Archive for the ‘Mẹo vặt của hiếu râu’ Category

7
Dec

Two-Factor Authentication (Google Authenticator)

   Posted by: admin 

------------SSH-----------
# yum install pam-devel make gcc-c++ wget
https://google-authenticator.googlecode.com


# tar -jxvf libpam-google-authenticator-1.0-source.tar.bz2


# cd libpam-google-authenticator-1.0
# make
# make install
# google-authenticator


Open the PAM configuration file ‘/etc/pam.d/sshd‘ and add the to the top .

auth       required     pam_google_authenticator.so


Open file ‘/etc/ssh/sshd_config


ChallengeResponseAuthentication yes


restart sshd-> done


----------------vsftpd use password as PIN+OTP--------------------


auth       required     pam_google_authenticator.so try_first_pass forward_pass


https://github.com/chregu/GoogleAuthenticator.php/blob/master/example.php




——————- sFTP ——————


Subsystem     sftp   internal-sftp
Match Group sftpgroup
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no


—–


%h = HOME_DIR 755 root:root,


mkdir public_html, chown user:sftpgroup public_html


usermod -g sftpgroup user


mkdir otp; chown user


mv .google_au* otp


/etc/pam.d/sshd


auth       required     pam_google_authenticator.so \


try_first_pass forward_pass \


secret=${HOME}/otp/.google_authenticator




————— Apache ——————-
svn checkout http://google-authenticator-apache-module.googlecode.com/svn/trunk/ google-authenticator-apache-module-read-only
make; make install
Loadmodule authn_google_module modules/mod_authn_google.so


.htaccess


AuthType Basic
AuthName "BasicAuth with OTP"


AuthBasicProvider "google_authenticator"
Require valid-user
GoogleAuthUserPath /home/www/xxx/otp/site
GoogleAuthCookieLife 3600
GoogleAuthEntryWindow 4



--file /home/www/xxx/otp/site/username--


ZZZAAAOTPPINCODEAAAZZZ


"PASSWORD=mySecret


------


auth with username, password = mySecret+OTP
No Comments
11
Jan

iscsi multipath

   Posted by: admin

change some settings in /etc/iscsi/iscsid.conf:

node.conn[0].timeo.noop_out_interval = 5
node.conn[0].timeo.noop_out_timeout = 10
node.session.timeo.replacement_timeout = 15

/etc/init.d/iscsi start

iscsiadm -m iface -I iface0 –op=new
iscsiadm -m iface -I iface1 –op=new
iscsiadm -m iface -I iface0 –op=update -n iface.hwaddress -v 00:11:22:33:44:55
iscsiadm -m iface -I iface1 –op=update -n iface.hwaddress -v 66:77:88:99:AA:BB

iscsiadm -m discovery -t st -p 10.X.X.X
iscsiadm -m node –loginall=all
iscsiadm -m session

The configuration file (/etc/multipath.conf) is set up by default

devnode_blacklist {
  devnode "^sda$"
  devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
  devnode "^hd[a-z]"
  devnode "^cciss!c[0-9]d[0-9]*"
}
multipaths {
  multipath {


    #get wwid by #multipath -ll
    wwid 360a9800043336a414c3a3954725a7869
    alias  my-lun0
  }

}


devices {
  device {
    vendor  "NETAPP"
    product  "LUN"
    path_grouping_policy  group_by_prio
    getuid_callout  "/sbin/scsi_id -g -u -s /block/%n"
    #prio_callout  "/opt/netapp/santools/mpath_prio_ontap /dev/%n"
    features  "1 queue_if_no_path"
    path_checker  readsector0
    failback  immediate
  }
}


/etc/init.d/multipathd start
multipath -ll
restart multipathd
restart iscsi
fdisk /dev/mpath/my-lun0
mkfs.ext3 /dev/mpath/my-lun0p1
mount /dev/mpath/my-lun0p1 /mnt
No Comments
31
Oct

ssh VPN

   Posted by: admin

Scenario

In this recipe two machines will be configured:

  • A server which is a firewall and has access to a private network ¹
  • A client which initiates the connections to the server and gains direct access to the private network
 --------         /\_/-\/\/-\       -----------------
| Client |~~~~~~~/ Internet /~~~~~~| Server/Firewall |~~~[ private net ]
 --------        \_/-\/\_/\/      / ----------------- \
    ||\                           \          ||\       \
    || {tun0}                      {eth0}    || {tun0}  {eth1}
    ||                                       ||
    \-================= tunnel ==============-/

For this recipe lets number things like this:

  • the private net is 10.99.99.0/24
  • eth0 on the server has public IP 5.6.7.8
  • eth1 on the server has private IP 10.99.99.1
  • the VPN network is 10.254.254.0/30
  • tun0 on the server has private IP 10.254.254.1
  • tun0 on the client has private IP 10.254.254.2

