HOWTO: Set up ssh keys


I get this question a lot. Key-based logins make automation between servers great. Nothing like being able to sync data, or log in and grab some information, without typing a password.
It is super easy. Let's get started! We want to be able to copy files from Server02 to Server01 without getting harassed for a password. Let's start with what we will do on Server01.
Log in, then generate keys for the account we want to use. I am using the user bob for this example. Run the command 'ssh-keygen -t rsa'.
I have attached the output below to show you what it will ask. First it asks for a place for the files; the default is exactly where we want to put them, so hit enter. Next it asks for a passphrase. For our purposes we don't want one, so just hit enter twice!

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/bob/.ssh/id_rsa):
Created directory '/home/bob/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/bob/.ssh/id_rsa.
Your public key has been saved in /home/bob/.ssh/id_rsa.pub.
The key fingerprint is:
8d:e5:3c:5b:97:85:35:76:23:49:02:4d:ff:2b:b0:b7 bob@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
(removed some cool ASCII art here)

Once that is done, it creates the file structure below.

.ssh
├── id_rsa
└── id_rsa.pub

What we are concerned with is id_rsa.pub. Some people get fancy and scp it over to the remote box we want to set the key up on. I just cat it and copy: 'cat id_rsa.pub'

cat id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1DZygXl+aC68m8DdMpBfQr6yQcIchwvcwCKvuZGddutoXoL7wCdmwWsm5qLFeeRcG3Irmte8C4+KEEvWWt3+BS8r8SrQpfJ/1YluxSLgwz6CRede58aqZv+Td7Yy1dIZucfhXgGtJCIrflfHVYMI97HPMStKg3yLuX0GcdkgtviKmtDmByqtb4N4dalgPLXHbQuloi4kIOlkLLYbuQbd4g5LcrOt56d8A3OGIjYp/4oefi5eXFlgCTmWvjqerbzTle5ub8UQstqaQqbKrkTNeWzVVe96xSD3UHy8ZvHTDdlwRT5WEGyP5038HPb0O2xJgPEBK1og/XnKKFQckAWJdQ== bob@localhost.localdomain

Now I copy the whole line, from 'ssh-rsa' to the end. Now let's jump over to the other server, 'Server02'!
I want to log into my 'bob' user account on Server02.
If the account has never used ssh keys before, I just get lazy and run

ssh-keygen -t rsa

This way I know the folders are created correctly. The file I need usually isn't created by that, but it might be. What I am looking for is

authorized_keys

So let's edit this file, 'authorized_keys':

vi .ssh/authorized_keys

Then I hit 'i' to insert (you know vim, right?!?) and paste my key, all on one line:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1DZygXl+aC68m8DdMpBfQr6yQcIchwvcwCKvuZGddutoXoL7wCdmwWsm5qLFeeRcG3Irmte8C4+KEEvWWt3+BS8r8SrQpfJ/1YluxSLgwz6CRede58aqZv+Td7Yy1dIZucfhXgGtJCIrflfHVYMI97HPMStKg3yLuX0GcdkgtviKmtDmByqtb4N4dalgPLXHbQuloi4kIOlkLLYbuQbd4g5LcrOt56d8A3OGIjYp/4oefi5eXFlgCTmWvjqerbzTle5ub8UQstqaQqbKrkTNeWzVVe96xSD3UHy8ZvHTDdlwRT5WEGyP5038HPb0O2xJgPEBK1og/XnKKFQckAWJdQ== bob@localhost.localdomain

Next we ':wq' to save and exit.
Now here is where most people get hung up! We have to make sure authorized_keys has permissions of 600:

chmod 600 authorized_keys

Then I 'cd ..', which should put us back in our home dir. Now let's test this bad boy!

Jump back to server01 and test:

ssh server02 id

If we are lucky we see this:

uid=501(bob) gid=502(bob) groups=502(bob)

No password! It might prompt you to accept the host key the first time, but there should be no password prompt.
Also, a side note: I used the user account 'bob', but if you are syncing between different accounts, say bob -> root,
you would test your key with 'ssh root@server02 id'. If you leave off the 'root@' it uses the currently logged-in user.
Well hope that helps!
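
Two things the walkthrough leaves you to discover by trial and error are a mangled paste and wrong permissions. The script below is an added example, not part of the original post: it validates an authorized_keys line the way an intact OpenSSH public key is laid out (a key type, then a base64 blob whose first field repeats that type), and checks the 700/600 modes on the directory and file. The first key line is the one this post printed with cat; the second is a constructed copy with one character of the blob dropped, the kind of damage a sloppy copy-and-paste into vi produces. The temporary directory in the usage is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: checks for a pasted authorized_keys
# line, and for the modes sshd expects before it will use the file (with the
# default StrictModes it silently ignores a key file reachable through
# group- or world-writable parents).

# The public key exactly as "cat id_rsa.pub" printed it in the post.
GOOD_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1DZygXl+aC68m8DdMpBfQr6yQcIchwvcwCKvuZGddutoXoL7wCdmwWsm5qLFeeRcG3Irmte8C4+KEEvWWt3+BS8r8SrQpfJ/1YluxSLgwz6CRede58aqZv+Td7Yy1dIZucfhXgGtJCIrflfHVYMI97HPMStKg3yLuX0GcdkgtviKmtDmByqtb4N4dalgPLXHbQuloi4kIOlkLLYbuQbd4g5LcrOt56d8A3OGIjYp/4oefi5eXFlgCTmWvjqerbzTle5ub8UQstqaQqbKrkTNeWzVVe96xSD3UHy8ZvHTDdlwRT5WEGyP5038HPb0O2xJgPEBK1og/XnKKFQckAWJdQ== bob@localhost.localdomain'
# Constructed: the same line with the first character of the blob dropped.
BAD_KEY=$(printf '%s' "$GOOD_KEY" | sed 's/^ssh-rsa A/ssh-rsa /')

# check_key_line "type base64 [comment]"
# Returns 0 when the line has a type word and a blob, the blob is whole base64,
# and the decoded blob starts with a 4-byte length followed by that same type.
check_key_line() {
    line=$1
    type=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    [ -n "$type" ] && [ -n "$blob" ] && [ "$rest" != "$line" ] || return 1
    # base64 text comes in groups of 4 characters; a dropped character breaks that
    [ $(( ${#blob} % 4 )) -eq 0 ] || return 1
    n=$(( ${#type} + 4 ))
    want=$(printf '%08x' "${#type}")$(printf '%s' "$type" | od -An -tx1 | tr -d ' \n')
    got=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -tx1 -N "$n" | tr -d ' \n')
    [ "$got" = "$want" ]
}

# check_ssh_perms DIR: DIR must be mode 700 and DIR/authorized_keys mode 600,
# the modes the post recommends.
check_ssh_perms() {
    dir=$1
    [ -d "$dir" ] && [ -n "$(find "$dir" -prune -perm 700)" ] || return 1
    [ -f "$dir/authorized_keys" ] && [ -n "$(find "$dir/authorized_keys" -prune -perm 600)" ] || return 1
}

# Demo: the intact line passes, the damaged one does not.
for k in "$GOOD_KEY" "$BAD_KEY"; do
    if check_key_line "$k"; then printf 'ok:  %.30s...\n' "${k#* }"; else printf 'bad: %.30s...\n' "${k#* }"; fi
done
```

Run it on the remote side after pasting: `check_key_line "$(tail -n 1 ~/.ssh/authorized_keys)" && check_ssh_perms ~/.ssh` catches both mistakes before you go back to Server01 and wonder why you are still being asked for a password.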

Linux screen cheat sheet

I love screen. It keeps my work going when I leave a terminal. Here are some common ways to use it.

Make sure it is installed.

rpm -qa |grep screen

If it isn’t then we can just

yum install screen -y

Then once it goes through the install we should see

Installed:
screen.x86_64 0:4.0.3-16.el6

Complete!

Now on to how to use it. To start a screen we just type

screen

Let's say you start your rsync or script and want to detach from the screen but leave it running. We hit

ctrl-shift-a-d

Then we see this:

user@localhost
[detached]
user@localhost

Now if we do a

screen -ls

This will allow us to view the available screens.

screen -ls
There is a screen on:
14559.pts-3.localhost (Detached)
1 Socket in /var/run/screen/S-user.

That tells us there is one screen, and it is detached. If you wanted to reconnect we could do a

screen -r

But what if there is more than one screen? Then we would have to specify the screen to attach to.

screen -r 14559.pts-3.localhost

Let's say after a while you and a co-worker are both checking on a big file copy. You do a

screen -ls

There is a screen on:
14559.pts-3.localhost (Attached)
1 Socket in /var/run/screen/S-user.

See that it is listed as Attached. You know your co-worker is not on, so you can forcibly take over the screen, kicking them off, using the command

screen -r -D 14559.pts-3.localhost

That will kick them off and let you on!

You can also name your screens so you have a better idea of what is going on.

screen -S tango

Then a screen -ls shows

There is a screen on:
	18419.tango	(Detached)
1 Socket in /var/run/screen/S-locale

It still lists the numbers, but you could name a screen devfiles01 so you have a better idea of what it is.
So that is Linux screen in a nutshell. I leave you with some common keystrokes for screen below!


ctrl+a+c	new screen
ctrl+a+n	next screen in the list
ctrl+a+p	previous screen
ctrl+a+k	kill the current screen
ctrl+a+d	detach, leaving everything running and re-attachable
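
Picking the right session out of a long screen -ls listing, and noticing that the one you want is still attached somewhere else, is the part of this that gets done by eye. The script below is an added example, not from the original post: a small parser for the screen -ls format that lists sessions by state and builds the reattach command, using -r -D only when the session is attached elsewhere, as the post describes. The listing is a constructed sample in the layout screen prints; its PIDs and names are made up.

```shell
#!/bin/sh
# Added example, not from the original post: parse "screen -ls" output.

# Constructed sample of what "screen -ls" prints (PIDs and names are made up).
SAMPLE_LS='There are screens on:
    18419.tango    (Attached)
    14559.pts-3.localhost    (Detached)
    20122.devfiles01    (Detached)
3 Sockets in /var/run/screen/S-user.'

# sessions STATE < screen-ls-output: print the id (pid.name) of every session
# whose state is STATE (Attached or Detached). Session lines have the state in
# parentheses as their second field; the header and footer lines do not.
sessions() {
    awk -v st="($1)" '$2 == st { print $1 }'
}

# session_state NAME < screen-ls-output: print Attached or Detached for the
# session called NAME (the part after "pid.") or whose full pid.name is NAME.
# Returns 1 when no such session exists.
session_state() {
    awk -v name="$1" '
        $2 ~ /^\(/ {
            id = $1; sub(/^[0-9]+\./, "", id)
            if (id == name || $1 == name) { s = $2; gsub(/[()]/, "", s); print s; found = 1 }
        }
        END { if (found) exit 0; exit 1 }'
}

# reattach_cmd NAME < screen-ls-output: the command that gets NAME back on this
# terminal: plain "-r" for a detached session, "-r -D" to pull it away from a
# terminal it is still attached to. Returns 1 for an unknown session.
reattach_cmd() {
    st=$(session_state "$1") || return 1
    if [ "$st" = "Attached" ]; then
        echo "screen -r -D $1"
    else
        echo "screen -r $1"
    fi
}

# Demo on the sample: tango is attached elsewhere, so the -D form is needed.
printf '%s\n' "$SAMPLE_LS" | reattach_cmd tango     # prints: screen -r -D tango
```

Against a live system replace the sample with the real listing: `screen -ls | reattach_cmd devfiles01`. Naming sessions with -S, as the post suggests, is what makes the lookup by name possible at all; the bare pts-3 style ids only tell you which terminal started them.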

Social Media Security – musings on security in an unsecure cloud!

Social Media Security the Return of the cloud!

I have always been a private kind of person. I shun the idea of posting my personal information. I have a need to hide my identity.
Normally I try to use generic usernames and/or emails. I am finding that the new wave of the future is that your name is your brand. It goes against everything I have ever felt about doing stuff "online". I guess I am not the only one.
Most of my security-savvy friends are not on Facebook. Back when I first started using Gmail, I was thinking, man, this is great. I never have to worry about transferring data to a new phone. I just log on. BAM! I have my info. But at what cost has this convenience come?
I bet Google knows more about me than my family and friends!
Now I wonder if that convenience is worth it. Look at this article I read.
“U.S. government agencies continue to make the most requests for user data, Google says: 7,969 such requests in the first half of the year. Google says it complied with 90 percent of those requests.”

Google has complied with 90% of those requests. You probably have a file somewhere at a big .gov that lists every Facebook page you ever looked at.
I am starting to rethink using social media for anything.
Of course there is that pesky business of checking email/Facebook every 5 minutes from our phones. Who can live without those pesky memes that get recycled but are oh so funny?

I might look at trying to lower my web presence. But I wonder about the void of having nothing to "check" or look at while I am sitting in the supermarket line.
I feel it would be a lonely place in the digital prisons we have built for ourselves.

Of course, if I did decide to go sans social media, I have thought about these ways to do it:

Use a hosted email and POP all my mail.
Delete my Gmail account, and/or try to disable it. Rotate out some generic usernames on forums.
Go on a vacation to a place that doesn't have internet. Helps with the withdrawals.
Turn off the cellphone and go back to a standard phone, strictly phone/text, or a BURNER phone as my drug friends like to call it.
Of course a job that didn't require me to sit on a computer daily would help.

But it seems the world is becoming more connected. The government (factcheck) has said that if you don't have a social profile you could be weird, a sociopath, etc. Of course they want you to believe that! Those are the people they can't watch with the consensual 24/7 Big Brother experiment called "social networks".

In closing: will I drop out of sight, become a "sociopath" or some social hermit living a life of no wires or connections? Only one way to find out.

Linux Third Party Firewalls

Linux Firewalls
Iptables: is it the only desktop firewall in the game for Linux?

Most people think of iptables when they think of Linux firewalls, but there are a few other products, paid and free, available as third-party firewall software. Most people decide on a few factors:

Ease of setup.
Supportability.
Possible gui’s.

Face it, not everyone is an iptables wizard. People have varying degrees of comfort with Linux, so it is assumed a company or product might give a little extra support to someone newer to Linux, or someone who isn't as comfortable with the inner workings of the OS, much less a security product.

Doing a quick search on Google, I come up with a few possible hits for third-party replacements or add-ons to iptables.

Injoy Firewall:
This one is a little different than the others listed below. Most of them use the iptables infrastructure and give you an easier GUI or command set on top of it. Injoy uses a network device driver of its own, which allows packet inspection before the traffic gets to the kernel's network stack. This is great for kernel-level vulnerabilities: you're stopping the traffic before it hits your kernel. One of the benefits listed is remote GUI administration, which seems like it would bring in the comfort level of using a GUI. Some user reviews mentioned how they enjoyed the desktop alerting feature, so they knew if something had happened.
Looks like it would be a good one to look at. I'll have to write a review after I have had a chance to try it.

Shorewall:
"Iptables made easy" is Shorewall's one-liner. It is built on the iptables/netfilter system, so it utilizes the power and flexibility of iptables.
If you have trouble using iptables directly, you should try Shorewall, as it provides an easier-to-understand overview and setup of iptables rules using text files. It still might not be as user-friendly as a GUI, but it has good instructions and a solid support base!

IPcop:
IPCop is another one for small to mid-size businesses or home use. It is a Linux firewall OS that requires a separate server/PC to run the software. You can configure the firewall from a web GUI, which is helpful for those not so command-line savvy. It is a stateful firewall based on Linux netfilter.
You can take an old PC and convert it into a secure internet gateway with IPCop, which will secure the home/small-office network from the internet.

So this should be a good start to finding a firewall based on your comfort level! Let me know what your favorite firewall is!

Python debugger

I am mainly putting this here so I can remember it; I always forget. I am an old Perl guy and I am so used to just running

perl -d

But in Python you need a few more steps. Put this up near the rest of your imports:

import pdb

Then find the place in your code where you want to step through, and insert this statement:

pdb.set_trace()

Once that is done, run your script. When execution reaches the line you added, you get a debugger prompt.
Once you're in the zone, err, debug console, you should learn how to get around.
To move on in your script hit "n", for next. That takes you to the next statement in your script.
Let's say you are building a command from a variable. You think it looks good, but you want to verify that it is correct and that there aren't any odd symbols or spaces.
Just type "p variable".
This prints out what is in the variable, so you can see if you have any issues with the wording.
I find this most helpful, as I mentioned earlier, with variables.
Another cool feature is listing the code around where your script is sitting at the prompt:
hit "l".
Kind of easy to remember on this one: "l" = list.

Also, to exit the debug session just hit "q"; this will cause your program to crash out!

Finally, if you just want the script to start back up, hit "c". Another easy one: c = continue.
But if you have the trace set inside a loop, you will see it stop again.

So a quick overview:
import pdb        # import the debugger module
pdb.set_trace()   # put this where you want the debugging to start
n                 # next: step through the script one statement at a time
l                 # list the code around the debug prompt
p variable        # print that variable, make sure nothing is strange
c                 # continue script execution
q                 # quit: abort the script, ungracefully

Hope this helps!

LVM adding space

Linux LVM

One of the great things about LVM is that you can add space easily. If you are about to run out of space, you just add some. Here is a simple breakdown of how we add that space,
in this order:

  1. PV (physical volume)
  2. VG(volume group)
  3. LV (logical volume)

Now on to how to do each step!
It is always a good idea to back your stuff up at this point; I hope backing up critical files is second nature by now. I'll suppose our existing volume group is "vg_devel" and our existing logical volume is "lv_root".
You will need to be root to perform these tasks.

I always like to run each command in test mode first by adding the '-t' option. Once I am comfortable, I re-run the command without the '-t'. Once you get the commands down you can skip that extra step, but believe me, do this enough and it becomes second nature.

Add the new disk to the machine/VM and partition whatever space we want on it as type 8e (Linux LVM). I'll assume this is now /dev/sda3.
Sometimes swap or boot might grab an odd number. You can print out the partitions with the command

fdisk -l
That gives you a nice list with info on each partition.

Create a physical volume:

pvcreate /dev/sda3

Add the physical volume to the VG (volume group):
vgextend vg_devel /dev/sda3

Do a quick check to see how things are going:
vgdisplay vg_devel
You should see something like:
VG Name vg_devel
System ID
Format lvm2
Metadata Areas 2
Metadata Sequence No 5
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 1
Open LV 0
Max PV 0
Cur PV 2
Act PV 2
VG Size 29.51 GiB
PE Size 4.00 MiB
Total PE 7554
Alloc PE / Size 7554 / 29.51 GiB
VG UUID iNVP6I-TuvK-Fdme-QIPV-FVSy-g60l-exZJxz
See the space we have!

Extend the LV(Logical volume):

lvresize -l 100%VG /dev/vg_devel/lv_root
The "-l 100%VG" says to resize this logical volume to all of the space in the volume group. The argument can be given several ways; do a man lvcreate to get all the relevant forms.

Let's check our work!
lvdisplay

Time to resize the filesystem.
e2fsck -f /dev/vg_devel/lv_root
resize2fs made me do that first.
resize2fs /dev/vg_devel/lv_root
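
The steps above are easy to get out of order or to run against the wrong device when you are doing them by hand at 2 a.m. The script below is an added example, not from the original post: the same PV -> VG -> LV -> filesystem sequence as one function that only echoes its commands unless DRY_RUN=0, plus a parser for vgdisplay output that refuses to resize when the volume group gained no free extents. The names (vg_devel, lv_root, /dev/sda3) are the post's and are assumptions for your own system; the vgdisplay samples in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the post's LVM steps as one script
# with a dry-run default and a free-extent check before lvresize.

VG=vg_devel
LV=/dev/$VG/lv_root
: "${DRY_RUN:=1}"

# vg_free_pe < vgdisplay-output: print the number of unallocated extents in the VG.
# vgdisplay normally prints a "Free  PE / Size" line; on output like the post's,
# where only "Total PE" and "Alloc PE / Size" are visible, fall back to Total - Alloc.
vg_free_pe() {
    awk '
        /^ *Total PE/          { total = $NF }
        /^ *Alloc PE \/ Size/  { alloc = $5 }
        /^ *Free  *PE \/ Size/ { free = $5; have_free = 1 }
        END { if (!have_free) free = total - alloc; print free + 0 }'
}

# run CMD...: echo the command in dry-run mode, otherwise execute it.
# On the real run the post's habit still applies: add -t to an LVM command while
# rehearsing it; DRY_RUN=0 without -t is the point of no return.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# grow_root DEV: PV, then VG, then LV, then the filesystem, in the post's order.
grow_root() {
    dev=$1
    run pvcreate "$dev"
    run vgextend "$VG" "$dev"
    if [ "$DRY_RUN" != 1 ]; then
        free=$(vgdisplay "$VG" | vg_free_pe)
        if [ "$free" -le 0 ]; then
            echo "vgextend added no free extents to $VG; not resizing $LV" >&2
            return 1
        fi
    fi
    run lvresize -l 100%VG "$LV"
    run e2fsck -f "$LV"     # resize2fs insists on a clean check first, as the post found
    run resize2fs "$LV"
}

# Demo: with the default DRY_RUN=1 this only prints the five commands.
grow_root /dev/sda3
```

Read the dry-run output once, then rerun with DRY_RUN=0 as root. The vg_free_pe guard is what turns "See the space we have!" into something the script checks rather than you eyeballing a vgdisplay listing.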

Red Hat Enterprise Linux 6.4 beta now available | ZDNet

linux cloud computing

Just recently started to test CloudStack, oVirt/RHEV, and OpenStack. I think we are going to go with oVirt/RHEV and OpenStack.
I'll let you guys know if we run into any issues.

quick curl sessions how to

I have to set up scripts to connect to various APIs. I find that curl has a nice way to save a session into a file.

curl -X POST --cookie-jar session.txt --data "username=blahblahblah&password=mypassword" \
  https://server:6667/api/v1

To reuse the session from the previous run we use:

curl -X GET --cookie session.txt https://server:6667/api/v1/datagroup

Disclaimer: I am creating the session.txt file in the directory I am running the script in.

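The two commands above work, but the password sits on the command line where ps and shell history can see it, and session.txt is a bearer credential that inherits whatever umask you happen to have. The script below is an added example, not from the original post: the same login-then-reuse flow with the password read from a file, the jar created owner-only, and a check that the jar really holds a live session cookie before the second request is made. The URL and form field names are the post's; the file names and the cookie name "sessionid" are assumptions, and the jar in the usage is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: hardened version of the curl
# session flow plus a parser for the Netscape cookie-jar format curl writes.

API=https://server:6667/api/v1
JAR=${JAR:-session.txt}

# api_login USER PASSWORD_FILE: POST the login form, storing cookies in $JAR.
# --data-urlencode "password@FILE" reads the value from FILE and URL-encodes it,
# so the secret never appears in argv. Write the file without a trailing
# newline (printf '%s' "$pw" > FILE), or the newline becomes part of the password.
api_login() {
    umask 077                       # the jar is a credential: owner-only from creation
    curl -sS -X POST --cookie-jar "$JAR" \
        --data-urlencode "username=$1" \
        --data-urlencode "password@$2" \
        "$API"
}

# api_get PATH: reuse the stored session, e.g. api_get datagroup
api_get() {
    curl -sS --cookie "$JAR" "$API/$1"
}

# jar_has_cookie JAR NAME: return 0 if the jar holds a cookie called NAME that
# has not expired. The file is tab-separated: domain, flag, path, secure, expiry
# (Unix time, 0 = session cookie), name, value; comment lines start with "#",
# except that HttpOnly cookies are written with a "#HttpOnly_" prefix.
jar_has_cookie() {
    awk -F '\t' -v name="$2" -v now="$(date +%s)" '
        /^(#HttpOnly_)?[^#]/ && NF == 7 && $6 == name && ($5 == 0 || $5 > now) { found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Usage against the post's API (not run here; needs the server):
#   printf '%s' 'mypassword' > pw.txt && chmod 600 pw.txt
#   api_login bob pw.txt && jar_has_cookie "$JAR" sessionid && api_get datagroup
```

Checking the jar before the GET turns a silent "logged out, got the login page as JSON" into an early, explicit failure, which matters most when the script runs from cron where nobody reads the output.
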
Broad overview of linux firewalls

A firewall is either a software or hardware implementation, or a blend of both, that is designed to prevent unauthorized access to your system or a private network. All traffic to and from your system or network passes through a firewall where it is examined and either allowed through or not based on the criteria specified.

On any Linux based system there is a very powerful firewall, iptables and ip6tables, incorporated as part of the kernel. This is the only backend firewall implementation and it can be configured directly; third-party GUI frontends that help with configuration are also available. Iptables is used for IP version 4 addresses and ip6tables for IP version 6, and both work by filtering packets using chains that hold rule sets. A packet traverses a chain from the top and moves down until it matches a rule. The three basic chains are INPUT, OUTPUT and FORWARD. Besides filtering, iptables has two other features: connection tracking and network address translation. This packet filtering occurs at layers three and four of the OSI model.
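
The "walk down the chain until a rule matches, otherwise fall through to the policy" behaviour is the whole mental model of iptables, and it is worth seeing on a concrete rule set. The block below is an added example, not from the original page: a small stateful INPUT rule set in iptables-restore format, and a simulator that walks it the way the kernel does, reporting the first matching target or the chain's default policy. The rule set and the packets in the usage are constructed; the simulator only understands -i, -p, --dport, --ctstate and -j, and treats any rule using another option as not matching, which is deliberately conservative.

```shell
#!/bin/sh
# Added example, not from the original page: a rule set for the three basic
# chains and a first-match chain walker to show how a packet gets its verdict.

# Constructed rule set in iptables-restore format (load with: iptables-restore < file).
# Default policy DROP on INPUT and FORWARD, explicit ACCEPTs in front of it.
RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# verdict CHAIN IFACE PROTO DPORT CTSTATE < rules
# Walks CHAIN top to bottom; the first rule whose every criterion matches the
# packet decides, and if none does the chain policy applies.
verdict() {
    awk -v chain="$1" -v iface="$2" -v proto="$3" -v dport="$4" -v state="$5" '
        $1 == (":" chain) { policy = $2 }
        $1 == "-A" && $2 == chain && !done {
            ok = 1; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i")             { if ($(i+1) != iface) ok = 0; i++ }
                else if ($i == "-p")        { if ($(i+1) != proto) ok = 0; i++ }
                else if ($i == "--dport")   { if ($(i+1) != dport) ok = 0; i++ }
                else if ($i == "--ctstate") { if (index("," $(i+1) ",", "," state ",") == 0) ok = 0; i++ }
                else if ($i == "-m")        { i++ }           # names a match extension, no criterion itself
                else if ($i == "-j")        { target = $(i+1); i++ }
                else                        { ok = 0 }        # option not modelled here: treat as no match
            }
            if (ok && target != "") { done = 1; result = target }
        }
        END { if (done) print result; else print policy }'
}

# Demo: a new SSH connection is accepted by the fourth rule; a new connection
# to port 443 matches nothing and falls through to the INPUT policy.
printf '%s\n' "$RULES" | verdict INPUT eth0 tcp 22 NEW     # prints: ACCEPT
printf '%s\n' "$RULES" | verdict INPUT eth0 tcp 443 NEW    # prints: DROP
```

Note what the order buys you: the ESTABLISHED,RELATED rule sits above the per-port rules, so replies to connections the box itself opened are accepted without listing their ports, and the INVALID drop above them discards packets that belong to no tracked connection before any port is even looked at.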

There are other third-party firewall software implementations that run on the Linux platform; some stable ones are ClearOS, IPCop, Monowall and the eBox Platform. A Linux firewall can also be implemented as a dedicated hardware appliance.

The main idea is to isolate important machines by placing a highly secured machine between them and the network connection. There are numerous Linux based distributions designed to run on a machine acting as a router or firewall; some of them are Alpine Linux, FREESCO, Gibraltar, Halon Security, Endian Firewall and ClarkConnect, among many others. In this case the firewall is the only machine connected directly to the outside network, the rest of the machines get their filtered network connection through it, and any sensitive data stays behind the firewall.