Listing posts
Displaying posts 1 - 5 of 326 in total2024-03-13
ssh and ssh ddos»
Install fail2ban:
1 | apt-get install fail2ban |
Configure fail2ban:
Put this file in in /etc/fail2ban/jail.d/local.conf
(it is a modified copy of jail.conf
):
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | [DEFAULT] # space separeted list of IP addresses, CIDR masks, DNS hosts ignoreip = 127.0.0.1/8 192.168.1.1/24 # number of seconds that a host is banned bantime = 3600 # a host is banned if it has generated "maxretry" during the # last "findtime" seconds findtime = 600 maxretry = 1 [sshd] enabled = true maxretry = 1 mode = extra [sshd-ddos] enabled = true maxretry = 1 |
Starting, status, unblock IPs:
1 2 3 4 5 6 7 8 9 10 | # restart service after any config modification systemctl restart fail2ban # show jailing info/counters fail2ban-client status fail2ban-client status sshd fail2ban-client status sshd-ddos # look suspicious IPs in the logs journalctl -f -t sshd |
Ban management:
1 2 3 4 5 6 | # unlock blocked IPs fail2ban-client unban IP1 IP2 IP3 ... fail2ban-client unban --all # block an IP fail2ban-client -vvv set sshd banip x.x.x.x |
SSH tips
You can allow or deny access to specific users by editing /etc/ssh/sshd_config
:
1 2 3 4 5 | # allow ssh access only to users A and B and disallow all the others AllowUsers user_a user_b # deny ssh access only to users A and B and allow all the others DenyUsers user_a user_b |
in this way the SSH demon triggers a faster failure+ban for the disallowed users.
Source: debianizzati, digitalocean, stackoverflow
~~~ * ~~~
2024-03-09
1 | apt-get install nut # install server
|
Set MODE=standalone
in /etc/nut/nut.conf
.
Append the user definition in /etc/nut/upsd.users
:
1 2 3 4 | [monuser] password = ApAssWorD allowfrom = localhost upsmon master |
Optionally, set the daemon to listen only on IPv4 (defaults to both v4 and v6), append in /etc/nut/upsd.conf
:
1 | LISTEN 127.0.0.1 3493 |
I had a Powercom KIN-1200AP
connected via an USB to serial converter:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | # find the converter lsusb | grep Serial # Bus 001 Device 009: ID 067b:2303 Prolific Technology, Inc. PL2303 Serial Port # create an udev rule to fix its device name, # append this in /etc/udev/rules.d/10-local.rules ACTION=="add", KERNEL=="ttyUSB[0-9]*", SUBSYSTEMS=="usb", ATTRS{idVendor}=="067b", ATTRS{idProduct}=="2303", SYMLINK+="ttyUSB_UPS" # append the UPS definition in /etc/nut/ups.conf [myups] driver = powercom port = /dev/ttyUSB_UPS desc = "Main supply" loadPercentage = {6.1343,-0.3808,1.075,0.1811} batteryPercentage = {5.0000,0.3268,-825.00,0.46511,0} |
Now I have a Line-Interactive Eaton 5E 850i
connected via USB:
1 2 3 4 5 | # append the UPS definition in /etc/nut/ups.conf [myups] driver = usbhid-ups port = auto desc = "Main supply" |
If you encounter the error usb_submit_urb(ctrl) failed: -1
when pluggin in the USB cable then append to your kernel boot params the NOGET quirk for this UPS (idVendor=0463, idProduct=ffff):
1 | usbhid.quirks=0x0463:0xffff:0x08 |
Check the configured UPS status with the command upsc myups
.
