Linux

Common shell scripting tips

Common shell scripting tips Shell scripting built-in commands Shell scripting special symbols

Wednesday, September 22, 2021 Read

SSH failing with Error : fatal: daemon() failed: No such device

SSH failing with Error : fatal: daemon() failed: No such device /var/log/secure Oct 10 10:58:05 vps sshd[23799]: fatal: daemon() failed: No such device # rm -vf /dev/null removed `/dev/null` -bash-3.2# mknod /dev/null c 1 3 Started SSH and the SSH started responding: # service sshd restart Stopping sshd: [ OK ] Starting sshd: [ OK ] -bash-3.2# service sshd status openssh-daemon (pid 30608) is running…

Thursday, March 4, 2021 Read

Mount a Synology NAS folder on CentOS 7

Monday, November 9, 2020 Read

How to configure time zone and NTP on RHEL7/CentOS7

How to configure time zone and NTP on RHEL7/CentOS7 chrony includes two programs: chronyd is a daemon that starts on boot, and chronyc is a command-line client that can monitor chronyd and change runtime parameters. Use either ntpd or chronyd, not both. Configure time zone ~# timedatectl set-timezone Asia/Taipei ~# timedatectl Local time: Tue 2018-03-27 14:13:38 CST Universal time: Tue 2018-03-27 06:13:38 UTC RTC time: Tue 2018-03-27 06:13:40 Time zone: Asia/Taipei (CST, +0800) NTP enabled: no NTP synchronized: no RTC in local TZ: no DST active: n/a Configure chronyd # Install ~# yum install -y chrony # Config file ~# cat /etc/chrony.conf # Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). server 0.tw.pool.ntp.org iburst --->改成本地的伺服器 server 1.tw.pool.ntp.org iburst --->改成本地的伺服器 server 2.tw.pool.ntp.org iburst --->改成本地的伺服器 server 3.tw.pool.ntp.org iburst --->改成本地的伺服器 # Start service and enable on boot ~# systemctl enable chronyd ~# systemctl start chronyd tracking parameters show system time performance ~# chronyc tracking Reference ID : 3DD8996B (61-216-153-107.hinet-ip.hinet.net) --->表示現在同步的時間伺服器，如果沒有id表示沒有同步 Stratum : 4 --->表示計算機有多少"跳hop" 表示本地的是第四層 Ref time (UTC) : Tue Mar 27 06:03:38 2018 --->最後一次測量的時間 System time : 0.000040356 seconds fast of NTP time --->調整系統時間 Last offset : +0.000163738 seconds RMS offset : 0.000163738 seconds Frequency : 21.384 ppm fast Residual freq : +0.000 ppm Skew : 675.319 ppm Root delay : 0.008527911 seconds Root dispersion : 0.066466033 seconds Update interval : 2.0 seconds Leap status : Normal --->Normal要顯示此值, Insert second, Delete second or Not synchronised. ~# chronyc sources -v 210 Number of sources = 4 .-- Source mode '^' = server, '=' = peer, '#' = local clock. / .- Source state '*' = current synced, '+' = combined , '-' = not combined, | / '?' = unreachable, 'x' = time may be in error, '~' = time too variable. || .- xxxx [ yyyy ] +/- zzzz || Reachability register (octal) -. | xxxx = adjusted offset, || Log2(Polling interval) --. | | yyyy = measured offset, || \ | | zzzz = estimated error. || | | \ MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^* 59-124-29-241.hinet-ip.h> 3 6 37 24 -1462us[-2363us] +/- 49ms ^+ 61-216-153-107.hinet-ip.> 3 6 37 23 -556us[ -556us] +/- 64ms ^? 59-125-122-217.hinet-ip.> 0 7 0 - +0ns[ +0ns] +/- 0ns ^- 61-216-153-105.hinet-ip.> 3 6 37 23 -280us[ -280us] +/- 64ms View sync source info ~# chronyc sourcestats -v 210 Number of sources = 4 .- Number of sample points in measurement set. / .- Number of residual runs with same sign. | / .- Length of measurement set (time). | | / .- Est. clock freq error (ppm). | | | / .- Est. error in freq. | | | | / .- Est. offset. | | | | | | On the -. | | | | | | samples. \ | | | | | | | Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev ============================================================================== 59-124-29-241.hinet-ip.h> 6 5 135 -0.454 4.553 -784us 66us 61-216-153-107.hinet-ip.> 6 6 135 +4.455 19.761 +622us 247us 59-125-122-217.hinet-ip.> 0 0 0 +0.000 2000.000 +0ns 4000ms 61-216-153-105.hinet-ip.> 6 4 136 +8.965 42.440 +1250us 495us Write system time to hardware clock ~# hwclock --systohc ~# date ; hwclock Tue Mar 27 14:07:57 CST 2018 Tue 27 Mar 2018 02:07:58 PM CST -0.938012 seconds

