Pages

Tuesday, April 29, 2014

SSH-Tunneling

Main Options we use in ssh tunneling
-L [bind_address:]port:host:hostport

Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax: [bind_address/]port/host/hostport or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listen- ing port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.

 
-N Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).


-R [bind_address:]port:host:hostport

Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine.


Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. IPv6 addresses can be specified by enclosing the address in square braces or using an alternative syntax: [bind_address/]host/port/hostport.

By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server’s GatewayPorts option is enabled (see sshd_config(5)).

If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the client at run time.

-f Requests ssh to go to background just before command execution.

This is use-ful if ssh is going to ask for passwords or passphrases, but the user wants it in the background. This implies -n. The recommended way to start X11 programs at a remote site is with something like ssh -f host xterm.

If the ExitOnForwardFailure configuration option is set to “yes”, then a client started with -f will wait for all remote port forwards to be success- fully established before placing itself in the background.

 

Difference between Reverse tunneling and Normal tunneling.

 

SSH-Tunnel

 

 

Normal tunneling

 

ssh -L 8888:www.linux.ro:80 user@computer -N

ssh -L 8888:www.linux.ro:80 -L 110:mail.linux.ro:110 \

25:mail.linux.ro:25 user@computer -N

The second example (see above) show you how to setup your ssh tunnel for web, pop3

and smtp. It is useful to recive/send your e-mails when you don't have direct access

to the mail server.

 

For the ASCII art and lynx browser fans here is illustrated the first example:

 

+--------------+<--port 22-->+--------------------+<--port 80-->o-----------+

|SSH Client|----------------------|ssh_server|----------------------|   host    |

+-------------------+                                  +----------+                                            o-----------+

localhost:8888                                            computer                             www.linuxon.ro:80

 

 

For example, if the remote server in question was myserver.example.com you could run the following command on your local system to create a tunnel as described above:

 

ssh -T -N -L 3308:localhost:3306 myserver.example.com

The meat of the command is the -L option, which tells ssh to listen on port 3308 locally and then on the remote side to forward all traffic on that port to localhost:3306. Note that the localhost here is not referring to the local system but rather where to forward things to on the remote side, in this case to localhost on the remote side.

 

ssh -T -N -L 3308:private.local:3306 myserver.example.com

Here, ssh listens on port 3308 on the local system and it forwards that data to port 3306 on private.host, but it does that via the server myserver.example.com. In other words the local traffic on port 3308 gets transferred first to the remote system which then transfers it to port 3306 on private.host. Of course, if private.local's mysql server is only listening on its local interface this won't work, you'll need something more involved.

 

ssh -R 9001:intra-site.com:80 home (Executed from 'work')

Once executed the SSH client at ‘work’ will connect to SSH server running at home creating a SSH channel. Then the server will bind port 9001 on ‘home’ machine to listen for incoming requests which would subsequently be routed through the created SSH channel between ‘home’ and ‘work’. Now it’s possible to browse the internal site
by visiting http://localhost:9001 in ‘home’ web browser. The ‘work’ will then create a connection to intra-site and relay back the response to ‘home’ via the created SSH channel.

 

 

 

Monday, April 28, 2014

SVN access manager

To use SVN Access Manager you need at least:

a working subversion installation
a MySQL Database, version 4 or higher, a PostgreSQL 8 or higher database or an Oracle 10g or higher database
an Apache web server, version 2.0 or higher with DAV, mod_authz and SVN support
PHP version 5.2 or higher with working oci8 support if using Oracle database

To use SVN Access Manager you need at least:
a working subversion installation
a MySQL Database, version 4 or higher, a PostgreSQL 8 or higher database or an Oracle 10g or higher database
an Apache web server, version 2.0 or higher with DAV, mod_authz and SVN support
PHP version 5.2 or higher with working oci8 support if using Oracle database

Go to a directory where the software can be accessed by your Apache web server. Unpack the archive. For our example do the following:
http://sourceforge.net/projects/svn-access-mana/files/
# mkdir /etc/svn
# mkdir /etc/svn-access-manager
# mkdir /usr/share/svn-access-manager
# chown apache:apache /etc/svn /etc/svn-access-manager
# cd /usr/share/svn-access-manager
# tar -xvfz svnaccessmanager-0.5.0.0.tar.gz

2.2.3 Setup a MySQL database and a database user

You need a database for SVN Access Manager and an user with full access to this database. To create the database do the following as root user of your MySQL database:

CREATE DATABASE svnadmin;
To create a user having access to this database do the following as root user of your MySQL database:

CREATE USER 'svnadmin'@ 'localhost' IDENTIFIED BY '*******';

GRANT USAGE ON * . * TO 'svnadmin'@ 'localhost' IDENTIFIED BY '*******'
WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;

GRANT ALL PRIVILEGES ON `svnadmin` . * TO 'svnadmin'@ 'localhost';
After finishing the database work continue with installing SVN Access Manager.

