The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,512 other followers

Archive for the ‘*nix’ Category

« Previous Entries

{Updated} Linux server security checklist. #sysadmin 

Posted by jpluimers on 2019/03/11

Most tips are OK, but:

  1. for password related policies, please read these:
  2. If you do DNS, implement DNSSEC
  3. I think ipv6 is OK, but like ipv4 needs to be firewalled
  4. Be really careful with fail2ban and similar tools: they are easy ways to lock yourself out as well, for instance by someone doing a nice (D)DoS on you.

Tips: [WayBack40 Linux Server Hardening Security Tips [2017 edition] – nixCraft

Via:

–jeroen

Posted in *nix, *nix-tools, Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

sudo command doesn’t source /root/.bashrc – Unix & Linux Stack Exchange

Posted by jpluimers on 2019/03/08

TL;DR:

  • sudo -i is not an interactive logon to root
  • sudo -i bash is interactive and *does* execute /root/.bashrc

Source: [WayBack] sudo command doesn’t source /root/.bashrc – Unix & Linux Stack Exchange

–jeroen

Posted in *nix, *nix-tools, bash, Power User | Leave a Comment »

sed in a bash script: backslash escape anything that looks suspicious

Posted by jpluimers on 2019/02/26

Did I ever tell I dislike regular expressions and old-skool shells?

They’re not good for anything but basic commands, so if you try any scripts in them, you’re basically lost.

If you disagree, please read [WayBack] Don’t write Shell scripts. I would recommend Python, but I tried “pip search mysql”…. – Kristian Köhntopp – Google+) and [WayBack] How did this shit ever work? by the same author.

On the other hand: on many system, the baseline isn’t much more than a shell and a very limited tool set.

With nx like systems that usually comes down to sed and a shell like bash.

Since I wanted to modify an openssh hardening script to cover more permutations that was using sed in a bash script, I had not much choice but to bite the bullet.

TL;DR:

When you use any of the below characters, prepend them with a backslash as they have a bash meaning in addition to a sed meaning.

  • ? becomes \?
  • ( becomes \(
  • ) becomes \)
  • | becomes \|

The script

Hopefully by now it’s [Archive.is] been merged into https://github.com/comotion/gone/blob/github/modules/ssh. If not, it’s at https://github.com/jpluimers/gone/blob/jpluimers-ssh-hardening-patch/modules/ssh.

The diff: [Archive.is] https://github.com/jpluimers/gone/commit/329bf12a320704080e68eee90f4c099e92d8388d?diff=unified

The relevant portion (which also uses backslashes as line continuation and wrap a command over multiple lines [WayBack]):

sed -i \
-e 's/#\?MaxAuthTries *[0-9]*.*/MaxAuthTries 2/' \
-e 's/#\?PermitRootLogin *\(yes\|no\).*/PermitRootLogin no/' \
-e 's/#\?UsePrivilegeSeparation *\(yes\|no\|sandbox\).*/UsePrivilegeSeparation sandbox/' \
-e 's/#\?StrictModes *\(yes\|no\).*/StrictModes yes/' \
-e 's/#\?IgnoreRhosts *\(yes\|no\).*/IgnoreRhosts yes/' \
-e 's/#\?PermitEmptyPasswords *\(yes\|no\).*/PermitEmptyPasswords no/' \
-e 's/#\?ChallengeResponseAuthentication *\(yes\|no\).*/ChallengeResponseAuthentication yes/' \
-e 's/#\?KerberosAuthentication *\(yes\|no\).*/KerberosAuthentication no/' \
-e 's/#\?GSSAPIAuthentication *\(yes\|no\).*/GSSAPIAuthentication no/' \
-e 's/#\?GatewayPorts *\(yes\|no\).*/GatewayPorts no/' \
-e 's/#\?X11Forwarding *\(yes\|no\).*/X11Forwarding no/' \
-e 's/#\?PrintMotd *\(yes\|no\).*/PrintMotd no/' \
-e 's/#\?PrintLastLog *\(yes\|no\).*/PrintLastLog yes/' \
-e 's/#\?TCPKeepAlive *\(yes\|no\).*/TCPKeepAlive no/' \
-e 's/#\?PermitUserEnvironment *\(yes\|no\).*/PermitUserEnvironment no/' \
-e 's/^\(HostKey .*ssh_host_dsa_key\)/#\1/' \
sshd_config

–jeroen

 

 

 

Posted in *nix, *nix-tools, bash, bash, Development, Power User, Scripting, sed, sed script, Software Development | Leave a Comment »

Ubiquity UniFi SDN – Server status “UniFi Controller is starting up… Please wait a moment”

Posted by jpluimers on 2019/02/22

When your UniFi Cloud Key web interface shows this [Archive.is] after upgrading:

 

UniFi Controller is starting up…

Please wait a moment

 

Then you just ran into a bug which seems to occur most with 5.9.29 of the UniFi software: [Archive.is] “UniFi Controller is starting up…” “Please wait a moment” “5.9.29” – Google Search

The easiest way is to restore from a backup: this usually works.

For that you need ssh access, which usually is with the ubnt user. But you could have made life more complicated when you followed these:

Steps from [WayBack] UniFi Controller is starting up… Please Wait A Moment – Ubiquiti Networks Community (thanks [Archive.is] About mrfoxdk – Ubiquiti Networks Community!):

  1. SSH to the Unifi CloudKey
  2. dpkg -P unifi
  3. Open a browser and browse the URL of CloudKey
  4. Login
  5. Press “Install” under UniFi
  6. Wait for the process to complete, and then wait a bit for the service to be brought online.
  7. Recover the configuration backup from the latest backup

Removing and reinstalling the UniFi software, then restore from backup

Step 2 above will purge the unifi software of the cloud key as per dpkg --help:

Read the rest of this entry »

Posted in *nix, Power User, Ubiquiti, WiFi | Leave a Comment »

How to collect HAProxy metrics

Posted by jpluimers on 2019/02/21

For my link archive:

[WayBackHow to collect HAProxy metrics

Once you’ve figured out what to monitor, it’s time to collect HAProxy metrics! Use either HAProxy’s built-in tools or third-party programs to get the info you need.

Note that the heading of the listen configuration for the built-in statistics page now should be like michael-sqlbot explains in [WayBackHAProxy 1.7 Statistics Setup – Server Fault:

listen stats
    bind :9000

He posted more HAProxy insights, for instance [WayBackunderstanding HAProxy Frontend and Backend current session stats – Server Fault.

–jeroen

 

 

 

Posted in *nix, HAProxy, Power User | Leave a Comment »

« Previous Entries
 
%d bloggers like this: