Wednesday, May 15, 2013

NFS simple server/client connect

The below post gives a simple tutorial for setting up a simple server/client session with NFS using debian and opensuse 11.3

1) install the proper packages for the server,  then edit the configuration file for the server.  restart the server, validate with netstat

su
apt-get install nfs-common nfs-kernel-server *optionally nfsv4-acl-tools
cd /etc/
gvim exports (add entries to point to your location/mount point)
save and exit
/etc/init.d/nfs-kernel-server stop/start
netstat -atu | grep nfs

2) disable firewall for server, then on client side connect to the NFS server, then verify with netstat

server side as root:
ufw disable (add port entry to iptables in order to leave enabled)
client side as root:
mount  -t nfs 10.0.0.44:/mnt /mnt
verify:
df 

3) verify you are connected then check the directory permissions in order to send/receive as regular user

netstat -atu | grep nfs
cd /mnt
ls -l (check ACL's)  if wrong change them with chown
chown username:username directories
NOTE: if you have the right permissions, and you don't see anything(like mount on mount) then add the crossmnt to /etc/exports config this way you can use external storage devices and NFS

and that's it! you should have a simple server/client connect.







Posted by at No comments:

Sunday, March 31, 2013

OpenLDAP GPG KeyServer Private

The below post shows you how you can create your own Private gpg keyserver through LDAP.
tested on Fedora 17 (other distros may be different) 
NOTE: all configs are at bottom of blog

 1) install the proper packages. then change into the LDAP config directory. move slapd.d because we are using the older API then modify ldap.conf to add the servers IP
sudo -s
yum install openldap openldap-servers openldap-clients 
optionally: yum install gq (LDAP browser)
service slapd stop (stop LDAP)
cd /etc/openldap
ls -l
mv slapd.d{,-old}
gvim ldap.conf (add ip address of server) (config below)
nm-tool

2) create slapd.conf, create db directory download and install gpg-keyserver schemas, then start the server
gvim slapd.conf (config at bottom)
mkdir /var/db/openldap
chown ldap:ldap  /var/db/openldap  
download and install the schemas
 wget http://members.kstp.at/wh/pgp/openldap_pgp_keyserver.tar.gz
tar xvfz openldap_pgp_keyserver.tar.gz | cp -Rv openldap/schema/* /etc/openldap/schema
slapd -d -1 -u ldap -g ldap (use -d 128 for ACL's)

3) create the LDAP directory structure and add the extra users
gvim directory_base_user.ldif (config below)
ldapadd -H ldap://10.0.0.11 -x -D "cn=Justin,dc=Manager,dc=Private" -f directory_base_user.ldif -w dirtysecret
gvim remote_user.ldif (config below)
ldapadd -H ldap://10.0.0.11 -x -D "cn=Justin,dc=Manager,dc=Private" -f remote_user.ldif -w dirtysecret
exit as root

4) create and exchange keys with host and remote host:

cd
cd .gnupg
gpg --gen-keys (answer questions)
gpg --list-keys
gvim gpg.conf (add the entries for gpg keyserver, above picture
send and recv keys:
gpg   --keyserver ldap://10.0.0.11 --send-key C9AD4D9B (send key)
gpg   --keyserver ldap://10.0.0.11 --recv-key C9AD4D9B (recvkey)   

on the remote hot perform the same steps to create the new key and send and recv

5) use gq to view the entries




and there you have it, your own Private GPG Keyserver!!

below are the configuration files for the above:

ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=Manager,dc=Private
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldap://10.0.0.11

SIZELIMIT 0
TIMELIMIT 900
#DEREF never
#TLS_REQCERT try
#TLS_CACERT     /etc/openldap/ssl/certs/ca.pem
#TLS_CERT        /etc/openldap/ssl/certs/ldap.pem
#TLS_KEY /etc/openldap/ssl/keys/ldap.key



slapd.conf



include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/pgp-keyserver.schema
include /etc/openldap/schema/pgp-recon.schema
include /etc/openldap/schema/pgp-remte-prefs.schema

loglevel -1

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

modulepath      /usr/lib/openldap
moduleload back_bdb.la
moduleload back_ldap.la
moduleload back_monitor.la

allow bind_anon_dn
allow update_anon
allow bind_anon_cred

access to dn.base=""
        by * read

access to dn="cn=Subschema"
        by * read
access to attrs="userPassword"
        by self write
        by * auth

