Thursday, November 29, 2012

Cannot retrieve repository metadata (repomd.xml) for repository: updates. Please verify its path and try again


Error: Cannot retrieve repository metadata (repomd.xml) for repository: updates. Please verify its path and try again

If you see this kind of error, initially don't do anything except reboot the server; this alone might work for you.
After the reboot try the “yum update” command.
If you are still getting the same error after the reboot, then try the steps below.
  1. vi /etc/yum.repos.d/fedora.repo
  2. Comment out the “baseurl”.
  3. Save it and exit.
  4. Then try to reboot and run the yum update command.

Then you should be able to update your servers.

If it is still failing and you have a proxy on your network, try going through the proxy with the configuration change below.

  1. vi /etc/yum.conf
  2. Add this line: “proxy=http://192.168.1.8:3128”
Then save and reboot; with that configuration you should be able to update from your repository.

Monday, November 19, 2012

Edit Virtual Machine Startup and Shutdown Settings

You can configure virtual machines running on an ESXi host to start up and shut down with the host. You can also set the default timing and startup order for selected virtual machines. This ability allows the operating system to save data when the host enters maintenance mode or is being powered off for another reason. This setting is disabled when DRS cluster is enabled.
Procedure
1. In the vSphere Client inventory, select the host where the virtual machine is located and click the Configuration tab.
2. Under Software, click Virtual Machine Startup/Shutdown and click Properties.
The Virtual Machine Startup and Shutdown dialog box opens.
3. Select Allow virtual machines to start and stop automatically with the system.


Friday, November 9, 2012

Configure fail2ban in Fedora server

If you need to monitor, or be mailed about, unauthorized logins to a Linux server, fail2ban is the perfect tool for the purpose. It traces unauthorized access attempts by watching the secure log file and mails a report to the configured email address (by default root).

To install fail2ban use the yum command
  • yum -y install fail2ban
Change the configuration settings

The files below need to be configured in order for fail2ban to work properly.

  1. /etc/fail2ban/jail.conf
  2. /etc/fail2ban/action.d/sendmail-whois.conf
  3. /etc/fail2ban/filter.d/sshd.conf

First go to the jail.conf file and change the configuration below.

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

Add your internal IP range to the ignore list.

# "bantime" is the number of seconds that a host is banned.
bantime = 600

The default ban time is 10 minutes; if you want to increase the ban time, change the setting above (the value is in seconds).

# "maxretry" is the number of failures before a host get banned.
maxretry = 3
You can change the maxretry level either here or in the particular service jail, which you will meet below.

# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=chamara@nic.lk, sender=fail2ban@ukusu.nic.lk]
logpath = /var/log/secure
maxretry = 3

In the above settings, enabled should be true, and dest and sender should be edited as necessary to enable your mail facility. Even if you don't mention mail IDs, the notification will be forwarded to root's mail folder.
Note: If you use a different port or protocol for SSH, then you should change port=ssh and protocol=tcp accordingly.
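To see what the jail above actually does with the secure log, here is a small Python replay of the ban logic. It is an added example, not part of the original post and not code from fail2ban itself: it applies a "Failed password" pattern like the one in filter.d/sshd.conf over a few constructed log lines, honours ignoreip, and bans a host once maxretry failures land inside the findtime window (600 seconds, fail2ban's default, which the jail above does not change). The log lines, hostname and addresses are made up.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in /var/log/secure format; the hostname and the
# client addresses are made up, nothing here comes from a real server.
SAMPLE_SECURE_LOG = """\
Nov  9 10:00:01 ukusu sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Nov  9 10:00:04 ukusu sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Nov  9 10:00:09 ukusu sshd[2013]: Failed password for root from 203.0.113.7 port 51530 ssh2
Nov  9 10:00:15 ukusu sshd[2015]: Failed password for chamara from 192.168.1.25 port 40110 ssh2
Nov  9 10:00:20 ukusu sshd[2015]: Failed password for chamara from 192.168.1.25 port 40110 ssh2
Nov  9 10:00:25 ukusu sshd[2015]: Failed password for chamara from 192.168.1.25 port 40110 ssh2
Nov  9 10:00:30 ukusu sshd[2017]: Accepted password for chamara from 192.168.1.25 port 40112 ssh2
Nov  9 10:30:00 ukusu sshd[2100]: Failed password for root from 198.51.100.9 port 50000 ssh2
Nov  9 10:45:00 ukusu sshd[2101]: Failed password for root from 198.51.100.9 port 50001 ssh2
Nov  9 11:00:00 ukusu sshd[2102]: Failed password for root from 198.51.100.9 port 50002 ssh2
"""

# Same shape as the "Failed password" line in filter.d/sshd.conf; the <HOST>
# placeholder of the fail2ban filter is the named group "host" here.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)


def parse_ignoreip(value):
    """Turn jail.conf's space separated "ignoreip" value into network objects."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]


def is_ignored(host, networks):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)


def scan_secure_log(text, ignoreip="127.0.0.1", maxretry=3, findtime=600,
                    bantime=600, year=2012):
    """Replay the jail over a log: a host with maxretry failures inside findtime
    seconds is banned for bantime seconds, unless it matches ignoreip."""
    networks = parse_ignoreip(ignoreip)
    recent = defaultdict(list)   # host -> failure timestamps still inside findtime
    bans = []                    # (host, ban_start, ban_end)
    ignored = set()
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                # not a failed login, e.g. "Accepted password"
        host = m.group("host")
        # syslog timestamps carry no year, so one is supplied explicitly
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        if is_ignored(host, networks):
            ignored.add(host)
            continue
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        if len(window) >= maxretry:
            bans.append((host, ts, ts + timedelta(seconds=bantime)))
            window = []             # the counter starts over once the host is banned
        recent[host] = window
    return {"bans": bans, "ignored": sorted(ignored)}


if __name__ == "__main__":
    result = scan_secure_log(SAMPLE_SECURE_LOG, ignoreip="127.0.0.1 192.168.1.0/24")
    for host, start, end in result["bans"]:
        print(f"ban {host} from {start:%H:%M:%S} until {end:%H:%M:%S}")
    print("ignored:", result["ignored"])
```

With the internal range in ignoreip, only 203.0.113.7 is banned (three failures within eight seconds); 198.51.100.9 also fails three times but fifteen minutes apart, so it never reaches maxretry inside findtime, which is why a slow guesser is not caught by this jail alone.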

In sendmail-whois.conf, comment out the lines below if you do not need the fail2ban service start and stop mails.

#actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
# From: Fail2Ban <<sender>>
# To: <dest>\n
# Hi,\n
# The jail <name> has been started successfully.\n
# Regards,\n
# Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
#actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
# From: Fail2Ban <<sender>>
# To: <dest>\n
# Hi,\n
# The jail <name> has been stopped.\n
# Regards,\n
# Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>


In sshd.conf, just go through the file and check whether there is any unwanted filtering for the SSH ban.

Enjoy the fail2ban service for SSH.

Monday, October 1, 2012

Dell SEL Full Error message on LCD status panel

A Dell PowerEdge R300 server is displaying the I1912 SEL Full warning message.

Reference : http://support.dell.com/support/edocs/systems/pe1950/en/hom/pdf/html/about.htm

Friday, September 21, 2012

Monday, September 17, 2012

How to give a standard Ubuntu User full root permissions


Reference : http://bobbyallen.wordpress.com/2007/01/15/how-to-give-a-standard-ubuntu-user-full-root-permissions/

How to Setup TFTP on Ubuntu 11.10


Reference : http://icesquare.com/wordpress/how-to-setup-tftp-on-ubuntu/

Friday, September 7, 2012

Follow me settings does not work with Mobile numbers


OS : Free PBX 2.10

Issue : I have added follow me settings to one extension, and they included an internal extension and a mobile number. These settings only worked for the internal extension.

Solution : I added the mobile number followed by #, and then it worked fine. Both the internal extension and the mobile number rang for follow me.

488 Not Acceptable with Grandstream Phone and Free PBX 2.10

If you get this kind of error, you should check the codec used by the phone and which codecs are enabled on the server.

First, check through the phone display which codec the phone uses.
In FreePBX 2.10 go to Settings ----> Asterisk SIP Settings -----> Audio Codecs
and make sure the phone's supported codecs are enabled.

This is almost always a codec issue.

Tuesday, September 4, 2012

SIP server Outside Call access

OS : Free PBX 2.10

Requirement : I have a FreePBX VoIP server, and one ISP has provided a SIP trunk. The VoIP server runs without issue and incoming and outgoing calls work fine. The SIP trunk doesn't have a static IP, but we do have a static IP with another ISP, and that link is also plugged into the VoIP server.
I need to configure SIP phones to make calls through my VoIP server while they are out of the network (outside).

There are several steps that you must follow for such a configuration.

  1. All signaling and media ports should be forwarded to Asterisk (UDP and TCP port 5060 for signaling).
  2. The extensions/devices are set up to be NATed.

This configuration should be done only if both the SIP server and the client are behind NAT.



In order to accomplish the above we need to apply some configuration information into FreePBX, some Asterisk configuration files and on your firewall/router.
Internal/External Network Information
You must edit or create the file sip.conf typically found in your /etc/asterisk directory and make sure it is owned by asterisk. We will assume that you have an internal network of 192.168.1.0/255.255.255.0 and that you have a static IP address of 24.72.182.16. If you have a dynamic IP, see the notes that follow. In this situation, you need to create or edit the following entries in your sip.conf file:
nat=yes
externip=24.72.182.16
localnet=192.168.1.0/255.255.255.0

This tells Asterisk what IP address range is internal vs. external so that it can rewrite the SIP headers appropriately. If you have a dynamic address instead of a static address then you need to modify the above. You will need a domain name for the host; let’s assume you are using dyndns.com’s free service and have chosen the name mydomain.dyndns.org. Then your sip.conf file would look like the following:
externhost=mydomain.dyndns.org
externrefresh=120
localnet=192.168.1.0/255.255.255.0
nat=yes


Where externrefresh tells Asterisk to recheck the IP address every 120 seconds in this case. You should adjust this higher or lower based on the frequency that this changes.

Firewall/Router Configuration
The default installation of FreePBX is configured to use UDP port 5060 as the SIP signaling port and UDP ports 10001-20000 as the RTP media ports. All these ports must be forwarded to your FreePBX system. How to do this varies widely depending on the firewall or equipment that you are using. It is commonly referred to as port forwarding or destination NAT (DNAT). Whatever it is called, if we assume in this example that your FreePBX system has an internal IP address of 192.168.1.100 then you will want:
  • UDP/5060 -> Forward to 192.168.1.100
  • UDP/10001-20000 -> Forward to 192.168.1.100
Extension Information

We will assume you are using FreePBX in Extension mode but if you are using Devices/Users the same applies on the Devices page. You need to configure the extension with NAT enabled so that Asterisk knows this device is NATed and can apply the SIP rewriting rules that you previously configured in the sip.conf file. Navigate to the desired extension and scroll down to the Device Options Section.
The configuration option nat must be set to yes, and you may want to set qualify to yes as well, although it is not necessary.
With these steps, when properly configured, your external device should be able to communicate with your FreePBX server, unless you have issues on the remote end where the device is located because of badly behaved firewalls. The remote device should be configured to use your external IP address or domain name as configured above in the sip.conf file.


Thursday, August 16, 2012

Device eth0 does not seem to be present, delaying initialization


Cloned VMware Fedora 13 Server and "device eth0 does not seem to be present, delaying initialization" Error

Recently, I cloned a vmware install of Fedora 13 and after firing up the clone and trying to start networking received the error: "device eth0 does not seem to be present, delaying initialization"

It turns out that the NIC on the cloned machine was being renamed and registered to eth1.

To list the current ethn devices:

# ls /sys/class/net
eth1 lo

There is a device manager, udev, which stores the settings of the NIC from the VM prior to the cloning process. When you clone a VM it also changes the MAC address of the NIC, and as a result the VM sees it as a new NIC and assigns it to /dev/eth1.

As a result, we now have to edit the udev config file as well as the ifcfg-eth0 file to get the newly updated virtual NIC to operate as the eth0 device.

First, edit: /etc/udev/rules.d/70-persistent-net.rules

# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.

# PCI device 0x15ad:0x07b0 (vmxnet3) (custom name provided by external tool)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:bc:00:45", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
### Delete this line

# PCI device 0x15ad:0x07b0 (vmxnet3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:bc:00:46", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
### Change eth1 to eth0

Delete the first SUBSYSTEM entry in the file.

Update the 'eth1' attribute in the remaining entry to 'eth0'

Edit /etc/sysconfig/network-scripts/ifcfg-eth0

Change the HWADDR to match the new MAC address listed in the newly edited 70-persistent-net.rules file.
Then reboot, or restart the network service.
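As an added check (my own Python, not from the source article or from udev), here is a script that reads the two files involved, compares them against the MACs actually present on the VM (what /sys/class/net/*/address would show), reports why eth0 will not come up, and produces the corrected versions of both files. The file contents and the MAC addresses below are constructed to mirror the situation above.

```python
import re

# Constructed copies of the two files as found on a freshly cloned VM
# (illustrative VMware-style MACs, not taken from a real machine).
RULES_BEFORE = """\
# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.

# PCI device 0x15ad:0x07b0 (vmxnet3) (custom name provided by external tool)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:bc:00:45", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x15ad:0x07b0 (vmxnet3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:bc:00:46", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
"""

IFCFG_ETH0_BEFORE = """\
DEVICE=eth0
HWADDR=00:50:56:BC:00:45
ONBOOT=yes
BOOTPROTO=dhcp
"""

# MACs of the NICs that exist after cloning: only the new address is present.
PRESENT_MACS = ["00:50:56:bc:00:46"]

RULE_RE = re.compile(r'ATTR\{address\}=="(?P<mac>[0-9A-Fa-f:]{17})".*?NAME="(?P<name>[^"]+)"')


def parse_persistent_net_rules(text):
    """Return [(mac, name)] for every active rule line, MACs lower-cased."""
    out = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = RULE_RE.search(line)
        if m:
            out.append((m.group("mac").lower(), m.group("name")))
    return out


def parse_ifcfg(text):
    """KEY=VALUE lines of an ifcfg-* file as a dict, quotes stripped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            cfg[k.strip()] = v.strip().strip('"')
    return cfg


def audit_clone(rules_text, ifcfg_text, present_macs):
    """List the reasons the interface named in ifcfg will not come up here."""
    present = {m.lower() for m in present_macs}
    rules = parse_persistent_net_rules(rules_text)
    cfg = parse_ifcfg(ifcfg_text)
    issues = []
    for mac, name in rules:
        if mac not in present:
            issues.append(f"stale udev rule: {name} is reserved for {mac}, which no longer exists")
    device = cfg.get("DEVICE", "eth0")
    live = {name: mac for mac, name in rules if mac in present}
    if device not in live:
        issues.append(f"no live NIC is named {device}; udev names the live NIC(s) {sorted(live)}")
    elif cfg.get("HWADDR", "").lower() != live[device]:
        issues.append(f"HWADDR in ifcfg-{device} does not match {live[device]}")
    return issues


def rewrite_rules(rules_text, present_macs, wanted_name="eth0"):
    """Drop rules for NICs that are gone; if one live NIC remains, name it wanted_name."""
    present = {m.lower() for m in present_macs}
    live = [mac for mac, _ in parse_persistent_net_rules(rules_text) if mac in present]
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.search(line)
        if m and m.group("mac").lower() not in present:
            if out and out[-1].startswith("# PCI device"):
                out.pop()                     # drop the pre-clone NIC's comment too
            continue                          # and the pre-clone NIC's rule
        if m and len(live) == 1:
            line = re.sub(r'NAME="[^"]+"', f'NAME="{wanted_name}"', line)
        out.append(line)
    return "\n".join(out) + "\n"


def rewrite_ifcfg(ifcfg_text, new_mac):
    """Point HWADDR at the MAC udev now binds to the device."""
    if re.search(r"(?m)^HWADDR=", ifcfg_text):
        return re.sub(r"(?m)^HWADDR=.*$", f"HWADDR={new_mac}", ifcfg_text)
    return ifcfg_text + f"HWADDR={new_mac}\n"


if __name__ == "__main__":
    for issue in audit_clone(RULES_BEFORE, IFCFG_ETH0_BEFORE, PRESENT_MACS):
        print("found:", issue)
    print(rewrite_rules(RULES_BEFORE, PRESENT_MACS))
    print(rewrite_ifcfg(IFCFG_ETH0_BEFORE, PRESENT_MACS[0]))
```

On a real box you would read the two files from /etc/udev/rules.d and /etc/sysconfig/network-scripts and build the present_macs list from /sys/class/net; the audit should come back empty after the rewritten files are in place and before you reboot.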

Source : http://www.ryanchapin.com/fv-b-4-655/Cloned-VMware-CentOS6-Server-and--quot-device-eth0-does-not-seem-to-be-present--delaying-initialization-quot--Error-.html

Friday, August 10, 2012

Copy remote content in vi editor

You can copy the content of one file into another file using the vi editor.
Say, for example, you need to copy the content of the test1 file into the test2 file.
Open test2 in vi (vi test2),
then press the Esc key and the : key,
and type the command below.
r !cat /root/test1

Tuesday, August 7, 2012

Cloning Virtual Machine in VMware ESXI


To clone a virtual machine disk using the ESXi host terminal:
  1. Log into the VMware ESXi host's terminal.
  2. Navigate to the virtual machine's directory using the cd command. It is located at:

    /vmfs/volumes/datastore1/virtual_machine_name/
  3. Confirm the destination directory where the clone will be copied to. Create this directory if required.

    For example, if this destination directory does not exist:

    /vmfs/volumes/datastore1/virtual_machine_name/
    (refer to "clone" in the command below)

    Create the directory using this command:

    mkdir /vmfs/volumes/datastore1/virtual_machine_name/
    (refer to "test" in the command below)
  4. Clone the virtual hard disk using the vmkfstools -i command:

    # vmkfstools -i "/vmfs/volumes/datastore1/clone/clone.vmdk" /vmfs/volumes/datastore1/test/test.vmdk

    Note: Encapsulate paths in quotes where appropriate to ensure spaces and other special characters are interpreted correctly.

    The output appears similar to:

    Destination disk format: VMFS thick
    Cloning disk '/vmfs/volumes/datastore1/test/test.vmdk'...
    Clone: 100% done.
  5. Then log on using the VMware vSphere client and create a virtual machine using an existing hard disk.
  6. Finally point the new virtual machine at the test.vmdk hard disk. You can finish the process within 10 minutes.

Source : http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1027876

Tuesday, July 24, 2012

Authentication refused: bad ownership or modes for directory - autologin ssh


Auto login SSH is not working properly.

Even though I followed the guide for auto login SSH, it didn't work as I expected. It always asks for the user password.

Run the command below to get a clue about what went wrong.

ssh -v dave@new-server.com

OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to new-server.com [12.34.56.78] port 22.
debug1: Connection established.
debug1: identity file /Users/dave/.ssh/identity type -1
debug1: identity file /Users/dave/.ssh/id_rsa type 1
debug1: identity file /Users/dave/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'new-server.com' is known and matches the RSA host key.
debug1: Found key in /Users/dave/.ssh/known_hosts:8
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/dave/.ssh/identity
debug1: Offering public key: /Users/dave/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /Users/dave/.ssh/id_dsa
debug1: Next authentication method: password
dave@new-server.com's password:
The above log was not helpful for troubleshooting the issue, but I checked the secure log of the remote server by issuing the command below.

tail -F /var/log/secure
Sep 14 01:26:31 new-server sshd[22107]: Authentication refused: bad ownership or modes for directory /home/dave/
Sep 14 01:26:46 new-server sshd[22108]: Connection closed by 98.76.54.32

Checked the permissions of the folders below on the remote server
  1. .ssh
  2. authorized_keys
  3. /home/dave/

Set the permissions below on .ssh and authorized_keys

  • chmod 600 .ssh/authorized_keys 
  • chmod 700 .ssh 

But this also didn't correct my problem, so I checked my home folder permissions by issuing the command below.

  • ls -la /home/dave
drwxr-xrwx 11 dave       dave        20480 2012-07-24 16:18 dave

Then I set the permission to the user only.

 chmod 700 /home/dave/
This solved my problem and I was able to log in without a password.
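sshd's StrictModes check is what produced that "bad ownership or modes" line: the authorized_keys file and every directory from it up to and including the home directory must be owned by the user (or root) and must not be group- or world-writable, and the drwxr-xrwx above fails the second rule. The Python below is an added example, not from the original post or from OpenSSH: it reproduces that walk over a constructed stat table so you can see exactly which path trips the check, and real_stat can be swapped in to run it against a live server.

```python
import os
import stat

# Constructed stat table mirroring the state in the post: 0o757 is the
# "drwxr-xrwx" that ls -la showed, i.e. a world-writable home directory.
DAVE_UID = 1000
CLONED_STATE = {
    "/home/dave/.ssh/authorized_keys": (DAVE_UID, stat.S_IFREG | 0o600),
    "/home/dave/.ssh": (DAVE_UID, stat.S_IFDIR | 0o700),
    "/home/dave": (DAVE_UID, stat.S_IFDIR | 0o757),
}


def table_stat(table):
    """Build a stat function over an in-memory table of (uid, mode)."""
    return lambda path: table[path]


def real_stat(path):
    """The same shape of answer from the live filesystem."""
    st = os.stat(path)
    return st.st_uid, st.st_mode


def strict_modes_problems(home, uid, stat_fn, keyfile=".ssh/authorized_keys"):
    """Apply the rule sshd applies under StrictModes: the key file and every
    directory from it up to (and including) the home directory must be owned
    by the user or root and must not be group- or world-writable."""
    home = os.path.normpath(home)
    target = os.path.join(home, keyfile)
    paths = [target]
    d = os.path.dirname(target)
    while True:
        paths.append(d)
        if d == home or d == os.path.dirname(d):   # stop at home (or at "/")
            break
        d = os.path.dirname(d)
    problems = []
    for path in paths:
        st_uid, st_mode = stat_fn(path)
        if st_uid not in (0, uid):
            problems.append(f"{path}: owned by uid {st_uid}, must be {uid} or root")
        if st_mode & 0o022:            # group- or world-writable bit set
            problems.append(f"{path}: mode {stat.S_IMODE(st_mode):04o} is group/world writable")
    return problems


def chmod_in_table(table, path, mode):
    """Return a copy of the table with `path` re-moded, as chmod would do."""
    fixed = dict(table)
    st_uid, st_mode = fixed[path]
    fixed[path] = (st_uid, stat.S_IFMT(st_mode) | mode)
    return fixed


if __name__ == "__main__":
    print("before:", strict_modes_problems("/home/dave", DAVE_UID, table_stat(CLONED_STATE)))
    after = chmod_in_table(CLONED_STATE, "/home/dave", 0o700)
    print("after chmod 700 /home/dave:", strict_modes_problems("/home/dave", DAVE_UID, table_stat(after)))
```

Note that the chmod 600 and chmod 700 on the key file and .ssh were correct but not sufficient; the walk continues up to the home directory, which is where the refusal came from.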

Friday, July 20, 2012

OpenVPN integration with LDAP on Debian


OpenVPN, or Open Virtual Private Network, is a tool for creating networking "tunnels" between and among groups of computers that are not on the same local network. This is useful if you have services on a local network and need to access them remotely but don't want these services to be publicly accessible. By integrating with OpenSSL, OpenVPN can encrypt all VPN traffic to provide a secure connection between machines.
The OpenLDAP backend allows you to integrate all kinds of applications and to realize centralized account management. This tutorial shows you how to integrate OpenVPN with the OpenLDAP backend on Debian 6.0; passwords will be stored in LDAP and you can change passwords through webmail.
This tutorial is based on Debian 6.0, so I suggest you set up a minimal Debian 6.0 system with SSH; make sure you install all updates. Then install the packages below.

1 Install OpenVPN

Install OpenVPN and ldap support:
apt-get install openvpn openvpn-auth-ldap
Install dnsmasq:
To forward DNS traffic through the VPN you will need to install the dnsmasq package:
apt-get install dnsmasq



2 easy-rsa

The OpenVPN package provides a set of encryption-related tools called "easy-rsa". These scripts are located by default in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. However, in order to function properly, these scripts should be located in the /etc/openvpn directory.
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn

Configure Public Key Infrastructure Variables

Before we can generate the public key infrastructure for OpenVPN we must configure a few variables that the easy-rsa scripts will use. These variables are set near the end of the /etc/openvpn/easy-rsa/2.0/vars file; edit that file according to your environment. Here is an example of the relevant values:
export KEY_COUNTRY="LK"
export KEY_PROVINCE="Western"
export KEY_CITY="Piliyandala"
export KEY_ORG="LK DOMAIN"
export KEY_EMAIL="sashika@suren.lk"



Initialize The Public Key Infrastructure (PKI)

Issue the following commands in sequence to initialize the certificate authority and the public key infrastructure:
cd /etc/openvpn/easy-rsa/2.0/
chmod +rwx *
source ./vars
./clean-all
./pkitool --initca

Generate Certificates

With the certificate authority generated you can generate the private key for the server. This script will also prompt you for additional information. By default, the Common Name for this key will be "server". You can change these values in cases where it makes sense to use alternate values. To accomplish this, issue the following command:
./pkitool --server server

Generate Diffie-Hellman Parameters

The Diffie-Hellman parameters govern the key exchange used by the OpenVPN server. Issue the following command to generate these parameters:
./build-dh

Relocate Secure Keys

The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them. These files are:
  • ca.crt
  • ca.key
  • dh1024.pem
  • server.crt
  • server.key
cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/
These files don't need to leave your server. Maintaining integrity and control over these files is of the utmost importance to the integrity of your server. If you ever need to move or back up these keys, ensure that they're encrypted and secured.

3 Configure OpenVPN Support For LDAP Auth

Configure OpenVPN auth OpenLDAP

Issue the following two commands in sequence to create the /etc/openvpn/auth folder and copy the example files of OpenVPN auth LDAP to the /etc/openvpn/auth directory.
mkdir /etc/openvpn/auth
cp /usr/share/doc/openvpn-auth-ldap/examples/auth-ldap.conf /etc/openvpn/auth

Now edit /etc/openvpn/auth/auth-ldap.conf:

auth-ldap.conf file:

<LDAP>
# LDAP server URL
URL ldap://192.168.8.68 ## Your LDAP server
# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com
BindDN uid=vpnuser,dc=example,dc=lk
# Bind Password
Password example.lk@123
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
#TLSEnable yes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
#TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
#TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
#TLSCertFile /usr/local/etc/ssl/client-cert.pem
#TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
#BaseDN "ou=People,dc=example,dc=com"
BaseDN "dc=example,dc=lk"
# User Search Filter
#SearchFilter "(&(uid=%u)(accountStatus=active))"
SearchFilter "(&(uid=%u))" ## This can be defined according to your LDAP server.
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
#<Group>
#BaseDN "ou=Groups,dc=example,dc=com"
#SearchFilter "(|(cn=developers)(cn=artists))"
#MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
#</Group>
</Authorization>

4 Configuring OpenVPN

We'll now need to configure our server file. There is an example file in the /usr/share/doc/openvpn/examples/sample-config-files directory. Issue the following sequence of commands to retrieve the example configuration files and move them to the required directories:
cd /usr/share/doc/openvpn/examples/sample-config-files
gunzip -d server.conf.gz
cp server.conf /etc/openvpn/

Now edit /etc/openvpn/server.conf:

server.conf file:

local 192.168.8.167 ## VPN server IP address
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.8.0 255.255.255.0" ##Your network
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
###LDAP Integration
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
client-cert-not-required

Client Configuration

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/2.0/keys/client.ovpn
cd /etc/openvpn/easy-rsa/2.0/keys

Edit the client.ovpn file to modify the following line:

Copy the client.ovpn and ca.crt files to your client system. You can also use mutt to send the files to your mailbox, then log into your email account and download them.
apt-get install mutt zip
cd /etc/openvpn/easy-rsa/2.0/keys
zip config.zip client.ovpn ca.crt
mutt -s "OpenVPN client config files" www@example.com -a /etc/openvpn/easy-rsa/2.0/keys/config.zip < /usr/share/doc/openvpn/README

client.ovpn file:

client
dev tun
proto udp
remote 192.168.8.167 1194
redirect-gateway def1
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt ## This is taken from VPN server
ns-cert-type server
comp-lzo
verb 3
#LDAP authentication
auth-user-pass

If you are using an Ubuntu/Fedora client machine, issue the command below to initialize the VPN connection:
openvpn client.ovpn

If you are using a Windows client machine, follow the steps below.

Installing OpenVPN GUI On Windows XP / Vista

Download the client software here: http://openvpn.net/index.php/openvpn-client.html. After installation, put the client.ovpn and ca.crt files to C:\Program Files\OpenVPN\config.
Now you can use the account www@example.com to connect to the VPN.

Tunnel All Connections through the VPN

By deploying the above configuration, you will be able to forward all traffic from client machines through your VPN and encrypt it with transport layer security (TLS/SSL) between the client machine and the VPN server.
Now you need to redirect traffic to the real network, therefore you should configure the VPN server as follows.
Now edit the /etc/sysctl.conf file to uncomment or add the following line to ensure that your system is able to forward IPv4 traffic:
File excerpt:/etc/sysctl.conf
net.ipv4.ip_forward=1
Issue the following command to set this variable for the current session:
echo 1 > /proc/sys/net/ipv4/ip_forward
Issue the following commands to configure iptables to properly forward traffic through the VPN:

# the server listens with "proto udp" in server.conf, so the INPUT rule must be udp as well
/sbin/iptables -A INPUT -p udp -i eth0 --dport 1194 -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -j ACCEPT
/sbin/iptables -A INPUT -i tun0 -j ACCEPT
/sbin/iptables -A POSTROUTING --table nat -s 10.8.0.0/24 -o eth0 -j MASQUERADE
/sbin/iptables -A OUTPUT -j ACCEPT
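One thing worth checking before restarting: the INPUT rule must match the proto and port in server.conf (udp/1194 in this tutorial), and a rule written with -p tcp for a server running proto udp silently leaves the VPN unreachable from outside. Here is an added Python checker, my own and not part of the tutorial or of OpenVPN, that reads a server.conf (stripping the inline ## comments used above) and looks for an INPUT ACCEPT rule covering that endpoint. The server.conf copy and the two candidate rules are constructed.

```python
import shlex
from collections import defaultdict

# Constructed server.conf in the style of the tutorial, inline "##" comments included.
SERVER_CONF = """\
local 192.168.8.167 ## VPN server IP address
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.8.0 255.255.255.0" ##Your network
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
client-cert-not-required
"""

# Two candidate INPUT rules (constructed): one written for TCP, one for UDP.
RULE_TCP = "/sbin/iptables -A INPUT -p tcp -i eth0 --dport 1194 -j ACCEPT"
RULE_UDP = "/sbin/iptables -A INPUT -p udp -i eth0 --dport 1194 -j ACCEPT"


def parse_openvpn_conf(text):
    """Simplified reading of an OpenVPN config: {directive: [[args], ...]},
    keeping every occurrence (push can repeat) and dropping # and ; comment
    lines as well as trailing # comments. Not OpenVPN's own parser."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)   # honours "quoted args", cuts at #
        if parts:
            conf[parts[0]].append(parts[1:])
    return conf


def listen_endpoint(conf):
    """(proto, port) the server listens on, with OpenVPN's defaults applied."""
    proto = conf.get("proto", [["udp"]])[-1][0]
    port = conf.get("port", [["1194"]])[-1][0]
    proto = proto.split("-")[0].rstrip("46")   # tcp-server, udp6, ... -> tcp, udp
    return proto, port


def parse_iptables_rule(line):
    """Pick the fields we care about out of an iptables command line."""
    toks = shlex.split(line)
    flags = {"-A": "chain", "-p": "proto", "--protocol": "proto",
             "--dport": "dport", "-j": "target", "-i": "iface"}
    rule = {}
    for i, tok in enumerate(toks):
        if tok in flags and i + 1 < len(toks):
            rule[flags[tok]] = toks[i + 1]
    return rule


def firewall_admits_vpn(conf_text, iptables_lines):
    """(True, matching rule) when some INPUT ACCEPT rule covers the proto/port
    from server.conf, otherwise (False, what is missing)."""
    proto, port = listen_endpoint(parse_openvpn_conf(conf_text))
    for line in iptables_lines:
        r = parse_iptables_rule(line)
        if (r.get("chain") == "INPUT" and r.get("target") == "ACCEPT"
                and r.get("dport") == port and r.get("proto") == proto):
            return True, line
    return False, f"no INPUT ACCEPT rule for {proto}/{port}"


if __name__ == "__main__":
    for rules in ([RULE_TCP], [RULE_UDP]):
        ok, detail = firewall_admits_vpn(SERVER_CONF, rules)
        print("ok" if ok else "MISMATCH", "-", detail)
```

Feed it the real /etc/openvpn/server.conf and the rules from your firewall script; if it reports a mismatch after a proto change (for example moving to tcp-server on 443 to get through a restrictive network), the firewall rule has to change with it.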
The section below is not required; with the above configuration you already have a fully running OpenVPN server.

This will enable all client traffic except DNS queries to be forwarded through the VPN. To forward DNS traffic through the VPN you will need to install the dnsmasq package and modify the /etc/openvpn/server.conf file. Begin by issuing the following command:
apt-get install dnsmasq
After completing the installation the configuration will need to be modified so that dnsmasq is not listening on a public interface. You will need to find the following lines in the configuration file and make sure the lines are uncommented and have the appropriate values:
File excerpt:/etc/dnsmasq.conf
listen-address=127.0.0.1,10.8.0.1

bind-interfaces
This will configure dnsmasq to listen on localhost and the gateway IP address of your OpenVPN's tun device.
When your system boots, dnsmasq will try to start prior to the OpenVPN tun device being enabled. This will cause dnsmasq to fail at boot. To ensure that dnsmasq is properly started at boot, you'll need to modify your /etc/rc.local file once again. By adding the following line, dnsmasq will start after all the init scripts have finished. You should place the restart command below your iptables rules:
File excerpt:/etc/rc.local
/etc/init.d/dnsmasq restart

exit 0
Add the following directive to the /etc/openvpn/server.conf file:
File excerpt:/etc/openvpn/server.conf
push "dhcp-option DNS 10.8.0.1"
Finally, before attempting to connect to the VPN in any configuration, restart the OpenVPN server and dnsmasq by issuing the following commands:
/etc/init.d/openvpn restart
/etc/init.d/dnsmasq restart

Wednesday, July 11, 2012

Disable IPtables in Debian

How to stop iptables in Debian.

Use the script or command below to flush the iptables rules.

  • update-rc.d -f iptables remove
OR

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Tuesday, July 10, 2012

SSH Without Password

You want to use Linux and OpenSSH to automate your tasks. Therefore you need an automatic login from host A / user a to host B / user b. You don't want to enter any passwords.

How to do it

First log in on A as user a and generate a pair of authentication keys. Do not enter a passphrase:
a@A:~> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/a/.ssh/id_rsa): 
Created directory '/home/a/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/a/.ssh/id_rsa.
Your public key has been saved in /home/a/.ssh/id_rsa.pub.
The key fingerprint is:
3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4 a@A

Now use ssh to create a directory ~/.ssh as user b on B. (The directory may already exist, which is fine):
a@A:~> ssh b@B mkdir -p .ssh
b@B's password: 

Finally append a's new public key to b@B:.ssh/authorized_keys and enter b's password one last time:
a@A:~> cat .ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys'
b@B's password: 

From now on you can log into B as b from A as a without password:
a@A:~> ssh b@B hostname
B

Source:http://www.linuxproblem.org/art_9.html

Monday, June 25, 2012

SSL renegotiation enabled - Mozilla Firefox


When you try to access a site  that has SSL renegotiation enabled, you get the following error:
Renegotiation is not allowed on this SSL socket.
(Error code: ssl_error_renegotiation_not_allowed)
To enable SSL renegotiation you need to point your browser to about:config. After confirming that you know what you are doing, you need to search for:
security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref
and set it to true. After this you should be able to access the site.

Friday, June 22, 2012

Shell script for Archive and remove old files.


cd /var/spool

ls -l | grep ^d | awk '{print $NF}' | while read folder
# if the find command supports the -maxdepth option:
# find . -maxdepth 1 -type d | while read folder
do
  mkdir -p /backup/spool/$folder
  # move only regular files older than 15 days (without -type f, find could match the folder itself)
  find $folder -type f -mtime +15 -exec mv {} /backup/spool/$folder \;
  cd /backup/spool
  # gzip-compressed tar, so name it .tar.gz rather than .zip
  tar -cvzf "$folder-`date '+%Y-%m-%d'`.tar.gz" $folder
  # The commented line below keeps a copy of the archives elsewhere if needed.
  # mv $folder*.tar.gz /dump_restore/spool/
  # the files are now in the archive, so clear the staging folder
  cd /backup/spool/$folder/
  rm *
  cd /var/spool
done

Archiving Old files to one tar ball


cd /var/spool
find . -mtime +15 -type f  > /tmp/filelist
tar --create --gzip --files-from /tmp/filelist --file /dump_restore/spool/repository-`date +%Y%m%d`.tar.gz
find . -mtime +15 -type f -exec rm {} \;


Monday, June 18, 2012

Apache restrict access based on IP address

Apache web server can restrict access to selected directories based on IP address; access can be allowed based upon various conditions. For example, you want to restrict access to the URL http://sashika.suren.lk (mapped to the /var/www/sashika directory) to the 192.168.1.0/24 network (within the intranet).

 Apache provides access control based on client hostname, IP address, or other characteristics of the client request using the mod_access module.

 Open your httpd.conf file:
 # vi /etc/httpd/conf/httpd.conf

 Locate the directory section (for example /var/www/sashika) and set it as follows:


<Directory /var/www/sashika/>
Order allow,deny
Allow from 192.168.1.0/24
Allow from 127
</Directory>

 
Order allow,deny: The Order directive controls the default access state and the order in which Allow and Deny directives are evaluated. With (allow,deny) the Allow directives are evaluated before the Deny directives. Access is denied by default. Any client which does not match an Allow directive or does match a Deny directive will be denied access to the server.

Allow from 192.168.1.0/24: The Allow directive affects which hosts can access an area of the server (i.e. /var/www/sashika/). Access is only allowed from the network 192.168.1.0/24 and localhost (127.0.0.1).
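Since getting Order wrong is the classic way to open a directory to the whole internet, here is an added Python model of how mod_access evaluates Order, Allow and Deny. It is my own example, not code from the article or from Apache: it parses a Directory block like the one above and decides a client IP, including the partial-address form "127" and the IP/netmask form, and its usage shows why Order deny,allow with only Allow lines admits everyone.

```python
import ipaddress

# Constructed copy of the Directory block from the post.
DIRECTORY_BLOCK = """\
<Directory /var/www/sashika/>
Order allow,deny
Allow from 192.168.1.0/24
Allow from 127
</Directory>
"""


def host_matches(client_ip, spec):
    """Does one Allow/Deny host spec match the client? Supports "all", a full
    IP, CIDR or IP/netmask, and a partial dotted quad such as "127" or "10.1".
    Hostname specs would need DNS, so they are refused here."""
    spec = spec.lower()
    if spec == "all":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if all(o.isdigit() for o in octets):
        if len(octets) == 4:
            return addr == ipaddress.ip_address(spec)
        # partial quad: the leading octets must match exactly ("127" != "12")
        return str(addr).split(".")[:len(octets)] == octets
    raise ValueError(f"hostname specs are not evaluated offline: {spec}")


def parse_access(block_text):
    """Read Order / Allow from / Deny from out of a <Directory> block."""
    order, allows, denies = "deny,allow", [], []     # deny,allow is Apache's default
    for line in block_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("#", "<")):
            continue
        key = parts[0].lower()
        if key == "order":
            order = parts[1].lower()
        elif key in ("allow", "deny") and parts[1].lower() == "from":
            (allows if key == "allow" else denies).extend(parts[2:])
    return order, allows, denies


def access_allowed(client_ip, order, allows, denies):
    """mod_access decision for one client."""
    allowed = any(host_matches(client_ip, s) for s in allows)
    denied = any(host_matches(client_ip, s) for s in denies)
    if order == "allow,deny":          # default deny: needs an Allow and no Deny
        return allowed and not denied
    if order == "deny,allow":          # default allow: a Deny unless an Allow overrides it
        return allowed or not denied
    if order == "mutual-failure":      # must be on Allow and not on Deny
        return allowed and not denied
    raise ValueError(f"unknown Order: {order}")


def decide(block_text, client_ip):
    order, allows, denies = parse_access(block_text)
    return access_allowed(client_ip, order, allows, denies)


if __name__ == "__main__":
    for ip in ("192.168.1.37", "127.0.0.1", "192.168.2.1", "203.0.113.5"):
        print(ip, "->", "allowed" if decide(DIRECTORY_BLOCK, ip) else "denied")
    # The pitfall: the same Allow line under Order deny,allow lets an outside client in.
    print("deny,allow with only Allow lines, outside client ->",
          access_allowed("203.0.113.5", "deny,allow", ["192.168.1.0/24"], []))
```

The block above gives the intranet and localhost access and denies everyone else; the same Allow lines under Order deny,allow would admit every client because that order's default is allow, which is why the post's choice of allow,deny matters.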

Mail sending with one command without using telnet command

echo test | mailx -v -s "test" root

This tests in one command everything you would otherwise test step by step over telnet. Excellent command. The nail command can be used to attach any file and send it to users.

File upload script using expect

#!/usr/bin/expect
# Push the local backup directory to the remote host with rsync over ssh,
# answering the password prompt automatically.
spawn rsync -avzh -e ssh /root/backup-mail root@192.168.1.1:/root/backup/
set pass "123456"
expect {
    password: {send "$pass\r"; exp_continue}
}

Error: Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding Try accessing the router by IP address instead of by hostname.

Solution: Move the WebGUI to an alternate port (Not 80 or 443) and check "Disable webConfigurator redirect rule" under System > Advanced.


 After the configuration change, the DNS Rebind Check should be disabled and Browser HTTP_REFERER enforcement disabled as well.

Linux server backup Script


#!/bin/bash
# Copy selected config files and directories into /root/backup for safekeeping.

# backup_file <file> <dest_dir>: copy one file, creating <dest_dir> if needed.
backup_file() {
    local filename=$1 path=$2
    if [ ! -f "${filename}" ]; then
        echo "File not found: ${filename}"
        return 1
    fi
    [ -d "${path}" ] || mkdir -p "${path}"
    cp -f "${filename}" "${path}"    # -f overwrites an older copy without prompting
}

# backup_tree <dir> <dest_dir>: copy everything under <dir> recursively, preserving permissions.
backup_tree() {
    local src=$1 path=$2
    [ -d "${path}" ] || mkdir -p "${path}"
    cp -Rpf "${src}"/* "${path}"
}

backup_file /root/fwr.sh            /root/backup/
backup_file /etc/rc.local           /root/backup/
backup_file /etc/resolv.conf        /root/backup/
backup_file /etc/hosts              /root/backup/
backup_file /etc/sysconfig/network  /root/backup/

backup_tree /etc/sysconfig/network-scripts /root/backup/network-scripts
backup_tree /etc/squid                     /root/backup/squid
backup_tree /etc/mail                      /root/backup/mail
backup_tree /var/qmail                     /root/backup/qmail

Unable to determine enabled services from ldap - Zimbra


You may suddenly face an error with the network services in Zimbra.
To check whether it is this issue or something else, try:
# su zimbra
$ zmcontrol status
You may find that a couple of services are not running; try restarting them:
$ zmcontrol restart
Now you may get the same error stating "unable to determine enabled services from LDAP".
:) Congratulations! Your default 365-day SSL certificate has expired. So simple :) you have to renew the certificate.
Steps to follow :
1) First stop all services of Zimbra
su - zimbra -c 'zmcontrol stop'
2) Delete all certificate related files in Zimbra
rm -rf /opt/zimbra/ssl/*
rm -rf /opt/zimbra/ssl/.rnd
3) Delete all keys related to existing certificate
/opt/zimbra/java/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
/opt/zimbra/java/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password'`
(take care with the quotes and backticks)
4) Edit certificate parameter
vi /opt/zimbra/bin/zmcertmgr
# Find line
# SUBJECT="/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=${zimbra_server_hostname}"
# and change it to your company name
SUBJECT="/C=US/ST=N\/A/L=N\/A/O=xxxxxxxxxxx/OU=xxxxxxxxxxx/CN=${zimbra_server_hostname}"
# then find validation_days=365 and change it to the validity you want, e.g. validation_days=3650
# save /opt/zimbra/bin/zmcertmgr
5) Create and deploy new self sign certificates
/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr deployca -localonly
/opt/zimbra/bin/zmcertmgr createcrt self -new
/opt/zimbra/bin/zmcertmgr deploycrt self
su - zimbra -c 'zmcontrol start'
/opt/zimbra/bin/zmcertmgr deploycrt self
/opt/zimbra/bin/zmcertmgr deployca
su - zimbra -c 'zmupdateauthkeys'
/opt/zimbra/bin/zmcertmgr viewdeployedcrt


Now you can enjoy Zimbra without any certificate issues for the next 10 years.
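An added check, not part of the original post: a shell function that reads the notAfter date of a PEM certificate with openssl and reports the days left, so an expiring certificate (Zimbra's default one lasts 365 days) is noticed before services start failing. The certificate path and the 30-day warning threshold are assumptions.

```shell
#!/bin/bash
# cert_days_left <cert.pem>: print the whole days remaining until the certificate expires.
# Returns 2 if the file cannot be read or parsed as an X.509 certificate.
cert_days_left() {
    local cert=$1
    local enddate end_ts now_ts
    enddate=$(openssl x509 -noout -enddate -in "$cert" 2>/dev/null) || return 2
    enddate=${enddate#notAfter=}            # strip the "notAfter=" prefix openssl prints
    end_ts=$(date -d "$enddate" +%s) || return 2   # GNU date parses "Jan  1 00:00:00 2030 GMT"
    now_ts=$(date +%s)
    echo $(( (end_ts - now_ts) / 86400 ))
}

# cert_check <cert.pem> [threshold_days]: exit 0 if enough validity remains,
# 1 with a warning on stderr when fewer than threshold days (default 30, an assumed value) are left,
# 2 if the certificate could not be read.
cert_check() {
    local days
    days=$(cert_days_left "$1") || return 2
    if [ "$days" -lt "${2:-30}" ]; then
        echo "WARNING: $1 expires in $days days" >&2
        return 1
    fi
    return 0
}
```

Run it from cron against the deployed server certificate so the renewal above happens on your schedule, not after the outage.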