Run Levels

Posted in Informational, Services on October 7th, 2013 by termina

In Linux, you generally have run levels that range from 0-6.

0: Halt (shutdown) the system
1: Single user mode (major upgrades, maintenance, etc.)
2: Basic multi user mode
3: Full multi user mode
4: Unused (custom)
5: Multi user mode with GUI
6: Reboot

0,1 and 6 are always the same, but different distros do different things with the other run levels (for example, Debian-based systems use run level 2 for GUI and full multi-user mode)

You can see what services start at what run level by looking in the directory /etc/rc#.d where # is the run level number.

The run level number can be found in /etc/inittab (id:2:initdefault: for example)
If you were to look in /etc/rc2.d, you would see files that look like:

S99program

These are usually symbolic links to files in /etc/init.d (so a change to /etc/init.d/program would change the programs script for every run level).

Start-up scripts in Linux follow the form “start-stop” (at minimum). Many have “start-stop-restart-reload-check” or possible more.

A basic start-stop script would look like this:

#!/bin/bash
case $1 in
start)
program
;;
stop)
program
;;
esac

Don’t forget

chmod +x script

This is useful to know, especially if you are dealing with a machine that may need specific commands to be run when booting or shutting down in order to function properly (for example, in the radio station we need the client machines to run dhclient at S99 in order to obtain an IP address).

These scripts are not all run at once (by default). S##program where ## is the priority of the script.

S99 will run last, while S10 will run before most other things.

Obtain free Cisco IOS upgrades

Posted in Networking on October 7th, 2013 by termina
0. Determine who purchased the device. You will need to send an email from their CCO registered account. This does not mean it needs an active contract.
1. Log onto the device and capture all of the output of “show version”
2. Go to http://tools.cisco.com/security/center/selectIOSVersion.x  and select the “B” option to use the “show version” output
3. Choose to view all security vulnerabilties
4. Send an email to [email protected] with
  • ​The output of “show version” in the body of the e-mail
  • Serial number of the device in the body of the e-mail (yes, even though it’s in show ver)
  • A list of all vulnerabilities for the selected IOS from cisco’s website in the body of the e-mail (just copy and paste the links)
  • Request a non-vulnerable IOS version

 

​5. Wait and they should send you a link to download the IOS.

Cisco wireless access point and Windows 2008 RADIUS EAP Authentication

Posted in Networking on October 7th, 2013 by termina
Configure Windows server for RADIUS
1. Install NPS and CA authority roles if you have not already
2. Go to Computer Management. Roles – Network Policy and Access –  NPS (Local) – RADIUS Clients
3. Create new RADIUS client

 

  • ​Friendly name: Name of AP (Example: corp-ap-1141-il)
  • IP Address: IP of AP
  • Shared Secret – Manual (Generate a random 12+ digit key with no special chars)
  • Under “Advanced” tab, Vendor name: Cisco and check “RADIUS client is NAP capable”

4. Under NPS – Policies –  Network Policies create a new Policy called ‘Cisco AP Radius’

  • ​Condition Tab: Windows Groups (Domain Users)
  • Constraints Tab
    • Auth Methods: Add all three auth methods. Check MS-CHAPv2, MS-CHAP, CHAP and PAP/SPAP
    • NAS Port Type: Select Wireless 802.11 under Common 802.1x types and “Wireless Other” under “Others”
  • Settings Tab
    • Standard: add Service-Type Login

​5. When done, move the Cisco AP Radius policy to the #1 position

 
​Configure Cisco AP for RADIUS

 
1. Enter in RADIUS group information
aaa new-model
aaa group server radius rad_eap
     server 10.0.0.3 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa session-id common
radius-server host 10.0.0.3 auth-port 1812 acct-port 1813 key KEYYOUGENERATEDEARILER
dot11 ssid CompanyWifi
   no authentication open
   no wpa-psk ascii
   authentication open eap eap_methods
   authentication network-eap eap_methods

2. Try to connect with a client computer. Debug on AP with: debug radius authentication​

 

Migration of a live linux system

Posted in Backups, HowTo on April 26th, 2013 by termina

1. Prep machine or VM for the migration. On the destination server, boot with a live CD (CentOS, Debian, etc.). Partition drives.

I am assuming you are using just one partition, adding other partitions is trivial.

