Pc Freak - Free Software GNU Linux, FreeBSD, Unix, Windows, Mac OS - Hacks, Goodies, Tips and Tricks and The True Meaning of life ☩ Walking in Light with Christ

Linux: Howto Disable logging for all VirtualHosts on Apache and NGINX Webservers one liner

July 1st, 2020

disable-apache-nginx-logging-for-all-virtualhosts
Did you happen to administer Apache Webservers or NGINX webservers whose logs start to grow so rapidly that are flooding the disk too quickly?
Well this happens sometimes and it also happens that sometimes you just want to stop logging especially, to offload disk writting.

There is an easy way to disable logging for requests and errors (access_log and error_log usually residing under /var/log/httpd or /var/log/nginx ) for all configured Virtual Domains with a short one liner, here is how.

Before you start Create backup of /etc/apache2/sites-enabled / or /etc/nginx to be able to revert back to original config.

# cp -rpf /etc/apache2/sites-enabled/ ~/

# cp -rpf /etc/nginx/ ~/

1. Disable Logging for All Virtual Domains configured for Apache Webserver

First lets print what the command will do to make sure we don't mess something

# find /home/hipo/sites-enabled/* -exec echo sed -i 's/#*[Cc]ustom[Ll]og/#CustomLog/g' {} \;

You will get some output like

find /home/hipo//sites-enabled/* -exec echo sed -i 's/#*[Cc]ustom[Ll]og/#CustomLog/g' {} \;

find /etc/apache2/sites-enabled/* -exec sed -i 's/#*[Cc]ustom[Ll]og/#CustomLog/g' {} \;
find /etc/apache2/sites-enabled/* -exec sed -i 's/#*[Ee]rror[Ll]og/#ErrorLog/g' {} \;

2. Disable Logging for All configured Virtual Domains for NGINX Webserver

find /etc/nginx/sites-enabled/* -exec sed -i 's/#*access_log/#access_log/g' {} \;
find /etc/nginx/sites-enabled/* -exec sed -i 's/#*error_log/#error_log/g' {} \;

f course above substituations that will comment out with '#' occurances from file configs of only default set access_log and error_log / access.log, error.log
for machines where there is no certain convention on file naming and there are multiple domains in custom produced named log files this won't work.

This one liner was inspired from a friend's daily Martin Petrov. Martin blogged initially about this nice tip for those reading Cyrillic check out mpetrov.net, so. Thanks Marto ! 🙂

No Comments »

June 29 the Feast of The Glorious and First among Apostles Peter and Paul in the Church and What were the names of The twelve Apostles

June 30th, 2020

Saint Apostle Peter and Paul are the most glorious of all Christ desciples thanks to whom by God's mercy and Grace the nations have received the good news of the Lord Jesus's Christ Crucifix for the sins of all us the sinful people whose evils and unthankfullness is on the way to reach its climax in this days of apostacy where the Church built on top of the Holy Martyrs blood and the Blood and tortures for Christ and the Truth of this two holy man is in one of its biggest temptetation caused by the Coronavirus hysteria exeggerated by the mass-media and purposing to mark a slavery upon human mind and took away the freedoms of man and change the life as we know it.

The Holy Apostles day is the End of the post-Pentecostal fasting which is in the Church from the ancient days of the Church. Rhe date selected being the anniversary of either their death or the translation of their relics.

Fasting is among the 4 main fasts in the One Holy Orthodox Church and the feast in the number of the biggest feasts of the Church. If one reads the historical records for all the places this two simple man was to preach the Gospel he is puzzled and couldn't comprehend how could it be for a simple Roman and a Fisherman to be able to walk through so many lands by boats, ships, through rivers, by carrets, on horses, donkeys, axes, elephants and God knows what kind of other animals typical for the multiple countries and lands this two most holy man has visit.
It is even more amazing that their frutis of faith planted in the nations are still present today in so many Christians through the world …

The saint Peter and Paul fasting has been set for the reason the Apostles, have fasted immediately after Pentecost the descent of the Holy spirit over The desciples of Christ on the 50th day after the Resurrection of the Lord Jesus Christ. The feast has been setup because the Apostles immerse joy of the Holy Spirit who filled their heart spirits, soul and body made them understood how much dirty and how much in sin they and all the humanity is and how much cleanness is necessery in order for them to start their hard mission of spreading the fact of the Resurrection they have witnessed with their own eyes. A small bracket to open here that Saint Paul never had the chance to see in Body the Savior just like Saint Paul and the rest of the Apostles, but he was illuminated by The Lord Jesus Christ's appearance to him on the road of the mask when he was on a journey to hunt for christians and put them to court and to death.

