Posts filed under ‘Linux’

How To Find My Public IP Address From Command Line On a Linux

On machines with a GUI there are several ways to find the public IP address. In a Linux shell environment, however, you need to rely on commands (even though third-party tools are available).

Open a terminal window and type one of the commands below:

#dig +short myip.opendns.com @resolver1.opendns.com

OR

dig TXT +short o-o.myaddr.l.google.com @ns1.google.com

Source: https://www.cyberciti.biz/


January 20, 2022 at 11:05 am

What is the most secure way to allow a user read access to a log file

I am running Splunk Enterprise on a Linux server in our environment. Our security standards prevent Splunk from running as the root user, so the Splunk user cannot read critical Linux logs such as audit, messages and secure.

There are several ways to grant that access; in this post I am using the ACL method.

First, set ACLs on the files in the /var/log folder. My Splunk instance runs as the user splunkadmin:

# setfacl -m g:splunkadmin:r /var/log/messages
# setfacl -m g:splunkadmin:r /var/log/secure
# setfacl -m g:splunkadmin:r /var/log/maillog

The above ACLs are not retained when the logs are rotated, so you need a postrotate action that re-applies them:

1) Create a text file in /etc/logrotate.d (my file name is SplunkACLs).
2) Add the below entries to the file:
/var/log/messages /var/log/secure /var/log/maillog {
    postrotate
        /usr/bin/setfacl -m g:splunkadmin:r /var/log/maillog
        /usr/bin/setfacl -m g:splunkadmin:r /var/log/messages
        /usr/bin/setfacl -m g:splunkadmin:r /var/log/secure
    endscript
}

Note that logrotate does not accept a second stanza for a log it already rotates (it reports a duplicate log entry and skips it), so if these files are already listed in /etc/logrotate.d/syslog, add the postrotate lines to that existing stanza instead of a new file.

You can verify the ACLs using:
#getfacl /var/log/messages
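Added example (not from the original post or from Splunk): it parses the text that getfacl prints and applies the ACL mask, because a group:splunkadmin:r-- entry is only effective when the mask also contains r, and a later chmod on the file (for example from a logrotate create line) rewrites that mask. The getfacl dump below is constructed; check_log_acl runs the real getfacl on a path.

```python
import subprocess

# Constructed getfacl long-format dump, modelled on the post's files. The
# named entry for splunkadmin is present but the mask is ---, so getfacl
# reports it as ineffective: the grant looks right, yet Splunk cannot read.
SAMPLE_ACL = """\
# file: var/log/messages
# owner: root
# group: root
user::rw-
group::---
group:splunkadmin:r--           #effective:---
mask::---
other::---
"""

def parse_acl(text):
    """Return (tag, qualifier, perms) tuples, dropping comment lines and
    getfacl's '#effective:' annotations."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms))
    return entries

def effective_perms(entries, tag, qualifier=""):
    """Permissions of one entry after the POSIX ACL mask is applied: the
    mask limits named users, named groups and the owning group, while the
    file owner and 'other' are never masked."""
    mask = next((p for t, q, p in entries if t == "mask"), "rwx")
    for t, q, p in entries:
        if t == tag and q == qualifier:
            if (tag == "user" and qualifier == "") or tag == "other":
                return p
            return "".join(c if c in mask else "-" for c in p)
    return "---"

def group_can_read(entries, group):
    return "r" in effective_perms(entries, "group", group)

def world_readable(entries):
    """True if 'other' can read, i.e. wider than the least-privilege goal."""
    return "r" in effective_perms(entries, "other")

def check_log_acl(path, group):
    """Run getfacl on a real file; returns (group_can_read, world_readable)."""
    out = subprocess.run(["getfacl", "-p", path], check=True,
                         capture_output=True, text=True).stdout
    entries = parse_acl(out)
    return group_can_read(entries, group), world_readable(entries)
```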

The steps for the audit log are different.

Check the current permissions:
#ls -l /var/log/audit/audit.log
-rw------- 1 root root 3531590 Jun 1 00:20 /var/log/audit/audit.log

Then edit /etc/audit/auditd.conf and change the log_group parameter from root to splunkadmin:
log_group = splunkadmin

Restart the auditd service:
#service auditd restart

You can re-verify the permissions:
#ls -l /var/log/audit/audit.log
-rw-r----- 1 root splunkadmin 3532862 Jun 1 00:24 /var/log/audit/audit.log

Source:

https://www.thegeekdiary.com/how-to-change-the-default-permissions-on-var-log-audit-audit-log-file-in-centos-rhel/

https://newbedev.com/what-is-the-most-secure-way-to-allow-a-user-read-access-to-a-log-file

January 5, 2022 at 1:23 pm

How to create an Ubuntu 18.04.5 template in vSphere ESXi 6.7

As usual, create a VM and install Ubuntu into it. Then follow the steps below to strip out the machine-specific data so that it is not propagated to the VMs you create from the template.

+Update the OS
#sudo apt -y update
#sudo apt -y upgrade

+Clear the login records
#truncate -s0 /var/log/wtmp
#truncate -s0 /var/log/lastlog

+Clear the tmp directories
#rm -rf /tmp/*
#rm -rf /var/tmp/*

+Clear the SSH host keys
#rm -f /etc/ssh/ssh_host_*

+Reset the hostname
#sed -i 's/preserve_hostname: false/preserve_hostname: true/g' /etc/cloud/cloud.cfg
#truncate -s0 /etc/hostname
#hostnamectl set-hostname localhost

+Clean apt
#apt clean

+Remove the default *.yaml file from /etc/netplan. VMware customization will create its own file, 99-netcfg-vmware.yaml.
#rm -f /etc/netplan/*.yaml

+Reset the machine id
#echo -n > /etc/machine-id

+Clear the history and shut down the VM
#history -c
#shutdown -h now

On vCenter you need to create a VM customization specification to be used when deploying VMs from the template (see the post "How to create a RHEL 7 template in vSphere ESXi 6.7" for the steps).

However, when I created VMs from this template I realised that:

  • All the VMs have the same hostid. Some applications use the hostid in their licensing, so it has to be unique across the VMs. Since I did not find a way to solve this while deploying the VMs, I had to make the manual modification below on each VM after it was created.

    #vi /etc/hosts
    replace the line "127.0.1.1 localhost" with
    your IP, FQDN and hostname (e.g. 1.1.1.1 server.test.local server).

  • You need to manually tick the "Connected" option on the VM's network adapter in the VM properties.

October 14, 2020 at 4:19 pm

Free Radius : Auth: (0) Invalid user (Rejected: User-Name contains multiple ..s): [xxx]

Recently we performed a yum update on our FreeRADIUS server; the new version is FreeRADIUS 3.0.13. Right after that we started receiving complaints from users that they could not log in to the network devices.

After reviewing the logs, we noticed the error "Auth: (0) Invalid user (Rejected: User-Name contains multiple ..s)" being logged during authentication. This is due to a change in the filter policy file (/etc/raddb/policy.d/filter).

Before Update:

if (&User-Name =~ /\\.\\./ ) {

After Update:

if (&User-Name =~ /\.\./ ) {

The new regex syntax no longer double-escapes backslashes, so you need to ensure that correct_escapes = true is set in /etc/raddb/radiusd.conf.
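An added illustration (not FreeRADIUS code) of why the update locked everyone out: legacy_unescape is a simplified model of the pre-correct_escapes parser, which stripped one level of backslashes before the pattern reached the regex engine. With that legacy behaviour still active, the new file's \.\. collapses to .., which matches any two characters, so every User-Name is rejected; the reverse mismatch (old file, new parser) silently disables the check instead.

```python
import re

def legacy_unescape(pattern_in_file):
    """Simplified model of the pre-correct_escapes behaviour: one level of
    backslashes is consumed before the regex engine sees the pattern
    (illustration only, not FreeRADIUS's own parser)."""
    return re.sub(r"\\(.)", r"\1", pattern_in_file)

def compile_filter(pattern_in_file, correct_escapes):
    """Turn the pattern text as written in policy.d/filter into a regex."""
    if correct_escapes:
        pattern = pattern_in_file            # used verbatim
    else:
        pattern = legacy_unescape(pattern_in_file)
    return re.compile(pattern)

def user_rejected(user_name, pattern_in_file, correct_escapes):
    """True if the filter_username policy would reject this User-Name."""
    return compile_filter(pattern_in_file, correct_escapes).search(user_name) is not None

OLD_FILE = r"\\.\\."   # pattern in policy.d/filter before the update
NEW_FILE = r"\.\."     # pattern in policy.d/filter shipped with 3.0.13

def outage_table():
    """(file, correct_escapes) -> (normal user rejected?, 'a..b' rejected?)."""
    return {
        (name, setting): (user_rejected("alice", pat, setting),
                          user_rejected("a..b", pat, setting))
        for name, pat in (("old", OLD_FILE), ("new", NEW_FILE))
        for setting in (False, True)
    }
```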

Source: https://access.redhat.com/solutions/3241961

September 27, 2020 at 11:34 am

How to properly update kernel in RHEL/CentOS 7/8 Linux

After a yum update on CentOS 7 or later, you may notice that the running kernel version has not changed. You can verify the current version with the commands below:

#uname -r
#hostnamectl

You can confirm whether the new kernel was installed successfully with the commands below:

#yum list kernel
#grep saved /boot/grub2/grubenv

To boot into the new kernel you need to restart the server.

In some cases you need to manually select the kernel version to boot, using the commands below:

#awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg

(If multiple kernels are installed, all of them are listed, numbered 0, 1 and so on. In this example the newest version is entry 0.)

#sudo grub2-set-default 0

Source1: https://www.howtoforge.com/
Source2: https://www.golinuxcloud.com/

September 20, 2020 at 2:25 pm

How to modify the iSCSI initiator ID in Linux

When you deploy Linux VMs from a template (in ESXi), you may find that the iSCSI initiator ID on these VMs is identical. To resolve this we need to change the iSCSI initiator IDs.

If you have already logged in to the iSCSI session, log out first:

#iscsiadm -m node -T iqn.xxxxxxxxxxxxxx -p iscsiserver-ip -u

Then back up the file initiatorname.iscsi:
#cp /etc/iscsi/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi.bak

and generate a new initiator name:
#echo "InitiatorName=`/sbin/iscsi-iname`" > /etc/iscsi/initiatorname.iscsi

Then log in to the iSCSI session again:
#iscsiadm -m node -T iqn.xxxxxxxxxxxxxx -p iscsiserver-ip -l


Source: https://www.thegeekdiary.com/



September 15, 2020 at 8:47 am

sudo: effective uid is not 0, is sudo installed setuid root

When messing with ACLs you may end up in a situation where sudo stops working: when you type sudo you get the error "sudo: effective uid is not 0, is sudo installed setuid root".

To diagnose the issue:

Step 1:
Check in /etc/sudoers that the user or group has actually been added, e.g. for the user abc:

abc        ALL=(ALL)       NOPASSWD: ALL

Step 2: if step 1 looks correct, check the permissions on the sudo binary as below (output from a working sudo):

# ls -l /usr/bin/sudo
---s--x--x 2 root root 190904 Mar 4 18:21 /usr/bin/sudo

# stat /usr/bin/sudo

Access: (4111/---s--x--x) Uid: ( 0/ root) Gid: ( 0/ root)

If your output does not match step 2, you can reset the permissions to the package defaults:

# rpm --setperms sudo

 

 

May 11, 2020 at 12:35 pm

How can I create a disk partition on a disk that is greater than 2TB in size on Red Hat Enterprise Linux?

To partition a disk larger than 2 TB you must use the parted utility instead of fdisk. In this example my disk is /dev/sdj.

#parted /dev/sdj
Using /dev/sdj
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted)

(parted) mklabel          <-- creates a new (GPT) disk label on the disk
Warning: The existing disk label on /dev/sdj will be destroyed and all data on this disk will be lost. Do you want to continue?
Yes/No? Yes
New disk label type? [gpt]? gpt
(parted)

(parted) print

Model: Linux device-mapper (dm)
Disk /dev/sdj: 5662310.4MB          <-- note down this value, it is used in the mkpart command below
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start  End  Size  File system  Name  Flags

Create the partition:
(parted) mkpart primary 0 5662310.4MB

(parted) print            <-- use this command to verify the partition created

Unlike fdisk, parted does not need a write command to save the changes. Simply type quit to exit the parted utility. Thereafter you can proceed with the file system creation.

Root Cause

The fdisk command only supports the legacy MBR partition table format (also known as msdos partition table)

* MBR partition tables use data fields with a maximum of 32-bit sector numbers, so with 512 bytes/sector a maximum of 2^(32+9) bytes per disk or partition is supported.
* MBR partition tables therefore cannot address data on disks beyond 2.19TB.
Note that some older versions of fdisk may permit a larger size to be created, but the resulting partition table will be invalid.

The parted command can create disk labels using MBR (msdos), GUID Partition Table (GPT), SUN disk labels and many more types.

* The GPT disk label overcomes many of the limitations of the DOS MBR including restrictions on the size of the disk, the size of any one partition and the overall number of partitions.
* Note that booting from a GPT labelled volume requires firmware support and this is not commonly available on non-EFI platforms (including x86 and x86_64 architectures).

Source:
https://access.redhat.com/solutions/4281 

March 15, 2020 at 12:59 pm

How to reject emails that are tagged as SPAM by SpamAssassin

Hi Guys,

I have written a separate blog post on how to configure SpamAssassin, spamass-milter and Sendmail to combat SPAM. This article focuses on how to reject emails that SpamAssassin has tagged as SPAM. By default the emails are not rejected; they are delivered through the MTA as they are.

To achieve this, edit the spamass-milter configuration file /etc/sysconfig/spamass-milter and uncomment the line

EXTRA_FLAGS="-m -r 15"

Then set the -r value (the SpamAssassin score at or above which mail is rejected) to suit your needs, and leave -m as it is; -m stops spamass-milter from modifying the message headers. In my case I set the -r value to 5. Do not forget to restart the spamassassin, spamass-milter and sendmail services.

That’s it.

April 8, 2019 at 11:33 am

How to Configure Sendmail & SpamAssassin for SPF Check

We had a Sendmail server (8.14.7) running on CentOS; it acts as a secondary MX and smart host for many domains. In this scenario we decided to install SpamAssassin so that the Sendmail server validates SPF records before accepting email. The post below explains the whole process, with a few notes on the troubleshooting I had to do during the installation and configuration stages.

- Sendmail (already installed and running)

- SpamAssassin v3.4.0 (already installed with CentOS; use spamassassin -V to check the version)

- spamass-milter

So let’s start with the process;

+ Install spamass-milter

# yum install perl-Mail-SPF perl-Mail-DKIM perl-Razor-Agent pyzor poppler-utils re2c    (these are the prerequisites)

# Download the RPM from https://centos.pkgs.org/7/epel-x86_64/spamass-milter-0.4.0-7.el7.x86_64.rpm.html and install it with rpm -i "rpm name"

+ Start the spamassassin & spamass-milter services

# systemctl start spamassassin

# systemctl start spamass-milter.service

Now we need to make the sendmail daemon use the milter for anti-spam processing. Add the lines below to sendmail.mc (** do not forget to back up the file before modifying it).

======================================================================================

dnl #
dnl # SPAMASSASSIN dnl
dnl **
dnl ** enable spamassassin-milter to scan for spam using spamassassin **
dnl **
INPUT_MAIL_FILTER(`spamassassin', `S=unix:/var/run/spamass-milter/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl
dnl # END LOCAL ADDITIONS
dnl #

======================================================================================

+ Save the file and quit.

+ Compile the Sendmail configuration and restart the sendmail service.

# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf    (or simply type make)

# systemctl restart sendmail

To confirm that all these components work together with the SPF check, run:

# spamassassin -D < /usr/share/doc/spamassassin-3.4.0/sample-spam.txt 2>&1 |grep -i spf

Then check whether incoming email is actually being passed through the SPF check:

# grep spf /var/log/maillog

If it is not working you should look for errors and start troubleshooting. In my case it was throwing the error below:

"Mar 4 15:34:20 mail spamd[11685]: spf: lookup failed: addr is not a string at /usr/share/perl5/vendor_perl/IO/Socket/IP.pm line 662."

After a few minutes of googling we found that this was a bug in the perl-Socket module in CentOS 7, so you need to

# yum install epel-release

# yum update perl-Socket --enablerepo=cr

You need to restart the sendmail , spamassassin & spamass-milter services for the changes to take effect and review the log again for any errors.

+ A cron job for SpamAssassin rule updates is created automatically in /etc/cron.d/sa-update.

A piece of advice: do not modify any files in /usr/share/spamassassin, since they are overwritten by SpamAssassin updates. Always put your customizations in /etc/mail/local.cf, which is the system-wide configuration.

Secondly, the sample below shows the kind of customization and whitelisting you can put in local.cf.

 

========================================================================

# How many hits before a message is considered spam.
required_hits 5.0

# Text to prepend to subject if rewrite_subject is used
rewrite_header Subject [*****SPAM*****]

# Encapsulate spam in an attachment
report_safe 1

# Enable the Bayes system
use_bayes 1

# Enable Bayes auto-learning
bayes_auto_learn 1
bayes_path /home/spamd/
bayes_file_mode 0666

# Enable or disable network checks
skip_rbl_checks 0
use_razor2 0
use_dcc 0
use_pyzor 0

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# ok_languages all

# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
# ok_locales all

# Whitelist important senders
whitelist_from *@xyz.xx

========================================================================

 

That's it. During this process I came across useful blog posts and forum threads that helped me with this task; they are listed below for your reference as well.

https://blesseddlo.wordpress.com/2010/04/01/sendmail-spamassassin-spamass-milter-milter-greylist/

https://www.rosehosting.com/blog/how-to-install-spamassassin-on-a-virtual-server-with-centos-6/

https://www.jethrocarr.com/2013/10/26/spf-with-spamassassin/

http://forums.sentora.org/showthread.php?tid=1118

https://it.megocollector.com/linux/install-spamassassin-on-centos-6/

http://forum.icewarp.com/forum/showthread.php?1809-Spamassassin-SPF-and-spoofing

https://centos.org/forums/viewtopic.php?t=60477

https://vamsoft.com/support/tools/spf-policy-tester (this validates the SPF check on your email server)

http://spamassassin.1065346.n5.nabble.com/return-path-test-td1869.html

https://www.howtoforge.com/community/threads/spamassassin-version.74/

 

Update 1:

In January 2018, Barracuda removed the RBL from the SA ruleset (it was in 72_active.cf under /usr/share/spamassassin).

To add this rule back, you need to register via the URL below:

http://barracudacentral.org/account/register

Then manually edit local.cf, add the lines below and restart the services:

ifplugin Mail::SpamAssassin::Plugin::DNSEval

header __RCVD_IN_BRBL eval:check_rbl('brbl','bb.barracudacentral.org')
tflags __RCVD_IN_BRBL net

header __RCVD_IN_BRBL_2 eval:check_rbl_sub('brbl', '127.0.0.2')
meta RCVD_IN_BRBL __RCVD_IN_BRBL_2 && !RCVD_IN_BRBL_LASTEXT
describe RCVD_IN_BRBL Received is listed in Barracuda RBL bb.barracudacentral.org
score RCVD_IN_BRBL 1.2
tflags RCVD_IN_BRBL net

header RCVD_IN_BRBL_LASTEXT eval:check_rbl('brbl-lastexternal', 'bb.barracudacentral.org')
describe RCVD_IN_BRBL_LASTEXT Last external is listed in Barracuda RBL bb.barracudacentral.org
score RCVD_IN_BRBL_LASTEXT 2.2
tflags RCVD_IN_BRBL_LASTEXT net

endif
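A simplified model of how the rules above are evaluated, added here and not part of the original post or of SpamAssassin: check_rbl reverses the octets of each relay address and queries the zone, check_rbl_sub tests for the 127.0.0.2 answer, and the LASTEXT variant looks only at the untrusted relay that handed the message to us. The DNS answers are a constructed table, the trusted_networks argument stands in for SpamAssassin's setting of the same name, and 203.0.113.4 / 192.0.2.9 are documentation addresses used as placeholders.

```python
import ipaddress

ZONE = "bb.barracudacentral.org"
LISTED = "127.0.0.2"   # the A record that check_rbl_sub('brbl', '127.0.0.2') tests for

# Constructed stand-in for DNS answers (query name -> A record) so the
# example runs offline; 203.0.113.4 plays the role of a listed relay.
FAKE_DNS = {"4.113.0.203." + ZONE: LISTED}

def rbl_query_name(ip, zone=ZONE):
    """check_rbl reverses the octets and queries <reversed>.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, resolve=FAKE_DNS.get):
    """resolve() returns the A record text, or None for NXDOMAIN (not listed)."""
    return resolve(rbl_query_name(ip)) == LISTED

def untrusted_hops(received_ips, trusted_networks):
    """Relay IPs from the Received headers (newest first) that are not ours;
    the first one is the 'last external' relay."""
    nets = [ipaddress.IPv4Network(n) for n in trusted_networks]
    return [ip for ip in received_ips
            if not any(ipaddress.IPv4Address(ip) in n for n in nets)]

def brbl_score(received_ips, trusted_networks, resolve=FAKE_DNS.get):
    """Apply the post's rules: 2.2 when the last external relay is listed,
    otherwise 1.2 when any earlier untrusted hop is listed. The meta rule's
    '&& !RCVD_IN_BRBL_LASTEXT' is what makes the two mutually exclusive."""
    hops = untrusted_hops(received_ips, trusted_networks)
    hits = {}
    if hops and is_listed(hops[0], resolve):
        hits["RCVD_IN_BRBL_LASTEXT"] = 2.2
    elif any(is_listed(ip, resolve) for ip in hops):
        hits["RCVD_IN_BRBL"] = 1.2
    return hits, sum(hits.values())
```

Against live DNS the equivalent lookup is dig +short 4.113.0.203.bb.barracudacentral.org, where an answer of 127.0.0.2 means listed.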

Source: http://mail-archives.apache.org/mod_mbox/spamassassin-users/201802.mbox/%3C34073266-bd1c-174c-76e2-d862cc96f007@ena.com%3E

Update 2:

Recently we were blacklisted by backscatter, and the reason given was that we were sending out NDRs for invalid emails. To address this we added the line below to the local.cf configuration file:

whitelist_bounce_relays myrelay.mydomain.net (replace it with your outgoing email server name)

If you have multiple servers, you can add them all here, one per line.

Once the above is added and SpamAssassin is restarted, issue the command below to check for configuration errors:

#spamassassin --lint

The below URL contains additional information to test the backscatter rule via sample bounce messages.

https://wiki.apache.org/spamassassin/VBounceRuleset
https://forums.untangle.com/feedback/11356-backscatter-spamassassin.html

 

Update 3:

After some time we realised that the settings above did not fulfil our requirement, and we had to modify sendmail.mc as below.

Original config:

define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl

Change it to:

define(`confPRIVACY_FLAGS', `authwarnings,nobodyreturn')dnl

Recompile sendmail.cf and restart the sendmail service.

March 5, 2019 at 11:39 am
