Posts Tagged ‘linux’

Ssh on different ports on different interfaces (linux).

To have sshd listen on a different port on each of two interfaces, configure /etc/ssh/sshd_config like so:

vi /etc/ssh/sshd_config

ListenAddress 10.10.10.10:22
ListenAddress 11.11.11.11:6666

This will have sshd listening on port 22 on the interface configured with IP address 10.10.10.10 and port 6666 on the interface configured with IP address 11.11.11.11.

Restart sshd:

systemctl restart sshd

CentOS – create a swap file.

I have done this a few times before but don't have to do it very often, so I'm just noting it here.

Create the file. The following will create a 1GB file filled with zeros:

# dd if=/dev/zero of=/var/swapfile bs=1024 count=1024000
1024000+0 records in
1024000+0 records out
1048576000 bytes (1.0 GB) copied, 10.9243 s, 96.0 MB/s

Change the permission:

# chmod 0600 /var/swapfile

Create the swap area:

# mkswap /var/swapfile
Setting up swapspace version 1, size = 1023996 KiB
no label, UUID=957c2a0c-30f9-4dd7-89ed-d88b9f471294

Enable the swap area:

# swapon /var/swapfile

Enable the swap area at boot by adding it to the /etc/fstab:

# vi /etc/fstab

/var/swapfile swap swap defaults 0 0

Disable the swap area:

# swapoff /var/swapfile
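The procedure above as reusable shell functions, added here as an example and not part of the original post. It adds the two checks worth automating: the swap file must be 0600 and root-owned (swapon warns about insecure permissions otherwise, and a readable swap file exposes whatever the kernel paged out), and the /etc/fstab entry must not be duplicated when the script is re-run. The owner and fstab parameters exist so the checks can be exercised unprivileged; paths and the 1M block size are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): swap-file helpers.
# Only create_swapfile needs root; the two checks run as any user.

# Return 0 if $1 is mode 0600 (or 0400) and owned by $2 (default root).
swapfile_perms_ok() {
    f=$1; owner=${2:-root}
    [ -f "$f" ] || return 1
    case "$(stat -c '%a' "$f")" in 600|400) ;; *) return 1 ;; esac
    [ "$(stat -c '%U' "$f")" = "$owner" ]
}

# Append the fstab line for swap file $1 to $2 (default /etc/fstab) unless
# an entry for that file already exists, so re-running never duplicates it.
fstab_add_swap_once() {
    f=$1; fstab=${2:-/etc/fstab}
    if [ -f "$fstab" ] && awk -v f="$f" \
        '$1 == f && $3 == "swap" { found=1 } END { exit !found }' "$fstab"; then
        return 0
    fi
    printf '%s swap swap defaults 0 0\n' "$f" >> "$fstab"
}

# Root only: create, secure, format, enable and persist a swap file of $2 MiB
# at $1. The umask (in a subshell, so it does not leak) makes the file 0600
# from the moment it exists rather than after a later chmod.
create_swapfile() {
    (
        set -e
        umask 077
        dd if=/dev/zero of="$1" bs=1M count="$2"   # assumed block size
        chmod 0600 "$1"
        swapfile_perms_ok "$1"
        mkswap "$1"
        swapon "$1"
        fstab_add_swap_once "$1"
        swapon -s
    )
}
```

Usage, as root: `create_swapfile /var/swapfile 1024`. The perms check runs before mkswap so a file that ended up readable by others is never activated.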

MySQL DB access via shell.

Here is a reasonably secure way to give a shell script access to your MySQL/MariaDB databases on Linux:

# umask 277
# vi /somedirectory/.supersecretfile
# ls -l /somedirectory/.supersecretfile
-r--------. 1 root root 36 Feb 2 11:58 /somedirectory/.supersecretfile
# umask 022

# mysql --defaults-file=/somedirectory/.supersecretfile -e "SOME SQL COMMAND"

CentOS – disable ciphers in openssh

I used the following procedure to disable the weak ciphers enabled in openssh on CentOS 7:

You can probably guess where this should be configured, but one of the challenges can be getting a complete list of what is supported.

Get a list of supported ciphers:

# ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

To disable one or more ciphers, you need to explicitly list the ciphers you do want to use. For example, to disable the arcfour ciphers:

# vi /etc/ssh/sshd_config

Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

And then, restart sshd:

# systemctl restart sshd

And check:

$ ssh -c arcfour localhost
no matching cipher found: client arcfour server 3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
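Because the Ciphers directive replaces the default list, a typo or a name the installed sshd does not support makes `sshd -t` reject the configuration. This added example (not from the original post) builds the directive from the `ssh -Q cipher` output instead of typing it by hand, and checks a hand-written directive against that output. The list below is a copy of the one shown above, embedded so the script runs without ssh; the drop patterns are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): derive the Ciphers directive
# from what the binary supports, dropping whole families by regex.

# Copy of the 'ssh -Q cipher' output shown above (CentOS 7).
SAMPLE_CIPHERS='3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com'

# Read cipher names on stdin, drop those matching extended regex $1 and
# print the survivors as one Ciphers directive. Returns 1 if nothing is
# left, since an empty list is a configuration error, not a hardening.
ciphers_directive() {
    kept=$(grep -Ev "$1" | paste -sd, -)
    [ -n "$kept" ] || return 1
    printf 'Ciphers %s\n' "$kept"
}

# Return 0 if every name in the Ciphers directive $1 appears in the
# supported list read on stdin; prints the unknown names otherwise.
ciphers_supported() {
    supported=$(cat)
    missing=""
    for c in $(printf '%s\n' "$1" | sed 's/^Ciphers[[:space:]]*//; s/,/ /g'); do
        printf '%s\n' "$supported" | grep -qxF "$c" || missing="$missing $c"
    done
    [ -z "$missing" ] || { echo "unsupported:$missing" >&2; return 1; }
}

# Demo: the post's directive (arcfour only), then a stricter CTR/AEAD-only one.
printf '%s\n' "$SAMPLE_CIPHERS" | ciphers_directive '^arcfour'
printf '%s\n' "$SAMPLE_CIPHERS" | ciphers_directive '^arcfour|-cbc(@|$)'
```

On a live host replace the sample with `ssh -Q cipher | ciphers_directive '^arcfour'`, paste the result into sshd_config, and run `sshd -t` before the restart; the `ssh -c arcfour localhost` test from the post then confirms the server side.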

Filtering out unwanted/unneeded messages in rsyslog

I wanted to log as much useful information as I could from an Avaya phone system to my CentOS 7.x syslog server running rsyslogd.

That was easy, as I may have noted here before:

# vi /etc/rsyslog.conf

if $fromhost-ip startswith 'aaa.bbb.ccc.ddd' then /var/log/mylog.log
& ~

# systemctl restart rsyslog

However, I found my log flooded with the same unneeded messages over and over. To prevent those messages from being logged into any of the log files, I made the following configuration changes:

# vi /etc/rsyslog.conf

:msg, contains, "what I want to filter out" ~

# systemctl restart rsyslog
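rsyslog evaluates rules top to bottom, and the `~` discard action (or `stop` in rsyslog 7 and later) ends processing for that message, so the discard rule only keeps noise out of every file if it sits above the first rule that writes one. This added example (not from the original post) renders the two rules in that order and checks an existing fragment for the ordering mistake. The sender address, log path and filter strings are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): emit rsyslog rules in an
# order that makes the discard effective, and verify that order.

# $1 = sender IP prefix, $2 = log file, remaining args = substrings to drop.
render_rsyslog_rules() {
    host=$1; logfile=$2; shift 2
    for pat in "$@"; do
        # Discard matching messages before any file rule can write them.
        printf ':msg, contains, "%s" ~\n' "$pat"
    done
    # Everything else from that sender goes to its own file, then stops.
    printf "if \$fromhost-ip startswith '%s' then %s\n" "$host" "$logfile"
    printf '& ~\n'
}

# Read a config fragment on stdin; return 1 if any ':msg ... ~' discard rule
# appears after a rule whose action is a file (last field starts with / or -/).
filter_order_ok() {
    awk 'NF && $NF ~ /^-?\// { seen_file=1; next }
         /^:msg,.*~[[:space:]]*$/ && seen_file { bad=1 }
         END { exit bad ? 1 : 0 }'
}

# Demo with placeholder values.
render_rsyslog_rules 192.0.2.10 /var/log/mylog.log "what I want to filter out"
```

After writing the rules into /etc/rsyslog.conf, `rsyslogd -N1` parses the file without starting the daemon and reports syntax errors before the restart. Note that `startswith '10.1.'` also matches '10.10.' style prefixes only when the string itself is a prefix; pick a prefix that ends at a dot to avoid matching neighbouring networks.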

Linux – Extract Files from an RPM file.

Copy the rpm to a temporary directory first, because the files are extracted into the current directory:

# rpm2cpio somerpm | cpio -idmv

Mount SMB/CIFS share at boot in CentOS 7.

Mounting a Windows (CIFS) file share in CentOS 7 has changed a little when using a Windows domain to authenticate.

First, you need to have the cifs-utils package installed. This allows you to mount CIFS/SMB filesystems.

The syntax in /etc/fstab has not changed, but the way the credentials are stored for domain accounts is a little different. I use a hidden, read-only file to store the Windows credentials.

/etc/fstab:

//winserver/sharename /mntpoint cifs credentials=/usr/local/etc/.myfile,iocharset=utf8,file_mode=0774,dir_mode=0774 0 0

Here is the change. In the past, I was able to specify the domain together with the username in the credential file, /usr/local/etc/.myfile, like so:

username=mydomain\myusername
password=mypassword

Now, the domain needs to be specified on its own line like so:

username=myusername
password=mypassword
domain=mydomain
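Both the MySQL defaults file above and this CIFS credentials file are the same pattern: a root-owned, mode 0400 file created under `umask 277` that a client reads so the password never appears on a command line or in the process list. This added example (not from either post) wraps that pattern in a helper that creates the file, renders the two formats, and refuses to use a file whose mode or owner has drifted. File names, account names and passwords are constructed placeholders; the owner parameter exists only so the check can be exercised as a non-root user.

```shell
#!/bin/sh
# Added example (not from the original posts): root-only secret files for
# --defaults-file and for cifs credentials=, with a permission check.

# Write stdin to $1 with mode 0400. The file is removed first so no earlier,
# looser mode survives, and the umask lives in a subshell so the caller's
# umask is untouched.
write_secret_file() {
    (
        umask 277
        rm -f "$1"
        cat > "$1"
    )
}

# Return 0 only if $1 is a regular file, mode 0400 or 0600, owned by $2
# (default root).
secret_file_ok() {
    f=$1; owner=${2:-root}
    [ -f "$f" ] || return 1
    case "$(stat -c '%a' "$f")" in 400|600) ;; *) return 1 ;; esac
    [ "$(stat -c '%U' "$f")" = "$owner" ]
}

# Render a MySQL client defaults file, the format --defaults-file reads.
mysql_defaults() {
    printf '[client]\nuser=%s\npassword=%s\n' "$1" "$2"
}

# Render a CIFS credentials file in the current layout, domain on its own line.
cifs_credentials() {
    printf 'username=%s\npassword=%s\ndomain=%s\n' "$1" "$2" "$3"
}

# Run SQL $2 with defaults file $1, but only after the file passes the check.
run_query() {
    secret_file_ok "$1" || { echo "refusing: $1 is not a root-only 0400 file" >&2; return 1; }
    mysql --defaults-file="$1" -e "$2"
}
```

Usage, as root: `mysql_defaults backup 'placeholder-password' | write_secret_file /somedirectory/.supersecretfile` and then `run_query /somedirectory/.supersecretfile 'SHOW DATABASES'`; the same `write_secret_file` call with `cifs_credentials` produces the file referenced by `credentials=` in /etc/fstab.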

CentOS 7 change timezone.

To list all timezones:

# timedatectl list-timezones

To set the new timezone:

# timedatectl set-timezone newtimezone

Sample output:

# timedatectl list-timezones | grep Angeles
# timedatectl set-timezone America/Los_Angeles
# date
Thu Mar 5 11:56:43 PST 2015
# ls -l /etc/localtime
lrwxrwxrwx. 1 root root 41 Mar 5 11:56 /etc/localtime -> ../usr/share/zoneinfo/America/Los_Angeles

To view your current timezone configuration:

# timedatectl status

Chroot SFTP only on CentOS 6.

CentOS: 6.6

When setting up an SFTP server, you may want to restrict (jail) SFTP users to a single location without restricting all aspects of openssh. This is how I restricted SFTP without impacting the rest of openssh:

Create the group you will match on; adding users to it grants them SFTP access:

# groupadd sftp

Create a user:

# useradd -G sftp -d /into -s /sbin/nologin testuser

Notice the home directory. This is the logical root location for the user, interpreted relative to the chroot. Also note that the shell is nologin, to prevent ssh shell access.

Set the password:

# passwd testuser

Make a backup copy of the sshd_config file (in /etc/ssh) and make the following changes to the existing file:

# cp -rp sshd_config sshd_config.orig
# vi sshd_config

# JGZ – Force to use openssh in-process sftp server
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

# JGZ – Match to group to chroot
Match Group sftp
ChrootDirectory /sftpdir/%u
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp

Restart the service:

# service sshd restart

It is very important that the directory permissions are correct. Create directories and set permissions:

# mkdir /sftpdir
# chmod 755 /sftpdir
# ls -ld /sftpdir
drwxr-xr-x. 3 root root 4096 Feb 27 05:53 /sftpdir
# mkdir /sftpdir/testuser
# chmod 755 /sftpdir/testuser
# ls -ld /sftpdir/testuser/
drwxr-xr-x. 3 root root 4096 Feb 27 14:57 /sftpdir/testuser/
# mkdir /sftpdir/testuser/into
# chown testuser.sftp /sftpdir/testuser/into
# chmod 755 /sftpdir/testuser/into
# ls -ld /sftpdir/testuser/into
drwxr-xr-x. 2 testuser sftp 4096 Feb 27 15:07 /sftpdir/testuser/into/

It should be simple enough to script the creation of new users. Basically, this is what you need (the home directory is relative to the chroot, and the writable directory must sit under /sftpdir/<user> to match the ChrootDirectory above):
# useradd -G sftp -d /incoming -s /sbin/nologin testuser1
# mkdir -p /sftpdir/testuser1/incoming
# chown testuser1.sftp /sftpdir/testuser1/incoming
# passwd testuser1
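The permission rule the post calls "very important" is sshd's own: it refuses a ChrootDirectory unless that directory and every directory above it are owned by root and writable by nobody else, and the user's writable area has to be a subdirectory inside it. This added example (not from the original post) turns the manual steps into one root-only function and adds a check that walks the path and reports the first offending directory. The group name and layout follow the post; the "top" and "owner" parameters are assumptions that let the check run on a temporary tree as a non-root user.

```shell
#!/bin/sh
# Added example (not from the original post): SFTP chroot tree helpers.

# Walk from directory $1 up to $2 (default /) and require each directory to
# be owned by $3 (default root) with no group or other write bit. Prints the
# first directory that breaks the rule and returns 1.
chroot_path_ok() {
    d=$1; top=${2:-/}; owner=${3:-root}
    while :; do
        own=$(stat -c '%U' "$d") || return 1
        perm=$(stat -c '%A' "$d")          # e.g. drwxr-xr-x
        if [ "$own" != "$owner" ]; then
            echo "$d: owned by $own, not $owner" >&2; return 1
        fi
        case "$perm" in
            ?????w*|????????w*)              # group write or other write set
                echo "$d: writable by group/other ($perm)" >&2; return 1 ;;
        esac
        [ "$d" = "$top" ] && return 0
        d=$(dirname "$d")
        # Reached the filesystem root without passing through $top.
        [ "$d" = "/" ] && [ "$top" != "/" ] && return 1
    done
}

# Root only: create user $1 with the post's layout (/sftpdir/<user>/into,
# home /into inside the chroot) and verify the chroot path before use.
create_sftp_user() {
    u=$1
    useradd -G sftp -d /into -s /sbin/nologin "$u"
    mkdir -p "/sftpdir/$u/into"
    chown root:root /sftpdir "/sftpdir/$u"
    chmod 755 /sftpdir "/sftpdir/$u"
    chown "$u:sftp" "/sftpdir/$u/into"
    chmod 755 "/sftpdir/$u/into"
    chroot_path_ok "/sftpdir/$u"
}
```

Usage, as root: `create_sftp_user testuser1 && passwd testuser1`. Run `chroot_path_ok /sftpdir/testuser1` again after any later chmod or chown; a failing walk is what produces the "bad ownership or modes for chroot directory" refusal in the sshd log.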

Linux “at” command

Long ago, I used the at command quite often in a Unix environment. I would just use the following syntax:

# at now /path/scriptname

And it worked.

Now, in Ubuntu, when I use the same syntax, I get the following:

syntax error. Last token seen: /
Garbled time

The solution is to enter "at now" and hit Enter. At the at> prompt, enter the full path and name of the script you want to run. Then hit Ctrl-D to submit the job and exit at.

# at now
warning: commands will be executed using /bin/sh
at> /path/scriptname
at>
job 7 at Thu Oct 30 11:30:00 2014