If you get an error "No database selected" during installation check if the database user has sufficient rights to access and to work with the database!

SVN-Subversion installation and configuration

 

Installing SVN

yum install mod_dav_svn subversion
Add it in httpd conf or in httpd/conf.d/subversion.conf

LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

<Location /svn>
DAV svn
SVNParentPath /var/www/svn
AuthType Basic
AuthName "Subversion repositories"
AuthUserFile /etc/svn-auth-users
Require valid-user
</Location>

Creating User for accessing the SVN

htpasswd -cm /etc/svn-auth-users user1
New password:
Re-type new password:
Adding password for user user1

## Create user2 ##
htpasswd -m /etc/svn-auth-users user2
New password:
Re-type new password:
Adding password for user user2

Creating the directories and correcting permissions

mkdir /var/www/svn
cd /var/www/svn

Creating repositories

svnadmin create testrepo
chown -R apache.apache testrepo


## If you have SELinux enabled (you can check it with "sestatus" command) ##
## then change SELinux security context with chcon command ##

chcon -R -t httpd_sys_content_t /var/www/svn/testrepo

## Following enables commits over http ##
chcon -R -t httpd_sys_rw_content_t /var/www/svn/testrepo

or else disable the selinux
setenforce 0
Restart the service

systemctl restart httpd.service
## OR ##
service httpd restart

## CentOS / RHEL ##
/etc/init.d/httpd restart
## OR ##
service httpd restart

 

Friday, April 25, 2014

Linux Acl in detail

Let's assume we have /dev/sda1 mounted on /data1 and we want to enable the acl option.

[root@server ~]# tune2fs -l /dev/sda1
To enable ACLs on a filesystem, we must set the fs default and remount:
[root@server ~]# tune2fs -o acl /dev/sda1
[root@server ~]# mount -o remount,acl /data1
Use getfacl to view ACLs:

[root@server ~]# touch /data1/foo.txt
[root@server ~]# getfacl /data1/foo.txt
getfacl: Removing leading '/' from absolute path names
# file: data1/foo.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
Use setfacl to set ACLs, with -m to modify and -x to remove a given ACL.
give user ram read+write+execute on a file:

[root@server ~]# setfacl -m u:ram:rwx /data1/foo.txt
give group peeps read+write on a file:
[root@server ~]# setfacl -m g:peeps:rw /data1/foo.txt
remove ram's ACL permissions:
[root@server ~]# setfacl -x u:ram /data1/foo.txt
set the default ACL permissions on a directory:
[root@server ~]# setfacl -m d:g:peeps:rw /data1/stuff/
revoke write permission for everyone:
[root@server ~]# setfacl -m m::rx /data1/foo.txt
When ACLs are present, an ls -l will show a plus sign to notify you:

[root@server ~]# ls -l /data1/foo.txt
-rw-rwxr--+ 1 root root 0 Dec 3 14:54 /data1/foo.txt
Note that the mv and cp -p commands will preserve ACLs. If you have defaults set on a parent directory, new files in that directory will inherit those settings.
If you want to remove all ACLs, reverting back to the base unix permissions of owner, group and other:

[root@server ~]# setfacl --remove-all /data1/foo.txt

Thursday, April 24, 2014

Flush Your Local DNS Cache

 

Windows Vista/Windows 7:
ipconfig /flushdns
Successfully flushed the DNS Resolver Cache.

Windows XP
ipconfig /flushdns
Successfully flushed the DNS Resolver Cache.

Mac OS X 10.5.2 and above
dscacheutil -flushcache

Mac OS X 10.5.1 and below
Click on the Finder icon in your dock. Open your Applications folder.
Inside the Applications folder, click on Utilities and then Terminal.
Type the following command in the Terminal window and press Enter:
lookupd -flushcache

Linux

nscd -i hosts
– Clear local DNS cache for current user.
nscd -I hosts
– Clear local DNS cache for all users.

