Decrypt SMIME E-Mails – BlackBerry/iPhone

I, and most everyone I deal with, use SMIME e-mail certificates from Verisign/Thawte/Home Brew. Unfortunately, these e-mails cannot be viewed on a BlackBerry (without BES) or an iPhone.

I overcame this by creating an alias on my server that would receive e-mails, decrypt them, and send them back to me -> UNENCRYPTED.

[NOTE: If you are reading this and clean up my technique, please email me your updates! admin -at- tediosity.com]

1. Install openssl on your server

2. Export your key and cert from your desktop machine in PFX format and upload it to your server.

3. Run this command on your cert:
openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes

The output of the above will be your key and cert in one file (mycert.pem). Split mycert.pem into two separate files, named key and cert, and place both files in /usr/decrypt.

4. Download this Python script: http://phd.pp.ru/Software/Python/extract_mime.tgz
Put the extracted file in: /usr/decrypt

5. Use this wrapper [name: extract_mime] and place it in /usr/decrypt
———————
#!/bin/sh

# work from the decrypt directory
if ! cd /usr/decrypt/; then
    echo "Cannot cd to work dir"
    exit 1
fi

TMPFILE="_mail_tmp.$$"
rm -rf "$TMPFILE" # to be on safe side

# get message from sendmail (piped in on stdin by the alias)
cat - > "$TMPFILE"

# parse message
/usr/decrypt/extract_mime.py "/usr/decrypt/$TMPFILE" >>log 2>>err

# clean up
rm -rf "$TMPFILE"
————–

6. [ASSUMES SENDMAIL IS YOUR MTA] Edit your aliases file and add:
decrypt: "| /usr/decrypt/extract_mime"

7. Run this script from cron every 5 minutes:

/usr/decrypt/check.sh
———–
#!/bin/sh
# if an extracted S/MIME attachment is waiting, decrypt it and mail the plaintext
if [ -f /usr/decrypt/smime.p7m ]; then
    /usr/local/bin/openssl smime -decrypt -binary -inform DER -in /usr/decrypt/smime.p7m -inkey /usr/decrypt/key -recip /usr/decrypt/cert | mail -s "Your unencrypted e-mail" youremail@yourdomain.com
    rm /usr/decrypt/smime.p7m
else
    exit
fi
————-
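
Step 3 leaves the key/cert split as a manual edit. One way to script it, as an added example that is not part of the original write-up: split_pem and make_sample are hypothetical helper names, the sample bundle is constructed placeholder text, and the first certificate in the bundle is assumed to be your own.

```shell
#!/bin/sh
# split_pem BUNDLE OUTDIR (hypothetical helper): write OUTDIR/key (first
# private key block) and OUTDIR/cert (first certificate block), dropping the
# "Bag Attributes" text. Assumption: the first certificate is your own.
split_pem() {
    bundle=$1 outdir=$2
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    old_umask=$(umask)
    umask 077   # -nodes left the key unencrypted: owner-only files
    rm -f "$outdir/key" "$outdir/cert"
    awk '/^-----BEGIN .*PRIVATE KEY-----/ && !seen { on = 1 }
         on { print }
         /^-----END .*PRIVATE KEY-----/ && on { on = 0; seen = 1 }' \
        "$bundle" > "$outdir/key"
    awk '/^-----BEGIN CERTIFICATE-----/ && !seen { on = 1 }
         on { print }
         /^-----END CERTIFICATE-----/ && on { on = 0; seen = 1 }' \
        "$bundle" > "$outdir/cert"
    umask "$old_umask"
    # A bundle missing either part is an error; leave no empty files behind.
    if [ ! -s "$outdir/key" ] || [ ! -s "$outdir/cert" ]; then
        rm -f "$outdir/key" "$outdir/cert"
        echo "no private key or certificate in $bundle" >&2
        return 1
    fi
}

# make_sample FILE (hypothetical): constructed bundle shaped like the
# pkcs12 output; the base64 is placeholder text, not real key material.
make_sample() {
    cat > "$1" <<'EOF'
Bag Attributes
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END PRIVATE KEY-----
Bag Attributes
subject=CN = user@example.com
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVA==
-----END CERTIFICATE-----
subject=CN = Example CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0E=
-----END CERTIFICATE-----
EOF
}

demo_dir=$(mktemp -d)   # scratch directory for the demo run
make_sample "$demo_dir/mycert.pem" && split_pem "$demo_dir/mycert.pem" "$demo_dir" && ls -l "$demo_dir"
```

On the real server the call would be split_pem mycert.pem /usr/decrypt, after which mycert.pem and the uploaded PFX no longer need to stay on disk.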

NOTE: It appears there is now an app for the iPhone and iPad to read SMIME e-mails and documents. It is available in the App Store.

FreeBSD: Aliasing IPs

Edit /etc/rc.conf

The primary IP of the machine will be defined by a line that looks similar to this:

ifconfig_rl0="inet 192.168.1.2 netmask 255.255.255.0"

To add additional IPs, add one alias line per address:

ifconfig_rl0_alias0="inet 192.168.1.3 netmask 255.255.255.255"
ifconfig_rl0_alias1="inet 192.168.1.4 netmask 255.255.255.255"

FreeBSD: Moving To A Larger Harddrive

Moving to a Larger Hard Drive

Applicable to: FreeBSD 4.3 and Higher

This sheet describes the procedure I used to move my company’s FreeBSD system to a larger hard drive.

1. Verify that the system supports two hard drives. If not, rebuild the kernel with support for two hard drives:

# ATA and ATAPI devices

device ata0 at isa? port IO_WD1 irq 14

device ata1 at isa? port IO_WD2 irq 15

device ata

device atadisk # ATA disk drives

2. Shut down and install the additional drive as the slave on the primary IDE controller. Be sure to set the existing drive from ‘single’ to ‘master.’

3. Boot to single user mode:

ok boot -s

# fsck -p

# mount -u /

# mount -a -t ufs

# swapon -a

4. Run sysinstall:

# /stand/sysinstall [This is now just sysinstall on newer versions]

1. Choose ‘Configure,’ then ‘Fdisk’ from the menu, then choose drive ‘ad1.’

2. In the FDISK Partition Editor, choose ‘A’ to use the entire disk, then choose ‘W’ to write the changes to disk. Press ‘Q’ to continue.

3. Choose ‘Standard’ at the “Install Boot Manager” dialog box.

4. Back at the sysinstall menu, choose ‘Label’.

5. In the Disklabel Editor, create the following partitions:

ad1s1a /mnt 512MB as UFS

ad1s1b swap 512MB as swap

ad1s1e /mnt/usr remaining as UFS

Note: To get partition ‘a’, tell Disklabel Editor the mount point is ‘/’, then change it to ‘/mnt’ using the ‘M’ option.

Choose ‘W’ to write changes to disk, then choose ‘Q’ to continue.

6. Exit sysinstall.

5. If the new filesystems aren’t automatically mounted, mount them by hand:

# mount /dev/ad1s1a /mnt

# mount /dev/ad1s1e /mnt/usr

6. Copy the existing filesystems:

# tar clf - -C / -X /mnt . | tar xpvf - -C /mnt

# tar clf - -C /usr . | tar xpvf - -C /mnt/usr

7. Shut down and remove the old hard drive. Be sure to set the new drive from ‘slave’ to ‘single.’

8. Boot to single user mode:

ok boot -s

9. If softupdates are compiled into the kernel, enable soft updates on the new drive:

# tunefs -n enable /usr

10. Mount the remaining filesystems:

# fsck -p

# mount -u /

# mount -a -t ufs

# swapon -a

11. Verify that all of the filesystems are properly mounted:

# mount

/dev/wd0s1a on / (ufs, local, writes: sync 8 async 204)

/dev/wd0s1e on /usr (ufs, local, soft-updates, writes: sync 366 async 13493)

procfs on /proc (procfs, local)

12. Reboot and observe startup messages to ensure the system is functioning properly.
