.:Restrict root access by IP Address:.

howto | Posted by tuxifier
Jan 26 2012

Task

To enhance security in your datacenter you may want to restrict root logins to your Linux servers to one or few admin servers. So this is how you do it:

How to

Add the following line to your /etc/pam.d/sshd:

account  required     pam_access.so

to activate sshd to look into the file /etc/pam.d/access.conf for authentication

Now you can use the /etc/pam.d/access.conf file to configure your access conditions (there are a lot possible which are well documented in the file itself). In this case we will configure the SSH Daemon to only grant root access from one specific administration server called “myadminserver.domain.local”. Therefor you need two lines in the access.conf file:

This will allow the root login from myadminserver.domain.local

+ : root : myadminserver.domain.local

And this will deny logins from the rest of the world

- : root : ALL

This is all you need to do. The changes will take effect immediately you don’t need to restart anything.

secure

No Comments »

.: CUPS client-error-not-possible:.

Uncategorized | Posted by tuxifier
Dec 20 2011

Is one of those “self-speaking” error messages. If you run into this while printing from bash with ls -la | lp -d <printername> or while trying to print a test page from the CUPS Webinterface you should check the content of your CUPS spool directory /var/spool/cups. In most cases you’ll find a lot of files in there. You can move them away or delete them. After that you simply have to restart the CUPS Service with /etc/init.d/cups restart

All you lose is your printing history…

 

No Comments »

.:digikam rename string:.

Uncategorized | Posted by tuxifier
Dec 02 2011

Digikam is a pretty nice digital photograph management software I am using for some time now. I love the automatic renaming of files while downloading them from the camera or SD card. To build your desired file names you can use special renaming patterns. The one I use is the following:

[date:yyyy-MM-dd]_[date:dddd]_[file].[ext]{lower}

results in something like this:

2011-10-01_Samstag_P1070263.jpg

nothing else to say ;)

No Comments »

.:Suppress the “cp Do you want to overwrite” prompt on RedHat based Distros:.

commandlinefu | Posted by tuxifier
Nov 20 2011

If you ever want to overwrite the same files on RedHat based distros (CentOS, RHEL, Fedora,…) you are penetrated with the annoying “Do you want to overwrite” message on every file you’re going to overwrite. The reason is simple – RedHat based Distros by default have an alias on cp which directs to cp -i for interactive mode. To avoid the nagging messages you have the following options:

  • unalias cp
  • use the command with full path: 
    /bin/cp <options> <files> <target> instead of using only cp

No Comments »

.:Release update successfully completed – now runnig oneiric ocelot:.

Uncategorized | Posted by tuxifier
Oct 14 2011

No Comments »

.:Switching from natty narwhal to oneiric ocelot right now:.

Uncategorized | Posted by tuxifier
Oct 14 2011

No Comments »

.:Perfdata processing with mod_gearman and PNP:.

Uncategorized | Posted by tuxifier
Jun 30 2011

Requirements

  • PNP 0.6.12 or higher (I used 0.6.13)
  • Perl module Gearman::Worker (cpan Gearman::Worker)
  • Perl module Crypt::Rijndael (aptitude install libcrypt-rijndael-perl)
  • A working icinga and mod_gearman installation

PNP Installation

To install PNP enter the following lines in case of icinga (–prefix is optional)

./configure --prefix=/path/to/pnp/installation --with-nagios-user=icinga --with-nagios-group=icinga
make all
make fullinstall

Configuration

PNP

Edit the PNP process_perfdata.cfg and edit the following directives

vi /path/to/pnp/installation/etc/process_perfdata.cfg
GEARMAN_HOST = localhost:4730
ENCRYPTION = 0 (i don't use encryption in mod_gearman if you do - you just have to change the KEY variable)

mod_gearman

Edit the config file you use in the mod_gearman broker_module directive in main icinga config file icinga.cfg

broker_module=/path/to/mod_gearman/lib/mod_gearman/mod_gearman.o config=/path/to/mod_gearman/etc/mod_gearman_local.conf

Edit the file

vi /path/to/mod_gearman/etc/mod_gearman_local.conf

change perfdata=no to perfdata=yes

to activate perfdata processing to gearmand

Remove any existing PNP configuration like npcdmod.o from icinga.cfg and stop npcd if running

Restart icinga then restart gearmand

/etc/init.d/icinga restart

/etc/init.d/gearmand restart

Then check with gearman_top if there is a queue named perfdata appearing and if its “jobs waiting” queue is increasing

 

Then start your pnp_gearman worker

/etc/init.d/pnp_gearman_worker start

That’s it.

