Category Archives: Linux

ssh-keygen

Scenario: set up SSH keys between two machines so that a password is not required, for use with something like scp.

First you need a dedicated (slave) user. Run 'adduser' on both machines and pick the same user name. Make sure the account has a shell, but it should not rely on password authentication.

On the remote machine, run ssh-keygen while logged in as that user (something like su username will get you there). Once it has run you will have a public key in /home/username/.ssh/id_rsa.pub, which you need to copy into the following file on the remote machine –

/home/username/.ssh/authorized_keys

You then need to ensure ownership and permissions are set properly on all the files for the user you created. chown -R username /home/username/.ssh

Do this on both machines.

You can then su username on the local machine and try an scp command; it should not prompt you for the password.

You can then either run a script via the crontab as that user, or something like this should work –

su username -c "scp -B remotehost:/etc/somefile /tmp"
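The most common reason the scp above still prompts for a password is ownership or modes on the .ssh directory: sshd's StrictModes setting (on by default) silently ignores authorized_keys when the home directory, .ssh or the file itself is writable by anyone else. The script below is an added example and not part of the original post; it checks a .ssh directory the way sshd will, and repairs it with the chown and chmods the post relies on. It assumes GNU stat, and the owner is passed as a numeric uid so the check also works where the user name is not resolvable.

```shell
#!/bin/sh
# Added example, not from the original post: verify (and optionally repair) the
# ownership and modes on a user's ~/.ssh before relying on key authentication.
# Assumes GNU stat; the expected owner is a numeric uid.

uid_of()  { stat -c '%u' "$1"; }
mode_of() { stat -c '%a' "$1"; }

# check_ssh_dir <ssh_dir> <uid>: 0 when all checks pass, else list problems and return 1.
check_ssh_dir() {
    dir=$1; want=$2; rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ "$(uid_of "$dir")" = "$want" ] || { echo "$dir owned by uid $(uid_of "$dir"), expected $want"; rc=1; }
    [ "$(mode_of "$dir")" = "700" ]  || { echo "$dir mode $(mode_of "$dir"), expected 700"; rc=1; }
    for f in "$dir"/authorized_keys "$dir"/id_rsa "$dir"/id_ed25519; do
        [ -f "$f" ] || continue
        [ "$(uid_of "$f")" = "$want" ] || { echo "$f owned by uid $(uid_of "$f"), expected $want"; rc=1; }
        [ "$(mode_of "$f")" = "600" ]  || { echo "$f mode $(mode_of "$f"), expected 600"; rc=1; }
    done
    return $rc
}

# fix_ssh_dir <ssh_dir> <uid>: the post's chown plus the modes sshd expects.
fix_ssh_dir() {
    chown -R "$2" "$1" && chmod 700 "$1" || return 1
    for f in "$1"/authorized_keys "$1"/id_rsa "$1"/id_ed25519; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    return 0
}

# Demo on a constructed directory with the loose modes a careless copy leaves behind.
DEMO=$(mktemp -d)
mkdir "$DEMO/.ssh"
echo "# constructed placeholder, not a real key" > "$DEMO/.ssh/authorized_keys"
chmod 755 "$DEMO/.ssh"; chmod 644 "$DEMO/.ssh/authorized_keys"
check_ssh_dir "$DEMO/.ssh" "$(id -u)" || echo "-> fixing"
fix_ssh_dir "$DEMO/.ssh" "$(id -u)"
check_ssh_dir "$DEMO/.ssh" "$(id -u)" && echo "ok: $DEMO/.ssh"
```

Run it as root against /home/username/.ssh with the user's uid (id -u username) on both machines; if it reports nothing and the scp still prompts, the problem is somewhere other than file permissions.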

Mikrotik & dtls Cisco connect vpn slowness

A user was experiencing slowness when connecting by VPN to a remote office, plugged into a Mikrotik on the sfp1 interface on a 100Mbps connection. Speeds on site were fine and there was no packet loss to the remote VPN endpoint, but once connected the RDP sessions were extremely slow.

Eventually I found a fix for this issue. I changed the WAN interface MTU value on the Mikrotik to 1460; since doing so the user's VPN speed has drastically increased.

Mikrotik Hairpin NAT

I needed to configure some NAT rules on a Mikrotik, but the rules only worked from outside in. The customer uses split DNS for the domain, so the mail client resolves it to a local address, and that needed a loopback (hairpin) rule. In the end I wrote the rules into the router using the terminal, or ssh.

Here’s an example of forwarding port 25.

Router is on 192.168.1.254

Server is on 192.168.1.250

/ip firewall nat
add chain=dstnat dst-address-type=local protocol=tcp dst-port=25 \
action=dst-nat to-address=192.168.1.250 to-port=25
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
dst-address=192.168.1.250 protocol=tcp dst-port=25 \
out-interface=bridge-local action=masquerade

You can then open up Winbox, go to IP / Firewall / NAT and you will see your new rules.

iptables on ubuntu 14.04.1 LTS

I had problems setting up iptables on Ubuntu, so I used a script to get it working and modified it for the specific ports I needed open.

#!/bin/sh

IPT="/sbin/iptables"

# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain

# Set default policies for all three default chains
# (anything not explicitly accepted below is dropped, inbound and outbound)
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

# Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 192.168.0.0/24 -j DROP

# Accept inbound TCP packets belonging to existing connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH, only from the local subnet
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s 192.168.0.0/24 -j ACCEPT
# Accept inbound ICMP messages (echo request and time exceeded) from the local subnet
$IPT -A INPUT -p icmp --icmp-type 8 -s 192.168.0.0/24 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -s 192.168.0.0/24 -j ACCEPT
# Accept SNMP
$IPT -A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 161 -j ACCEPT
# RSYNC
$IPT -A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 873 -j ACCEPT
# NRPE
$IPT -A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
# SMTP
$IPT -A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

# Accept outbound packets belonging to existing connections (inserted at the top of OUTPUT)
$IPT -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Only DNS, rsync and SMTP may be started outbound; note there is no HTTP/HTTPS here,
# so apt-get will not be able to reach its mirrors while these rules are active
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

Run the script with sh ./script
I also used iptables-persistent – apt-get install iptables-persistent
Once the rules are loaded you can check them with iptables -L
You need to save them to your v4 rules file –

iptables-save > /etc/iptables/rules.v4

You won't need to restart iptables-persistent, but you can with /etc/init.d/iptables-persistent restart
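Because iptables-persistent loads rules.v4 at boot, it is worth reviewing that file offline before it goes onto a remote box. The script below is an added example, not part of the post or of iptables-persistent: it reads iptables-save output and reports each chain's default policy, every proto/port an ACCEPT rule opens, and any INPUT accept that carries no source, interface or state restriction. The sample ruleset is constructed to match the script above as iptables-save would render it, not captured from a real host.

```shell
#!/bin/sh
# Added example (not the post's script): audit a saved iptables-save file offline,
# so a rules.v4 can be reviewed before it is loaded on a remote machine.
# Constructed sample matching the post's rules as iptables-save renders them.
SAMPLE_RULES_V4='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 873 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 873 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
COMMIT'
RULES_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_RULES_V4" > "$RULES_FILE"

# chain_policy <file> <chain>: default policy (ACCEPT/DROP) of a built-in chain.
chain_policy() {
    sed -n "s/^:$2 \([A-Z]*\) .*/\1/p" "$1"
}

# accepted_dports <file> <chain>: each proto/port an ACCEPT rule opens, sorted by port.
accepted_dports() {
    awk -v chain="$2" '
        $1 == "-A" && $2 == chain && /-j ACCEPT/ {
            proto = "any"; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = tolower($(i + 1))
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") print proto "/" port
        }' "$1" | sort -t/ -k2,2n | tr '\n' ' ' | sed 's/ $//'
}

# unrestricted_accepts <file> <chain>: ACCEPT rules with no -s, -i or --state qualifier,
# i.e. the ones that are open to any source.
unrestricted_accepts() {
    awk -v chain="$2" '
        $1 == "-A" && $2 == chain && /-j ACCEPT/ && !/ -s / && !/ -i / && !/--state/' "$1"
}

# audit <file>: a short human-readable verdict for the reviewer.
audit() {
    for c in INPUT FORWARD OUTPUT; do
        echo "$c policy: $(chain_policy "$1" "$c")"
    done
    echo "INPUT accepts:  $(accepted_dports "$1" INPUT)"
    echo "OUTPUT accepts: $(accepted_dports "$1" OUTPUT)"
    u=$(unrestricted_accepts "$1" INPUT)
    if [ -z "$u" ]; then echo "no unrestricted INPUT accepts"; else printf 'unrestricted INPUT accepts:\n%s\n' "$u"; fi
}

audit "$RULES_FILE"
```

Point it at /etc/iptables/rules.v4 instead of the sample to check a real host. On the post's rules it shows the OUTPUT policy is DROP with only 25, 53 and 873 permitted out, which is the quickest way to see why package updates would stall once the rules are loaded.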

Move MySQL datadir to new partition

I had to move a MySQL datadir to a new partition: it was stored in /var/lib/mysql, but df -h showed the main partition being /data and the / partition was now full. This was a CentOS machine.

I stopped mysql –

/etc/init.d/mysqld stop

I copied the mysql databases over to the new directory I created –

mkdir /data/mysql && cp -R /var/lib/mysql/* /data/mysql/

Changed the ownership –

chown -R mysql:mysql /data/mysql

I ensured the permissions were set properly and matched on both old and new directories by checking them with ls -l on the folder and inside it. They are usually 700, I believe, on MySQL.

I then edited the startup script –

vi /etc/init.d/mysqld

I changed the datadir line to the new directory.

I then changed the /etc/my.cnf file to use the new directory (it was hard set here too, so you should check that).

I tried starting mysql and checking it was using the new datadir –

/etc/init.d/mysqld start

ps ax | grep sql

I then stopped mysql and removed the old databases in /var/lib/mysql (to free up the space)

I started mysql again – /etc/init.d/mysql – but when looking at the logs I saw it had crashed, so I ran mysqlcheck -A (with -u myuser -p -A). Once this finished I restarted mysqld and it started without any errors in the logs.

I also needed to change the socket file directory, which I defined in the my.cnf file accordingly –
socket=/data/mysql/mysql.sock
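Two of the steps above are easy to get subtly wrong: my.cnf still pointing at the old datadir or socket, and modes that drifted during the copy. The script below is an added example and not from the post; it reads datadir and socket out of the [mysqld] section of a my.cnf, confirms both point at the new location, and compares owner, group and mode entry by entry between the old and new directories, which is the ls -l comparison the post describes, done mechanically. It assumes GNU stat; the my.cnf text and the directories are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for a MySQL datadir move.
# Assumes GNU stat. Sample config and directories below are constructed for the demo.

# cnf_value <my.cnf> <key>: value of "key=value" (spaces allowed) from the [mysqld] section.
cnf_value() {
    awk -v key="$2" '
        /^\[/ { in_mysqld = ($0 == "[mysqld]"); next }
        in_mysqld && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); print; exit
        }' "$1"
}

# check_cnf <my.cnf> <new_datadir>: 0 when datadir equals new_datadir and the socket lives under it.
check_cnf() {
    dd=$(cnf_value "$1" datadir); sock=$(cnf_value "$1" socket); rc=0
    [ "$dd" = "$2" ] || { echo "datadir is '$dd', expected '$2'"; rc=1; }
    case "$sock" in
        "$2"/*) ;;
        *) echo "socket '$sock' is not under $2"; rc=1 ;;
    esac
    return $rc
}

# mode_diff <old_dir> <new_dir>: print entries (the directory itself and its direct
# children) whose owner:group or mode differ, or that are missing from the new tree.
mode_diff() {
    for p in "$1" "$1"/*; do
        [ -e "$p" ] || continue
        rel=${p#"$1"}; q="$2$rel"
        if [ ! -e "$q" ]; then echo "missing in new: $rel"; continue; fi
        a=$(stat -c '%U:%G %a' "$p"); b=$(stat -c '%U:%G %a' "$q")
        [ "$a" = "$b" ] || echo "${rel:-/}: old=$a new=$b"
    done
}

# Demo: a my.cnf already edited for the move, and a copied datadir whose modes drifted.
CNF=$(mktemp)
cat > "$CNF" <<'EOF'
[client]
socket=/data/mysql/mysql.sock
[mysqld]
datadir = /data/mysql
socket=/data/mysql/mysql.sock
user=mysql
EOF
check_cnf "$CNF" /data/mysql && echo "my.cnf points at /data/mysql"

OLD=$(mktemp -d); NEW=$(mktemp -d)
mkdir "$OLD/mydb" "$NEW/mydb"; : > "$OLD/ibdata1"; : > "$NEW/ibdata1"
chmod 700 "$OLD" "$OLD/mydb" "$NEW" "$NEW/mydb"
chmod 660 "$OLD/ibdata1"; chmod 644 "$NEW/ibdata1"   # mode changed during the copy
mode_diff "$OLD" "$NEW"
chmod 660 "$NEW/ibdata1"
[ -z "$(mode_diff "$OLD" "$NEW")" ] && echo "old and new trees now match"
```

On the real machine run check_cnf /etc/my.cnf /data/mysql and mode_diff /var/lib/mysql /data/mysql before the first start; a non-empty mode_diff after cp -R is normal and is exactly what the chown -R step is there to fix.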

 

Remove the passphrase from the certificate.

I installed a certificate for Apache to enable SSL on a website. When creating the CSR for the certificate authority it asks for a passphrase.

When you install the certificate and restart the httpd service it asks for the passphrase, so it needs to be removed from the private key.

To do this use the following command:

openssl rsa -in securesite.domain.net.uk.key -out securesite.domain.net.uk.nopass.key

It will ask for the passphrase again, then save the unencrypted key as the nopass version.

Make sure you change your ssl.conf file to use the new file:

SSLCertificateKeyFile "/path/to/certificates/securesite.domain.net.uk.nopass.key"
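Once the passphrase is gone the file itself is the only thing protecting the key, so two checks are worth doing before ssl.conf points at it: that the nopass key really is the key the certificate was issued for (compare moduli), and that it is readable by root only. The script below is an added example, not from the post: it performs the same openssl rsa step, non-interactively, and then runs those checks. The encrypted key, self-signed certificate and passphrase are generated here purely for the demo; on a real host you would use the key the CSR was made from and the CA-issued certificate.

```shell
#!/bin/sh
# Added example, not from the original post: strip a key's passphrase as the post
# does, then verify the result matches the certificate and is root-only readable.
# Demo key, cert and passphrase are constructed here; assumes openssl and GNU stat.
WORK=$(mktemp -d)
DEMO_PASS='demo-passphrase-constructed'   # constructed for this example only

# make_demo_material <dir> <passphrase>: encrypted RSA key plus a self-signed cert for it.
make_demo_material() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1/site.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/site.key" -passin "pass:$2" \
        -subj '/CN=securesite.example' -days 1 -out "$1/site.crt" 2>/dev/null
}

# strip_passphrase <encrypted_key> <passphrase> <output_key>
# The post's "openssl rsa -in ... -out ..." with the passphrase supplied non-interactively.
# umask 077 makes openssl create the output as mode 600 before the first byte is written.
strip_passphrase() {
    (umask 077 && openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null)
}

# key_is_encrypted <key>: 0 if the PEM still carries an ENCRYPTED marker.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# key_matches_cert <key> <cert>: 0 if the RSA modulus in the key equals the one in the cert.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# file_mode <path>: octal mode (GNU stat).
file_mode() { stat -c '%a' "$1"; }

if command -v openssl >/dev/null 2>&1; then
    make_demo_material "$WORK" "$DEMO_PASS"
    strip_passphrase "$WORK/site.key" "$DEMO_PASS" "$WORK/site.nopass.key"
    key_is_encrypted "$WORK/site.key"        && echo "original key: encrypted"
    key_is_encrypted "$WORK/site.nopass.key" || echo "nopass key: no passphrase"
    key_matches_cert "$WORK/site.nopass.key" "$WORK/site.crt" && echo "nopass key matches certificate"
    echo "nopass key mode: $(file_mode "$WORK/site.nopass.key")"
else
    echo "openssl not installed; nothing to demonstrate" >&2
fi
```

The modulus comparison is the same check to run after any CA reissue: if the two Modulus= lines differ, httpd will refuse to start with the new key/cert pair regardless of the passphrase.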

 

Vi – Useful tricks

I use vi a lot on *nix machines and there are a lot of useful tricks you can use to edit files.

A good trick to get rid of those annoying ^M characters from a DOS file is –

:%s/(ctrl-v)(ctrl-m)//g

So you type :%s/ then press Ctrl-V followed immediately by Ctrl-M (no spaces), then //g

What you are doing here is just a substitution: the pattern is the literal ^M, the replacement between the last two slashes is empty (so each ^M is removed), % applies it to every line in the file and g to every occurrence on a line.