Saint Paul was so fierce (by his zillotism) for the Old Testamental Jewish pharisee faith who was based on human interpretation of God's laws, that he was even physically present on the Killing of Saint Archideacon Stephan.
Saint Paul was the one holding the dresses of the Killers of the first Christian martyr St. Stephan thinking that this devilish deed was truthful and pleasant to God.
But God loved Saint Paul for his Zilotism and his heart aiming to know the Truth and because of that on the Road to Damascus appeared, blinding him from the unbearable light that was emitted by the Lord Jesus Christ who has answered the simple prayer of St. Paul who was honestly looking for the truth. On the Question Saint Paul asked the Unknown bright man who appeared in Glory and surrounded by Angels and Archangels he asked "Who are you Lord"? The reply came, 'I am Jesus, whom you are persecuting'." Acts of the Holy Apostles 9:4-5.

This moment changed Paul forever to make him from a fierce persecutor to a truthful desciple. However as it is said in the Holy Scriptures noone who sees the Lord can't stay alive in the Flesh and perhaps due to that the appearance of Christ left St. Paul to be blind for 3 days until God sent Ananias to heal his eyes by the ordination of Hands in the name of Jesus Christ – again a miracle of God aiming to strengthen the weakness of Faith of Saint Paul and stimulate him to continue on the way of Salvation. Even after the healing of his eyes, later in his eyes by God's providence the eyesight of Paul become weak again and he had to dictate his Apostle letters in the New Testament to his desciples who put it on paper and quite rarely write with his own hand due to his visionary problems. But apperantly the weak physical eye sight doesn't always mean a blindness as with his spiritual eyes the holy apostle was seeing much more than with his physical eyes and one weakness of seeing the physical let him contemplate the eternal.

It is little known fact that saint Paul among with his preaching the Gospel everywhere he went had a profession of making Tents and has worked hardly along with praying day and night, and the sleepless nights of vigil, the tortures by different anti-christians, jews, pagans, philosophers, magicians and others multitude of people who led by his spiritual blindness and passions has done multiple evils and tried in all means to stop Paul to preach the Gospel. But they did not succeeded and we see today the Result as there is rarely a man in the civillized world in all continents who doesn't heard or know about him 20-teen centuries after his martyrdom in the Capital of Roman Empire Rome.

Saint Peter on the other hand was known for his simplicity and he like all of us was suffering of sickness of weakness of faith, he even rejected to know Christ thrice on the Christ trial, even though he was with Christ for the 3.5 years of Christ's preaching his Salvation Way to the world. But again just like with Paul, God made the miracle of preliminary foretelling him the future, warning him that he is about to reject Christ as his teacher a fact that occured just like prophecised by Christ earlier. Saint Peter seeing that The Lord Jesus Christ as the Son of God knows the future believed him and recover his trust in the Resurrection and with repentance came to believe and await the Resurrection of Christ which by the mercy of God he soon saw with his own eys. Soon after this mercy of God and his preparation with the Eyes of Christ and his desires to follow the will of God for his life led him to completely sacrifice all he had in his remaining earthly life for Christ. Saint Peter "Simon" (Σίμων Simōn in Greek), means stone and he is called that way for the fact he become a stone on which the Church of Christ was build and this stone is present their in the Church and everyone in both Christians and not Christians knows him well.

Saint-Apostle-Paul-and-Peter-embrace

In a dialogue between Jesus and his disciples (Matthew 16:13–19), Jesus asks, "Who do people say that the Son of Man is?" The disciples give various answers. When he asks "Who do you say that I am?", Simon Peter answers, "You are the Messiah, the Son of the living God." Jesus then declares:

Blessed are you, Simon son of Jonah, for this was not revealed to you by flesh and blood, but by my Father in heaven. And I tell you that you are Cephas (Peter) (Petros), and on this rock (petra) I will build my church, and the gates of Hades will not overcome it. I will give you the keys of the kingdom of heaven; whatever you bind on earth will be bound in heaven, and whatever you loose on earth will be loosed in heaven.

Saint Peter is known to have been in Antioch and Corinth and many other lands and is believed to have been the First PopSaint-Apostle-Paul-and-Peter-embrace.jpge of Rome.

