Cacti Server

Input Validation Whitelist Protection

Cacti Data Input Methods that call a script can be exploited in ways that let a non-administrator damage files owned by the poller account and, in cases where someone runs the Cacti poller as root, compromise the operating system, allowing attackers to exploit your infrastructure.

Therefore, several versions ago, Cacti was enhanced to provide Whitelist capabilities on these types of Data Input Methods. Though this does secure Cacti more thoroughly, it does increase the amount of work required by the Cacti administrator to import and manage Templates and Packages.

The way the Whitelisting works is that when you first import a Data Input Method, or you re-import a Data Input Method and the script and/or arguments change in any way, the Data Input Method and all the corresponding Data Sources will be immediately disabled until the administrator validates that the Data Input Method is valid.

To make identifying Data Input Methods in this state easier, we have provided a validation script in Cacti's CLI directory that can be run with the following options:

  • php -q input_whitelist.php --audit - This script option will search for any Data Input Methods that are currently banned and provide details as to why.
  • php -q input_whitelist.php --update - This script option will un-ban the Data Input Methods that are currently banned.
  • php -q input_whitelist.php --push - This script option will re-enable any disabled Data Sources.

It is strongly suggested that you update your config.php to enable this feature by uncommenting the $input_whitelist variable and then running the three CLI script options above after the web-based install has completed.

Test SMTP Auth and StartTLS

To test SMTP auth with StartTLS, I used the following method.

Base64 encode the username and password.

echo -ne "yourpassword" | base64
eW91cnBhc3N3b3Jk
echo -ne "your@email.com" | base64
eW91ckBlbWFpbC5jb20=

Connect to the SMTP server using the openssl client.

openssl s_client -connect smtp.test.com:587 -starttls smtp -crlf

Once connected to the mail server, I identify myself with the EHLO or HELO command.

ehlo there
250-smtp.test.com Hello [192.168.1.50]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN XOAUTH2
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

Next, issue an AUTH LOGIN command to begin login.

AUTH LOGIN
334 VXNlcm5hbWU6

I got a 334 VXNlcm5hbWU6 response, where VXNlcm5hbWU6 is base64 for Username:. I entered the base64-encoded value for my username, your@email.com, and hit enter.

eW91ckBlbWFpbC5jb20=

I got a 334 UGFzc3dvcmQ6 response, where UGFzc3dvcmQ6 is base64 for Password:. I entered the base64-encoded value for my password, yourpassword, and hit enter.

334 UGFzc3dvcmQ6
eW91cnBhc3N3b3Jk

The mail server verifies authentication, and in my case, it is successful.

235 2.7.0 Authentication successful
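
The same exchange replayed offline, as an added example that is not part of the original post; the transcript is constructed from the post's placeholder values and the function names are my own. It shows that the AUTH LOGIN fields are only base64-encoded, so the credentials are protected by the STARTTLS session alone and a saved transcript should be treated as containing the password.

```shell
#!/bin/sh
# Added example: replay an SMTP AUTH LOGIN exchange offline and decode it.
# Constructed transcript using the post's placeholder credentials.
# Server lines start with a three-digit reply code; client lines do not.
transcript='250-AUTH LOGIN XOAUTH2
250 SMTPUTF8
AUTH LOGIN
334 VXNlcm5hbWU6
eW91ckBlbWFpbC5jb20=
334 UGFzc3dvcmQ6
eW91cnBhc3N3b3Jk
235 2.7.0 Authentication successful'

# Print the SASL mechanisms the server advertised in its EHLO reply.
auth_mechs() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^250[- ]AUTH //p'
}

# Decode each 334 challenge together with the client reply that follows it.
decode_auth_login() {
  prompt=""
  printf '%s\n' "$1" | tr -d '\r' | while IFS= read -r line; do
    case "$line" in
      "334 "*)
        prompt=$(printf '%s' "${line#334 }" | base64 -d) ;;
      [0-9][0-9][0-9]" "*|[0-9][0-9][0-9]-*)
        prompt="" ;;                      # any other server reply ends the pair
      *)
        if [ -n "$prompt" ]; then
          printf '%s %s\n' "$prompt" "$(printf '%s' "$line" | base64 -d)"
          prompt=""
        fi ;;
    esac
  done
}

echo "Advertised mechanisms: $(auth_mechs "$transcript")"
decode_auth_login "$transcript"
```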

Installing Debian 11.3 on my Lenovo Yoga 2

I have an old Lenovo Yoga 2 (i5-5400u, 4GB RAM, 128GB SSD).

This 2-in-1 system does not have an ethernet port, and during Debian installation using the netinstall ISO, non-free firmware is needed for the Intel wireless controller.

I went to Debian’s installer page for non-free firmware (for Bullseye) and downloaded the zip file: https://cdimage.debian.org/cdimage/unofficial/non-free/firmware/bullseye/11.3.0/

I expanded the zip all the way into the data compressed folder. Inside that I pulled the lib/firmware/iwlwifi-1762-17.ucode to the root of my USB installation media.

I booted the Debian installation again. Once it got to the search for non-free firmware screen again, I switched to a VTY so I could copy the file over.

cp /cdrom/iwlwifi-1672-17.ucode /lib/firmware/

I switched back to the graphical installer and chose to scan removable media.

I was then presented with a list of wireless networks to choose from and connect to, and could then continue on with the netinstall.

Disable User’s Home Folder Creation in Zentyal

By default, Zentyal creates a Home Folder for each user created through the web interface and not through Active Directory Users & Computers (dsa.msc). To disable this action, modifying the Samba stub for Zentyal is the preferred method. In order to maintain the changes across Zentyal and Samba updates, a Samba stub should be copied and modified as outlined below.

Make the custom stubs directory.

$ sudo mkdir -p /etc/zentyal/stubs/samba

Copy the default Zentyal Samba stub to the directory just created. Changes made directly to the default Zentyal Samba stub or to Samba's configuration file /etc/samba/shares.conf will be overwritten during a Samba update or Zentyal update.

$ sudo cp /usr/share/zentyal/stubs/samba/shares.conf.mas /etc/zentyal/stubs/samba/

The best solution is to now comment out the share in the stub configuration.

Edit /etc/zentyal/stubs/samba/shares.conf.mas.

In Zentyal 7.0 (Samba 4.11), find the section in the file that begins with [homes] and comment out the lines as shown below, excluding the lines that begin with %.

...
</%init>
#[homes]
#    comment = <% __('Home Directories') %>
#    path = /home/%S
#    read only = no
#    browseable = no
#    create mask = 0611
#    directory mask = 0711
% my $rb = ($recycle xor defined($recycle_exceptions->{'users'}));
% my $objects = 'acl_xattr';
% unless ($disableFullAudit) {
%   $objects .= ' full_audit';
% }
% if ($rb) {
%   $objects .= ' recycle';
% }
#    vfs objects = <% $objects %>
#    full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
#    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
% if ($rb) {
%   foreach my $key (keys %{$recycle_config}) {
%       next unless $key;
#    recycle: <% $key %> = <% $recycle_config->{$key} %>
%   }
% }

# <% @shares ? "Shares\n" : "No shares configured" %>
...

Save the file and then restart Samba.

$ sudo zs samba restart

Confirm the changes by looking at /etc/samba/shares.conf.
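
One way to script that confirmation, as an added example rather than anything shipped with Zentyal: it reads a Samba configuration on standard input and reports any settings still active under [homes]. The two sample configurations and the share1 path are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect an active [homes] share in a Samba configuration.
# Both samples are constructed; share1 and its path are illustrative only.
before='[homes]
    comment = Home Directories
    path = /home/%S
    read only = no
    browseable = no

[share1]
    path = /home/samba/shares/share1'

after='#[homes]
#    comment = Home Directories
#    path = /home/%S
;    read only = no
#    browseable = no

[share1]
    path = /home/samba/shares/share1'

# Read smb.conf-style text on stdin and print every active setting under
# [homes]. Exit status is 0 when an active [homes] section exists, 1 otherwise.
# Lines starting with # or ; are comments; section names are case-insensitive.
homes_settings() {
  awk '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ {
      name = $0
      sub(/^[ \t]*\[[ \t]*/, "", name)
      sub(/[ \t]*\].*$/, "", name)
      in_homes = (tolower(name) == "homes")
      if (in_homes) found = 1
      next
    }
    in_homes { sub(/^[ \t]+/, ""); print }
    END { exit(found ? 0 : 1) }
  '
}

for sample in "$before" "$after"; do
  if printf '%s\n' "$sample" | homes_settings; then
    echo "=> [homes] is still active"
  else
    echo "=> no active [homes] share"
  fi
done
```

Against a live system, run `homes_settings < /etc/samba/shares.conf`; no output and a non-zero exit status mean the share is gone.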

Increase LVM Partition in Linux

Some notes on increasing an LVM partition in Linux.

Terminology

  • Physical Volume (PV): This can be created on a whole physical disk (think /dev/sda) or a Linux partition.
  • Volume Group (VG): This is made up of one or more physical volumes.
  • Logical Volume (LV): This is sometimes referred to as the partition, it sits within a volume group and has a file system written to it.
  • File System: A file system such as ext4 will be on the logical volume.

Increase or Expand Logical Volume

A logical volume (lv from here onward) can be increased/expanded without needing to reboot or experiencing any downtime on the system.
My volume group (vg from here onward) is debian-vg; it contains all my lvs.

root@debian:~# vgdisplay
  --- Volume group ---
  VG Name               debian-vg
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  8
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                5
  Open LV               5
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               39.76 GiB
  PE Size               4.00 MiB
  Total PE              10178
  Alloc PE / Size       7151 / 27.93 GiB
  Free  PE / Size       3027 / 11.82 GiB
  VG UUID               QPsbEO-d7Q4-OlbR-9BQL-4C1k-04oq-R8QcG6

As you can see above, Free PE / Size indicates how much space I have available to increase/expand an lv.
To look at the logical volumes, I use the lvdisplay command.

 --- Logical volume ---
  LV Path                /dev/debian-vg/home
  LV Name                home
  VG Name                debian-vg
  LV UUID                61YQXT-wTDM-Fb66-1Fy0-U9dK-tHcn-Kzf1M8
  LV Write Access        read/write
  LV Creation host, time debian, 2018-06-11 10:03:17 -0400
  LV Status              available
  # open                 1
  LV Size                10.00 GiB
  Current LE             2560
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:4

My home logical volume is currently 10GB in size, indicated by LV Size above.
If I want to expand this to 12GB, I would issue the following:

root@debian:~# lvextend -L+2G /dev/debian-vg/home
  Size of logical volume debian-vg/home changed from 10.00 GiB (2560 extents) to 12.00 GiB (3072 extents).
  Logical volume debian-vg/home successfully resized.

Looking at lvdisplay output again, I see that it is now 12GB, but I need to expand the filesystem now.

 --- Logical volume ---
  LV Path                /dev/debian-vg/home
  LV Name                home
  VG Name                debian-vg
  LV UUID                61YQXT-wTDM-Fb66-1Fy0-U9dK-tHcn-Kzf1M8
  LV Write Access        read/write
  LV Creation host, time debian, 2018-06-11 10:03:17 -0400
  LV Status              available
  # open                 1
  LV Size                12.00 GiB
  Current LE             3072
  Segments               2
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:4

This partition is ext4, so I will use resize2fs as below:

root@debian:~# resize2fs /dev/debian-vg/home
resize2fs 1.43.4 (31-Jan-2017)
Filesystem at /dev/debian-vg/home is mounted on /home; on-line resizing required
old_desc_blocks = 2, new_desc_blocks = 2
The filesystem on /dev/debian-vg/home is now 3145728 (4k) blocks long.

Note: If using xfs, use xfs_growfs in lieu of resize2fs.
That should do it. Now I can issue df -h and confirm that my /home partition is now 12GB.

root@debian:~# df -h
Filesystem                   Size  Used Avail Use% Mounted on
udev                         991M     0  991M   0% /dev
tmpfs                        201M   24M  177M  12% /run
/dev/mapper/debian--vg-root  7.4G  2.3G  4.7G  33% /
tmpfs                       1003M     0 1003M   0% /dev/shm
tmpfs                        5.0M     0  5.0M   0% /run/lock
tmpfs                       1003M     0 1003M   0% /sys/fs/cgroup
/dev/mapper/debian--vg-tmp   544M  924K  503M   1% /tmp
/dev/sda1                    236M   37M  187M  17% /boot
/dev/mapper/debian--vg-var   7.7G  2.5G  4.9G  34% /var
tmpfs                        201M     0  201M   0% /run/user/1000
/dev/mapper/debian--vg-home   12G   41M   12G   1% /home