linux – Page 4 – David Goodwin

July 18, 2014July 18, 2016

Debian http_proxy setting

Need to set a HTTP proxy within a Debian system ?

Assuming your proxy server is on 192.168.0.1 and listening on port 3128, then the below may help …

( If you need authentication you can use username:password@ like you would in an old style web browser – e.g. http://username:password@192.168.0.1:3128. )

/etc/profile.d/proxy.sh

Add /etc/profile.d/proxy.sh containing

export http_proxy=http://192.168.0.1:3128

/etc/apt/apt.conf.d/99HttpProxy

Add /etc/apt/apt.conf.d/99HttpProxy containing

Acquire::http::Proxy "http://192.168.0.1:3128";

/etc/wgetrc

Edit /etc/wgetrc and add

http_proxy = http://192.168.0.1:3128

(some system commands rely on wget, and may not otherwise use an environment variable, e.g. debootstrap; the http_proxy setting should be present by default but commented out).

(This is all, in a round about way, relayed to the http proxy security vulnerability announced in July 2016 – see httpoxy.org for more info)

April 11, 2014

Installing Debian (Jessie) on an Intel NUC D54250WYK

Product – D54250WYK / boxd54250wykh3 – via e.g. Ballicom or eBuyer

It’s an Intel i5 4250U processor (dual core, laptop processor). Supports up to 16gb of RAM and the Intel 5000 graphics thing in it.

The box itself is really small – and silent. A laptop size hard disk can fit into it (2.5″ hdd).

Issues :

BIOS needs updating before it can be installed (apparently); See Intel’s website – currently here – it’s just a case of downloading the .BIO file and sticking it on a USB stick and pressing F7 on boot and following through the prompts.
Most Linux distros do not yet support the network card (Intel 559/I218-V) – I had to netboot a Debian unstable netboot iso image (from here )

Good things –

BTRFS root filesystem + booting etc just worked with Jessie.
X configuration just works – even though it’s quite a new graphics chipset.
Boot time is VERY fast – currently <5 seconds.

December 22, 2013August 10, 2015

ipmi / linux / dell poweredge SC1435

We recently bought two Dell SC1435 servers off eBay. They seemed cheap and quite well specced (dual 4 core CPUs, plenty of RAM for us) – perhaps ideal for redundant mail servers.

Anyway, they’re IPMI 2.0 compliant – meaning they should be controllable remotely (e.g serial console, forceful power cycling etc without the need for some sort of graphical KVM console or DRAC card.).

(A few years later, I bought a Dell t300 from Ebay; the below works for it too)

Here are some notes on setting up/configuring IPMI support and how it can be used – :

Continue reading “ipmi / linux / dell poweredge SC1435”

December 12, 2013December 23, 2013

Moving towards ‘inbox zero’

Over time my inbox grows larger and larger…. and eventually it starts to take ages to sync/navigate around – 15,000+ messages in an inbox can’t help. Continue reading “Moving towards ‘inbox zero’”

July 25, 2013

iptables – rule deletion by number

Deletion is easiest if you know the rule number. Rather than counting down, it’s easiest to use –

iptables -nL –line-numbers

Which may show something like :

Continue reading “iptables – rule deletion by number”

April 17, 2013November 29, 2014

Fail2ban filter for WordPress

With the annoying brute force wordpress hack going round, one way to protect your site(s) would be to use fail2ban, with a configuration something like (which I’ve shamelessly lifted from http://blog.somsip.com/2011/12/protecting-apache-webservers-from-wordpress-admin-login-dictionary-attacks/ ).

The below seems to be working, and given it’s relative simplicity it’s obvious how you’d go about changing to protect other POST based scripts from brute force attacks.

As with all fail2ban rules, it’s not going to work if the attacker changes IP often (but from scanning the logs so far, it doesn’t seem to be the case that they are).

Obvious caveats :

Users who can’t remember their password(s) will get blocked.
It’s not going to protect you from a distributed attack (multiple IPs) very well
You may want to perform other counter-measures (like putting Apache http authentication in for URLs matching /wp-login.php)

In /etc/fail2ban/jail.conf :

[apache-wp-login]
enabled = true
port = http,https
filter = apache-wp-login
logpath = /var/www/vhosts/*/statistics/logs/access_log
maxretry = 5
findtime = 120

And In /etc/fail2ban/filter.d/apache-wp-login.conf :

[Definition]
failregex = <HOST> - - .* "POST /wp-login.php HTTP/.*" 200

ignoreregex =

Where a “hacking” access.log entry looks a bit like :

107.21.107.144 - - [02/Feb/2014:12:50:01 +0000] "POST /wp-login.php HTTP/1.0" 200 4344 "-" "-"

March 24, 2013May 5, 2013

Script to fix NFS (Debian Squeeze + Backports bits)

I have a NFS server running Debian Squeeze. Additionally it’s using the 3.2.x kernel from backports, and the nfs-kernel-server from backports too.

Sometimes NFS breaks, and gives helpful messages like :

mount.nfs: connection timed out

or just:

Stale NFS handle on clients.

While I’m confident that my /etc/exports and other configuration files are correct, it still insists on misbehaving.

Below is a random shell script I seem to have created to fix the NFS server –

#!/bin/bash
set -e
/etc/init.d/nfs-kernel-server stop
/etc/init.d/nfs-common stop
/etc/init.d/rpcbind stop

rm -Rf /var/lib/nfs
mkdir /var/lib/nfs
mkdir /var/lib/nfs/v4recovery /var/lib/nfs/rpc_pipefs

for f in /var/lib/nfs/etab \
/var/lib/nfs/rmtab \
/var/lib/nfs/xtab; do
[ -e $f ] || touch $f
done

/etc/init.d/rpcbind start
sleep 2
/etc/init.d/nfs-common start
sleep 2
/etc/init.d/nfs-kernel-server start

echo "NFS may now work"

exportfs -f

Yes… “NFS may now work” … that sums it up about right.

December 28, 2012June 26, 2013

Virtualbox 4.2 VM autostart on Debian Squeeze & Wheezy

One new feature of VirtualBox 4.2 is that it has support for auto-starting vm’s on bootup of the host server (via init etc). This means I can remove my hackish ‘su – vbox -c “VBoxHeadless –startvm VMName &”‘ additions in /etc/rc.local, and the VM’s will also hopefully be terminated gracefully on shutdown.

The docs/guides online which I could find were a bit cryptic, or incomplete, so here’s what I ended up doing :

Continue reading “Virtualbox 4.2 VM autostart on Debian Squeeze & Wheezy”

December 7, 2012January 23, 2013

Migrating an ext3 filesystem to ext4 (Debian Squeeze)

Interestingly (well, perhaps not really) this is very easy.

In my case, I’m hoping that the migration will lead to faster fsck times (currently it’s taking about an hour, which is somewhat excessive, each time the server crashes for whatever reason).

In my case, the filesystem is /dev/md0 and mounted at /home – change the bits below as appropriate.
Continue reading “Migrating an ext3 filesystem to ext4 (Debian Squeeze)”

December 7, 2012December 12, 2012

Debian Squeeze (NFS broken with backports kernel)

Our office server has been running the Squeeze-Backports kernel for some time – without issue – until today. Amongst the things it ‘should’ do, is act as an NFS server for the office computers (giving us a common /home directory).

Every so often, NFS breaks for some reason. Perhaps in some way, the NFS server feels a need to keep a hold over me.
Continue reading “Debian Squeeze (NFS broken with backports kernel)”