Etikettarkiv: linux

Setting up MSMTP for Protonmail

2024-07-1 Ichimusai

This is the config that worked for me.

First generate an SMTP token and a separate address for the system to use within Protonmail, otherwise this is not going to work without installing mail-bridge or something similar.

This will be special@domain.com

MSMTP Configuration file

Configuration file is /etc/msmtprc
File owner should be root:msmtp
File permissions 0660

defaults
tls on

account default
  host smtp.protonmail.ch
  port 587
  from special@domain.org
  set_from_header on
  auth on
  user special@domain.org
  password SMTP_TOKEN_GOES_HERE
  auth plain

Installation

Install the following components:

sudo apt install msmtp msmtp-mta mailutils bsd-mailx

Configuration

Edit the configuration file for mail /etc/mail.rc and add the following line to it:

set mta=/usr/bin/msmtp

You may also set up aliases if you like in the file /etc/aliases where you can add lines such as:

root: master@domain.org
caroline: caroline@example.com
defaul: admin@domain.org

English

Ubuntu Login-Notify

2024-06-30 Ichimusai

This is a useful hack for VPS servers to send an email as a login-notify to an email address.

Prerequisites

You need to have a working mail subsystem on your host so that the mail command works.

This works with Ubuntu 22.04 and later versions.

Modify PAM to notify on login

Open the file /etc/pam.d/common-session and at the bottom add the following line:

session optional pam_exec.so /root/script/login-notify

Login-Notify script

Create the following script in /root/script/login-notify

#!/bin/bash                                                                                
                                                                                           
#                                                                                          
# This script is run by PAM from /etc/pam.d/common-session by adding the following         
# line to the bottom of the configuration file:                                            
#                                                                                          
# session optional pam_exec.so /root/script/login-notify                                   
#                                                                                          
# Make sure the script is executeable                                                      
#                                                                                          
# ichi@ichimusai.org                                                                       
# Revision 1.0.0                                                                           
#                                                                                          
                                                                                           
                                                                                           
[ "$PAM_TYPE" = "open_session" ] || exit 0                                                 
{                                                                                          
    echo "User:    $PAM_USER"                                                              
    echo "Ruser:   $PAM_RUSER"                                                             
    echo "Rhost:   $PAM_RHOST"                                                             
    echo "Service: $PAM_SERVICE"                                                           
    echo "TTY:     $PAM_TTY"                                                               
    echo "Date:    `date +"%y%m%d-%H%M%S"`"                                                
    echo "Server:  `hostname -s`"                                                          
} | mail -s "[`hostname -s`] $PAM_SERVICE login: $PAM_USER" anders@sikvall.se &

This script will now be executed upon login and should send an email to the recipient with login matters.

English

Show IP on console of linux servers

2023-04-26 Ichimusai

It’s quite easy, what you want to do is edit the file /etc/issue and use the special command \4 for the IPv4 address and \6 for the IPv6 address.

If you want you can also specify a specific NIC by using it like \4{enp0s3} for example.

Now everytime you boot, logout from the console etc it will shop the IP address of the server.

English

Fix ”mosh” locale

2022-11-7 Ichimusai

When logging in with mobile shell (mosh) sometimes in Ubuntu the locales will mismatch. This is easily fixed by using the following two commands:

# locale-gen "en_US.UTF-8"
# update-locale LC_ALL="en_US.UTF-8"

Substitute the locale for the one you wish to use in both places and then run this. For Swedish locale use sv_SE.UTF-8 as an example.

English

Bind caps lock to something useful

2020-04-10 Ichimusai

Making the stupid caps lock into something useful is simple. Bind the COMPOSE function to it and have great time writing special characters.

Edit the file /etc/default/keyboard

Find the line for XKBOPTIONS and edit that to read

XKBOPTIONS="compose:caps"

Reboot your system and be happy.

English

Sleep resume in Ubuntu screws up mouse pad

2019-04-14 Ichimusai

I found that my Lenovo laptops did not always get the mousepad right when coming out of sleep or hibernate. After a bit of research I found that a modprobe remove and insert of the psmouse kernel module did the trick.

