Computer and IT knowledge - things to know
time echo "scale=1000; 4*a(1)" | bc -l
readpst - convert PST (MS Outlook Personal Folders) files to mbox and other formats
recode iso-8859-1..UTF-8 test.html
file -i * (query the encoding of each file)
put the following to: .vnc/xstartup
gnome-session &
gnome-panel &
Network Kernel Parameters
These parameters were suggested by TIBCO to get the maximum network performance out of a Linux machine.
We have used these tuning parameters successfully to reduce retransmissions on heavily loaded machines. You will find similar tuning tips when searching for web-server optimization.
Parameter                     Red Hat Enterprise Linux Server 5.6 (Tikanga) value   Proposed value
net.core.rmem_max             131071                                                16777216
net.core.rmem_default         129024
net.core.wmem_max             131071                                                16777216
net.core.wmem_default         12902?
net.ipv4.tcp_rmem (3 values)  4096 87380 4194304                                    4096 87380 16777216
net.ipv4.tcp_wmem (3 values)  4096 16384 4194304                                    4096 65536 16777216
txqueuelen                    1000                                                  7000
net.core.netdev_max_backlog   1000                                                  30000
Performance data: missed/pkts and retrans/pkts are good quality indicators
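A check script for the table above, added here as an example; it is not part of the original notes and not TIBCO material. It compares a saved `sysctl -a` dump against the proposed values and lists the keys that are still below the proposal. The function names (below_proposal, count_below) and the sample dump are my own constructions; the sample repeats the RHEL 5.6 defaults from the table.

```sh
#!/bin/sh
# Added example (not from the original notes or from TIBCO): compare a
# `sysctl -a` dump against the proposed values of the table and list the keys
# that are still below the proposal. Only the sysctl keys are covered;
# txqueuelen is an interface setting (ifconfig eth0 txqueuelen 7000).

# Proposed values from the table. For the three-value tcp_rmem/tcp_wmem keys
# the third (maximum) value is compared.
PROPOSED="net.core.rmem_max 16777216
net.core.wmem_max 16777216
net.core.netdev_max_backlog 30000
net.ipv4.tcp_rmem 16777216
net.ipv4.tcp_wmem 16777216"

# below_proposal FILE : FILE holds "key = value [value value]" lines as printed
# by sysctl -a; prints "key current proposed" for each key below the proposal
below_proposal() {
    printf '%s\n' "$PROPOSED" | while read -r key want; do
        # last field of the matching line is the value (the max for 3-value keys)
        have=$(awk -v k="$key" '$1 == k { print $NF; exit }' "$1")
        if [ -n "$have" ] && [ "$have" -lt "$want" ]; then
            echo "$key $have $want"
        fi
    done
}

# count_below FILE : number of keys still below the proposal (0 = fully tuned)
count_below() { below_proposal "$1" | wc -l | tr -d ' '; }

# Constructed sample dump (not captured from a real host): the RHEL 5.6
# defaults from the table, plus an unrelated key that must be ignored.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
net.core.rmem_max = 131071
net.core.wmem_max = 131071
net.core.netdev_max_backlog = 1000
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.ip_forward = 0
EOF

# Real use:  sysctl -a 2>/dev/null > /tmp/sysctl.txt; below_proposal /tmp/sysctl.txt
below_proposal "$SAMPLE"
```

Keys that the script reports can then be raised with sysctl -w or in /etc/sysctl.conf; running it again after the change gives a quick confirmation that nothing was missed.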
pdsh.x86_64 : Parallel remote shell program
#backup
dd if=/dev/sdb of=/tmp/compact_flash_winxp-embedded.dd
#restore
dd if=/tmp/compact_flash_winxp-embedded.dd of=/dev/sdb
yum install perf.x86_64
figlet -- http://www.figlet.org/
netstat -antpe
$ wget -O speedtest-cli https://raw.github.com/sivel/speedtest-cli/master/speedtest_cli.py
$ chmod +x speedtest-cli
$ ./speedtest-cli
WSO is a PHP shell backdoor that provides an interface for various remote operations. It can perform everything from remote code execution and brute-forcing of servers to providing server information, and more.
example: http://snipplr.com/view/70661/
http://www.exploit-db.com/search/?action=search&filter_description=Linux+Kernel+2.6.32
check-for-backdoors-in-php-scripts
- maldet
- clamav
- https://github.com/emposha/PHP-Shell-Detector --> http://shelldetector.com/
>> http://www.xyz.de/_temp/PHP-Shell-Detector-master/shelldetect.php
lsof -s | awk '$5 == "REG"' | sort -n -r -k 7,7 | head -n 20
Linux Malware Detect v1.4.2
http://www.rfxn.com/projects/linux-malware-detect/
Here are the steps that I did to build the rpm:
1. installed Red Hat 5.7 / 64 bit server on our VMWARE test (IP 192.168.172.23 / name rhel5-mw-64)
2. installed the following rpms from the 5.7 image:
rpm-build-4.4.2.3-22.el5
elfutils-0.137-3.el5
elfutils-libs-0.137-3.el5
gcc-4.1.2-51.el5
3. download the tool "checkinstall" .. this is a great tool to build rpms
- http://asic-linux.com.mx/~izto/checkinstall/download.php
--> saved to /root/checkinstall-1.6.2.tar.gz
--> extract: tar -xvzf /root/checkinstall-1.6.2.tar.gz
--> cd /root/checkinstall-1.6.2
--> make
--> make install
--> command "checkinstall" is now available
4. download the perl module -> source files from http://search.cpan.org/~mshoyher/TacacsPlus-0.16/TacacsPlus.pm
--> saved to /root/TacacsPlus-0.16.tar.gz
--> extract: tar -xvzf /root/TacacsPlus-0.16.tar.gz
--> cd /root/TacacsPlus-0.16
--> generate the make file: perl Makefile.PL
--> use now the command "checkinstall"
checkinstall parameters:
- Should I create a default set of package docs? [y]: n
- Slackware [S], RPM [R] or Debian [D]? R
- description: TacacsPlus Perl Module
--> done:
Done. The new package has been saved to
/usr/src/redhat/RPMS/x86_64/TacacsPlus-0.16-1.x86_64.rpm
You can install it in your system anytime using:
5. problem / warning when running checkinstall: ERROR: ld.so: object ‘/usr/local/lib64/installwatch.so’ from LD_PRELOAD cannot be preloaded: ignored.
Solution: The problem occurs because the loader can’t find the shared object file. The solution is very simple. Assuming that the installwatch.so is located in /usr/local/lib, just type the following commands:
echo "/usr/local/lib64" >/etc/ld.so.conf.d/installwatch.conf
ldconfig
ln -s /usr/local/lib/installwatch.so /usr/local/lib64/installwatch.so
http://www.thegeekstuff.com/2011/05/iozone-examples/
run with iozone -a
egrep -v '(^$|^#)' /etc/proxychains.conf
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 10.10.10.10 1080
socks5 11.11.11.11 1080
-> 4 KB sector technology --> format under Linux:
https://bbs.archlinux.org/viewtopic.php?id=99626
--> create filesystem with 4096 block size!!!
mkfs.ext3 -b 4096 /dev/hdd1
watch cat /proc/mdstat
iozone: http://www.iozone.org/src/current/iozone-3-397.i386.rpm
dd measurement: dd if=/dev/zero of=/opt/vmware/test bs=200MB count=1 oflag=direct
rsync measurement: rsync --progress test test4
find archive* -type f -print0 | xargs -0 grep -i m720bz
mount /dev/scd0 /tmp/cdrom/
export LD_PRELOAD=/usr/lib/libtsocks.so
=>package tsocks
=>http://tsocks.sourceforge.net/
compile result:
- libtsocks.so - the libtsocks library
- validateconf - a utility to verify the tsocks configuration file
- inspectsocks - a utility to determine the version of a socks server
- saveme - a statically linked utility to remove /etc/ld.so.preload
if it becomes corrupt
Configuration file: '/etc/tsocks.conf'
unset LD_PRELOAD
/usr/src/packages/RPMS/s390/tsocks-1.8-1.s390.rpm
local = 192.168.2.0/255.255.255.0
path {
server = 192.168.2.99
reaches = 12.13.14.0/255.255.255.0
}
ifconfig eth0 mtu 1450 #change mtu size on linux
compy.ww.tu-berlin.de/Howto-DE/
fetchmail -u username <name>
- password can be stored in .fetchmailrc under root home
- password can be stored in .netrc in the user directory
-> see in "man ftp" for .netrc
-> syntax in .netrc: machine <name> login <userid> password <password>
www.socks.nec.com/s5examples.html
http://kbase.redhat.com/faq/FAQ_79_2561.shtm
Resolution: The new way to add static routes on Red Hat Enterprise Linux systems is to create a file
/etc/sysconfig/network-scripts/route-ethX, where X corresponds to the network interface you wish to use
for the alternate route(s). This file deals with three fields: GATEWAY, NETMASK, and ADDRESS. Each field
should have a number appended to it indicating which route it relates to. The example below shows two
static routes configured for the eth0 network interface.
/etc/sysconfig/network-scripts/route-eth0
GATEWAY0=10.10.0.1
NETMASK0=255.0.0.0
ADDRESS0=10.0.0.0
GATEWAY1=10.2.0.1
NETMASK1=255.255.0.0
ADDRESS1=192.168.0.0
free -o
ps -eo pid,ppid,rss,vsize,pcpu,pmem,cmd -ww --sort=pmem
The top 10 monopolizing processes are listed more reliably when sorted by a numeric key:
ps -eo pcpu,pid,user,args | sort -k 1 -r -n | head -1
/etc/rc.d/boot.local
I want to replace a string with another string in several text files. I tried the following command, which I read in a Linux book, but it doesn't work. Can anyone give me some help?
perl -pi -e "s/search/replace/g;" *.txt
perl -pi -e "s/\/usr\/local\/mrtg\/web\//\/usr\/local\/mrtg\/web\/10.0.6.162\//g;" *.cfg
perl -pi -e "s/\/usr\/local\/mrtg\/web\//\/usr\/local\/mrtg\/web\/10.149.158.52\//g;" *.cfg
nc XYZ | gzip -dc | dd of=/dev/hda bs=64k
dd if=/dev/hda of=/dev/hdX bs=256k
cp -aX / /mnt/
remount: mount -n -o remount,rw /
reiserfsck /dev/hdXY --check
reiserfsck /dev/hdXY --rebuild-tree
reiserfsck /dev/hdXY --rebuild-sb
>> if you have to repair something you have to use command "--rebuild-tree", and you should check with "--check"
adding user xyz to group trusted:
gpasswd -a xyz trusted
sample entry in /etc/inetd.conf:
pop3 stream tcp nowait root /usr/sbin/pop3d pop3d
fdisk /dev/hdd
http://dotnot.org/blog/archives/2005/09/09/quick-nfs-howto-for-centos/
NFS under Linux:
#export directory /home/nfsshare
/home/nfsshare 10.0.0.1(rw,no_root_squash,insecure) 10.0.0.2(rw,no_root_squash)
-> import under AIX using smitty nfs
check:
rpcinfo -p
=> 100003 2 udp 2049 nfs
on client:
/etc/fstab
lnxsni01:/usr/local/uar /mnt/share nfs rsize=8192,wsize=8192,timeo=14,intr,soft,tcp 0 0
lnxsni01:/usr/local/uar /mnt/share nfs rsize=8192,wsize=8192,timeo=14,intr,soft
include vfat partition
mount /dev/hda7 /mnt/hda7 -o uid=your-login,gid=users
or have something like this for it in /etc/fstab
/dev/hda7 /mnt/hda7 vfat user,uid=your-login,gid=users 1 0
/dev/hda7 /mnt/hda7 vfat defaults,umask=000 1 0
/dev/hdb /cdrom iso9660 ro,noauto,user,block=2048 0 0
echo 1 >/proc/sys/net/ipv4
- Ethernetcard: http://www2.neweb.ne.jp/wd/fbm/3c556/
use 3c59x module
- modem
Lucent softmodem
http://lisas.de/~david/t21/download/ltmodem-5.78e-1.src.rpm
http://lisas.de/~david/t21/download/ltmodem-2.4.3-5.78e-1.i386.rpm
- sound
Sound worked right out of the box. But when I tried playing DVD, the sound was really choppy, lagging a lot ... pretty badly screwed up! (I used omi_gtk dvd player from
the Livid project).
So I decided to use ALSA drivers as recommended by quite a few people. I downloaded ALSA 0.5.8, untarred it, and switched to the directory. Run these commands:
- ./configure --with-cards=cs461x
- make
- make install
After this, you can find the modules on /lib/modules/(kernel version)/misc directory.
Then, add these lines to /etc/modules.conf file :
alias char-major-116 snd
alias char-major-14 soundcore
alias snd-card-0 snd-card-cs461x
alias sound-slot-0 snd-card-0
alias sound-service-0-0 snd-mixer-oss
alias sound-service-0-1 snd-seq-oss
alias sound-service-0-3 snd-pcm-oss
alias sound-service-0-12 snd-pcm-oss
- TokenRing: try ibmtr_cs.o
http://www.linuxtr.net/newhowto/Token-Ring.html
I have a Token Ring Auto 4/16 Credit Card Adaptor that works well with my SuSE setup. One major key to getting it to work was
having at least the 3.x.x series of PCMCIA card services loaded onto your machine. Additionally, in your conf.modules file you'll need the
following verbiage:
alias tr0 ibmtr_cs mmiobase=0xd6000 srambase=0xd8000 ringspeed=[16]|[4] sramsize=16 irq_list=9
/etc/pcmcia
-> config.opts
# Options for IBM Token Ring adapters
module "ibmtr_cs" opts "mmiobase=0xd000 ..." <- comment out
- PCI Devices
lspci -v
lspci -vv
- emergency reboot
linux init 1
- DHCP
dhclient
- ICA Client
/opt/Citrix/ICAClient
- Token Ring Card
To get the IBM Turbo tokenring 4/16 to work on a Thinkpad 770(9548) I did
the following.
Kernel 2.2.10
pcmcia-cs-3.0.13 And edit '/etc/pcmcia/config.opts' like this
#
# Local PCMCIA Configuration File
#
include port 0x100-0x4ff, port 0x1000-0x17ff
include memory 0xc0000-0xfffff
#
# Extra port range for IBM Token Ring
#
include port 0xa00-0xaff
#
# Resources we should not use, even if they appear to be available
#
# First built-in serial port
exclude irq 4
# Second built-in serial port
#exclude irq 3
# First built-in parallel port
exclude irq 7
module "ibmtr_cs" opts "m
use pump from redhat, should be working if installed ...
shell script:
#!/usr/bin/sh
# build a file name of the form YEAR_DAY_MONTH_fw.tar from the date output
# (no spaces around "=" in a shell assignment, otherwise "filename" is run as a command)
filename=`date | awk '{print $6"_"$3"_"$2"_fw.tar"}'`
tar -cvf /home/backup/$filename /tmp/*.*
#put STDOUT together
( echo "please check the directory $CHECKDIR\n"; ls -l $CHECKDIR; )
cat austria.usernams |awk '{print tolower($1)}'
IDLEPOS=`eval /usr/bin/vmstat 1 1 | /usr/bin/awk '/ sy /{i=1; while (i<NF) {if ($i~/sy/) print i; i+=1}}'`
vmstat 1 5 | awk 'BEGIN{ID=0}; / id /{i=1; while (i<NF) {if (tolower($i)~/id/) {ID=i; printf("ID in Spalte %s\n", ID)} ; i+=1}} ; /^ [0-9]+/{print $ID}'
ps -ef |grep xclock |awk '{print $2}' |xargs kill
mypids=`ps uxw | grep ssh-agent | grep -v grep | awk '{print $2}'`
mypids=`ps $psopts 2>/dev/null | grep "[s]sh-agent" | awk '{print $2}'` > /dev/null 2>&1
cat hostlist |awk '{print $1 " 1"}' |xargs ping
LINUX
runsocks perl -MCPAN -e shell
-> o conf // see config
-> o conf ftpproxy proxy // modify ftp proxy
-> o conf commit // save config
-> o conf urllist push http://cpan.noris.de/
tty -s && ifconfig -a|awk '/^(en|eth|hsi)[0-9]+/{getline;"uname -n"|getline L; printf("\033]2;%s -- %s \007\n", $2,L);exit}'
tty -s && {
cat /etc/SuSE-release
# update putty terminal window header
HOST=$(ifconfig -a |awk -v U=$USER -v H=`uname -n` '/^(en|eth|hsi)[0-9]+/{getline;if ($2~/addr/){$2=substr($2,6)};printf("\033]2;%s@%s -- %s \007\n", U,$2,H) | "/bin/cat 1>&2";print $2; exit}')
export HOST
PS1='$USER@${HOST}:${PWD#$HOME/}$ '
}
Serial Cable 2 Linux
-> /etc/inittab
-> S0:123:respawn:/sbin/agetty -L 9600 ttyS0
-> reboot
-> connect serial nullmodem cable to serial port
-> use HyperTerminal / Tera Term ....
-> login, enjoy hacking over serial ;-)
Network Time protocol: NTP
linux: ntpdate <IP address>
linux packet: ntp-4.0.99k-15
#ntp time synchronization
30 1 * * * /usr/sbin/ntpdate ntp1.ptb.de
-----------------------------------------------
information from colleague F:
install ntp and put these 4 lines into /etc/ntp.conf
server xyz
multicastclient
driftfile /var/lib/ntp/drift/ntp.drift # path for drift file
logfile /var/log/ntp # alternate log file
-----------------------------------------------
#check difference
/usr/sbin/ntpq -c peers
net time /setsntp:"192.168.0.1"
net time /querysntp
Registry: see HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
update the time automatically:
net time \\w2ktsv /set /yes
program for Windows:
http://home.att.net/~Tom.Horsley/ntptime.html#Download%20NTPTime
LINUX:
hwclock --systohc #set the system time from the hardware clock
LINUX & NOTES
The most frequent question I get about Notes and Linux: If you are using
Windows NT, do not let WINE use your Windows NT directory as its "Windows"
directory (specified in wine.conf or wine.ini). Instead, point WINE at a Win95/98
directory or create a fake "Windows" directory and use that. If Lotus Notes complains
about missing DLLs, you can find the missing DLLs in the Lotus Notes installer
directories and put them in the Windows directory.
Howto (for systems that can dual-boot Linux and Win95/98/NT)
1. Boot into Win98/95/NT and install a copy of Lotus Notes client for Win32 on a
FAT or FAT32 drive partition.
2. If your notes.ini file is in your Windows directory, move it to your Notes executable
directory.
3. Boot into Linux and mount your FAT / FAT32 drive partitions. You may need to set
up entries in /etc/fstab for Linux to recognize and mount these partitions.
4. Verify that you have set up the X Window system and your window manager of
choice.
5. Download a copy of WINE (open-source Windows on UNIX) from
http://www.winehq.com/ WINE is evolving rapidly, each week brings new changes
and greater functionality, so it pays to stay current. WINE releases are named by
release date; releases before 981108 do not run Lotus Notes very well. You can
download binaries in .RPM format or download the source code and build it
yourself.
6. Create or edit the wine.ini file in your home directory. Make sure it includes
mappings for your Windows drives and that your Notes executable directory is on
the path. I run WINE as root (recommended!) so the file should be placed in
/root/wine.ini.
7. If you are using Windows NT, do not set your Windows NT system directory as the
Windows directory under WINE. WINE does not work well with the Windows NT
versions of system DLLs. Better to use an empty "Windows" directory instead.
8. Start the X Window system and your window manager.
9. Start Lotus Notes using WINE. You can start 'notes.exe'. My DOS D: drive
partition is visible to Linux as /mnt/windows, so: ./wine /mnt/windows/Lotus/Notes/notes.exe
comp.dcom.net-analysis
comp.dcom.net-management
comp.dcom.lans.ethernet
comp.dcom.fax
comp.dcom.servers
comp.dcom.sys.cisco
comp.dcom.vpn
comp.doc.management
comp.groupware.lotus-notes.programmer
comp.groupware.lotus-notes.admin
comp.groupware.lotus-notes.misc
comp.groupware.lotus-notes.apps
comp.os.linux.networking
comp.protocols.snmp
comp.unix.aix
comp.unix.shell
comp.lang.perl.tk
MRTG Latency script
> I'm looking for scripts to measure latency in my IP network. Can someone
> help ?
Well, since you didn't specify an operating system, I'll assume
that you're following in my footsteps and doing battle with NT4
as a server. Note that the following requires that you use the
ping.exe supplied with Windoze 95/98 instead of the useless ping
supplies with NT4. See the MRTG stuff somewhere on:
http://www.lns.com
which is from where I stole the script. I also have a somewhat
different version for Linux (RH 7.1) but which I can't get to
as I managed to break SSH and can't grab it.
------------
# MRTGPING.PL
# Plagiarized by Jeff Liebermann from original by Tim Pozar.
# 09/14/00 First hack for NT4.
$ipaddr = "NULL";
$ipaddr = $ARGV[0];
$numpings = 3;
if ($ipaddr eq "NULL"){
print "Usage mrtgping.pl [ipaddress]\n";
exit;
}
# Note that "ping95.exe" is the Windoze 95/98 version
# and not the useless ping supplied with NT4.
#
# Windoze ping will return...
# Minimum = 494ms, Maximum = 574ms, Average = 520ms
$result = `ping95 -n $numpings $ipaddr | find /i "average" `;
# Break result apart at the commas.
chop($result);
($Mins,$Maxs,$Avgs) = split(/,/,$result);
# Break each value apart at the = sign.
($Mint,$min) = split(/=/,$Mins);
($Maxt,$max) = split(/=/,$Maxs);
($Avgt,$avg) = split(/=/,$Avgs);
# Remove the "ms" at the end.
$min1 = substr($min,0,-2);
$max1 = substr($max,0,-2);
$avg1 = substr($avg,0,-2);
$min1 =~ s/ //g;
$max1 =~ s/ //g;
$avg1 =~ s/ //g;
# Belch results in 4 lines.
print "$avg1\n";
print "$max1\n";
print "0\n";
print "$ipaddr\n";
------------
If Perl is a bit of a heavy hammer, the following is what
I use on my SCO Unix OSR5 3.2v5.0.5 machines. The use of
the first ping return is intentional as I'm trying to plot
the latency of the Starband satellite flying cache, which
caches everything except the first packet.
#!/bin/sh
# by Jeff Liebermann 04/15/98
#
# Record ping times.
#
# Results of:
# ping -c 1 -s 1024 bloat
#
# PING bloat (192.168.111.30): 1024 data bytes
# 1032 bytes from bloat (192.168.111.30): icmp_seq=0 ttl=128 time=10 ms
#
# --- bloat ping statistics ---
# 1 packets transmitted, 1 packets received, 0% packet loss
# round-trip min/avg/max = 10/10/10 ms
# Really disgusting way to get rid of extra leading spaces
# by feeding it to a shell variable. Ugly at best.
#
# usage: whatever machine_name_or_ip
# i.e. whatever bloat.comix.santa-cruz.ca.us
#
retch=`ping -c 1 -s 1025 $1 | grep "time"` # extract line with ping time.
set $retch # break apart into fields using IFS separators
ping=`echo $8 | cut -c 6-` # extract ping time.
echo $ping # ping time=xxx
echo $ping # ping time=xxx
echo "0" # Filler
echo "0" # Filler
#
cat /etc/issue
evolution
rpm directory: /usr/src/packages/RPMS/s390/freeradius-1.0.0-1.s390.rpm
rpm -hiv --force --nodeps file.rpm #force it ;-)
rpm -q -a #list all install packages ..
rpm -qa --last #orders the package listing by install time such that the latest packages are at the top
rpm -q -p file.rpm #checks given rpm-files, see version number
rpm -q -p -i file.rpm #see information about given rpm-files
rpm -q -p -l file.rpm #listing of all files belonging to this package
rpm -q -l file.rpm #see files of installed .rpm file
rpm -q --requires file.rpm #->shows packages/libs that are needed
rpm -q --provides file.rpm #->shows packages/libs that will be installed by this package
rpm -Va #see missing files #verify ..
rpm -qf /usr/bin/smbmount #find out which package owns it
rpm -Fvh openssh*.rpm #Then, install the package using the following command to apply the update:
rpm -ba foobar-1.0.spec #building a rpm file
rpm -bb foobar-1.0.spec #building only binary rpm
- copy files specified in spec file to /usr/src/packages/BUILD
s390: stored under /usr/src/packages/RPMS/s390/
Use the command 'rpm/rpmbuild -ta dante-<version>.tar.gz' to build all rpm files.
rpm --rebuild src.rpm #make binary rpm => /usr/src/redhat
#force install of package from other architecture
rpm -iv --force --nodeps --ignorearch freeradius-IBM-bluegroup-1-14.s390.rpm
-> build "noarch" rpm
rpm -bb --target=noarch specfile
apt-get -sy upgrade
apt-get clean #remove unused packages
apt-get autoclean #remove unused packages
#problem with apt-get update under ubuntu
-> resolution:
The fix is just to back up sources.list, delete everything in it and run "apt-get update".
After the update replace sources.list with the backup and run "apt-get update" again. You should not get the error then.
-> another resolution:
sudo apt-get update -o Acquire::http::No-Cache=True
or
sudo apt-get update -o Acquire::BrokenProxy=true
RPM update of libraries:
To add the new library to the shared library cache you have to run
ldconfig(8) as root. Additionally every program that is linked with
libmcrypt needs to be restarted. ldd(1) can be used to find out which
libraries are used by a program.
Another way to determine which process uses a shared library that
had been deleted is:
lsof -n 2>/dev/null | grep RPMDELETE | cut -d " " -f 1 | sort | uniq
lsof - list open files
#vmstat
/usr/bin/vmstat 2 2 |tail -n 1 |awk '{print $3; print 100-$16}'
man -k keyword #search man pages by keyword
Linux disk performance
hdparm -v /dev/hdx #check settings
hdparm -t /dev/hdx #find out actual read speed
hdparm -d1 /dev/hdx #set DMA mode
hdparm -c1 /dev/hdx #set 32-bit access
#hard disk standby time:
hdparm -Sx /dev/hda
example:
hdparm -S60 /dev/sdc
/dev/sdc:
setting standby to 60 (5 minutes)
I just want masquerading! Help!
This is what most people want. If you have a dynamically allocated IP PPP dialup (if
you don't know, you do have one), you simply want to tell your box that all packets
coming from your internal network should be made to look like they are coming from the
PPP dialup box.
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat
# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Note that you are not doing any packet filtering here: for that, see the Packet
Filtering HOWTO: `Mixing NAT and Packet Filtering'.
#transparent proxy with squid
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#view with: iptables -L -t nat
cat /etc/hosts | sort -t'.' -n -k1,1 -k2,2 -k3,3 -k4,4
in ldap.conf, set the entry DEREF to FINDING or SEARCHING
WINE-Settings:
- Basic
- Window Mode: Integration of Wine with X: Unmanaged!!
- Advanced
- Look & Feel: Specialized Wine options: turn on:
- Use X shared memory
- Double-buffered desktop
copy file MFC42.DLL to $HOME/.wine/fake_windows/windows/system32
VMWARE
IO-Tuning - http://vmfaq.com/entry/25/
/etc/vmware/config
MemTrimRate=0
sched.mem.pshare.enable = "FALSE"
mainMem.useNamedFile = "FALSE"
prefvmx.minVmMemPct = "100"
---------
server 2.0 command-line:
vmrun -T server -h https://192.168.0.5:8333/sdk -u root -p xxx suspend "[standard] /opt/vmware/server.vmx"
vmrun -T server -h https://localhost:8333/sdk -u root -p xyz start "[standard] iga_navigator/Red Hat Enterprise Linux 4.vmx"
#add machine
vmrun -T server -h https://localhost:8333/sdk -u root -p xyz register "[standard] ipcop_mwendig/Other_Linux_2.6.x_kernel.vmx"
disable https redirect:
/etc/vmware/hostd/proxy.xml
1. change "httpsWithRedirect" to "httpAndHttps"
2. restart
08/2005:
vmware 4.5.2 on SuSE 9.3 links!!
with the vmware patch, compiling suddenly worked ;-))
http://www.vmware.com/community/thread.jspa?threadID=13817&filterOrder=DESC&tstart=0
http://www.linux-club.de/viewtopic.php?t=30855
-------------------------------------------------------
vmware - hangs problem
in vmx:
http://communities.vmware.com/thread/106917
#mwendig, added 20Feb2009, solves hanging problem
mainMem.useNamedFile = "FALSE"
sched.mem.pshare.enable = "FALSE"
MemTrimRate = "0"
Installing VMware Tools from the Command Line with the RPM Installer
http://www.vmware.com/support/ws5/doc/ws_newguest_tools_linux.html
The first steps are performed on the host, within Workstation menus:
1. Power on the virtual machine.
2. After the guest operating system has started, prepare your virtual machine to install VMware Tools.
Choose VM > Install VMware Tools.
The remaining steps take place inside the virtual machine.
3. As root (su -), mount the VMware Tools virtual CD-ROM image, change to a working directory (for example, /tmp), uncompress the installer, then unmount the CD-ROM image.
Note: Some Linux distributions automatically mount CD-ROMs. If your distribution uses automounting, do not use the mount and umount commands below. You still must untar the VMware Tools installer to /tmp.
Some Linux distributions use different device names or organize the /dev directory differently. If your CD-ROM drive is not /dev/cdrom or if the mount point for a CD-ROM is not /mnt/cdrom, you must modify the following commands to reflect the conventions used by your distribution.
mount /dev/cdrom /mnt/cdrom
cd /tmp
Note: If you have a previous installation, delete the previous vmware-distrib directory before installing. The default location of this directory is
/tmp/vmware-tools-distrib.
4. At the command prompt, enter:
rpm -Uhv /mnt/cdrom/VMwareTools-5.0.0-<xxxx>.i386.rpm
umount /dev/cdrom
Where <xxxx> is the build/revision number of the VMware Workstation release.
Note: If you attempt to install an rpm installation over a tar installation — or the reverse — the installer detects the previous installation and must convert the installer database format before continuing.
5. Configure VMware Tools:
vmware-config-tools.pl
Respond to the questions the installer displays on the screen
change user settings, for a directory:
ls -l |awk '{print "chown -R " $9 " " $9}' >test.sh
cardmgr ident -> see cards detected ..
/etc/pcmcia/config #have to match cardmgr ident ..
this is how it works on the 770X
=> /etc/sysconfig/pcmcia => change PCMCIA_SYSTEM="kernel" to "external"
Tracing / debugging
ldtrc on
slapd -h 65535
errors under /tmp/slapd.error ..
db2:
db2 "create db ldapdb2 on /home/ldapdb2 using codeset UTF-8 territory US"
#missing libraries for redhat ...:
compat-libstdc++-6.2-2.9.0.16.i386.rpm
pdksh-5.2.14-13.i386.rpm
ldap-dmtjavad-4.1-1.i386.rpm #for script ldapcfg
environment:
file: ~/.bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin
BASH_ENV=$HOME/.bashrc
USERNAME="root"
export USERNAME BASH_ENV PATH
# The following three lines have been added by UDB DB2.
if [ -f /home/ldapdb2/sqllib/db2profile ]; then
. /home/ldapdb2/sqllib/db2profile
fi
DB control center under Linux:
db2cc
ldapcfg:
ldapcfg -l /home/ldapdb2 -o
ldapcfg -l /home/ldapdb/ -a ldapdb -w passwort -d ldabdb
!!!!
On SuSE 7.0 and Red Hat 7.2 on Linux for S/390 with kernel level 2.4.x, you
must download and install the compat-libstdc++-2.10.0-1.s390.rpm package. This
package contains compatibility Standard C++ libraries that allow older binaries
(created with old versions of compilers) to execute.
Even after this change, the ldapcfg, ldapucfg and ldapxcfg programs fail on
both SuSE 7.0 and Red Hat 7.2 systems. To correct the problem, edit the
/usr/ldap/bin/ldapcfg script to uncomment the following line by removing the
# in the first column of the line:
export LD_PRELOAD=/usr/lib/libstdc++-libc6.2-2.so.3
You must specify the absolute path of the library.
################
db2 setup a database instance manually
important directory for instance commands
/opt/IBM/db2/V8.1/instance
#list instances
./db2ilist
#create an DB2 instance
./db2icrt -a SERVER -p 50000 -s ESE -w 32 -u ldapdb2 ldapdb2
#setup autostart of instances
./db2iauto -on ldapdb2
#startup database
su - ldapdb2
db2start
#db2 registry files .. see instances etc.
/var/db2/global.reg
su - db2inst1 -c /opt/db2inst1/sqllib/adm/db2start
db2 init.d script (for stop / start):
#!/bin/sh
# chkconfig: 35 98 02
# description: Start and Stop IBM's db2 dbms.
# Set the path.
BASE=/opt/ibm/db2
VERSION=V9.1
INSTANCE=/opt/db2inst1
PATH=/sbin:/bin:/usr/bin:/usr/sbin
#Check we have the start and stop programs.
test -x $INSTANCE/sqllib/adm/db2start || exit 0
test -x $INSTANCE/sqllib/adm/db2stop || exit 0
test -x $BASE/$VERSION/bin/db2 || exit 0
case "$1" in
start)
echo -n 'Starting IBMdb2 daemons: '
su - db2inst1 -c $INSTANCE/sqllib/adm/db2start
echo
;;
stop)
# We first try twice to kill all existing applications.
# There really should be none most of the time.
echo 'Stopping IBMdb2 daemons: '
su - db2inst1 -c "$BASE/$VERSION/bin/db2 FORCE APPLICATION ALL"
sleep 2
su - db2inst1 -c "$BASE/$VERSION/bin/db2 FORCE APPLICATION ALL"
sleep 2
su - db2inst1 -c $INSTANCE/sqllib/adm/db2stop
echo
;;
reload|restart)
$0 stop
sleep 3
$0 start
;;
*)
echo "Usage: /etc/rc.d/init.d/IBMdb2 {start|stop|restart|reload}"
exit 1
esac
#-----------------------------------------------------------------------
# Exit successfully.
#-----------------------------------------------------------------------
exit 0
stunnel -d 127.0.0.1:636 -r ldaphost1:636 -c -C 'DHE-DSS-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:RC4-64-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-RC4-MD5:EXP-RC4-MD5:EXP-RC4-MD5'
stunnel -D 7 -d localhost:3389 -r ldaphost1:636 -C EXP-RC4-MD5 -c
stunnel
To build a new pem, execute the following OpenSSL command:
/usr/bin/openssl req -new -x509 -days 365 -nodes \
-config /usr/share/doc/packages/stunnel/stunnel.cnf \
-out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem
for i in `ls`; do ls -l $i;done
linux-backup
tar -tvf /dev/st0
tar -cvf /dev/st0 /home/mwendig/
mt -f /dev/st0 erase #delete tape
mt -f /dev/st0 rewind #rewind tape
mt -f /dev/st0 tell #Find out what block you are at with mt command:
mt -f /dev/st0 offline #unload the tape
mt -f /dev/st0 status #Display status information about the tape unit:
rsync -av /src /dest
rsync -uav /src dest #update modus
rsync -uvzcae ssh /home/myuser/log_analysis user@lnxuar04:/home/myuser/log_analysis
/usr/bin/rsync -uvzca -e 'ssh -i /home/myuser/.ssh/id_rsa' -rtpvz --stats --sa
loganalysis
cat run_loganalysis.sh
#!/bin/sh
filename=`date | awk '{print $6"_"$3"_"$2"_logAnalysis.log"}'`
#echo $filename
/usr/local/bin/log_analysis -f /opt/conf/mw_log_analysis.conf -o /opt/web/log_analysis/$filename -m user\@mail.de
chmod 755 /opt/web/log_analysis/$filename
3ware sata raid
tw_cli #command line on linux
/c0 show all
/c0 Driver Version = 2.26.02.008
/c0 Model = 9550SXU-4LP
/c0 Available Memory = 112MB
/c0 Firmware Version = FE9X 3.04.01.011
/c0 Bios Version = BE9X 3.04.00.002
/c0 Boot Loader Version = BL9X 3.02.00.001
/c0 Serial Number = L320909A6450913
/c0 PCB Version = Rev 032
/c0 PCHIP Version = 1.60
/c0 ACHIP Version = 1.90
ps ax |grep D
PID TTY STAT TIME COMMAND
5438 ? Ss 0:00 smbd -D
5441 ? Ss 0:01 nmbd -D
5503 ? S 0:00 smbd -D
32141 pts/2 S+ 0:00 grep D
mdadm --query --detail /dev/md0
on windows, use dhcploc.exe
>> https://gallery.technet.microsoft.com/DHCPLOC-Utility-34262d82
-----------------------------
on linux, you can use:
1.)
perl script https://sourceforge.net/projects/roguedetect/files/roguedetect/0.3/
(march 2017 >> problems getting it running on centos 7 >> error (tap) Can't get interface IP address at /usr/lib64/perl5/Net/RawIP.pm line 223.
2.) nmap script
https://nmap.org/nsedoc/scripts/broadcast-dhcp-discover.html
these commands were used to clean up an Ubuntu 16 installation, removing X Window related packages
- remove x11 and components belonging to x11: apt-get purge libx11.* libqt.*
- sudo apt-get autoremove # uninstall unneeded packages
- sudo apt-get autoclean # delete packages no longer installed
>> just use mount --bind
example: show up directory /var/log/apache2 under user home /home/loguser
1.) create directory /home/loguser/show_apache2_log_dir
2.) mount the directory by using command:
mount --bind /var/log/apache2 /home/loguser/show_apache2_log_dir
>> to have the directory mounted after system reboot put the mount command to startup file >> /etc/rc.local
ls /sys/class/net/
>> shows which nics are there, e.g:
br0 lo p5p1
>> p5p1 .. nothing was shown when running kernel 4.4.0-93
lspci -nnk | grep -iA3 net
>> shows the ethernet device and which driver is loaded
>> here no driver was loaded
>> when starting a later kernel, you see the module and the driver is loaded
kernel 4.4.0-96 contains the module r8169 (check with modinfo r8169)
>> /lib/modules/4.4.0-96-generic/kernel/drivers/net/ethernet/realtek/r8169.ko
>> solution: upgraded just to 4.4.0-97 ;-))
(1)
when executing: /opt/amdgpu-pro/bin/clinfo
you get:
terminate called after throwing an instance of 'cl::Error'
what(): clGetPlatformIDs
Abgebrochen (Speicherabzug geschrieben)
(2) using the command dmesg you see:
[ 4.909396] [drm:amdgpu_init [amdgpu]] *ERROR* VGACON disables amdgpu kernel modesetting.
GRUB boot line: linux /boot/vmlinuz-4.4.0-97-generic root=UUID=... ro nomodeset text
>> we need to remove nomodeset and text from the boot parameters,
after that clinfo was running fine
to configure it permanently, in file /etc/default/grub:
#GRUB_CMDLINE_LINUX_DEFAULT="text"
GRUB_CMDLINE_LINUX_DEFAULT=""
#GRUB_CMDLINE_LINUX="nomodeset"
GRUB_CMDLINE_LINUX=""
>> after modifying this file you need to run "update-grub"
#wake on lan inuc (works with latest intel bios + driver under windows 10)
inuc1: etherwake -i br0 94:c6:91:14:62:03
inuc2: etherwake -i br0 94:C6:91:14:68:2c
#shutdown windows 10 remotely
idea: use the samba-common package on linux and then the command "net rpc shutdown"
settings on windows 10 to get it running:
problem 1: Connection failed: NT_STATUS_IO_TIMEOUT
solution : open windows firewall port 445 for the linux machine
problem 2: Could not initialise pipe winreg. Error was NT_STATUS_OBJECT_NAME_NOT_FOUND
solution : enable the remote registry service:
sc config RemoteRegistry start=auto
sc start RemoteRegistry
problem 3: you get the error WERR_CALL_NOT_IMPLEMENTED on linux
solution: registry editor
>> HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
>> create a DWORD value named LocalAccountTokenFilterPolicy >> set the value to 1
execute shutdown on linux
net rpc shutdown -f -t0 -S inuc1 -U user%password
net rpc shutdown -f -t0 -S inuc2 -U user%password
screen - terminal multiplexer (sessions keep running after you disconnect)
start a process that should run in its own screen session:
- screen -dmS <myscreensessionname> tail -f /var/log/messages
see which screen instances are running:
- screen -list
resume a detached screen session:
- screen -r <myscreensessionname>
detach session when session is active:
- <ctrl> + <a>, then <d>
when you get error "Cannot open your terminal '/dev/pts/0' - please check":
- script /dev/null
1: yum install cpan
2: cpan install Net::SSH::Perl
see also: https://stackoverflow.com/questions/7011160/whats-does-the-perl-error-cant-locate-net-ssh-perl-pm-mean
problem: message log shows denial of service
https://servereye.freshdesk.com/support/solutions/articles/14000079910-qnap-nas-meldet-dos-attacke-durch-den-sensor
setcfg SNMP EnableDetectDDoS FALSE
# /etc/init.d/snmp restart
---
see the parameters on qnap system / console
>> file: /etc/config/uLinux.conf
>> section:
[SNMP]
Server Enable = TRUE
Service Enable = TRUE
Listen Port = 161
Trap Community = elbpublic
Event Mask 1 = 0
Trap Host 1 =
Event Mask 2 = 0
Trap Host 2 =
Event Mask 3 = 0
Trap Host 3 =
Version = 1
Auth Type = 0
Auth Protocol = 0
Priv Protocol = 0
User = test
Auth Key =
Priv Key =
https://humdi.net/vnstat/
vnStat is a console-based network traffic monitor for Linux and BSD that keeps a log of network traffic for the selected interface(s). It uses the network interface statistics provided by the kernel as information source. This means that vnStat won't actually be sniffing any traffic and also ensures light use of system resources.
when trying to connect to an old ssh server, you get the message:
no matching cipher found. Their offer: des,3des-cbc
Solution (for this one connection only):
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc <ip>
------------------------
other options -> in user ssh config file
example:
cat /root/.ssh/config
Host 192.168.1.100
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
-----------------------
globally, in the system-wide ssh config file, something like this (this re-enables the legacy algorithms for every connection, so the per-host entry above is the safer option):
#Legacy changes
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes128-cbc
#!/bin/bash
# findDoSVisitor
#
# useful if CPU is very high .. find out the visitor which causes the most
# network activity (connections to port 443, busiest source address last)
#
# the port is stripped from the right end, so IPv6 peers stay intact
netstat -an | grep ':443 ' | awk '{print $5}' | sed 's/:[0-9*]*$//' | sort | uniq -c | sort -nk 1
###########################
#!/bin/bash
# blockIPaddress.sh
#
# block an IP address from accessing port 443
#
if [ -z "$1" ]
then
echo "usage: blockIPaddress.sh <IP>"
exit 1
fi
iptables -A INPUT -p tcp --dport 443 -i eth0 -s "$1" -j DROP
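As an added example (not part of the original notes), the same per-source count as a function that keeps IPv6 peers intact, plus an address check to run before an argument reaches iptables; the netstat lines, the interface name eth0 and the function names are constructed here.

```shell
#!/bin/bash
# Added example, not from the original notes: count connections per remote
# address and validate an address before it is handed to iptables.

# Constructed sample of `netstat -anp` output (columns as netstat prints them).
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:443        203.0.113.7:51234       ESTABLISHED 1234/apache2
tcp        0      0 10.0.0.5:443        203.0.113.7:51235       ESTABLISHED 1234/apache2
tcp        0      0 10.0.0.5:443        203.0.113.7:51236       ESTABLISHED 1234/apache2
tcp        0      0 10.0.0.5:443        198.51.100.2:40000      ESTABLISHED 1234/apache2
tcp        0      0 0.0.0.0:443         0.0.0.0:*               LISTEN      1234/apache2
tcp6       0      0 2001:db8::5:443     2001:db8::99:60001      ESTABLISHED 1234/apache2
tcp6       0      0 2001:db8::5:443     2001:db8::99:60002      ESTABLISHED 1234/apache2
tcp        0      0 10.0.0.5:22         203.0.113.7:51300       ESTABLISHED 999/sshd'

# Read netstat lines on stdin and print "count address" for every peer with an
# ESTABLISHED connection to local port $1 (default 443), busiest peer last.
# The port is removed from the right end of the peer column, so an IPv6
# address is not cut at its first colon the way `cut -d: -f1` does.
top_sources() {
  port="${1:-443}"
  awk -v port="$port" '
    $6 == "ESTABLISHED" && $4 ~ (":" port "$") {
      peer = $5
      sub(/:[0-9]+$/, "", peer)      # drop the ephemeral port
      print peer
    }' | sort | uniq -c | sort -n -k 1,1
}

# Address of the peer with the most connections in the sample above.
busiest_sample_peer() {
  printf '%s\n' "$SAMPLE_NETSTAT" | top_sources 443 | tail -n 1 | awk '{print $2}'
}

# Accept only a dotted-quad IPv4 address: exactly four numeric octets, each
# 0-255. Anything else (a trailing "-j ACCEPT", an empty string, a hostname)
# is rejected, so the caller never passes a stray word on to iptables.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1
      exit 0 }'
}

# Hardened variant of blockIPaddress.sh: validate first, then drop traffic
# from the address to port 443 (interface eth0 is an assumption, as above).
block_ip() {
  if ! valid_ipv4 "$1"; then
    echo "usage: block_ip <IPv4 address>" >&2
    return 1
  fi
  iptables -A INPUT -p tcp --dport 443 -i eth0 -s "$1" -j DROP
}
```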
while true; do cat /proc/cpuinfo |grep -i mhz; sleep 2; done
shred - overwrite with random data
e.g. overwrite the whole harddisk /dev/sdb 1 time:
sudo shred -vn 1 /dev/sdb
e.g. overwrite just a partition /dev/sdb3 1 times:
sudo shred -vn 1 /dev/sdb3
#use case: a linux system behind a firewall or dsl router connects to a cloud server and opens up a reverse tunnel,
# so that someone can access the system from the cloud server
#(access via ssh private / public key)
#
# - improvement when the host key is changed at the target host >> use option -o UserKnownHostsFile=/dev/null, otherwise the port forwarding will get disabled if ssh detects a new host key!
#cron jobs
*/5 * * * * /root/bin/checkSSH2Outside.sh >>/var/log/checkSSH2Outside.log
1 23 1 * * gzip -f /var/log/checkSSH2Outside.log >/dev/null
5 9,12,15,18,21,0 * * * /root/bin/killSSH.sh >/dev/null 2>/dev/null
#cat /root/bin/checkSSH2Outside.sh
#!/bin/bash
ts=$(date)
# count running tunnel processes (the grep processes themselves never match all three patterns)
num=$(ps -ef | grep ssh | grep mydomain | grep 17000 | wc -l)
echo "$ts Number of found ssh processes = $num."
if [ "$num" -ge 1 ] ; then
echo "$ts Processes to outside are already running."
else
echo "$ts No processes found >> starting"
# -N: no remote command; -R: forward port 17000 on the cloud server to local port 22
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ServerAliveInterval=300 -N -p 10022 -R 17000:localhost:22 user@mydomain.de
fi
#/root/bin/killSSH.sh
#kill the tunnel (port 17000, as in checkSSH2Outside.sh) so that the next cron run re-establishes it
ps -ef | grep '[s]sh.*17000' | awk '{print $2}' | xargs -r -n 1 kill
########################################
# rsync / ssh jail for linux on centos
########################################
- create user backup01 and set the home directory to /home/backup01/jail_backup in /etc/passwd:
backup01:x:501:502:backup01:/home/backup01/jail_backup:/bin/bash
- create jail directory
mkdir /home/backup01/jail_backup
chown root.root /home/backup01
chown root.root /home/backup01/jail_backup
- create the backup directory for the user with user rights (backupdir1, the rsync target used below)
mkdir /home/backup01/jail_backup/backupdir1
chown backup01.backup01 /home/backup01/jail_backup/backupdir1
- changes in /etc/ssh/sshd_config:
Match User backup01
ChrootDirectory /home/backup01/jail_backup
AllowTcpForwarding no
X11Forwarding no
- restart ssh: /etc/init.d/sshd restart
- prepare isolated environment for user
use script: setup.chroot.for.rsync.sh ( get the script from here: https://tools.deltazero.cz/server/setup.chroot.for.rsync.sh )
>> run it from directory: /home/backup01/jail_backup/
- test user:
ssh backup01@localhost
- test rsync (use -n for a dry run):
rsync -uvzca -n -e 'ssh' messages* backup01@localhost:backupdir1
mssql connection from a linux server using odbc.
installation for centos 7:
- yum install unixodbc freetds
- /etc/odbcinst.ini
[FreeTDS]
Driver=/usr/lib64/libtdsodbc.so.0
Setup=/usr/lib64/libtdsS.so.2
FileUsage=1
UsageCount=1
- /etc/odbc.ini for example:
[db01]
Driver=FreeTDS
Description=db01
Trace=No
Server=192.168.1.111
Port=1433
Database = Database1
- try the connection using: isql -v db01 dbuser <password>
- php example ($dsn, for example "db01", $database, $user and $pwd are set before):
$conn = odbc_connect("Driver=FreeTDS;DSN=$dsn;Database=$database", $user, $pwd);
if (!$conn){
print '<h2> Error: Unable to connect to Database. </h2>';
}else{
$query = 'SELECT * from orders';
$result = odbc_exec($conn, $query);
while(odbc_fetch_row($result)){
$customer=utf8_encode(odbc_result($result, 1));
$title=utf8_encode(odbc_result($result, 2));
$customer_name=utf8_encode(odbc_result($result, 13));
$order_status1=utf8_encode(odbc_result($result, 14));
}
odbc_close($conn);
}
----------------------------------------
- see also https://zend18.zendesk.com/hc/en-us/articles/218197897-Configuring-a-Linux-Server-to-Connect-to-an-MSSQL-Database-Using-ODBC
LP 4235
https://www.triumph-adler.de/ta-de-de/produkte/produkte/produktdetails/katalog/drucksysteme/lp-4235-126910
>> download driver
>> /Downloads/LinuxPackagesTA/LP 3235_LP 4235 series/64bit/EU/German$
>> LP3235.PPD
cups settings:
Driver: LP 3235_LP 4235 (KPDL) (black and white, two-sided printing)
Connection: socket://192.168.178.2:9100
Default settings: job-sheets=none, none media=iso_a4_210x297mm sides=two-sided-long-edge
how to see all dhcp requests and offers from the linux command line:
tcpdump -pvn 'port 67 and port 68'
examples:
socat TCP-LISTEN:3389,fork TCP:192.168.2.15:3389 &
socat TCP-LISTEN:12000,fork TCP:192.168.2.15:6556 &
socat TCP-LISTEN:3389,fork TCP:192.168.2.135:3389
allow only a specific source address to access the listening port:
socat tcp4-listen:4343,fork,su=nobody,range=10.100.100.10/32 TCP:localhost:4343
>> in the example above only 10.100.100.10 is allowed to connect to port 4343 (su=nobody drops privileges after the port is bound)
#!/bin/bash
###################################################################
#
# mountSMBgio.sh
#
# use gio mount to mount smb shares in the user scope, and link
# the mounted path to a defined directory
#
# gio is the successor of gvfs and is used since Ubuntu 18.04LTS.
# gio is also used in Linux Mint: https://linuxmint.com/
#
# gio stands for Gnome Input / Output library
#
# credentials need to be stored in the home directory - file .smbcredentials:
#
# format of file .smbcredentials (one item per line, read by gio mount from stdin):
# USER
# Active Directory Domain / leave empty if there is no Active Directory
# PASSWORD
#
#
###################################################################
MOUNTDIR=~/mnt-photos
SMBSRV=storage1
SMBDIR=photos
#gio mount, credentials come from the file
gio mount "smb://$SMBSRV/$SMBDIR" <~/.smbcredentials
#gvfs mount point of the share
DIR="/run/user/$UID/gvfs/smb-share:server=$SMBSRV,share=$SMBDIR"
#echo $DIR
#set link to mount-point (-sfn replaces an existing link on the next run)
ln -sfn "$DIR" "$MOUNTDIR"
##helpful commands
#see gio mounts
#gio mount -l -i
- lynis, an auditing and rootkit scanner
apt-get install lynis > after that run command: lynis audit system
- chkrootkit
apt-get install chkrootkit > run with chkrootkit
- rkhunter - a linux rootkit scanner
apt-get install rkhunter > run with rkhunter -c
- clamav - open source antivirus
apt-get install clamav > update the signatures with freshclam > clamscan -r -i <directory>
- the dig command is usually available on linux systems
- dig stands for: domain information groper
##########################
# dig samples
##########################
- just A records: dig ibm.com
- see mx records: dig ibm.com mx
- see soa records: dig ibm.com soa
- see txt records: dig ibm.com txt (here you find probably some spf records)
- see serial number of dns record from google dns server 8.8.8.8: dig @8.8.8.8 +noall +answer +multiline computer2know.de any
see also:
https://www.elektronik-kompendium.de/sites/raspberry-pi/2204031.htm
-----------------
steps:
1) find out installed version:
cat /etc/issue
>>Raspbian GNU/Linux 8 \n \l
>> find out the names: https://en.wikipedia.org/wiki/Raspberry_Pi_OS
Debian 8 = Jessie
Debian 9 = Stretch
Debian 10 = Buster
>> we have Raspbian 8 >> let's upgrade to Raspbian 9
>> Jessie > Stretch
2) install latest packages:
sudo apt-get update
sudo apt-get dist-upgrade
3) package repositories
/etc/apt/sources.list
>> deb http://mirrordirector.raspbian.org/raspbian/ stretch main contrib non-free rpi
(comment out the other lines!)
/etc/apt/sources.list.d/raspi.list
>> deb http://archive.raspberrypi.org/debian/ stretch main ui
(comment out the other lines!)
4) get new packages
sudo apt-get update
5) do the release upgrade
sudo apt-get upgrade
sudo apt-get dist-upgrade
6) clean up after upgrade
sudo apt-get autoremove
sudo apt-get autoclean
7) restart of the machine
sudo reboot
ubuntu LTS 20.04
check for bad harddrive (hdd) sectors:
#search for bad blocks
1) badblocks -v /dev/sdc > /tmp/sdc_badblocks.log
#tell the filesystem not to use the bad blocks anymore (run on the unmounted filesystem)
2) fsck -l /tmp/sdc_badblocks.log /dev/sdc
#ubuntu 20.x: disable sleep / suspend / hibernate
systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
Ubuntu 20.04.2 LTS >> set timezone
to New York:
sudo timedatectl set-timezone America/New_York
to Berlin:
sudo timedatectl set-timezone Europe/Berlin
Debian GNU/Linux 10 - antivirus clamav error message Could not resolve host: clamav.securiteinfo.com
error message:
curl: (6) Could not resolve host: clamav.securiteinfo.com
solution:
>> directory /usr/share/clamav-unofficial-sigs/conf.d/
>> file: 00-clamav-unofficial-sigs.conf
>> comment out the securiteinfo.hdb line in this section:
# ========================
# SecuriteInfo Database(s)
# ========================
# Add or remove database file names between quote marks as needed. To
# disable any SecuriteInfo database downloads, remove the appropriate
# lines below. To disable all SecuriteInfo database file downloads,
# comment all of the following lines.
si_dbs="
honeynet.hdb
# securiteinfo.hdb
securiteinfobat.hdb
securiteinfodos.hdb
securiteinfoelf.hdb
securiteinfohtml.hdb
securiteinfooffice.hdb
securiteinfopdf.hdb
securiteinfosh.hdb
"
>> the line securiteinfo.hdb is commented out as shown above
>> now run the command: /usr/sbin/clamav-unofficial-sigs
unknown port tcp 4190 on linux?
tcp 0 0 0.0.0.0:4190 0.0.0.0:* LISTEN
using netstat:
netstat -natop |grep 4190
tcp 0 0 0.0.0.0:4190 0.0.0.0:* LISTEN 274/dovecot aus (0.00/0/0)
>> this belongs to dovecot and is the managesieve remote management port, which we don't need!
to remove it, just uninstall the managesieve package:
apt-get purge dovecot-managesieved
or bind tcp 4190 to localhost only
see also: https://blog.tausys.de/2015/06/17/dovecot-offenen-externen-port-managesieve-entfernen/
problem: ubuntu 14.04.6 > certbot gets an ssl error when connecting (this happened after letsencrypt renewed their own root certificates)
openssl s_client -servername acme-staging-v02.api.letsencrypt.org -connect acme-staging-v02.api.letsencrypt.org:443
verify error:num=20:unable to get local issuer certificate
#get the root + intermediate certificate via web browser and store them in .crt files > put them on the linux machine
root@LaboProdApp01:/usr/local/share/ca-certificates# ls
letsencrypt-inter-r3.crt letsencrypt-isrg-root-x1.crt
#run command
update-ca-certificates
Running hooks in /etc/ca-certificates/update.d....
Adding debian:letsencrypt-inter-r3.pem
Adding debian:letsencrypt-isrg-root-x1.pem
>>> creates the "big" /etc/ssl/certs/ca-certificates.crt file that is used by the openssl tools
go to the cpan build directory, for example:
/root/.cpan/build/Net-SSH-Expect-1.09-dIBvM1
[root@mysystem Net-SSH-Expect-1.09-dIBvM1]# perl Makefile.PL INSTALL_BASE=/opt/mydir/bin/perl-lib
make
Skip blib/lib/Net/SSH/Expect.pod (unchanged)
Skip blib/lib/Net/SSH/Expect.pm (unchanged)
Manifying 1 pod document
[root@mysystem Net-SSH-Expect-1.09-dIBvM1]# make install
Manifying 1 pod document
Installing /opt/mydir/bin/perl-lib/lib/perl5/Net/SSH/Expect.pod
Installing /opt/mydir/bin/perl-lib/lib/perl5/Net/SSH/Expect.pm
Installing /opt/mydir/bin/perl-lib/man/man3/Net::SSH::Expect.3pm
Appending installation info to /opt/mydir/bin/perl-lib/lib/perl5/x86_64-linux-thread-multi/perllocal.pod
in your perl script you need to add the lib at the beginning:
use lib "/opt/mydir/bin/perl-lib/lib/perl5";
>> copy the "smart" script to the plugin directory:
cp /omd/versions/default/share/check_mk/agents/plugins/smart /usr/lib/check_mk_agent/plugins/
yum update fails ...
Error:
Problem: cannot install both graphviz-2.40.1-43.el8.x86_64 and graphviz-2.40.1-40.el8.x86_64
- package graphviz-gd-2.40.1-40.el8.x86_64 requires graphviz = 2.40.1-40.el8, but none of the providers can be installed
- cannot install the best update candidate for package graphviz-2.40.1-40.el8.x86_64
- problem with installed package graphviz-gd-2.40.1-40.el8.x86_64
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
##this command helps a bit to get the system updated
yum update --skip-broken --nobest
##but the error still exists,
##what to do now? > maybe disable a repository?!
##show which repositories are enabled:
yum repolist enabled
Paketquellen-ID Paketquellen-Name:
appstream CentOS Linux 8 - AppStream
baseos CentOS Linux 8 - BaseOS
epel Extra Packages for Enterprise Linux 8 - x86_64
epel-modular Extra Packages for Enterprise Linux Modular 8 - x86_64
extras CentOS Linux 8 - Extras
>> solution: disable the CentOS-Linux-AppStream repo
>> set enabled=0
cat /etc/yum.repos.d/CentOS-Linux-AppStream.repo
[appstream]
name=CentOS Linux $releasever - AppStream
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=AppStream&infra=$infra
#baseurl=http://mirror.centos.org/$contentdir/$releasever/AppStream/$basearch/os/
gpgcheck=1
#disabled because of conflict
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
ubuntu 20 lts - manual file system check
(1)
download a "SystemRescue" system "iso", like for example:
https://sourceforge.net/projects/systemrescuecd/
(2)
boot from the iso
(3)
find your partition that you want to check
-> for LVM use the commands:
(3-1):
lsblk
>> you see a structure like:
# lsblk
NAME                      MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                         8:0    0   10G  0 disk
└─sda1                      8:1    0   20G  0 part
  └─ubuntu--vg-ubuntu--lv 253:0    0 1999G  0 lvm  /
sr0                        11:0    1 2024M  0 rom
or
(3-2):
lvscan
ACTIVE '/dev/ubuntu-vg/ubuntu-lv' [<..GB] inherit
[if it is not active run: lvchange -ay /dev/ubuntu-vg/ubuntu-lv ]
(4)
now check the filesystem:
fsck.ext4 -cfv /dev/ubuntu-vg/ubuntu-lv
##hints:
https://www.thomas-krenn.com/de/wiki/FSCK_Best_Practices
multipathd failed to get udev uid / failed to get sysfs uid / - how to disable
this error comes very often in /var/log/syslog:
Nov 18 15:38:08 cloud multipathd[763]: sda: add missing path
Nov 18 15:38:08 cloud multipathd[763]: sda: failed to get udev uid: Invalid argument
Nov 18 15:38:08 cloud multipathd[763]: sda: failed to get sysfs uid: Invalid argument
Nov 18 15:38:08 cloud multipathd[763]: sda: failed to get sgio uid: No such file or directory
>> how to disable:
add a blacklist section to file:
/etc/multipath.conf
defaults {
user_friendly_names yes
}
blacklist {
devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st|sda)[0-9]*"
}
don't forget to restart the service: /etc/init.d/multipath-tools restart
error message:
I/O error, dev fd0, sector 0 op 0x0
(1) disable floppy in /etc/fstab
disable the line with /dev/fd0 by inserting a hashtag "#"
(2) disable modprobe
/etc/modprobe.d/blacklist.conf
>> insert a new line with:
blacklist floppy
(3) reboot
error message (apt, German locale):
Der dpkg-Prozess wurde unterbrochen; Sie müssen manuell »dpkg --configure -a« ausführen, um das Problem zu beheben.
root@system:~# dpkg --configure
dpkg: Fehler: --configure benötigt mindestens ein Paketnamen-Argument
#solution that may help
>> run apt-get -f install
virtual linux ubuntu 20 - how to increase / root partition
problem:
not enough space in: /dev/mapper/ubuntu--vg-ubuntu--lv
solution:
1) increase harddrive in hosting environment (for example in vmware)
2) boot virtual linux system
3) cfdisk > resize partition
4) resize pvs: pvresize /dev/sda3
5) extend logical volume: lvextend -l +100%FREE /dev/mapper/ubuntu--vg-ubuntu--lv
6) finally resize the filesystem: resize2fs /dev/mapper/ubuntu--vg-ubuntu--lv
7) check with: df -h
see also:
- https://kb.vander.host/operating-systems/how-to-resize-an-ubuntu-18-04-lvm-disk/
- https://packetpushers.net/ubuntu-extend-your-default-lvm-space/
scenario: copy a virtual linux system and give the new system another ip address
1) find out the new mac address (for example in the vmware settings)
2) disconnect network interface and boot up the system
3) make changes in this files
---- /etc/hosts #maybe change ip
---- /etc/sysconfig/network-scripts/ifcfg-eth0 #change mac to new mac + ip
---- /etc/udev/rules.d/70-persistent-net.rules #change mac to new mac
4) shutdown system
5) connect interface > start system > ping + tests
firewall-cmd could be used for example on linux centos or red hat
(1) remove old rule, that allows all source addresses (if there is such a rule)
firewall-cmd --zone=public --remove-port=8443/tcp --permanent
(2) add a rule that allows only the specific source address
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="172.20.4.69/32" port protocol="tcp" port="8443" accept'
(3)
firewall-cmd --reload
ubuntu linux system - big size of directory /var/log/journal/
1) determine the size of the directory:
1.1) with command journalctl:
journalctl --disk-usage
>> for example: Archived and active journals take up 4.0G in the file system.
1.2) with command du (disk usage)
du -s -h /var/log/journal/
>>> for example: 4,1G /var/log/journal/
2) check settings in configfile: /etc/systemd/journald.conf
>> set max use size, for example to 1G:
SystemMaxUse=1000M
3) restart service >> this will cleanup to specified size / or age
service systemd-journald restart
HPE Intelligent Management Center - things to know
- Linux: Start Deployment Monitoring Agent
/opt/iMC/deploy/dma.sh
- Features released in IMC PLAT 7.3 (E0706)
The default password for the administrator changes to Pwd@12345 when you install IMC.
- TCL scripts for backup / update and more: %IMCDIR%/server/conf/adapters/ICC
directory under linux for example: /opt/iMC/server/conf/adapters/ICC/Hewlett Packard/HPProcurve2500
##################################################################
# HPE IMC - using SFTP / SCP to upload firmware
##################################################################
if you need to debug SFTP / SCP process there are log files under
/opt/iMC/server/conf/log/*.log ....
These logs are a bit confusing .. so sometimes it makes sense to understand
how the copy process works when done manually. Therefore some testing was done. Here comes the result:
-----------------------
prerequisites
-----------------------
To turn on the secure copy feature it is necessary to set "ip ssh filetransfer" on the switch:
using the command show ip ssh, you see the settings:
(config)# show ip ssh
SSH Enabled : Yes Secure Copy Enabled : Yes
TCP Port Number : 22 Timeout (sec) : 120
Host Key Type : RSA Host Key Size : 2048
>> Secure Copy Enabled has to be Yes!
------------------------
sftp firmware deploy tests / using manual sftp / psftp / scp commands
------------------------
FIRMWARE located on IMC
firmware that is stored in the IMC software database is located in directory: <IMC directory>/server/data/image,
for example:
windows: c:\program files\iMC\server\data\image
/opt/iMC/server/data/image/YA_16_11_0003.swi
/opt/iMC/server/data/image/YA_15_18_0007.swi
FIRMWARE destination on HPE / Aruba / procurve switch
the firmware files are under directory:
- /os/primary
- /os/secondary
- copy via sftp by using the psftp command from IMC
let's copy firmware YA_15_18_0007.swi via SFTP to a HPE Aruba 2530 8 Port Switch (J9774A):
#starting in directory: /opt/iMC/server/bin/
/opt/iMC/server/bin/psftp -P 22 admin@10.0.0.99
#once you are logged in change the local data path using command:
psftp> lpwd
Current local directory is /opt/iMC/server/bin
psftp> put ../data/image/YA_16_11_0003.swi /os/secondary
local:../data/image/YA_16_11_0003.swi => remote:/os/secondary
>> file copied successfully
- copy via scp (scp from a linux machine)
scp /opt/iMC/server/data/image/YA_15_18_0007.swi admin@10.0.0.99:/os/secondary
scp /opt/iMC/server/data/image/YA_15_18_0007.swi radiususer1@10.0.0.99:/os/secondary
>> both user local + radius authenticated "radiususer1" worked!!
- copy via IMC pscp command:
/opt/iMC/server/bin/pscp -P 22 /opt/iMC/server/data/image/YA_15_18_0007.swi admin@10.0.0.99:/os/secondary
/opt/iMC/server/bin/pscp -P 22 /opt/iMC/server/data/image/YA_15_18_0007.swi radiususer1@10.0.0.99:/os/secondary
>> both user local + radius authenticated "radiususer1" worked!!
#there are two flags, where you can choose the protocol
-sftp force use of SFTP protocol
-scp force use of SCP protocol
#on switch side, you see in the log:
01/05/90 00:26:47 00637 ssh: scp session from 10.0.0.10
or
I 01/05/90 00:25:17 00636 ssh: sftp session from 10.0.0.10
I 01/05/90 00:26:21 00163 update: Firmware image contains valid signature.
I 01/05/90 00:26:30 00150 update: Secondary Image updated.
##copy from windows
C:\Program Files\iMC\server\bin>pscp.exe -P 22 ..\data\image\YA_16_11_0003.swi radius.user1@10.0.0.99:/os/secondary
radius.user1@10.0.0.99's password:
YA_16_11_0003.swi | 14846 kB | 159.6 kB/s | ETA: 00:00:00 | 100%
# option -scp (speed about 800kbit)
# option -sftp (speed about 150kbit)
- IMC copy command settings:
cat /opt/iMC/server/conf/ssh_sftp_client.cfg
#linux putty
ssh-cmd = plink -P $port [-i $key-file] $user-name@$device-ip
sftp-cmd = psftp -P $port [-i $key-file] $user-name@$device-ip
- After having done some "manual" testing, let's use IMC -> Service > Deployment Task to deploy switch firmware
to switches
------
- further readings
-------
Execute command in sftp connection through script:
https://unix.stackexchange.com/questions/315050/execute-command-in-sftp-connection-through-script
useful stuff regarding ssh/sftp and hpe switches:
https://www.kagerer.net/category/hp-switch/page/2/
webmin is a great system admin tool for several linux distributions
how to make it very secure in an easy and simple way?
>> my approach is:
bind the webfrontend to localhost only, and after that access the webfrontend using ssh and tunneled connection ;-))
- if you run: netstat -nat |grep LISTEN |grep 10000,
you see that webmin is running on all interfaces
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
- webmin runs on tcp port 10000, usually accessible for everybody (if the server is on the internet and no firewall on the server is turned on)
>> you can access the frontend using https://your-server-ip:10000/
- let's change the configuration so that it runs only on localhost / 127.0.0.1 tcp 10000:
edit configuration file: /etc/webmin/miniserv.conf
>> change line listen=10000 to listen=0 #this disables udp port 10000, which other webmin servers use to discover us!
>> add line: allow=127.0.0.1 #allow access only from localhost, but the port will still be open on all interfaces!
>> add line: bind=127.0.0.1 #this binds the tcp 10000 socket to 127.0.0.1:10000 > not publicly visible anymore!
>> restart the service: service webmin restart
- check if webmin now runs only on localhost port:
run command: netstat -nat |grep LISTEN |grep 10000
now it should look like:
tcp 0 0 127.0.0.1:10000 0.0.0.0:* LISTEN
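An added audit helper (not from the original notes) that covers this check and the dovecot-managesieve port 4190 case above: it reads `netstat -nat`-style lines and reports every listening socket bound to all interfaces, and it checks a miniserv.conf for the three settings just described. The netstat lines and the config fragment are constructed sample input.

```shell
#!/bin/bash
# Added example, not from the original notes: find listeners exposed on all
# interfaces and check the webmin hardening settings in miniserv.conf.

# Constructed sample of `netstat -nat` output before the change was made.
SAMPLE_LISTEN='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4190            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp        0      0 10.0.0.5:22             203.0.113.7:51300       ESTABLISHED'

# Print "proto port" for every LISTEN socket whose local address is the
# wildcard (0.0.0.0 for IPv4, :: for IPv6): those are reachable from every
# interface unless a host firewall says otherwise.
exposed_listeners() {
  awk '$6 == "LISTEN" && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::[0-9]+$/) {
         port = $4
         sub(/.*:/, "", port)          # keep only the port number
         print $1, port
       }'
}

# Return 0 if port $1 is exposed on all interfaces according to the
# netstat output on stdin, 1 otherwise.
port_exposed() {
  exposed_listeners | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# Constructed miniserv.conf fragment after the edit described above.
SAMPLE_MINISERV='port=10000
listen=0
allow=127.0.0.1
bind=127.0.0.1
ssl=1'

# Check that a miniserv.conf on stdin has all three settings from the note:
# listen=0, allow=127.0.0.1 and bind=127.0.0.1. Prints each missing one
# and returns 1 if any is missing, 0 when all three are present.
miniserv_localhost_only() {
  awk '
    /^listen=0$/           { seen["listen=0"] = 1 }
    /^allow=127\.0\.0\.1$/ { seen["allow=127.0.0.1"] = 1 }
    /^bind=127\.0\.0\.1$/  { seen["bind=127.0.0.1"] = 1 }
    END {
      n = split("listen=0 allow=127.0.0.1 bind=127.0.0.1", want, " ")
      for (i = 1; i <= n; i++)
        if (!seen[want[i]]) { print "missing: " want[i]; bad = 1 }
      exit bad
    }'
}
```

On a live host, `netstat -nat | exposed_listeners` and `miniserv_localhost_only </etc/webmin/miniserv.conf` give the same checks on real data.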
CentOS Linux 8 > cannot update anymore
Problem:
yum update
CentOS Linux 8 - AppStream 170 B/s | 38 B 00:00
Fehler: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: No URLs in mirrorlist
Solution:
>> migrate to CentOS Stream8:
dnf --disablerepo '*' --enablerepo=extras swap centos-linux-repos centos-stream-repos
dnf distro-sync
>> after distro-sync there were some errors ... they could be solved, running command:
dnf distro-sync --nobest
##see also
- https://haydenjames.io/fix-error-failed-to-download-metadata-for-repo-appstream-centos-8/
CentOS 8 - error message: failed to download metadata for repo AppStream
The error occurred when trying to update ("yum update") a minimal CentOS 8 installation.
This happens because CentOS Linux 8 reached End of Life at the end of 2021.
You have two options now:
1) use a different mirror: vault.centos.org
2) upgrade to CentOS Stream
----------
Option 1): use a different mirror, vault.centos.org
- cd /etc/yum.repos.d/
- sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
- sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
- now run: yum update again
----------
Option 2): upgrade to CentOS Stream
- update to the latest CentOS 8: dnf update
- dnf install centos-release-stream -y --allowerasing
- synchronize the installed packages to the available stream versions: dnf distro-sync
- cat /etc/redhat-release should now show the Stream release version
-------
good pages, with more details:
- https://techglimpse.com/failed-metadata-repo-appstream-centos-8/
- https://techglimpse.com/convert-centos8-linux-centosstream/
-----------------------------------------------------------------------------------------
swaks – SMTP test tool
-----------------------------------------------------------------------------------------
-install: apt-get install swaks
-send an email to a server on port 587 with tls; after submitting this command you will be asked for a user and password:
swaks --from your-name@<your-domain> --to <user>@<destination-domain> --server <smtp-server-name-or-ipaddress>:587 -tls -a LOGIN
https://easyengine.io/tutorials/mail/swaks-smtp-test-tool/
#sample config file
cat /etc/dhcp/dhcpd.conf
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.199.0 netmask 255.255.255.0 {
allow unknown-clients;
authoritative;
range 192.168.199.200 192.168.199.250;
option routers 192.168.199.1;
option broadcast-address 192.168.199.255;
default-lease-time 600;
max-lease-time 7200;
}
#show dhcp leases
/usr/sbin/dhcp-lease-list
To get manufacturer names please download http://standards.ieee.org/regauth/oui/oui.txt to /usr/local/etc/oui.txt
Reading leases from /var/lib/dhcp/dhcpd.leases
MAC IP hostname valid until manufacturer
===============================================================================================
44:5b:ed:7d:c6:81 192.168.199.110 Aruba-Stack-38 2022-06-02 07:07:22 -NA-
44:5b:ed:6e:f7:81 192.168.199.105 Aruba-Stack-38 2022-06-02 07:07:54 -NA-
#dhcpcd (dhcp client daemon) commands
dhcpcd -h #show options
dhcpcd -l 3600 #set the leasetime in seconds
dhcpcd -x #exit / turn off the dhcp client
under google security, make sure two factor authentication is turned on; then you are able to create an app password for smtp:
see also:
https://www.golinuxcloud.com/gmail-smtp-relay-server-postfix/
wget is a very useful linux command line tool:
>>> Wget - The non-interactive network downloader.
----------------------------------------------------------------------------
to make a offline copy of a webpage just run this command:
wget --mirror --convert-links --adjust-extension --page-requisites --no-parent http://your-page-to-backup
Newer Linux kernels / procps utilities report one thread by default.
Use ps in the following way to see the threads:
For older versions of ps / kernel (2.4), use:
ps -efm
ps auxm
newer versions of ps / kernel (2.6+), you can also use:
ps -efL
ps auxH
just delete the .selected_editor file in your profile
rm ~/.selected_editor
after that you are able to choose the editor again, for example:
user@my-linux-host:~$ crontab -e
Select an editor. To change later, run 'select-editor'.
1. /bin/nano <---- easiest
2. /usr/bin/vim.basic
3. /usr/bin/mcedit
4. /usr/bin/vim.tiny
5. /bin/ed
Choose 1-5 [1]: 2
crontab: installing new crontab
>> of course you can also just edit the file .selected_editor and change the editor there directly
how to use built-in symmetric encryption?
1) create a rule to access the target using a shared password
>> Setup menu and create a rule in the Setup > Agents > Access to agents > Checkmk agent > Encryption (Linux, Windows)
2) on target host, configure the agent to run in encrypted mode
>> create file: /etc/check_mk/encryption.cfg
>> using the following content:
ENCRYPTED=yes
PASSPHRASE='MyPassword'
>> give the file the right access rights (on linux)
chmod 600 /etc/check_mk/encryption.cfg
3) how to test?
3.1 on agent machine just run a "check_mk_agent" .. you should see only strange letters
3.2 test with telnet using "telnet agentmachine 6556" .. you should also see only strange letters
3.3 on checkmk server, run the command "cmk -d agentmachine" .. you should see the normal agent data
#see also:
https://docs.checkmk.com/latest/en/agent_linux_legacy.html
problem: the service did not start after reboot!
how to start after reboot?
systemctl start isc-dhcp-server
check status?
/etc/init.d/isc-dhcp-server status
if you monitor linux servers using checkmk you may get an error that there are failed systemd services; how to fix this in
case the mentioned services are not needed:
on linux machine:
#systemctl --failed
UNIT LOAD ACTIVE SUB DESCRIPTION
● check_mk@service.service loaded failed failed Checkmk agent
● cmk-agent-ctl-daemon.service loaded failed failed Checkmk agent controller daemon
#stop service
systemctl stop check_mk@service.service
systemctl stop cmk-agent-ctl-daemon.service
#disable service
systemctl disable check_mk@service.service
systemctl disable cmk-agent-ctl-daemon.service
#to manually clear out failed units, you can use the following command:
systemctl reset-failed
Dell Switches N2000 Series (N2024P)
tested with version 6.6.3.17
####################################
# Static Port security
####################################
#How to configure MAC based port security on Dell N2000, N3000, and N4000 series switches.
https://www.dell.com/support/kbdoc/de-de/000121440/how-to-configure-mac-based-port-security-on-dell-n2000-n3000-and-n4000-series-switches?lang=en
#turn on port security on port gi1/0/1 (needs configure mode)
switchport port-security
interface gi1/0/1
> switchport port-security #turn on security
> switchport port-security maximum 5 #define a maximum of 5 mac-addresses on this port
>> now all learned mac-addresses will be removed on interface gi1/0/1 and the port will authenticate them
#add static mac-addresses to an interface
console(config)# mac address-table static abcd.2233.1221 vlan 1 interface gi1/0/1
####################################
# Dynamic / Radius based Port security (mac-authentication)
####################################
console#configure
console(config)#aaa authentication dot1x default radius
console(config)#dot1x system-auth-control #enable 802.1X port-based access control
console(config)#authentication enable
console(config)#radius server <radius-server-ip>
console(config)#radius server key <your-radius-key>
console(config)#aaa authorization network default radius #allow the radius server to assign vlans
#enable authentication on the device port
#MAC Authentication Bypass (MAB) >> authenticate using the MAC address as identifier
#using FreeRADIUS as the authentication server requires mab auth-type pap or chap!!
console(config)#interface gi1/0/1
console(config-if-Gi1/0/1)#authentication port-control auto
console(config-if-Gi1/0/1)#mab
console(config-if-Gi1/0/1)#mab auth-type pap
console(config-if-Gi1/0/1)#switchport mode general
#uplink interface > no authentication on this port
console(config)#interface gigabitethernet 1/0/24
console(config-if-Gi1/0/24)#authentication port-control force-authorized
####################################
# useful show commands
####################################
show authentication statistics gigabitethernet 1/0/1
console(config)#show authentication
console#show authentication clients all
show authentication interface gigabitethernet 1/0/1
show radius statistics
show dot1x users #show authenticated users
show dot1x statistics gigabitethernet 1/0/1
####################################
# Documentation
####################################
https://usermanual.wiki/Dell/DellDellNetworkingN2000SeriesUsersManual136323.1551399830/html#pf42
Name of document:
Dell EMC Networking N-Series N1100-ON, N1500, N2000, N2100-ON, N2200-ON, N3000E-ON, N3100-ON and N3200-ON Switches User’s Configuration Guide Version 6.6.3
page 371: Authentication, Authorization, and Accounting
####################################
useful common dell switch commands:
####################################
#turn on ssh server
console(config)# ip ssh server
#see interfaces
show interfaces status
save settings:
console#copy running-config startup-config
#set user / password with high privileges
console(config)#username admin password adminadmin privilege 15
#privilege 15 means read and write access
#what is the ip address of the switch?
show ip interface
####################################
#log messages
####################################
#after successful mac authentication you should see in the log
<190> Dec 15 14:02:59 172.16.99.20-1 AUTHMGR[authmgrTask]: auth_mgr_sm.c(420) 548 %% INFO Client authorized on port (Gi1/0/1) with VLAN type RADIUS.
###################################
# Sample Configs
###################################
#######
#interface gi1/0/1 with some mac-auth settings
#######
interface Gi1/0/1
switchport mode general
authentication event fail action authorize vlan 200
authentication event no-response action authorize vlan 300
authentication periodic
authentication timer reauthenticate 300
authentication timer restart 60
mab
mab auth-type pap
authentication order mab dot1x
authentication priority mab dot1x
exit
!
interface Gi1/0/24
authentication port-control force-authorized
exit
#######
# Sample config when tested with freeradius server
#######
!Current Configuration:
!System Description "Dell EMC Networking N2024P, 6.6.3.17, Linux 4.14.138, Not Available"
!System Software Version 6.6.3.17
!
configure
vlan 99
exit
vlan 99
name "isolated"
exit
slot 1/0 3 ! Dell EMC Networking N2024P
stack
member 1 2 ! N2024P
exit
interface vlan 1
ip address dhcp
exit
authentication enable
authentication dynamic-vlan enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
radius server key 7 "asdlfjasdlkfjasdklfj"
radius server auth 192.168.2.87
name "Default-RADIUS-Server"
exit
application install SupportAssist auto-restart start-on-boot
!
interface Gi1/0/1
switchport mode general
authentication timer reauthenticate 300
mab auth-type pap
authentication order mab dot1x
authentication priority mab dot1x
exit
!
interface Gi1/0/24
authentication port-control force-authorized
exit
snmp-server engineid local 800002a203fasfasdfasdf
eula-consent hiveagent reject
exit
on the linux shell, run as the site user:
OMD[your-site-name]:~$ cmk --debug -vvn hostname
systemctl show --property=DefaultTasksMax
>> only 64
>> increase the value, set the value to 1024 in file:
/etc/systemd/system.conf
>> reboot machine
>> the performance was much better afterwards!
see also:
https://www.ibm.com/docs/de/db2/11.5?topic=linux-troubleshooting-tasksmax-set-too-low
https://www.strato.de/faq/server/Wie-kann-ich-Performance-Einschraenkungen-bei-meinem-Server-pruefen/
on a common linux system you can use the command
cat /proc/cpuinfo
to see the frequency of the CPUs
to see this on the VMware ESXi shell, you can run the command:
- vim-cmd hostsvc/hosthardware
- vim-cmd hostsvc/hosthardware | grep -i hz
example:
[root@esxi1:~] vim-cmd hostsvc/hosthardware |grep -i hz
hz = 2596992066
hz = 2596992067,
busHz = 99884288,
description = "Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz",
hz = 2596992066,
busHz = 99884283,
description = "Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz",
see also:
https://kb.vmware.com/s/article/1031785
you can use command:
ip -br addr show
example:
root@raspi:~ $ ip -br addr show
lo UNKNOWN 127.0.0.1/8 ::1/128
enxb827ebb0b9a8 UP 192.168.2.8/24 192.168.2.9/24
>> this linux device has two ip addresses 192.168.2.8 + 192.168.2.9
cool tool in case you have trouble booting a linux machine:
https://www.supergrubdisk.org/super-grub2-disk/
if the name of the partition holding the root file system ( / ) has changed, change /etc/fstab to the correct partition name, and to write the MBR (Master Boot Record) to the hard drive run "grub-install"
solution: ser2net
https://sourceforge.net/projects/ser2net/
With ser2net you can map serial devices to a port.
installation:
>> apt install ser2net
how to get the usb device id:
>> all connected usb-devices are listed here: /dev/serial/by-path/
config:
>> the config file can be found at /etc/ser2net.yaml
>> <accepter> can be tcp or telnet; if tcp is selected, tab and arrow keys won't work because the data is transmitted raw
>> example:
#####################################################
%YAML 1.1
---
# This is a ser2net configuration file, tailored to be rather
# simple.
#
# Find detailed documentation in ser2net.yaml(5)
# A fully featured configuration file is in
# /usr/share/doc/ser2net/examples/ser2net.yaml.gz
#
# If you find your configuration more useful than this very simple
# one, please submit it as a bugreport

define: &banner \r\n\ port \p device \d [\B] (Debian GNU/Linux) \r\n\r\n

connection: &con001
  accepter: telnet,5001
  enable: on
  options:
    banner: *banner
    kickolduser: true
    telnet-brk-on-sync: true
  connector: serialdev,
             /dev/serial/by-path/pci-0000:00:14.0-usb-0:4:1.0,
             115200n81,local
#####################################################
troubleshooting:
>> if you restart the machine the ser2net service will fail, because the usb ports are not ready on startup
>> to fix this add the following line to ser2net.service in the [Unit] section:
After=network-online.target
Wants=network-online.target
link: https://manpages.ubuntu.com/manpages/impish/man5/ser2net.yaml.5.html
touch -t 2212231634 yourfilename
Rocky Linux 9 some basics
- see hostname: hostnamectl
- change hostname: hostnamectl set-hostname new-hostname
- see all installed packages: dnf list (or rpm -qa)
- see repositories: dnf repolist
##############################
# apache with ssl:
##############################
a) with certbot: https://www.linuxteck.com/secure-apache-with-ssl-in-rocky-linux/
b) without certbot:
- install apache basic: dnf install httpd
- install apache security module: dnf install mod_ssl
- check apache version: httpd -v
- httpd service - start and enable:
-- systemctl start httpd
-- systemctl enable httpd
-- systemctl status httpd
- firewall things to consider
-- firewall-cmd --list-all
-- firewall-cmd --permanent --add-port=80/tcp
-- firewall-cmd --permanent --add-port=443/tcp
-- firewall-cmd --reload
- check webpage, port 80 + 443 should work
http://your-ip/
https://your-ip/
-----------------------------------------------------------
generate own selfsigned certificate, with 3650 days expiry:
-----------------------------------------------------------
- openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/httpd.key -x509 -days 3650 -out /etc/pki/tls/certs/httpd.crt
- make changes to file: /etc/httpd/conf.d/ssl.conf
-- change: SSLCertificateFile /etc/pki/tls/certs/localhost.crt >> to: SSLCertificateFile /etc/pki/tls/certs/httpd.crt
-- SSLCertificateKeyFile /etc/pki/tls/private/localhost.key >> to: SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
- reload apache: systemctl reload httpd
----------------------------------------------
Redirect All HTTP Traffic To HTTPS
----------------------------------------------
new file: /etc/httpd/conf.d/redirect_http.conf
with content:
<VirtualHost _default_:80>
    ServerName rocky9
    Redirect permanent / https://your-server-hostname/
</VirtualHost>
and reload apache: systemctl reload httpd
- see also:
- https://www.linuxteck.com/how-to-install-apache-on-rocky-linux/
linux distribution blackarch:
https://blackarch.org/index.html
debian update error message - changed its suite from value 'oldstable' to 'oldoldstable'
when trying to update a debian 10 server I got this error message, when running apt-get update:
error message in german:
-------------------------
Paketlisten werden gelesen... Fertig
N: Für das Depot »http://ftp.somewhere.net/pub/linux/debian buster InRelease« wurde der »Suite«-Wert von »oldstable« in »oldoldstable« geändert.
error message in english:
-------------------------
Reading package lists... Done.
N: The "Suite" value for the repository "http://ftp.somewhere.net/pub/linux/debian buster InRelease" has been changed from "oldstable" to "oldoldstable".
solution:
-------------------------
apt-get --allow-releaseinfo-change update
after that run a "apt-get update" + "apt-get upgrade" command again, and it should work now.
steps to do:
#goto default directory
cd /etc/default
#make a backup of grub config
cp -p grub grub.save.original
#edit file /etc/default/grub >> change there the GRUB_CMDLINE_LINUX_DEFAULT to:
GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0 console=tty0"
#activate the settings by running the command (it regenerates /boot/grub/grub.cfg):
update-grub
>> now reboot and connect using a serial cable and a tool like Tera Term VT or a putty serial connection, make sure to use only 9600bps as setting.
>> enjoy this new feature, you can now administrate the machine without a display ;-)
----------------------------------------
tested on a debian based proxmox linux system:
pveversion
pve-manager/8.0.4/d258a813cfa6b390 (running kernel: 6.2.16-3-pve)
----------------------------------------
see also:
https://cweiske.de/tagebuch/serial-console-debian9.htm
very good video:
https://www.youtube.com/watch?v=rJzHpc1kQW4
see also:
https://alexskra.com/blog/ubuntu-20-04-with-software-raid1-and-uefi/
####################################################################
After installation > before reboot use the second console session to make some checks!
commands to use:
- alt + <F2> to switch to second session
- mount |grep boot #check which partition is the boot partition
- dd if=/dev/sdb1 of=/dev/sda1 #if sdb1 is the active boot partition then clone the partition, so that the other partition is also bootable
- check raid status: mdadm --detail /dev/md0
--> wait until raid sync is complete
- install efibootmgr tool: apt-get install efibootmgr
- ls -la /dev/disk/by-partuuid [see the uuid of sda1 + sdb1]
- efibootmgr -v [check if boot partuuid - from sda1 + sdb1 are in the boot list!]
----------------------------------------------------------------------------------
useful commands
#How to show status
mdadm -D /dev/md0
How to re-add a drive when RAID is in degraded mode?
$ mdadm /dev/md0 -a /dev/sdb2
mdadm: re-added /dev/sdb2
#How to remove a partition from a raid ?
mdadm /dev/md0 --remove /dev/sdc2
chia - how to convert database to version 2 when there is not enough disc space?
problem:
chia db upgrade
there is probably not enough free space on the volume where the output database will be written:
/home/sys4com/.chia/mainnet/db/blockchain_v2_mainnet.sqlite
solution:
- stop chia processes
- write v2 database to another directory: chia db upgrade --output /opt/nfs_nas01/blockchain_v2_mainnet.sqlite
- change your config.yaml file (can be found for example in .chia/mainnet/config on a linux system )
-- under the full_node: section replace the database_path:
---- from: database_path: db/blockchain_v1_CHALLENGE.sqlite
---- to: database_path: db/blockchain_v2_CHALLENGE.sqlite
- move the v1 database or delete it: cd $HOME/.chia/mainnet/db
-- mv blockchain_v1_mainnet.sqlite /to/somewhere
-- rm blockchain_v1_mainnet.sqlite
- copy the new v2 file to $HOME/.chia/mainnet/db
- start chia
links:
- https://docs.chia.net/cli/#upgrade
- https://www.reddit.com/r/chia/comments/ul87kx/chia_db_upgrade_tips/
- https://wiki.spacefarmers.io/guides/farming/upgradedb
sample:
the following two commands will be executed every 2 seconds if you run this command:
watch "du -s -h blockchain_v1_mainnet.sqlite.gz && df -h /"
Every 2.0s: du -s -h blockchain_v1_mainnet.sqlite.gz && df -h / chia-farm-nas02: Wed Dec 13 17:16:49 2023
52G blockchain_v1_mainnet.sqlite.gz
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/ubuntu--vg-ubuntu--lv 457G 341G 97G 78% /
using tool rtorrent
----------------------------------------
- install: apt-get install rtorrent
- start: rtorrent
- press enter to add a torrent link > after that you will see the download in a list
- select the download and press: <ctrl> + <s>
- leaving rtorrent: <ctrl> + <q>
more information:
https://wiki.ubuntuusers.de/rTorrent/
By default diffie-hellman-group14-sha1 is disabled in Red Hat 9 or Rocky Linux.
> ssh 10.0.0.1
> Unable to negotiate with 10.0.0.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1
You can enable the support for the key exchange method:
> update-crypto-policies --set DEFAULT:SHA1
> reboot the server
! you should consider updating the remote site though !
check network sockets
- use tool ss
>> ss - another utility to investigate sockets
- summary: ss -s
- all sockets: ss -a
- all udp sockets: ss -u -a
- all tcp sockets: ss -t -a
checkmk linux agent >= 2.2 - how to allow only specific ip address to query the agent on port 6556?
tested with agent version 2.2:
check IP allowlist
cmk-agent-ctl status
Version: 2.2.0p22
Agent socket: operational
IP allowlist: any
Legacy mode: enabled
No connections
current solution: use the agent bakery to restrict access to specific ip addresses; not yet tested how to configure it manually - in the past / with older
clients it was very easy (xinetd settings etc.)
------------
see also:
- https://docs.checkmk.com/latest/en/agent_linux.html
to install the mysql connector for python via a binary distribution you need to add the mysql yum repository
>> https://dev.mysql.com/doc/refman/8.0/en/linux-installation-yum-repo.html#yum-repo-setup
after that you can issue the following command to see the available packages:
>> sudo yum --disablerepo=\* --enablerepo='mysql*-community*' list available
to install the mysql connector for python issue the following command:
>> sudo dnf install mysql-connector-python3.x86_64
Cloud provider mail - security audit -> issues: Portmapper service is running > how to protect port 111 udp / tcp on a linux system?
>> Portmapper servers
Portmapper is a service usually used with NFS. When this is not properly firewalled, it can be abused to conduct DDOS attacks. We recommend that all portmapper services be behind a firewall, and restricted to only IPs that need to contact them.
For Linux machines, please add firewall rules to block port 111 on both UDP and TCP:
iptables -I INPUT 1 -m tcp -p tcp --dport 111 -j DROP
iptables -I INPUT 1 -m udp -p udp --dport 111 -j DROP
-------------------------------------------------------------------
How to enable persistent blocking on Debian 10?
=====================================
To add a firewall rule in Debian 10 that persists after a system reboot, you can use the iptables-persistent package. Here's how to do it:
First, make sure you have the iptables-persistent package installed. If not, you can install it using the following command:
sudo apt-get update
sudo apt-get install iptables-persistent
After installation, you can add your firewall rules using the iptables command as you did in your example:
sudo iptables -I INPUT 1 -m tcp -p tcp --dport 111 -j DROP
sudo iptables -I INPUT 1 -m udp -p udp --dport 111 -j DROP
Once you've added your rules and tested them to make sure they're working as expected, you can save them to be persistent across reboots using the iptables-save command:
sudo iptables-save > /etc/iptables/rules.v4
This command saves the current iptables rules to the specified file (/etc/iptables/rules.v4 in this case).
>> you can check the saved file, if there are the rules that you expected, my files look like:
rules.v4:
-----------
cat /etc/iptables/rules.v4
# Generated by xtables-save v1.8.2 on Mon Mar 4 11:41:03 2024
*filter
:INPUT ACCEPT [423811499:394356840419]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [465873471:475296529519]
-A INPUT -p udp -m udp --dport 111 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
COMMIT
# Completed on Mon Mar 4 11:41:03 2024
After saving the rules, you can ensure that they are loaded at boot time by enabling the netfilter-persistent service:
sudo systemctl enable netfilter-persistent
>>> now you can reboot your server and the rules from rules.v4 file should be loaded
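An added check (my own example, not part of the original notes) that parses a rules.v4 file in the iptables-save format shown above and confirms the port 111 DROP rules are present for both tcp and udp before relying on them at boot; the sample file it writes is constructed here, on a real host point it at /etc/iptables/rules.v4 instead.

```shell
#!/bin/sh
# Added example, not from the original notes: verify that a saved
# iptables-persistent rules file still carries the DROP rules for
# portmapper (tcp and udp port 111). The sample rules.v4 written by
# write_sample_rules is constructed here for a self-contained run.

# Print how many "-A INPUT -p <proto> -m <proto> --dport <port> -j DROP"
# rules exist in the given iptables-save style file ("0" when none).
#   $1 = rules file, $2 = protocol (tcp|udp), $3 = destination port
count_drop_rules() {
    grep -c -E "^-A INPUT -p $2 -m $2 --dport $3 -j DROP\$" "$1" || true
}

# Return 0 when <port> is dropped for both tcp and udp, 1 otherwise.
#   $1 = rules file, $2 = port
port_blocked_both() {
    [ "$(count_drop_rules "$1" tcp "$2")" -ge 1 ] &&
    [ "$(count_drop_rules "$1" udp "$2")" -ge 1 ]
}

# Write a constructed rules.v4 sample to $1. With $2 = "no-udp" the udp
# rule is left out, to show what a failed check looks like.
write_sample_rules() {
    {
        echo '# Generated by xtables-save (constructed sample)'
        echo '*filter'
        echo ':INPUT ACCEPT [0:0]'
        echo ':FORWARD ACCEPT [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        [ "$2" = "no-udp" ] || echo '-A INPUT -p udp -m udp --dport 111 -j DROP'
        echo '-A INPUT -p tcp -m tcp --dport 111 -j DROP'
        echo 'COMMIT'
    } > "$1"
}

# Stand-alone demonstration on the constructed sample.
tmpdir=$(mktemp -d)
write_sample_rules "$tmpdir/rules.v4"
if port_blocked_both "$tmpdir/rules.v4" 111; then
    echo "ok: port 111 is dropped for tcp and udp in $tmpdir/rules.v4"
else
    echo "MISSING: port 111 is not dropped for both tcp and udp"
fi
rm -rf "$tmpdir"
```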
- os: rocky linux 9 / like red hat linux 9
- mysql client in use: package: mysql
- database is running in a docker container .. on local tcp port 3307
- when trying to connect to the local 3307 port - the command line says:
mysql -u root -p -h 127.0.0.1 -P 3307
Enter password:
ERROR 1043 (08S01): Bad handshake
found solution:
-----------------------
1) remove mysql client: yum remove mysql
1.1) install mariadb client: yum install mariadb
1.2) try again >> works
[root@my-system]# mysql -u root -p -h 127.0.0.1 -P 3307
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.1.73 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
------------------------------
hints
------------------------------
it does not work if I try to use localhost instead of 127.0.0.1 > because the local socket is being used:
[root@my-system]# mysql -u root -p -h localhost -P 3307
Enter password:
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
>> therefore use: 127.0.0.1 as host, if you want to use tcp socket!
yum install httpd-tools
#install
sudo dnf install epel-release -y
sudo dnf install fail2ban -y
systemctl status fail2ban.service
#configuration
/etc/fail2ban
cp jail.conf jail.local
in the nginx jail section set: enabled = true
#enable at boot (survives a system restart)
activating fail2ban: sudo systemctl enable fail2ban
#start
start: systemctl start fail2ban
#checking status
check client status: fail2ban-client status
detail status: fail2ban-client status nginx-http-auth
#how to unban an ip address?
fail2ban-client set nginx-http-auth unbanip 188.22.34.13
#want more log files?
fail2ban log file: /var/log/fail2ban.log
--------
see also
- https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-rocky-linux-9
problem: you want to connect to a legacy / old client, something like an old switch > but you get the message: Bad server host key: Invalid key length
>> you probably need to allow a key length of 1024, the default is >= 2024
things you can do:
- update-crypto-policies --set DEFAULT:SHA1
create a file: /etc/ssh/ssh_config.d/my.conf
Ciphers=+3des-cbc
RSAMinSize=1024
default setting is to have chrony installed
you can check with: rpm -qa |grep chrony
check file /etc/chrony.conf
in my case this was the ntp setting:
pool 2.rocky.pool.ntp.org iburst
comment out this line and change to your preferred ntp server
>> replace pool line with your ntp server
use s-nail instead!!
- dnf install s-nail
- echo "testmail" | s-nail -s test mymail@mailer.org
---
see also:
https://www.claudiokuenzler.com/blog/1360/where-is-mailx-command-rocky-linux-el-9-s-nail-package
installation via docker ...
-------------------------------------------------------
cd /opt/
mkdir netdisco
mkdir netdisco/logs
mkdir netdisco/config
mkdir netdisco/nd-site-local
chown -R 901:901 netdisco/
#you are still in the /opt directory
curl -Ls -o docker-compose.yml https://tinyurl.com/nd2-dockercompose
vi docker-compose.yml (just check the file)
netstat -nat (check if tcp 5000 Listening port is free)
apt-get install docker.io (ubuntu 20)
apt-get install docker-compose
apt-get install docker-compose-v2
#build the docker:
root@linux:/opt/netdisco# docker-compose up
ERROR: The Compose file './docker-compose.yml' is invalid because:
Unsupported config option for services.netdisco-do: 'profiles'
>> comment out line with profiles! after that try again!
#build the docker > when error message "no configuration file provided: not found" appears:
root@linux: /usr/libexec/docker/cli-plugins/docker-compose up
#check docker
docker ps
#check if port 5000 comes up!
http://server-name:5000/
#on webfrontend enter a subnet to discover like
#192.168.2.0/24
#under Admin > Discover All you see the status of the discovery
#under Admin > User Management
>> add an admin user + password and remove the guest account
#disable anonymous logon:
./netdisco/config/deployment.yml
#see also:
- https://hub.docker.com/r/netdisco/netdisco
- https://stackoverflow.com/questions/45764477/docker-compose-error-while-creating-mount-source-path (when read-only filesystem error occurs)
>> dependencies:
dnf install jq
>> add the following lines to the bottom of /etc/profile:
# Function to fetch and display a random quote
display_daily_quote() {
    # --max-time keeps a slow or blocked network from delaying every login
    quote=$(curl -s --max-time 5 "https://api.quotable.io/random" | jq -r '.content + " - " + .author')
    echo
    echo "Daily Quote:"
    echo "-------------"
    echo "$quote"
    echo
}
# Call the function to display the quote (a shell function is called without parentheses)
display_daily_quote
- download nicehash os image file, you get for example: nhos-2.0.0-beta-06.img.xz
- extract the file using 7zip software
- use a flash tool to write the file to a hdd or to a usb stick, like balenaEtcher
- edit the configuration file in json format on the created drive
mining_address: <enter here the address you get from your hivehash account>
worker_name: <your name> (optional field .. maximum 15 characters)
---
see also:
https://www.nicehash.com/guide/nicehash-os-user-guide
>> apply change:
nmcli con down enp0s3 && nmcli con up enp0s3
>> check actual configuration
ip addr
error: dnf-makecache.service loaded failed failed dnf makecache
solution (if you don't need the automatic cache update service):
systemctl disable dnf-makecache.service
systemctl disable dnf-makecache.timer
solution:
RockyLinux9 / Redhat Linux9:
sudo dnf install net-snmp-utils
problem: an old client cannot log in to a ssh server anymore; the old client could be an Aruba Mobility wlan controller with an old firmware
solution: enable ssh-rsa temporarily on your linux server, or leave it enabled if there are no security concerns
#add ssh-rsa to sshd_config file
/etc/ssh/sshd_config
HostKeyAlgorithms +ssh-rsa
#don't forget to restart the ssh service, so that the new configuration is activated
service sshd restart
use command namei:
>> namei - follow a pathname until a terminal point is found
>> with using "--modes"
============================================
sample:
namei --modes /omd/sites/mysite/var/mkeventd/messages/1703631600.log.gz
f: /omd/sites/mysite/var/mkeventd/messages/1703631600.log.gz
drwxr-xr-x /
lrwxrwxrwx omd -> /opt/omd
drwxr-xr-x /
drwxr-xr-x opt
drwxr-xr-x omd
drwxr-xr-x sites
drwxr-x--x mysite
drwxr-x--- var
drwxr--r-- mkeventd
drwxr-xr-x messages
-rw-r--r-- 1703631600.log.gz
the non-magic way:
use winscp to copy the right agent onto the server
use tool like dnf or yum to install the package on linux
or use some magic:
#example for rpm package
find /omd/versions/default/ |grep rpm$ | xargs -n 1 dnf install
You are probably missing the "epel" repository.
Follow these steps to enable the "epel" repository:
> sudo dnf upgrade --refresh
> sudo dnf config-manager --set-enabled crb
> sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
> sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm
verify:
>> dnf repolist | grep epel
source: https://computingpost.medium.com/how-to-install-epel-on-rocky-linux-9-8-5efffda6a284
computer2know :: thank you for your visit :: have a nice day :: © 2024