On the Client

If you do not already have them, generate an SSH keypair for root:

$ sudo ssh-keygen -t rsa

/etc/network/interfaces: Add this stanza to the file:

iface tun0 inet static
      pre-up ssh -S /var/run/ssh-myvpn-tunnel-control -M -f -w 0:0 5.6.7.8 true
      pre-up sleep 5
      address 10.254.254.2
      pointopoint 10.254.254.1
      netmask 255.255.255.252
      up route add -net 10.99.99.0 netmask 255.255.255.0 gw 10.254.254.1 tun0
      post-down ssh -S /var/run/ssh-myvpn-tunnel-control -O exit 5.6.7.8

The first time we connect to the server as root we may need to acknowledge saving the servers SSH key fingerprint:

$ sudo ssh 5.6.7.8
The authenticity of host '5.6.7.8 (5.6.7.8)' can't be established.
RSA key fingerprint is aa:fe:a0:38:7d:11:78:60:01:b0:80:78:90:ab:6a:d2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '5.6.7.8' (RSA) to the list of known hosts.

Don’t bother logging in, just hit CTRL-C.

On the server

/etc/ssh/sshd_config: Add/modify the two keywords to have the same values as below.

PermitTunnel point-to-point
PermitRootLogin forced-commands-only

The PermitRootLogin line is changed from the default of no. You do restrict root SSH login, right?

/root/.ssh/authorized_keys: Add the following line.

tunnel="0",command="/sbin/ifdown tun0;/sbin/ifup tun0" ssh-rsa AAAA ..snipped.. == root@server

Replace everything starting with “ssh-rsa” with the contents of root’s public SSH key from the client(/root/.ssh/id_rsa.pub on the client).

/etc/network/interfaces: Add the following stanza.

iface tun0 inet static
      address 10.254.254.1
      netmask 255.255.255.252
      pointopoint 10.254.254.2

/etc/sysctl.conf: Make sure net.ipv4.conf.default.forwarding is set to 1

net.ipv4.conf.default.forwarding=1

This will take effect upon the next reboot so make it active now:

$ sudo sysctl net.ipv4.conf.default.forwarding=1

Using the VPN

user@client:~$ sudo ifup tun0
RTNETLINK answers: File exists
run-parts: /etc/network/if-up.d/avahi-autoipd exited with return code 2

user@client:~$ ping -c 2 10.99.99.1
PING 10.99.99.1 (10.99.99.1) 56(84) bytes of data.
64 bytes from 10.99.99.1 icmp_seq=1 ttl=64 time=96.3 ms
64 bytes from 10.99.99.1 icmp_seq=2 ttl=64 time=94.9 ms

--- 10.99.99.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 94.954/95.670/96.387/0.780 ms
user@client:~$ sudo ifdown tun0
Exit request sent.

You may get the two errors after running ifup. No problem, they are harmless.

No Comments
5
Oct

expect example

   Posted by: admin

#!/usr/bin/expect -f
set timeout 60
set env(TERM)

spawn orafed orafed
expect “assw”
send “123456\r”
expect “orafed”
send “sqlplus / as sysdba\r”
expect “SQL>”
send “startup;\r”
expect “SQL>”
send “exit\r”
expect “orafed”
send “lsnrctl start\r”
expect “command completed”
send “exit\r”

——————-

#!/usr/bin/expect -f

set timeout 60

set env(TERM)

set vuser [lindex $argv 0]

set vhost [lindex $argv 1]

spawn ssh $vuser@$vhost

expect {

“*assword” { send “thispass\r” }

timeout { exit 2 }

}

expect {

“thisTerm” { send “ssh nextuser@nextterm\r”

exp_continue }

“*assword: ” {

stty -echo

send_user “ask pass: ”

expect_user -re “(.*)\n”

send_user “\n”

send “$expect_out(1,string)\r”

stty echo

exp_continue

}

“nextTerm” { send “w\r” }

}

interact {

“done” { send_user “send ls -la\r”; send “ls -la\r”; return

}

}

expect {

“nextTerm” { send “exit\r”; exp_continue }

“thisTerm” { send — “exit\r” }

timeout {exit 3}

}

No Comments
3
Apr

solaris tips

   Posted by: admin

List all services

#svcs

svcadm [enable/disable] [service]

enable/disable X login

#/usr/dt/bin/dtconfig [-d/-e]

download packages from sunfreeware.com

#gunzip package_local.gz

#pkgadd -d package_local

#pkgrm

#reboot

change hostname in /etc/hostname.e1000g0 and /etc/nodename

enable dhcp by #touch /etc/dhcp.e1000g0

hint : flash=1, mirror=1,remove mirror part

No Comments
29
Mar

radius - ldap

   Posted by: admin

install freeradius

cd /etc/freeradius - etc/raddb

vi radiusd.conf

ldap {

server = “demo1″

identity = “myaccount”

password = “mypassword”

basedn = “OU=Users,OU=Production,DC=demo,DC=com,DC=vn”

filter = “(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=OU=Groups,OU=Production,DC=demo,DC=com,DC=vn))”