To automatize this you can insert a file in the systemd control structure to fix the problem yourself (if you are experiencing it). Below is a block of code. Save this to a file in /lib/systemd/system-sleep/touchpad

#!/bin/sh

PATH=/sbin:/usr/sbin:/bin:/usr/bin

case "$1" in
    pre)
    #code execution BEFORE sleeping/hibernating/suspending
    # unload touchpad driver
	/usr/sbin/modprobe -r psmouse
    ;;
    post)
    #code execution AFTER resuming
    # reload touchpad driver
	/usr/sbin/modprobe psmouse
    ;;
esac

exit 0

English

Borg Backup

2017-02-1 Ichimusai

The Borg

A very useful utility is the Borg Backup system, or just Borg. It’s a deduplicating backup system meaning that is scans the files and when it finds data that is already in the backup the data in the second and all other subsequent files are replaced with a reference to the first instance of that data.

The idea is that the same data is only stored once. All the backups you take after the initial one stores only the differences and the new data that has been accumulated since the last backup. This means that backing up after the initial backup is done is very fast, efficient, saves bandwidth and storage space.

Traditional backups have usually a full backup every month and then they take increments daily or so. If you need to restore a file you need to take the latest full backup, then apply each increment that was taken after. With the borg backup that is not necessary as you can view the file system exactly as it looked upon each and every backup point taken.

In fact you can mount the whole backup as a file system and then traverse it from there. It’s very effective. So let’s get started because face it, you don’t back up as much as you should do!

Borg can be used for multiple platforms but my commands here will be for linux.

The first step is to create a repository, this may sit on a different machine, NAS, attached USB drive or even on the same machine, of course you want multiple backups really so you can take the borg backup locally and then rsync it to as many locations as you feel is necessary.

Take the backup

The first step is to create the dir of the the backup repo and then we need to initialize it for being used with borg. This is quite simply done as:

$ sudo mkdir /bup
$ sudo borg init /bup

When the repository has thus been created it is time for the first initial backup. The format should be clear in a bit, it’s not complicated and can look like this:

$ sudo borg create --progress --info --stats /bup::lenovo-170202_163423 /home /root /boot /etc /var

The command above should be a single line. The first thing we give to borg is the command, in this case it is create to create a new backup set for us. Then we have some flags, –progress shows a progress indicator while borg is working that details also the number of bytes being read, backed, compressed and deduplicated. The next –info sets the information level borg presents to us and –stats lets borg summarize the operation with some statistics.

The next part of the command the /bup::lenovo-170202_163423 specifies the backup location and backup name. The name is given after the double colon :: mark. In this case its composed of the date yymmdd and time hhmmss of when the backup is started, doing that makes it easy to find the right set of data later when a restore is needed.

Why did I prefix it with lenovo? Well my main linux laptop is a lenovo and I also have other computers, like an ASUS laptop etc. The beauty with deduplicating backups is that I backup multiple machines to the same repo. By doing that it will deduplicate across the machines and if I have the same files and data in multiple places it will just be replaced by references to the data that is already in the backup.

The final part of the command is just all paths I want to include in this backup. They can vary from time to time. I might backup /home daily but /root only once a week if I want. No problem at all with borg.

Restoring a backup

No system of backup is actually deployed before you have attempted and successfully retrieved data from it so that you know what to do in an emergency as well as being able to extract old data mistakenly erased or restore a full system after a hard drive crash.

Restoring a borg backup works a little different from what you may be used to. First of all you can of course extract the data fully or just single files if you know their paths just like with any other backup system. The restore command is called extract in borg.

$ sudo borg extract /bup::lenovo-170202_163423

This will extract the entire archive and then you can move the files into their respective locations. You can also extract for example only the etc folder from the archive:

$ sudo borg extract /bup::lenovo-170202_163423 etc

Extraction always writes in the current working directory. Therefore you should first extract then move the files into their correct location in your file system or if all the backups are taken from the root of the file system / then you can cd there before extracting but I recommend extracting on a different volume first and then restoring from there. The reason is that there is usually a lot of stuff in a backup that you may not always want to restore.

Mounting the backup as a file system

So borg actually offers another way also. You can mount the backup as a volume, or you can mount the whole repo and see all the backup points made, select which one you want and then just copy the files from there to the live system.

