Readers of my previous posts, will be aware I noticed issues with apf under systemd; further details can found here.
Further updates and improvements were reported here. On a side note I’ve never received a response to the issue I raised on rfxn’s github.
I acknowledge that life can take people away from open-source projects , so I’ve created my own fork with some extras. Not only have I made improvements over the systemd solution provided on this blog previously. The fork also includes auto update with email alert and an un-install bash script.
This is a follow up to this post. The below script is written with automated CPANEL updates in mind, but could be quite easily modified to be used with any automated updates with logs.
!/bin/bash cd /var/cpanel/updatelogs # Change to cpanel updates logs directory. VAR1=$(ls -tr up*|tail -1) # Find the latest log and set it as a variable. egrep 'Error:|error:|Another app is currently holding the yum lock|Segmentation fault' $VAR1 > /tmp/update-check # Check for errors and output to temp file if egrep 'Error:|error:|Another app is currently holding the yum lock|Segmentation fault' /tmp/update-check; then # If then to check for errors and send email alert if required. /bin/mail -s "$(echo -e "Check to see if updates work, failed\nX-Priority: 1")" < /tmp/update-check root fi unset VAR1 # Unset variable.
Cronjob should be scheduled about an hour after updates:
#!/bin/bash /usr/local/sbin/apf --start &> /tmp/check-apf if egrep 'unable to load iptables module|timed out while attempting to gain lock|could not process allow_hosts|could not process deny_hosts|apf does not appear to have rules loaded|could not verify that interface|trust rules unchanged since last refresh' /tmp/check-apf; then /usr/local/sbin/apf --stop echo "APF Aborted" exit 1 else echo "All ok" fi exit 0
From looking at /etc/apf/internals/functions.apf, the egrep should cover all possible errors. If anyone thinks I’ve missed any, please feel free to let me know.
I have confirmed results in systemd failure by changing un-trusted interface to a interface which doesn’t exist on my system.
This is an update to the blog posted here. The original scripts have an issue when updates are available, in the fact that there is an alert sent if the updates are not installed. Being as the whole point is to check whether updates work, rather than updating; this is unwanted behaviour. So the scripts have been rewritten:
#!/bin/bash /usr/bin/timeout 120 /usr/bin/yum update --assumeno &> /tmp/check-update # check for rpm database & dependency errors rm -rf /tmp/yum_save_tx* # clear yum saved transactions if egrep 'Error:|error:|Another app is currently holding the yum lock|Segmentation fault' /tmp/check-update; then # if condition checks yum output for errors and sends email if there is any /bin/mail -s "$(echo -e "Check to see if updates work, failed\nX-Priority: 1")" < /tmp/check-update root fi
#!/bin/bash /bin/timeout 120 /bin/yum update --assumeno &> /tmp/check-update # check for rpm database & dependency errors rm -rf /tmp/yum_save_tx* # clear yum saved transactions if egrep 'Error:| error:|Another app is currently holding the yum lock|Segmentation fault' /tmp/check-update; then # if condition checks yum output for errors and sends email if there is any /bin/mail -s "$(echo -e "Check to see if updates work, failed\nX-Priority: 1")" < /tmp/check-update root fi
As linux systems admin you may have multiple servers, in this case it would make sense to automate updates. But even with the best monitoring failed updates can occasionally go unnoticed, with crontab and the below script; this can be avoided.
Create the script with you choice of editor: /usr/local/sbin/ifupdateswork.sh
#!/bin/bash /bin/timeout 120 /bin/yum update --assumeno &> /tmp/check-update || /bin/mail -s "$(echo -e "Check to see if updates work, failed\nX-Priority: 1")" < /tmp/check-update root
#!/bin/bash /usr/bin/timeout 120 /usr/bin/yum update --assumeno &> /tmp/check-update || /bin/mail -s "$(echo -e "Check to see if updates work, failed\nX-Priority: 1")" < /tmp/check-update root
Lets breakdown the script before we go any further:
timeout 120 – This causes yum to automatically closes after 2 minutes, this prevents the script from causing the automatic update from failing.
yum update –assumeno – The script is only for testing updating works, not to install updates; this is what the assume no flag does.
&> /tmp/check-update – Writes (also overwrites) error and standard output to /tmp/check-update
|| /bin/mail -s “$(echo -e “Check to see if updates work, failed\nX-Priority: 1″)” < /tmp/check-update root – Email is only sent if for any reason updates would fail, subject is set to: Check to see if updates work, failed. Importance Priority 1 is set in the header of the email. Uses /tmp/check-update as the body of the email. Then sends the email to root, normally an alias would be used for root so the email is sent to the system administrator; but alias’s are not covered here.
