In a script, I need it to enter information into /etc config files. Typically, to prove a point I will just use echo "lalala" > file, but occasionally I'd rather it just change the information already in the file, which helps in two ways: A. I don't have conflicting information, and B. I can run the script more than once.
if grep --quiet "umask 077" /etc/profile; then
echo "umask is set"
else
sed -i 's@umask 022@umask 077@g' /etc/profile
fi
If umask 077 is in /etc/profile, then we are good. If not, it will find umask 022 and change it to umask 077.
Primarily where I write my fixes to things, that I can foresee needing again. InfoSec / Linux stuff.
Wednesday, December 26, 2012
Wednesday, December 12, 2012
SSH script to wait til machine is up to login
Keeping this around for notes. I actually have another version floating around but couldn't remember where, so I put this up so I don't have to remember.
#!/bin/bash
## Silly script that doesn't ssh until the machine is up.
## Matthew M. Conley 12/12/12
##
# The shebang has to be the very first line or the kernel ignores it.
# One ping, then ssh only if the host answered.
if ping -c 1 192.168.1.1; then
ssh user@192.168.1.1
fi
A variable should work, so you can just run pingssh.sh 192.16... with your IP and have it load the IP. That's how my other script runs. Change user to the user you log in as.
#!/bin/bash
# Same script, taking the IP as the first argument: pingssh.sh <ip>
if ping -c 1 "$1"; then
ssh user@"$1"
fi
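The script above probes once and gives up if the host is still booting. As an added example (not the post's code), here is a version that actually waits: it re-probes on a timer with an attempt cap, then opens the session. The user name "user", the 5-second interval, the 60-attempt cap and the PROBE_FN hook (so the wait loop can be exercised without a live host) are all assumptions.

```shell
#!/bin/bash
# Added example, not the original post's script: poll a host until it
# answers, then ssh in. Usage: pingssh.sh <host> [user] [max_attempts]
# Assumed defaults: user "user" (as in the post), 60 attempts, 5 s apart.
set -u

# One probe, same ping flags as the post plus a 2 s reply timeout
# (iputils -W) so a dead host does not stall each attempt.
probe_host() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Returns 0 as soon as the probe succeeds, 1 after max attempts.
# PROBE_FN names the probe function; override it to test offline.
wait_for_host() {
    local host=$1 max=${2:-60} delay=${3:-5} n=0
    while ! "${PROBE_FN:-probe_host}" "$host"; do
        n=$((n + 1))
        if [ "$n" -ge "$max" ]; then
            echo "$host: no reply after $max attempts" >&2
            return 1
        fi
        sleep "$delay"
    done
    return 0
}

main() {
    local host=${1:?usage: $0 <host> [user] [max_attempts]}
    local user=${2:-user}
    wait_for_host "$host" "${3:-60}" 5 || exit 1
    # Host-key checking is left at its default: a rebuilt host with a
    # new key should fail loudly, not be trusted silently.
    exec ssh -o ConnectTimeout=10 "$user@$host"
}

# Run only when given arguments, so the functions can be sourced/tested.
if [ $# -gt 0 ]; then
    main "$@"
fi
```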
Tuesday, November 27, 2012
Joys of Subversion with a CAC card.
In $HOME/.subversion/servers, put this in the [Global] section:
#ssl-pkcs11-provider = coolkey
ssl-pkcs11-provider = cackey
Un-comment the setup you are using. I am using cackey, so that is the line I have uncommented; if you are using coolkey, put the coolkey line in instead. It's that simple, IF you already have the CAC software installed.
--update Dec 7th, 2012
Ran a test today: for SVN, coolkey WILL work with a CAC. I figured since it's been years since coolkey was notorious for failing, I would check it out today.
Alternatively, create a script to do this for the users:
# The file is "servers" (plural); anchoring the grep with ^ keeps a commented-out cackey line from counting as enabled.
if grep --quiet "^ssl-pkcs11-provider = cackey" $HOME/.subversion/servers; then
echo "SVN is cac enabled"
else
sed -i 's@#ssl-pkcs11-provider = coolkey@ssl-pkcs11-provider = cackey@g' $HOME/.subversion/servers
fi
Or, as a one-off: sed -i 's@#ssl-pkcs11-provider = coolkey@ssl-pkcs11-provider = cackey@g' $HOME/.subversion/servers
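Both this post and the umask post above use the same grep-then-sed pattern. As an added example (not the post's own script), here is that pattern generalised into a reusable function: it leaves the file alone when the wanted line is already there, rewrites the first line matching a pattern otherwise, and appends when nothing matches, going through a temp file so a crash mid-edit cannot leave a half-written /etc file. The sample file contents are constructed for the demo.

```shell
#!/bin/bash
# Added example, not the post's script: an idempotent "make sure this
# line is in this config file" helper, usable for the post's umask and
# ssl-pkcs11-provider edits. Re-running it is always safe.
set -u

# ensure_line FILE PATTERN LINE
#   - LINE already present verbatim: no change
#   - a line matches PATTERN (extended regex): first match becomes LINE
#   - otherwise: LINE is appended
ensure_line() {
    local file=$1 pattern=$2 line=$3 tmp
    if grep -qxF -- "$line" "$file"; then
        echo "unchanged: $line"
        return 0
    fi
    # cp -p keeps the original mode/owner on the temp copy, which
    # matters for files under /etc; the content is rewritten below.
    tmp=$(mktemp "$file.XXXXXX") || return 1
    cp -p -- "$file" "$tmp" || { rm -f -- "$tmp"; return 1; }
    if grep -qE -- "$pattern" "$file"; then
        # awk instead of sed so LINE needs no delimiter/escape handling.
        awk -v pat="$pattern" -v repl="$line" '
            !done && $0 ~ pat { print repl; done = 1; next }
            { print }' "$file" > "$tmp"
        echo "replaced: $line"
    else
        { cat -- "$file"; printf '%s\n' "$line"; } > "$tmp"
        echo "appended: $line"
    fi
    mv -- "$tmp" "$file"   # atomic swap on the same filesystem
}

# Demo on a constructed copy; the real targets would be /etc/profile
# and $HOME/.subversion/servers.
demo() {
    local f
    f=$(mktemp)
    printf '# constructed sample profile\numask 022\n' > "$f"
    ensure_line "$f" '^#?umask [0-7]+' 'umask 077'
    ensure_line "$f" '^#?umask [0-7]+' 'umask 077'   # second run: unchanged
    ensure_line "$f" '^#?ssl-pkcs11-provider *=' 'ssl-pkcs11-provider = cackey'
    cat -- "$f"
    rm -f -- "$f"
}
demo
```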
Saturday, October 27, 2012
Clamd has failed, and FIXED!
Cmd Service Check Raw Output: clamd is not running or is crashed.
Syslog Messages: Oct 27 12:41:13 server2 clamd[1655]: clamd daemon 0.97.6 (OS: linux-gnu, ARCH: i386, CPU: i386)
Oct 27 12:41:13 server2 clamd[1655]: Running as user clam (UID 101, GID 102)
Oct 27 12:41:13 server2 clamd[1655]: Log file size limited to -1 bytes.
Oct 27 12:41:13 server2 clamd[1655]: Reading databases from /var/lib/clamav
Oct 27 12:41:13 server2 clamd[1655]: Not loading PUA signatures.
Oct 27 12:41:13 server2 clamd[1655]: Bytecode: Security mode set to "TrustSigned".
Oct 27 12:41:18 server2 clamd[1655]: Loaded 1316697 signatures.
Oct 27 12:41:18 server2 clamd[1655]: TCP: Bound to address 127.0.0.1 on port 3310
Oct 27 12:41:18 server2 clamd[1655]: TCP: Setting connection queue length to 30
Oct 27 12:41:18 server2 clamd[1655]: LOCAL: Unix socket file /var/run/clamav/clamd.sock
Oct 27 12:41:18 server2 clamd[1655]: LOCAL: Setting connection queue length to 30
Oct 27 12:41:18 server2 clamd[1655]: daemonize() failed: Cannot allocate memory
Oct 27 12:41:18 server2 clamd[1655]: Socket file removed.
clamd on simontek.net status: failed ~~~ reason: I ran out of RAM, so I had to selectively shut things down, start clamd, then restart everything else.
Tuesday, October 23, 2012
DoD Linux
Figured to share a distro of Linux the USAF created for secure access.
http://www.spi.dod.mil/lipose.htm
Friday, September 14, 2012
Notes for IA stuff
Insert into a kickstart; used to lock a user out after 5 failed login attempts.
### Locks the user out after 5 failed login tries. unlock_time is in seconds, so 3600 is a 60-minute lockout; use unlock_time=180 for the 3-minute lockout described.
### pam_tally2.so (rather than pam_tally.so) keeps its counts in /var/log/tallylog, which is what the pam_tally2 command below reads. deny=5 must have no space.
echo "auth required pam_tally2.so onerr=fail deny=5 unlock_time=3600" >> /etc/pam.d/system-auth
Now, to unlock yourself if you mess up.
To view the failure count and lock status for an account:
pam_tally2 -u username
To reset the username account:
pam_tally2 -u username --reset
#Replace username with the actual username. Note that -r is short for --reset, so "pam_tally2 -u username -r" clears the count instead of showing it.
Also, what if you need encryption set up, but you don't want to be bothered with a password every time you boot? This is for development boxes only: it cancels out the security LUKS provides, but still lets you see whether encryption will affect your systems. Basically, if you want to lock down a machine in a production environment, DO NOT USE THIS CODE. I actually have a way to get around both, but can't publish it yet.
cd /boot/
mkdir tmp/ && cd tmp/
gunzip -c ../initrd-2.6.25-..... .img |cpio -id
echo -n "passphrase you choose" > passphrase
sed -i '103 s/$/ -d passphrase/' /boot/tmp/init
find . | cpio --create --format='newc' |gzip -c > ../initrd-2.6.25luks.img
#Ok, for the gunzip part, you need to put in your own initrd.img file name.
#The passphrase is the one you set when you encrypted the disk. Also, echo -n means no trailing newline, so the file holds exactly the passphrase.
#The 103 in the sed command is the line number in init to modify; it changes from machine setup to setup, so replace it with the correct one (typically it's line 110). $ means end of line, so " -d passphrase" is appended to that line.
Typically you want to create a new initrd.img file, so name it slightly differently.
Now to boot this, you need to modify your grub file; I would add a new entry with the modified initrd. Reboot, and your machine should boot up without bugging you for a passphrase.
Sunday, August 05, 2012
remove users from cisco ASA
config t
clear configure username user.name
Make sure you include the word username
wr
copy running-config startup-config
Tuesday, July 31, 2012
CAC SVN setup
This client is an early access release that has some limitations, including:
- The client does not prompt you for which certificate to use if you have more than one certificate on your smart card
- The client won't currently work with SELinux in enforcing mode because of a currently unresolved text relocation issue in libgcrypt. A partial mitigation for this issue is to manually set the SELinux file type for one file:
chcon -t textrel_shlib_t '/lib/libgcrypt.so.11.5.1'
- The installation requires some libraries to have more than one RPM installed, making the initial installation somewhat awkward
The library dependencies must be installed in parallel with some of the system libraries, you can't just do an upgrade on those packages, since many installed packages may depend on the current versions.
After downloading the above RPMs, use this set of commands as root to install them:
rpm -ivh --force gnutls-2.4.2-3el5.i386.rpm
rpm -ivh libtasn1-1.5-%1el5.i386.rpm neon-0.28.3-2.i386.rpm pakchois-0.4-2.i386.rpm libgcrypt-1.4.3-2el5.i386.rpm
rpm -Uvh subversion-1.5.4-3.i386.rpm
Note: we know that an installation where you must use --force is suboptimal. We are working on the issue and will fix these instructions when we have a fixed gnutls RPM.
To enable smart card support, first make sure that you have CoolKey working for other applications, such as Firefox. Then run 'svn' once to establish a $HOME/.subversion/servers file if you haven't run svn on this system previously. Edit that file and add this line in the "global" section:
ssl-pkcs11-provider = coolkey
Once you do that, you should be able to check out client-certificate protected Subversion repositories using the Linux command line client.
Tuesday, June 19, 2012
Linksys E1200 Router
I may never use this, but someone might want this for a hack.
Broadcom's BCM5357 is the CPU; to be exact, it's the BCM5357BOKFBG.
This SoC supports USB, among other things, which is header DJ2. Pin 1 is the red wire, so you should be able to solder on a USB port.
The RAM is a Winbond W9425G6JH-5 (http://www.winbond.com.tw/NR/rdonlyres/11505884-F632-41F9-9438-A3EC025FEAED/0/W9425G6JH.pdf is a useful link on that).
It's 256M DDR, 500 MHz.
Friday, June 08, 2012
Ripping DVD images, and creating images.
I have to do this a lot at work, so figured to keep it around.
Copying a DVD/CD image to the hard drive:
dd if=/dev/scd0 of=/filename.iso
While I am at it, the reverse: after making my changes, what I need to do to make an ISO.
mkisofs -o file.iso -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -l -allow-leading-dots -relaxed-filenames -joliet-long -max-iso9660-filenames -D -R -J -T -V $VOLID -v "/home/matthew/directory of files for iso"
Also, to mount an image (loop is a mount option, not a filesystem type):
mount -o loop /home/matthew/filename.iso /media/filename/
Friday, March 16, 2012
Studying for the Linux+ cert, and wanted to write down notes on LVM. It helps me to see examples of how each command is used, and I wanted one place to go look for info.
pvcreate /dev/sda6 /dev/sda7    Creates physical volumes on sda6 and sda7.
pvscan    Scans the hard drives for physical volumes.
pvdisplay    Displays more in-depth info on the physical volumes.
vgcreate vol_grp1 /dev/sda6 /dev/sda7    Creates the volume group vol_grp1 from partitions sda6 and sda7.
    -s changes the standard extent size of 4 MB to another size of your choosing.
lvcreate -L 500G -n logical_vol1 vol_grp1    Creates a 500 GB logical volume from the volume group you created earlier.
lvdisplay    Displays the logical volume info.
lvextend -L12G /dev/vol_grp1/logical_vol1    Extends the logical volume to 12 GB (-L sets an absolute size; use -L+12G to grow it by 12 GB).
Other commands:
lvchange lvdisplay lvmchange lvmdump lvreduce lvresize
lvconvert lvextend lvmconf lvmsadc lvremove lvs
lvcreate lvm lvmdiskscan lvmsar lvrename lvscan
Sunday, January 29, 2012
Needed this earlier. Came in handy. It's stupid stuff, but I forget the switches half the time.
wget -r --no-parent --reject "index.html*" http://website.com/dir/
Also: tar zxvf files.tar.gz -C /anotherDirectory/
Friday, January 27, 2012
So you're running an older version of MySQL, such as 5.0, and you want to use InnoDB as your engine.
vi /etc/my.cnf
#skip-innodb
Comment out skip-innodb and you will have the option to use it.
If you want to use InnoDB by default, add to my.cnf:
default-table-type=innodb
Reasons you may still be using an older version of MySQL include having too many databases that rely on the older code or the MyISAM engine and not wanting to mess them up.
Also, in phpMyAdmin, to convert tables to InnoDB once you have enabled it, click on "Operations" and you can change it from there.