Tuesday, September 29, 2020 Read

Install PowerDNS and PowerDNS-Admin on Ubuntu 22.04|20.04|18.04

Install PowerDNS and PowerDNS-Admin on Ubuntu 22.04|20.04|18.04 Master-Master PowerDNS with Galera Replication https://www.scaleway.com/en/docs/installing-powerdns-server-on-ubuntu-bionic/ Install PowerDNS $ sudo apt update $ sudo apt install mariadb-server -y $ sudo mysql -u root CREATE DATABASE powerdns; GRANT ALL ON powerdns.* TO 'powerdns'@'localhost' IDENTIFIED BY 'Str0ngPasswOrd'; FLUSH PRIVILEGES; USE powerdns; CREATE TABLE domains ( id INT AUTO_INCREMENT, name VARCHAR(255) NOT NULL, master VARCHAR(128) DEFAULT NULL, last_check INT DEFAULT NULL, type VARCHAR(6) NOT NULL, notified_serial INT UNSIGNED DEFAULT NULL, account VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL, PRIMARY KEY (id) ) Engine=InnoDB CHARACTER SET 'latin1'; CREATE UNIQUE INDEX name_index ON domains(name); CREATE TABLE records ( id BIGINT AUTO_INCREMENT, domain_id INT DEFAULT NULL, name VARCHAR(255) DEFAULT NULL, type VARCHAR(10) DEFAULT NULL, content VARCHAR(64000) DEFAULT NULL, ttl INT DEFAULT NULL, prio INT DEFAULT NULL, change_date INT DEFAULT NULL, disabled TINYINT(1) DEFAULT 0, ordername VARCHAR(255) BINARY DEFAULT NULL, auth TINYINT(1) DEFAULT 1, PRIMARY KEY (id) ) Engine=InnoDB CHARACTER SET 'latin1'; CREATE INDEX nametype_index ON records(name,type); CREATE INDEX domain_id ON records(domain_id); CREATE INDEX ordername ON records (ordername); CREATE TABLE supermasters ( ip VARCHAR(64) NOT NULL, nameserver VARCHAR(255) NOT NULL, account VARCHAR(40) CHARACTER SET 'utf8' NOT NULL, PRIMARY KEY (ip, nameserver) ) Engine=InnoDB CHARACTER SET 'latin1'; CREATE TABLE comments ( id INT AUTO_INCREMENT, domain_id INT NOT NULL, name VARCHAR(255) NOT NULL, type VARCHAR(10) NOT NULL, modified_at INT NOT NULL, account VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL, comment TEXT CHARACTER SET 'utf8' NOT NULL, PRIMARY KEY (id) ) Engine=InnoDB CHARACTER SET 'latin1'; CREATE INDEX comments_name_type_idx ON comments (name, type); CREATE INDEX comments_order_idx ON comments (domain_id, modified_at); CREATE TABLE domainmetadata ( id INT AUTO_INCREMENT, domain_id INT NOT NULL, kind VARCHAR(32), content TEXT, PRIMARY KEY (id) ) Engine=InnoDB CHARACTER SET 'latin1'; CREATE INDEX domainmetadata_idx ON domainmetadata (domain_id, kind); CREATE TABLE cryptokeys ( id INT AUTO_INCREMENT, domain_id INT NOT NULL, flags INT NOT NULL, active BOOL, content TEXT, PRIMARY KEY(id) ) Engine=InnoDB CHARACTER SET 'latin1'; CREATE INDEX domainidindex ON cryptokeys(domain_id); CREATE TABLE tsigkeys ( id INT AUTO_INCREMENT, name VARCHAR(255), algorithm VARCHAR(50), secret VARCHAR(255), PRIMARY KEY (id) ) Engine=InnoDB CHARACTER SET 'latin1'; CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm); $ sudo systemctl disable systemd-resolved $ sudo systemctl stop systemd-resolved $ ls -lh /etc/resolv.conf lrwxrwxrwx 1 root root 39 Jul 24 15:50 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf $ sudo unlink /etc/resolv.conf $ echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf Add official PowerDNS repository for Ubuntu 22.04|20.04|18.04.