Wednesday, April 23, 2014

Creating a custom Nagios function

Nagios Exit Codes
Exit Code Status
0 OK
1 WARNING
2 CRITICAL
3 UNKNOWN
Create the Script to be added as the Plugin

#!/bin/bash
used_space=`df -h / | grep -v Filesy | awk '{print $5}' | sed 's/%//g'`
case $used_space in
[1-84]*)
echo "OK - $used_space% of disk space used."
exit 0
;;
[85]*)
echo "WARNING - $used_space% of disk space used."
exit 1
;;
[86-100]*)
echo "CRITICAL - $used_space% of disk space used."
exit 2
;;
*)
echo "UNKNOWN - $used_space% of disk space used."
exit 3
;;
esac

try to put the script in same plugin directory with the other ones
/usr/lib/nagios/plugins/

make it executable
Add Your New Command to Nagios Checks on Nagios Monitoring Server

Define new command in /etc/nagios/objects/commands.cfg
define command{
command_name usedspace_bash
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c usedspace_bash
}
Add Your Script to NRPE configuration on client host
command[usedspace_bash]=/usr/lib/nagios/plugins/usedspace.sh

 

adding to configuration
/etc/nagios/servers/<name-0f-config>.cfg
define service {
use generic-service
host_name Hostname
service_description Custom Disk Checker In Bash
check_command usedspace_bash
}

 

 

Tuesday, April 22, 2014

Adding ESXI to Nagios

yum install perl-Pod-Perldoc perl-CPAN openssl-devel
# wget http://dl.fedoraproject.org/pub/epel/6/i386/perl-Nagios-Plugin-0.35-1.el6.noarch.rpm
# wget http://mirror.centos.org/centos/6/os/i386/Packages/perl-Config-Tiny-2.12-7.1.el6.noarch.rpm
# wget http://mirror.centos.org/centos/6/os/i386/Packages/perl-Params-Validate-0.92-3.el6.i686.rpm
# rpm -ivh perl-Nagios-Plugin-0.35-1.el6.noarch.rpm perl-Config-Tiny-2.12-7.1.el6.noarch.rpm perl-Params-Validate-0.92-3.el6.i686.rpm
# cd /root
# tar xvzf VMware-vSphere-Perl-SDK-4.1.0-254719.i386.tar.gz
# cd vmware-vsphere-cli-distrib/
# ./vmware-install.pl

# cd /usr/lib/nagios/plugins/
Download check_esx3.pl and make it executable
http://exchange.nagios.org/components/com_mtree/attachment.php?link_id=2154&cf_id=29
chmod +x check_esx3.pl


vim /usr/local/nagios/etc/objects/vmware.cfg
First define all your hosts as shown below

# Host esx01
define host{
use vmware-server
host_name esxi01
alias VMWare ESXi 01
address IP Address
}
define host{
use vmware-server
host_name esxi02
alias VMWare ESXi 02
address IP Address
}
# Similarly you can define all the hosts

# Now define a hostgroup for your Esxi Hosts:

define hostgroup{
hostgroup_name Esxi-Servers ; The name of the hostgroup

alias Vmware Servers ; Long name of the group

members esxi01,esxi02
}

# Now create the service definition as shown below
# check cpu
define service{
use generic-service
host_name esxi01
service_description ESXi CPU Load
check_command check_esx_cpu!80!90
}

# check memory usage
define service{
use generic-service
host_name esxi01
service_description ESXi Memory usage
check_command check_esx_mem!80!90
}

# check net
define service{
use generic-service
host_name esxi01
service_description ESXi Network usage
check_command check_esx_net!102400!204800
}

# check runtime status
define service{
use generic-service
host_name esxi01
service_description ESXi Runtime status
check_command check_esx_runtime
}

# check io read
define service{
use generic-service
host_name esxi01
service_description ESXi IO read
check_command check_esx_ioread!40!90
}

# check io write
define service{
use generic-service
host_name esxi01
service_description ESXi IO write
check_command check_esx_iowrite!40!90
}

Define the commands related to ESXi in the /usr/local/nagios/etc/objects/command.cfg file

vim /usr/local/nagios/etc/objects/commands.cfg
# check vmware esxi machine
# check cpu
define command{
command_name check_esx_cpu
command_line $USER1$/check_esx -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l cpu -s usage -w $ARG1$ -c $ARG2$
}

# check memory usage
define command{
command_name check_esx_mem
command_line $USER1$/check_esx -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l mem -s usage -w $ARG1$ -c $ARG2$
}

# check net usage
define command{
command_name check_esx_net
command_line $USER1$/check_esx -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l net -s usage -w $ARG1$ -c $ARG2$
}

# check runtime status
define command{
command_name check_esx_runtime
command_line $USER1$/check_esx -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l runtime -s status
}

# check io read
define command{
command_name check_esx_ioread
command_line $USER1$/check_esx -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l io -s read -w $ARG1$ -c $ARG2$
}

# check io write
define command{
command_name check_esx_iowrite
command_line $USER1$/check_esx -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l io -s write -w $ARG1$ -c $ARG2$
}

Adding configuration to nagios

vim /usr/local/nagios/etc/nagios.cfg
cfg_file=/usr/local/nagios/etc/objects/vmware.cfg