro of Linux the USAF created for secure access.

http://www.spi.dod.mil/lipose.htm

Friday, September 14, 2012

Notes for IA stuff

Insert into a kickstart; used to lock a user out after 5 failed login attempts.
### Locks the user out after 5 failed login tries. unlock_time is in seconds: 3600 is an hour, 180 would be a 3 minute lockout.
echo "auth required pam_tally.so onerr=fail deny=5 unlock_time=3600" >> /etc/pam.d/system-auth

Now to unlock yourself if you mess up.

To view the failure count for an account:
pam_tally2 -u username

To reset the count for an account:

pam_tally2 -u username --reset

# Replace username with the actual username


Also, what if you need encryption set up, but you don't want to be bothered with a passphrase every time you boot? This is for development boxes only, as it cancels out the security LUKS provides, but it still lets you see whether encryption will affect your systems. Basically, if you want to lock down a machine in a production environment, DO NOT USE THIS CODE. I actually have a way to get around both, but can't publish it yet.


cd /boot/
mkdir tmp/ && cd tmp/
gunzip -c ../initrd-2.6.25-..... .img |cpio -id
echo -n "passphrase you choose" > passphrase
sed -i '103 s/$/ -d passphrase/' /boot/tmp/init
find . | cpio --create --format='newc' |gzip -c > ../initrd-2.6.25luks.img

# For the gunzip part, put in the name of your initrd.img file.
# The passphrase is the one you set when encrypting. echo -n means no trailing newline.

The 103 in the sed command is a line number; it changes from machine setup to setup, so replace it with the correct one (typically it's line 110). $ means end of line.

Typically you want to create a new initrd.img file, so name it slightly differently.

Now, to boot this you need to modify your grub file; I would add a new entry with the modified information. Reboot, and your machine should boot up without bugging you for a passphrase.


Sunday, August 05, 2012

remove users from cisco ASA

config t

clear configure username user.name

Make sure you include the word username.

wr

copy running-config startup-config

Tuesday, July 31, 2012

CAC SVN setup

This client is an early access release that has some limitations, including:
  • The client does not prompt you for which certificate to use if you have more than one certificate on your smart card.
  • The client won't currently work with SELinux in enforcing mode because of a currently unresolved text relocation issue in libgcrypt. A partial mitigation for this issue is to manually set the SELinux file type for one file:
    chcon -t textrel_shlib_t '/lib/libgcrypt.so.11.5.1'
  • The installation requires some libraries to have more than one RPM installed, making the initial installation somewhat awkward.

You'll need to get at least these .i386.rpm packages from the file release system:

The library dependencies must be installed in parallel with some of the system libraries; you can't just do an upgrade on those packages, since many installed packages may depend on the current versions.

After downloading the above RPMs, use this set of commands as root to install them:

rpm -ivh --force gnutls-2.4.2-3el5.i386.rpm
rpm -ivh libtasn1-1.5-%1el5.i386.rpm neon-0.28.3-2.i386.rpm pakchois-0.4-2.i386.rpm libgcrypt-1.4.3-2el5.i386.rpm
rpm -Uvh subversion-1.5.4-3.i386.rpm

Note: we know that an installation where you must use --force is suboptimal. We are working on the issue and will fix these instructions when we have a fixed gnutls RPM.

To enable smart card support, first make sure that you have CoolKey working for other applications, such as Firefox. Then run 'svn' once to establish a $HOME/.subversion/servers file if you haven't run svn on this system previously. Edit that file and add this line in the "global" section:

ssl-pkcs11-provider = coolkey

Once you do that, you should be able to check out client-certificate protected Subversion repositories using the Linux command line client.

Tuesday, June 19, 2012

Linksys E1200 Router

I may never use this, but someone might want it for a hack.

Broadcom's BCM5357 is the CPU; to be exact it's BCM5357BOKFBG.
This SoC supports USB, among other things, which is on header DJ2. Pin 1 is the red wire, so you should be able to solder on a USB port.

The RAM is a Winbond W9425G6JH-5 (http://www.winbond.com.tw/NR/rdonlyres/11505884-F632-41F9-9438-A3EC025FEAED/0/W9425G6JH.pdf is a useful link on that).
It's 256M, DDR 500 MHz.


Friday, June 08, 2012

Ripping DVD images, and creating images.

I have to do this a lot at work, so figured to keep it around.

Copying a DVD/CD image to the hard drive:

dd if=/dev/scd0 of=/filename.iso

While I am at it, the reverse: after making my changes, what I need to do to make an ISO.

mkisofs -o file.iso -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -l -allow-leading-dots -relaxed-filenames -joliet-long -max-iso9660-filenames -D -R -J -T -V $VOLID -v /home/matthew/directory of files for iso

Also, to mount an image:

mount -o loop /home/matthew/filename.iso /media/filename/

Friday, March 16, 2012

Studying for the Linux+ cert, and wanted to write down notes on LVM. It helps me to see examples of how each command is used, and I wanted one place to go look for info.


pvcreate /dev/sda6 /dev/sda7    Creates physical volumes on /dev/sda6 and /dev/sda7.

pvscan    Scans the hard drives for physical volumes.

pvdisplay    Displays more in-depth info on the physical volumes.

vgcreate vol_grp1 /dev/sda6 /dev/sda7    Creates the volume group vol_grp1 from partitions sda6 and sda7.

    -s changes the default physical extent size of 4 MB to another size of your choosing.

lvcreate -L 500G -n logical_vol1 vol_grp1    Creates a 500 GB logical volume from the volume group you created earlier.

lvdisplay    Displays the logical volume info.

lvextend -L+12G /dev/vol_grp1/logical_vol1    Extends the logical volume by 12 GB.

other commands.

lvchange lvdisplay lvmchange lvmdump lvreduce lvresize
lvconvert lvextend lvmconf lvmsadc lvremove lvs
lvcreate lvm lvmdiskscan lvmsar lvrename lvscan

Sunday, January 29, 2012

Needed this earlier. Came in handy. It's stupid stuff, but I forget the switches half the time.

wget -r --no-parent --reject "index.html*" http://website.com/dir/

Also: tar zxvf files.tar.gz -C /anotherDirectory/

Friday, January 27, 2012

So you're running an older version of MySQL, such as 5.0, and you want to use InnoDB as your engine.

vi /etc/my.cnf

#skip-innodb


Comment out skip-innodb and you will have the option to use it.

If you want to use InnoDB by default, add this to my.cnf:

default-table-type=innodb

Reasons you may still be using an older version of MySQL include having too many databases that rely on the older code or the MyISAM engine, and not wanting to mess them up.

Also, in phpMyAdmin, to convert tables to InnoDB once you have enabled it, click on "Operations" and you can change it from there.

Friday, December 30, 2011

HP Microserver storage system.

http://www.homedepot.com/Featured-Products-Storage-Solutions-Crate-Bin-and-Cubbie-Storage/h_d1/N-5yc1vZc0wh/R-202104735/h_d2/ProductDisplay?langId=-1&storeId=10051&catalogId=10053&superSkuId=202858033

I bought this today; I needed a way to organize some electronics and what-the-heck stuff. Then when I got home I realized that the HP Microserver fits perfectly, with enough room around it for breathing. I used wood glue in the construction to make the build stronger. Habit: all cheap furniture, I use wood glue.

Thursday, December 29, 2011

---> Package antlr.x86_64 0:2.7.6-4jpp.2 set to be updated
---> Package java-1.4.2-gcj-compat.x86_64 0:1.4.2.0-40jpp.115 set to be updated
--> Processing Dependency: /usr/bin/rebuild-security-providers for package: java-1.4.2-gcj-compat
--> Processing Dependency: /usr/bin/rebuild-security-providers for package: java-1.4.2-gcj-compat
--> Processing Dependency: /usr/bin/rebuild-security-providers for package: java-1.4.2-gcj-compat
--> Processing Dependency: /usr/bin/rebuild-security-providers for package: java-1.4.2-gcj-compat
--> Finished Dependency Resolution
java-1.4.2-gcj-compat-1.4.2.0-40jpp.115.x86_64 from base has depsolving problems
--> Missing Dependency: /usr/bin/rebuild-security-providers is needed by package java-1.4.2-gcj-compat-1.4.2.0-40jpp.115.x86_64 (base)
Error: Missing Dependency: /usr/bin/rebuild-security-providers is needed by package java-1.4.2-gcj-compat-1.4.2.0-40jpp.115.x86_64 (base)
You could try using --skip-broken to work around the problem
You could try running: package-cleanup --problems
package-cleanup --dupes
rpm -Va --nofiles --nodigest
The program package-cleanup is found in the yum-utils package.

I was actually trying to remove Java and Tomcat from the server, but this was giving me issues. So I ran:

rpm -Uvh http://plone.lucidsolutions.co.nz/linux/centos/images/jpackage-utils-compat-el5-0.0.1-1.noarch.rpm


yum update

to confirm that it had been resolved.

I wish I had posted the PHP issues I was having and how I resolved them, but I deleted the notes. That RPM installed what I needed to fix those issues; then I removed the packages I didn't want, such as Java, Tomcat, and Eclipse.

Tuesday, December 27, 2011


HP ProLiant N40L Ultra Micro Tower Server System AMD Turion II Neo N40L

Wanted to post a picture of the motherboard in case anyone needed it.

Monday, November 21, 2011

To find the SSH port on a server, with the help of WHM:

http://ip:2086/xml-api/cpanel?user=cpanel&cpanel_xmlapi_apiversion=1&cpanel_xmlapi_module=SSH&cpanel_xmlapi_func=getport

Useful when people forget their SSH ports.

Thursday, November 03, 2011

This is for VPS, dedicated, etc. Wrote the howto about 10 mins ago.

1. Login to your server via SSH as root.

Then type: cd /usr/local/src/

2. Download RKHunter version 1.3.8

Type: wget http://sourceforge.net/projects/rkhunter/files/rkhunter/1.3.8/rkhunter-1.3.8.tar.gz

3. Extract the files

Type: tar -xzvf rkhunter-1.3.8.tar.gz

4. Type: cd rkhunter-1.3.8

5. Type: ./installer.sh --install

6. Set up RKHunter to e-mail you daily scan reports.

Type: nano -w /etc/cron.daily/rkhunter.sh
Add the following:
#!/bin/bash
/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" name@domain.com

Type: chmod +x /etc/cron.daily/rkhunter.sh

Wednesday, September 14, 2011

Stupid expression that comes in handy.

cat document | mail -s subject email@domain.com

What I tend to use it for is something like nmap 192.168.0.1-254 >> file, then email the document to myself. I could probably just do nmap IPs >> file | mail -s subject email@domain.com, but I like to read through the file. It comes in handy.

Friday, February 25, 2011

Ok, so a server was rootkitted. Not mine, a client's. It was on a XenServer. All the /bin files were hosed. Because of this (/bin/basename, /bin/hostname, /bin/awk, etc. were out), I couldn't get the server back online to grab all the files off of it. I am grateful the client had a near-identical build to one of mine. So I copied my /bin directory to a thumb drive and copied the files over the /bin/ directory. Reboot, and the system came back online; then I was able to use the rootkit checker to verify, and yes, there was a rootkit. The VM still has to be re-imaged, but because it could get online, we could back up the server's content and re-import it when that's done.

Monday, November 15, 2010

So, I was doing something stupid in Debian: going with the testing branch for a few files, and had an issue.

Setting up runit (2.1.1-6) ...
dpkg: error processing runit (--configure):
subprocess installed post-installation script returned error exit status 10
Errors were encountered while processing:
runit


How to fix? Easy.
Delete /var/lib/dpkg/info/runit* and /var/cache/apt/archives/runit*, and it works fine.

I actually moved the files first, just to verify it.

And to get the list, I did this:

ls /var/cache/apt/archives/ |grep runit >> /root/info

ls lists the directory, | grep (search) picks out the files I am looking for, and >> appends them to this file so I can look through it later.

Wednesday, November 03, 2010

Debian 5.0 GRUB issues I was having.

Debian showed GRUB was installed, but I still had to use a CD to boot it, so I was a bit confused. What I did was:

fdisk /dev/sda (boot drive)

p shows the list of partitions. I could see that my only partition was non-bootable.
a toggles the bootable flag on.
w saves and exits. Machine booted right up. Now to fix my X issues.

Tuesday, September 14, 2010

I was curious, with the new BlackBerry 9300, what the difference was between it and the 8520, other than 3G and GPS. Found out the CPUs are different, and the 9300 supports Wi-Fi N.

8520: 512 MHz
9300: 624 MHz. Even better, I have the exact chip: Marvell PXA930

I have a spare 8520 that I am supposed to send back this week. But I just got a copy of the 9300 BB OS 6.0, so I am going to load it and see.

Wednesday, September 08, 2010

Say you are running 64-bit Windows, you install OpenVPN, and someone gives you a script that keeps failing and you can't figure it out. I will post an example and show you the issue I was having.

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

client
dev tap
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server

pkcs12 "C:\\Program Files\\OpenVPN\\config\\foo.pfx"

reneg-sec 0
comp-lzo
verb 3
mute 20
#####

Ok, here's where the problem lies:
pkcs12 "C:\\Program Files\\OpenVPN\\config\\foo.pfx"

Needs to be changed to

pkcs12 "C:\\Program Files (x86)\\OpenVPN\\config\\foo.pfx"

The (x86) makes all the difference in the world.

Saturday, August 28, 2010

IPADDR_START=216.73.xxx.xxx
IPADDR_END=216.73.xxx.xxx
CLONENUM_START=0
NETMASK=255.255.255.0

Name the file ifcfg-eth0-range0 (or whatever the NIC is).
Also, the start IP address is the 2nd IP address in the list; the end is the last of them.

Yes, I stole/borrowed this script from Calpop. Actually one of the most useful things I got out of there.

Friday, August 27, 2010

Scripts that come in handy.

Server e-mail every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into the server and log in as root.

At command prompt type: vi .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.
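Added example, not from the original post: the .bash_profile line above only fires for interactive login shells and sits in a file root can edit, while sshd logs every accepted root login, including scp and single remote commands. This pulls those out of /var/log/secure-style lines; the sample lines are constructed with TEST-NET addresses and the mail address is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. The .bash_profile hook only runs
# for interactive login shells; sshd's own log records every accepted root
# login. This extracts those from /var/log/secure-style input.

# Read sshd log lines on stdin; print "ip method Mon DD HH:MM:SS" for each
# successful root login. Fields follow the standard syslog sshd line:
#   Mon DD HH:MM:SS host sshd[pid]: Accepted <method> for <user> from <ip> port <n> ssh2
# so $5 is "sshd[pid]:", $6 "Accepted", $7 the method, $9 the user, $11 the ip.
root_logins() {
    awk '$5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $9 == "root" {
        print $11, $7, $1, $2, $3
    }'
}

# Constructed sample log lines (TEST-NET addresses), not from a real host.
# Line 3 is a failure and must not be reported; line 2 is not root.
SAMPLE_SECURE='Aug 27 09:12:01 web1 sshd[2101]: Accepted publickey for root from 192.0.2.10 port 50122 ssh2
Aug 27 09:13:44 web1 sshd[2140]: Accepted password for matthew from 192.0.2.11 port 50130 ssh2
Aug 27 09:15:02 web1 sshd[2188]: Failed password for root from 198.51.100.7 port 40111 ssh2
Aug 27 09:20:19 web1 sshd[2201]: Accepted password for root from 198.51.100.7 port 40120 ssh2'

# Number of successful root logins in the sample (expected: 2).
count_root_logins() {
    printf '%s\n' "$SAMPLE_SECURE" | root_logins | wc -l | tr -d ' '
}

# Real use from a daily cron job: mail the list to an offsite address
# (your@email.com is a placeholder). Not called here.
report_root_logins() {
    root_logins < /var/log/secure | mail -s "root logins on $(hostname)" your@email.com
}

# Stand-alone run over the sample.
printf '%s\n' "$SAMPLE_SECURE" | root_logins
```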

Install chkrootkit

To install chkrootkit, SSH into the server and log in as root.

At command prompt type: cd /root/

At command prompt type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

At command prompt type: tar xvzf chkrootkit.tar.gz

At command prompt type: cd chkrootkit-0.44

At command prompt type: make sense


To run chkrootkit

At command prompt type: /root/chkrootkit-0.44/chkrootkit

Make sure you run it on a regular basis, perhaps including it in a cron job.
chkrootkit is a program that scans for rootkits.


To modify LogWatch, SSH into the server and log in as root.

At command prompt type: vi /etc/log.d/conf/logwatch.conf


Scroll down to

MailTo = root

and change to

Mailto = your@email.com

Note: Set the e-mail address to an offsite account in case you get hacked.


Now scroll down to

Detail = Low

Change that to Medium or High...

Detail = 5 or Detail = 10

Note: High will give you more detailed logs with all actions.

Wednesday, April 29, 2009

LDAP error i was having.

root# nss_updatedb ldap passwd
Failed to enumerate nameservice: No such file or directory
passwd... nameservice unavailable.


Go to /etc/ldap.conf and make sure

# Another way to specify your LDAP server is to this
uri ldapi:///example.com

is changed to:

uri ldap://example.com

Remove the i in ldapi and the extra /, and you're good to go.

Monday, April 20, 2009

Hmm, strange issue, but I figured it out.

CRITICAL:yum.cli:Config Error: Parsing file failed: File contains parsing errors: file:///etc/yum.conf
[line 3]: mysql* nsd* proftpd* pure-ftpd* ruby* spamassassin* syslinux*

[line 4]: squirrelmail*

The problem is that lines 3 and 4 are new lines instead of a continuation of line 2. Fix that and it works. I figure someone will have that issue, since I googled it and nothing came up.

Thursday, April 16, 2009

NIS INSTALL

I did not write this, but I used it a lot.

I wish I knew where I got the notes from, but I have kept them for a long time. I also used Yolinux.com for a lot of help.



NIS is a system which is designed to allow people to use the same username and password on a group of machines. (In NIS terms this group of machines is called a domain). This small introduction will guide you through setting up a central NIS server to centralise your logins, and a client to use it.

Of all the systems for sharing login details across multiple machines, NIS is the oldest and possibly the most widely used. Other alternatives include database systems such as LDAP (OpenLDAP) and Kerberos.

For NIS to work you need a single, central, machine which contains all the username and password pairs. Other machines will query this one when it comes to validating logins - so no local usernames and passwords need to exist.

For large systems this scales very well: when you wish to add a new user you only need to do it once on the central server rather than on each individual machine.

Installing the server is a simple matter:

name:~# apt-get install nis
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
  portmap
The following NEW packages will be installed:
  nis portmap
0 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 190kB of archives. After unpacking 699kB will be used.

Once the packages have been downloaded and installed you will need to choose a name for the domain and set this up as a master server. (In NIS terms a domain is used to refer to a group of machines, it has no connection with DNS names, or WORKGROUP names).

Once you've installed the packages and given the system a domain name, you will need to set it up as a master server. You do this by editing the file /etc/default/nis, making sure that you have the following lines:

NISSERVER=true
NISCLIENT=false

Once this is done you need to control which machines are allowed to access the NIS server. Do this by editing the file /etc/ypserv.securenets as in the following example:

# Restrict to 192.168.1.x
255.255.255.0 192.168.1.0

Restart the server with /etc/init.d/nis restart and the server is ready.

This now has us running an NIS server, the next thing to do is initialise its maps. This is a simple process of running an init command and giving it the name of the servers you're using. In our case this is just the one server we've just setup:

root@sun:~# /usr/lib/yp/ypinit -m

Now we move on to setting up the clients.

Each client will also need the NIS package, so install that:

apt-get install nis

Enter the name of the domain you chose earlier (this is stored on the server in the file /etc/defaultdomain if ever you forget it).

Once this is done you will need to set up the server to authenticate against; place its IP address in the file /etc/yp.conf, for example:

ypserver 192.168.1.1

Restart NIS with /etc/init.d/nis restart and test that this machine can access the client by running:

root@undecided:/etc# ypcat passwd
mp3:x:1002:1002::/home/mp3:
skx:x:1000:1000:Steve Kemp,,,:/home/skx:/bin/bash
ipaudit:x:1001:100::/home/ipaudit:

Here we see that we've received some results, so we're good to go.

This is the most tricky step: upon this client you need to remove all user accounts from the passwd, shadow, group, and gshadow files. Here we really do mean users as people, say all the user IDs above 1000. Leave the system accounts such as bin, bind, nobody alone.

(If you want a login to only be available on the local machine then leave it there - certainly leave the root account alone!)

For the /etc/passwd add +:::::: at the end.

For the file /etc/shadow add +::::::::, and for the other files /etc/group and /etc/gshadow add +:::.

Now try and login with a user!

When it comes time to add a new user to your setup you should only need to add it upon the server, and all machines will benefit. You may need to rerun the ypinit command we gave earlier for it to take effect though.
IPtables. Preventing multiple failed logins


iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name SSH -j DROP

Fairly easy to figure out: you fail 10 times in a minute, you get booted. I should change that to much less now that I look at it.

IPtables Block

Iptables block info

-A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.1.0/24 --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 192.168.2.0/24 --sport 22 -j ACCEPT

Actually this only allows listed ranges to login.
Java install notes:

export JAVA_HOME="/usr/java/jdk1.6.0_12/"
export JAVA_PATH="$JAVA_HOME"


# alternatives --install takes four arguments: the link, the generic name,
# the real binary and a priority (any integer; the highest wins in auto mode).
/usr/sbin/alternatives --install /usr/bin/java java /usr/java/jre1.6.0_12/bin/java 1
/usr/sbin/alternatives --config java
YEAH More notes.

So you want to ssh into boxes without typing in those pesky passwords every 2 mins.
SSH keys can be your friend. I do this within a local environment.

user@localhost:~$ ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:

DO NOT CREATE A PASSPHRASE

(The trade-off: without a passphrase, id_rsa is a bearer credential, and anyone who copies that file logs in as you. Keep it to a local network as above, or use ssh-agent, which gives you a passphrase and prompt-free logins at the same time.)

Now make sure the other machine has a .ssh directory. SSH into the box and run ssh to anything from there; that creates it for you (mkdir -m 700 ~/.ssh does the same).

Add the key to MachineB's .ssh/authorized_keys; you will be asked for the MachineB password one last time:

user@localhost:~$ cat .ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys'
b@B's password:

Now SSH into Machine B and have fun! (ssh-copy-id b@B does the copy and the permission fixes below in one step.)

Notes:

If something fails, try this.

Put the public key in .ssh/authorized_keys (authorized_keys2 is a leftover name from the protocol-2 transition; sshd still reads both by default, but authorized_keys is the normal one).
Change the permissions of .ssh to 700.
Change the permissions of .ssh/authorized_keys to 600. sshd ignores the file when .ssh, authorized_keys or your home directory is writable by group or others, and ssh -v on the client shows which keys it offered and whether the server took one.
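One way to do the install step and the permission fixes in one go, and to make a passphrase-less key less dangerous, is to restrict what the key may do from the server's side. The script below is an added example, not part of the original notes: it builds an authorized_keys entry carrying the standard from= and no-*-forwarding options, appends it only if the key is not already there, sets the modes sshd's StrictModes checks, and reports the permission mistakes the notes above list. The 192.168.1.* pattern (sshd's wildcard syntax) and the paths are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the original notes: install a public key the way
# sshd expects (directory 700, file 600, no duplicate entries) and, because
# the key above has no passphrase, restrict the entry to the network it is
# meant to be used from. The from= and no-*-forwarding options are standard
# authorized_keys options; the 192.168.1.* pattern and the paths are
# assumptions for the example.
set -eu

# restricted_entry FROM_PATTERN PUBKEY_FILE: print the authorized_keys line.
restricted_entry() {
    from=$1; pubkey=$2
    awk -v from="$from" '
        $1 ~ /^(ssh-|ecdsa-sha2-)/ && $2 ~ /^AAAA/ {
            comment = ""
            for (i = 3; i <= NF; i++) comment = comment " " $i
            printf "from=\"%s\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s %s%s\n", from, $1, $2, comment
            exit
        }' "$pubkey"
}

# install_entry ENTRY AUTH_FILE: append ENTRY unless the same key blob is
# already present; fix the modes StrictModes checks on the way.
install_entry() {
    entry=$1; auth=$2
    blob=$(printf '%s\n' "$entry" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; exit } }')
    if [ -z "$blob" ]; then
        echo "no key blob in entry" >&2
        return 1
    fi
    dir=$(dirname "$auth")
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$auth"
    chmod 600 "$auth"
    if grep -qF -- "$blob" "$auth"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$entry" >> "$auth"
    echo "installed"
}

# check_perms HOME: report what sshd's StrictModes rejects (a home, .ssh or
# authorized_keys that group or others can write). Returns 1 on any finding.
check_perms() {
    home=$1; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if [ -n "$(find "$p" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
            echo "$p is group or world writable"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "permissions ok"
    return "$rc"
}

# Usage on MachineB after copying id_rsa.pub over:
#   sh install-key.sh '192.168.1.*' /tmp/id_rsa.pub ~/.ssh/authorized_keys
if [ $# -eq 3 ]; then
    install_entry "$(restricted_entry "$1" "$2")" "$3"
    check_perms "$HOME"
fi
```

With the from= restriction in place, a copy of the key stolen off a laptop is useless from anywhere outside the listed network, and the no-*-forwarding options stop the key from being used as a tunnel endpoint; the remaining risk is the local network itself.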
Eh, useful to have Perl note.
(Sometimes I forget simple things.)


# perl -MCPAN -e shell

cpan> install Bundle::CPAN

cpan> reload cpan
Ok, stole these notes from OpenDNS. But I want my own copy of these notes that I can find when I need it.

To stop dhclient from overwriting your DNS servers in /etc/resolv.conf after a reboot or a lease renewal, make the following changes via the command line:

$ sudo cp /etc/resolv.conf /etc/resolv.conf.auto
$ gksudo gedit /etc/dhcp3/dhclient.conf
# append the following line to the document
prepend domain-name-servers 4.2.2.2,216.73.123.59;
# save and exit
$ sudo ifdown eth0 && sudo ifup eth0

You may be required to change eth0 to your own network device's name if it uses a non-standard name.

### On the prepend domain-name-servers line: please remember to change the addresses to your own DNS settings. prepend puts them in front of whatever the DHCP server hands out, so they are tried first.
Eh, this is a line from a script. Useful as hell.

Say you want a cron job to run all the time, and want each run to have its own folder, log, etc., each labeled by the date.

backup_`date +"%Y-%m-%d"` > /backup_`date +"%Y-%m-%d_%Hh%Mm%Ss"`.log

## Guide to the format letters of the date command. Case sensitive!!
## (lower-case m is the month, upper-case M the minute; mixing them up
## gives a name that looks plausible but sorts wrong)
## For use to prepend or append to a name.
## Put a % sign before each.
##
## Y = Year in 4-digit format (2006)
## m = Month number (06)
## d = Day of the month - 2 digits (05)
## T = Time in 24 hour format (17:45:52)
## H = Hour in 24-hour format (17)
## M = Minutes (35)
## S = Seconds (05)
##
## %Y%m%d%H%M%S = 20090209133424
## %Y-%m-%d_%Hh%Mm%Ss = 2009-02-09_13h34m24s
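The dated-folder idea carried through to a small script, as an added example that is not part of the original post: it creates a per-run directory and log with the sortable stamp above, refuses to reuse a directory, and prunes old runs. It assumes GNU date (its -d @EPOCH form is used so a stamp can be reproduced exactly); the root directory, prefix and backup command are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a per-run backup directory and
# log named with a sortable timestamp, plus pruning of old runs. Assumes GNU
# date (its -d @EPOCH form is used so a stamp can be reproduced in a test);
# the root directory, prefix and backup command are placeholders.
set -eu

# stamp [EPOCH]: YYYY-mm-dd_HHhMMmSSs in UTC, for now or for EPOCH.
# Lower-case %m is the month, upper-case %M the minute.
stamp() {
    if [ $# -ge 1 ]; then
        date -u -d "@$1" +%Y-%m-%d_%Hh%Mm%Ss
    else
        date -u +%Y-%m-%d_%Hh%Mm%Ss
    fi
}

# run_dated_backup ROOT PREFIX COMMAND...: create ROOT/PREFIX_<stamp>/, run
# COMMAND inside it with stdout and stderr in ROOT/PREFIX_<stamp>.log, and
# print the directory. mkdir without -p means two runs in the same second
# cannot silently write into one directory.
run_dated_backup() {
    root=$1; prefix=$2; shift 2
    name="${prefix}_$(stamp)"
    dir="$root/$name"
    mkdir "$dir"
    if ( cd "$dir" && "$@" ) > "$root/$name.log" 2>&1; then
        echo "$dir"
    else
        echo "backup failed, see $root/$name.log" >&2
        return 1
    fi
}

# keep_latest ROOT PREFIX N: remove all but the N newest PREFIX_* runs and
# their logs. Because the stamp sorts chronologically, plain sort is enough.
keep_latest() {
    root=$1; prefix=$2; n=$3
    ls -d "$root/${prefix}"_*/ 2>/dev/null | sort -r | awk -v n="$n" 'NR > n' |
    while read -r d; do
        rm -rf "$d"
        rm -f "${d%/}.log"
    done
}

# Usage from cron, keeping the last 7 runs, e.g.:
#   sh dated-backup.sh /srv/backups nightly rsync -a /etc ./
if [ $# -ge 3 ]; then
    root=$1; prefix=$2; shift 2
    run_dated_backup "$root" "$prefix" "$@"
    keep_latest "$root" "$prefix" 7
fi
```

The stamp for epoch 1234186464 is 2009-02-09_13h34m24s, the same value as the last line of the guide above, which is a quick way to convince yourself the m/M letters are the right way round.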
Backup and Restore LDAP notes.

Maybe useful for you, but mostly they are notes for me.


Backups: Back up the data with slapcat (e.g., slapcat -v -f /usr/local/etc/openldap/slapd.conf -l /path/to/backup/$(date +%Y%m%d).ldif). To ensure consistency, slapd should not be running during backups.

Restoration: To do a full restore from backup, first stop slapd and remove all LDAP data (e.g., rm -r /usr/local/var/openldap-data/* for source installations or rm /var/lib/ldap/* for Debian installations; keep DB_CONFIG if it lives in that directory, the BDB tuning settings go with it). Then use slapadd to load the data from the LDIF backup (e.g., slapadd -v -c -l example.ldif -f /usr/local/etc/openldap/slapd.conf for source installations or slapadd -v -c -l backup.ldif -f /etc/ldap/slapd.conf for Debian installations). Then run slapindex, make sure the database files are owned by the user slapd runs as (chown -R openldap:openldap /var/lib/ldap on Debian, since slapadd run as root leaves root-owned files behind), and start slapd. Note that -c tells slapadd to continue past entries it cannot load, so check its output and compare entry counts rather than assuming a clean restore.
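The checks the restore notes ask for, as an added example that is not part of the original notes: count the entries in a slapcat dump, verify the dump starts at the expected suffix and has no entry without attributes before it is trusted as a backup, and compare the count against a fresh slapcat taken after slapadd, since -c will happily skip entries. Everything is derived from the LDIF text alone (base64 dn:: lines are not decoded); the three-entry dump in sample_ldif is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original notes: sanity-check a slapcat dump
# before trusting it as a backup, and compare entry counts after a restore,
# because slapadd -c keeps going past bad entries and a restore can finish
# with fewer entries than the dump held. Everything is derived from the LDIF
# text; the sample dump below is constructed for the example (base64 dn::
# lines are not decoded).
set -eu

# ldif_entries FILE: number of entries (records starting with "dn:").
ldif_entries() {
    awk '/^dn:/ { n++ } END { print n + 0 }' "$1"
}

# ldif_check FILE BASE_DN: succeed only if FILE has entries, the first one is
# BASE_DN (slapcat emits the suffix first) and no entry lacks attributes.
ldif_check() {
    file=$1; base=$2
    awk -v base="$base" '
        /^dn:/ { n++; if (n == 1 && substr($0, 5) != base) bad_base = 1; attrs = 0; indn = 1; next }
        /^ /   { next }                                  # folded continuation line
        /^$/   { if (indn && attrs == 0) empty++; indn = 0; next }
        /^#/   { next }
        indn   { attrs++ }
        END {
            if (n == 0) { print "no entries"; exit 1 }
            if (bad_base) { print "first entry is not " base; exit 1 }
            if (indn && attrs == 0) empty++
            if (empty) { print empty " entries without attributes"; exit 1 }
            print n " entries ok"
        }' "$file"
}

# restore_matches DUMP RESTORED: compare entry counts of the backup and of a
# fresh slapcat taken after slapadd; a mismatch means -c skipped something.
restore_matches() {
    a=$(ldif_entries "$1"); b=$(ldif_entries "$2")
    if [ "$a" -ne "$b" ]; then
        echo "entry count mismatch: dump=$a restored=$b"
        return 1
    fi
    echo "restore complete: $a entries"
}

# Constructed three-entry dump in slapcat order (suffix first).
sample_ldif() {
    printf '%s\n' \
        'dn: dc=example,dc=com' 'objectClass: dcObject' 'objectClass: organization' \
        'o: Example' 'dc: example' '' \
        'dn: cn=admin,dc=example,dc=com' 'objectClass: organizationalRole' 'cn: admin' \
        'description:: c29tZSBsb25n' ' IGJhc2U2NA==' '' \
        'dn: ou=people,dc=example,dc=com' 'objectClass: organizationalUnit' 'ou: people'
}

# Usage after a backup:   sh ldif-check.sh /path/to/backup/20140320.ldif dc=example,dc=com
# Usage after a restore:  slapcat -l /tmp/after.ldif, then
#                         . ./ldif-check.sh; restore_matches backup.ldif /tmp/after.ldif
if [ $# -eq 2 ]; then
    ldif_check "$1" "$2"
fi
```

A dump that fails ldif_check is most often a slapcat run against a database slapd was still writing to, or one cut short by a full disk; either way it is not the backup to restore from.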
Clear Cache from a linux box.
Works only with Kernels 2.6.16 or newer

sync; echo 3 > /proc/sys/vm/drop_caches


Quick Script I use for the machine and cron jobs

Named: clean.sh
#!/bin/bash

###
### Shell script to clean the cache on the machine. It also lists current memory usage before and
### after the cache is cleared so I can compare. Needs to run as root.
###
### SimonTek April 16th, 2009
###
free -m
sync; echo 3 > /proc/sys/vm/drop_caches
free -m

Thursday, February 05, 2009

I wrote this for a few co-workers today. We run Linux, and this gives people options to fix stuff when I am late coming in.

Firefox or Thunderbird won't start. How to fix.

FIREFOX

user@host:~$ cd .mozilla/firefox/weirdstuff.default/
user@host:~/.mozilla/firefox/weirdstuff.default$ rm .parentlock

Command meanings:

cd = change directory; "cd ~" on its own will put you back in your home directory.

ls = list directory contents. Remember the DOS days of dir? Same thing, and dir will also work.

rm = remove. BE CAREFUL with that command.

pwd = print working directory. Basically lets you know where you are.

Also, a name that starts with a dot (.file) is hidden; ls -a lists all files, hidden ones included.

Notes:

If you hit TAB while typing, the shell finishes what you're typing for each directory.

weirdstuff.default is your profile directory; its name is different on each machine.

.parentlock is the file Firefox creates while it is running. If Firefox crashes, the file is left behind and the next start thinks another copy is still open. Only remove it when no Firefox process is actually running.


THUNDERBIRD EMAIL

cd .mozilla-thunderbird/weirdstuff.default/
rm .parentlock

example: cd .mozilla-thunderbird/nq92xeeb.default/

P.S.
Also, if you have an issue where your bookmarks have disappeared and the buttons don't work, mv places.sqlite to places.sqlite2 (you can delete it, but I always like to keep it around just in case).

Also, Firefox usually backs up your bookmarks every day (the bookmarkbackups directory in the profile), so you can roll back to one of those. But as always, make backups.

Friday, January 30, 2009

Hello. Spent the past 2 hours having an issue with MySQL InnoDB. So I figured I'd post the answer.

I was installing RT (Request Tracker) and any time it got to MySQL it came up with "InnoDB not installed or turned off". I was going INSANE, looking through my.cnf and going "it's RIGHT THERE", commenting things out and everything. Should work fine. No. I'm like, is this defined somewhere else? Nope.

Guess what the issue was. Permissions, as usual.

chmod 777 /tmp and everything went fine. I will go and tweak it after this blog; I wanted people to have an answer available. It drove me nuts.

(The proper mode for /tmp is 1777: world-writable with the sticky bit set, so users can only delete their own files. InnoDB creates its temporary files in tmpdir, /tmp by default, and disables itself at startup when it cannot write there, which is exactly the "not installed or turned off" symptom.)


What it SHOULD Do.

:/etc/mysql# /usr/sbin/rt-setup-database-3.6 --action init --dba root --prompt-for-dba-password
In order to create or update your RT database,this script needs to connect to your mysql instance on localhost as root.
Please specify that user's database password below. If the user has no database
password, just press return.

Password:
Now creating a database for RT.
Creating mysql database rtdb.
Now populating database schema.
Creating database schema.
Done setting up database schema.
Now inserting database ACLs
Done setting up database ACLs.
Now inserting RT core system objects
Checking for existing system user...not found. This appears to be a new installation.
Creating system user...done.
Now inserting RT data
Creating Superuser ACL...done.
Creating groups...3.4.5.6.7.8.9.done.
Creating users...10.12.done.
Creating queues...1.2.done.
Creating ACL...2.3.done.
Creating ScripActions...1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.done.
Creating ScripConditions...1.2.3.4.5.6.7.8.9.10.done.
Creating templates...1.2.3.4.5.6.7.8.9.10.11.12.done.
Creating scrips...1.2.3.4.5.6.7.8.9.10.11.12.13.14.done.
Creating predefined searches...1.2.3.done.
Done setting up database content.

Tuesday, September 16, 2008

Later today I will stop by Digi Comp on Santa Monica to pick up parts to explain my old Apple AirPort hack. It's 4 years old, but I never showed pictures or wrote how to get an Orinoco card to show up as an AirPort card ($20 in parts vs $125 for a used card).

Thursday, September 11, 2008




Dlink DWL 520+
Wireless hack

I usually come up with quite a few hacks, but since they usually seem simple to me, I never publish them, thinking others have done the same before. So I figured I'd start publishing them.

This hack covers how to make the D-Link DWL-520+ a bit stronger, theoretically up to 600 mW+.

First you will need a DWL-520+ card, another mini-PCI wireless card, a Phillips-head screwdriver, a soldering iron, and new antenna wire or an adapter.


First unscrew the 2 screws (the red circles in the photo mark where I had already removed them).


Now you will have access to the mini-PCI card. Basically this entire card is a PCI to mini-PCI adapter.




Lift the black tab up, and then press the release tabs of the mini-PCI card. You can unsolder the wire from the card and add your own adapter to it, or just run a new antenna wire.


A card I would love to try with this is the Extreme Range2 card. It's a lovely 600 mW card.


Once I get some new wireless cards to test more with I will update this.


******* Follow Up.

I borrowed the antenna lead off a Linksys wireless cable modem. It died, and I took it apart to see the motherboard. To my surprise it uses a mini-PCI card and is easily upgradeable. I swapped the card with an Intel card. Now I have a neat toy. It required breaking off the old antenna post, but it was worth it.




ARGG. Who the hell thinks that Blogger captchas are actually readable?