Saint-Apostle-Peter-Crucifix-with-head-downed-cross-as-he-said-he-is-unworthy-to-die-as-the-saviour

Early Church tradition says that Peter probably died by crucifixion (with arms outstretched) at the time of the Great Fire of Rome in the year 64. This took place three months after the disastrous fire that destroyed Rome for which the emperor (Nero) wished to blame the Christians. This "dies imperii" (regnal day anniversary) was an important one, exactly ten years after Nero ascended to the throne, and it was "as usual" accompanied by much bloodshed. Traditionally, Roman authorities sentenced him to death by crucifixion. In accordance with the apocryphal Acts of Peter, he was crucified head down. Tradition also locates his burial place where the Basilica of Saint Peter was later built, directly beneath the Basilica's high altar.

On the next day 30th of June the Bulgarian Orthodox Church and some of the other Eastern Orthodox Churches celebrate another great feast The Assembly of the 12 Apostles which honors all the 12 Apostles who were the main building blocks whose preach and martyrdom for Christ put the second stones on the Building of the Church which was based on the main base cornerstone Jesus Christ whom with his holy blood for the Salvation of mankind made the existence of the Ship of Salvation (as the holy fathers) call the Church posslble.

Feast-of-The-Assembly-of-the-Holy-Apostles-and-St-Peter-and-Paul

Below are the Church Troparions and Kontaktions (Praising songs in the Church sang in Holy Liturgy) on 29 of June that every year marks Feast of the Glorious Apostles who enlightened the Universe, I put the songs in Both English and in Cyrillic translated out of Old Bulgarian (Church Slavonic).

Here are the names of the 12 Apostles as we know them by Church Tradition

The 12 disciples of Lord Jesus Christ

1. Peter
2. James
3. John
4. Andrew
5. Bartholomew or Nathanael
6. James, the Lesser or Younger
7. Judas
8. Jude or Thaddeus
9. Matthew or Levi
10. Philip
11. Simon the Zealot
12 . Thomas

Troparion — Tone 4

O first-enthroned of the Apostles, / and teachers of the universe, / intercede with the Master of all / to grant peace to the world, / and to our souls great mercy.

Kontakion — Tone 2

O Lord, You have taken to Yourself the steadfast and divinely-inspired heralds, the leaders of Your disciples, / for the enjoyment of Your blessings for and their rest; / for You have accepted their labors and their deaths as above all burnt offerings, / for You alone know the hearts of men.

Kontakion — Tone 2

Today Christ the Rock glorifies with highest honor / the rock of Faith and leader of the Apostles, / together with Paul and the company of the Twelve, / whose memory we celebrate with eagerness of faith, / glorifying Him Who glorified them.

ТРОПАРЬ, ГЛАС 4-Й

Апостолов первопрестольницы и вселенныя учителие, Владыку всех молите мир вселенный даровати и душам нашым велию милость.

Первенствующие из апостолов и Вселенской Церкви учителя, Владыку всех молите мир миру даровать и душам нашим великую милость.

КОНДАК, ГЛАС 2-Й

Твердыя и боговещанныя проповедатели, верх апостолов твоих, Господи, приял еси, в наслаждение благих Твоих и покой: болезни бо онех и смерть приял еси, паче всякаго всеплодия, Едине сведый сердечная.

Непоколебимых и богогласных проповедников, высших из Апостолов Твоих, Господи, Ты принял в наслаждение благ Твоих и покой, ибо страдания их и смерть благоволил принять как жертву, выше всякой жертвы, Единый, ведающий сердца наши.

ВЕЛИЧАНИЕ

Величаем вас, апостоли Христовы Петре и Павле, весь мир ученьми своими просветившия и вся концы ко Христу приведшия.

Прославляем вас, апостолы Христовы Петр и Павел, весь мир своим учением просветивших и приведших ко Христу народы всей земли.

Let by the Prayers of the Holy Apostles Peter and Paul and the Apostle James, John, Andrew, Bartholomew (Nathnael), James (the lesser or Younger), Judas, Jude (Thaddeus), Mathew (Levi), Philip, Simon Zealot and Thomas God have mercy on all Christians in our age and the ages to come till the Second Glorious Coming of Christ and in the Frightening Judgement day.

No Comments »

Make Laptop Sleep on LID (Monitor) close in Linux Debian and Ubuntu systemd Linux

June 22nd, 2020

I need to make my laptop automatically sleep on LID Screen close but it doesn't why?