This article also is in the official Icinga wiki

No Comments »

.:Apache2 mod-authnz-ldap Active Directory authentication:.

howto | Posted by tuxifier
Jun 30 2011

Apache authentication against MS Active Directory can be very useful from time to time – so here is how to do it.

First you need to verify if you have mod-authnz-ldap available for apache2 and if you have activated it (Ubuntu a2enmod authnz_ldap). Then you need a User in your AD with read permission (standard user) whose credentials you’ll youse in the AuthLDAPBindDN and AuthLDAPBindPassword lines.

Then you can put the following lines in your <Directory “/some/nice/webroot”></Directory> (or Location) section

<Directory "/some/nice/webroot">
   AuthLDAPBindDN "CN=John Doe,OU=_Users,DC=example,DC=com"
   AuthLDAPBindPassword "t0ps3cr3t"
   AuthLDAPURL "ldap://<domaincontroller_name_or_ip>/ou=_Users,dc=demo,dc=lab?sAMAccountName?sub?(objectClass=*)"
   AuthType Basic
   AuthName "USE YOUR WINDOWS ACCOUNT"
   AuthBasicProvider ldap
   # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
   AuthUserFile /dev/null
   require valid-user
</Directory>

(instead of the standard AuthName, AuthType, AuthUserFile and Require valid-user directives of HTTP Basic Auth)

Restart Apache and try to login your protected webpage with your Active Directory Accound using the sAMAccountName

Hint

To find out the right DN to bind you can use your Windows Account in combination with ldapsearch:

ldapsearch -LLL -x -H ldap://<domaincontroller_name_or_ip:389 -b 'ou=_Users,dc=example,dc=com' -D 'DOMAIN\user' -w 'p@ssword' '(sAMAccountName=<yourfilter>)'

maybe you need to play around a bit with ldapsearch to get what you need

done

Tags:
No Comments »

.:Create ringtone for Tiptel IP 280:.

fun, howto | Posted by tuxifier
Jun 08 2011

Task

The tiptel IP 280 IP phone supports the upload of own ringtones. The format it requires (8kHz mono 16Bit WAV µlaw respectively mu-law compressed) is a bit uncommon.

But you can convert any mp3 file to the above audio format with the following tools and steps:

Tools

Steps

  • Open audacity
  • File -> Import -> Audio -> select your mp3 file
  • Select the part of the mp3 file you want to convert to a ringtone
  • Edit -> Trim to remove the rest of the mp3 you don’t want to have in your ringtone
  • Convert Stereo to mono
    • Click on the name of the song (in the Track Control Panel to left of the waveform, where the downward pointing arrow is). This brings down a selection menu.
    • Select the Split Stereo Track option.
    • Click on the name of one of the resulting tracks then on “mono” using the same menu
    • Close the other track by clicking on [X] on the Track Control Panel.
  • Look at the Project Rate button at bottom left of the screen. Select 8000
  • Click File > Export and in the “Export File” dialogue, choose “other uncompressed files” in the file types dropdown, then a file name to export to. Click Options and in the “Format” dropdown, select “WAV (Microsoft 16 bit PCM)”. Click OK then Save. If the Metadata Editor pops up at any stage, click OK. Metadata tags are not needed.
  • Open a terminal and enter 
    • sox file_name_of_audacity_export.wav -U file_name_of_ulaw_compressed.wav 
  • Upload the file_name_of_ulaw_compressed.wav to your tiptel via web-interface (use a short file name with no special characters like ringer.wav)
  • Select the uploaded file as ringtone
  • Call yourself and listen :)

done

Tags: ,
No Comments »

.:List processes consuming most memory:.

commandlinefu | Posted by tuxifier
May 24 2011 
ps ww -e --sort -rss o pid,pmem,command,rss,size,vsz | head -n50

yahol – yet another handy oneliner

Tags: ,
No Comments »