MyDeny Script

by Ramses Soto-Navarro, ramses@sotosystems.com

Overview
The Script
Cronjob
Remove IP

Overview

mydeny.sh adds IP addresses that have too many failed SSH login attempts to /etc/hosts.deny. It is a simple alternative to the older Python denyhosts. Run from cron (every 2 hours in the crontab below), it searches /var/log/messages for IP addresses that failed to log in via SSH more than 20 times and adds each one to hosts.deny. Each denied IP is logged to /var/log/messages under the tag mydeny.sh. Follow the parsing logic to automatically add more libwrap services to hosts.deny. This document is for experienced Linux administrators.

The Script

#!/bin/bash
# mydeny.sh: add IPs with too many failed SSH logins to /etc/hosts.deny.

MAX=20
DATE=$(date +%Y-%m-%d)
MARK=$RANDOM
TMP1=~/tmp/$MARK-1.txt
TMP2=~/tmp/$MARK-2.txt

# Collect the source IPs of today's sshd "PAM: User not known" errors, then
# count how many lines in /var/log/messages mention each IP ("IP COUNT").
f_findbadssh () {
	mkdir -p ~/tmp/
	grep "$DATE" /var/log/messages | grep sshd | grep "error: PAM: User not known" \
		| awk '{print $NF}' | sort | uniq > "$TMP1"
	# -F takes the IP literally (dots are not regex wildcards); -w stops
	# 1.2.3.4 from also counting lines that contain 1.2.3.45.
	for a in $(cat "$TMP1") ; do echo "$a $(grep -cwF "$a" /var/log/messages)" ; done > "$TMP2"
}

# Append "sshd: IP" to hosts.deny for every IP above MAX, once only.
f_addtodh () {
	while read -r IP COUNT ; do
		if [ "$COUNT" -gt "$MAX" ] ; then
			#echo "High Bad SSH Login Count = $COUNT for $IP. Adding to /etc/hosts.deny."
			# Skip IPs already present in hosts.deny (any service line).
			if ! grep -qwF "$IP" /etc/hosts.deny 2>/dev/null ; then
				logger -t mydeny.sh "Adding $IP to /etc/hosts.deny."
				echo "sshd: $IP" >> /etc/hosts.deny
			fi
		fi
	done < "$TMP2"
	rm -f "$TMP1" "$TMP2"
}

f_findbadssh
f_addtodh
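As an added example (not the original mydeny.sh), the same parsing and de-duplication logic run against constructed log lines and a temporary deny file, so the MAX threshold and the libwrap service name can be exercised before the script is pointed at /var/log/messages and /etc/hosts.deny. The function names, IPs, hostnames and log lines are constructed for this example; the service name is a parameter so the same logic covers other libwrap services.

```shell
#!/bin/sh
# Added example (not the original mydeny.sh): the same parsing logic run against
# constructed log lines and a temporary deny file instead of /var/log/messages
# and /etc/hosts.deny. All IPs, hostnames and log lines below are made up.

# Print "IP COUNT" for each source IP with an sshd "PAM: User not known" error
# on DATE. Counting only the matching sshd lines (the original counts every
# line mentioning the IP) keeps unrelated log entries out of the total.
count_bad_ssh() {   # $1 = log file, $2 = date prefix (YYYY-MM-DD)
	grep -F "$2" "$1" | grep -F sshd | grep -F 'error: PAM: User not known' \
		| awk '{print $NF}' | sort | uniq -c | awk '{print $2, $1}'
}

# Append "SERVICE: IP" to a hosts.deny-style file unless that exact line exists.
# -x matches the whole line and -F takes the IP literally, so 10.0.0.1 can never
# match an existing 10.0.0.12 entry. Returns 1 when nothing was added.
add_deny() {        # $1 = deny file, $2 = libwrap service, $3 = IP
	grep -qxF "$2: $3" "$1" 2>/dev/null && return 1
	echo "$2: $3" >> "$1"
}

# Deny every IP whose count is above MAX and print how many entries were added.
deny_over_max() {   # $1 = log, $2 = date, $3 = MAX, $4 = deny file, $5 = service
	counts=$(mktemp); added=0
	count_bad_ssh "$1" "$2" > "$counts"
	while read -r ip count; do
		if [ "$count" -gt "$3" ] && add_deny "$4" "$5" "$ip"; then
			added=$((added + 1))
		fi
	done < "$counts"
	rm -f "$counts"
	echo "$added"
}

# Constructed sample log in the ISO-timestamp rsyslog format SUSE writes.
LOG=$(mktemp); DENY=$(mktemp)
MSG='sshd[2211]: error: PAM: User not known to the underlying authentication module for illegal user admin from'
{
	for i in 1 2 3; do echo "2020-10-10T01:0$i:00+02:00 host $MSG 198.51.100.7"; done
	echo "2020-10-10T01:05:00+02:00 host $MSG 198.51.100.70"
	echo "2020-10-09T23:59:00+02:00 host $MSG 198.51.100.7"   # previous day: not counted
} > "$LOG"
echo "sshd: 198.51.100.70" > "$DENY"   # already present: must not be duplicated

# MAX=2: 198.51.100.7 (3 failures today) is added once; 198.51.100.70 stays as is.
ADDED=$(deny_over_max "$LOG" 2020-10-10 2 "$DENY" sshd)
echo "added $ADDED entries:"; cat "$DENY"
```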

Cronjob

~ # crontab -l

# Add bad SSH login IPs to hosts.deny every 2 hours.
0 */2 * * * /root/bin/mydeny.sh

~ # systemctl restart cron

Remove IP

To remove an IP from hosts.deny, delete its line (the dots are escaped so they match literally):

# sed -i '/61\.177\.172\.158/d' /etc/hosts.deny

SuSE RMT Repo Installation

by Ramses Soto-Navarro ramses@sotosystems.com

Overview
Register
Install RMT
Setup MySQL Password
RMT Setup
Setup Firewall Rules
Enable SLP Broadcast
RMT Server Status
Install Repos
Setup RMT Clients
Add Repo Install Directories
Create Mini ISOs


Overview

Brief notes on installing RMT (Repository Mirror Tool) on SuSE 15.x. The audience is experienced Linux administrators.
NOTE: Do not install Apache; on SuSE, RMT uses Nginx. Official documentation: https://documentation.suse.com/sles/15-SP1/single-html/SLES-rmt/index.html

Register

Verify that the server is registered with SUSE via the regular registration procedure: yast, Product Registration.
Verify that the online repos are populated:

# zypper refresh
# zypper repos

Install RMT

Install the repository mirror tool. If MySQL is not already set up, it will be installed as well.

# zypper in rmt-server
# rcmysql start
# rcnginx start
# systemctl enable mariadb
# systemctl enable nginx

Setup MySQL Password

# set +o history
# mysqladmin -u root password 'password'
# set -o history
# mysql -u root -p
>show databases;
>quit

RMT Setup

# yast
	Network Services, RMT Configuration.

To get the credentials: scc.suse.com, Proxies, top right, click on the eye icon:

Database username: rmt
Password: <select password>
CA Private Key Password: <select password>

Setup Firewall Rules

# firewall-cmd --get-active-zones
# firewall-cmd --list-all --zone=internal
# firewall-cmd --zone=internal --add-service=snmp
# firewall-cmd --zone=internal --add-service=http
# firewall-cmd --zone=internal --add-service=https
# firewall-cmd --zone=internal --add-service=ftp
# firewall-cmd --zone=internal --add-service=squid
# firewall-cmd --zone=internal --add-service=nfs
# firewall-cmd --zone=internal --add-service=nfs3
# firewall-cmd --zone=internal --add-service=syslog
# firewall-cmd --zone=internal --permanent --add-port=427/tcp
# firewall-cmd --zone=internal --permanent --add-port=427/udp
# firewall-cmd --runtime-to-permanent
# firewall-cmd --reload

Enable SLP Broadcast

# zypper install openslp-server
# systemctl enable slpd.service
# systemctl restart slpd.service

View RMT Server Status

Look at the Trigger line for the time of the next update.

# systemctl status rmt-server-sync.timer

View Products and Repos:

# rmt-cli products list --all
# rmt-cli repos list --all

View installed products and repos:

# rmt-cli products list
# rmt-cli repos list

Install Repos

Install the repos and packages for SuSE 12 SP4, 12 SP5 and 15 SP1, synchronize, then mirror.

# rmt-cli products enable SLES/12.4/x86_64 SLES/12.5/x86_64 SLES/15.1/x86_64 

Alternative:

# rmt-cli products enable 1625 1878 1763
# rmt-cli sync
# rmt-cli mirror

Setup RMT Clients

Set up the other servers to register and install packages via the repo servers:

# wget http://test-repo1/tools/rmt-client-setup
# sh rmt-client-setup https://test-repo1.example.com
	Do you accept this certificate? [y/n] y
	Start the registration now? [y/n] y

# zypper refresh
# zypper repos
# zypper list-updates
# zypper update

Install a test package mc (midnight commander):

# zypper install mc
# zypper info mc
# zypper packages
# mc

Add Repo Install Directories

Upload the ISOs and mount them, ready for local installs over the LAN:

http://test-repo1.example.com/pub/suse/suse-12-sp4/dvd1
http://test-repo1.example.com/pub/suse/suse-15-sp1/dvd1
http://test2-repo1.example.com/pub/suse/suse-12-sp4/dvd1
http://test2-repo1.example.com/pub/suse/suse-15-sp1/dvd1

Create Mini ISOs

The mini ISOs are 90MB to 100MB, which makes for faster and easier remote installs over the LAN while using the repo servers. Place them in the same directory as the original ISOs:

# mksusecd --create SLE-15-SP1-mini.iso --nano SLE-15-SP1-Installer-DVD-x86_64-GM-DVD1.iso
# mksusecd --create SLE-12-SP4-mini.iso --nano SLE-12-SP4-Server-DVD-x86_64-GM-DVD1.iso

The End.

FreeBSD Mini MemStick Image with SSH Access

by Ramses Soto-Navarro ramses@sotosystems.com 10/10/2020


Overview
Download
Disk Image
Boot Ministick
Manual Startup
Auto Startup
Remount Set Root
Configure SSHD
Remote Login
SSHD Problem


Overview

The FreeBSD 10 ministick does not have sshd enabled by default; it must be configured manually. The same goes for the FreeBSD 12.1 ministick (mini memory stick image). mfsBSD already offers it by default. Here is how to enable it on the FreeBSD ministick. There are no permanent settings yet, so the configuration has to be entered every time, which is good disaster recovery practice. More on remastering later.

Download

$ DIR="https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.1"
$ wget $DIR/FreeBSD-12.1-RELEASE-amd64-mini-memstick.img.xz
$ xz -d FreeBSD-12.1-RELEASE-amd64-mini-memstick.img.xz
$ ln -s FreeBSD-12.1-RELEASE-amd64-mini-memstick.img mini.img