If have used your laptop for long years with Windows or any Windows user is used to the default beavrior of Windows to automatically sleep the computer on PC close. This default behavior of automatically sleep on LID Close has been Windows standard for many years
and the reason behind that usually laptop is used for mobility and working on a discharging battery so a LID screen close puts the laptop in (SLEEP) BATTERY SUSPEND MODE aiming to make the charged battery last longer. However often for Desktop use in the Office LID close
trigger of laptop sleep mode is annoying and undesired I've blogged earlier on that issue and how to make laptop not to sleep on LID close on M$ Windows 10 here.

This bahavior was copied and was working in many of the Linux distributions for years however in Debian GNU / Linux and Ubuntu 16.X this feature is often not properly working due to a systemd bug. Of course closing the notebook LID screen without putting
the PC in sleep mode is not a bug but a very useful feature for those who use their laptop as a Desktop machine that is non-stop running, however for most ppl default behavior to auto-suspend the computer on Laptop Monitor close is desired.

Here is how to force the close of the laptop lid to go to suspend/sleep mode and when open the lid, it wake it up.

1. First requirement is to make sure the laptop has installed the package pm-utils, if it is not there install it with:

# apt-get install –yes pm-utils

2. Next we need to edit logind.conf and append 3 variables

# vim /etc/systemd/logind.conf

Normally the file should have a bit of commented informative lines as well as a commented variables that could be enabled like so:

[Login]
#NAutoVTs=6
#ReserveVT=6
#KillUserProcesses=no
#KillOnlyUsers=
#KillExcludeUsers=root
#InhibitDelayMaxSec=5
#HandlePowerKey=poweroff
#HandleSuspendKey=suspend
#HandleHibernateKey=hibernate
#HandleLidSwitch=suspend
#HandleLidSwitchExternalPower=suspend
#HandleLidSwitchDocked=ignore
#PowerKeyIgnoreInhibited=no
#SuspendKeyIgnoreInhibited=no
#HibernateKeyIgnoreInhibited=no
#LidSwitchIgnoreInhibited=yes
#HoldoffTimeoutSec=30s
#IdleAction=ignore
#IdleActionSec=30min
#RuntimeDirectorySize=10%
#RemoveIPC=yes
#InhibitorsMax=8192
#SessionsMax=8192

These entries are usually the files that are used by default as a systemd settings.
Before starting make a copy just you happen to mess systemd.conf, e.g.:

cp -rpf /etc/systemd/logind.conf /etc/systemd/logind.conf_bak

To make the PC LID close active append in the end of file below 3 lines:

HandleSuspendKey=suspend
HandleLidSwitch=suspend
HandleLidSwitchDocked=suspend

Save the file and to make systemd daemon reload restart the PC, even though theoretically systemd can be reloaded to digest its new /etc/systemd/logind.conf with:

# systemctl daemon-reexec

3. Assure yourself the Power Management LID setting of the Desktop Graphical User Interface are set to SUSPEND on close

I use MATE Desktop environment as it is simplistic and quite stable fork of GNOME 2.0, anyway depending on the GUI used on the Linux powered laptop e.g. GNOME / KDE Plasma / XFce etc. make sure the respective

Control Panel -> Power Management

settings are set to Force the Laptop Screen LID SUSPEND on Close.

Below is how this is done on MATE:

That's all folks, now close your Laptop and enjoy it going to sleep, open it up and get it awaked 🙂 Cheers !

No Comments »

Sysadmin tip: How to force a new Linux user account password change after logging to improve security

June 18th, 2020

Have you logged in through SSH to remote servers with the brand new given UNIX account in your company just to be prompted for your current Password immediately after logging and forced to change your password?
The smart sysadmins or security officers use this trick for many years to make sure the default set password for new user is set to a smarter user to prevent default password leaks which might later impose a severe security risk for a company Demiliterized networks confidential data etc.

If you haven't seen it yet and you're in the beautiful world of UNIX / Linux as a developer qa tester or sysadmin sooner or later you will face it.
Here of course I'm talking about plain password local account authentication using user / pass credentials stored in /etc/passwd or /etc/shadow.

Lets Say hello to the main command chage that is used to do this sysadmin trick.
chage command is used to change user password expiry information and set and alter password aging parameters on user accounts.

