Scenario: set up SSH keys to a machine so that no password is required for something like scp.
First you need a dedicated user. Run adduser on both machines and pick a user name. Make sure the user has a shell account but does not require password authentication.
On the remote machine you need to run ssh-keygen once you have logged in as that user (for example with su username). When it finishes you will have a public key in /home/username/.ssh/id_rsa.pub, which you need to copy into the following file on the remote machine –
You then need to ensure ownership is set properly on all the files for the user you created (chown takes the owner; chmod takes a mode): chown -R username /home/username/.ssh
Do this on both machines.
You can then su username on the local machine and try an scp command; it should not prompt you for the password.
You can then either run a script via the crontab as that user, or something like this should work –
su username -c "scp -B remotehost:/etc/somefile /tmp"
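An added example, not the post's own commands: a check of the .ssh permissions that most often cause a key to be ignored, and a non-interactive login test so that a cron job cannot hang on a password prompt. The user name, host name and remote path are placeholders.

```shell
#!/bin/sh
# Added example for the passwordless-scp setup above; names are placeholders.

# check_ssh_perms HOME: 0 if HOME/.ssh is 0700 and the key files are 0600 or 0400.
# sshd's StrictModes only rejects group/world-writable files and the ssh client
# only refuses readable private keys; this check is deliberately stricter.
check_ssh_perms() {
  d="$1/.ssh"
  [ -d "$d" ] || return 1
  [ "$(stat -c %a "$d")" = 700 ] || return 1
  for f in "$d"/id_rsa "$d"/authorized_keys; do
    [ -e "$f" ] || continue
    case "$(stat -c %a "$f")" in 600|400) ;; *) return 1 ;; esac
  done
  return 0
}

# key_login_works USER HOST: 0 only if the key alone authenticates.
# BatchMode=yes makes ssh fail instead of prompting, which is what cron needs.
key_login_works() {
  ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=5 "$1@$2" true
}

# pull_file USER HOST REMOTE_PATH LOCAL_DIR: the post's scp -B, guarded by the checks
pull_file() {
  check_ssh_perms "$HOME" || { echo "bad permissions under $HOME/.ssh" >&2; return 1; }
  key_login_works "$1" "$2" || { echo "key auth to $1@$2 failed" >&2; return 1; }
  scp -B "$1@$2:$3" "$4"
}
```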
Scenario: scp using SSH keys to a machine on my network, but I received the error –
protocol error: mtime.sec not present
When creating the user on the remote machine I had given it nologin instead of a shell. Simply changing the user's shell via vipw fixed the issue.
A user had slowness when connecting by VPN to a remote office, which is plugged into a Mikrotik on the sfp1 interface with a 100 Mbps connection. Speeds on site are fine and there is no packet loss to the remote VPN endpoint, but once connected, RDP sessions are extremely slow.
Eventually I found a fix for this issue: I changed the WAN interface MTU value on the Mikrotik to 1460. Since doing so the user's VPN speed has drastically increased.
I needed to configure some NAT rules on a Mikrotik, but the rules only worked from outside in. The customer uses split DNS for the domain, so the mail client points at a local address, and it needed a loopback (hairpin NAT) rule. In the end I wrote the rules into the router using the terminal, or ssh.
Here's an example of forwarding port 25.
Router is on 192.168.1.254
Server is on 192.168.1.250
/ip firewall nat
add chain=dstnat dst-address-type=local protocol=tcp dst-port=25 \
action=dst-nat to-address=192.168.1.250 to-port=25
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
dst-address=192.168.1.250 protocol=tcp dst-port=25 \
You can then open up winbox, go to IP / Firewall / NAT and you will see your new rules.
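An added example (not the post's configuration) that generates the complete hairpin-NAT pair for any forwarded port, using the post's router and server addresses. It assumes the srcnat rule ends in action=masquerade, which is what makes replies to LAN clients return through the router; the push helper assumes RouterOS runs a single CLI command passed as the ssh command argument and that the admin user is used.

```shell
#!/bin/sh
# Added example: emit and (optionally) push RouterOS hairpin-NAT rules.
LAN=192.168.1.0/24
SERVER=192.168.1.250

# hairpin_rules PROTO PORT: print two full-path RouterOS commands, one per line:
#   1. dstnat  - traffic to any router address on PORT goes to SERVER
#   2. srcnat  - LAN clients hitting SERVER on PORT are masqueraded so the
#                server replies to the router, not directly to the client
hairpin_rules() {
  cat <<EOF
/ip firewall nat add chain=dstnat dst-address-type=local protocol=$1 dst-port=$2 action=dst-nat to-address=$SERVER to-port=$2 comment="forward $1/$2"
/ip firewall nat add chain=srcnat src-address=$LAN dst-address=$SERVER protocol=$1 dst-port=$2 action=masquerade comment="hairpin $1/$2"
EOF
}

# push_rules HOST PROTO PORT: run each generated line on the router over ssh.
# ssh -n keeps ssh from swallowing the rest of the pipe as its stdin.
push_rules() {
  hairpin_rules "$2" "$3" | while IFS= read -r line; do
    ssh -n "admin@$1" "$line" || return 1
  done
}
```

Verify afterwards with /ip firewall nat print, or in Winbox under IP / Firewall / NAT as the post describes.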
Editing iptables on a CentOS machine?
Firstly you can dump your current rules to a file like so –
iptables-save > 08-05-2015.rules
(add your rules to the file)
iptables-restore < 08-05-2015.rules
service iptables save
iptables -L – you should now see your new rules.
I had problems setting iptables on Ubuntu, so I used a script to get it working and modified it for the specific ports I needed open.
#!/bin/sh
IPT=/sbin/iptables
# Flush old rules, old custom tables
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
# Set default policies for all three default chains
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 192.168.0.0/24 -j DROP
# Accept inbound TCP packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s 192.168.0.0/24 -j ACCEPT
# Accept inbound ICMP messages (echo request and time exceeded) from the LAN
$IPT -A INPUT -p icmp --icmp-type 8 -s 192.168.0.0/24 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -s 192.168.0.0/24 -j ACCEPT
# Accept SNMP (161/udp), rsync (873), NRPE (5666) and SMTP (25) from the LAN
$IPT -A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 161 -j ACCEPT
$IPT -A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 873 -j ACCEPT
$IPT -A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
$IPT -A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
# Accept outbound packets: replies to anything already allowed, plus new DNS, rsync and SMTP
$IPT -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
Run the script with sh ./script
I also used iptables-persistent – apt-get install iptables-persistent
Once you have the iptables rules in place, you can check with iptables -L
You need to save them to your v4 rules file –
iptables-save > /etc/iptables/rules.v4
You won't need to restart iptables-persistent, but you can with /etc/init.d/iptables-persistent restart
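An added example covering both the CentOS iptables-save/iptables-restore workflow and the Ubuntu script above (not the post's own code): before restoring a rules file whose INPUT policy is DROP, confirm it still accepts SSH, and apply it with a timed rollback so a mistake over a remote session does not lock you out. The rules file below is constructed from the script's rules in iptables-save format.

```shell
#!/bin/sh
# Added example: lockout sanity check plus timed rollback for iptables rule files.

# Constructed sample in iptables-save format (the relevant lines of the script above)
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -s 192.168.0.0/24 -j ACCEPT
COMMIT'

# check_ssh_allowed FILE: 0 if the INPUT policy is ACCEPT or some INPUT rule
# accepts new tcp/22. A textual check only: it does not simulate rule order,
# so an earlier DROP for port 22 would still slip past it.
check_ssh_allowed() {
  policy=$(sed -n 's/^:INPUT \([A-Z]*\).*/\1/p' "$1")
  [ "$policy" = "ACCEPT" ] && return 0
  grep -Eq '^-A INPUT .*-p tcp .*--dport 22 .*-j ACCEPT' "$1"
}

# apply_with_rollback FILE SECONDS: save the live rules, load FILE, and schedule
# a restore of the saved rules after SECONDS. If SSH still works, kill the
# background job to keep the new rules; if you are cut off, it undoes itself.
apply_with_rollback() {
  backup=$(mktemp /tmp/iptables.backup.XXXXXX) || return 1
  iptables-save > "$backup" || return 1
  check_ssh_allowed "$1" || { echo "refusing: $1 has no SSH accept rule" >&2; return 1; }
  ( sleep "$2"; iptables-restore < "$backup" ) &
  rollback=$!
  iptables-restore < "$1" || { kill "$rollback"; iptables-restore < "$backup"; return 1; }
  echo "rules applied; run 'kill $rollback' within $2 seconds to keep them"
}
```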
I had to move a MySQL datadir to a new partition: it was stored in /var/lib/mysql, but df -h showed the main partition being /data and the / partition was now full. This was a CentOS machine.
I stopped mysql –
I copied the mysql databases over to the new directory I created –
mkdir /data/mysql && cp -R /var/lib/mysql/* /data/mysql/
Changed the ownership –
chown -R mysql:mysql /data/mysql
I ensured the permissions were set properly and matched on both the old and new directories by checking them with ls -l on the folder and inside it. They are usually 700 on MySQL, I believe.
I then edited the startup script –
I changed the datadir line to the new directory.
I then changed the /etc/my.cnf file to use the new directory (it was hard-set here too, so you should check that).
I tried starting mysql and checked it was using the new datadir –
ps ax | grep sql
I then stopped mysql and removed the old databases in /var/lib/mysql (to free up the space).
I started mysql again (/etc/init.d/mysql), but when looking at the logs I saw it had crashed, so I ran mysqlcheck -A (with -u myuser -p -A). Once this finished I restarted mysqld and it started without any errors in the logs.
I also needed to change the socket file directory, which I defined in the my.cnf file accordingly –
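An added example (not the post's commands) for the datadir move described above: copy with rsync -a so ownership and modes survive (plain cp -R does not keep them), verify the copy is complete before deleting the old directory, and confirm that my.cnf's datadir and socket both point into the new location. Paths are the post's; the service is assumed to be stopped first.

```shell
#!/bin/sh
# Added example: move a MySQL datadir safely and verify the result.
OLD=/var/lib/mysql
NEW=/data/mysql

# copy_datadir OLD NEW: rsync -a preserves owner, group, mode and mtimes;
# chown afterwards covers the new top-level directory itself.
copy_datadir() {
  mkdir -p "$2" && rsync -a "$1"/ "$2"/ && chown mysql:mysql "$2" && chmod 700 "$2"
}

# verify_copy OLD NEW: 0 only if the trees have identical files and contents
verify_copy() {
  diff -r "$1" "$2" >/dev/null
}

# cnf_value FILE KEY: print KEY's value from the [mysqld] section of a my.cnf
cnf_value() {
  awk -v k="$2" -F= '
    /^\[/ { in_mysqld = ($0 == "[mysqld]") }
    in_mysqld && $1 ~ ("^[ \t]*" k "[ \t]*$") {
      gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }' "$1"
}

# check_cnf FILE NEW: 0 if datadir equals NEW and the socket lives under NEW
check_cnf() {
  d=$(cnf_value "$1" datadir)
  s=$(cnf_value "$1" socket)
  [ "$d" = "$2" ] || return 1
  case "$s" in "$2"/*) return 0 ;; esac
  return 1
}

# Typical run (service already stopped): copy, verify, check config, then remove OLD
move_datadir() {
  copy_datadir "$OLD" "$NEW" && verify_copy "$OLD" "$NEW" && check_cnf /etc/my.cnf "$NEW" \
    && rm -rf "$OLD"
}
```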
I installed a certificate for Apache to enable SSL on a website. When creating the CSR for the authority it asks for a passphrase.
When you install the certificate and restart the httpd service it asks for the passphrase, so it needs to be removed from the private key.
To do this use the following command:
openssl rsa -in securesite.domain.net.uk.key -out securesite.domain.net.uk.nopass.key
It will ask for the passphrase again, but it will save the key as the nopass version.
Make sure you change your ssl.conf file to use the new file:
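An added example, not the post's commands: the passphrase removal above, written so the unencrypted key is never created world-readable, plus a check that the key still matches the certificate before Apache is pointed at it. It assumes OpenSSL is installed; file names are placeholders.

```shell
#!/bin/sh
# Added example: strip a key passphrase safely and verify key/cert agreement.

# strip_passphrase IN OUT [PASSIN]: write the unencrypted key with mode 0600
# from the moment it exists (umask in a subshell), prompting unless PASSIN is given
strip_passphrase() {
  (
    umask 077
    if [ -n "$3" ]; then
      openssl rsa -in "$1" -out "$2" -passin "$3"
    else
      openssl rsa -in "$1" -out "$2"
    fi
  )
}

# key_matches_cert KEY CERT: 0 if the certificate's public key equals the key's
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_key_perms KEY: 0 only if the key is readable by its owner alone
check_key_perms() {
  [ "$(stat -c %a "$1")" = 600 ]
}

# Typical run for the post's file names, stopping before Apache is reconfigured
prepare_nopass_key() {
  strip_passphrase securesite.domain.net.uk.key securesite.domain.net.uk.nopass.key \
    && check_key_perms securesite.domain.net.uk.nopass.key \
    && key_matches_cert securesite.domain.net.uk.nopass.key securesite.domain.net.uk.crt
}
```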
I use vi a lot on *nix machines and there are a lot of useful tricks you can use to edit files.
A good trick to get rid of those annoying ^M characters from a DOS file is –
Type :%s/ then press Ctrl-V followed by Ctrl-M, and then, without spaces, //g
What you are doing here is just a regular expression substitution: replacing each ^M with nothing, across the entire file (the g flag).