# OPTIONAL: gq for viewing directories etc..
access to dn="dc=Manager,dc=Private"
by * read

access to dn="ou=PGP Users,dc=Manager,dc=Private"
by * read

access to dn.subtree="uid=Justin,ou=PGP Users,dc=Manager,dc=Private"
by * read
access to dn.subtree="uid=Justin_2,ou=PGP Users,dc=Manager,dc=Private"
by * read

# read  server pgpKeyInfo 
access to dn="cn=pgpServerInfo,dc=Manager,dc=Private"
        by * read

# remote access.. change for better ACL's 
access to dn.subtree="ou=PGP Keys,dc=Manager,dc=Private"
        by * write
by * read 

access to * by * none

database bdb
directory /var/db/openldap/

suffix "dc=Manager,dc=Private"
rootdn "cn=justin,dc=Manager,dc=Private"
rootpw dirtysecret

cachesize 10000
checkpoint 128 15

index objectClass eq
index pgpCertID,pgpKeyID,pgpKeyType,pgpUserID,pgpKeyCreateTime sub,eq
index pgpSignerID,pgpSubKeyID,pgpKeySize,pgpKeyExpireTime sub,eq
index pgpDisabled,pgpRevoked eq

database monitor


directory_base_user.ldif


# domain
dn: dc=Manager,dc=Private
dc: Manager
objectClass: domain
objectClass: top

# person part of domain
dn: cn=Manager,dc=Manager,dc=Private
cn: Manager
sn: Manager
objectClass: person
objectClass: top

# applicationProcess and/or organizationalUnit works
dn: ou=PGP Keys,dc=Manager,dc=Private
objectclass: applicationProcess
cn: PGP KEYSERVER PRIVATE "KEYS"
ou: PGP Keys
description: gpg keyserver for private company use.

# Main area for gpg to do stuff
dn: cn=pgpServerInfo,dc=Manager,dc=Private
cn: pgpServerInfo 
objectclass: pgpserverinfo
pgpSoftware: OpenLDAP 2.4.33
pgpVersion:  gpg (GnuPG) 1.4.13
pgpBaseKeyspaceDN: ou=PGP Keys,dc=Manager,dc=Private

# applicationProcess and/or organizationalUnit works
dn: ou=PGP Users,dc=Manager,dc=Private
objectclass: applicationProcess
cn: PGP KEYSERVER PRIVATE "Users"
ou: PGP Users
description: gpg keyserver for private company use.

# company employee(s)
dn: uid=Justin,ou=PGP Users,dc=Manager,dc=Private
objectClass: inetOrgPerson
objectClass: uidObject
objectClass: userSecurityInformation
uid: Justin
# password is test56
userPassword: {SSHA}PGJjmqxXpro95gho76Gz27qiqQp59LwM
sn: Mattock
cn: Private Company Employee(s).

# photo stuff never got it working maybe u can!
# adds using URL format
#add: jpegphoto
#jpegphoto: < file://path/to/jpeg/file.jpg

# adding a binary cert, use gpgsm to convert format(DER,PEM,etc..)
#changetype: modify
#add: userCertificate;binary
#userCertificate;binary:< file:///path/to/file/binary.asc
#objectClass: stongAuthenticationUser
#UserCertificate: file:///path/to/regular.asc


remote_user.ldif

# company employee(s)
dn: uid=Justin_2,ou=PGP Users,dc=Manager,dc=Private
objectClass: inetOrgPerson
objectClass: uidObject
objectClass: userSecurityInformation
uid: Justin_2
# password is test56
userPassword: {SSHA}PGJjmqxXpro95gho76Gz27qiqQp59LwM
sn: Mattock_2
cn: Private Company Employee(s).
# photo stuff never got it working maybe u can!
# adds using URL format
#add: jpegphoto
#jpegphoto: < file://path/to/jpeg/file.jpg

