Category Archives: Linux

Heart Bleed Bug – OpenSSL – part 2

I maintain more than 30 servers and several of them were affected by the Heartbleed bug. CentOS released updates for the OpenSSL package(s), so there is no excuse not to update (yum update openssl, … ).

In the meantime, there are hundreds of sysadmins who still haven’t done anything to protect their servers and clients (https://gist.github.com/dberkholz/10169691).

Testing REMOVED.com for example:

boky@bojler ~/Downloads $ ./test.py REMOVED.com
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 58
 ... received message: type = 22, ver = 0302, length = 4837
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
  0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  .@....SC[...r...
  0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
  0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
  0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
  0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
  0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
  0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
  0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
  0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
  0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
  00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 67 3A 20 67  ....#.......g: g
  00e0: 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 52 65  zip, deflate..Re
  00f0: 66 65 72 65 72 3A 20 68 74 74 70 73 3A 2F 2F 77  ferer: https://w
  0100: 77 77 2E 74 6F 73 68 69 62 61 2E 63 6F 6D 2F 74  ww.REMOVED.com/t
  0110: 69 63 2F 70 72 6F 64 75 63 74 2F 76 32 30 30 30  ic/product/v2000
  0120: 2D 73 65 72 69 65 73 2D 73 6D 61 6C 6C 2D 70 6C  -series-small-pl
  0130: 63 73 0D 0A 43 6F 6F 6B 69 65 3A 20 4A 53 45 53  cs..Cookie: JSES
  0140: 53 49 4F 4E 49 44 3D 44 39 37 36 34 38 30 32 30  SIONID=D97648020
  0150: 41 45 36 32 31 46 45 41 31 44 38 45 30 37 33 42  AE621FEA1D8E073B
  0160: 42 38 31 44 44 32 36 2E 74 61 3B 20 63 69 74 72  B81DD26.ta; citr
  0170: 69 78 5F 6E 73 5F 69 64 3D 62 35 53 33 58 6A 6B  ix_ns_id=b5S3Xjk
  0180: 4A 49 59 4B 53 31 6E 42 2F 31 45 73 4B 6C 58 46  JIYKS1nB/1EsKlXF
  0190: 6D 70 71 45 41 30 30 30 0D 0A 43 6F 6E 6E 65 63  mpqEA000..Connec
  01a0: 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65  tion: keep-alive
  01b0: 0D 0A 49 66 2D 4D 6F 64 69 66 69 65 64 2D 53 69  ..If-Modified-Si
  01c0: 6E 63 65 3A 20 54 75 65 2C 20 30 35 20 4E 6F 76  nce: Tue, 05 Nov
  01d0: 20 32 30 31 33 20 31 34 3A 32 30 3A 33 34 20 47   2013 14:20:34 G
  01e0: 4D 54 0D 0A 0D 0A 69 65 1F 0E 88 65 6C 48 9C E1  MT....ie...elH..
  01f0: 7C 8F FD AC 1C 93 A1 A8 7E 9F 00 00 00 00 00 00  |.......~.......
  0200: 0D 0A 49 66 2D 4E 6F 6E 65 2D 4D 61 74 63 68 3A  ..If-None-Match:
  0210: 20 22 31 61 66 38 36 31 2D 37 34 2D 34 64 66 32   "1af861-74-4df2
  0220: 32 34 31 34 38 39 33 30 30 22 0D 0A 0D 0A 4E 1A  241489300"....N.
....
  3fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  3fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  3fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  3ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 
WARNING: server returned more data than it should - server is vulnerable!

For security reasons, the real domain I tested is replaced with “REMOVED”.

Some hosts from the list I posted above are already patched (which is good):

boky@bojler ~/Downloads $ ./test.py zoho.com
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 66
 ... received message: type = 22, ver = 0302, length = 2399
 ... received message: type = 22, ver = 0302, length = 331
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection
No heartbeat response received, server likely not vulnerable

Throwing rocks at OpenSSL developers is not a good idea. Donating money to pay developers is a much better option…
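Updating the openssl package, as the first paragraph says, is only half of the job: a daemon that loaded the old library before the update (httpd, postfix, dovecot, …) keeps using the old code in memory until it is restarted. This added example, which is not part of the original post or of the test tool shown above, scans /proc/<pid>/maps for libssl/libcrypto mappings whose file on disk has been replaced (the kernel marks such mappings "(deleted)") and prints the pid and process name. The function name and the optional argument that replaces /proc are my own; the argument exists so the scan can be pointed at a constructed tree.

```shell
#!/bin/sh
# Added example: list daemons that still run the pre-update OpenSSL.
# After "yum update openssl" the files on disk are new, but any process that
# loaded the old library before the update keeps it mapped until restarted.
# Such mappings appear in /proc/<pid>/maps with a "(deleted)" suffix.
# $1 (optional) replaces /proc so the scan can run against a test tree.

stale_openssl_users() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' "$maps"; then
            pid_dir="${maps%/maps}"
            pid="${pid_dir##*/}"
            comm=$(cat "$pid_dir/comm" 2>/dev/null || echo '?')
            echo "$pid $comm"
        fi
    done
    return 0
}

# Pair the scan with the package check: "rpm -q openssl" shows what is on
# disk, the scan shows who has not picked it up yet.
report_stale_openssl() {
    command -v rpm >/dev/null 2>&1 && rpm -q openssl
    stale=$(stale_openssl_users "$@")
    if [ -n "$stale" ]; then
        echo "restart these to load the updated OpenSSL:"
        echo "$stale"
    else
        echo "no running process maps a replaced libssl/libcrypto"
    fi
}

report_stale_openssl "$@"
```

Run it as root, since other users' maps files are not readable. Services listed by the scan need a restart (or the machine a reboot) before the update actually protects them.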

EoIP tunnel on Linux

Ethernet over IP (EoIP) tunneling is a MikroTik RouterOS protocol (a stateless, lightweight Ethernet point-to-point tunnel protocol with 28 bytes of static overhead) that creates an Ethernet tunnel between two routers on top of an IP connection. The EoIP tunnel may run over an IPIP tunnel, a PPTP tunnel or any other connection capable of transporting IP.

To connect Linux to a MikroTik over an EoIP tunnel, you’ll need THIS.

The install procedure:

# wget http://www.serveradminblog.com/wp-content/uploads/2016/03/linux-eoip-0.5.tar.gz
# tar -xvzf linux-eoip-0.5.tar.gz
# cd linux-eoip-0.5
# ./configure
# make
# make install

Copy eoip.cfg to the /etc directory, change the settings inside according to your needs and save the file. If you use the dynamic=1 option, be aware that there is no authorization, so it is not secure. It is not a good idea to use this feature over a public IP or over an insecure network (one where not every host is completely under your control).

For now, let’s suppose you need only one tunnel, to the remote IP address 1.1.1.1:

[zeoip0]
id=1
dst=1.1.1.1

On the MikroTik, create an EoIP tunnel with the same ID (1) and set your server’s IP address as the remote IP. Run eoip with

# /usr/local/bin/eoip /etc/eoip.cfg

Add an IP address to your eoip interface

# /sbin/ifconfig zeoip0 10.254.254.2 netmask 255.255.255.252 up

And optionally add routes (if you have any)

# route add -net 10.2.0.0/16 gw 10.254.254.1

Add the last few lines to rc.local to bring the tunnel up after a reboot. The eoip interface can be treated just like any other interface.
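The configuration and the three bring-up commands above, collected into one script. This is an added example, not code from the post or from the linux-eoip project: it writes the one-tunnel eoip.cfg, then runs eoip, ifconfig and route exactly as above. The RFC 1918 check is my addition, following the warning that dynamic=1 has no authorization: the script refuses that option for a peer that is not on a private network. The interface name, tunnel id, 1.1.1.1 and the 10.254.254.0/30 addressing come from the post; the function names and the placement of "dynamic=1" inside the section are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): generate /etc/eoip.cfg for one tunnel
# and bring the interface up with the post's commands. The private-range
# check refuses dynamic=1 towards a public peer, because EoIP in this mode
# has no authentication at all.

# Exit 0 for a dotted-quad address in 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
    esac
    return 1
}

# Print one [section] of eoip.cfg: $1 interface, $2 tunnel id (must match
# the MikroTik side), $3 peer IP, $4 dynamic flag (0 or 1, default 0).
# Placement of "dynamic=1" inside the section is assumed.
render_eoip_cfg() {
    iface="$1"; id="$2"; dst="$3"; dynamic="${4:-0}"
    if [ "$dynamic" = "1" ] && ! is_private_ipv4 "$dst"; then
        echo "refusing dynamic=1 for public peer $dst: EoIP has no authentication" >&2
        return 1
    fi
    printf '[%s]\nid=%s\ndst=%s\n' "$iface" "$id" "$dst"
    [ "$dynamic" = "1" ] && printf 'dynamic=1\n'
    return 0
}

# The post's manual steps, in order. Run as root.
# $1 interface, $2 local address, $3 netmask, $4 remote network (optional), $5 gateway.
bring_up_tunnel() {
    iface="$1"; addr="$2"; mask="$3"; net="$4"; gw="$5"
    /usr/local/bin/eoip /etc/eoip.cfg
    /sbin/ifconfig "$iface" "$addr" netmask "$mask" up
    [ -n "$net" ] && route add -net "$net" gw "$gw"
    return 0
}

# Apply only when asked, so the file can also be sourced to reuse the functions.
if [ "${1:-}" = "--apply" ]; then
    render_eoip_cfg zeoip0 1 1.1.1.1 0 > /etc/eoip.cfg || exit 1
    bring_up_tunnel zeoip0 10.254.254.2 255.255.255.252 10.2.0.0/16 10.254.254.1
fi
```

Run it as `sh eoip-up.sh --apply` from rc.local; without the flag it only defines the functions.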

# ifconfig
zeoip0    Link encap:Ethernet  HWaddr 5B:25:C9:44:6A:79  
          inet addr:10.254.254.2  Bcast:10.254.254.3  Mask:255.255.255.252
          inet6 addr: fe80::5425:d9ff:fe80:6b79/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:167397 errors:0 dropped:0 overruns:0 frame:0
          TX packets:138861 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:14934574 (14.2 MiB)  TX bytes:12520192 (11.9 MiB)
# ps ax|grep dhcp
5180 ?        Ss     0:02 /usr/sbin/dhcpd eth1 zeoip0
27356 pts/1    S+     0:00 grep dhcp

As you can see, you can run a DHCP server on the eoip interface. Just open /etc/sysconfig/dhcpd and add DHCPDARGS="eth1 zeoip0" inside. Save the file and restart the DHCP server.

Logrotate settings

As you probably know, the default logrotate period on RH-based distros is 7 days. From my point of view, this number is too big for production servers (files can become extremely large, so grepping through them can be very slow).

To change this behavior, open /etc/logrotate.conf and replace the weekly line with daily. Also, increase the number of files you would like to keep from 4 to something larger (for example 40 or 50, which means 40 or 50 days).

It should look something like this:

# see "man logrotate" for details
# rotate log files daily
#weekly
daily

# keep 70 days worth of backlogs
rotate 70
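The edit above as a repeatable script, added here and not part of the post: it comments out the top-level weekly line, puts daily in its place and sets the global rotate count, while leaving the per-log stanzas inside braces (wtmp, btmp) untouched. Running it twice gives the same result. The function names are my own; try it on a copy of the file first.

```shell
#!/bin/sh
# Added example (not from the post): switch /etc/logrotate.conf from weekly
# to daily and set the global "rotate N", idempotently, without touching the
# stanzas inside { } which carry their own interval and count.

# $1 config file, $2 number of rotations to keep (days once daily is set).
set_logrotate_daily() {
    conf="$1"; keep="${2:-40}"
    tmp="$conf.tmp.$$"
    awk -v keep="$keep" '
        index($0, "{") { depth++ }
        index($0, "}") { depth-- }
        # top-level "weekly": keep it as a comment, put "daily" in its place
        depth == 0 && NF == 1 && $1 == "weekly" { print "#weekly"; print "daily"; have_daily = 1; next }
        # a top-level "daily" already present (re-run): keep exactly one
        depth == 0 && NF == 1 && $1 == "daily"  { if (have_daily) next; have_daily = 1 }
        # top-level "rotate N": replace N
        depth == 0 && $1 == "rotate" { print "rotate " keep; next }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Report the effective global policy as "<interval> <count>", e.g. "daily 40".
show_global_policy() {
    awk '
        index($0, "{") { depth++ }
        index($0, "}") { depth-- }
        depth == 0 && NF == 1 && $1 ~ /^(daily|weekly|monthly|yearly)$/ { interval = $1 }
        depth == 0 && $1 == "rotate" { keep = $2 }
        END { print interval, keep }
    ' "$1"
}

# Typical use as root:
#   cp /etc/logrotate.conf /root/logrotate.conf.orig
#   set_logrotate_daily /etc/logrotate.conf 40
#   show_global_policy /etc/logrotate.conf      # prints: daily 40
#   logrotate -d /etc/logrotate.conf            # dry run, shows what would rotate
```

The `logrotate -d` dry run at the end is the check worth keeping: it shows which files the new policy would rotate tonight without actually rotating anything.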

Extra Packages for Enterprise Linux – EPEL HowTo

EPEL (Extra Packages for Enterprise Linux) is a volunteer-based community effort from the Fedora project to create a repository of high-quality add-on packages that complement the Fedora-based Red Hat Enterprise Linux (RHEL) and its compatible spinoffs, such as CentOS and Scientific Linux.

Adding the EPEL repo is very easy:

wget http://ftp.heanet.ie/pub/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm

For a reason unknown to me, CentOS 6.x ships without the php-mcrypt package and it is impossible to install this rpm from the base repos. Some apps will complain about this, and one solution is to install the rpm from the EPEL repo… After you have added the EPEL repo, type:

yum install php-mcrypt

UnixStickers project

I usually don’t like stickers on notebooks, especially the large ones which after some time become dirty and ugly. Also, it isn’t very nice to open your laptop at a presentation in front of 200 attendees while the laptop looks like a teenage room with posters on the wall.

That is the main reason why I always keep my laptop nice and clean.

But I changed my mind a few days ago when I heard about the unixstickers.com project. The main idea behind this project is to test Linux users’ interest in customizing their PC and notebook cases with a sticker of their favorite distribution.

The stickers are small and nice, so I didn’t wait too long before I decided to place an order. Two days ago I received them.

Sorry for the bad image quality (the image was taken with my phone because the Canon camera is not at home 🙁 ). You can see that the stickers are very nice and small, so they fit perfectly. Another good idea behind this project is that every time someone buys a Linux Mint sticker, they donate 0.10€ to the Mint Linux project.

A very, very nice idea.

I forgot to say that the price is very nice – only 0.45€ per sticker. The link is HERE

scp, ssh and rsync without prompting for password – howto

Using scp, rsync and ssh requires a password unless you add the public key from the source host to authorized_keys on the destination host.

scp and rsync are used to transfer or back up files between known hosts, or by the same user on both hosts.

Let’s say you want to copy between two hosts, SOURCE and DESTINATION. SOURCE is the host where you would run the scp, ssh or rsync command.

On the SOURCE host, run

# ssh-keygen -t rsa

It will prompt for a passphrase, but do not enter anything; just press Enter. It generates an identification (private key) and a public key. Do not ever share the private key with anyone!
The public key will be written to ~/.ssh/id_rsa.pub.

For example, for root it is /root/.ssh/id_rsa.pub.

Copy the id_rsa.pub file to DESTINATION, inside /root/.ssh/.
On the DESTINATION host, log in as the remote user you plan to use (in this case root) and append the contents of id_rsa.pub to /root/.ssh/authorized_keys:

# cat id_rsa.pub >> /root/.ssh/authorized_keys
# chmod 700 /root/.ssh/authorized_keys

If the authorized_keys file does not exist, the command above will create it. Make sure you remove permission for others to read this file.

On some distros, sshd by default does not allow root to log in. To enable root login, edit /etc/ssh/sshd_config on the DESTINATION host and change the PermitRootLogin option from no to yes. Restart sshd to apply the change, and that is it.

If you want to ssh, scp or rsync from DESTINATION to SOURCE, you will be asked for a password. Reverse the steps above (generate the public key on DESTINATION and copy it to SOURCE) and it will work in both directions.

If one server gets hacked, the other one will be too 🙂
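The steps above as one idempotent script, added here and not taken from the post: ensure_key generates the key pair once (no passphrase, as in the post), add_authorized_key appends a public key to an authorized_keys file only if it is not already there and sets the directory to 700 and the file to 600, and push_key does the append on DESTINATION over one last password login. key_options is my addition and addresses the last sentence: an authorized_keys entry pinned with from= to the SOURCE address and with command= to the one program the key may run (the rsync or backup receiver) lets a compromised SOURCE do only that one thing on DESTINATION instead of getting a shell. Function names, the example address and the command path are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): key-based login between SOURCE and
# DESTINATION as a script. The from=/command= restriction is what limits
# what a stolen SOURCE key can do on DESTINATION.

# Generate ~/.ssh/id_rsa without a passphrase, as in the post, unless it exists.
ensure_key() {
    key="${1:-$HOME/.ssh/id_rsa}"
    [ -f "$key" ] && return 0
    mkdir -p "$(dirname "$key")" && chmod 700 "$(dirname "$key")"
    ssh-keygen -t rsa -N '' -f "$key" -q
}

# Print an authorized_keys options prefix: $1 allowed source address or
# pattern, $2 optional forced command (the only thing the key may run).
key_options() {
    from="$1"; cmd="$2"
    opts="from=\"$from\",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding"
    [ -n "$cmd" ] && opts="$opts,command=\"$cmd\""
    printf '%s' "$opts"
}

# $1 authorized_keys path, $2 public key line ("type base64 comment"),
# $3 optional options prefix from key_options. Idempotent on the key material.
add_authorized_key() {
    akfile="$1"; pubkey="$2"; opts="$3"
    dir=$(dirname "$akfile")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$akfile" && chmod 600 "$akfile"
    keytype=$(printf '%s' "$pubkey" | awk '{print $1}')
    keydata=$(printf '%s' "$pubkey" | awk '{print $2}')
    if grep -F -q -- "$keytype $keydata" "$akfile"; then
        return 0
    fi
    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$pubkey" >> "$akfile"
    else
        printf '%s\n' "$pubkey" >> "$akfile"
    fi
}

# Install the local public key on DESTINATION ($1 is user@host). Asks for the
# password once; after that ssh/scp/rsync from here no longer prompt.
push_key() {
    target="$1"; pub="${2:-$HOME/.ssh/id_rsa.pub}"
    ssh "$target" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < "$pub"
}

# Typical use from SOURCE (assumed host name):
#   ensure_key
#   push_key root@destination.example
# Or, on DESTINATION, with the restriction (assumed address and command path):
#   add_authorized_key /root/.ssh/authorized_keys "$(cat id_rsa.pub)" \
#       "$(key_options 10.254.254.1 /usr/local/bin/backup-receiver)"
```

With the restricted form, a login attempt from any other address is refused, and a successful login runs only the forced command; sshd ignores whatever command the client asked for.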

Switching from Windows to Linux – is it possible ?

A few days ago I had a failure with my computer. The Windows installation on the C partition decided to die. It was impossible to recover it, and the only solution was to back up my emails, desktop and documents, then format.

Luckily I had a dual boot with Mint Linux and it was extremely easy to back up my files… Also, like I said a few days ago, I became a father and the whole day was like the days before… Tea is a very nice baby and she has a very nice schedule (eat, sleep, dump), and yesterday was the same. While I was in “the father loop” I decided to abandon Windows XP.

The reasons:

  • it is an old OS and Win 7 works much better
  • I’m lazy and I don’t have enough time to reinstall it. I will keep the Win XP license sticker just like a note that I had a Win XP on this notebook.

What exactly do I need from my computer:

  • LAMP (done)
  • Winbox (done via Wine)
  • Netbeans, Eclipse (they work better on Linux)
  • MySQL workbench (it works perfectly on Linux)
  • Putty, Pidgin, Skype, XChat, Firefox, Chrome, Thunderbird, … (done)
  • Photoshop (Gimp can be used for basic image manipulation. I already gave up my professional photography career, so I can live without Photoshop)
  • Corel (maybe Inkscape can be a replacement… I’m still not sure…I didn’t use Corel for years and I don’t need it at all.)
  • TrueCrypt (it works fine)

Three days after I switched to Linux, I’m still trying to forget about Windows. For now, I’m doing well.

Don’t worry… I still haven’t forgotten about the FreeRadius howtos. I’m working on the next post about FreeRadius and MySQL. Also, I have a few tricks which you should consider in case you want to tune your MySQL and FreeRadius.

Best regards

Edit:

Ten days later, I’m still struggling. 🙂