$ sudo borg mount /bup::lenovo-170202_163423 /mnt

This will mount the backup lenovo-170202_163423 in the file system at /mnt. You can then cd to /mnt and then use cp etc to copy the files to their right places.

When done you can dismount it (otherwise other processes can’t backup, the repo is locked while mounted)

$ sudo umount /mnt

Borg uses fuserfs to mount local directories.

You may also mount the whole repository:

$ sudo borg mount /bup /mnt

Now when you go into the /mnt folder you will see all your backup names as directories:

$ ls
161204_040001 170101_203409 170113_040001 170117_040001 170121_040001 170125_010344 170128_030332
161206_040001 170108_040001 170114_040001 170118_040001 170122_214910 170125_040001 170128_040001
161218_174848 170111_040001 170115_040002 170119_040001 170123_040001 170126_040001 170129_040001
161225_040001 170112_040001 170116_040001 170120_040001 170124_040002 170127_040001 170201_082851

As you can see I generally name my backups with YYMMDD_HHMMSS just so it’s easy for me to find a specific date.

I can then cd to one of them

$ cd 170112_040001
$ ls
boot etc home root var vmlinuz vmlinuz.old

When done, don’t forget to unmount the archive as no new backups can be taken while it is mounted.

There you go. Start using.

English

More effective CIDR-blocking

2017-01-31 Ichimusai

Previously we have talked about how to block certain addresses using the firewall in Linux (iptables) but if you have a large number of CIDR blocks, say whole countries like China (about 7000 blocks) this will not be keen on the CPU in the server.

Especially the script that inserts it by repeatedly calling iptables. The first few hundred calls will be quit but then is slows down as the kernel won’t process so many insertions in the iptables lists.

There is another way that is just as effective called blackholing the ip ranges you wish to block from your server. This is done by adding routes for those packest that leads nowhere.

# ip route add blackhole <ip address>

This works quite beautifully with tens of thousands of addresses of course. As before we should read the CIDR files we want in order to create the null routes that is needed.

Here is a script that will read a directory of CIDR files and null route all of them.

for f in /etc/iptables/hosts-banned/*
do
    LINES=$(wc -l $f | awk '{print $1}')
    echo -n "Processing k-line file $f with $LINES blocks... "
    date +"%H:%M:%S"
    while read p
    do
        ip route add blackhole $p
    done < $f
done

The CIDR files in this case resides in /etc/iptables/hosts-banned/ an they can be gotten from online or you may add any address ranges you want, perhaps based on automatic firewalling.

To remove a certain blacholed range or ip you can do the same thing again changin the ip route add to an ip route del command instead.

ip route del <ip address>

You can produce a script that removes them by doing the following:

ip route | grep blackhoe | awk '{ print "ip route del " $2 }' >unblock
chmod 700 unblock
./unblock

That’s it, they are all now cleared.

English

Ubuntu persistent network interface names

2016-12-11 Ichimusai

In Ubuntu 16.x the systemd is used more than in the previous versions. This also means it is now responsible for setting up your network cards. Many people have been sort of surprised that their eth0 have changed to something like enp0s25. This is of course an improvement from before, there was no real telling in which order NICs would be assigned names so potentially a hardware change could offset eth0 and eth1 and so on.

The new way is actually not too bad but if you like me do a lot of manual configurations on the fly to the network interfaces their names can be tedious to type and also remember. But of course there is a rather simple mechanism to change this so you can select your own names for the interfaces such as lan0 and dmz1 or why not wifi plain and simple if there is never to be any more than one wifi card in the computer.

This is a step-by step guide that was tested under Ubuntu 16.10 and worked for me. Please leave your comments if you have problems, improvements or any such things to add.