1. Force chage to make password expire on next user login for a new created user

# chage -d 0 {user-name}

Below is a real life example

chage-force-user-account-password-expiry-linux

2. Get information on when account expires

[hipo@linux ~]$ chage -l hipo
Last password change : Apr 03, 2020
Password expires : Jul 08, 2020
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 14

3. Use chage to set user account password expiration

The most straight forward way to set an expiration date for an active user acct is with:

# chage -E 2020-08-16 username

To make the account get locked automatically if the password has expired and the user did not logged in to it for 2 days after its expiration.

# chage -I 2 username

– Set Password expire with Minimum days 7 (-n mindays 7), (-x maxdays 28) and (-w warndays 5)

# passwd -n 7 -x 28 -w 5 username

To check the passwod expiration settings use list command:

# chage -l username
Last password change : юни 18, 2020
Password expires : юли 16, 2020
Password inactive : never
Account expires : never
Minimum number of days between password change : 7
Maximum number of days between password change : 28
Number of days of warning before password expires : 5

chage is a command is essential sysadmin command that is mentioned in every Learn Linux book out there, however due to its often rare used many people and sysadmins either, don't know it or learn of it only once it is needed.
A note to make here is some sysadmins prefer to use usermod to set a password expire instead of chage.

usermod -e 2020-10-14 username

For those who wonder how to set password expiry on FreeBSD and other BSD-es is done, there it is done via the pw system user management tool as chage is not present there.

A note to make here is chage usually does not provide information for Linux user accounts that are stored in LDAP. To get information of such you can use ldapsearch with a query to the LDAP domain store with something like.

ldapsearch -x -ZZ -LLL -b dc=domain.com,dc=com objectClass=*

It is worthy to mention also another useful command when managing users this is getent used to get entries from Name Service Switch libraries.
getent is useful to get various information from basic /etc/ stored db files such as /etc/services /etc/shadow, /etc/group, /etc/aliases, /etc/hosts and even do some simple rpc queries.

No Comments »

Improve SSL security: Generate and add Diffie Hellman key to SSL certificate for stronger line encryption

June 10th, 2020

Diffie–Hellman key exchange (DH) is a method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as conceived by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography.

Traditionally, secure encrypted communication between two parties required that they first exchange keys by some secure physical means, such as paper key lists transported by a trusted courier. The Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.

DH has been widely used on the Internet for improving the authentication encryption among parties. The only note is it useful if both the communication sides A and B are at your control, as what DH does is just strenghten the already established connection between client A and B and not protect from Man in the Middle Attacks. If some malicious user could connect to B pretending it is A the encryption will be established.

diffie-hellman-explained

Alternatively, the Diffie-Hellman key exchange can be combined with an algorithm like the Digital Signature Standard (DSS) to provide authentication, key exchange, confidentiality and check the integrity of the data. In such a situation, RSA is not necessary for securing the connection.

TLS, which is a protocol that is used to secure much of the internet, can use the Diffie-Hellman exchange in three different ways: anonymous, static and ephemeral. In practice, only ephemeral Diffie-Hellman should be implemented, because the other options have security issues.

Anonymous Diffie-Hellman – This version of the Diffie-Hellman key exchange doesn’t use any authentication, leaving it vulnerable to man-in-the-middle attacks. It should not be used or implemented.

Static Diffie-Hellman – Static Diffie-Hellman uses certificates to authenticate the server. It does not authenticate the client by default, nor does it provide forward secrecy.

Ephemeral Diffie-Hellman – This is considered the most secure implementation because it provides perfect forward secrecy. It is generally combined with an algorithm such as DSA or RSA to authenticate one or both of the parties in the connection.

Ephemeral Diffie-Hellman uses different key pairs each time the protocol is run. This gives the connection perfect forward secrecy, because even if a key is compromised in the future, it can’t be used to decrypt all of the past messages.

diffie-hellman-dh-revised

DH encryption key could be generated with the openssl command and could be generated depending on your preference using a 1024 / 2048 or 4096 bit encryption.
Of course it is best to have the strongest encryption possible i.e 4096.

The Logjam attack

The Diffie-Hellman key exchange was designed on the basis of the discrete logarithm problem being difficult to solve. The most effective publicly known mechanism for finding the solution is the number field sieve algorithm.

The capabilities of this algorithm were taken into account when the Diffie-Hellman key exchange was designed. By 1992, it was known that for a given group, G, three of the four steps involved in the algorithm could potentially be computed beforehand. If this progress was saved, the final step could be calculated in a comparatively short time.

