Author: halfgaar (Page 4 of 26)

Halfgaar is Wiebe. Wiebe is a contributing author on this weblog. He also has a lot of stuff (such as long, in-depth articles) on his personal website.

Wiebe's day job is as a senior software developer and system administrator at YTEC.

In his free time, he built the free, open-source FlashMQ software. Together with Jeroen and Rowan, he is now building a managed MQTT hosting business around his open masterpiece.

Sending mail from a NATed host with Postfix

When sending mail from a host behind NAT, you will run into trouble when the “From” says “root@host.localdomain”, because receiving servers will refuse that domain.

I’m not quite sure why, but setting myorigin used to be enough. Now I need to do this in main.cf:

# For when you have a host behind NAT that is refusing to 
# use hostname.realdomain.net as specified as origin.
# You can test with: 
# postmap -q "fubar@hostname.somelocaldomain" regexp:/etc/postfix/sender_canonical
sender_canonical_maps = regexp:/etc/postfix/sender_canonical

And in sender_canonical:

/^(.*@)host.*$/     ${1}hostname.realdomain.net

Or more generic:

/^(.*@.*\.)company$/     ${1}company.nl

And as usual, I use a relay host.

Download dmcrypt (cryptsetup) encryption key from remote server and auto mount

One of the inconveniences of encryption is the need to open the encrypted volume by hand when the computer/server boots. Luckily, you can easily automate that securely. You need a machine that will act as a key server, whether that’s a Raspberry Pi or some VPS you hire.

Take a server that will act as a key server and create a passwordless user:

adduser --disabled-password cryptsetupkeys
su - cryptsetupkeys
mkdir keys
chmod go-rwx keys

We’re going to use ~/.ssh/authorized_keys to give access to the key to one public key, and only from one IP (to prevent someone stealing your computer from also auto-unlocking it):

from="2a01:1b0:5256:1:2:3:4:5",command="/usr/local/bin/catkey.sh keys/server1.key" ssh-rsa AAA...vJxw== root@server1
from="1.2.3.4",command="/usr/local/bin/catkey.sh keys/server2.key" ssh-rsa AAA...vJxw== root@server2

The /usr/local/bin/catkey.sh can be:

#!/bin/bash
#
# Script to be used as only permitted command to echo the key
# data for cryptsetup encrypted partitions. 
# 
# from="1.2.3.4",command="/usr/local/bin/catkey.sh keys/server1.key" ssh-rsa AAA...vJxw== root@server2
#
# http://blog.bigsmoke.us/2016/05/22/download-dmcrypt-cryptsetup-encryption-key-from-remote-server-and-auto-mount
 
keyname="$1"
keyfile="$HOME/$keyname"
hostname="$(hostname)"
mailto="you@example.com"
mailfrom="Autokeydecryptor <you@example.com>"
subject="Cryptsetup key access for '$keyname', '$USER' on '$hostname'"
 
if [ -z "$keyname" ]; then
  message="key name not specified"
  echo "$message"
  echo "$message" | mail -a "From: $mailfrom" -s "$subject" "$mailto"
  exit 1
fi
 
if [ ! -f "$keyfile" ]; then
  message="$keyfile not found or is not a regular file"
  echo "$message"
  echo "$message" | mail -a "From: $mailfrom" -s "$subject" "$mailto"
  exit 1
fi
 
# Output the same path that was validated above, independent of the working directory
cat -- "$keyfile"
message="This is an audit of the access to cryptsetup keys on server '$hostname', account '${USER}', key '$keyname'. This should normally only happen on boot of the server which has the cryptsetup partition."
echo "$message" | mail -a "From: $mailfrom" -s "$subject" "$mailto"

Then on the machine that has the encrypted volume, put the following in something like /etc/rc.local:

ssh -4 -o PasswordAuthentication=no "cryptsetupkeys@server.example.com" "dummy" | cryptsetup --key-file - luksOpen /dev/raidvg/mainencrypted maindecrypted
# put the proper entry in /etc/fstab so this mount works
mount /mnt/decryptedvolume

Or better yet put that in a separate script to be called from /etc/rc.local, because /etc/rc.local often has -e in the shebang, so it would stop on any error in that script, possibly failing to execute your command. Why that -e is there is a mystery to me, but that’s another story.

The less obvious flags explained:

  • -4 is to make sure the from clause will always work, also if your ISP suddenly gives you IPv6.
  • -o PasswordAuthentication=no is necessary to be sure the command fails if the login fails. Otherwise, should your IP address change, the command may hang on password input (if it’s not smart enough to detect a non-interactive terminal).
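
An added example (not part of the original post) of the separate script suggested above, to be called from /etc/rc.local. It checks the exit status of the ssh fetch before handing anything to cryptsetup, because catkey.sh prints its error text on stdout. The host, device, mapping and mount names are the post's; the variable names, function name, return codes and the /dev/shm staging directory are assumptions.

```sh
#!/bin/sh
# Added example: boot-time unlock helper, not code from the original post.
# Variable/function names, return codes and /dev/shm staging are assumptions.
KEYSERVER="${KEYSERVER:-cryptsetupkeys@server.example.com}"
DEVICE="${DEVICE:-/dev/raidvg/mainencrypted}"
MAPNAME="${MAPNAME:-maindecrypted}"
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"
KEYTMPDIR="${KEYTMPDIR:-/dev/shm}"   # tmpfs, so the key is never written to disk
SSH="${SSH:-ssh}"                    # overridable so the logic can be exercised
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"

# Returns 0 if opened (or already open), 2 if the key fetch failed,
# 3 if cryptsetup rejected the key or the device.
unlock_volume() {
  [ -e "$MAPPER_DIR/$MAPNAME" ] && return 0    # safe to run twice
  keytmp=$(umask 077; mktemp "$KEYTMPDIR/luks.XXXXXX") || return 2
  # catkey.sh echoes its error message to stdout and exits 1, so the ssh
  # exit status (not merely "some bytes arrived") decides if this is a key.
  # BatchMode and ConnectTimeout keep a boot from hanging on a prompt or
  # an unreachable key server.
  if ! "$SSH" -4 -o BatchMode=yes -o PasswordAuthentication=no \
         -o ConnectTimeout=15 "$KEYSERVER" dummy >"$keytmp" ||
     [ ! -s "$keytmp" ]; then
    rm -f "$keytmp"
    return 2
  fi
  ret=0
  "$CRYPTSETUP" --key-file "$keytmp" luksOpen "$DEVICE" "$MAPNAME" || ret=3
  rm -f "$keytmp"                    # remove the staged key in every case
  return "$ret"
}

# Only act when asked to, e.g. "sh unlock.sh run" from /etc/rc.local.
if [ "${1:-}" = "run" ]; then
  unlock_volume || { echo "unlock failed with code $?" >&2; exit 1; }
  mount /mnt/decryptedvolume
fi
```

The distinct return codes make it possible to tell from the boot log whether the key server refused the request or the volume itself failed to open.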

Preventing degraded array on every boot

I had a server that booted with a degraded array every time, because there was a USB drive attached to it, that messed up the auto detection. I solved it by putting this in mdadm.conf:

# This is to try to solve the problem that the array always boots as degraded when I boot the server with a USB disk attached.
# http://serverfault.com/questions/722360/debian-server-has-degraded-mdam-array-on-every-boot/
DEVICE /dev/disk/by-id/ata-*

Then run:

update-initramfs -u

I still don’t know what went wrong, though. It can plainly see what drives should be in the array.

Better nagios SMS and E-mail messages

Just for my reference. I made changes to it before, but I now added the comments to them (for custom notifications and acknowledgements):

define command{
        command_name    notify-host-by-email
        command_line    /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nComment: $NOTIFICATIONCOMMENT$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Host Alert ($SHORTDATETIME$): $HOSTNAME$ is $HOSTSTATE$ **" $CONTACTEMAIL$
}
 
define command{
        command_name    notify-service-by-email
        command_line    /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nComment: $NOTIFICATIONCOMMENT$\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$" | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert ($SHORTDATETIME$): $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
}
 
define command{
        command_name    notify-host-by-sms
        command_line    /usr/local/sbin/send-sms.sh -n $CONTACTPAGER$ -m "$HOSTNAME$: $NOTIFICATIONTYPE$, $HOSTSTATE$ ($NOTIFICATIONCOMMENT$)"
}
 
define command{
        command_name    notify-service-by-sms
        command_line    /usr/local/sbin/send-sms.sh -n $CONTACTPAGER$ -m "$SERVICEDESC$ on $HOSTNAME$ $NOTIFICATIONTYPE$ ($NOTIFICATIONCOMMENT$): $SERVICEOUTPUT$"
}

Teamviewer replacements

ChunkVNC consists of three parts, InstantSupport, Repeater and Viewer.

UltraVNC SC is a mini (166k) UltraVNC Server that can be customized and preconfigured for download by a customer. UltraVNC SC does not require installation and does not make use of the registry. The customer only has to download the little executable and click to make a connection. The connection is initiated by the server, to allow easy access through the customer's firewall.

Iptables: limiting amount of connections per IP

Short and improved version of this.

To allow SSH TCP connections, but drop after more than 20 NEW connections in 20 seconds:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m recent --rcheck --seconds 20 --hitcount 20 --name sshbadguys --rsource -j DROP
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name sshbadguys --rsource

To check the current list (from the man page):

cat /proc/net/xt_recent/sshbadguys

Test with:

#!/bin/bash
ip="1.2.3.4"
port="22"
for i in {1..100}
do
  echo "attempt $i"
  # do nothing just connect and exit
  echo "exit" | nc ${ip} ${port};
done


© 2024 BigSmoke
