
Showing posts from 2009

SED-Replace multiple lines with a single line

A useful feature of the sed command is replacing multiple lines with a single line when a given string matches.

$ cat -n file.txt
1 Hello world
2 Hello nobody
3 nobody
4 Somebody
5 anybody

If you want to replace lines 2 and 3 with the single line "Hello everybody", the command below will help. When a line ending in "nobody" matches, N appends the next line to the pattern space and the substitution then replaces the two joined lines with one. sed does not modify the file itself, so the result is shown by piping its output through cat -n (use sed -i to edit the file in place).

$ sed '/nobody$/{N;s/Hello nobody\nnobody/Hello everybody/}' file.txt | cat -n
1 Hello world
2 Hello everybody
3 Somebody
4 anybody

SMTP authentication through TELNET

It's common to use TELNET to port 25 of a mail server to check connectivity and to make sure mail flows. It's also possible to perform SMTP authentication within the TELNET session.

$ telnet yourmailserver 25

Type "HELO", hit Enter, then type:

AUTH LOGIN

Now you have to enter your email ID and then your password, each encoded in Base64, when the server prompts for them. For converting your email ID and password to Base64 use the conversion tools at WebPan or Ostermiller. Keep in mind that Base64 is an encoding, not encryption: AUTH LOGIN on a plain port 25 session sends the credentials in what is effectively clear text, so use it only for testing and prefer a STARTTLS session otherwise.

Reference: WebPan.com, KongTechnology

echo colourfully

The first loop prints "Psycho Tux" in bold with foreground colour 3$i (ESC[30m to ESC[39m); the second loop does the same on a white background (47).

# for i in `cat num.txt`; do echo -en '\E[3'$i'm'"\033[1mPsycho Tux\033[0m " ; done;
# for i in `cat num.txt`; do echo -en '\E[47;3'$i'm'"\033[1mPsycho Tux\033[0m " ; done;
# cat num.txt
1 2 3 4 5 6 7 8 9 0

Block direct SSH to root, but not to root equivalent

The PermitRootLogin no option in /etc/ssh/sshd_config blocks every user with UID 0, not only the account named root. Below is an option to overcome this.

# vi /etc/ssh/sshd_config
###PermitRootLogin no
AllowUsers newuser guest psychotux hari
DenyUsers root
# /etc/init.d/sshd restart

The users listed with AllowUsers can be normal users or root equivalents (UID 0 accounts). Note that AllowUsers is an allow-list: once it is present, any account not named in it is refused, so DenyUsers root is redundant but harmless, and every account that must log in over SSH has to appear in the list.

Hardware clock failure in ISA system

In ISA systems /sbin/hwclock fails to read the hardware clock and throws an error similar to the one below.

# hwclock
select() to /dev/rtc to wait for clock tick timed out
# hwclock --show
select() to /dev/rtc to wait for clock tick timed out

But the --directisa option of hwclock works here.

# /sbin/hwclock --directisa

So as a permanent solution we can rename the existing binary /sbin/hwclock and create a wrapper in its place as below.

1. Find the version of hwclock
# hwclock --version

2. Rename the binary by suffixing the version number
# cd /sbin
# mv hwclock hwclock-x.y

3. Create a wrapper named hwclock for hwclock-x.y (the heredoc delimiter is quoted so that "$@" reaches the file unexpanded, and "$@" is quoted so arguments containing spaces are passed through intact)
# cat > hwclock << 'HERE'
#!/bin/bash
exec /sbin/hwclock-x.y --directisa "$@"
HERE

4. Give it execute permission and reboot the server
# chmod +x hwclock

5. Check the hardware clock, system time, NTP, etc. To synchronize the system time with the hardware clock use
# hwclock --hctosys
and an optional reboot
# reboot

Basic Linux Configuration backup

#!/bin/bash
# Title: Linux Primary Configuration Backup
# Version: 1.5
# Last update: 06-08-2012
# Author: Hareesh V V
# E Mail: tux.psycho@gmail.com
# Web: http://www.psychotux.com
DATE=`date +%d%m%y`
BKP=~/`hostname`.BACKUPS_$DATE
/bin/mkdir -p $BKP
# The archive below contains /etc/shadow and the firewall rules, so keep
# the backup directory readable by root only
chmod 700 $BKP
tar -cjf $BKP/etc_$DATE.tar.bz2 /etc
/sbin/ifconfig > $BKP/ifconfig
/sbin/route -n > $BKP/route
/sbin/runlevel > $BKP/runlevel
/sbin/chkconfig --list | grep 3:on > $BKP/chkconfig_init_3
/sbin/chkconfig --list | grep 5:on > $BKP/chkconfig_init_5
/bin/hostname > $BKP/hostname
lsmod > $BKP/lsmod
cat /etc/hosts > $BKP/etc_hosts
cat /etc/resolv.conf > $BKP/etc_resolv
cat /etc/grub.conf > $BKP/grub_conf
#crontab -l > $BKP/crontab
/sbin/iptables -L > $BKP/iptables_filter
/sbin/iptables -t nat -L > $BKP/iptables_nat
/sbin/iptables-save > $BKP/iptables
cat /etc/sysconfig/iptables-config > $BKP/iptables-config
/bin/netstat -ntpl > $BKP/netstat
mount > $BKP/mount
f

Script to find normal users above UID 500

Script to find normal users above UID 500 and search their shell history for shutdown-related commands. This works in Linux; other NIXes may require modification. The UID and shell are checked field by field with awk, since a pattern like ":5*:*:" does not actually match "UID 500 and above".

