Category: Linux

Extending an XFS partition on CentOS

I came across the need to extend a partition on a CentOS VM deployed in Azure which was not using LVM, just a plain XFS partition. This seems to be a common way the templates are deployed in Azure.

I won’t go into detail on how you increase the disk space at the virtualization layer; I’ll leave that to you, since it’s different for every platform and a fairly basic task.

This example is for increasing /dev/sda2. Let’s say you’ve increased your disk from 32GB to 64GB, but when you issue the command below to list your filesystems, you still see it at 32GB!

df -h

Resulting Output - 

Filesystem Size Used Avail Use% Mounted on
udev 1.5G 0 1.5G 0% /dev
tmpfs 291M 33M 259M 12% /run
/dev/sda2 32G 3.9G 32G 11% /
tmpfs 1.5G 4.0K 1.5G 1% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 1.5G 0 1.5G 0% /sys/fs/cgroup
/dev/vda1 472M 171M 277M 39% /boot
tmpfs 291M 0 291M 0% /run/user/0

From here, you’ll want to run the command below to see that the OS is recognizing the increased space and just hasn’t allocated it to a partition yet –

fdisk -l

Resulting Output - 

Disk /dev/vda: 64 GiB, 42949672960 bytes, 83886080 sectors

Now that we have confirmed the OS is seeing the extra space, let’s assign it to the partition we need –

1) fdisk /dev/sda (opens the disk in interactive mode; with the -l flag fdisk would only list the partition table and exit)
2) p (This will print the existing partition table; note the Start sector of partition 2, you will need it in step 9)
3) d (This will enter delete mode to remove a partition)
4) 2 (This is the partition number we want to delete)
5) p (This will print the partition table again to confirm)
6) n (Wizard to create a new partition)
7) p (This selects the type of partition, in our case p for primary)
8) 2 (Reuse the partition number we had previously)
9) First sector - just press enter to accept the default, but check that it equals the Start sector you noted in step 2; a different start sector would destroy the filesystem
10) Last sector - same as above, this will ensure it’s assigned all the available free space on that disk
11) w (This will write the new partition table to disk)

After completing the above steps, you will be given a warning about the device or resource being busy; don’t worry, this is completely fine, the kernel is simply still using the old partition table. One more command before we reboot –

partprobe

This tries to synchronize the new partition table with the kernel, but it will fail because the root partition is in use and a reboot is required for the change to take effect. Reboot now and execute the final step once back up –

xfs_growfs /

This grows the XFS filesystem into all the free space now available in the partition, and we should be fine!

Generating a CSR to use with your own CA

This method of generating the certificate from a CSR is useful for a web server: without the subjectAltName (SAN) extension under req_ext, most popular browsers will reject the certificate with NET::ERR_CERT_COMMON_NAME_INVALID, because they no longer look at the CN at all.

[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = example.com
# placeholder address, replace with your own
emailAddress = hostmaster@example.com
O = Example Company
OU = Example Unit
L = City
ST = State
C = US

[ req_ext ]
subjectAltName = DNS:www.example.com, DNS:mail.example.com, DNS:files.example.com

Fill in the above with relevant details and save it as yourdomain.com.conf. Every hostname the server will answer for must appear in subjectAltName, including the one used as CN, since browsers only check the SAN list. Then, run OpenSSL using the command below:

openssl req -new -config yourdomain.com.conf -keyout yourdomain.com.key -out yourdomain.com.csr 
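As an added illustration (not part of the original post), the Python below mimics how a current browser decides whether a certificate covers a hostname: only the SAN list is consulted and the CN is ignored, which is why example.com itself would still fail against the SAN list above. The RFC 6125 wildcard rules are implemented in simplified form (a wildcard must be the whole left-most label and matches exactly one label).

```python
from __future__ import annotations


def san_matches(hostname: str, san_dns: list[str]) -> bool:
    """True if hostname is covered by one of the DNS subjectAltName entries.

    Simplified RFC 6125 rules: labels compare case-insensitively, a wildcard
    must be the whole left-most label, it matches exactly one label, and it
    is not accepted for a name as short as *.com.
    """
    host = hostname.lower().rstrip(".").split(".")
    for entry in san_dns:
        pattern = entry.lower().rstrip(".").split(".")
        if len(pattern) != len(host) or pattern[1:] != host[1:]:
            continue  # a wildcard never spans several labels
        if pattern[0] == host[0] or (pattern[0] == "*" and len(pattern) >= 3):
            return True
    return False


def browser_verdict(hostname: str, cn: str, san_dns: list[str]) -> str:
    """What a current browser reports: the SAN list decides, the CN is never consulted.

    cn is accepted as a parameter only to make it visible that it plays no part.
    """
    if san_matches(hostname, san_dns):
        return "OK"
    # Reached both when the name is missing from the SAN list and when there is
    # no SAN extension at all, even if cn == hostname.
    return "NET::ERR_CERT_COMMON_NAME_INVALID"


if __name__ == "__main__":
    # Values from the config above: example.com is the CN but not in the SAN list.
    CN = "example.com"
    SANS = ["www.example.com", "mail.example.com", "files.example.com"]
    for host in ("www.example.com", "example.com", "api.example.com"):
        print(f"{host:18} {browser_verdict(host, CN, SANS)}")
```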

If you are doing this for an Apache web server, you’ll have to make sure you have the ssl module enabled (a2enmod ssl) and add the below to your VirtualHost configuration file. Keep the key file readable by root only, since encrypt_key = no leaves it unencrypted on disk.

SSLEngine on
SSLCertificateFile /home/user/certificates/yourhostcert.crt
SSLCertificateKeyFile /home/user/certificates/yourdomain.com.key
SSLCertificateChainFile /home/user/certificates/root_combined.cer

SNMP V3 on Ubuntu

We will be installing 3 packages to get SNMP up and running on Linux.

apt install snmpd snmp libsnmp-dev

OR

yum -y install net-snmp net-snmp-utils (on distributions that use yum)

Copy the default snmpd config file for backup purposes (if you want to)

cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak

Empty the file out by doing the below. Note that with an empty snmpd.conf the agent accepts SNMP on UDP 161 on all interfaces, so add an agentAddress line if it should only listen on specific addresses.

cat /dev/null > /etc/snmp/snmpd.conf

Stop the running service of snmpd by issuing the command

systemctl stop snmpd

Create your read-only user account for SNMPv3 (the tool must be run while snmpd is stopped). Replace “SUPERPASSWORD” and “USERNAME” with your own values: -A/-a set the authentication passphrase and protocol, -X/-x the privacy (encryption) passphrase and protocol, and the two passphrases do not have to be the same.

net-snmp-create-v3-user -ro -A SUPERPASSWORD -a SHA -X SUPERPASSWORD -x AES USERNAME

Now make the service start on bootup

systemctl enable snmpd

Start the service!

systemctl start snmpd

Find the DNS being used on linux

This is useful when troubleshooting network related issues and you need to find out which DNS servers are being used. Since resolv.conf is not really used much anymore, it’s most likely that your DNS settings are set in the NIC configuration file, which is located at /etc/network/interfaces.

You can also print which DNS is being used on a per interface basis by doing the below – 

Identify the NIC you want to use by running

ifconfig

Once the names of the NICs have been printed, find the one you want and issue this command

nmcli device show <INTERFACE NAME> | grep IP4.DNS

Obviously replace the “<INTERFACE NAME>” with you know what.

Expanding disks in Linux

So expanding disks in Linux seems to be somewhat of a headache sometimes. The easiest method I have found is, once you have increased the space via your hypervisor, to expand the partition by booting into a live ISO and using the partition manager there. Once that is done, apply the changes, reboot and extend the volume from inside the OS.

You will want to use the below commands to find the name of the volume – 

fdisk -l
df -h

Afterwards, you can use the command below to add the newly added free space to your logical volume; the -r flag also resizes the filesystem on it in the same step –

lvextend -r -l +100%FREE /dev/mapper/***VOLUMEGOESHERE***

Bash script loops

I’ve recently had to do a project where I needed to launch a specific application on login of a user account in an Ubuntu environment, and where, if it was closed, it would re-open again countless times. This is accomplished with the below –

sudo install -b -m 755 /dev/stdin /opt/autolaunch.sh << 'EOF'  # quoted EOF: nothing inside the script is expanded while installing
#!/bin/bash
# Keep the display on: disable DPMS power saving and the X screensaver
xset -dpms
xset s off

# Relaunch the application every time it exits
while true; do
    ***APPLICATION COMMAND GOES HERE***
    sleep 1   # avoid a tight loop if the application fails to start
done
EOF

The above installs the script at /opt/autolaunch.sh, from where it is launched at startup. The first two commands disable power saving and the screensaver. The last part is the while loop that relaunches the application whenever it exits.

SSH Security on Linux

I have installed a service called “Fail2Ban” which I have found greatly useful: it dynamically updates the iptables rules on your machine, blocking IPs that have had too many failed login attempts via SSH. You can configure it with the commands below –

1) Install the application
apt-get install fail2ban

2) Familiarise yourself with the sample config file /etc/fail2ban/jail.conf

3) Make a new “jail.local” file in the above directory with your favourite text editor. I use nano in my case. 

nano /etc/fail2ban/jail.local

4) Add the options you wish to use from the service; I’ve added the below to control SSH logins –

[DEFAULT]
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600

With the above options we have chosen to ban after 5 incorrect attempts within Fail2Ban’s findtime window (left at its default of 10 minutes here), with a total ban time of 3600 seconds. What’s good to note about “jail.local” is that Fail2Ban keeps its default configuration in /etc/fail2ban/jail.conf but also loads jail.local, whose settings override it. So it’s best to leave the default config file as is, since it may be replaced in a version upgrade by the authors!
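To make the maxretry/findtime/bantime logic concrete, here is an added Python sketch (my own, not Fail2Ban’s code) that applies the jail settings above to a few constructed auth.log lines; findtime = 600 s is assumed, as the jail.local above does not set it and that is Fail2Ban’s default.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Settings from the jail.local above; findtime is Fail2Ban's default, not set in the post.
MAXRETRY = 5
FINDTIME = timedelta(seconds=600)
BANTIME = timedelta(seconds=3600)
# Own regex covering a subset of the failure lines the stock sshd filter recognises.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; assume one so the lines can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(lines):
    """Return {ip: (ban_start, ban_end)} for each IP with MAXRETRY failures inside FINDTIME."""
    failures = defaultdict(list)
    bans = {}
    for line in lines:
        m = FAILURE_RE.search(line)
        if not m:
            continue
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans and when < bans[ip][1]:
            continue  # still banned: iptables would have rejected this connection anyway
        hits = [t for t in failures[ip] if when - t < FINDTIME] + [when]
        failures[ip] = hits
        if len(hits) >= MAXRETRY:
            bans[ip] = (when, when + BANTIME)  # what the banaction turns into an iptables rule
            failures[ip] = []
    return bans
# Constructed auth.log lines: 203.0.113.7 fails five times in 90 s, 198.51.100.9 only twice.
SAMPLE_LOG = [
    "Mar  3 10:00:01 web sshd[2101]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "Mar  3 10:00:12 web sshd[2101]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "Mar  3 10:00:40 web sshd[2104]: Invalid user admin from 203.0.113.7 port 51010",
    "Mar  3 10:00:41 web sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51010 ssh2",
    "Mar  3 10:01:05 web sshd[2109]: Failed password for root from 198.51.100.9 port 40022 ssh2",
    "Mar  3 10:01:30 web sshd[2110]: Failed password for root from 203.0.113.7 port 51020 ssh2",
    "Mar  3 10:02:00 web sshd[2112]: Failed password for root from 198.51.100.9 port 40023 ssh2",
    "Mar  3 10:05:00 web sshd[2120]: Accepted publickey for deploy from 192.0.2.10 port 2222 ssh2",
]

if __name__ == "__main__":
    for ip, (start, end) in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```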

After the above is done, you will want to activate some basic iptables rules, such as the below, to allow SSH connections to the machine in the first place. I have also included ports 80 and 443, as mine is a web server. Fail2Ban inserts its own chain at the top of INPUT, so its bans are evaluated before the ACCEPT for port 22.

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
sudo iptables -A INPUT -j DROP

You will now want to make these rules persistent, so that they do not disappear after a reboot (this requires the iptables-persistent package; reconfiguring it saves the current rules).

sudo dpkg-reconfigure iptables-persistent

That’s it, we now have a setup ready to function and block/ban potentially malicious login attempts. Let’s restart the service and be done with it! (I prefer stopping and starting services, just so I feel in control of what’s going on.)

sudo service fail2ban stop
sudo service fail2ban start

One final step is to check that the newly implemented rules are indeed working. From a test client, attempt to SSH into the server with wrong credentials the number of times you chose above; once the connection is refused instead of answered, you should see a new iptables rule in your list.

You may check that by issuing 

sudo iptables -S

You should see a rule similar to the below (newer Fail2Ban versions name the chain f2b-sshd instead of fail2ban-ssh)

-A fail2ban-ssh -s X.X.X.X/32 -j REJECT --reject-with icmp-port-unreachable