Linux, Postfix, Tips & Tricks, Web Hosting

Email alert for SSH logins

November 22, 2022 ServerAdmin Leave a comment

It is good idea to get notified when someone logs into your Linux server.

First be sure that your server is able to send email (at least Postfix + valid ptr)

Open /etc/profile and at the bottom add the following:

if [ -n "$SSH_CLIENT" ]; then
TEXT="$(date): ssh login to ${USER}@$(hostname -f)"
TEXT="$TEXT from $(echo $SSH_CLIENT|awk '{print $1}')"
echo $TEXT|mail -s "ssh login $(hostname -f)" EMAIL@DOMAIN.TLD
fi

Replace EMAIL@DOMAIN.TLD with your email

Save file and logout/login again. Check your inbox

Red Hat/CentOS, Tips & Tricks

Simple pushtogit script

June 24, 2022 ServerAdmin Leave a comment

Create new file and add the next lines inside (for example pushtogit.sh)

 
#!/bin/bash
echo " ====================== running command from" $PWD
cd $PWD
git add .
echo -n " ====================== commit message: "
read message
git commit -m "$message"
git push -u origin master
echo " ====================== done..."

Save the changes and add the alias inside .bashrc

alias pushtogit="/home/USER/PATH/pushtogit.sh"

Red Hat/CentOS, Server project

SUDO CVE-2021-3156 and how to upgrade CentOS 6

January 30, 2021 ServerAdmin 1 Comment

Sudo is a powerful utility built in almost all Linux distributions and we have a bad news for you – a recent privilege escalation vulnerability (CVE-2021-3156) has been discovered.

The vulnerability affects all the following sudo versions:

All legacy versions from 1.8.2 to 1.8.31p2
All stable versions from 1.9.0 to 1.9.5p1

A successful exploitation allows any unprivileged user to escalate its privileges to root on the vulnerable host. Of course, since it’s a privilege escalation vulnerability, it requires access to a local user on the vulnerable host in order to actually exploit it.

To test your host for this vulnerability just execute the next command

sudoedit -s /

In case you receive the next response

usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...

your host is safe but in case you receive the something like

sudoedit: /: not a regular file

please upgrade

For CentOS 7 and CentOS 8 this is not a problem (yum -y update sudo) but if you’re using CentOS 6 then there are no way to upgrade from the official mirrors (since CentOS 6 is EOL)

You can download the rpm files from HERE (https://www.sudo.ws/download.html#binary)

Or directly
https://github.com/sudo-project/sudo/releases/download/SUDO_1_9_5p2/sudo-1.9.5-3.el6.x86_64.rpm
https://github.com/sudo-project/sudo/releases/download/SUDO_1_9_5p2/sudo-logsrvd-1.9.5-3.el6.x86_64.rpm

Then install the rpms with

rpm -U sudo-1.9.5-3.el6.x86_64.rpm
rpm -U sudo-logsrvd-1.9.5-3.el6.x86_64.rpm

Linux, Networks, Red Hat/CentOS, Server project

Time and date on CentOS 7 Howto

July 29, 2019 ServerAdmin Leave a comment

NTP stands for Network Transport Protocol and it is used to keep the time on the servers synced with each other using a common reliable source to get the time.

The example below is for a basic NTP client/server setup.

NTP client

Install NTP with

yum install ntp

Then check timezone with

timedatectl

If you’re not satisfied with your timezone and you wish to change, first list available zones with

timedatectl list-timezones

and set your time zone with command below: (e.g. Berlin)

timedatectl set-timezone Europe/Berlin

Active the NTPD service at boot:

systemctl enable ntpd
systemctl start ntpd

To get a basic report you can use commands ntpstat or date

And to get some information about the time synchronization process

ntpq -p

All of your NTP configurations is available in /etc/ntp.conf file.

To be able to use your server as a NTP server for local network, please be sure you have a line

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

where 192.168.1.0/24 is a local network you want to sync with your NTP server.

You can get the public NTP servers specific to your region from pool.ntp.org.

PHP

Laravel whoops output – How to hide. env passwords

January 26, 2019 ServerAdmin 3 Comments

As of Laravel 5.5.13, there’s a new feature that allows you to blacklist certain variables in config/app.php under the key debug_blacklist.

When an exception is thrown, whoops will mask these values with asterisks * for each character.

To activate this feature, add the next lines inside config/app.php

...
    'debug_blacklist' => [
        '_ENV' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
        ],
        '_SERVER' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
        ],
        '_POST' => [
            'password',
        ],
    ],
...