Make the script only executable by root: $ chmod u+x /usr/local/sbin/ifupdateswork.sh
Now schedule using crontab, I suggest running this script about an hour before the automated updates so for example mine looks like this:
This Weekend I decided to challenge myself, to setting a Tranmisson Server with Arch Linux on a KVM. For those of you not aware Arch Linux is a minimalist, with a lot of self config; a rolling release with latest packages.
These are the steps I followed:
Boot The KVM with install ISO, which can be downloaded from here: https://www.archlinux.org/download/
Openvpn configuration will vary depending on the provider, essentailly though provider will provide .opvn files for each server. This needs copying to a *.vpn, for example vpn.conf. Now create /etc/pass.txt add your vpn credentials, username first line; password 2nd. Update the following in vpn.conf:
Edit 04/08/2020 – Not sure when paypal’s 2fa offering updated, but this post is now redundant. All you need do now is login in to your paypal account, settings, security, “Manage 2-factor authentication” and select Authenticator APP.
I just tried using 2fa (Two Factor Authentication) with Paypal, by default I am offered one option and that is to be sent a SMS, or If I dig a bit further a TOTP (Time-based One-time Password algorithm) from Symantec but you either need to sign up to Symantec VIP or after going through some loops; you can use Google Authenticator.
So I opted to go through the loops and setup Google Authenticator.
So all seemed good now… Until made a purchase on ebay, to find I wasn’t prompted for my 2fa; apparently because my ebay & paypal account are linked. So if my ebay account is hacked, my 2fa on paypal is worthless. So now I looked at Ebay’s 2fa offering and I am presented with the same options as Paypal (and the same loops for TOTP).
At this point I disabled 2fa on paypal and have gone back to relying on passwords, I am using a password manager with a strong password generator; rather than relying 2fa options available. I recommend Roboform, Lastpass or Keepass.
If unlike me the above doesn’t put you off using Paypal’s 2fa, then feel free to try the following:
SMS – After logging in click the settings cog (top right), then SECURITY, then Security key and follow the on screen instructions.
Bus 001 Device 004: ID 0b95:1790 ASIX Electronics Corp. AX88179 Gigabit Ethernet
Bus 001 Device 005: ID 413d:2107
Bus 001 Device 006: ID 0424:7800 Standard Microsystems Corp.
Bus 001 Device 003: ID 0424:2514 Standard Microsystems Corp. USB 2.0 Hub
Bus 001 Device 002: ID 0424:2514 Standard Microsystems Corp. USB 2.0 Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
I am currently using this with Raspbian in conjunction with a Zabbix server. Installing is as follows:
if [ "$1" = "-g" ]
tempered | grep -oP '(?<=/dev/hidraw1 0: temperature) [\d.]+'
SNMP OID: .126.96.36.199.188.8.131.52.8
Edit 10/11/19 – /dev/hidraw1 needs to accessible by non root users. This should be done with a udev rule, but I couldn’t get this this to work; if any has an answer to this please comment below. Anyway so I fudged it by adding /bin/chmod 666 /dev/hidraw1 to rc.local. On distos running systemd, a systemd unit will probably need to be created and enabled; I won’t advise how to that here as a google search will give results pretty quickly.
If you don’ want to use a network monitor server you could just set a cronjob to check the temperature and send an email alert if temperature is to high, for example:
sudo crontab -e
*/15 * * * * /bin/bash /home/pi/check-temp.sh
This will check the temperature every 15 minutes and send an alert if required.
a=$(/usr/local/bin/tempered | grep -oP '(?<=/dev/hidraw1 0: temperature) [\d.]+')
if [ $a \> $b ];
echo "Temperature" $a"c, normal";
unset a b
Will call /home/pi/alert.py and send alert if temperature is over 40 °c (to change this update b= ).
# import necessary packages
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
# create message object instance
msg = MIMEMultipart()
message = os.environ.get('a')
# setup the parameters of the message
password = "password"
msg['From'] = "firstname.lastname@example.org"
msg['To'] = "email@example.com"
msg['Subject'] = "Temperature Alert! Value in body is in Centigrade"
# add in the message body
server = smtplib.SMTP('mailserver.example.com: 25')
# Login Credentials for sending the mail
# send the message via the server.
server.sendmail(msg['From'], msg['To'], msg.as_string())
print "successfully sent email to %s:" % (msg['To'])
Your VPN provider such as Private Internet Access or NordVPN, will (should) have firewall rules in place; which provides protection to prevent access to your connected devices. This is just an extra layer of security and is more peace of mind than anything.
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j DROP
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A OUTPUT -p tcp -m tcp --dport 22 -j DROP
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o wlan0 -j ACCEPT
The most important lines are:
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j DROP
The first line of these 2 allows inbound connections from the vpn if a service (such as a webpage) has been requested outbound from your device. The 2nd line drops all other inbound traffic.
P.S Please feel free to comment.