This wasn’t too concerning until it was realized that a significant portion of internet traffic uses the same groups that are 1024 bits or smaller. In 2015, an academic team ran the calculations for the most common 512-bit prime used by the Diffie-Hellman key exchange in TLS.

They were also able to downgrade 80% of TLS servers that supported DHE-EXPORT, so that they would accept a 512-bit export-grade Diffie-Hellman key exchange for the connection. This means that each of these servers is vulnerable to an attack from a well-resourced adversary.

The researchers went on to extrapolate their results, estimating that a nation-state could break a 1024-bit prime. By breaking the single most-commonly used 1024-bit prime, the academic team estimated that an adversary could monitor 18% of the one million most popular HTTPS websites.

They went on to say that a second prime would enable the adversary to decrypt the connections of 66% of VPN servers, and 26% of SSH servers. Later in the report, the academics suggested that the NSA may already have these capabilities.

“A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.”

Despite this vulnerability, the Diffie-Hellman key exchange can still be secure if it is implemented correctly. As long as a 2048-bit key is used, the Logjam attack will not work. Updated browsers are also secure from this attack.

Is the Diffie-Hellman key exchange safe?

While the Diffie-Hellman key exchange may seem complex, it is a fundamental part of securely exchanging data online. As long as it is implemented alongside an appropriate authentication method and the numbers have been selected properly, it is not considered vulnerable to attack.

The Diffie-Hellman key exchange was an innovative method for helping two unknown parties communicate safely when it was developed in the 1970s. While we now implement newer versions with larger keys to protect against modern technology the protocol itself looks like it will continue to be secure until the arrival of quantum computing and the advanced attacks that will come with it.

Here is how easy it is to add this extra encryption to make the SSL tunnel between A and B stronger.

On a Linux / Mac / BSD OS machine install and use openssl client like so:

# openssl dhparam -out dhparams1.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
……………………………………………………….+………..+………………………………………………………+
…
…..
…. ………………..++*++*

Be aware that the Diffie-Hellman key exchange would be insecure if it used numbers as small as those in our example. We are only using such small numbers to demonstrate the concept in a simpler manner.

# cat dhparams1.pem
—–BEGIN DH PARAMETERS—–
MIIBCAKCAQEAwG85wZPoVAVhwR23H5cF81Ml4BZTWuEplrmzSMOR9UNMnKjURf10
JX9xe/ZaqlwMxFYwZLyqtFQB2zczuvp1j+tKkSi4/TbD6Qm6gtsTeRghqunfypjS
+c4dNOVSbo/KLuIB5jDT31iMUAIDJF8OBUuqazRsg4pmYVHFm1KLHCcgcTk5kXqh
m8vXoCTlaLlmicC9pRTgQLuAQRXAF8LnVLCUvGlsyynTdc0yUFePWkmeYHMYAmWo
aBS6AMFNDvOxCubWv9cULkOouhPzd8k0wWYhUrrxMJXc1bSDFCBA7DiRCLPorefd
kCcNJFrh7rgy1lmu00d3I5S9EPH/EyoGSwIBAg==
—–END DH PARAMETERS—–

Copy the generated DH PARAMETERS headered key string to your combined .PEM certificate pair at the end of the file and save it

# vim /etc/haproxy/cert/ssl-cert.pem
….
—–BEGIN DH PARAMETERS—–
MIIBCAKCAQEAwG85wZPoVAVhwR23H5cF81Ml4BZTWuEplrmzSMOR9UNMnKjURf10
JX9xe/ZaqlwMxFYwZLyqtFQB2zczuvp1j+tKkSi4/TbD6Qm6gtsTeRghqunfypjS
+c4dNOVSbo/KLuIB5jDT31iMUAIDJF8OBUuqazRsg4pmYVHFm1KLHCcgcTk5kXqh
m8vXoCTlaLlmicC9pRTgQLuAQRXAF8LnVLCUvGlsyynTdc0yUFePWkmeYHMYAmWo
aBS6AMFNDvOxCubWv9cULkOouhPzd8k0wWYhUrrxMJXc1bSDFCBA7DiRCLPorefd
kCcNJFrh7rgy1lmu00d3I5S9EPH/EyoGSwIBAg==
—–END DH PARAMETERS—–
…..

Restart the WebServer or Proxy service wher Diffie-Hellman key was installed and Voila you should a bit more secure.