# adding a binary cert, use gpgsm to convert format(DER,PEM,etc..)
#changetype: modify
#add: userCertificate;binary
#userCertificate;binary:< file:///path/to/file/binary.asc
#objectClass: stongAuthenticationUser
#UserCertificate: file:///path/to/regular.asc


Posted by at No comments:

Sunday, March 17, 2013

XFS: xorg font server simple server/client connect

a little outdated due to systems having TTF fonts and such, but was more curious to get this thing working.. anyways the below post shows you how to do a simple server/client connect with xorg font server

 1) install the xfs server and utilities. stop the server and prepare the config for the server to service the protocol
su
yum install xorg-x11-xfs xorg-x11-xfs-utils
chkconfig xfs on (if you want xfs starting at boot)
service xfs stop
cd /etc/X11/fs
gvim config
<--- my config if you want to use --->
#no-listen = tcp
client-limit = 10
clone-self = on
default-point-size = 120
default-resolutions = 75,75,100,100
deferglyphs = 16
use-syslog = no
error-file = /var/log/xfs.log
port = 7100
#seems to only read symlinks
catalogue = catalogue:/home/fonts2

 save..


2) prepare to the server to serve the fonts. download from the url and prepare the files/directories(catalogue:) so the server/client can communicate with each other.

cd  /home  (or wherever you want to prepare the fonts)
mkdir /home/fonts
mkdir /home/fonts2
cd /home/fonts
wget http://hea-www.harvard.edu/~fine/Tech/cursive.bdf
mkfontdir
(prepare the catalogue:)
ln -sv /home/fonts /home/fonts2
cd ../fonts2
ls -l
<start xfs manually>
/usr/bin/xfs 
netstat -atu (to verify *xfs is on)

 NOTE: url where to find fonts and where I got the info to install the *.bdf fonts                                                            http://hea-www.harvard.edu/~fine/Tech/x11fonts.html

 3) on the client side test the font server to see if we have signs of life..

/usr/bin/fslsfonts -server 10.0.0.9:7100


4) connect to the xorg font server. use xset to view what entries are there, then use xset to add the new font server, verify with xset and netstat. then use fslsfonts to pick a font to use through xterm.
xset -q      
xset fp+ tcp/10.0.0.9:7100  
xset -q
netstat -atu
fslsfonts -server 10.0.0.9:7100
xterm -fn xterm -fn -fine-cursive-medium-i-normal--0-0-72-72-c-0-iso8859-1

view cursive fonts in the terminal!! isnt it cute! 

5) OPTIONAL: add a script to gdm to auto connect the client to the server.

su
cd /etc/gdm/PostLogin
gvim Default
init 3 / reboot

<--copy/paste or make your own -->

#add your ip and port number
X_CLIENT_XFS_START= /usr/bin/xset fp+ tcp/10.0.0.9:7100

if [ -z "$GDMSESSION" ]; then
    exec $X_CLIENT_XFS_START
fi

NOTE: for wanting to connect before login(clients that depend on all fonts from the server) either disable gnome and use startx with xinitrc(add a startup in there), or (if you know gnome terms) create a script in:
/usr/share/gdm/greeter/applications/*.desktop
Posted by at No comments:

Wednesday, March 13, 2013

CRON: simple kernel pull/build with email notification

The post below shows you how to setup up a simple crontab to do simple tasks with an email notification..

 1) depending on your distro you might already have cronwrap intsalled or in the repo(s)
if not download and install
cd Downloads
wget https://pypi.python.org/packages/source/c/cronwrap/cronwrap-1.4.tar.gz
tar xvfz  cronwrap*.tar.gz
cd cron*
su
python setup.py install
which cronwrap
exit ; cd

2) /etc/anacrontab is the main config file as well as /etc/crontab for "root" jobs in the system.

this exercise does not deal with these files, but they can be modified for added root tasks for the system for regular tasks.

