
sshd 5 on Centos 5


# Build prerequisites for rebuilding the OpenSSH RPMs: the compiler,
# the OpenSSL and PAM headers the configure script looks for, and rpmbuild.
yum install \
  gcc \
  openssl-devel \
  pam-devel \
  rpm-build

Download the matching source package (the openssh-5.3p1 src.rpm for your release) from http://vault.centos.org

Open the src.rpm in Midnight Commander (mc), enter its CONTENTS.cpio entry and press F5 to copy the source tarball (openssh-5.3p1-noacss.tar.bz2) out of it.

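# Unpack the tarball taken from the src.rpm and build binary packages from
# the spec that ships inside the OpenSSH source tree.
tar -jxvf openssh-5.3p1-noacss.tar.bz2

cd openssh-5.3p1

# contrib/redhat/openssh.spec is upstream's spec, not the CentOS one: check
# that its Source0 line names the file copied below (it may expect a .tar.gz),
# otherwise rpmbuild stops with "File not found".
cp contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
cp ../openssh-5.3p1-noacss.tar.bz2 /usr/src/redhat/SOURCES/openssh-5.3p1.tar.bz2
cd /usr/src/redhat/SPECS
# Turn off the gnome/x11 askpass sub-packages (no X on a server). The quotes
# must be plain ASCII single quotes: the shell does not treat curly quotes as
# quoting, so $1 and \s would be mangled before perl ever saw them.
perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec
# /usr/src/redhat is the CentOS 5 default build root and is only writable by
# root; a spec's %prep/%build run arbitrary commands, so build specs you did
# not write yourself as an unprivileged user with %_topdir in ~/.rpmmacros.
rpmbuild -bb openssh.spec
cd /usr/src/redhat/RPMS/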

rpm -Uvh openssh-*.rpm   # caution: the upgrade may stop the running sshd — do this from the console or keep a second session open, and check "service sshd status" before disconnecting

/usr/sbin/sshd -p 443   # fallback: a second sshd instance on port 443 (same config) so you can still get in if the upgraded service on 22 fails; it does not survive a reboot


sudoers


# Left disabled on purpose: NOPASSWD: ALL for the whole wheel group is
# passwordless root for every member.
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# The web server account may run three read-only commands as any user
# without a password. No arguments are restricted, so e.g. "sudo ls /root"
# is allowed too; append "" after a command to forbid arguments, and
# narrow (ALL) to (root) if it never needs to run as anybody else.
thttpd  ALL=(ALL)    NOPASSWD: /bin/ls, /bin/w, /bin/whoami

# The daemon has no controlling tty, so the "Defaults requiretty" that
# CentOS ships is relaxed for this one user only, not globally.
Defaults:thttpd        !requiretty


VNC linux


yum install vnc-server

vi /etc/sysconfig/vncservers

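# /etc/sysconfig/vncservers — sourced by the vncserver init script.
# Display :2 runs as root. A full desktop as root reachable over VNC is a
# poor idea; prefer an unprivileged user here and use su/sudo inside it.
VNCSERVERS="2:root"

#VNCSERVERARGS[2]="-geometry 1080x720"

# Geometry must be WIDTHxHEIGHT with a plain ASCII "x".
# -localhost binds the VNC listener to 127.0.0.1 and -nolisten tcp keeps the
# X server itself off the network; reach the desktop through an SSH tunnel:
#   ssh -L 5902:localhost:5902 host
# The VNC password on its own (max 8 chars, weakly obfuscated on disk) is not
# adequate protection for a port open to the network.
VNCSERVERARGS[2]="-geometry 1280x960 -nolisten tcp -nohttpd -localhost"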

————-
mkdir /root/.vnc
cd /root/.vnc
vncpasswd            # writes ~/.vnc/passwd (mode 0600, at most 8 characters, weakly obfuscated) — do not rely on it as the only protection for VNC
vi xstartup          # the file is named xstartup (not "xtartup"); its contents follow
yum install gnome-session
#!/bin/sh
# ~/.vnc/xstartup: run by Xvnc to start the session on this display.
# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc
# NOTE(review): exec above replaces this shell with xinitrc, so while it is
# uncommented nothing below this line ever runs — the gnome-wm line at the
# bottom is dead code. Either keep the exec and drop the rest, or comment
# the exec out again and rely on the lines below.
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
#setroot -solid grey
#vncconfig -iconic &
#xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
#twm &
gnome-wm &

vmstat - Linux IO monitoring


[root@proxy4 ~]# vmstat 2

procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu-----

r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st

0  0   2568 154420 163468 1357600    0    0     0    36    1   10  1  0 97  1  0

0  0   2568 154420 163468 1357600    0    0     0    28   59   97  1  0 99  0  0

2  0   2568 153464 163468 1357600    0    0     0    54  112  183  4  1 95  0  0

0  0   2568 153416 163468 1357600    0    0     0     0   80  107  2  1 97  0  0

------------SSH-----------
# yum install pam-devel make gcc-c++ wget
Download libpam-google-authenticator-1.0-source.tar.bz2 from https://google-authenticator.googlecode.com (the googlecode site has since shut down; the PAM module is now maintained at github.com/google/google-authenticator-libpam)
# tar -jxvf libpam-google-authenticator-1.0-source.tar.bz2
# cd libpam-google-authenticator-1.0
# make
# make install
# google-authenticator   (run as each user who will log in: it writes ~/.google_authenticator, shows the secret/QR code to enrol the phone, and prints emergency scratch codes — store those somewhere safe)
Open the PAM configuration file '/etc/pam.d/sshd' and add the following line at the top, so the one-time code is checked before the normal password modules:
auth       required     pam_google_authenticator.so
Two caveats: with "required" and no nullok option, a user who has not yet run google-authenticator can no longer log in with a password at all; and public-key logins in OpenSSH 5.x do not go through the PAM auth stack, so the OTP only protects password/keyboard-interactive logins.

Open file '/etc/ssh/sshd_config' and make sure both of these are set (UsePAM is on by default on CentOS, but it must not be "no"):

ChallengeResponseAuthentication yes
UsePAM yes
Then restart sshd (service sshd restart). Keep your current session open until a fresh login with password + OTP has been verified, so a mistake cannot lock you out. Done.
----------------vsftpd: use password as PIN+OTP (a single password prompt, no separate OTP challenge)--------------------
auth       required     pam_google_authenticator.so try_first_pass forward_pass
With forward_pass the module takes the trailing verification code (normally six digits) off the typed password and hands the remainder to the next module in the stack (pam_unix) as the real password, so this must be the first "auth" line in /etc/pam.d/vsftpd and the usual password modules must follow it.
https://github.com/chregu/GoogleAuthenticator.php/blob/master/example.php

——————- sFTP ——————

# SFTP-only accounts. "Subsystem" stays in the global section; the Match
# block must come after all global options, because every line following
# "Match" belongs to it until the next Match.
Subsystem     sftp   internal-sftp
Match Group sftpgroup
    # %h = the user's home. sshd requires every component of the chroot
    # path to be owned by root and not writable by group/others, or the
    # login fails with "bad ownership or modes for chroot directory" —
    # hence the root:root 755 home below; the user gets a writable subdir.
    ChrootDirectory %h
    # In-process sftp server: no shell or binaries are needed in the chroot.
    ForceCommand internal-sftp
    # Chrooted users must not be able to pivot through the host's network.
    AllowTcpForwarding no
    # Consider also: X11Forwarding no, PermitTunnel no, AllowAgentForwarding no.
—–
%h (the user's HOME_DIR) must be owned root:root with mode 755 — sshd refuses the chroot otherwise,
mkdir public_html; chown user:sftpgroup public_html   # the only writable area inside the chroot
usermod -g sftpgroup user
mkdir otp; chown user otp    # holds the OTP secret, since the user cannot write to the root-owned home itself
mv .google_au* otp           # i.e. move ~/.google_authenticator into otp/; keep it 0400, owned by the user
/etc/pam.d/sshd (the module line may be wrapped with trailing backslashes):
# secret= points the module at the relocated secret file, because the
# chroot root (%h) is root-owned and not writable by the user. ${HOME} is
# expanded by the module from the authenticating user's home directory.
# The otp/ directory and file must stay readable only by that user: anyone
# who can read the secret can generate valid codes.
auth required pam_google_authenticator.so \
try_first_pass forward_pass \
secret=${HOME}/otp/.google_authenticator

————— Apache ——————-

svn checkout http://google-authenticator-apache-module.googlecode.com/svn/trunk/ google-authenticator-apache-module-read-only   # the googlecode.com repository is gone; look for a mirror of mod_authn_google on GitHub
make; make install
LoadModule authn_google_module modules/mod_authn_google.so
.htaccess
# HTTP Basic auth backed by mod_authn_google: the "password" the user
# types is the static password from the per-user file followed by the OTP.
AuthType Basic
AuthName "BasicAuth with OTP"
AuthBasicProvider "google_authenticator"
Require valid-user
# Directory of per-user secret files. Each file holds the shared secret
# and the static password in clear text, so it must not be served by
# Apache (keep it outside DocumentRoot or deny it to clients).
GoogleAuthUserPath /home/www/xxx/otp/site
# Lifetime (seconds) of the cookie issued after a successful OTP, so the
# one-time code is not demanded again on every request — presumably; verify
# against the module's README.
GoogleAuthCookieLife 3600
# How many code periods of clock skew are tolerated either side; 4 is
# fairly generous.
GoogleAuthEntryWindow 4
# Basic auth only base64-encodes the credentials: serve this over HTTPS.
--file /home/www/xxx/otp/site/username (one file per user, same layout as ~/.google_authenticator: the secret on the first line, option lines starting with a double quote) --
ZZZAAAOTPPINCODEAAAZZZ
"PASSWORD=mySecret
------
Log in with the username; the password to type is mySecret immediately followed by the current OTP.


iscsi multipath


change some settings in /etc/iscsi/iscsid.conf:

# Detect a dead path quickly so multipathd can fail over: send a NOP-Out
# every 5 s, treat the connection as dead after 10 s without a reply, and
# stop retrying the session (failing the I/O up to the multipath layer)
# after 15 s. With multipath this timeout must be short, otherwise I/O
# just hangs on the dead path instead of moving to the good one.
node.conn[0].timeo.noop_out_interval = 5
node.conn[0].timeo.noop_out_timeout = 10
node.session.timeo.replacement_timeout = 15
# NOTE(review): no initiator authentication is configured here. Unless the
# storage network is fully isolated, enable CHAP on the target and set
# node.session.auth.authmethod = CHAP (plus the username/password keys).

/etc/init.d/iscsi start

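# Create one iSCSI interface per NIC so every target gets two independent
# paths for multipath to work with. (Options take two ASCII dashes.)
iscsiadm -m iface -I iface0 --op=new
iscsiadm -m iface -I iface1 --op=new
# Bind each iface to a physical NIC by MAC address (substitute your own).
iscsiadm -m iface -I iface0 --op=update -n iface.hwaddress -v 00:11:22:33:44:55
iscsiadm -m iface -I iface1 --op=update -n iface.hwaddress -v 66:77:88:99:AA:BB

# Discover targets on the portal, log in to every discovered node on every
# configured iface, then check that two sessions per target are listed.
iscsiadm -m discovery -t st -p 10.X.X.X
iscsiadm -m node --loginall=all
iscsiadm -m session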

Configure /etc/multipath.conf as follows (the file shipped by default usually blacklists every device, so replace its blacklist section rather than appending to it):

# NOTE(review): "devnode_blacklist" is the old keyword; newer multipath-tools
# call the section "blacklist" (same syntax). The old name should still be
# accepted on CentOS 5 — check "multipath -ll" complains about nothing.
devnode_blacklist {
  # Never multipath the local boot disk or non-SAN block devices.
  devnode "^sda$"
  devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
  devnode "^hd[a-z]"
  devnode "^cciss!c[0-9]d[0-9]*"
}
multipaths {
  multipath {
    #get wwid by #multipath -ll
    # (or: scsi_id -g -u -s /block/sdX on one of the paths)
    wwid 360a9800043336a414c3a3954725a7869
    alias  my-lun0
  }

}
devices {
  device {
    vendor  "NETAPP"
    product  "LUN"
    # Paths are grouped by priority (optimized vs. non-optimized controller).
    path_grouping_policy  group_by_prio
    getuid_callout  "/sbin/scsi_id -g -u -s /block/%n"
    # Needs the NetApp host utilities; without it every path has equal priority.
    #prio_callout  "/opt/netapp/santools/mpath_prio_ontap /dev/%n"
    # queue_if_no_path: when ALL paths are down, I/O is queued indefinitely
    # instead of failing, so processes hang in D state until a path returns.
    # "no_path_retry N" gives a bounded wait instead; during maintenance a
    # map can be released with: dmsetup message <map> 0 fail_if_no_path
    features  "1 queue_if_no_path"
    path_checker  readsector0
    failback  immediate
  }
}

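# Start multipathd and check that the alias from multipath.conf shows up
# with both paths active.
/etc/init.d/multipathd start

multipath -ll
# CentOS 5 uses SysV init scripts; a bare "restart NAME" is an Upstart
# command and does not exist here.
service multipathd restart
service iscsi restart
# Always partition/format/mount the multipath map, never the underlying
# /dev/sdX paths, or the two paths end up with inconsistent data.
fdisk /dev/mpath/my-lun0
mkfs.ext3 /dev/mpath/my-lun0p1
mount /dev/mpath/my-lun0p1 /mnt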

ssh VPN


Scenario

In this recipe two machines will be configured:

  • A server which is a firewall and has access to a private network ¹
  • A client which initiates the connections to the server and gains direct access to the private network
 --------         /\_/-\/\/-\       -----------------
| Client |~~~~~~~/ Internet /~~~~~~| Server/Firewall |~~~[ private net ]
 --------        \_/-\/\_/\/      / ----------------- \
    ||\                           \          ||\       \
    || {tun0}                      {eth0}    || {tun0}  {eth1}
    ||                                       ||
    \-================= tunnel ==============-/

For this recipe lets number things like this:

  • the private net is 10.99.99.0/24
  • eth0 on the server has public IP 5.6.7.8
  • eth1 on the server has private IP 10.99.99.1
  • the VPN network is 10.254.254.0/30
  • tun0 on the server has private IP 10.254.254.1
  • tun0 on the client has private IP 10.254.254.2

On the Client

If you do not already have one, generate an SSH key pair for root on the client. Leave the passphrase empty — ifup runs the ssh command non-interactively — which makes the private key file itself the credential: keep it mode 0600, and rely on the forced command and key options set on the server below to limit what it can do if it leaks:

$ sudo ssh-keygen -t rsa

/etc/network/interfaces: Add this stanza to the file:

# tun0: layer-3 SSH tunnel to the server. The control socket (-S) lets
# ifdown talk to the same master connection that ifup opened.
iface tun0 inet static
      # -M: master with control socket; -f: background after authentication;
      # -w 0:0: request tun0 on both ends. The "true" is never run, because
      # the server forces its own command for this key.
      pre-up ssh -S /var/run/ssh-myvpn-tunnel-control -M -f -w 0:0 5.6.7.8 true
      # Give the server's forced "ifup tun0" time to finish before we configure ours.
      pre-up sleep 5
      address 10.254.254.2
      pointopoint 10.254.254.1
      netmask 255.255.255.252
      # Send the private network through the tunnel.
      up route add -net 10.99.99.0 netmask 255.255.255.0 gw 10.254.254.1 tun0
      # Ask the master connection to exit, which tears the tunnel down.
      post-down ssh -S /var/run/ssh-myvpn-tunnel-control -O exit 5.6.7.8

The first time we connect to the server as root we have to accept the server's SSH host key. Compare the fingerprint shown with the real one (on the server: ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub) before answering yes — accepting an unverified key is exactly where a man-in-the-middle gets in, and the tunnel would then trust that key from now on:

$ sudo ssh 5.6.7.8
The authenticity of host '5.6.7.8 (5.6.7.8)' can't be established.
RSA key fingerprint is aa:fe:a0:38:7d:11:78:60:01:b0:80:78:90:ab:6a:d2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '5.6.7.8' (RSA) to the list of known hosts.

Don’t bother logging in, just hit CTRL-C.

On the server

/etc/ssh/sshd_config: Add/modify the two keywords to have the same values as below.

# Let clients request a layer-3 (tun) tunnel device.
PermitTunnel point-to-point
# Root may only log in with keys that carry a command="..." option, so the
# tunnel key below can do nothing except bounce tun0.
PermitRootLogin forced-commands-only

This sets PermitRootLogin explicitly; the value your distribution shipped may have been yes, no or without-password (upstream OpenSSH of this era defaulted to yes). You do restrict root SSH login, right?

/root/.ssh/authorized_keys: Add the following line.

tunnel="0",command="/sbin/ifdown tun0;/sbin/ifup tun0" ssh-rsa AAAA ..snipped.. == root@server

Replace everything starting with “ssh-rsa” with the contents of root’s public SSH key from the client(/root/.ssh/id_rsa.pub on the client).

/etc/network/interfaces: Add the following stanza.

# Server end of the tunnel; brought up by the forced command in
# authorized_keys each time the client's master connection arrives.
iface tun0 inet static
      address 10.254.254.1
      netmask 255.255.255.252
      pointopoint 10.254.254.2

/etc/sysctl.conf: Make sure net.ipv4.conf.default.forwarding is set to 1. Note that the "default" setting only applies to interfaces created afterwards (such as tun0); net.ipv4.ip_forward=1 is the usual way to enable forwarding on every interface at once. Also, hosts on the private net other than the server itself need a route back to 10.254.254.0/30 via 10.99.99.1 (or SNAT on the server) — this recipe does not set that up, which is why the test below only pings the server's own address.

net.ipv4.conf.default.forwarding=1

This will take effect upon the next reboot so make it active now:

$ sudo sysctl net.ipv4.conf.default.forwarding=1

Using the VPN

user@client:~$ sudo ifup tun0
RTNETLINK answers: File exists
run-parts: /etc/network/if-up.d/avahi-autoipd exited with return code 2

user@client:~$ ping -c 2 10.99.99.1
PING 10.99.99.1 (10.99.99.1) 56(84) bytes of data.
64 bytes from 10.99.99.1 icmp_seq=1 ttl=64 time=96.3 ms
64 bytes from 10.99.99.1 icmp_seq=2 ttl=64 time=94.9 ms

--- 10.99.99.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 94.954/95.670/96.387/0.780 ms
user@client:~$ sudo ifdown tun0
Exit request sent.

You may see the two messages above after running ifup. They are harmless: the route already existed, and the avahi-autoipd hook simply does not apply to this interface.


expect example


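#!/usr/bin/expect -f
# Unattended Oracle start-up: become the orafed user, start the instance
# with sqlplus and bring up the listener.
#
# The account password is read from the ORAFED_PASSWORD environment
# variable, or prompted for (without echo) when that is unset, instead of
# being hard-coded: a password in a script leaks through file permissions,
# backups and version control.
set timeout 60
# Reading env(TERM) while it is unset aborts expect with "no such variable"
# (typical under cron); only provide a default in that case.
if {![info exists env(TERM)]} {
    set env(TERM) xterm
}

if {[info exists env(ORAFED_PASSWORD)]} {
    set password $env(ORAFED_PASSWORD)
} else {
    stty -echo
    send_user "orafed password: "
    expect_user -re "(.*)\n"
    send_user "\n"
    stty echo
    set password $expect_out(1,string)
}

# "orafed" is presumably a wrapper that opens a shell as the orafed user
# and asks for its password — confirm against the actual command.
spawn orafed orafed
expect "assw"
send "$password\r"
expect "orafed"
send "sqlplus / as sysdba\r"
expect "SQL>"
send "startup;\r"
expect "SQL>"
send "exit\r"
expect "orafed"
send "lsnrctl start\r"
expect "command completed"
send "exit\r"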

——————-

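#!/usr/bin/expect -f
# Hop through two hosts: ssh to $vuser@$vhost, from there ssh on to the
# next box, run a command, hand the session to the user, then exit both
# shells.  Usage: script.exp USER HOST
#
# Neither password lives in the script: both are asked for on the terminal
# with echo turned off (the first one used to be hard-coded).  All quotes
# and dashes must be plain ASCII, or Tcl fails to parse the script.
set timeout 60
# Reading env(TERM) while it is unset aborts expect; only default it then.
if {![info exists env(TERM)]} {
    set env(TERM) xterm
}

if {[llength $argv] < 2} {
    send_user "usage: $argv0 user host\n"
    exit 1
}
set vuser [lindex $argv 0]
set vhost [lindex $argv 1]

# Ask the user for a secret without echoing it; returns the line typed.
proc ask_secret {prompt} {
    stty -echo
    send_user $prompt
    expect_user -re "(.*)\n"
    send_user "\n"
    stty echo
    return $expect_out(1,string)
}

spawn ssh $vuser@$vhost

expect {
    "*assword" { send "[ask_secret "password for $vuser@$vhost: "]\r" }
    timeout { exit 2 }
}

expect {
    "thisTerm" {
        send "ssh nextuser@nextterm\r"
        exp_continue
    }
    "*assword: " {
        send "[ask_secret "ask pass: "]\r"
        exp_continue
    }
    "nextTerm" { send "w\r" }
}

# Give control to the user; typing "done" runs ls -la and returns here.
interact {
    "done" { send_user "send ls -la\r"; send "ls -la\r"; return }
}

expect {
    "nextTerm" { send "exit\r"; exp_continue }
    "thisTerm" { send -- "exit\r" }
    timeout { exit 3 }
}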


Gammu SMSD


C:\>”C:\Program Files\Gammu 1.29.92\bin\gammu-smsd.exe” -i -c “C:\Program Files\Gammu 1.29.92\bin\smsdrc”

Service GammuSMSD installed sucessfully

Gammu-1.29.92-Windows.exe

# This is a sample Gammu SMSD configuration file. It's required for gammu-smsd,

# see gammu-smsdrc(5) for documentation.

# NOTE(review): this file holds the SIM PIN and the database password in
# clear text. Restrict its NTFS ACL to the account the GammuSMSD service
# runs as, and keep it out of shared folders and backups that others can read.

# Gammu configuration, this section is like section "gammu" in "gammurc" file,

# see gammurc(5) for documentation.

[gammu]

device = com3:

model = 6110

connection = at115200

#synchronizetime = yes

#logfile = gammulog # this is not used at all in SMSD mode

#logformat = textall

#use_locking = yes

#gammuloc = gammu.us

#startinfo = yes

# When uncomment this section and insert numbers here, smsd will process

# incoming sms only from numbers written here (incoming sms from all other

# numbers will be deleted)

#[include_numbers]

#number1 = 1234

# When uncomment this section and insert numbers here, smsd will process

# incoming sms from all numbers not written here (incoming sms from numbers

# written here will be deleted). This is "black" list.

# Note: after using "include_numbers" section this one will be ignored

#[exclude_numbers]

#number1 = 1234

# General SMSD settings, see gammu-smsdrc(5) for detailed description.

[smsd]

# SMSD service to use, one of FILES, MYSQL, PGSQL, DBI
# ("sql" here is the generic SQL backend selected by "driver" below)

service = sql

# PIN for SIM card

PIN = 1234

# File (or stderr, syslog, eventlog) where information will be logged

logfile = smsdlog

# Amount of information being logged, each bit mean one level

debuglevel = 0

# Configuration for using more phones on same database

#phoneid = MyPhone1

# Script to be executed when new message has been received
# (treat the message text that script reads as untrusted input)

#runonreceive = /some/script

# Communication frequency settings

commtimeout = 30

sendtimeout = 30

#receivefrequency = 0

# Phone communication settings

#checksecurity = 1

#resetfrequency = 0

# Delivery report configuration

#deliveryreport = no

#deliveryreportdelay = 10

# Ignoring broken SMSC

#skipsmscnumber = +48602123456

# Database backends configuration
# The database is reached over the network (pc = 192.168.1.1). MySQL traffic
# is unencrypted unless the server/client are set up for TLS, so either keep
# this on a trusted segment or enable it; give this account grants on the
# smsd database only, limited to this host.

user = user

password = password

pc = 192.168.1.1

# pc can also contain port or socket path after colon (eg. localhost:/path/to/socket)

database = smsd

# DBI configuration

driver = native_mysql

# driverspath = /usr/lib/dbd/

# Database directory for sqlite

# dbdir = /var/lib/smsd

# Files backend configuration (only used when service = FILES)

inboxpath = d:\sms\in

outboxpath = d:\sms\out

sentsmspath = d:\sms\sent

errorsmspath = d:\sms\error

#inboxformat = unicode

#transmitformat = auto

#outboxformat = detail


stunnel and zebedee


download http://www.winton.org.uk/zebedee/download.html

server side :

# Server side. Unless client identity checking is configured in the server
# config (zebedee's checkidfile), anyone who can reach the zebedee port can
# open tunnels to whatever targets the server allows — restrict the allowed
# targets in the config and firewall the listener to known clients.
zebedee -s -u # udp mode

zebedee -s # tcp mode

zebedee -s -d -v 5 # d=detach v=verbose

client side :

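# Client side: local listener on 8080, forwarded through the zebedee server to server-ip:80.
zebedee 8080:server-ip:80  # listen 8080 forward to server-ip:80

# UDP tunnel for DNS. -z 0 disables compression; -k 0 sets the key length
# to zero, i.e. NO encryption — the tunnel then just relays the packets in
# the clear. Drop -k 0 (default key size) unless plaintext is intended.
# -d detaches, -v 5 is verbose logging.
zebedee -u 5353:server-ip:53 -z 0 -k 0 -d -v 5

# Divert this host's own DNS queries to server-ip into the local zebedee
# listener (nat/OUTPUT only matches locally generated packets). Options
# take two plain ASCII dashes.
iptables -t nat -A OUTPUT -p udp -d server-ip --dport 53 -j REDIRECT --to-ports 5353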

stunnel

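cd /etc/stunnel

# Self-signed certificate plus unencrypted private key (-nodes) in one file,
# valid 10 years. openssl creates the file with the default umask, so lock
# it down immediately: it contains the private key.
openssl req -new -x509 -days 3650 -nodes -out stunnel.pem -keyout stunnel.pem
chmod 600 stunnel.pem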

vi test.conf

; Server: terminate TLS on 2525 and pass the plaintext to the local MTA on 25.
; stunnel.pem holds both the certificate and the private key (mode 600).
cert=/etc/stunnel/stunnel.pem

; debug=7 logs every connection in detail; lower it and drop foreground=yes
; once the tunnel works (or run it from the init script).
debug=7

foreground=yes

[test]

; accept without an address binds on all interfaces.
accept=2525

connect=25

#stunnel /etc/stunnel/test.conf
client side

cd /etc/stunnel

vi test.conf

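debug=7
foreground=yes
client=yes
; Without verify/CAfile stunnel accepts any server certificate, so a
; man-in-the-middle could terminate the tunnel unnoticed. Copy the server's
; stunnel.pem (the certificate part only, never the key) to the client and
; pin it here; the self-signed cert is its own trust anchor.
verify=2
CAfile=/etc/stunnel/server-cert.pem
[test]
accept=local-ip:2525
connect=remoteip:2525
; NOTE(review): client=yes in the global section applies to this service
; too, so it would accept plaintext on 995 and speak TLS to localhost:110 —
; this looks like a server-side service (accept TLS on 995, forward to the
; local POP3 on 110) that belongs in the server config; confirm the intent.
[pop3ssl]
accept=995
connect=110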
#stunnel /etc/stunnel/test.conf