2. Mount drive and transfer system

 

mkdir /media/chroot
mount /dev/sda1 /media/chroot
rsync -az –exclude ‘proc’ –exclude ‘sys’ –exclude ‘dev’ –exclude ‘media’ –exclude ‘mnt’ [email protected]_server:/ /media/chroot
mkdir /media/chroot/dev
mkdir /media/chroot/proc
mkdir /media/chroot/sys
mount –bind /dev /media/chroot/dev

 

3.  Chroot into system

 

chroot /media/chroot
mount /proc
mount /sys
mv /boot/grub/device.map /boot/grub/device.map.old
grub-mkdevicemap
update-grub
install-grub /dev/sda

 

Also make sure to edit /etc/fstab with your new device IDs/partitions. You can view a list of device IDs by doing

 

ls -l /dev/disk/by-uuid

 

When you are done, reboot.

3. System show now boot successfully

 

Linux copy GPT partition table with dd

Posted in HowTo, Issues, Storage on March 22nd, 2013 by termina

I recently had to copy the partition table of a 3TB disk in a situation where tools such as sfdisk could not be installed.

Since GPT table length is dependant on the number of partitions, you need to do some investigation.

In this case, it was a ‘QNAP’ server that had fdisk (no GPT support) and parted.

On a working drive, run

parted -ms /dev/sda print

Note the number of partitions.

Formula = (128*N)+1024

Where N is the number of partitions you have. In this case I had 4, so I end up with a value of 1536

dd if=/dev/sda of=GPT_TABLE bs=1 count=1536

You now have a backup of a valid partition table you can apply to another drive

dd if=GPT_TABLE of=/dev/sdb bs=1 count=1536

Once this was done, you can manually re-add the drive.

mdadm –manage /dev/md0 –add /dev/sdb3

If you are wondering how we determined the sd[a-z], we accomplished this through hot-swapping the drive to generate logs indicating the drive.

Now why this supposedly automated RAID product required this…

Recover rpool ZFS pools and snapshots on Solaris 10 SPARC

Posted in Solaris, Storage on January 20th, 2012 by termina

I assume you’ve already taken a recursive ZFS snapshot and sent the snapshot/pool off to your local NFS server.

In this example, I have a Netra X1 with 2 drives (mirrored)

Now you need to boot your Solaris 10 CD/DVD, either from physical media or over the network


boot net -s

or


boot cdrom -s

Important: Make sure your disks are labeled correctly! (SMI)


format -e c0t0d0s0
>label
>0 (For SMI)
>modify
>Free Space Hog (Select s0, not s6)

Do the same for your other disk as well (In my case, c0t2d0s0)

Create your rpool


zpool create -f -o failmode=continue -R /a -m legacy -o cachefile=/etc/zfs/zpool.cache rpool mirror c0t0d0s0 c0t2d0s0

Mount NFS


mkdir /tmp/a
mount 192.168.1.1:/archives /tmp/a

ZFS Receive


zfs receive -dvuF rpool < /tmp/a/archive/rpool-backup

Set which pool you want to boot from


zpool set bootfs=rpool/ROOT/s10s_u8wos_08a rpool

Install boot blocks (SPARC)


installboot -F zfs /usr/platform/`uname -i`/lib/fs/zfs/bootblk /dev/rdsk/c0t0d0s0
installboot -F zfs /usr/platform/`uname -i`/lib/fs/zfs/bootblk /dev/rdsk/c0t2d0s0

Reboot


reboot -- disk

Ubuntu One Review

Posted in Reviews on August 1st, 2011 by termina

I’ve been using Dropbox since the service launched and have overall been very happy with it. My only complaint was that if you decide to pay there are only two tiers available: 50 and 100GB. ($99 and $199 a year respectively).

Having tried Ubuntu One when it first came out (when you could only use it on Linux) I was hesitant to try again. Checking out their website I was pleasantly surprised to see that we get 5GB free (compared to DropBox’s 2GB) and that getting 20GB was only $29 a year (or $2.99 a month). However, they still do not have a Windows client!

The first thing I did was install it on my Android phone. After it installed, I opened it and was greeted by a very clean looking interface. Unfortunately that was mostly illusion for as soon as I clicked ‘Log In’ it took me away from the app and opened up the default web browser to one.ubuntu.com

To make it even worse, the browser window just displayed an error of ‘Something has gone wrong’. Three more attempts, each time an error. Attempting to use their website on my laptop showed frequent timeouts at this same time.

Wow… really? That certainly raises a red flag.

After giving up for the night, the next morning I tried again and it worked on the first try.

After authenticating, it gives me the option to upload all past and future photos, all future photos or none.

Much like Photobucket the “auto-upload” does NOT allow you to define directories to grab images from, making the feature next to worthless if you use any apps that download photos to your phone. In fact the only options for the auto-upload are a checkbox to enable/disable and how quickly you want it to start uploading your photos when it detects them.

Pros:

  • 5GB of storage (compared to 2GB dropbox)
  • Finally has support for other devices
  • Cheaper upgrade option (compared to dropbox)

Cons:

  • Poorly made app (relies on web browser, doesn’t work half the time…)
  • Auto-upload is a tacked on feature with no way to customize
  • Unreliable website
  • Still no windows client? It’s been 2+ years!

