create swap partition using swapfile

  1. The TEST server has 4GB of memory and 4GB of swap, which is not enough.
  2. The existing swap partition is created in LVM and there is no scope to increase its size.
  3. To overcome this problem, create a swapfile using the dd command with permission 0600.
  4. Change the file permission to 0600.
  5. Set the file up as a swap area.
  6. Test by enabling swap on the swapfile.
  7. Make this persistent across reboots by adding an entry in fstab.
  8. Always run the mount -a command to check for errors in the fstab file.
  9. Now disable the swap on /swapfile that was enabled manually and check the swap partitions.
  10. Now check boot persistence with the swapon command.
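
The steps above as one script (an added example, not part of the original post), to be run as root with the argument apply. /swapfile is the path from step 9; the 4096 MiB size, the fstab options and the function names are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post). The size, the fstab options and
# the function names are assumptions; run as root with the argument "apply".
SWAPFILE=${SWAPFILE:-/swapfile}
SIZE_MB=${SIZE_MB:-4096}

# Steps 3-4: create the file already restricted to 0600. The umask closes the
# window in which a freshly written swap file would be readable by others.
create_swapfile() {            # $1 = path, $2 = size in MiB
    ( umask 077 && dd if=/dev/zero of="$1" bs=1M count="$2" 2>/dev/null ) &&
        chmod 0600 "$1"
}

# Swap holds paged-out process memory, so anything other than 0600 fails.
swapfile_mode_ok() {           # $1 = path
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Step 7: add the fstab entry only once, so re-running the script is safe.
add_fstab_entry() {            # $1 = swap file path, $2 = fstab file
    grep -q "^$1[[:space:]]" "$2" 2>/dev/null ||
        printf '%s none swap sw 0 0\n' "$1" >> "$2"
}

apply_steps() {
    create_swapfile "$SWAPFILE" "$SIZE_MB"  || return 1   # steps 3-4
    swapfile_mode_ok "$SWAPFILE"            || return 1
    mkswap "$SWAPFILE"                      || return 1   # step 5
    swapon "$SWAPFILE"                      || return 1   # step 6
    add_fstab_entry "$SWAPFILE" /etc/fstab  || return 1   # step 7
    mount -a                                || return 1   # step 8
    swapoff "$SWAPFILE"                     || return 1   # step 9
    swapon -a && swapon -s                                # step 10
}

if [ "${1:-}" = "apply" ]; then apply_steps; fi
```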

ssh jailing with all commands

Steps for ssh jailing

  1. Create a user for the jailed environment and set a password, if the user doesn't exist.
    
    #useradd -m testuser
    #passwd testuser 
  2. Create a directory structure for the secure environment.
    
    (In our case we are creating the secure environment in the /home directory. You can change it according to your requirements.)
    #cd /home
    #mkdir -p secure/home
    #cd /home/secure/home
    #mkdir testuser
    #chown testuser:testuser testuser
    
    
  3. Enable commands for the user in chrooted environment.
    
    #cp -pr /bin /home/secure/
    #cp -fr /lib /home/secure/
    #cp -fr /lib64 /home/secure/
    #mkdir /home/secure/usr
    #cp -pr /usr/lib /home/secure/usr/
    #cp -pr /usr/bin /home/secure/usr/
    #mkdir -p /home/secure/etc/
    #cp -p /etc/environment /home/secure/etc/ 
  4. Configuration for jailing.
    
    Edit the file sshd_config
    #vi /etc/ssh/sshd_config
    
      #SSH JAILING
      Match User testuser
      ChrootDirectory /home/secure
      #ForceCommand internal-sftp   (If you uncomment this line, it will restrict ssh connections and only sftp connections will be allowed)
    
  5. Reload the sshd service.
    
    #service sshd reload
    
  6. After logging in from another server, /home/secure will become your / partition over the ssh connection.
    
    #ssh testuser@<ip>

Chroot Configuration for Group:
  1. Suppose there are multiple users who need to be restricted using chroot.
    Then create a group chroot and add the users to the group
     #groupadd chroot
     #usermod -aG chroot testuser
    
  2. Change the sshd config as given below
     #SSH JAILING
     Match Group chroot
     ChrootDirectory /home/secure
     #ForceCommand internal-sftp (If you uncomment this line, it will restrict ssh connections and only sftp connections will be allowed)
  3. # service sshd reload

Things to remember:
  1. The chroot directory should always have root ownership and permission 755,
    otherwise you will get the error below
    packet_write_wait: Connection to x.x.x.x port 22: Broken pipe
     
  2. Don't forget to copy /etc/environment,
    otherwise you will get the error below while changing shell to bash
    bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
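
A check to run before reloading sshd, as an added example that is not part of the original post: it verifies that every component of the chroot path is root-owned and not writable by group or others (what sshd requires of a ChrootDirectory), warns if etc/environment is missing, and lists the setuid/setgid files that came along with the copied /bin and /usr/bin. The function names are hypothetical; pass the jail path (/home/secure above) as the argument.

```shell
#!/bin/bash
# Added example (not from the original post): audit a ChrootDirectory such as
# /home/secure before reloading sshd. Function names are hypothetical.

# A path component passes when it is owned by the wanted uid (root = 0) and
# neither group nor others may write to it. $2 is the octal mode from stat.
component_ok() {               # $1 = owner uid, $2 = mode, $3 = wanted uid
    [ "$1" = "${3:-0}" ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# sshd checks every component from / down to the jail, so walk them all.
# Prints each failing component and returns 1 if any failed.
check_chroot_path() {          # $1 = jail directory, $2 = wanted uid
    dir=$(readlink -f "$1") || return 2
    want=${2:-0}
    rc=0
    while :; do
        owner=$(stat -c '%u' "$dir") && mode=$(stat -c '%a' "$dir") || return 2
        component_ok "$owner" "$mode" "$want" ||
            { echo "BAD: $dir owner=$owner mode=$mode"; rc=1; }
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# cp -pr of /bin and /usr/bin keeps setuid/setgid bits; list those files so
# they can be reviewed or removed from the jail.
list_setid_files() {           # $1 = jail directory
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

audit_jail() {                 # $1 = jail directory
    check_chroot_path "$1" || return 1
    [ -f "$1/etc/environment" ] || echo "WARN: $1/etc/environment is missing"
    list_setid_files "$1"
}

if [ -n "${1:-}" ]; then audit_jail "$1"; fi
```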

					

Configure WIFI Without GUI in Linux

1) Find out the wireless device name.

#iw dev

2) Check whether the wireless device is up or down.

#ip link show wlan0

3) Scan for wireless networks.

#iw wlan0 scan

To configure and connect to a wireless network without a GUI, the package wpa_supplicant-0.7.3-9.el6.i686 is required.

4) Create a configuration file (replace <SSID> and <passphrase> with your network name and its passphrase).

#wpa_passphrase <SSID> <passphrase> >> /etc/wpa_supplicant/wpa_supplicant.conf

5) Start the device from the command line.

#wpa_supplicant -B -D wext -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf

where -B means run wpa_supplicant in the background.
-D specifies the wireless driver. wext is the generic driver.
-i specifies the wireless interface.
-c specifies the path for the configuration file.

Put the above command in /etc/rc.local so that the system connects to the wireless network automatically after booting.

Enabling rc.local in Debian 9

rc.local is deprecated in Debian 9 by default.

To enable it:

  1. Create the file /etc/systemd/system/multi-user.target.wants/rc.local.service

#vi /etc/systemd/system/multi-user.target.wants/rc.local.service

[Unit]
Description=/etc/rc.local
ConditionPathExists=/etc/rc.local

[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99

[Install]
WantedBy=multi-user.target

  2. #systemctl daemon-reload

  3. #systemctl restart rc.local.service

 

Configure a simple chat server using ejabberd (on Debian)

To create a chat server without LDAP and MySQL for a small organization, follow the steps below. (The same procedure applies to CentOS, but you have to install ejabberd using yum.)

Prerequisites: DNS must be configured for the server, otherwise you will have to use the IP instead of the domain name for configuration.

Install the ejabberd package on the server

# apt-get install ejabberd

Check whether the service is running, so that an admin user can be registered.

Create the admin user by typing the command below

#ejabberdctl register admin localhost passwordforadminuser

Edit the /etc/ejabberd/ejabberd.yml file to set the admin user access and the domain for which we are creating the service.

Edit the default entry as given below

Add the host as given below

Register the admin user as admin for the domain

Go to the browser, open the admin panel https://<your ip or domain>:5280/admin and log in as user admin@localhost

The console will look like the one given below. Click on Virtual Hosts

Select the domain (in my case it's geekonline.in) by clicking it.

Click on Users to create / edit users

Add users as given below

Configure pidgin as below

Enabling usb wifi on CentOS 7

Enabling USB wifi on CentOS is really a difficult job. Most of the time it requires compiling drivers and adding/removing modules, which may be time consuming.

It's better to upgrade the kernel to the latest release.

To upgrade the kernel without kernel compilation, follow the steps below.

Step 1: Install elrepo to your CentOS 7 system

# rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org

# rpm -ivh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm

# yum --enablerepo=elrepo-kernel list available | grep kernel

# yum --enablerepo=elrepo-kernel install kernel-ml*  (select kernel-ml as they are the stable release kernels)

# grub2-set-default "CentOS Linux (4.18.1-1.el7.elrepo.x86_64) 7 (Core)"

Reboot your system and configure the network on the wireless USB card.

 

Mount Google Drive on Linux (Debian) Server

To mount Google Drive on your server, you will require two things.
  1. A project created and configured with OAuth client ID and secret on Google
  2. google-drive-ocamlfuse installed and configured
Create Project

1. Go to https://console.developers.google.com/apis/dashboard and create a new project

Click on create credentials

Select OAuth Client ID

Click on configure Consent Screen

Provide email address and product name

To create the Client ID, select others, provide a Name and click on create

It will give you the OAuth Client ID and Secret. Please note them down and keep them safe.

Installation of google-drive-ocamlfuse on Debian 9
1. First install the required packages
apt-get install libcurl4-gnutls-dev libfuse-dev libgmp-dev libsqlite3-dev camlp4-extra debianutils perl m4 pkg-config zlib1g-dev

2. adduser <user> fuse (adds the user to group fuse; usermod also works)

3. Set the Permissions

#sudo chown root.fuse /dev/fuse
#sudo chmod 660 /dev/fuse

4. Install Google Drive Ocamlfuse

# su <user>
# opam init
# opam update
# opam install depext
# eval `opam config env`
# opam depext google-drive-ocamlfuse
# opam install google-drive-ocamlfuse
# . /home/user/.opam/opam-init/init.sh > /dev/null 2> /dev/null || true

#/home/user/.opam/system/bin/google-drive-ocamlfuse -headless -label googledrive -id <OAuth Client ID> -secret <OAuth Client Secret>

It will give you a URL and ask you to visit it, get the code from the webpage and provide it.

Open that URL in a browser and copy-paste the verification code into the terminal.

Create the mount point

# mkdir /mnt/Google-drive

#  /home/user/.opam/system/bin/google-drive-ocamlfuse -label googledrive /mnt/Google-drive/

The above command enables the mount only for that user and not for others, not even root.

To enable the mount point for user root,

edit the file /etc/fuse.conf and uncomment the line below

#user_allow_other

Then run the command below

#sudo -u user /home/user/.opam/system/bin/google-drive-ocamlfuse -o allow_root -label googledrive /Google-drive/ > /var/log/gdrive_mount.log 2>&1 &

Add the line below to /etc/rc.local

sudo -u user /home/user/.opam/system/bin/google-drive-ocamlfuse -o allow_root -label googledrive /Google-drive/ 2>&1 &

Thus only the user and root will be able to use the mounted drive.

 

Country settings in AWStats



By implementing this setting in AWStats you can track the geolocation of visitors to your website.

Follow the procedure to implement the settings
#mkdir -p /usr/share/GeoIP
#cd /tmp
#wget -N http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
#gunzip GeoIP.dat.gz
#mv GeoIP.dat /usr/share/GeoIP
#wget -N http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz

or

#yum install mod_geoip
#yum install geoipdate
#yum install geoip-devel

Now edit the configuration file for your website in /etc/awstats and search for the lines below

#LoadPlugin="geoip_city_maxmind GEOIP_STANDARD /pathto/GeoIPCity.dat"
#LoadPlugin="geoip GEOIP_STANDARD /pathto/GeoIP.dat"

and change to

LoadPlugin="geoip GEOIP_STANDARD /usr/share/GeoIP/GeoIP.dat"
LoadPlugin="geoip_city_maxmind GEOIP_STANDARD /usr/share/GeoIP/GeoIPCity.dat"

It may give you an error like the one below

To fix this error, run the commands below
#yum install perl-CPAN
#cpan YAML
#cpan Geo::IP::PurePerl Geo::IP
#ldconfig -v

  

Web based terminal : shellinabox

First install epel repository  
#yum install epel-release

Install shellinabox by below command

#yum install shellinabox

The shellinabox config file is located in /etc/default/shellinabox file by default in Debian/Ubuntu systems. In RHEL/CentOS/Fedora, the default location of config file is /etc/sysconfig/shellinaboxd.

To change the web terminal color scheme to white on black, follow these steps

#vim /etc/sysconfig/shellinaboxd
 comment the line below
 OPTS="--disable-ssl-menu -s /:LOGIN"

uncomment the line below
 OPTS="--user-css Normal:+black-on-white.css,Reverse:-white-on-black.css --disable-ssl-menu -s /:LOGIN"

This lets you change the color profile from the right-click menu in the browser.

Restart the service.

Note: sometimes white-on-black.css is not installed. The service will then fail to start or restart and will give an error.

Workaround:

#cd /usr/share/shellinabox/

#cp black-on-white.css white-on-black.css
#sed -i s/ffffff/111111/g white-on-black.css
#sed -i s/000000/ffffff/g white-on-black.css
#sed -i s/111111/000000/g white-on-black.css

Now restart the service.

(You can change colours by changing the hex colour codes in the css.)

For the web terminal, open the link

https://ip-address:4200 (the default port is 4200; you can change it by editing the config file, i.e. /etc/sysconfig/shellinaboxd)



  

Encrypting a shell script

Go to the link https://www.datsi.fi.upm.es/~frosal/sources/ and download the latest stable source for shc.
In this case the latest source is shc-3.8.9b.tgz

#cd /usr/local 
#sudo wget  https://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.9b.tgz
#sudo tar -zxvf shc-3.8.9b.tgz
#cd shc-3.8.9
#make
#make test
#make strings
#make expiration
#mkdir -p /usr/local/man/man1
#make install

Now shc is installed on your system in /usr/local/bin

To encrypt the script

#shc -help gives complete information about how to use the package

shc -help
shc Version 3.8.9b, Generic Script Compiler
shc Copyright (c) 1994-2015 Francisco Rosales <frosal@fi.upm.es>
shc Usage: shc [-e date] [-m addr] [-i iopt] [-x cmnd] [-l lopt] [-rvDTCAh] -f script

 -e %s Expiration date in dd/mm/yyyy format [none]
 -m %s Message to display upon expiration ["Please contact your provider"]
 -f %s File name of the script to compile
 -i %s Inline option for the shell interpreter i.e: -e
 -x %s eXec command, as a printf format i.e: exec('%s',@ARGV);
 -l %s Last shell option i.e: --
 -r Relax security. Make a redistributable binary
 -v Verbose compilation
 -D Switch ON debug exec calls [OFF]
 -T Allow binary to be traceable [no]
 -C Display license and exit
 -A Display abstract and exit
 -h Display help and exit

 Environment variables used:
 Name Default Usage
 CC cc C compiler command
 CFLAGS <none> C compiler flags

 Please consult the shc(1) man page.


###### simple encryption ####
Write a test script like the one below

#!/bin/bash 
echo Test Script

#shc -f test
This will create 2 files: test.x (executable binary) and test.x.c (C source code)

test.x is an executable file.
test.x may or may not run on a system, depending upon the kernel, as it is non-traceable.

To overcome this problem we must compile our script as traceable and redistributable
so that it can run on any system by any user.

#shc -Tf test (or you can write it the simple way: shc -T -f test)

***** Encryption with expiration date and message *****

Provide the expiration date with -e in dd/mm/yyyy format, and with -m type the message you want displayed after the script expires

#shc -e 01/01/2000 -m "This script expired.Contact your admin" -Tf test

Since the date is in the past, the encrypted script is already expired, and running ./test.x will give the message "This script expired.Contact your admin"

### One more thing you can do is compile the C source code into a binary with the command below.##

#gcc -o <binary-file-name> test.x.c

This will create a C-compiled binary of your script.
The only difference between the shc-compiled binary and the C-compiled binary is that the shc-compiled binary is stripped while the C-compiled binary is not. (Non-stripped binaries have debugging information built into them.)
This is something different that you should try.