Getting the names

First of all we need to find out what the names of the NICs we have in the system actually are. Here is a dump from my laptop using the ifconfig command to list all interfaces:

root@kraken:~# ifconfig -a
enp0s25: flags=4098<BROADCAST,MULTICAST> mtu 1500
 ether f0:de:f1:8d:89:fe txqueuelen 1000 (Ethernet)
 RX packets 0 bytes 0 (0.0 B)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 0 bytes 0 (0.0 B)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
 device interrupt 20 memory 0xf2a00000-f2a20000

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
 inet 127.0.0.1 netmask 255.0.0.0
 inet6 ::1 prefixlen 128 scopeid 0x10<host>
 loop txqueuelen 1 (Local Loopback)
 RX packets 3143 bytes 204307 (204.3 KB)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 3143 bytes 204307 (204.3 KB)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 192.168.1.3 netmask 255.255.255.0 broadcast 192.168.1.255
 inet6 fe80::846f:cc3d:2984:d240 prefixlen 64 scopeid 0x20<link>
 ether 00:24:d7:f0:a3:a4 txqueuelen 1000 (Ethernet)
 RX packets 4600 bytes 5069857 (5.0 MB)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 3348 bytes 592050 (592.0 KB)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wwp0s29u1u4i6: flags=4098<BROADCAST,MULTICAST> mtu 1500
 ether 02:80:37:ec:02:00 txqueuelen 1000 (Ethernet)
 RX packets 0 bytes 0 (0.0 B)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 0 bytes 0 (0.0 B)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

We are looking for two things in the above, the MAC address and the name of the network interface card we want to rename. The NICs we have here are named after the type of card, the bus it is attached to etc. What used to be called eth0 is now referred to as enp0s25 and wlan0 is wlp3s0 and there is also a WAN card in the machine called wwp0s29u1u4i6 which definitely is a mouthful.

Okay, so we would like to rename these to more sensible names. First we pick the names such as eth0, wlan0, wan0 etc. Then we note down the MAC address of each card. You find this highlighted in red in the above dump next to the keywork ”ether”. Once we have that we can tell the systemd to rename the cards in the way we want. By connecting the name to the MAC address it should also be persistent and not affected by inserting a new card into the computer system.

In directory /etc/systemd/network we will create the following files:

root@kraken:/etc/systemd/network# ll
 total 20
 drwxr-xr-x 2 root root 4096 Dec 11 04:28 ./
 drwxr-xr-x 5 root root 4096 Nov 24 15:03 ../
 -rw-r--r-- 1 root root 55 Dec 6 23:44 01-eth0.link
 -rw-r--r-- 1 root root 56 Dec 6 23:39 02-wifi.link
 -rw-r--r-- 1 root root 55 Dec 6 23:40 03-wan.link

These link files can be used to match a device and then change its parameters. So they consists of a matching section and then a link section. The first one called 01-eth0.link contains the following lines:

[Match]
  MACAddress=f0:de:f1:8d:89:fe

[Link]
  Name=eth0

We can then create the other ones in the same way. When we are done with that we need to do two things. First we need to update the initial ram file system in boot because some of these may already be up during boot time (such as eth0). This is done with the following command:

root@kraken:/etc/systemd/network# update-initramfs -u
 update-initramfs: Generating /boot/initrd.img-4.8.0-30-generic
 W: Possible missing firmware /lib/firmware/i915/kbl_guc_ver9_14.bin for module i915
 W: Possible missing firmware /lib/firmware/i915/bxt_guc_ver8_7.bin for module i915
 W: mdadm: /etc/mdadm/mdadm.conf defines no arrays.

Once we have done this we can reboot our computer.

When up again we can check the network names again:

anders@kraken:~$ ifconfig -a
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
 ether f0:de:f1:8d:89:fe txqueuelen 1000 (Ethernet)
 RX packets 0 bytes 0 (0.0 B)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 0 bytes 0 (0.0 B)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
 device interrupt 20 memory 0xf2a00000-f2a20000

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
 inet 127.0.0.1 netmask 255.0.0.0
 inet6 ::1 prefixlen 128 scopeid 0x10<host>
 loop txqueuelen 1 (Local Loopback)
 RX packets 1732 bytes 110296 (110.2 KB)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 1732 bytes 110296 (110.2 KB)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wan0: flags=4098<BROADCAST,MULTICAST> mtu 1500
 ether 02:80:37:ec:02:00 txqueuelen 1000 (Ethernet)
 RX packets 0 bytes 0 (0.0 B)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 0 bytes 0 (0.0 B)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 192.168.1.3 netmask 255.255.255.0 broadcast 192.168.1.255
 inet6 fe80::1ed7:d5ac:433d:70c5 prefixlen 64 scopeid 0x20<link>
 ether 00:24:d7:f0:a3:a4 txqueuelen 1000 (Ethernet)
 RX packets 93 bytes 71048 (71.0 KB)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 137 bytes 18113 (18.1 KB)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

As you can see we now have eth0, wlan0 and wan0 instead of the default names. So if you like me work from the command line mainly you will be happy that ifconfig eth0 now works just like it did before the systemd entered the scene and if you have firewall scripts you can of course rename your interface to something that is useful to you such as lan, wan and dmz or whatever makes sense.