Friday, September 25, 2020 Read

Set interface IP with netplan on Ubuntu 18.04

Set interface IP with netplan on Ubuntu 18.04 Following the notes above, check /etc/netplan and open /etc/netplan/50-cloud-init.yaml: # This file is generated from information provided by # the datasource. Changes to it will not persist across an instance. # To disable cloud-init's network configuration capabilities, write a file # /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following: # network: {config: disabled} network: ethernets: ens192: dhcp4: true ens224: dhcp4: true version: 2 It looks like you can disable cloud network, but I do not use cloud-init, so remove it:

Friday, September 18, 2020 Read

Deploying OpenVPN with AD domain authentication

Deploying OpenVPN with AD domain authentication OpenVPN + PAM + SSSD + Active Directory https://computingforgeeks.com/install-and-configure-openvpn-server-on-rhel-centos-8/ https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8 https://medium.com/jerrynotes/linux-authentication-windows-ad-without-join-domain-7963c3fd44c5 # Install OpenVPN yum install openvpn -y yum -y install openssl openssl-devel -y yum -y install lzo lzo-devel -y yum install -y libgcrypt libgpg-error libgcrypt-devel # Install OpenVPN auth plugin yum install openvpn-auth-ldap -y # Install easy-rsa # Since openvpn 2.3 removed easy-rsa from the package, install it separately. yum install easy-rsa cp -rf /usr/share/easy-rsa/2.0 /etc/opevpn/ # Generate OpenVPN keys and certificates # Edit `/opt/openvpn/etc/easy-rsa/2.0/vars` parameters export KEY_COUNTRY="CN" # Country export KEY_PROVINCE="ZJ" # Province export KEY_CITY="NingBo" # City export KEY_ORG="TEST-VPN" # Organization exportKEY_EMAIL="81367070@qq.com" # Email export KEY_OU="baidu" # Unit source vars ./clean-all ./build-ca ./build-dh ./build-key-server server ./build-key client1 # Edit the OpenVPN server config: `/etc/openvpn/server.conf` port 1194 proto udp dev tun ca keys/ca.crt cert keys/server.crt key keys/server.key # This file should be kept secret dh keys/dh2048.pem server 10.8.0.0 255.255.255.0 // client IP pool push "route 192.168.1.0 255.255.255.0" // push route to clients push "redirect-gateway" // change client gateway to route VPN traffic ifconfig-pool-persist ipp.txt keepalive 10 120 comp-lzo persist-key persist-tun status openvpn-status.log verb 3 plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf" client-cert-not-required username-as-common-name log /var/log/openvpn.log # Edit openvpn-ldap-auth config: `/etc/openvpn/auth/ldap.conf` # /etc/openvpn/auth/ldap.conf <LDAP> # LDAP server URL # Change to the AD server IP URL ldap://172.16.76.238:389 # Bind DN (If your LDAP server doesn't support anonymous binds) # BindDN uid=Manager,ou=People,dc=example,dc=com # Change to the domain admin DN; you can query it with ldapsearch # Replace the IP in -h with the server IP, -D with the admin DN, -b with the base DN, and * for all # ldapsearch -LLL -x -h 172.16.76.238 -D "administrator@xx.com" -W -b "dc=xx,dc=com" "*" BindDN "cn=administrator,cn=Users,dc=xx,dc=com" # Bind Password # Password SecretPassword # Domain admin password Password passwd # Network timeout (in seconds) Timeout 15 # Enable Start TLS TLSEnable no # Follow LDAP Referrals (anonymously) FollowReferrals no # TLS CA Certificate File # TLSCACertFile /usr/local/etc/ssl/ca.pem # TLS CA Certificate Directory # TLSCACertDir /etc/ssl/certs # Client Certificate and key # If TLS client authentication is required # TLSCertFile /usr/local/etc/ssl/client-cert.pem # TLSKeyFile /usr/local/etc/ssl/client-key.pem # Cipher Suite # The defaults are usually fine here # TLSCipherSuite ALL:!ADH:@STRENGTH </LDAP> <Authorization> # Base DN # Base DN for auth search BaseDN "dc=boqii-inc,dc=com" # User Search Filter # SearchFilter "(&(uid=%u)(accountStatus=active))" # sAMAccountName=%u uses the sAMAccountName value as the username, # and "memberof=CN=myvpn,DC=xx,DC=com" points to the VPN user group to authenticate, # so any user can use VPN once they are in this group. SearchFilter "(&(sAMAccountName=%u)(memberof=CN=myvpn,DC=boqii-inc,DC=com))" # Require Group Membership RequireGroup false # Add non-group members to a PF table (disabled) # PFTable ips_vpn_users <Group> # BaseDN "ou=Groups,dc=example,dc=com" # SearchFilter "(|(cn=developers)(cn=artists))" # MemberAttribute uniqueMember # Add group members to a PF table (disabled) # PFTable ips_vpn_eng BaseDN "ou=vpn,dc=boqii-inc,dc=com" SearchFilter "(cn=openvpn)" MemberAttribute "member" </Group> </Authorization> Copy the ca.crt certificate under /etc/openvpn/key for client use.

