Wednesday, December 2, 2015

Centos 7 Gnome Applications menu items don't respond, cannot click


 
I have CentOS 7 installed with gnome. After some uptime, no items under the 'Applications' menu respond.* I can open the menus and submenus and hover over items with the mouse pointer. They will highlight correctly, but they do not respond to clicks.

The items also do not respond to keyboard navigation where I can still use the arrow keys to move around the menus and highlight items, but hitting enter etc. does not launch the application/tool highlighted.

Restarting the machine helps, but that seems a heavy-handed solution to the problem.
*With the exception of the 'Activities Overview' item



This is a known issue. See here:
apps-menu: Exception: can't convert event.get_time() to an integer #7

A fix is to change line 77 of /usr/share/gnome-shell/extensions/[email protected]/extension.js


from:
 
this._app.open_new_window(event.get_time());

to:
 
this._app.open_new_window(-1);

Friday, November 6, 2015

How To Take Screenshots On The Raspberry Pi Using Command Line



1. Install scrot
sudo apt-get install scrot

2. Use command line via ssh 
 
env DISPLAY=:0 XAUTHORITY=/home/pi/.Xauthority scrot /path/to/screen.png 
 
3. Download image via SFTP 

Wednesday, November 4, 2015

yum access IPv6 repository on Centos 7


The easiest way is to disable IPv6.

Edit /etc/sysctl.d/disable-ipv6.conf and add:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Then load the file (plain sysctl -p only reads /etc/sysctl.conf):

sysctl -p /etc/sysctl.d/disable-ipv6.conf

If yum is still trying to reach the repository over IPv6, edit /etc/yum.conf and add:
ip_resolve=4






Friday, October 2, 2015

Daily mail statistics from postfix and pflogsumm via cron

On Centos

  yum install postfix-perl-scripts

Create a new script file:

mcedit /etc/cron.daily/pflogsumm.sh

#!/bin/sh

# Mail Statistics
MAIL_LOG=/var/log/maillog
MAILHOST="YOUR.HOSTNAME.COM"
RECIPIENT="[email protected]"

# Generate the statistics and mail the result to $RECIPIENT
/usr/sbin/pflogsumm -d yesterday ${MAIL_LOG} | \
mail -s "${MAILHOST} Mail Statistics" ${RECIPIENT}



chmod +x /etc/cron.daily/pflogsumm.sh

Enjoy!
 

Wednesday, September 30, 2015

Sniffing serial port raspberry pi

To sniff a serial port you need:
- two serial ports (USB adapters are fine)
- this software: http://jpnevulator.snarl.nl/

With this command all data is passed between the interfaces ttyAMA0 and ttyUSB0 and printed on the terminal with timestamps:


 jpnevulator --ascii  --timing-print  --tty /dev/ttyAMA0 --tty /dev/ttyUSB0 -r --pass

On windows I recommend:

http://realterm.sourceforge.net/



Centos 7 Failed to start LSB: Bring up/down networking.

Error in logs:
 

-- Logs begin at lun. 2015-02-16 12:41:51 CET, end at ven. 2015-02-20 11:39:35 CET. --
févr. 20 10:11:47 localhost systemd[1]: Starting LSB: Bring up/down networking...
févr. 20 10:11:48 localhost systemd-sysctl[902]: Overwriting earlier assignment of kernel/sysrq in file '/etc/sysctl.d/51-alt-sysrq.conf'.
févr. 20 09:11:50 localhost network[816]: Démarrage de l'interface loopback :  [  OK  ]
févr. 20 09:12:09 localhost su[1116]: (to avahi) root on none
févr. 20 09:12:11 localhost network[816]: Activation de l'interface eno16777736 :  [  OK  ]
févr. 20 09:12:11 localhost network[816]: Activation de l'interface eth0 :  ERREUR   : [/etc/sysconfig/network-scripts/ifup-eth] Device  does not seem to be present, delaying initialization.
févr. 20 09:12:12 localhost network[816]: [ÉCHEC ]
févr. 20 09:12:12 localhost systemd-sysctl[1184]: Overwriting earlier assignment of kernel/sysrq in file '/etc/sysctl.d/51-alt-sysrq.conf'.
févr. 20 09:12:12 localhost systemd[1]: network.service: control process exited, code=exited status=1
févr. 20 09:12:12 localhost systemd[1]: Failed to start LSB: Bring up/down networking.
févr. 20 09:12:12 localhost systemd[1]: Unit network.service entered failed state.
févr. 20 09:22:40 localhost systemd[1]: Starting LSB: Bring up/down networking...


Easy to check using:
 journalctl -ab --no-pager -u network

Solution:

Add HWADDR={mac address} to all ifcfg-* files.
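The fix above done once for every ifcfg-* file, as an added example that is not part of the original post: the function reads the DEVICE name from each file, looks up that device's MAC address and appends HWADDR= only where it is missing. The directory names are hypothetical parameters; on a live CentOS 7 box they would be /etc/sysconfig/network-scripts and /sys/class/net.

```shell
#!/bin/sh
# Added example, not from the original post: append HWADDR=<mac> to every
# ifcfg-* file that names a present device but does not pin its MAC yet.
# Assumptions (hypothetical parameters): CFGDIR holds the ifcfg-* files and
# SYSDIR/<device>/address holds each device's MAC, i.e. on a live system:
#     pin_hwaddr /etc/sysconfig/network-scripts /sys/class/net

# pin_hwaddr CFGDIR SYSDIR
# Prints "<device> <mac> <file>" for each file it changes.
# Returns 0 if at least one file was changed, 1 otherwise.
pin_hwaddr() {
    cfgdir=$1
    sysdir=$2
    changed=0
    for f in "$cfgdir"/ifcfg-*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            ifcfg-lo) continue ;;        # loopback has no hardware address
        esac
        # DEVICE=eth0 or DEVICE="eth0"; quotes and stray whitespace/CR stripped
        dev=$(awk -F= '$1 == "DEVICE" { gsub(/["'\'' \t\r]/, "", $2); print $2; exit }' "$f")
        if [ -z "$dev" ]; then
            echo "$f: no DEVICE= line, skipped" >&2
            continue
        fi
        # already pinned: leave the file alone
        if grep -q '^HWADDR=' "$f"; then
            continue
        fi
        if [ ! -r "$sysdir/$dev/address" ]; then
            echo "$f: device $dev is not present, skipped" >&2
            continue
        fi
        mac=$(cat "$sysdir/$dev/address")
        # accept only a well-formed aa:bb:cc:dd:ee:ff value
        case $mac in
            ??:??:??:??:??:??) ;;
            *) echo "$f: $dev reports no usable MAC ('$mac'), skipped" >&2; continue ;;
        esac
        # make sure the file ends with a newline before appending to it
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$f"
        printf 'HWADDR=%s\n' "$mac" >> "$f"
        echo "$dev $mac $f"
        changed=$((changed + 1))
    done
    [ "$changed" -gt 0 ]
}
```

Run it once, then re-run "journalctl -ab --no-pager -u network" after the next boot to confirm the "Device does not seem to be present" error is gone.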
 

Monday, September 14, 2015

Using tar with parallel compression using pigz with multi cores processor


 
$ tar cvf MYDIRECTORY.tar.gz --use-compress-prog=pigz MYDIRECTORY
 
In a similar way, you can list the contents of the tarball like this: 

$ tar tvf MYDIRECTORY.tar.gz --use-compress-prog=pigz
Or you can extract the tar like this:
$ tar xvf MYDIRECTORY.tar.gz --use-compress-prog=pigz
 

Wednesday, September 2, 2015

Grep /var/log/messages by date without leading zeros


 
# %e pads the day with a space instead of a zero, which is what syslog writes ("Sep  2")
date=$(date --date="yesterday" '+%b %e')

# quoted, so the double space inside the date survives word splitting
grep "$date" /var/log/messages

Friday, August 28, 2015

Cisco switch - find IP connected to port



"sh mac address-table". This shows which MAC is connected to which port.
"sh ip device tracking interface gigabitEthernet ". This shows which IP is connected to a port.
"sh ip arp" gives you an IP-to-MAC table.

Friday, August 7, 2015

Commands from bash/shell execute with long delay


To check what is going on, use strace:

strace -r -o trace.log echo hi
 
Sometimes /etc/hosts is missing the entry for the hostname:
 
127.0.0.1       localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6

so either append your hostname to the localhost line or add a new entry:

127.0.0.1       localhost.localdomain localhost test1 test1.example.com
::1             localhost6.localdomain6 localhost6

or

127.0.0.1       localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
192.168.0.1     test1 test1.example.com

Monday, July 27, 2015

Spacewalk installation problems


Error:
Tomcat failed to start properly or the installer ran out of tries. Please check /var/log/tomcat*/catalina.out for errors.

Solution:

yum install geronimo-jta-1.1-api.noarch
/usr/sbin/spacewalk-service restart
 
Error:
** Verifying certificate locally.
There was a problem validating the satellite certificate: 1 
 

The most current Red Hat Proxy Server installation process against RHN hosted
requires the upload of an SSL tar archive that contains the CA SSL public
certificate and the web server's key set.

Generating the web server's SSL key set and CA SSL public certificate archive:
    /root/ssl-build/test1.localdomain/rhn-org-httpd-ssl-archive-test1.localdomain-1.0-1.tar

Deploy the server's SSL key pair/set RPM:
    (NOTE: the Red Hat Satellite or Proxy installers may do this step for you.)
    The "noarch" RPM needs to be deployed to the machine working as a
    web server, or Red Hat Satellite, or Red Hat Proxy.
    Presumably 'test1.localdomain'.
Preparing packages for installation...
 file /etc/httpd/conf/ssl.crt/server.crt from install of rhn-org-httpd-ssl-key-pair-test1.localdomain-1.0-1.noarch conflicts with file from package rhn-org-httpd-ssl-key-pair-localhost.localdomain-1.0-1.noarch
 file /etc/httpd/conf/ssl.csr/server.csr from install of rhn-org-httpd-ssl-key-pair-test1.localdomain-1.0-1.noarch conflicts with file from package rhn-org-httpd-ssl-key-pair-localhost.localdomain-1.0-1.noarch
 file /etc/httpd/conf/ssl.key/server.key from install of rhn-org-httpd-ssl-key-pair-test1.localdomain-1.0-1.noarch conflicts with file from package rhn-org-httpd-ssl-key-pair-localhost.localdomain-1.0-1.noarch
 file /etc/pki/spacewalk/jabberd/server.pem from install of rhn-org-httpd-ssl-key-pair-test1.localdomain-1.0-1.noarch conflicts with file from package rhn-org-httpd-ssl-key-pair-localhost.localdomain-1.0-1.noarch
Could not install /root/ssl-build/test1.localdomain/rhn-org-httpd-ssl-key-pair-test1.localdomain-1.0-1.noarch.rpm at /usr/bin/rhn-install-ssl-cert.pl line 69.
 
 
Solution:
yum install spacewalk-utils

* Add HOSTNAME to /etc/sysconfig/network, then run:
spacewalk-hostname-rename [IP ADDRESS]
This regenerates the SSL certificates.

* Recreate the CA certificate on the Spacewalk server:

/usr/bin/rhn-ssl-tool --gen-ca --set-country="US" --set-state="NY" --set-city="Golden" --set-org="mypublisher" --set-org-unit="spacewalk.server.com" --set-common-name="spacewalk.server.com" --set-email="webmaster@server.com" --force

  
  

Friday, July 17, 2015

How to check cisco interface index number


 Remotely via SNMP:

 snmpwalk -c {community-name} -v 2c {IP} ifName

for example:
snmpwalk -c public -v 2c 192.168.0.1 ifName 


Locally on Cisco device:

> enable
#show snmp mib ifmib ifindex

[Solved] Nagvis weather map (traffic map) and Centreon & Nagios

To fix weather maps (traffic maps) with Nagvis and Nagios & Centreon you have to fix 3 things:

1. You have to modify the code of the check script (check_centreon_snmp_traffic).
In this script you have to modify the following line:

printf("|traffic_in=".$in_perfparse_traffic_str."Bits/s;$warningBit;$criticalBit;0;$speed_card traffic_out=".$out_perfparse_traffic_str."Bits/s;$warningBit;$criticalBit;0;$speed_card\n");

and replace with:

printf("|traffic_in=".$in_perfparse_traffic_str."Bits/s;$warningBit;$criticalBit;0;$speed_card traffic_out=".$out_perfparse_traffic_str."Bits/s;$warningBit;$criticalBit;0;$speed_card load_In=".$in_usage."%%;$warningBit;$criticalBit;0;0 load_Out=".$out_usage."%%;$warningBit;$criticalBit;0;0 traffic_In=%.2f".$in_prefix."b;".$warningBit.";".$criticalBit.";0;0 traffic_Out=%.2f".$out_prefix."b;".$warningBit.";".$criticalBit.";0;0 \n",$in_traffic,$out_traffic);

2. The next file you have to modify is /usr/share/nagvis/share/frontend/nagvis-js/js/NagVisCompressed.js
 
You have to find the function "drawNagVisLine"  and replace it with:

function drawNagVisLine(objectId, lineType, cuts, x, y, z, width, colorFill, colorFill2, perfdata, colorBorder, bLinkArea, bLabelShow, yOffset) {
    // perfdata indexes as written by the patched check_centreon_snmp_traffic:
    // 0/1 = traffic_in/traffic_out, 2/3 = load_In/load_Out (%), 4/5 = traffic_In/traffic_Out
    for(var i=0; i < x.length; i++) {
        x[i] = parseInt(x[i], 10);
        y[i] = parseInt(y[i], 10);
    }
    var xStart=x[0];
    var yStart=y[0];
    var xEnd=x[x.length - 1];
    var yEnd=y[y.length - 1];
    if(perfdata == null)
        perfdata = [];
    width = parseInt(width, 10);
    var perfdataA="N/A";
    var perfdataB="N/A";
    var cut=cuts[0];
    var cutIn=cuts[1];
    var cutOut=cuts[2];
    switch (lineType) {
        case '10':
            if(x.length == 2) {
                var xMid=middle(xStart, xEnd, cut);
                var yMid=middle(yStart, yEnd, cut);
            } else {
                var xMid=x[1];
                var yMid=y[1];
            }
            drawArrow(objectId, 1, xStart, yStart, xMid, yMid, z, width, colorFill, colorBorder);
            drawLinkOrLabel(objectId, 1, lineType, xMid, yMid, z, perfdataA, perfdataB, bLinkArea, bLabelShow);
            drawArrow(objectId, 2, xEnd, yEnd, xMid, yMid, z, width, colorFill, colorBorder);
            drawLinkOrLabel(objectId, 2, lineType, xMid, yMid, z, perfdataA, perfdataB, bLinkArea, bLabelShow);
            break;
        case '11':
            var xMid=middle(xStart, xEnd, cut);
            var yMid=middle(yStart, yEnd, cut);
            drawArrow(objectId, 1, xStart, yStart, xEnd, yEnd, z, width, colorFill, colorBorder);
            drawLinkOrLabel(objectId, 1, lineType, xMid, yMid, z, perfdataA, perfdataB, bLinkArea, bLabelShow);
            break;
        case '12':
            var xMid=middle(xStart, xEnd, cut);
            var yMid=middle(yStart, yEnd, cut);
            drawSimpleLine(objectId, 1, xStart, yStart, xEnd, yEnd, z, width, colorFill, colorBorder);
            drawLinkOrLabel(objectId, 1, lineType, xMid, yMid, z, perfdataA, perfdataB, bLinkArea, bLabelShow);
            break;
        case '13':
            if(x.length == 2) {
                var xMid=middle(xStart, xEnd, cut);
                var yMid=middle(yStart, yEnd, cut);
            } else {
                var xMid=x[1];
                var yMid=y[1];
            }
            if(isset(perfdata[2]) && isset(perfdata[2][1]) && isset(perfdata[2][2])) // HERE
                perfdataA = perfdata[2][1] + perfdata[2][2]; // HERE
            drawArrow(objectId, 1, xStart, yStart, xMid, yMid, z, width, colorFill, colorBorder);
            drawLinkOrLabel(objectId, 1, lineType, middle(xStart, xMid, cutIn), middle(yStart, yMid, cutIn), z, perfdataA, perfdataB, bLinkArea, bLabelShow);
            if(isset(perfdata[3]) && isset(perfdata[3][1]) && isset(perfdata[3][2])) // HERE
                perfdataA = perfdata[3][1] + perfdata[3][2]; // HERE
            drawArrow(objectId, 2, xEnd, yEnd, xMid, yMid, z, width, colorFill2, colorBorder);
            drawLinkOrLabel(objectId, 2, lineType, middle(xEnd, xMid, cutOut), middle(yEnd, yMid, cutOut), z, perfdataA, perfdataB, bLinkArea, bLabelShow);
            break;
        case '14':
            if(x.length == 2) {
                var xMid=middle(xStart, xEnd, cut);
                var yMid=middle(yStart, yEnd, cut);
            } else {
                var xMid=x[1];
                var yMid=y[1];
            }
            yOffset = yOffset + width;
            if(isset(perfdata[2]) && isset(perfdata[2][1]) && isset(perfdata[2][2])) // HERE
                perfdataA = perfdata[2][1] + perfdata[2][2]; // HERE
            if(isset(perfdata[4]) && isset(perfdata[4][1]) && isset(perfdata[4][2])) // HERE
                perfdataB = perfdata[4][1] + perfdata[4][2] + '/s'; // HERE
            drawArrow(objectId, 1, xStart, yStart, xMid, yMid, z, width, colorFill, colorBorder);
            drawLinkOrLabel(objectId, 1, lineType, middle(xStart, xMid, cutOut), middle(yStart, yMid, cutOut), z, perfdataA, perfdataB, bLinkArea, bLabelShow, yOffset);
            if(isset(perfdata[3]) && isset(perfdata[3][1]) && isset(perfdata[3][2])) // HERE
                perfdataA = perfdata[3][1] + perfdata[3][2]; // HERE
            // all three checks must look at index 5 (traffic_Out); the original had perfdata[3][2] here by mistake
            if(isset(perfdata[5]) && isset(perfdata[5][1]) && isset(perfdata[5][2])) // HERE
                perfdataB = perfdata[5][1] + perfdata[5][2] + '/s'; // HERE
            drawArrow(objectId, 3, xEnd, yEnd, xMid, yMid, z, width, colorFill2, colorBorder);
            drawLinkOrLabel(objectId, 3, lineType, middle(xEnd, xMid, cutIn), middle(yEnd, yMid, cutIn), z, perfdataA, perfdataB, bLinkArea, bLabelShow, yOffset);
            break;
        case '15':
            if(x.length == 2) {
                var xMid=middle(xStart, xEnd, cut);
                var yMid=middle(yStart, yEnd, cut);
            } else {
                var xMid=x[1];
                var yMid=y[1];
            }
            yOffset = yOffset + width;
            if(isset(perfdata[4]) && isset(perfdata[4][1]) && isset(perfdata[4][2])) // HERE
                perfdataA = perfdata[4][1] + perfdata[4][2] + '/s'; // HERE
            drawArrow(objectId, 1, xStart, yStart, xMid, yMid, z, width, colorFill, colorBorder);
            drawLinkOrLabel(objectId, 1, lineType, middle(xStart, xMid, cutOut), middle(yStart, yMid, cutOut), z, perfdataA, perfdataB, bLinkArea, bLabelShow, yOffset);
            if(isset(perfdata[5]) && isset(perfdata[5][1]) && isset(perfdata[5][2])) // HERE
                perfdataA = perfdata[5][1] + perfdata[5][2] + '/s'; // HERE
            drawArrow(objectId, 3, xEnd, yEnd, xMid, yMid, z, width, colorFill2, colorBorder);
            drawLinkOrLabel(objectId, 3, lineType, middle(xEnd, xMid, cutIn), middle(yEnd, yMid, cutIn), z, perfdataA, perfdataB, bLinkArea, bLabelShow, yOffset);
            break;
        default:
            alert('Error: Unknown line type');
    }
}

Find another function "drawLine" and replace with:
 
drawLine: function() {
    var x=this.parseCoords(this.conf.x, 'x');
    var y=this.parseCoords(this.conf.y, 'y');
    var width=addZoomFactor(this.conf.line_width);
    if(width <= 0)
        width = 1; // minimal width for lines
    var colorFill='';
    var colorFill2='';
    var colorBorder='#000000';
    var setPerfdata=[];
    setPerfdata[0] = Array('dummyPercentIn', 88, '%', 85, 98, 0, 100);
    setPerfdata[1] = Array('dummyPercentOut', 99, '%', 85, 98, 0, 100);
    setPerfdata[2] = Array('dummyActualIn', 88.88, 'mB/s', 850, 980, 0, 1000);
    setPerfdata[3] = Array('dummyActualOut', 99.99, 'mB/s', 850, 980, 0, 1000);
    switch (this.conf.summary_state) {
        case 'UNREACHABLE':
        case 'DOWN':
        case 'CRITICAL':
        case 'WARNING':
        case 'UNKNOWN':
        case 'ERROR':
        case 'UP':
        case 'OK':
        case 'PENDING':
            colorFill = oStates[this.conf.summary_state].color;
            break;
        default:
            colorFill = '#FFCC66';
            break;
    }
    if(this.conf.line_type == 13 || this.conf.line_type == 14 || this.conf.line_type == 15) {
        colorFill  = '#000000';
        colorFill2 = '#000000';
        setPerfdata = splicePerfdata(this.conf.perfdata);
        if(setPerfdata == 'empty'
           || !isset(setPerfdata[0]) || setPerfdata[0][0] == 'dummyPercentIn'
           || !isset(setPerfdata[1]) || setPerfdata[1][0] == 'dummyPercentOut'
           || (this.conf.line_type == 14 && (
                  !isset(setPerfdata[2]) || setPerfdata[2][0] == 'dummyActualIn'
               || !isset(setPerfdata[3]) || setPerfdata[3][0] == 'dummyActualOut'))) {
            var msg="Missing performance data - ";
            if(setPerfdata == 'empty')
                msg += "perfdata string is empty";
            else {
                if(isset(setPerfdata[0]) && setPerfdata[0][0] == 'dummyPercentIn')
                    msg += "value 1 is \'" + setPerfdata[0][1] + "\'";
                if(isset(setPerfdata[1]) && setPerfdata[1][0] == 'dummyPercentOut')
                    msg += " value 2 is \'" + setPerfdata[1][1] + "\'";
                if(this.conf.line_type == 14) {
                    if(isset(setPerfdata[2]) && setPerfdata[2][0] == 'dummyActualIn')
                        msg += " value 3 is \'" + setPerfdata[2][1] + "\'";
                    if(isset(setPerfdata[3]) && setPerfdata[3][0] == 'dummyActualOut')
                        msg += " value 4 is \'" + setPerfdata[3][1] + "\'";
                }
            }
            this.conf.summary_output += ' (Comp:Bouh: ' + msg + ')';
        } else {
            // index 2 = load_In and index 3 = load_Out, the percentages written
            // by the patched check_centreon_snmp_traffic
            if(setPerfdata[2][2] === null || setPerfdata[2][2] === '' //HERE
               || setPerfdata[3][2] === null || setPerfdata[3][2] === '') { //HERE
                setPerfdata = this.calculateUsage(setPerfdata);
            }
            // inbound arrow colour from load_In
            if(setPerfdata[2][2] !== null && setPerfdata[2][2] == '%' && setPerfdata[2][1] !== null) { //HERE
                colorFill = this.getColorFill(setPerfdata[2][1]); //HERE
            } else {
                colorFill = '#000000';
                this.perfdataError('First', setPerfdata[2][1], this.conf.name, this.conf.service_description); //HERE
            }
            // outbound arrow colour from load_Out (index 3; the original repeated index 2 here)
            if(setPerfdata[3][2] !== null && setPerfdata[3][2] == '%' && setPerfdata[3][1] !== null) { //HERE
                colorFill2 = this.getColorFill(setPerfdata[3][1]); //HERE
            } else {
                colorFill2 = '#000000';
                this.perfdataError('Second', setPerfdata[3][1], this.conf.name, this.conf.service_description); //HERE
            }
        }
    }
    if(this.conf.summary_problem_has_been_acknowledged === 1 || this.conf.summary_in_downtime === 1) {
        colorBorder = '#666666';
        colorFill = lightenColor(colorFill, 100, 100, 100);
    }
    var cuts=[this.conf.line_cut, this.conf.line_label_pos_in, this.conf.line_label_pos_out];
    drawNagVisLine(this.conf.object_id, this.conf.line_type, cuts, x, y,
                   this.conf.z, width, colorFill, colorFill2, setPerfdata, colorBorder,
                   this.needsLineHoverArea(),
                   (this.conf.line_label_show && this.conf.line_label_show === '1'),
                   parseInt(this.conf.line_label_y_offset));
},

And that's all!
 
 
found here 

Wednesday, April 22, 2015

How to get a list of users logged on vsftpd ?

The easiest way is to set setproctitle_enable=YES in vsftpd.conf; then ps aux on the host shows the connected users.

Also, if vsftpd is PAM-enabled, enable session_support in vsftpd.conf.

Tuesday, March 31, 2015

Selinux blocked access via SSH authorized_keys


How to fix selinux context ?

 

To fix login for users with home in /home:

semanage fcontext -at home_root_t /home
semanage fcontext -at user_home_dir_t /home/user
semanage fcontext -at ssh_home_t /home/user/.ssh
semanage fcontext -at ssh_home_t /home/user/.ssh/authorized_keys
restorecon -Rv /home


For users whose home is in a directory other than /home, for example /data/home (the first line is needed because /data is a separate file system; without it, login still did not work):

semanage fcontext -at root_t /data
semanage fcontext -at home_root_t /data/home
semanage fcontext -at user_home_dir_t /data/home/rarus/
semanage fcontext -at ssh_home_t /data/home/rarus/.ssh/
semanage fcontext -at ssh_home_t /data/home/rarus/.ssh/authorized_keys
restorecon -Rv /data/home


Tuesday, March 3, 2015

Unexpected DDOS: Blocking China with ipset and iptables

Blocking China

As Craig discusses, there's really no option but to block everyone from China. Unfortunately for me, I wasn't using ipfw as a firewall so I couldn't follow his advice. Having finally figured out how to do this I thought I'd write a step-by-step guide assuming you've not got a firewall already set up.
Note: this all assumes you run Debian.

Set up iptables

iptables is a firewall application for Linux and it's already installed on Debian systems.
If you already have iptables set up and in use, skip this section and go straight to the ipset section.
Create a file where we can declare some rules to use:
sudo nano /etc/iptables.firewall.rules
Inside there you'll want to paste the following:
*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
Save that. Next, we need to apply those rules – this is just a text file, and we need to instruct iptables to actually use it.
sudo iptables-restore < /etc/iptables.firewall.rules
That should have loaded the rules and applied them; you can check by
iptables -L
The output of that command ought to look like
Chain INPUT (policy ACCEPT)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere
   REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
   ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
   ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
   ACCEPT     icmp --  anywhere             anywhere
   LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
   DROP       all  --  anywhere             anywhere

   Chain FORWARD (policy ACCEPT)
   target     prot opt source               destination
   DROP       all  --  anywhere             anywhere

   Chain OUTPUT (policy ACCEPT)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere
Great, it's working! But if you reboot the server it won't be. So let's fix that by creating a file which will run at boot.
sudo nano /etc/network/if-pre-up.d/firewall
Inside that file paste:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
Save it. Now we must make sure it's allowed to execute:
sudo chmod +x /etc/network/if-pre-up.d/firewall
Done. The firewall is now running with those rules applied and those rules will be re-applied every time the server reboots. But it's not blocking China yet; it's only blocking anything not on port 80 or 443 (http and https).

Using ipset to block China

You can't manually add a few thousand IP addresses to your iptables, and even doing it automatically is a bad idea because it can cause a lot of CPU load (or so I've read). Instead we can use ipset, which is designed for this sort of thing. ipset handles big lists of IP addresses; you just create a list and then tell iptables to use that list in a rule.
Note: I assume that the entirety of the following is done as root. Adjust accordingly if your system is based on sudo.
apt-get install ipset
Next, I wrote a small Bash script to do all the work, which you should be able to understand from the comments in it. Create a file:
nano /etc/block-china.sh
Here's what you want to paste into it:
#!/bin/sh
# Create the ipset list; -exist makes this a no-op when the set already exists from a previous run
ipset -exist create china hash:net

# Pull the latest IP set for China into /etc/cn.zone; keep the old list if the download fails
wget -q -O /etc/cn.zone.new http://www.ipdeny.com/ipblocks/data/countries/cn.zone \
    && mv /etc/cn.zone.new /etc/cn.zone \
    || { echo "download failed, keeping the current list" >&2; rm -f /etc/cn.zone.new; exit 1; }

# Empty the set, then add each network from the downloaded list into the ipset 'china'
ipset flush china
for i in $(cat /etc/cn.zone); do ipset -exist add china "$i"; done

# Restore iptables
/sbin/iptables-restore < /etc/iptables.firewall.rules
Save the file. Make it executable:
chmod +x /etc/block-china.sh
This hasn't done anything yet, but it will in a minute when we run the script. First, we need to add a rule into iptables that refers to this new ipset list the script above defines:
nano /etc/iptables.firewall.rules
Add the following line:
-A INPUT -p tcp -m set --match-set china src -j DROP
Save the file. To be clear, my full iptables.firewall.rules now looks like this:
*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block anything from China
# These rules are pulled from ipset's china list
# The source file is at /etc/cn.zone (which in turn is generated by a shell script at /etc/block-china.sh )
-A INPUT -p tcp -m set --match-set china src -j DROP

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
Right now, nothing has changed with the server because no new rules have been applied; to do so, run the block-china.sh script:
/etc/block-china.sh
This should show some output as it pulls a fresh list of Chinese based IPs and then, after a few seconds or so, it will complete and drop you back to a command prompt.
To test if it worked, run:
iptables -L
You should now see a new rule blocking China – the output ought to look like this:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere             match-set china src
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
Almost done! This works, and will continue to work on reboots. But IP addresses change and that list will grow stale over time. If you want to pull and apply an updated list of IPs you can just run the block-china.sh script again.
We can also set the machine to do that automatically via a cron job:
crontab -e
Add a line such as this:
0 5 * * * /etc/block-china.sh
This will run /etc/block-china.sh at 5am every day. The user running the script will need to be root or have root privileges.
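The "one ipset -A per line" loop in block-china.sh is slow for thousands of networks and leaves the set empty while it reloads. As an added example that is not part of the original post, this function turns the downloaded cn.zone into an "ipset restore" batch that fills a scratch set, validates every line, and swaps the scratch set in atomically; the set name "china" is the one from the post and the file format is assumed to be ipdeny.com's one-network-per-line.

```shell
#!/bin/sh
# Added example, not from the original post: turn the downloaded cn.zone
# list into an "ipset restore" batch instead of calling "ipset -A" once per
# network.  The batch fills a scratch set and then swaps it in, so the live
# "china" set is never empty while the list is being reloaded, and every
# line is validated so a corrupted or tampered download can only ever
# contribute plain IPv4 networks.
# Assumptions (hypothetical): SETNAME is the set used in the iptables rule
# ("china" in the post) and ZONEFILE is in ipdeny.com format (one address
# or CIDR per line).  Load the result with:
#     ipset restore -exist < /etc/china.restore

# build_ipset_restore SETNAME ZONEFILE
# Writes the batch to stdout and malformed lines to stderr.
# Returns 1 if the file cannot be read or yields no valid network at all.
build_ipset_restore() {
    setname=$1
    zonefile=$2
    if [ ! -r "$zonefile" ]; then
        echo "cannot read $zonefile" >&2
        return 1
    fi
    awk -v set="$setname" '
        # a.b.c.d or a.b.c.d/NN with every octet 0-255 and prefix 0-32
        function valid_cidr(s,    parts, oct, n, i) {
            n = split(s, parts, "/")
            if (n < 1 || n > 2) return 0
            if (n == 2 && (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32)) return 0
            if (split(parts[1], oct, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (oct[i] !~ /^[0-9]+$/ || oct[i] + 0 > 255) return 0
            return 1
        }
        BEGIN {
            tmp = set "_new"
            # scratch set is (re)created and emptied; "ipset restore -exist"
            # makes the create lines harmless when the sets already exist
            print "create " tmp " hash:net family inet"
            print "flush " tmp
            print "create " set " hash:net family inet"
        }
        {
            sub(/[ \t\r]+$/, "")               # trailing whitespace / CR
            if ($0 == "" || $0 ~ /^#/) next    # blank lines and comments
            if (valid_cidr($0)) {
                print "add " tmp " " $0
                good++
            } else {
                print "skipping malformed line: " $0 > "/dev/stderr"
            }
        }
        END {
            # atomically replace the live set, then drop the scratch set
            print "swap " tmp " " set
            print "destroy " tmp
            exit (good > 0) ? 0 : 1
        }
    ' "$zonefile"
}
```

ipset contents are not kept across a reboot, so the same batch has to be loaded with "ipset restore -exist" from /etc/network/if-pre-up.d/firewall before iptables-restore runs; otherwise the --match-set rule fails to load and the whole rule set stays unapplied.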

Going Further

I don't think there's much more a server admin can do to protect themselves against DDOS. The next thing to try would be a service such as CloudFlare, which has clever and automated protection from this sort of stuff.

References

As is often the case, this post is cobbled together from other sources as I figured out what needed doing. The ever reliable Linode documentation is responsible for the initial iptables part, and the gist of the ipset was from dr0u. My thanks to both!

found at https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables/

Wednesday, February 11, 2015

Remove little black rectangle on screen - raspberry pi

To rid yourself of the annoying little black rectangle do the following; it's only a workaround, but it does work.


Create a script, mine starts my kiosk as well so is called /home/pi/screen.sh

this script should look like:
#!/bin/bash
startx --help
while true; do chromium --kiosk --incognito --enable-plugins http://your-web-address-here.html; sleep 180s; done


The 2nd line is my kiosk; you probably won't need it but I put it there anyway.

Then add the following line
 @/home/pi/screen.sh

to the file:

/etc/xdg/lxsession/LXDE-pi/autostart

Reboot and watch the splash screen, followed by a brief black flash and then your screenly, kiosk, or whatever you're running, without the black rectangle.

Custom boot / splash screen - Raspberry Pi

Displaying an image during boot instead of the default command line scrolling text - custom boot/splash screen on Raspberry Pi

This is based on the guide here. 
This solution works, but there are a few seconds of text shown before the boot image appears.
To hide it, edit /boot/cmdline.txt and change the console setting to:

console=tty3

and add:

logo.nologo

To see the boot messages, switch to that console with Alt+F3.
Install fbi

sudo apt-get install fbi
Copy the splashscreen image to be used
Copy your custom splash image into: /etc/ and name it "splash.png".
Presumably the resolution to use is 1920x1080px.
Create A Script

sudo nano
 
Paste the following into the text editor:

#! /bin/sh
### BEGIN INIT INFO
# Provides:          asplashscreen
# Required-Start:
# Required-Stop:
# Should-Start:      
# Default-Start:     S
# Default-Stop:
# Short-Description: Show custom splashscreen
# Description:       Show custom splashscreen
### END INIT INFO


do_start () {

    /usr/bin/fbi -T 1 -noverbose -a /etc/splash.png    
    exit 0
}

case "$1" in
  start|"")
    do_start
    ;;
  restart|reload|force-reload)
    echo "Error: argument '$1' not supported" >&2
    exit 3
    ;;
  stop)
    # No-op
    ;;
  status)
    exit 0
    ;;
  *)
    echo "Usage: asplashscreen [start|stop]" >&2
    exit 3
    ;;
esac

:


Exit and save the file as: /etc/init.d/asplashscreen

(using a name starting with 'a' will ensure it runs first)
Finally make the script executable and install it for init mode:

sudo chmod a+x /etc/init.d/asplashscreen
sudo insserv /etc/init.d/asplashscreen

sudo reboot 
 

Getting Out Of Black Screen

If you get a black screen at the end of booting (if you've not setup auto running the GUI etc) use CTRL + ALT + F2 to get the command prompt
 
 
found at http://www.raspberry-projects.com/pi/pi-operating-systems/raspbian/custom-boot-up-screen 

Tuesday, February 3, 2015

Centos 7 and XRDP

To install XRDP on Centos 7 the best way is:

1. install nux repo
# rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-1.el7.nux.noarch.rpm

2. Install xrdp with gnome and vnc server

Install Gnome
# yum groupinstall "GNOME Desktop" "Graphical Administration Tools"

Install xrdp and tigervnc
# yum -y install xrdp tigervnc-server

3. When it is installed, let's start the xrdp service.
 
# systemctl start xrdp.service

Setup ssh keys between servers

1. Create key
# ssh-keygen -t rsa

2. Copy id to other server
#  ssh-copy-id [email protected]

-- type password.

From now on you can login without password just:

#ssh server.address.com

Friday, January 9, 2015

How to mount LVM partitions from rescue mode (Fedora/CentOS/RedHat)


Boot your rescue media.

Scan for volume groups:
# lvm vgscan -v

Activate all volume groups:
# lvm vgchange -a y

List logical volumes:
# lvm lvs --all

With this information, and the volumes activated, you should be able to mount the volumes:
# mount /dev/volumegroup/logicalvolume /mountpoint


found at: http://jim-zimmerman.com/?p=587

Wednesday, January 7, 2015

How can I get my external IP address in bash?



I'd recommend getting it directly from a DNS server.
Most of the answers here all go over HTTP to a remote server. Some of them require parsing of the output, or rely on the User-Agent header to make the server respond in plain text. They also change quite frequently (go down, change their name, put up ads, might change output format etc.).
  1. The DNS response protocol is standardised (the format will stay compatible).
  2. Historically DNS services (OpenDNS, Google Public DNS, ..) tend to survive much longer and are more stable, scalable and generally better looked after than whatever new hip whatismyip.com HTTP service is hot today.
  3. (for those geeks that care about micro-optimisation), this method should be inherently faster (be it only by a few microseconds).
Using dig with OpenDNS as resolver:

dig +short myip.opendns.com @resolver1.opendns.com
 
Perhaps alias it in your bashrc so it's easy to remember
 
alias wanip='dig +short myip.opendns.com @resolver1.opendns.com'

Responds with a plain ip address:
$ wanip
80.100.192.168
 
found at: http://unix.stackexchange.com/questions/22615/... 