English

Creating a SSH chroot jail

2015-04-4 Ichimusai

So you need to create a place where you can let people in to dump their files using ssh but you do not want them to be poking around in your machine?

Unix is by its own a very open system. You can cd around in most places and looka at what is installed where, even read a lot of the configuration files in /etc and what not. Also by default in many systems you are allowed to peek into other users home directories even if you can’t change something you can get a lot of info from them and even cp the whole thing. Unless they’ve changed permissions.

This is written for Ubuntu by the way, but most modern Linuxen would work very similar to this and SSH is pretty standard so is most of the other things in here. If you have any problems you can let me know in the comment section.

Let’s say you have a friend who wants to put his backups on your machine and you want to put yours on his but you don’t want him to see what else you have on there. You need to create a chrooted environment for the guy when he logs on.

Here is how you do this.

First of all you need to decide where to place your ”jail”. The jail is the root in the chrooted environment, we will refer to this as a jail throughout this article. The jail can be put in /var/jail or somewhere similar perhaps you prefer /mnt/jail and mount it on a separate volume alltogether or why not make use of /opt/jail. Whatever you decide is fine.

You need to create your jail and a few other top level directories first. Let’s first gain root privileges:

$ sudo bash

Now create a directory structure

# cd /var
# mkdir -p jail/{dev,bin,home,etc,lib}
# chown -R root:root jail

Next step is to creat the /dev/null file as this is needed by many things…

# mknod -m 666 /var/jail/dev/null c 1 3

Next step is to copy some needed files from /etc into the jailed etc:

# cd /var/jail/etc
# cp /etc/ld.so.cache .
# cp /etc/ld.so.conf .
# cp /etc/nsswitch.conf .
# cp /etc/hosts .

You can not link to the /etc real files because they would loop when you actually chroot… so that won’t work.

It’s now time to give the guys something to do in the jail. You need to add bash as a minimum at least. Whatever else you want to add also is okay, but don’t add too many commands. We will add the following commands: bash, rsync, ls, less, gzip, bzip2.

# cd /var/jail/bin
# cp /bin/{bash,ls,gzip,bzip2} .
# cp /usr/bin {rsync,less} .

Now you need to get your libraries over to the lib in the chroot. You can either figure out one by one which are needed by using the ldd command on each of our commands in the bin directory but that takes far too long. Let’s just throw them in there:

# cp -r /lib/* /var/jail/lib/

Create the chrooted user in the system: (In all the following [username] means the actual user name you want to add to the system. Your first one is probably a test user.)

# adduser -b /var/jail/home [username]

Then create his home dir:

# mkdir /var/jail/home/[username]
# chown -R username:username /var/jail/home/[username]
# chmod 700 /var/jail/home/[username]

When all this is done you need to tell SSH to put the user in jail when he logs on to your system. This is done by adding the following at the END OF THE FILE /etc/ssh/sshd_config:

Match User [username]
        chrootdirectory /var/jail/
        X11Forwarding no
        AllowTcpForwarding no
        AuthorizedKeysFile /var/jail/home/%u/.ssh/authorized_keys

That last part, the AuthorizedKeysFile is not needed if you do password logins, but if you want to be able to do rsa/dsa key logins with SSH you need to put that line in there, otherwise SSH will look for the keys in the wrong place!

If you are addin SSH keys also, you should do the following:

# cd /var/jail/home/[username]
# mkdir .ssh
# chown [username]:[username] .ssh
# chmod 700 .ssh

Then put the authorized_keys in there and chown it to the username and chmod it to 600 and it should work out of the box.

MSMTP Configuration file

Installation

Configuration

Prerequisites

Modify PAM to notify on login

Login-Notify script

The Borg

Take the backup

Restoring a backup

Mounting the backup as a file system

Photos and other rants