Tuesday, 18 November 2008

Samba with CUPS

Here we go again.... some notes on how to share your printer.. quick n dirty I would say.. but works.. what the hell :)

smb.conf:
[global]
load printers = no
printing = cups
printcap name = cups
show add printer wizard = no
[printers]
comment = All Printers
path = /var/spool/samba
valid users = root @samba
public = yes
guest ok = no
writable = no
printable = yes
[HP-Laser]
name = HP-Laser
valid users = root @samba
public = yes
printable = yes
available = yes
printing = lprng
printer = HP-Laser
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
path = /var/spool/samba
use client driver = yes

done here... restart samba and let's go to CUPS (after you have configured your printer over there, of course)

cupsd.conf

add
Listen 192.168.1.1:631

<Location />
Allow localhost
Allow 192.168.1.*
Order deny,allow
</Location>

and finally...

edit mime.convs and uncomment this line:
application/octet-stream        application/vnd.cups-raw        0       -

restart cups server, go to your windows box and install the drivers for the network printer.

You are good to go :)

Wednesday, 22 October 2008

eebuntu and eeepc 1000

It was a bit annoying but got it working... finally.

1. download the new version of eeebuntu from here, the standard version (more Linux-looking than the other, although the same applies there as well)

2. use an existing install of ubuntu or a VM to create the damn USB stick/bootable thingy following the "manual"

3. keep pressing escape to boot from the usb stick - install - be happy - boot the actual OS

4. realize that none of the nics work

5. download the new kernel and its modules

6. install them
sudo dpkg -i linux-image-2.6.24-21-eeepc_2.6.24-21.39eeepc1_i386.deb linux-modules-2.6.24-21-eeepc_2.6.24-21.30eeepc5_i386.deb

7. reboot and be happy!

8. realize that pressing Fn+F2 kills the laptop

9. download the alternative script

sudo mv eee-wifi-on-off.sh /etc/acpi
sudo chmod +x /etc/acpi/eee-wifi-on-off.sh

10. connect to the net and fix bluetooth
sudo apt-get install bluetooth bluez-gnome bluez-utils

11. for eee-pc related updates you can add the array repo by:
wget http://www.array.org/ubuntu/array.list
sudo mv -v array.list /etc/apt/sources.list.d/
wget http://www.array.org/ubuntu/array-apt-key.asc
sudo apt-key add array-apt-key.asc
sudo apt-get update
sudo apt-get install linux-eeepc linux-headers-eeepc

12. Force avahi to shut up and stop creating aliased NICs

chmod -x /etc/init.d/avahi*

13. go get yourself a drink :) it's not like you did something huge but at least you can enjoy your new laptop now :)

thanks for playing :)

Thursday, 16 October 2008

Solaris 10 firewalling

To make matters easy:

iptables -L == ipfstat -io

The configuration file for the firewall is on /etc/ipf/ipf.conf and its service's FMRI is svc:/network/pfil:default

ipf -E : Enable ipfilter when running for the first time.

ipf -f /etc/ipf/ipf.conf : Load rules in /etc/ipf/ipf.conf file into the active firewall.

ipf -Fa -f /etc/ipf/ipf.conf : Flush all rules, then load rules in /etc/ipf/ipf.conf into the active firewall.

ipf -Fi : Flush all input rules.

ipf -I -f /etc/ipf/ipf.conf : Load rules in /etc/ipf/ipf.conf file into inactive firewall.

ipfstat -hio : Show hits against all rules

ipfstat -t -T 5 : Monitor the state table and refresh every 5 seconds. Output is similar to 'top'

And finally an example of an ipf.conf, just for the heck of having one, just in case:

# 11/18/04 - Newest Firewall for testing.
# Rich Shattuck
# My IP: 172.16.1.100
#
# Block any packets which are too short to be real
block in log quick all with short
#
# drop and log any IP packets with options set in them.
block in log all with ipopts
#
# Allow all traffic on loopback.
pass in quick on lo0 all
pass out quick on lo0 all
#
# Public Network.   Block everything not explicitly allowed.
block in  on elxl0 all
block out on elxl0 all
#
# Allow pings out.
pass out quick on elxl0 proto icmp all keep state
#
# for testing, allow pings from ben and jerry
pass in quick on elxl0 proto icmp from 172.16.1.11/32 to 172.16.1.100/32
pass in quick on elxl0 proto icmp from 172.16.1.12/32 to 172.16.1.100/32
#
# Allow outbound state related packets.
pass out quick on elxl0 proto tcp/udp from any to any keep state
#
# allow ssh from 172.16.0.0/16 only.
# pass in log quick on elxl0 from 172.16.0.0/16 to 172.16.1.100/32 port = 22
# Actually, allow ssh only from ben, jerry, MSU
pass in log quick on elxl0 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 172.16.1.12/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22


Thanks for playing :)

Thursday, 25 September 2008

SSH configuration with certificates

Quickly now.....

### /etc/ssh/sshd_config ###
Port 22
Protocol 2
SyslogFacility LOCAL1
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
IgnoreRhosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding no
UsePrivilegeSeparation yes
Banner /etc/ssh/banner
Subsystem       sftp    /usr/libexec/openssh/sftp-server

these are openSUSE specifics:
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

### Creating SSH certs ###
ssh-keygen -b 2048 -t rsa -f certkeyfile

enter a passphrase at the prompt (can be left blank)
this will create 2 files, certkeyfile and certkeyfile.pub
cat certkeyfile.pub >> /home/target_user/.ssh/authorized_keys

copy certkeyfile to /home/source_user/.ssh/id_rsa

both files should be 600 owned by the user.
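An added example, not part of the original post: a small audit script for the setup above. It reads the effective value of the sshd_config directives the key-only login depends on, lists keywords that appear more than once (sshd takes the FIRST value of a repeated keyword, so a duplicate further down the file never overrides the first one), and checks that the key files are mode 600. File paths are passed in as arguments so it can be pointed at /etc/ssh/sshd_config or at a test copy; only POSIX sh, awk and stat are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the sshd_config
# directives and key-file permissions described above.
# Assumes only POSIX sh, awk and stat (GNU or BSD).

# Effective value of a directive: sshd uses the first non-comment match,
# keyword compared case-insensitively.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# Keywords that appear more than once (comments ignored), one per line.
sshd_duplicates() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }
        { k = tolower($1); n[k]++; if (n[k] == 2) print k }' "$1"
}

# Compare the directives that matter for key-only logins against the
# expected values. Prints one line per mismatch; returns 0 when all match.
sshd_audit() {
    rc=0
    for pair in "PasswordAuthentication=no" "PermitRootLogin=no" \
                "PubkeyAuthentication=yes" "ChallengeResponseAuthentication=no"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected $want, got '${got:-unset}'"
            rc=1
        fi
    done
    return $rc
}

# Octal mode of a file; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# id_rsa and authorized_keys must be 600 (no group/world access).
key_perms_ok() {
    [ "$(file_mode "$1")" = "600" ]
}

# Live use:
#   sshd_audit /etc/ssh/sshd_config && sshd_duplicates /etc/ssh/sshd_config
#   key_perms_ok ~/.ssh/id_rsa && key_perms_ok ~/.ssh/authorized_keys
```

sshd_duplicates would have flagged the repeated GSSAPI lines in the config above; they are harmless there because both copies say the same thing, but the same pattern with different values is how a hardening line silently stops applying.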

Tunneling:

ssh -p <ssh_port> -L <src_port>:hostname:<dest_port> username@ssh_server_host

Thanks for playing :)

Wednesday, 24 September 2008

Solaris Patching

The patching procedure should usually be undertaken in single-user mode (run level 1).

Step by step:
smpatch analyze: print out the patches that should be applied
smpatch download -d /destination : download them on that directory
smpatch update -d /destination: applies them from that destination
smpatch add -x list=/filelist-with-updates.txt : add some more patches

Patches that require an immediate reboot will be skipped, and put into a file /var/sadm/spool/disallowed_patch_list.

When you're ready to apply them, kick everybody off the system, shut down as much as you can, and do
smpatch add -x idlist=/var/sadm/spool/disallowed_patch_list

then reboot or go back to init 1 and do the full list from there..

Thanks for playing :)

Saturday, 13 September 2008

Solaris package management

Solaris package management notes...


1. prodreg ( GUI to package install or uninstall)

2. pkginfo (total installed package dump)

pkginfo -l pkgname (specific package dump pkgname is optional [will present details for all installed packages])

pkginfo -x pkgname (package info dump pkgname is optional [will present details for all installed packages])

pkginfo -i (fully installed packages)

pkginfo -p (partially installed packages)

3. pkgchk -v pkgname (checks/lists files included on the package installation)



Thats it for now :)

Wednesday, 10 September 2008

Solaris SMF and other configs

Ok.. SMF is a big thing and looks very neat... so here are some things to remember.

1. Logs from the SMF framework are kept under /var/svc/log/, in a log file whose name follows the FMRI of the service.

2. Useful commands:
svcs -a (prints out all the services installed/registered with SMF)
svcs -x FMRI (prints out status and additional info)
svcs -l FMRI (prints out verbose dependencies for the service)
svcs -d FMRI (prints out the services the FMRI depends upon)
svcs -D FMRI (prints out the services that depend upon the FMRI)
svcs -p FMRI (prints out PIDs related to the FMRI)

svcadm disable FMRI (disable a service permanently)
svcadm disable -t FMRI (disable a service until the next reboot)
svcadm disable -s FMRI (disable a service and wait until it has actually stopped)

svcadm enable FMRI (enable a service permanently)
svcadm enable -t FMRI (enable service for the current session only)
svcadm enable -r FMRI (enable service and all its dependencies)
svcadm enable -s FMRI (enable a service and wait until it is actually online)

svcadm -v refresh/restart FMRI (re-reads a service's configuration, or restarts it)

3. Disabling X server login
/usr/dt/bin/dtconfig -d (disable login screen from the next reboot)
/usr/dt/bin/dtconfig -kill (kill the login screen and Xserver NOW)

4. Change the security policy to use md5 instead of crypt for accounts, in /etc/security/policy.conf:
CRYPT_DEFAULT=__unix__  to  CRYPT_DEFAULT=md5
Note: you need to re-enter the passwords for them to be re-hashed with the selected algorithm

Friday, 15 August 2008

syslog-ng and stunnel part 2

Now we need to create the ssl certificates for the two machines (2 and 3) in order to create the tunnel.

machine 3 certificate (server)
openssl req -new -x509 -out cacert.pem -days 1095 -nodes
scp cacert.pem root@machine2:/etc/stunnel/syslog-ng-server.pem
cat privkey.pem cacert.pem > /etc/stunnel/syslog-ng-server.pem

Keep privkey.pem and cacert.pem in another directory (the next command overwrites them) and let's create the machine 2 certificates (client)
openssl req -new -x509 -out cacert.pem -days 1095 -nodes
cat privkey.pem cacert.pem > /etc/stunnel/syslog-ng-client.pem
scp syslog-ng-client.pem root@machine2:/etc/stunnel

and now the configs on each /etc/stunnel/stunnel.conf

machine2 (client):
client = yes
cert = /etc/stunnel/syslog-ng-client.pem
CAfile = /etc/stunnel/syslog-ng-server.pem
verify = 3
[5140]
accept = 127.0.0.1:514
connect = machine3-IP:5140

machine3 (server):
cert = /etc/stunnel/syslog-ng-server.pem
CAfile = /etc/stunnel/syslog-ng-client.pem
verify = 3
[5140]
accept = machine3-IP:5140
connect = 127.0.0.1:514

Now that both stunnel and syslog-ng are ready you can start them:
root@machine3:/# stunnel
root@machine3:/# service syslog-ng start

root@machine2:/# stunnel
root@machine2:/# service syslog-ng start

and hopefully all will be well (unless you have iptables blocking the damn thing! :P)

You can check out that the tunnel is up by doing:
netstat -putan | grep 5140

netstat -putan | grep 514

Finally remember to put the "stunnel" command to the rc.d of each machine so the channel can be initiated every time the machines boot up BEFORE syslog-ng.

thanks for playing :)

syslog-ng and stunnel part 1

OK... lets connect now machine 1, 2 and 3

1=main server

2=secondary server

3=log server

on machine 1 we have a syslog sending data through UDP to machine 2, and since they are VM guest and VM host the packets don't touch the wire, so we are kinda ok... on the 2 to 3 path though we are going to use syslog-ng and stunnel since our logs DO touch the wire.

after installing syslog-ng in both machines (2 and 3) we change the configuration files to:

machine 2 syslog-ng.conf:
options {
sync (0);
time_reopen (10);
log_fifo_size (4096);
create_dirs (yes);
perm (0640);
dir_perm (0750);
long_hostnames (off);
use_dns (yes);
dns_cache_hosts(/etc/hosts);
use_fqdn (yes);
keep_hostname (yes);
stats_freq(86400);
};

source s_sys {
unix-stream ("/dev/log");
file("/proc/kmsg" log_prefix("kernel: "));
udp();
internal();
};

filter f_default    { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_auth       { facility(auth); };
filter f_mail       { facility(mail); };
filter f_boot       { facility(local7); };
filter f_cron       { facility(cron); };
filter f_emerg      { level(emerg); };

destination d_default { file("/var/log/messages"); };
destination d_auth    { file("/var/log/secure"); };
destination d_mail    { file("/var/log/maillog"); };
destination d_boot    { file("/var/log/boot.log"); };
destination d_cron    { file("/var/log/cron"); };
destination d_cons    { file("/dev/console"); };
destination d_user    { usertty("*"); };
destination d_loghost {tcp("127.0.0.1" port(514));};

log { source(s_sys); filter(f_default); destination(d_default); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
log { source(s_sys); filter(f_emerg); destination(d_cons); destination(d_user); };
log { source(s_sys); destination(d_loghost); };

this is pretty much it and ready to roll

before we roll we need to setup machine 3 and most of all stunnel on machines 2 and 3

machine 3 syslog-ng.conf:
options {
sync (0);
time_reopen (10);
log_fifo_size (4096);
create_dirs (yes);
perm (0640);
dir_perm (0750);
long_hostnames (off);
use_dns (yes);
dns_cache_hosts(/etc/hosts);
use_fqdn (yes);
keep_hostname (yes);
stats_freq(86400);
};

source s_sys {
unix-stream ("/dev/log");
file("/proc/kmsg" log_prefix("kernel: "));
tcp (ip ("127.0.0.1") port(514) max-connections (1));
internal();
};

filter f_default    { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_auth       { facility(auth); };
filter f_mail       { facility(mail); };
filter f_boot       { facility(local7); };
filter f_cron       { facility(cron); };
filter f_emerg      { level(emerg); };

destination d_default { file("/var/log/messages"); };
destination d_auth    { file("/var/log/secure"); };
destination d_mail    { file("/var/log/maillog"); };
destination d_boot    { file("/var/log/boot.log"); };
destination d_cron    { file("/var/log/cron"); };
destination d_cons    { file("/dev/console"); };
destination d_user    { usertty("*"); };

log { source(s_sys); filter(f_default); destination(d_default); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
log { source(s_sys); filter(f_emerg); destination(d_cons); destination(d_user); };

now we are done with configuring syslog-ng

before we start it we need to hook up the stunnel so the encrypted channel is set up

move on to part 2

Thursday, 31 July 2008

Solaris shell services and packages

On my way to a mystical and magical world... the world of Solaris...

Unfortunately things aren't as fun and exciting as they sound... first impression... the system looks annoying.. uses korn shell and not the dearly beloved bash... and has no freaking colors... what are solaris admins?? colorblind? and what the hell! I like ps auxfw why do I have to do a ps -ef now!?... just annoying!
OK lets put the bitching aside and start getting the hang of this thing...

First things first! replace /sbin/sh with /bin/bash in the /etc/passwd

Second! Go to sunfreeware.com and download pine (of course!) and coreutils... gunzip and pkgadd -d to install

Third! create a .profile for root and add:
PATH="/usr/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/usr/ucb:/usr/local/bin/"
export PATH
PS1="\u@\h:\w> "
alias ls="/usr/local/bin/ls --color"

Good.. it almost feels like home now!

other useful commands:

Install pine package
pkgadd -d pine-4.64-sol10-x86-local

Print system configuration
prtconf -v

Observe or configure inetd-controlled services
inetadm for a list of services
inetadm -l FMRI (to see more options settings)
inetadm -e FMRI (enable service)
inetadm -d FMRI (disable service)
inetadm -m FMRI option="setting" (change service settings)
inetadm -p (print out the global settings for all services of inetadm)
inetadm -M option=setting (change options for all services of inetadm)

Print processor information
psrinfo -v

Print system definition information
sysdef

File containing the name corresponding to the net interface
/etc/hostname.pcn0

Top lookalike
prstat

Thats all for now...

Thanks for playing :)

Tuesday, 15 July 2008

Dell Poweredge 860 RAID Controller

Fixing up the RAID Controller write cache:
1. Download and install the driver from here
2. Download the lsiutil utility from here
3. Run it and configure the controller thusly:
ocsp2:~# ./mptlinux/lsiutil/lsiutil

LSI Logic MPT Configuration Utility, Version 1.38, July 6, 2005

1 MPT Port found

     Port Name         Chip Vendor/Type/Rev    MPT Rev  Firmware Rev
 1.  /proc/mpt/ioc0    LSI Logic SAS1068 B0      105      000a310

Select a device:  [1-1 or 0 to quit] 1

 1.  Identify firmware, BIOS, and/or FCode
 2.  Download firmware (update the FLASH)
 4.  Download/erase BIOS and/or FCode (update the FLASH)
 8.  Scan for devices
10.  Change IOC settings (interrupt coalescing)
13.  Change SAS IO Unit settings
16.  Display attached devices
20.  Diagnostics
21.  RAID actions
22.  Reset bus
23.  Reset target
30.  Beacon on
31.  Beacon off
97.  Reset SAS phy
98.  Reset SAS link
99.  Reset port

Main menu, select an option:  [1-99 or e for expert or 0 to quit] 21

 1.  Show volumes
 2.  Show physical disks
 3.  Get volume state
23.  Replace physical disk
30.  Create volume
31.  Delete volume
32.  Change volume settings

RAID actions menu, select an option:  [1-99 or e for expert or 0 to quit] 32

Volume:  [0-1 or RETURN to quit] 

Volume 0 Settings:  write caching disabled, auto configure, priority resync
Volume 0 draws from Hot Spare Pools:  

Enable write caching:  [Yes or No, default is No] yes
Offline on SMART data:  [Yes or No, default is No]
Auto configuration:  [Yes or No, default is Yes]
Priority resync:  [Yes or No, default is Yes]
Hot Spare Pools (bitmask of pool numbers):  [00 to FF, default is 01]

RAID actions menu, select an option:  [1-99 or e for expert or 0 to quit] 

Main menu, select an option:  [1-99 or e for expert or 0 to quit] 

     Port Name         Chip Vendor/Type/Rev    MPT Rev  Firmware Rev
 1.  /proc/mpt/ioc0    LSI Logic SAS1068 B0      105      000a310

Select a device:  [1-1 or 0 to quit]
Many thanks to Jan Tomášek whose blog I copied (just in case)
I couldn’t have done it without his guidance

Thursday, 10 July 2008

USB Stick bootable with encrypted partition

So I got this 4GB Sandisk thumb drive...

lets make it useful now...

Under linux:
cfdisk /dev/sdc
or
fdisk /dev/sdc

delete all partitions, create one FAT16 and one Linux, mark FAT16 as bootable and format them:
mkdosfs -F 16 /dev/sdc1

Install backtrack.. (I said useful right??)
mount /dev/sdc1 /mnt/memory

download the USB version from here
mount -o loop -t iso9660 bt3final_usb.iso /mnt/iso
cp /mnt/iso/* /mnt/memory
cd /mnt/memory/boot
./bootinst.sh

lets encrypt the other partition now...

boot Backtrack using the usb stick

create the encrypted volume
truecrypt /dev/sdc2

select None for filesystem

Load the volume without mounting it
truecrypt /dev/sdc2

truecrypt -vl
/dev/mapper/truecrypt0:
Volume: /dev/sda2
Type: Normal
Size: 2060089856 bytes
Encryption algorithm: AES-Twofish-Serpent
Mode of operation: LRW
Read-only: No
Hidden volume protected: No

mkfs.ext2 /dev/mapper/truecrypt0

to format the partition using the ext2 filesystem

dismount
truecrypt -d /dev/sdc2

and mount again using the truecrypt utility
truecrypt /dev/sdc2 /mnt/memory

all done!

thanks for playing :)

Tuesday, 8 July 2008

Useful one-liners

Some useful one liners for bash scripting....

Removing the lines that start with #
cat file.conf | sed '/ *#/d; /^ *$/d'
Replacing text within configuration files (replace yes with no when PRELINKING)
sed '/PRELINKING/s/yes/no/g' /etc/sysconfig/prelink > /etc/sysconfig/prelink.new 
awk '/PRELINKING/{gsub(/yes/, "no")};{print}' /etc/sysconfig/prelink > /etc/sysconfig/prelink.new
Delete all blank lines on a file
sed '/^$/d' filename
Number lines (except blank ones)
awk 'NF{$0=++a " :" $0};{print}' filename
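As an added example (not the post's own one-liners), here are the same sed/awk idioms wrapped in functions and run over a small constructed config file standing in for /etc/sysconfig/prelink, so the results can be checked. Only POSIX sh, sed and awk are assumed. The comment-stripping pattern is anchored to the start of the line, which the version above is not: '/ *#/d' also deletes any line that merely contains a '#' somewhere in a value.

```shell
#!/bin/sh
# Added example (not from the original post): the sed/awk one-liners above
# as functions, exercised on a constructed config file. Assumes only sh,
# sed and awk.

# Constructed sample config, standing in for /etc/sysconfig/prelink.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Set this to no to disable prelinking altogether
PRELINKING=yes

   # indented comment
PRELINK_OPTS=-mR
EOF
}

# Drop comment lines (whitespace then '#') and blank lines. Anchoring with ^
# keeps lines whose *value* contains a '#' (e.g. a PS1 string) intact.
strip_comments() {
    sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' "$1"
}

# Flip yes -> no only on the PRELINKING line; every other line is passed
# through unchanged (sed is line-oriented, so the address limits the edit).
disable_prelink() {
    sed '/PRELINKING/s/yes/no/' "$1"
}

# Number the non-blank lines ("N :line"); blank lines stay blank.
number_lines() {
    awk 'NF{$0=++a " :" $0}{print}' "$1"
}

# Live use:
#   strip_comments /etc/sysconfig/prelink
#   disable_prelink /etc/sysconfig/prelink > /etc/sysconfig/prelink.new
```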


to be updated...


Monday, 2 June 2008

Full Disk Check - Notify

Another stupid little script written with the same principle as the previous ones to notify the administrator when a drive reaches 99% usage.
#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin

FULL_DRIVES=`df -h | grep "99%"`
SPACE_USE=`echo $FULL_DRIVES | awk '{print $5}'`
PERCENT=`echo ${SPACE_USE%%%}`

if [ "$PERCENT" = "99" ]
then
wget "http://api.clickatell.com/http/auth?api_id=yourapi_id&user=usrname&password=passwd" -O /tmp/sessionid -q
# Create session and save to /tmp/sessionid
sessionid=`cat /tmp/sessionid | awk '{print $2}'`
# use only the session id for the variable
smssend clickatell.sms $sessionid usrname passwd yourapi_id "SystemAlert" phoneNo "$FULL_DRIVES"
# send sms
else
echo "No disks have reached critical usage"
fi
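As an added example, not the post's own script: the same check rewritten to read portable `df -P` output line by line with a configurable threshold, so a filesystem at 100% (which "99%" never matches) and several full filesystems at once are all reported. SAMPLE_DF is constructed df output used for the demo, and notify() is a hypothetical hook standing in for the clickatell session + smssend calls above.

```shell
#!/bin/sh
# Added example (not from the original post): threshold check over `df -P`
# output. SAMPLE_DF is constructed; notify() is a hypothetical hook where
# the clickatell/smssend call would go. Assumes only sh and awk.

THRESHOLD=${THRESHOLD:-90}

# Constructed `df -P` output: Filesystem Blocks Used Available Capacity Mounted on.
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1         41152736 39503912   1648824      96% /
tmpfs              2017440        0   2017440       0% /dev/shm
/dev/sdb1        103079096 103079096        0     100% /var/backup
/dev/sdc1         20511356  1234567  19276789       6% /home'

# Print "<percent> <mountpoint>" for every filesystem at or above the limit.
# $5 is the Capacity column; the trailing % is stripped before comparing.
full_filesystems() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        NR > 1 {
            pct = $5; sub(/%$/, "", pct)
            if (pct + 0 >= limit) print pct, $6
        }'
}

# Hypothetical notification hook: in the original this is the wget session
# call followed by smssend.
notify() {
    printf 'ALERT: %s\n' "$1"
}

# Returns 1 (and notifies) when any filesystem is over THRESHOLD, else 0.
check_disks() {
    hits=$(full_filesystems "$1" "$THRESHOLD")
    if [ -n "$hits" ]; then
        notify "$(printf '%s' "$hits" | tr '\n' ';')"
        return 1
    fi
    echo "No disks have reached critical usage"
    return 0
}

# Live use (cron): check_disks "$(df -P)"
```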

The previous articles can be found here and here

Thanks for playing :)

Thursday, 29 May 2008

Apache memory leak Fix

I ran into an apache memory leak today... the symptoms were:
[root@www /]# service httpd restart
Stopping httpd: [OK]
Starting httpd: [FAILED]
[root@www /]# service httpd status
httpd dead but subsys locked

Ok that was weird... so I check the logs in /var/log/httpd/error_log

[emerg] (28)No space left on device: mod_fcgid: Can't create global pipe mutex
[crit] (28)No space left on device: mod_rewrite: could not create rewrite_log_lock
Configuration Failed

so... memory kinda full of it... solution:
[root@www /]# ipcs -s | grep apache
0x00000000 7897096 apache 600 1
0x00000000 7929865 apache 600 1
0x00000000 7962634 apache 600 1
0x00000000 7995403 apache 600 1
0x00000000 8028172 apache 600 1
0x00000000 8060941 apache 600 1
0x00000000 8093710 apache 600 1
0x00000000 8126479 apache 600 1
0x00000000 8159248 apache 600 1
0x00000000 8192017 apache 600 1
 ok... right on the money! so continue...

[root@www /]# ipcs -s | grep apache | awk ' { print $2 } ' | xargs ipcrm sem
resource(s) deleted
 and all is ok with the world again :)
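An added example, not from the original post: the same semaphore cleanup, but matching the owner column exactly instead of `grep apache`, which also hits any other owner or key containing that substring, and with a dry-run default so the list can be eyeballed before anything is removed. SAMPLE_IPCS is constructed `ipcs -s` output; only sh and awk are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): select and remove the
# semaphore sets owned by one user. SAMPLE_IPCS is constructed `ipcs -s`
# output in Linux format (key semid owner perms nsems). Assumes sh and awk.

SAMPLE_IPCS='------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 7897096    apache     600        1
0x00000000 7929865    apache     600        1
0x0052e2c1 32769      postgres   600        17
0x00000000 8126479    apache-ng  600        1'

# Print the semids whose owner column equals the given user exactly;
# the header lines never match because their third field is not a user.
semids_for_user() {
    printf '%s\n' "$1" | awk -v user="$2" '$3 == user { print $2 }'
}

# Remove those semaphore sets with `ipcrm -s`, or with DRY_RUN=1 (the
# default) only print what would be run.
remove_semaphores() {
    ids=$(semids_for_user "$1" "$2")
    [ -n "$ids" ] || { echo "no semaphores owned by $2"; return 0; }
    for id in $ids; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "would run: ipcrm -s $id"
        else
            ipcrm -s "$id"
        fi
    done
}

# Live use, once httpd is confirmed stopped:
#   remove_semaphores "$(ipcs -s)" apache          # review the list
#   DRY_RUN=0 remove_semaphores "$(ipcs -s)" apache # actually delete
```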

Carlos Rivero on the same issue states "When dealing with mem-leaks in my mod_perl-apps I ran into a curious apache-problem" and since it is 4 in the morning I will just agree with him :) Damn that mod_perl then!

Anyway.. problem solved apache back up and running

Thank you for playing :)

Wednesday, 28 May 2008

Software RAID 1 and GRUB issues

A small problem I ran into the other day while I was trying to install a new kernel on a CentOS box... After making the changes I wanted on the grub.conf file, I ran "grub-install /dev/md0" and I got this error:
"md0 does not have a corresponding BIOS drive"

(a small middle finger) no worries though..
after looking it up turns out the middle finger was justified.. grub does not look at /etc/fstab to find the corresponding drives instead it uses /etc/mtab 

In this case when having a /dev/md0 as / which corresponds to /dev/hda1 all that needs to be done is:
  • edit /etc/mtab and switch /dev/md0 with /dev/hda
  • run "grub-install /dev/hda" to install GRUB to the MBR of the first drive
  • edit /etc/mtab and switch /dev/md0 with /dev/hdb
  • run "grub-install /dev/hdb" to install GRUB to the MBR of the second drive (just in case of failure)
  • edit /etc/mtab again and put it back as you found it with devices set to md instead of hd

Changes might need to be made using the same logic to the "/boot/grub/device.map" file which according to the Romanian guy that wrote the solution I used "maps a logical name such as /dev/hda to a physical device such as (hd0) which means (to grub) the first hard drive detected by the BIOS"

The actual link if you want the full article can be found here

Special thanks to "that guy" his solution did work and helped a lot.

Thanks for playing :)

Tuesday, 27 May 2008

Server up script - ping check

This silly little script checks if a host responds to first 3 and then 5 icmp packets; if all fail it sends an SMS using clickatell once again...
#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin

if ifconfig | grep ppp0 > /dev/null
then
    # "N packets transmitted, N received, X% packet loss": field 6 is the loss
    PKT_LOSS=`ping -c 3 xxx.xxx.xxx.xxx | grep transmitted | awk '{print $6}'`
    PERCENT=${PKT_LOSS%%%}
    if [ "$PERCENT" = "100" ]
    then
        # try once more with 5 packets before raising the alarm
        PKT_LOSS=`ping -c 5 xxx.xxx.xxx.xxx | grep transmitted | awk '{print $6}'`
        PERCENT=${PKT_LOSS%%%}
        if [ "$PERCENT" = "100" ]
        then
            # Create session and save to /tmp/sessionid
            wget "http://api.clickatell.com/http/auth?api_id=yourapi_id&user=usrname&password=passwd" -O /tmp/sessionid -q
            # use only the session id for the variable
            sessionid=`cat /tmp/sessionid | awk '{print $2}'`
            # send sms
            smssend clickatell.sms $sessionid usrname passwd yourapi_id "SystemAlert" phone_No "Server not responding"
        else
            echo "System Responding"
        fi
    else
        echo "System Responding"
    fi
else
    #yes I have a speedtouch STILL!
    pppd call speedtch > /dev/null
    #bandwith QoS thingy nothing important...
    bandwith
fi

For the smssend part to work you will need the info from this post.

Thank you for playing :)

Linux - Router NAT with some restrictions

A simple IPtables script that allows forwarding from one interface to the other connecting 2 subnets while restricting access to the second.

eth0:192.168.0.1 (internet)

eth1:192.168.1.1 (lan)

The /bin/nat-up script:
iptables -t nat -F POSTROUTING
iptables -F FORWARD
iptables --policy FORWARD DROP
iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 192.168.0.1
# Full forwarding access to one host
iptables -A FORWARD -s 192.168.1.2 -j ACCEPT
iptables -A FORWARD -d 192.168.1.2 -j ACCEPT
# Access to one host only for the rest of the subnet
iptables -A FORWARD -s 192.168.1.0/24 -d host1 -j ACCEPT
iptables -A FORWARD -s host1 -d 192.168.1.0/24 -j ACCEPT
# Enable Forwarding...
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "IPtables - NAT enabled ... "

Another script has been created to disable the NAT on demand (/bin/nat-down) containing:
iptables -t nat -F POSTROUTING
iptables -F FORWARD
echo 0 > /proc/sys/net/ipv4/ip_forward
echo "IPtables - NAT disabled ... "

Thank you for playing :)

Saturday, 24 May 2008

Ossec plugin for sms notification

1. Create an account with Clickatell (they will be providing the sms gateway service)

2. Add some credit to your account

3. Create a "Connection" and note you API_ID

4. download and install smssend
wget http://www.barsnick.net/sw/smssend-3.2-1.i586.rpm
yum install smssend-3.2-1.i586.rpm

or (for Slackware users)

wget http://linuxpackages.inode.at/Slackware-10.2/Console/smssend/smssend-3.4-i486-2alt.tgz

installpkg smssend-3.4-i486-2alt.tgz

5. Create the .sms file you will be using
cat > /usr/share/smssend/clickatell.sms << "EOF"
NbParams 7
%Sessionid : Session ID
%Login : Your username
%Password : Your Pass
%ApiID : Your API ID
%Sender : API Sender Name
%Tel : Phone number To Send Message To
%Message Size=160 Convert : Your message

PostURL https://api.clickatell.com/http/sendmsg?
#GetURL https://api.clickatell.com/http/sendmsg?
#Params session_id=\%Sessionid%&from=\%Sender%&user=\%Login%&password=\%Password%&api_id=\%ApiID%&to=\%Tel%&text=\%Message%
PostData session_id=\%Sessionid%&from=\%Sender%&user=\%Login%&password=\%Password%&api_id=\%ApiID%&to=\%Tel%&text=\%Message%
Search ID:
PrintMsg message sent
Else
ErrorMsg 1 error sending message
GO
EOF

6. Add the following to your /var/ossec/etc/ossec.conf
<command>
<name>smsnotify</name>
<executable>smsnotify.sh</executable>
<expect>srcip</expect>
</command>

<active-response>
<!-- This response will notify the admin via
- sms for every event that fires a rule with
- level (severity) >= 10.
-->
<command>smsnotify</command>
<location>local</location>
<level>10</level>
</active-response>

7. Create your own smsnotify.sh
cat > /var/ossec/active-response/bin/smsnotify.sh << "EOF"
#!/bin/sh

PATH=/sbin:/bin:/usr/sbin:/usr/bin
ACTION=$1
USER=$2
IP=$3

echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" > /tmp/alertid
ALERTID=`cat /tmp/alertid | awk '{print $11}' | cut -d "." -f 1`

# Getting alert header
LOG=`grep -A 3 $ALERTID /var/ossec/logs/alerts/alerts.log | tail -n 2`

# Create session and save to /tmp/sessionid
wget "http://api.clickatell.com/http/auth?api_id=''yourapi_id''&user=''yourusername''&password=''yourpassword''" -O /tmp/sessionid -q

# Use only the session id for the variable
sessionid=`cat /tmp/sessionid | awk '{print $2}'`

# Send sms
smssend clickatell.sms $sessionid ''yourusername'' ''yourpassword'' ''yourapi_id'' "ServerAlert" ''yourphoneNo'' "$LOG"
EOF

chmod 755 /var/ossec/active-response/bin/smsnotify.sh

8. Do an asl -f -s to restart ossec and you are good to go



update to come...

Small reconfigurations at Plesk services

ProFTPD
ServerIdent off

php.conf
add index.html to default index

disable fstab-sync

disable prelink

httpd.conf
Serversignature off

Servertokens Prod

when installing PHP-related stuff
(eAccelerator, ionCube, Zend Optimizer) don't forget to check the paths in /etc/php.d/

thats it so far.. not much huh? :)

rc.firewall script

A simple script to start and stop.. and restart your firewall with slackware:

The script:
  • blocks some standard workstation traffic
  • allows NAT for 192.168.0.1/24
  • allows syslog connections for a particular host
  • drops invalid and possibly bad packets

#!/bin/sh
#
# /etc/rc.d/rc.firewall
#
# Start/stop/restart the IPtables Firewall.
#
# To make IPtables Firewall start automatically at boot, make this
# file executable:  chmod 755 /etc/rc.d/rc.firewall
#

fire_start() {
if [ -x /usr/sbin/iptables ]; then
fire_stop
echo "Starting IPtables: "
iptables -A INPUT -s 0.0.0.0/0 -i ppp0 -p tcp --dport 139 -j DROP
iptables -A INPUT -s 0.0.0.0/0 -i ppp0 -p tcp --dport 445 -j DROP
iptables -A INPUT -s 0.0.0.0/0 -i ppp0 -p tcp --dport 631 -j DROP
iptables -A INPUT -s 0.0.0.0/0 -i ppp0 -p tcp --dport 6000 -j DROP
iptables -A INPUT -s source-address -p udp --dport 514 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -p udp --dport 514 -j DROP
iptables -N SPOOF
iptables -A INPUT -i ppp0 -s ppp0-ip.address -j SPOOF
iptables -A INPUT -i eth0 -s 192.168.0.1 -j SPOOF
iptables -A SPOOF -m limit --limit 1/second -j DROP
iptables -N PORTSCAN
iptables -A INPUT -i eth0 -p tcp ! --syn -j PORTSCAN
iptables -A INPUT -i eth0  -m state --state INVALID -j PORTSCAN
iptables -A SPOOF -j REJECT --reject-with icmp-host-unreachable
iptables -L INPUT
echo "Enabling NAT: "
iptables -A POSTROUTING -t nat -s 192.168.0.1/24 -o ppp0 -j SNAT --to-source source-address
iptables -L POSTROUTING -t nat
iptables -A FORWARD -s 192.168.0.1/24 -j ACCEPT
iptables -A FORWARD -d 192.168.0.1/24 -j ACCEPT
iptables -L FORWARD
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "IPtables - NAT Configuration finished ..."
fi
}

fire_stop() {
iptables -F
iptables -F FORWARD
iptables -F SPOOF
iptables -X SPOOF
iptables -X PORTSCAN
echo "Clearing Firewall:"
iptables -L INPUT
iptables -F -t nat
echo "Clearing Forwarding"
iptables -L POSTROUTING -t nat
iptables -L FORWARD
echo 0 > /proc/sys/net/ipv4/ip_forward
}

fire_restart() {
fire_stop
sleep 2
fire_start
}

case "$1" in
'start')
fire_start
;;
'stop')
fire_stop
;;
'restart')
fire_restart
;;
*)
# Default is "start", for backwards compatibility with previous
# Slackware versions.  This may change to a 'usage' error someday.
fire_start
esac

To be updated.. soon hopefully

Windows Forensic Tools

One of the good toolkit links that certainly helps in a windows forensic investigation is the Sysinternals Suite which includes packages like:
  • PsExec
    psexec \\remote systeminfo >> d:\data.txt
    psexec \\remote ipconfig /all >> d:\data.txt
    psexec \\remote arp -a >> d:\data.txt
    psexec \\remote netstat -b >> d:\data.txt
    psexec \\remote schtasks >> d:\data.txt
  • PsFile
  • PsGetSid
  • PsInfo
  • PsKill
  • PsList
  • PsLoggedOn
  • PsLogList (psloglist -s -x security)

Another useful tool which "enables us to capture the memory space utilized by any executing process. " is included in the Microsoft OEM Support tools package available at:
Memory Dump

Forensic Acquisition Utilities (dd, memory dumps, netcat and others) can be found here

Some of the above utilities are based on the UnxUtils distribution available here

A history of logins can be obtained with the NTLast command, distributed by Foundstone

and of course never forget the Helix Toolkit

more to come...

ps. Congrats need to go out to Geraint Williams for providing most of the information here, giving us brilliant lectures and most of all making the subject fun!

Plesk Backup Script

Taken from the atomic wiki (thanks Scott):

Install the required packages
  • yum install lftp
  • create /root/scripts/remote-backup
    #!/bin/sh
    #
    # Format date YYYY-MM-DD-HH-MM
    #
    date=`/bin/date +%F-%R`
    #
    # Create plesk backup
    #
    /usr/local/psa/bin/pleskbackup all /var/backup/fullbackup-$date.bak
    #
    # Connect to FTP, change directory, send files, disconnect.
    #
    lftp -u username,password ftp.server.ip.address <<EOF
    cd /
    lcd /var/backup/
    mirror -R
    quit 0
    EOF
  • add script to crontab

all done :)
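The same backup flow as an added example (this is not the atomic wiki's script): the FTP password is read from a root-only file instead of being passed on the command line where `ps` shows it, a SHA-256 checksum is written beside each backup, and local copies older than two weeks are pruned. The credentials file path and its one-line "host user password" format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the atomic wiki script: same flow (pleskbackup, then lftp
# mirror) with the FTP password read from a root-only file, a checksum beside
# each backup, and old copies pruned. Paths and the credentials file format
# (one line: host user password) are assumptions for this example.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/var/backup}"
PLESKBACKUP="${PLESKBACKUP:-/usr/local/psa/bin/pleskbackup}"
CRED_FILE="${CRED_FILE:-/root/.backup-ftp}"
KEEP_DAYS="${KEEP_DAYS:-14}"

# Backup file name for a timestamp in the same YYYY-MM-DD-HH:MM format.
backup_path() {
    echo "$BACKUP_DIR/fullbackup-$1.bak"
}

# Only accept a credentials file that nobody but its owner can read.
check_cred_perms() {
    [ -f "$1" ] || return 1
    case "$(stat -c %a "$1")" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Delete backups (and their checksums) in $1 older than $2 days.
prune_old() {
    find "$1" -maxdepth 1 -type f -name 'fullbackup-*.bak*' -mtime +"$2" -exec rm -f {} +
}

run_backup() {
    check_cred_perms "$CRED_FILE" || { echo "refusing: $CRED_FILE must be mode 600" >&2; return 1; }
    read -r host user pass < "$CRED_FILE"
    out=$(backup_path "$(/bin/date +%F-%R)")
    "$PLESKBACKUP" all "$out"
    ( cd "$BACKUP_DIR" && sha256sum "$(basename "$out")" > "$out.sha256" )
    # Login goes to lftp on stdin, so the password never shows up in ps output.
    lftp <<EOF
open -u "$user,$pass" "$host"
cd /
lcd $BACKUP_DIR
mirror -R
quit 0
EOF
    prune_old "$BACKUP_DIR" "$KEEP_DAYS"
}
# Run the backup only when called as "remote-backup run" (the cron entry).
if [ "${1:-}" = run ]; then run_backup; fi
```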

Atomic installation

Atomic installation procedure:
  • wget -q -O - http://www.atomicorp.com/installers/atomic.sh | sh
  • add plesk.repo to /etc/yum.repos.d
    [root@www ]# cat /etc/yum.repos.d/plesk.repo
    [plesk]
    name=Plesk Server Administrator
    baseurl=http://www.atomicorp.com/channels/plesk/latest/centos/$releasever/$basearch
    gpgcheck=0
  • yum install atomic-psa
  • add license
  • add IPs
  • add locale (change /usr/local/psa/version to 7 [compatible version] and then install locale package)
  • install advanced statistics
  • add asl channel
    [root@www ]# cat /etc/yum.repos.d/asl.repo
    [asl-2.0]
    name=Atomicorp - $releasever - Atomic Secured Linux
    baseurl=http://username:password@atomicorp.com/channels/asl-2.0/centos/$releasever/$basearch
    enabled=1
    gpgcheck=1

    [asl-2.0-testing]
    name=Atomicorp - $releasever - Atomic Secured Linux
    baseurl=http://username:password@atomicorp.com/channels/asl-2.0-testing/centos/$releasever/$basearch
    enabled=1
    gpgcheck=1

    [asl-2.0-bleeding]
    name=Atomicorp - $releasever - Atomic Secured Linux
    baseurl=http://username:password@atomicorp.com/channels/asl-2.0-bleeding/centos/$releasever/$basearch
    enabled=1
    gpgcheck=1
  • yum update
  • yum install asl asl-web-gui clamd qmail-scanner dcc pyzor razor-agents
  • restart spamassassin
  • start clamd service
  • run /usr/bin/qmail-scanner-reconfigure
  • run asl -c (configure asl)
  • run asl -u (update databases)
  • run asl -s -f (enforce configuration)
  • yum install php-eaccelerator php-suhosin
  • yum install squirrelmail
    add "Alias /cp /var/www/vhosts/metroweb.gr/httpdocs/cp" to the squirrelmail.conf configuration
    in httpd/conf.d so that the domain.gr/cp link works
  • yum install rkhunter chkrootkit (if not installed by asl package)

all done :)
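An added check, not part of the atomicorp procedure, for the two weak settings visible in the repo definitions above: gpgcheck=0 on the plesk channel (packages are installed without any signature check) and a username:password embedded in the asl baseurls (channel credentials sitting in a world-readable file and in every yum log line). It is an awk pass over .repo files; the /etc/yum.repos.d default is the standard location, and the sample repo files in the test are constructed from the definitions above.

```shell
#!/bin/sh
# Added example, not part of the atomicorp procedure: report weak settings in
# yum repo files. Prints one line per finding; returns 1 if anything was found.
audit_repo_file() {
    awk '
        function report() {
            if (sec == "") return
            if (gpg == "0") { print sec ": gpgcheck=0 (unsigned packages accepted)"; bad = 1 }
            if (cred)       { print sec ": credentials embedded in baseurl"; bad = 1 }
            sec = ""
        }
        { gsub(/^[ \t]+|[ \t]+$/, "") }          # ignore surrounding whitespace
        /^#/ || /^$/ { next }                    # comments and blank lines
        /^\[.*\]$/ { report(); sec = substr($0, 2, length($0) - 2); gpg = ""; cred = 0; next }
        /^gpgcheck[ \t]*=[ \t]*0$/ { gpg = "0" }
        # scheme://user:pass@host  -> credentials in the URL
        /^baseurl[ \t]*=/ && /:\/\/[^\/@]+:[^\/@]+@/ { cred = 1 }
        END { report(); exit bad }
    ' "$1"
}

# Audit every .repo file in a directory (default /etc/yum.repos.d);
# non-zero exit if any file has a finding.
audit_all_repos() {
    rc=0
    for f in "${1:-/etc/yum.repos.d}"/*.repo; do
        [ -f "$f" ] || continue
        audit_repo_file "$f" || rc=1
    done
    return $rc
}
```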

Application Vault Issues

Ok here is how the story goes...

Issue: Application Repo is not working + backup script not working + domains cannot be removed/deleted

After updating Plesk from 8.2.1 to 8.3.0 everything seemed to be working except the application repo..

I was experiencing the exact same error, "Table 'psa.APSClientApplicationItems' doesn't exist", as the poster in this thread: http://forum.swsoft.com/showthread.php?t=50070

mostly because I did the same lame thing: copied the directory, changed the files and, woohoo, created my own application in the repo so my clients could use an up-to-date Greek version of Joomla...

I followed the procedure suggested on the forum:
mysql -u admin -p`cat /etc/psa/.psa.shadow` psa -e "describe APSClientApplicationItems;"

mysql -u admin -p`cat /etc/psa/.psa.shadow` psa

DROP TABLE IF EXISTS `APSClientApplicationItems`;
CREATE TABLE `APSClientApplicationItems` (
`id` int(10) unsigned NOT NULL auto_increment,
`client_id` int(10) unsigned NOT NULL default '0',
`app_item_id` int(10) unsigned NOT NULL default '0',
`instances_limit` int(11) NOT NULL default '-1',
PRIMARY KEY (`id`),
UNIQUE KEY `client_id_2` (`client_id`,`app_item_id`),
KEY `client_id` (`client_id`),
KEY `app_item_id` (`app_item_id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

but that didn't fix it... it was asking for the APSApplicationItems table as well...

so I did the same for that one... and now it asks for more (in the Application Vault):
MySQL query failed: Unknown column 'categories' in 'field list'

and the backup procedure gives:
DBD::mysql::st execute failed: Table 'psa.APSLicenseTypes' doesn't exist

Plesk support asked for the output of these commands to check the situation:
rpm -q psa; rpm -qa | grep psa-hotfix; cat /usr/local/psa/version
mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -e "select * from misc where param='version'"

After enabling MySQL's debug log, the technical support engineer made a series of database edits that added the missing tables and removed stale entries for installed applications that no longer existed. Since I don't actually know what was missing or why, beyond the engineers' "ok we added that table and removed that one and now it works", I don't know whether the details would be useful here, so I'm going to call it magic and let us move on with our lives...