No Comments »

Report haproxy node switch script useful for Zabbix or other monitoring

June 9th, 2020

For those who administer corosync clustered haproxy and needs to build monitoring in case if the main configured Haproxy node in the cluster is changed, I've developed a small script to be integrated with zabbix-agent installed to report to a central zabbix server via a zabbix proxy.
The script is very simple it assumed DC1 variable is the default used haproxy node and DC2 and DC3 are 2 backup nodes. The script is made to use crm_mon which is not installed by default on each server by default so if you'll be using it you'll have to install it first, but anyways the script can easily be adapted to use pcs cmd instead.

Below is the bash shell script:

UserParameter=active.dc,f=0; for i in $(sudo /usr/sbin/crm_mon -n -1|grep -i 'Node ' |awk '{ print $2 }'); do ((f++)); DC[$f]="$i"; done; \
DC=$(sudo /usr/sbin/crm_mon -n -1 | grep 'Current DC' | awk '{ print $1 " " $2 " " $3}' | awk '{ print $3 }'); \
if [ “$DC” == “${DC[1]}” ]; then echo “1 Default DC Switched to ${DC[1]}”; elif [ “$DC” == “${DC[2]}” ]; then \
echo "2 Default DC Switched to ${DC[2]}”; elif [ “$DC” == “${DC[3]}” ]; then echo “3 Default DC: ${DC[3]}"; fi

To configure it with zabbix monitoring it can be configured via UserParameterScript.

The way I configured it in Zabbix is as so:

1. Create the userpameter_active_node.conf
Below script is 3 nodes Haproxy cluster

# cat > /etc/zabbix/zabbix_agentd.d/userparameter_active_node.conf
UserParameter=active.dc,f=0; for i in $(sudo /usr/sbin/crm_mon -n -1|grep -i 'Node ' |awk '{ print $2 }'); do ((f++)); DC[$f]="$i"; done; \
DC=$(sudo /usr/sbin/crm_mon -n -1 | grep 'Current DC' | awk '{ print $1 " " $2 " " $3}' | awk '{ print $3 }'); \
if [ “$DC” == “${DC[1]}” ]; then echo “1 Default DC Switched to ${DC[1]}”; elif [ “$DC” == “${DC[2]}” ]; then \
echo "2 Default DC Switched to ${DC[2]}”; elif [ “$DC” == “${DC[3]}” ]; then echo “3 Default DC: ${DC[3]}"; fi

Once pasted to save the file press CTRL + D

The version of the script with 2 nodes slightly improved is like so:

UserParameter=active.dc,f=0; for i in $(sudo /usr/sbin/crm_mon -n -1|grep -i 'Node ' |awk '{ print $2 }' | sed -e 's#:##g'); do DC_ARRAY[$f]=”$i”; ((f++)); done; GET_CURR_DC=$(sudo /usr/sbin/crm_mon -n -1 | grep ‘Current DC’ | awk ‘{ print $1 ” ” $2 ” ” $3}’ | awk ‘{ print $3 }’); if [ “$GET_CURR_DC” == “${DC_ARRAY[0]}” ]; then echo “1 Default DC ${DC_ARRAY[0]}”; fi; if [ “$GET_CURR_DC” == “${DC_ARRAY[1]}” ]; then echo “2 Default Current DC Switched to ${DC_ARRAY[1]} Please check “; fi; if [ -z “$GET_CURR_DC” ] || [ -z “$DC_ARRAY[1]” ]; then printf "Error something might be wrong with HAProxy Cluster on $HOSTNAME "; fi;

The haproxy_active_DC_zabbix.sh script with a bit of more comments as explanations is available here
2. Configure access for /usr/sbin/crm_mon for zabbix user in sudoers

# vim /etc/sudoers
zabbix ALL=NOPASSWD: /usr/sbin/crm_mon

3. Configure in Zabbix for active.dc key Trigger and Item

No Comments »

What is it like to become a father in the Age of Coronavirus Pandemics – Our baby Dimitar is born