3) create/start your own crontab under your username located in /var/spool/cron. the simple task of resetting the kernel and pulling.


crontab -e
enter the entries for the times you want etc.. then save and exit.
MAILTO:justinmattock@gmail.com
30 21 * * * /usr/bin/cronwrap -c "/home/kernel./pull_script" -e justinmattock@gmail.com -v

NOTE: below is my simple script I used for this example



<----- copy/paste------->

#/bin/sh
# my cheesy script to pull the kernel 

for dir in /home/kernel/3.0*  
do 
cd /home/kernel/3.0 ; git reset --hard origin ;
git checkout master ; git pull ; 
git checkout Mattock ; git reset --hard origin ; make 
done



Mail info:
I used cronwrap since it makes sending info to myself much easier, and supplies good info in the email on how everything went(not just when things crap out)
crond does send emails but only if the scripts fails. to add this option add:
MAILTO= yourname@.com at the top of your crontab -e

4) create another task as "root" to complete the job

su
crontab -e
add the root commands that need to fire off after the pull and build go through.
30 22 * * * /usr/bin/cronwrap -c "cd /home/kernel/3.0 ; make modules_install ; make install" -e justinmattock@gmail.com -v

probably should of created another script, but wanted to show you don't need to make scripts to do this..

5) check the logs,(/var/log/cron) and wait for the email.. hopefully everything goes good for whatever commands you use!

the first script for pulling went good, but then when it came for the root crontab I hit a strange error:

ERROR OUTPUT:
/sbin/installkernel: line 82: new-kernel-pkg: command not found
/sbin/installkernel: line 86: new-kernel-pkg: command not found
make[1]: *** [install] Error 127
make: *** [install] Error 2

quick fix is to edit this file at 82 and 86 by adding the full path to the programs


and there you have it.. a simple cron example of pulling and resetting the kernel, then building and installing everyday between 8-9:30pm without having to do anything..because we all know how hard entering commands in a terminal can be!
Posted by at No comments:

Monday, March 11, 2013

FSCK: clean/fix BADSECTORS on a harddrive | READ/WRITE

This post is to show you how I was able to recovery a hard Drive that was reporting to have BADSECTORS on it.
NOTE: determining the BADSECTORS can be tough either its alignment or it actually has physical damage

 1) obtain a hard drive that is reporting BADSECTORS on it. over here I was able to buy one off of ebay
(keep in mind this is a BADSECTOR issue)

2) have access to the device so you can work on it

I use an external plugin to access the device through a terminal. if your device is internal then use a liveCD to perform the clean/recovery.

3) determine the state of the device. can you copy the storage device with dd or is it totally thrashed(mine was set at unknown device).


4) since I had an unknown partition I used fdisk to create a partition so you I can clean the disk  e2fsck
(the layer between hardware and software)

su
fdisk /dev/sdb
(create a new partition with fdisk save and exit)
create ext4 on the device:
/sbin/mkefs.ext4 /dev/sdb1

5) once the fresh filesystem is created one would think a simple fsck /dev/sdb1 would of done the trick!!!!

guess this is what the guy meant by having BADSECTORS!! 
(thousands of these messages)

using:
fdisk -y /dev/sdb* 
above makes it easier to say "yes" to all the BADSECTORS on this thing and hopefully will fix them.

what I was not wanting to happen..: an error out with fsck. 
"Error storing directory block information (inode=8209852, block=0, num=4181895) : Memory allocation failed"

NOTE: reading through seems this was a problem with bigfiles and x86_32. seems most of the people just used a x86_64 livecd system with fsck to fix this issue.  but not in my case

6)using fdisk create a partition scheme with small multiple partitions so e2fsck is not dealing with largefiles(bigfiles). then fill them up(WRITE) and use fsck to clean(READ)

fdisk /dev/sd*
(plenty of tutorials for this)
mkefs.ext4 /dev/sd*

NOTE:  reading through I found that with disks to repair them you need to READ/WRITE to the device to realign the sectors. hopefully this fixes my BADSECTOR issue.


