Category Archives: Linux

All things *nix.

.muttrc

This is my personal Mutt .muttrc dotfile.

set folder="~/Maildir"
set mask="!^\\.[^.]"
set mbox="~/Maildir"
set record="+.Sent"
set postponed="+.Drafts"
set trash="+.Trash"
set spoolfile="~/Maildir"

ISPConfig3 – DNSSEC ERROR: We are low on entropy.

It seems that ISPConfig3 checks whether the available entropy is below 200 in one place and below 400 in another, in the following file, /usr/local/ispconfig/server/bind_plugin.inc.php.

Line 93 and line 210 check for entropy availability.

Line 93, inside function soa_dnssec_create():

if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 400) {
	$app->log('DNSSEC ERROR: We are low on entropy. Not generating new Keys for '.$domain.'. Please consider installing package haveged.', LOGLEVEL_WARN);
	echo "DNSSEC ERROR: We are low on entropy. Not generating new Keys for $domain. Please consider installing package haveged.\n";
	return false;
}

Line 210, inside function soa_dnssec_update():

if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 200) {
	$app->log('DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.', LOGLEVEL_ERROR);
	echo "DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.\n";
	return false;
}

My problem seems to be entropy_avail is 256.

Researching this, I found this Unix StackExchange article, kernel 5.10.119 caused the values of /proc/sys/kernel/random/entropy_avail and poolsize to be 256 – Unix & Linux Stack Exchange, that describes a recent change in the Linux Kernel 5.10.119.

I am currently on Linux kernel 5.10.127-1 (2022-06-30).

To work around this, I adjusted both checks to 200, instead of one being 200 and the other 400 (on creation of DNSSEC records).

I was able to successfully generate the DNSSEC for my zone and issue /usr/local/ispconfig/server/server.sh without additional error.

This is probably NOT the best way to handle this… but I’m not sure what else to do at this point.
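The check below is an added example, not ISPConfig's code or the post's own. It reproduces the bind_plugin.inc.php threshold test but also reads poolsize: as the linked Stack Exchange question notes, both files report 256 on kernel 5.10.119 and later, so a fixed threshold of 400 can never be met however healthy the pool is. The file paths are parameters so the function can be run against constructed files.

```shell
#!/bin/sh
# Added example (not part of ISPConfig or the original post). Reproduces the
# entropy_avail threshold check, but compares the threshold against poolsize
# first: with a 256-bit pool a threshold of 400 is unreachable by design.

# entropy_check AVAIL_FILE POOLSIZE_FILE THRESHOLD
# returns 0 when avail >= threshold, 1 when entropy is genuinely low,
# 2 when the threshold exceeds the pool size and can never pass
entropy_check() {
    avail=$(cat "$1")
    pool=$(cat "$2")
    threshold=$3
    if [ "$threshold" -gt "$pool" ]; then
        echo "threshold $threshold exceeds pool size $pool: this check can never pass"
        return 2
    fi
    if [ "$avail" -lt "$threshold" ]; then
        echo "low entropy: $avail < $threshold"
        return 1
    fi
    echo "entropy ok: $avail of $pool"
    return 0
}

# Live run against the real kernel files, as ISPConfig's two checks would see it:
# entropy_check /proc/sys/kernel/random/entropy_avail /proc/sys/kernel/random/poolsize 400
# entropy_check /proc/sys/kernel/random/entropy_avail /proc/sys/kernel/random/poolsize 200
```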

sed replace braces with brackets keeping content inside

Took me a minute to figure this out but it works.

Given the following file, I want to replace { and } with [ and ], keeping the content inside, but only where the braces contain just a number (no spaces, no letters).

data.txt:

{1}: Today is tomorrow's yesterday.
{2}: This year is next year's yesteryear.
{3}: Foo
{10}: Bar
{100}: Baz
{91919}: Qux
{99119a9}: 42
{1 2 3 4 5}: infinity and beyond.

sed -e 's/{\([0-9]\+\)}/[\1]/' data.txt
rjk@debian:~$ sed -e 's/{\([0-9]\+\)}/[\1]/' data.txt
[1]: Today is tomorrow's yesterday.
[2]: This year is next year's yesteryear.
[3]: Foo
[10]: Bar
[100]: Baz
[91919]: Qux
{99119a9}: 42
{1 2 3 4 5}: infinity and beyond.

If I want to replace anything in the braces, then I could alter the command slightly.

sed -e 's/{\(.*\)}/[\1]/' data.txt
rjk@debian:~$ sed -e 's/{\(.*\)}/[\1]/' data.txt
[1]: Today is tomorrow's yesterday.
[2]: This year is next year's yesteryear.
[3]: Foo
[10]: Bar
[100]: Baz
[91919]: Qux
[99119a9]: 42
[1 2 3 4 5]: infinity and beyond.
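An added example, not from the original post, that goes one step beyond it: the second one-liner uses {\(.*\)}, which is greedy, so with two brace groups on one line it swallows everything from the first { to the last }. A negated class [^}] keeps each pair separate, and the g flag converts every pair on the line. The input line is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Compares the page's greedy
# pattern with a per-pair pattern on a line holding two brace groups.

# greedy_bracketize: the page's second command, applied to stdin
greedy_bracketize() { sed -e 's/{\(.*\)}/[\1]/'; }

# safe_bracketize: one replacement per brace pair, every pair on the line
safe_bracketize() { sed -e 's/{\([^}]*\)}/[\1]/g'; }

# numeric_bracketize: the page's first command in portable BRE form
# (\+ is a GNU extension; [0-9][0-9]* works in any sed)
numeric_bracketize() { sed -e 's/{\([0-9][0-9]*\)}/[\1]/g'; }

# Constructed input with two groups on one line to show the difference.
SAMPLE='{1} and {2 3}: two groups'

# printf '%s\n' "$SAMPLE" | greedy_bracketize   -> [1} and {2 3]: two groups
# printf '%s\n' "$SAMPLE" | safe_bracketize     -> [1] and [2 3]: two groups
# printf '%s\n' "$SAMPLE" | numeric_bracketize  -> [1] and {2 3}: two groups
```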

How to remove a systemd service

I’m not sure why systemd doesn’t remove the service, but to do so you can run through the following commands. Also check /etc/init.d/[servicename] as there may be a wrapper there as well.

If you know what service you’re looking to remove, great. If not, you can quickly find all the systemd services enabled on your system with the following command:

systemctl list-unit-files | grep enabled

You can inspect the service and find any unit information for it using the following:

systemctl cat [servicename]

To continue on, stop, disable and remove the unit links as shown below.

systemctl stop [servicename]
systemctl disable [servicename]
rm /etc/systemd/system/[servicename]      # and any related symlinks
rm /usr/lib/systemd/system/[servicename]  # and any related symlinks
systemctl daemon-reload
systemctl reset-failed
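As an added example (not from the original post), a helper that lists every file and symlink in the unit directories belonging to a unit before the rm steps: the unit file itself, the *.wants/ and *.requires/ links that enable it, and any alias symlink pointing at it. ROOT is a prefix so it can be tested on a constructed tree; pass / on a live system.

```shell
#!/bin/sh
# Added example, not part of the original post. Enumerates unit files and the
# symlinks that reference them so nothing is left behind after removal.

# find_unit_links ROOT UNITNAME -> one path per line
find_unit_links() {
    root=${1%/}
    unit=$2
    for dir in "$root/etc/systemd/system" "$root/usr/lib/systemd/system" "$root/lib/systemd/system"; do
        [ -d "$dir" ] || continue
        # -name catches the unit file and the *.wants/ links named after it;
        # -lname catches alias symlinks whose target is the unit file
        find "$dir" \( -name "$unit" -o -lname "$unit" -o -lname "*/$unit" \) -print
    done | sort -u
}

# count_unit_links ROOT UNITNAME -> number of paths found (0 once fully removed)
count_unit_links() { find_unit_links "$1" "$2" | wc -l | tr -d ' '; }

# On a live system, after the rm steps above this should print 0:
# count_unit_links / [servicename]
```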

Cacti Server

Input Validation Whitelist Protection

Cacti Data Input Methods that call a script can be exploited so that a non-administrator damages files owned by the poller account and, where the Cacti poller runs as root, compromises the operating system and from there your infrastructure.

Therefore, several versions ago, Cacti was enhanced to provide whitelist capabilities on these types of Data Input Methods. Though this does secure Cacti more thoroughly, it increases the amount of work required by the Cacti administrator to import and manage Templates and Packages.

Whitelisting works as follows: when you first import a Data Input Method, or re-import one and the script and/or arguments change in any way, the Data Input Method and all corresponding Data Sources are immediately disabled until the administrator validates that the Data Input Method is legitimate.

To make it easy to identify Data Input Methods in this state, a validation script is provided in Cacti’s CLI directory that can be run with the following options:

  • php -q input_whitelist.php --audit – This option searches for any Data Input Methods that are currently banned and reports why.
  • php -q input_whitelist.php --update – This option un-bans the Data Input Methods that are currently banned.
  • php -q input_whitelist.php --push – This option re-enables any disabled Data Sources.

It is strongly suggested that you enable this feature by uncommenting the $input_whitelist variable in config.php and then running the three CLI script options above after the web-based install has completed.

Test SMTP Auth and StartTLS

To test SMTP auth with StartTLS, I used the following method.

Base64 encode the username and password.

echo -ne "yourpassword" | base64
eW91cnBhc3N3b3Jk
echo -ne "your@email.com" | base64
eW91ckBlbWFpbC5jb20=

Connect to the SMTP server using the openssl client.

openssl s_client -connect smtp.test.com:587 -starttls smtp -crlf

Once connected to the mail server, identify yourself with the EHLO or HELO command.

ehlo there
250-smtp.test.com Hello [192.168.1.50]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN XOAUTH2
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

Next, issue an AUTH LOGIN command to begin login.

AUTH LOGIN
334 VXNlcm5hbWU6

I got a 334 VXNlcm5hbWU6 response; VXNlcm5hbWU6 is base64 for Username:. I entered the base64-encoded value of my username, your@email.com, and hit enter.

eW91ckBlbWFpbC5jb20=

I got a 334 UGFzc3dvcmQ6 response; UGFzc3dvcmQ6 is base64 for Password:. I entered the base64-encoded value of my password, yourpassword, and hit enter.

334 UGFzc3dvcmQ6
eW91cnBhc3N3b3Jk

The mail server verifies authentication, and in my case, it is successful.

235 2.7.0 Authentication successful
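The helpers below are an added example, not part of the original post. They build the AUTH LOGIN lines from a username and password, decode the server's 334 challenges, and replay the whole session through openssl s_client non-interactively; smtp.test.com:587 is the page's placeholder, and the replay assumes the server accepts the commands fed on stdin in order. Base64 is only an encoding, so the credentials are protected solely by the TLS session that -starttls smtp negotiates first.

```shell
#!/bin/sh
# Added example, not part of the original post. Offline helpers for the
# AUTH LOGIN exchange above plus a non-interactive replay of the session.

# b64 STRING: encode without the trailing newline a bare echo would add
b64() { printf '%s' "$1" | base64; }

# decode_challenge "334 VXNlcm5hbWU6" -> Username:
decode_challenge() { printf '%s' "${1#334 }" | base64 -d; }

# auth_login_lines USER PASS: the three client lines sent after EHLO
auth_login_lines() { printf 'AUTH LOGIN\n%s\n%s\n' "$(b64 "$1")" "$(b64 "$2")"; }

# reply_ok LINE: true only for the 235 reply the post shows on success
reply_ok() { case $1 in 235*) return 0 ;; *) return 1 ;; esac; }

# smtp_auth_test HOST PORT USER PASS: the same session without typing it;
# -crlf turns the LF line ends into the CRLF that SMTP expects
smtp_auth_test() {
    { printf 'EHLO there\n'; auth_login_lines "$3" "$4"; printf 'QUIT\n'; } |
        openssl s_client -connect "$1:$2" -starttls smtp -crlf -quiet -ign_eof 2>/dev/null |
        grep -q '^235 '
}

# smtp_auth_test smtp.test.com 587 your@email.com yourpassword && echo "auth ok"
```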

Installing Debian 11.3 on my Lenovo Yoga 2

I have an old Lenovo Yoga 2 (i5-5400u, 4GB RAM, 128GB SSD).

This 2-in-1 system does not have an ethernet port and during Debian installation using the netinstall ISO, non-free firmware is needed for the Intel wireless controller.

I went to Debian’s installer page for non-free firmware (for Bullseye) and downloaded the zip file: https://cdimage.debian.org/cdimage/unofficial/non-free/firmware/bullseye/11.3.0/

I expanded the zip all the way down to the compressed data folder. From inside that I copied lib/firmware/iwlwifi-1762-17.ucode to the root of my USB installation media.

I booted the Debian installer again. Once it reached the search for non-free firmware screen, I switched to a VTY so I could copy the file over.

cp /cdrom/iwlwifi-1672-17.ucode /lib/firmware/

I switched back to the graphical installer and chose to scan removable media.

I was then presented with a list of wireless networks to choose from and connect to, and continued with the netinstall.

Disable User’s Home Folder Creation in Zentyal

By default, Zentyal creates a Home Folder for each user created through the web interface and not through Active Directory Users & Computers (dsa.msc). To disable this action, modifying the Samba stub for Zentyal is the preferred method. In order to maintain the changes across Zentyal and Samba updates, a Samba stub should be copied and modified as outlined below.

Make the custom stubs directory.

$ sudo mkdir -p /etc/zentyal/stubs/samba

Copy the default Zentyal Samba stub to the directory just created. Modifying the default Zentyal Samba stub or Samba’s configuration file in /etc/samba/shares.conf will end up getting overwritten during a Samba update or Zentyal update.

$ sudo cp /usr/share/zentyal/stubs/samba/shares.conf.mas /etc/zentyal/stubs/samba/

The best solution is to now comment out the share in the stub configuration.

Edit /etc/zentyal/stubs/samba/shares.conf.mas.

In Zentyal 7.0 (Samba 4.11), find the section of the file that begins with [homes] and comment out the lines as shown below, excluding the lines that begin with %.

...
</%init>
#[homes]
#    comment = <% __('Home Directories') %>
#    path = /home/%S
#    read only = no
#    browseable = no
#    create mask = 0611
#    directory mask = 0711
% my $rb = ($recycle xor defined($recycle_exceptions->{'users'}));
% my $objects = 'acl_xattr';
% unless ($disableFullAudit) {
%   $objects .= ' full_audit';
% }
% if ($rb) {
%   $objects .= ' recycle';
% }
#    vfs objects = <% $objects %>
#    full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
#    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
% if ($rb) {
%   foreach my $key (keys %{$recycle_config}) {
%       next unless $key;
#    recycle: <% $key %> = <% $recycle_config->{$key} %>
%   }
% }

# <% @shares ? "Shares\n" : "No shares configured" %>
...

Save the file and then restart Samba.

$ sudo zs samba restart

Confirm the changes by looking at /etc/samba/shares.conf.

Increase LVM Partition in Linux

Some notes on increasing an LVM partition in Linux.

Terminology

  • Physical Volume (PV): This can be created on a whole physical disk (think /dev/sda) or a Linux partition.
  • Volume Group (VG): This is made up of one or more physical volumes.
  • Logical Volume (LV): This is sometimes referred to as the partition, it sits within a volume group and has a file system written to it.
  • File System: A file system such as ext4 will be on the logical volume.

Increase or Expand Logical Volume

A logical volume (lv from here onward) can be increased/expanded without rebooting or any downtime on the system.
My volume group (vg here onward) is debian-vg; it contains all my lv’s.

root@debian:~# vgdisplay
  --- Volume group ---
  VG Name               debian-vg
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  8
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                5
  Open LV               5
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               39.76 GiB
  PE Size               4.00 MiB
  Total PE              10178
  Alloc PE / Size       7151 / 27.93 GiB
  Free  PE / Size       3027 / 11.82 GiB
  VG UUID               QPsbEO-d7Q4-OlbR-9BQL-4C1k-04oq-R8QcG6

As you can see above, Free PE / Size indicates how much space is available to increase/expand an lv.
To look at the logical volumes, I use lvdisplay command.

 --- Logical volume ---
  LV Path                /dev/debian-vg/home
  LV Name                home
  VG Name                debian-vg
  LV UUID                61YQXT-wTDM-Fb66-1Fy0-U9dK-tHcn-Kzf1M8
  LV Write Access        read/write
  LV Creation host, time debian, 2018-06-11 10:03:17 -0400
  LV Status              available
  # open                 1
  LV Size                10.00 GiB
  Current LE             2560
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:4

My home logical volume is currently 10GB in size, indicated by LV Size above.
If I want to expand this to 12GB, I would issue the following:

root@debian:~# lvextend -L+2G /dev/debian-vg/home
  Size of logical volume debian-vg/home changed from 10.00 GiB (2560 extents) to 12.00 GiB (3072 extents).
  Logical volume debian-vg/home successfully resized.

Looking at lvdisplay output again, I see that it is now 12GB, but I need to expand the filesystem now.

 --- Logical volume ---
  LV Path                /dev/debian-vg/home
  LV Name                home
  VG Name                debian-vg
  LV UUID                61YQXT-wTDM-Fb66-1Fy0-U9dK-tHcn-Kzf1M8
  LV Write Access        read/write
  LV Creation host, time debian, 2018-06-11 10:03:17 -0400
  LV Status              available
  # open                 1
  LV Size                12.00 GiB
  Current LE             3072
  Segments               2
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:4

This partition is ext4, so I will use resize2fs as below:

root@debian:~# resize2fs /dev/debian-vg/home
resize2fs 1.43.4 (31-Jan-2017)
Filesystem at /dev/debian-vg/home is mounted on /home; on-line resizing required
old_desc_blocks = 2, new_desc_blocks = 2
The filesystem on /dev/debian-vg/home is now 3145728 (4k) blocks long.

Note: If using xfs, use xfs_growfs in lieu of resize2fs.

That should do it; now I can issue df -h and confirm that my /home partition is now 12GB.

root@debian:~# df -h
Filesystem                   Size  Used Avail Use% Mounted on
udev                         991M     0  991M   0% /dev
tmpfs                        201M   24M  177M  12% /run
/dev/mapper/debian--vg-root  7.4G  2.3G  4.7G  33% /
tmpfs                       1003M     0 1003M   0% /dev/shm
tmpfs                        5.0M     0  5.0M   0% /run/lock
tmpfs                       1003M     0 1003M   0% /sys/fs/cgroup
/dev/mapper/debian--vg-tmp   544M  924K  503M   1% /tmp
/dev/sda1                    236M   37M  187M  17% /boot
/dev/mapper/debian--vg-var   7.7G  2.5G  4.9G  34% /var
tmpfs                        201M     0  201M   0% /run/user/1000
/dev/mapper/debian--vg-home   12G   41M   12G   1% /home
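An added example, not from the original post: a pre-check that parses vgdisplay output and confirms a requested extension fits in the volume group's free extents before lvextend is run, using the page's own vgdisplay lines as the embedded sample. It assumes vgdisplay's default "4.00 MiB" / "GiB" formatting.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks free physical extents
# against the extents a +N GiB lvextend would consume.

# Constructed sample: the two relevant lines from the vgdisplay output above.
SAMPLE_VGDISPLAY='  PE Size               4.00 MiB
  Free  PE / Size       3027 / 11.82 GiB'

# free_extents VGDISPLAY_TEXT -> number of free physical extents
free_extents() { printf '%s\n' "$1" | awk '/Free +PE \/ Size/ { print $5 }'; }

# pe_size_mib VGDISPLAY_TEXT -> physical extent size in MiB
pe_size_mib() { printf '%s\n' "$1" | awk '/PE Size/ { print $3 }'; }

# extents_for GIB PE_MIB -> extents needed for a +GIB extension
extents_for() { awk -v g="$1" -v pe="$2" 'BEGIN { printf "%d\n", g * 1024 / pe }'; }

# can_extend VGDISPLAY_TEXT GIB -> 0 when the VG has room for +GIB
can_extend() {
    need=$(extents_for "$2" "$(pe_size_mib "$1")")
    free=$(free_extents "$1")
    [ "$need" -le "$free" ]
}

# Live use, then the post's resize in one step: lvextend -r also grows the
# filesystem (ext4 or xfs), so the separate resize2fs/xfs_growfs step is skipped.
# can_extend "$(vgdisplay debian-vg)" 2 && lvextend -r -L+2G /dev/debian-vg/home
```

With the sample above, +2G needs 512 extents (the same 2560 to 3072 jump lvextend reported) and fits, while +12G would need 3072 against 3027 free and is refused.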