#!/bin/bash
# Normal users (UID >= 500) whose login shell is bash
USERS=$(awk -F: '$3 >= 500 && $7 == "/bin/bash" {print $1}' /etc/passwd)
for i in $USERS
do
    # Home directory of exactly this user (not a prefix match)
    HOMEDIR=$(awk -F: -v u="$i" '$1 == u {print $6}' /etc/passwd)
    [ -r "$HOMEDIR/.bash_history" ] || continue
    echo "== $i =="
    grep -Ei "reboot|init|shutdown|halt|poweroff" "$HOMEDIR/.bash_history"
done

Ever alive SSH session

If you are facing session timeout issues whenever you leave an open session idle for some time, you can make use of the TCP keepalive option in PuTTY.

1. Open PuTTY.
2. Go to Connection -> Seconds between keepalives (0 to turn off). Give a keepalive value here in seconds, preferably 120 or above.

Advanced

1. If you are using PortaPutty you can set it in the config file .\putty\sessions\Default%20Settings: set TCPKeepalives=120.
2. From inside Linux or any other UNIX we can use /etc/ssh/ssh_config: set the variable ServerAliveInterval 60.
3. We can use the screen command as well: ssh host -t screen -xRe^oo
4. screen can coexist with PuTTY too. Go to Connection -> SSH -> Remote command, then specify screen -xRe^oo

Further reading: HowtoGeek, Metafilter

VSFTPD-chrooted user with limited directory access

Create a user with home directory /foo. Alternatively, create a normal user and then edit /etc/passwd to change the home directory (the equivalent of useradd hari -d /foo). Here we chose the latter option since /foo is a sensitive directory and we don't want to take the risk of useradd dropping .bash* files into it.

# useradd hari
# grep hari /etc/passwd
hari:x:796:796::/home/hari:/bin/bash

Now change the home directory to /foo

# vi /etc/passwd
# grep hari /etc/passwd
hari:x:796:796::/foo:/sbin/nologin

Note that we have changed the home directory from /home/hari to /foo and the shell from /bin/bash to /sbin/nologin. If FTP logins fail after this change, make sure /sbin/nologin is listed in /etc/shells, since vsftpd's PAM configuration usually checks the login shell against that file.

Add the two lines below to /etc/vsftpd/vsftpd.conf to enable the chroot functionality.

# vi /etc/vsftpd/vsftpd.conf
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

Now add the user hari to the chroot list file.

# echo hari >> /etc/vsftpd.chroot_list

Now verify the permissions of /foo, /foo/tux and /foo/beastie

[root@psycho ~]# ls -ld /foo/
drwxrwx--- 17 root ft

Restricting su Access to System and Shared Accounts

This chapter shows how to restrict people from su-ing to system and shared accounts even if they know the passwords.

Example for restricting su access to root

Create a new group for each set of users that are allowed to su to root:

# groupadd rootmembers

Add all users who are allowed to su to the root account to the new member group created above. The following requirement will be configured:

- Only the user named hari should be able to su to root

# usermod -G rootmembers hari

(Note that usermod -G replaces the user's existing supplementary groups; use usermod -a -G to append instead.)

Next add the three new authentication lines to the /etc/pam.d/su file so that it reads as shown below. The service=su-root-members argument refers to a separate PAM service file, /etc/pam.d/su-root-members, which has to exist and is where the rootmembers group check is made; the pam_deny line then refuses everybody that file does not let through.

auth sufficient /lib/security/$ISA/pam_rootok.so
auth required /lib/security/$ISA/pam_stack.so service=system-auth
auth sufficient /lib/security/$ISA/pam_stack.so service=su-root-members
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
session required /lib/security/$ISA/pam

Lock user account on frequent login failures

Add the following two lines (the pam_tally.so auth line and the pam_tally.so account line) to the /etc/pam.d/system-auth file as shown below:

auth required pam_env.so
auth required pam_tally.so onerr=fail per_user deny=3 reset
auth required pam_access.so
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account required pam_tally.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

The first added line counts failed login and failed su attempts for each user; with deny=3 the account is refused after three consecutive failures, and reset clears the counter on a successful login. The attempts are recorded by default in /var/log/faillog. Since the counter persists until it is reset, keep a way to unlock accounts: the faillog utility can display and reset a user's counter.

Enforce stronger password in Linux

The pam_cracklib module checks the password against dictionary words and other constraints. Its credit parameters are counter-intuitive: e.g. if you define the password length with minlen=10 and set dcredit=1, then using a single digit in your password earns one credit, and pam_cracklib accepts a password of length minlen-credit, i.e. 9. If you don't use a digit, the minimum length of the password is minlen. With positive credits there is no way to tell the module that a password _must_ include a digit. A negative credit value turns the credit into a requirement: dcredit=-1 means at least one digit is mandatory. The following example shows how to enforce these password rules:

pam_cracklib.so minlen=8 : minimum length of the password is 8
pam_cracklib.so lcredit=-1 : minimum number of lower case letters is 1
pam_cracklib.so ucredit=-1 : minimum number of upper case letters is 1
pam_cracklib.so dcredit=-1 : minimum number of digits is 1
pam_cracklib.so ocredit=-1 : minimum number of other characters is 1

To set up these password restrictions, edit the /etc/pam.d/system-auth file and add/change the follo