7) after creating the small partitions, READ/WRITE to the partition(s). 


dmesg | grep sd*
mount /dev/sd* /mountpount(s)
cd mountpoint(s)
WRITE(s) to each partition(s) either using "yes" or "dd"(yes is faster)
yes abcdefghijklmnopqrstuvwxyz0123456789 > largefile
repeat this for all partitions until all WRITE(s)



8) once full to capacity clean them with fsck(READ) 

as you can see WRITE(s) to the disk seems to make things work better, as well as having a smaller partition for fsck(READ) to deal with.

all clean!  

9) remove the "largefile" so you have disk space to use.

from here its whatever you want.. I ended up re-partitioning so I can run windows/linux on this disk. using fsck with 100Gigs went fine without any issues after doing the above realignment READ/WRITE(s)
Posted by at No comments:

Wednesday, March 6, 2013

Automatic Login with SSH: authorized_keys(2&) | publickey(s)

For whatever reason ssh seems so buggy, even though its not. in anycase these are my findings to having a session without having to login each time or having a public Login type scenario..:

 1) adjust your firewall to allow ssh port 22

 menu>administration>firewall
2) open a terminal change into .ssh then create a new private/public key(save the artwork as well).

cd .ssh
ls -l
ssh-keygen -t rsa -f /home/justin/.ssh/id_rsa -C ' '
gvim artwork  <--copy/paste your key artwork from the screen then save -->
optional artwork from the default:
ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key >> artwork

3) add the key to the database then create authorized_keys. After creating the file(s) then create a compressed image of everything to be transferred over to the other host system either by disk drive or scp whatever you prefer.

ssh-add id_rsa
ssh-add -l
ls -l
cp id_rsa.pub authorized_keys
tar -cf ssh_key_pub.tar artwork authorized_keys id_rsa id_rsa.pub
ls -l

4) using the other machine, use scp to copy the image of files the uncompress and add the key to the database. 

scp  justin@10.0.0.17:/home/justin/.ssh/ssh_key_pub.tar .
ls -l
tar -xf ssh_key_pub.tar
ls -l
ssh-add id_rsa
NOTE: for whatever reason I hit some connection issue with scp, strange thing is everything worked as it should.
(BUGGY)

5) adjust the config file(s) so you can be using RSA authentication

su
gvim /etc/ssh/sshd_config

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /home/justin/.ssh/authorized_keys
PasswordAuthentication no

/etc/ssh/ssh_config

RhostRSAAuthentication yes 
RSAAuthentication yes
PasswordAuthentication no
VisualHostKey yes

save and exit.

6) restart sshd and login

su
service sshd restart
ssh justin@10.0.0.17|3 etc..

NOTE: the first login seems to have  /usr/libexec/gcr-prompter in of which requires the password you used for the RSA keyfile, after giving the password click on the box on the bottom to remember. after the initial login all other login(s) are without a password. still need to figure out why gcr-prompter fires off.

hope this helps anybody having issues with this.
Posted by at 2 comments:

Wednesday, February 27, 2013

Calculate CIDR Netmask Manually

This is a quick tutorial on how to calculate the CIDR netmask number if you find yourself without a CIDR calculator(like taking a test or something).

 1) understand the setup for CIDR i.g. 4 groups of 8 bits equaling  32 (example)

 11111111.11111111.11111111.11111111 = 32  bits (4 groups of 8 separated by a "." )

 2) total number in each group = 255

 11111111 = 255

 WTF? each group is easily calculated with these numbers(blocks)!