Thursday, September 17, 2020 Read

An easy way to identify virtualization technology

An easy way to identify virtualization technology dmidecode -s system-product-name Virtualization technology VMware Workstation root@router:~# dmidecode -s system-product-name VMware Virtual Platform VirtualBox root@router:~# dmidecode -s system-product-name VirtualBox QEMU and KVM root@router:~# dmidecode -s system-product-name KVM QEMU (emulation) root@router:~# dmidecode -s system-product-name Bochs Microsoft Virtual PC root@router:~# dmidecode | egrep -i 'manufacturer|product' Manufacturer: Microsoft Corporation Product Name: Virtual Machine Virtuozzo root@router:~# dmidecode /dev/mem: Permission denied en root@router:~# dmidecode | grep -i domU Product Name: HVM domU /dev/disk/by-id If you do not have permission to run dmidecode, you can use: ls -1 /dev/disk/by-id/

Wednesday, July 29, 2020 Read

SSH certificate login guide

SSH certificate login guide Certificate login flow Before using SSH certificate login, you need to generate certificates. The steps are: The user and the server both send their public keys to the CA. The CA uses the server public key to generate a server certificate and sends it to the server. The CA uses the user public key to generate a user certificate and sends it to the user. Once certificates are in place, the user can log in. SSH handles the whole process automatically.

Wednesday, July 8, 2020 Read

Surprisingly, you can view images in the Linux CLI?

Surprisingly, you can view images in the Linux CLI? FIM sudo apt-get install fim Common shortcuts for images in FIM: PageUp / Down: previous/next image +/-: zoom in/out a: auto scale w: fit width h: fit height j / k: pan down/up f / m: flip/mirror r / R: rotate (clockwise/counterclockwise) ESC / q: quit Viu cargo install viu Lsix sudo apt-get install imagemagick wget https://github.com/hackerb9/lsix/archive/master.zip

Tuesday, April 14, 2020 Read

Load Balancing with iptables and ip rule

Load Balancing with iptables and ip rule Steps This example uses an Arch Linux device with two Internet uplinks: eth0 and eth1. The mapping is: Mark 10 (0xa) - Routing table #110 - use eth0 Mark 11 (0xb) - Routing table #111 - use eth1 We decide which uplink to use based on the packet mark. First, use ip rule to map each mark to its routing table. The default routing table priority is 32768. To ensure our tables are used, set a higher priority (for example 31000).

Wednesday, December 4, 2019 Read

Fighting ISP Cache Hijacking Again with iptables

Fighting ISP Cache Hijacking Again with iptables Cause The fight against the carrier cache problem started two years ago. The carrier even cached cnpm data. Worse, their cache servers were not only slow like a turtle in a marathon, they also crashed frequently, so I just wanted to write code but had to face a wall of red errors. Fix iptables -I FORWARD -p tcp -m tcp -m ttl --ttl-gt 20 -m ttl --ttl-lt 30 -j DROP

Monday, October 7, 2019 Read