#password_attribute = userPassword

# set this to ‘yes’ to use TLS encrypted connections

# to the LDAP database by using the StartTLS extended

# operation.

# The StartTLS operation is supposed to be used with normal

# ldap connections instead of using ldaps (port 689) connections

start_tls = no

# tls_cacertfile        = /path/to/cacert.pem

# tls_cacertdir         = /path/to/ca/dir/

# tls_certfile          = /path/to/radius.crt

# tls_keyfile           = /path/to/radius.key

# tls_randfile          = /path/to/rnd

# tls_require_cert      = “demand”

# default_profile = “cn=radprofile,ou=dialup,o=My Org,c=UA”

# profile_attribute = “radiusProfileDn”

#access_attr = “dialupAccess” <<——– comment this line

# Mapping of RADIUS dictionary attributes to LDAP

Uncomment ldap in authorize and authenticate sessions
vi clients.conf
client 10.100.0.0/24 {
secret          = mypassword
shortname       = hcm-network-vl100
}
vi users
DEFAULT Auth-Type = LDAP
Fall-Through = 1
radtest user pass 127.0.0.1 0 testing123
No Comments
29
Mar

httpd - ldap

   Posted by: admin

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

AuthType Basic
AuthBasicProvider ldap
AuthName “DEMO”
AuthLDAPURL “ldap://demo1.demo.com.vn:3268 demo2:3268/DC=demo,DC=com,DC=vn?samAccountName?sub?(objectCategory=person)”

AuthLDAPBindDN demo\myaccount

AuthLDAPBindPassword mypassword

Require ldap-group OU=Groups,OU=Production,DC=demo,DC=com,DC=vn

No Comments
23
Mar

USB 3G modem 4linux

   Posted by: admin

#lsusb

vendor=0×0471 product=0×1237

#rmmod usb-storage

#modprobe usbserial vendor=0×0471 product=0×1237

—————————————–

#file wvdial.conf
#internet Dialer version 1.56
#created by Cyblade
#Written for the E220 usb modem
[Dialer Defaults]
Init2 = ATZ
Init3 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Stupid Mode = 1
Modem Type = Analog Modem
ISDN = 0
Phone = *99***1#
Modem = /dev/ttyUSB0
username = username
Password = password
Dial Command = ATDT
Baud =466600
Init4 = AT+CGDCONT=1,”IP”,”e-connect”

—————————-

/etc/modprobe.d/modprobe.conf

options usbserial vendor=0×0471 product=0×1237
No Comments
28
Jul

GSMSMSD - KQEMU

   Posted by: admin

gsmsmsd -a ‘tail -n 30 > /SMS_IN/`date +%y%m%d-%H%M%S`’ -d /dev/ttyS0 -b 9600 -s /SMS_OUT -t sm -f no_cb no_stat sms &

autoexec=xampp changes=/dev/hda1/ noagp nosound nopcmcia noauto

qemu.exe -L . -m 256M -hda hda.img -cdrom slaxdev.iso -localtime -M pc -net nic -net user -redir tcp:3306::3306 -redir tcp:8080::80 -redir tcp:2222::22 -boot d -vnc 127.0.0.1:100 -k en-us -serial COM1

No Comments
17
Jun

LVS

   Posted by: admin

package included in HA

vi /etc/ha.d/ldirectord.conf

checktimeout=3

checkinterval=10

autoreload=yes
quiescent=yes
virtual=10.10.50.28:2323
real=10.10.50.165:2323 gate 80
real=10.10.50.162:2323 gate 80
service=simpletcp
scheduler=wrr
protocol=tcp
persistent=300
netmask=255.255.255.255
checktype=connect
checkport=2323
echo 1 > /proc/sys/net/ipv4/vs/expire_quiescent_template
perl -MCPAN -e shell
>install LWP::UserAgent
>install Mail::Send
/etc/init.d/ldirectord start
ipvsadm -L -n [ -c | --rate | --persistent-conn | --stats]
– direct route —
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 2 > /proc/sys/net/ipv4/lo/arp_anounce
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 2 > /proc/sys/net/ipv4/all/arp_anounce
ifconfig lo:1 10.10.50.28/32 -arp up
No Comments
Back to top
Previous EntriesNext Entries