Save the file and clear the config cache with

php artisan config:clear

After this, all keys added inside debug_blacklist array will be replaced with asterisks (************)

Hardware

Intel CPUs affected by Spectre & Meltdown

December 1, 2018 ServerAdmin Leave a comment

Intel® Core™ i3 processor (45nm and 32nm)
Intel® Core™ i5 processor (45nm and 32nm)
Intel® Core™ i7 processor (45nm and 32nm)
Intel® Core™ M processor family (45nm and 32nm)
2nd generation Intel® Core™ processors
3rd generation Intel® Core™ processors
4th generation Intel® Core™ processors
5th generation Intel® Core™ processors
6th generation Intel® Core™ processors
7th generation Intel® Core™ processors
8th generation Intel® Core™ processors
Intel® Core™ X-series Processor Family for Intel® X99 platforms
Intel® Core™ X-series Processor Family for Intel® X299 platforms
Intel® Xeon® processor 3400 series
Intel® Xeon® processor 3600 series
Intel® Xeon® processor 5500 series
Intel® Xeon® processor 5600 series
Intel® Xeon® processor 6500 series
Intel® Xeon® processor 7500 series
Intel® Xeon® Processor E3 Family
Intel® Xeon® Processor E3 v2 Family
Intel® Xeon® Processor E3 v3 Family
Intel® Xeon® Processor E3 v4 Family
Intel® Xeon® Processor E3 v5 Family
Intel® Xeon® Processor E3 v6 Family
Intel® Xeon® Processor E5 Family
Intel® Xeon® Processor E5 v2 Family
Intel® Xeon® Processor E5 v3 Family
Intel® Xeon® Processor E5 v4 Family
Intel® Xeon® Processor E7 Family
Intel® Xeon® Processor E7 v2 Family
Intel® Xeon® Processor E7 v3 Family
Intel® Xeon® Processor E7 v4 Family
Intel® Xeon® Processor Scalable Family
Intel® Xeon Phi™ Processor 3200, 5200, 7200 Series
Intel® Atom™ Processor C Series
Intel® Atom™ Processor E Series
Intel® Atom™ Processor A Series
Intel® Atom™ Processor x3 Series
Intel® Atom™ Processor Z Series
Intel® Celeron® Processor J Series
Intel® Celeron® Processor N Series
Intel® Pentium® Processor J Series
Intel® Pentium® Processor N Series

Source: https://www.tweaktown.com

Mint Linux

Skype for Linux 8.13 not working

January 12, 2018 ServerAdmin 3 Comments

The latest Skype for Linux update (8.13.) seems broken on Ubuntu 14.04/Mint Linux 17.x. The application loads but all I can see is the white window with the menu.

During load, I see the application screen for a second before the center of the application window turns white again. Reinstall process didn’t help

Since official fix doesn’t exist (for now), the only solution is to remove the latest version and install the older one

sudo apt-get remove skypeforlinux
sudo apt-get install skypeforlinux=8.11.0.4

optionally you can “lock” Skype so it won’t ask for update (at least until they fix this problem)

sudo apt-mark hold skypeforlinux

Hardware, Linux

Librem 5 – A Security and Privacy Focused Phone

September 30, 2017 ServerAdmin Leave a comment

The idea to build and use the phone OS which doesn’t rely on Apple or Google is quite old. Since the Ubuntu Edge project, there have been several attempts, but nothing which can even scratch those two giants.

The new attempt is here – The Purism project, which is seeking funds right now (link here). The idea is to build a true Linux powered smartphone that focuses on security by design and privacy protection by default.

The device will ship with GNOME Shell UI or KDE Plasma Mobile UI by default. Also, through various partnerships and development efforts in the community, the users will be able to replace it with other UIs!

Once again, here is the LINK. Pledges starts from $20 so you can support it if you like.

Tips & Tricks

There is no suitable CSPRNG installed on your system

March 3, 2017 ServerAdmin Leave a comment

Some PHP packages may stop working after update with error message: “There is no suitable CSPRNG installed on your system”.

The reason for this that they stopped using OpenSSL and now they need access to /dev/urandom which isn’t readable by your PHP configuration.

To fix this problem, all you need to do is to add /dev/urandom to your open_base configuration which limits the files that can be accessed by PHP to the specified directory-tree (or trees).

In case you’re using php-fpm, add the “/dev/urandom” in existing php_admin_value[open_basedir] definition (or add this line if it doesn’t exist)

For example:

php_admin_value[open_basedir] = /var/www/html/domain.tld:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom

or if you’re using mod_fcgi, inside .php-fcgi-starter script add parameter

-d open_basedir="/var/www/html/domain.tld:....:/dev/urandom"

Tips & Tricks

CentOS 6.x boot GRUB on software RAID /dev/md0

February 28, 2017 ServerAdmin Leave a comment

If you’ve just installed CentOS 6.x on software RAID and it won’t boot from /dev/md0, don’t worry. It can be fixed.

– Insert CentOS media/DVD and boot in rescue mode (select “Rescue mode” during boot)
– Select the “start shell” option
– chroot with

chroot /mnt/sysimage

– install GRUB into /dev/md0 with

grub-install /dev/md0

– enter exit and than reboot

The other option is to enter into rescue mode and inside grub shell type the next commands:

grub> device (hd0) /dev/sda
grub> device (hd1) /dev/sdb
grub> root (hd0,0)
grub> setup (hd0)
grub> root (hd1,0)
grub> setup (hd1)
grub> quit

ServerAdminBlog