Conclusion

Avoid Ubuntu One.

Unlike Dropbox (which supports every OS I’ve thrown at it) you will be unable to use Ubuntu One while you’re at work/school assuming they run Windows. Same for OSX.

Their Android app is flaky and still needs quite a bit of work. Their website was having difficulties which does not bode well for their infrastructure.

If you have your files “in the cloud” you want to be guaranteed you will be able to access them.

To sum it up: Ubuntu One isn’t worth it, even when you’re using the Free plan.

LDAP User Add Script

Posted in Code, LDAP, Security on September 13th, 2010 by termina

A bug with phpldapadmin in Ubuntu 10.04 has forced me to find other ways to add a generic Linux account to LDAP.

This consists of three files; I keep them in /root/ldap and have a symlink to add_ldap_user.sh in /usr/local/bin

add_ldap_user.sh Script

last.uid The last used UID, auto-incriments

user.ldif Sample linux account in LDIF format

add_ldap_user.sh


#!/bin/bash
NEWUID=`cat /root/ldap/last.uid`
echo -ne "First Name: "
read FIRST
echo -ne "Last Name: "
read LAST
echo -ne "User Name: "
read USERNAME

sed “s/FIRST/`echo $FIRST`/g” /root/ldap/user.ldif > /root/ldap/temp
sed “s/LAST/`echo $LAST`/g” /root/ldap/temp > /root/ldap/temp2
sed “s/USERNAME/`echo $USERNAME`/g” /root/ldap/temp2 > /root/ldap/temp
sed “s/USERUID/`echo $NEWUID`/g” /root/ldap/temp > /root/ldap/temp2

ldapadd -x -w`cat /etc/ldap.secret` -D “cn=admin,dc=YOUR,dc=HOSTNAME” < /root/ldap/temp2
echo `expr $NEWUID + 1` > /root/ldap/last.uid
rm /root/ldap/temp
rm /root/ldap/temp2
passwd $USERNAME

user.ldif


dn: cn=FIRST LAST,ou=People,dc=YOUR,dc=HOSTNAME
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
givenName: FIRST
sn: LAST
cn: FIRST LAST
uid: USERNAME
userPassword: {MD5}QaJUwABOZ6gUsv/xOD/FOQ==
gidNumber: 100
homeDirectory: /home/USERNAME
loginShell: /bin/bash
uidNumber: USERUID

last.uid

1900

Note that because the LDIF contains a place-holder password, you must be able to run ‘passwd LDAP-USER’ on the host you are running this on.

tshark MAC address filtering

Posted in Networking, Security on June 24th, 2010 by termina

Had to troubleshoot a Solaris box but couldn’t go by IP address since it wasn’t picking one up.


tshark -i eth1 -R "eth.addr == 00:03:ba:05:0d:60"

OpenSolaris mod_bw Apache2 Bandwidth Limiting

Posted in Services, Solaris on May 11th, 2010 by termina

Install needed software

pkg install gsed wget SUNWapch22 sunstudioexpress

Yes, sunstudioexpress is really necessary. gcc will NOT work with mod_bw.
Download mod_bw

cd /tmp
wget http://ivn.cl/files/source/mod_bw-0.8.tgz
gunzip mod_bw-0.8.tgz
tar xf mod_bw-0.8.tar
cd mod_bw

Build/install the module. We need to make sure the SunStudioExpress binaries are chosen before anything else, so add it to the beginning of PATH.

export PATH=/opt/SunStudioExpress/bin:$PATH

We also need to make a symlink to /usr/ucb/echo (this is a bug with the apxs included in opensolaris, not with mod_bw)

mkdir /usr/ucb
ln -s /usr/bin/echo /usr/ucb/echo

Now cross your fingers and build the module

/usr/apache2/2.2/bin/apxs -i -a -c mod_bw.c

If it complains about .h files, you can find them here:

/usr/apache2/2.2/include
/usr/apr/1.3/include
/usr/apr-util/1.3/include

Once apxs finishes, it should automatically add the following entry to /etc/apache2/2.2/conf.d/modules-32.load

LoadModule bw_module          /var/apache2/2.2/libexec/mod_bw.so

Add the following to /etc/apache2/2.2/httpd.conf

BandWidthModule On

BandWidth all 40000

MinBandWidth all 10000

ForceBandWidthModule On

Restart apache2 and check on it’s status

svcadm restart apache22

svcs -a | grep apache22

online          1:55:27 svc:/network/http:apache22

If it’s in maintenance mode, check the log file

/var/svc/log/network-http:apache22.log