 128+64+32+16+8+4+2+1 = 255 (each bit(block) has a number, add all of them to get 255)

 -----------------------------------------------------------------------------------------------------------------------------------------------------

 3) Calculate the CIDR netmask of /30

 a) count out 30 bits of 1 one(s) and the rest are zero(s) equaling 32 bit(s)

  11111111.11111111.11111111.11111100

    30 one(s) and 2 zero(s) which equal = 32 bits

 4) seperate and count each group:

 11111111.11111111.11111111.11111100

 group 1 = 11111111 = 255
128+64+32+16+8+4+2+1 = 255

 group 2 = 11111111 = 255
128+64+32+16+8+4+2+1 = 255

 group 3 = 11111111 = 255
128+64+32+16+8+4+2+1 = 255

 group 4 = 11111100 = 252
128+64+32+16+8+4 = 252

 NOTE: for each zero in a group remove a bit(block) starting from 1(right to left)
128+64+32+16+8+4+2+1 = 255

 the calculated CIDR netmask of /30 = 255.255.255.252

------------------------------------------------------------------------------------------------------------------------------------------------------

diagram of CIDR:

 
Netmask              Netmask (binary)                 CIDR     Notes    
_____________________________________________________________________________
255.255.255.255  11111111.11111111.11111111.11111111  /32  Host (single addr)
255.255.255.254  11111111.11111111.11111111.11111110  /31  Unuseable
255.255.255.252  11111111.11111111.11111111.11111100  /30    2  useable
255.255.255.248  11111111.11111111.11111111.11111000  /29    6  useable
255.255.255.240  11111111.11111111.11111111.11110000  /28   14  useable
255.255.255.224  11111111.11111111.11111111.11100000  /27   30  useable
255.255.255.192  11111111.11111111.11111111.11000000  /26   62  useable
255.255.255.128  11111111.11111111.11111111.10000000  /25  126  useable
255.255.255.0    11111111.11111111.11111111.00000000  /24 "Class C" 254 useable

255.255.254.0    11111111.11111111.11111110.00000000  /23    2  Class C's
255.255.252.0    11111111.11111111.11111100.00000000  /22    4  Class C's
255.255.248.0    11111111.11111111.11111000.00000000  /21    8  Class C's
255.255.240.0    11111111.11111111.11110000.00000000  /20   16  Class C's
255.255.224.0    11111111.11111111.11100000.00000000  /19   32  Class C's
255.255.192.0    11111111.11111111.11000000.00000000  /18   64  Class C's
255.255.128.0    11111111.11111111.10000000.00000000  /17  128  Class C's
255.255.0.0      11111111.11111111.00000000.00000000  /16  "Class B"
     
255.254.0.0      11111111.11111110.00000000.00000000  /15    2  Class B's
255.252.0.0      11111111.11111100.00000000.00000000  /14    4  Class B's
255.248.0.0      11111111.11111000.00000000.00000000  /13    8  Class B's
255.240.0.0      11111111.11110000.00000000.00000000  /12   16  Class B's
255.224.0.0      11111111.11100000.00000000.00000000  /11   32  Class B's
255.192.0.0      11111111.11000000.00000000.00000000  /10   64  Class B's
255.128.0.0      11111111.10000000.00000000.00000000  /9   128  Class B's
255.0.0.0        11111111.00000000.00000000.00000000  /8   "Class A"
  
254.0.0.0        11111110.00000000.00000000.00000000  /7
252.0.0.0        11111100.00000000.00000000.00000000  /6
248.0.0.0        11111000.00000000.00000000.00000000  /5
240.0.0.0        11110000.00000000.00000000.00000000  /4
224.0.0.0        11100000.00000000.00000000.00000000  /3
192.0.0.0        11000000.00000000.00000000.00000000  /2
128.0.0.0        10000000.00000000.00000000.00000000  /1
0.0.0.0          00000000.00000000.00000000.00000000  /0   IP space
Note: I dont want to plagerise so i have to give most of the credit to the people in this forum who discussed on
how to get this calculated. I just(hopefully) made sense of the confusion!
http://www.techexams.net/forums/ccna-ccent/38980-help-figuring-out-cidr-notation-calculations.html
Posted by at No comments:
Subscribe to: Posts (Atom)