Configure the monitor in /etc/nut/upsmon.conf
:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | MONITOR myups@localhost 1 monuser ApAssWorD master # setup a custom script to notify you NOTIFYCMD /opt/ups/nut_notify_cmd.sh # customize notification messages NOTIFYMSG ONLINE "UPS: Power restored - shutdown cancelled" NOTIFYMSG ONBATT "UPS: Power failure - shutdown countdown started" NOTIFYMSG REPLBATT "UPS: Battery exhausted, replacement needed" NOTIFYMSG SHUTDOWN "UPS: Battery low - running immediate shutdown" # enable some logging NOTIFYFLAG ONLINE SYSLOG+EXEC NOTIFYFLAG ONBATT SYSLOG+EXEC NOTIFYFLAG LOWBATT SYSLOG+WALL+EXEC NOTIFYFLAG REPLBATT SYSLOG+WALL+EXEC NOTIFYFLAG SHUTDOWN SYSLOG+WALL NOTIFYFLAG COMMOK SYSLOG NOTIFYFLAG COMMBAD SYSLOG |
Add the nut
user to dialout
group:
1 | useradd -G dialout nut |
Restart the services and test the ups:
1 2 3 4 5 6 | systemctl restart nut-driver systemctl restart nut-server systemctl restart nut-monitor upsc -l # list all monitored UPSes upsc myups # show UPS details and status |
Note: Uninstall xfce-powermanager
or you will get an USB communication error requiring a system reboot in order to clear it.
Note: To cleanly unmount VeraCrypt volumes you can use this NOTIFYCMD
script:
1 2 3 4 5 6 7 8 9 10 11 12 13 | #!/bin/bash # /opt/ups/nut_notify_cmd.sh - nut NOTIFYCMD script # put in /etc/sudoers.d/local: # nut raoul = (root) NOPASSWD: /sbin/shutdown, /opt/systemd-units/vc-mounter.rb if [ "$NOTIFYTYPE" = "ONBATT" ]; then /opt/bin/shutdown -h 600 & elif [ "$NOTIFYTYPE" = "ONLINE" ]; then sleep 3 # wait for first command to start /opt/bin/shutdown -c & fi |
that uses this useful shutdown script:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 | #!/usr/bin/ruby $VERBOSE = nil # /opt/bin/shutdown - emulate shutdown command and unmount VeraCrypt volumes require 'optparse' require 'shellwords' opts = {} OptionParser.new{|o| o.banner = "Usage: #{File.basename __FILE__} [options]" o.on('-r', '--reboot [N]', Float, 'Reboot after N seconds (default=0)') do |n| opts.merge! action: :reboot, delay: n.to_f end o.on('-h', '--poweroff [N]', Float, 'Poweroff after N seconds (default=0)') do |n| opts.merge! action: :shutdown, delay: n.to_f end o.on('-c', '--cancel', 'Cancel a pending operation') do |enabled| opts.merge! action: :cancel end opts.merge! help: o.to_s }.parse! case opts[:action] when :cancel `pgrep -fl vc-mounter.rb` if $?.to_i == 0 puts 'aborted' exit end # kill all but yourself pids = `pgrep -f ruby.*shutdown`.split("\n").map(&:to_i) - [Process.pid] pids.each{|pid| system "kill #{pid}" } when :reboot, :shutdown sleep opts[:delay] `sudo swapon | grep " file " | cut -f 1 -d " "`.strip.split("\n"). each{|f| system "sudo swapoff #{f.shellescape}" } system 'sudo /opt/systemd-units/vc-mounter.rb umount' system "sudo /usr/sbin/shutdown -#{opts[:action] == :reboot ? :r : :h} 0 &" else puts opts[:help] end |
Source: eaton ups setup
~~~ * ~~~
~~~ * ~~~
2024-03-06
1 2 3 4 5 | # from file convert image.gif[0] first_frame.gif # from stdin cat image.gif | convert -'[0]' first_frame.gif |
Source: stackoverflow
~~~ * ~~~
2024-03-04
- find your current locale
1 2 | locale | grep LC_TIME
# => LC_TIME="en_US.UTF-8"
|
edit the corresponding file
/usr/share/i18n/locales/en_US
change values to your liking:
1 2 3 4 | d_t_fmt "%a %d %b %Y %T %Z" d_fmt "%Y//%m//%d" t_fmt "%T" date_fmt "%a %d %b %Y %T %Z" |
- regenerate locales and re-login
1 2 | locale-gen update-locale |
Source: linuxopsys