June 4th, 2020

After a long 9 months finally on 12.05.2020 12 of May 2020 by God's grace our baby Dimitar was born. He born one day after Saint Cyril and Methodius feast in the Church on the Church Feast of Saint Ephiphanius of Cyprus, Saint German Patriarch of Constantinopol a fierce fighter for the veneration of Holy Icons, Saint martyr Ermogen patriarch of Constantinople (according to new style Calendar) and Saint Basil of Ostrog (in old calendar) . I always loved spring and especially month of May so I'm happy the baby born exactly on this month. For many 2020 broght the coronavirus pandemics brought a lot of pain and surely for us it brought an extra stress with all this mask wearing and super extra precaution measures everywhere and self-isolation but for me 2020 brought me a great joy and a good things in life, after we changed the rented apartment and we moved from Mladost 3 to Geo Milev (a district that is much more fitting my temper), now just 4 months later we have this greatest joy of having a son, something that many people dreamed all their life and suffered. For us it was about 6 years without a baby and the lack of a child in a family seems to extra strain situation. I do suffer and pray for all those people who can't have child and desperately want it and I hope God will bless many with the same joy in the coming years. I have to say having a baby fills up a great hole in the family and brings up new horizons for development of both families and the new born child. Most importantly a new opportunity is there for a new man to get into the kingdom of Heaven know Christ and hopefully end up in eternal blissfulness in Heaven with all the saints by the mercy of God. If you think for a while how all of us some time back in time were also a kid and how our mothers had many sleepless nights and feared for our health and well-being and how from a small baby we become a man who studied excelled in things, failed in others and have the opportunity and rationality to do complex things such as writting this article you get into the conclusion all this is hard to believe mind blowing miracle …

Baby-Dimitar-selected/New-man-born-into-the-world

Right out of Mother's Belly seeing the Light of the World for a first time – First Picture of the Baby before he officially had a name

Many people prayed for the easy birth of my wife as she is already 36 years old and in that years sometimes giving birth is dangerous and often many woman loose babies or are forced to be cut for the baby to be delivered from the belly with Caesarian section cut. Svetlana give a normal birth thanksfully and she delivered the baby for just 3.5 hours after she was accepted in hospital the previous day and doctors did an infusion of oxytocin (a liquid hormone that doctors use to acccelarate the birth process when the baby was over carried just like it was in our case and in the case of many woman) – Svetlana overcarried it with 5 days.

After a long struggle with my wife on selecting the name, we finally named our new born baby Dimitar born 49 centimeters / 2980 grams / Dimitar was named in honour of one of the most notorious and loved saints in the Eastern Orthodox world Saint Demitrius of Thessaloniki after a very long struggle to select the name as my wife Svetlana desired to name him Daniil (Daniel), a name which is also beautiful and belongs to the Prophet Daniel and Saint Daniel the Stylite. Svetlana had some weird ideas to name the boy Elijan (Ilia) as well as some other ideas for names like Andrei (Andrew) a very beatiful name belonging to Saint Andrew the Apostle who by the way preached on the Bulgarian Sea Coast according to Church tradition I was against not because the names are bad but because I wanted strongly to follow our well known tradition in Bulgaria to name the first born male boy after the grandfather in that case I wanted to name baby Dimitar firstly in favour of Saint Dimitar (The Myrh Bearer) of Thessaloniki to be the heavinly guide of the boy together with all the other saints under the Demitrius / Dimitrius name as well as to venerate my father who is a very hard-working and patient parent even over the years with a such a wild child which I am.

Holy Relics of Saint Demetrius the Myrh Bearer in St. Demetrius Basilica in Thessaloniki (Greece)

Saint Demetrius killing Lyaeus the Glariator (depicting the spiritual destroyment of paganism by prayerrs of Saint Demetrius and a remembrance of fact that Christian Nestor killed much powerful Gladiator Lyaeaus who killed thousands of Christians on the Arena before by the all powerful prayers of Saint Demetrius)

I find worthy to name a few of the other kid's heavinly prayer intercessors this is the well known Russian Saint Dimitrius of Rostov, The bulgarian saint Saint Demitrius of Besarabia (an ex-territory of Bulgarian Empire) and Saint Dimitrij Donskoy, there is even more saints undet the Demetrius names canonized by the church over the centuries.

The name selection of a boy turned to be much more complicated than I thought and for anyone out there that has to go through the process of awaiting a new born I recommend you to select the name in advance as selecting the name after birth in negotiation with a woman who gave birth is a terrible and hard to bear experience as her hormones are making swing moods every now and then.

/pictures/Baby-Dimitar-selected

Selecting a kid name in the past was quite an interesting process and there was various approaches here in Bulgaria, from naming the kid after a grandfather, grandmother to naming it after a big saint if he is born on a big saint's Church feast day for example if it is born on 6th of May (saint George's day) in Bulgaria it is common to name the kid Georgi or if it is Saint Cyril and Methodius Cyril.
Due to the fact the kid was born near the feast of Saint Apostole Simon the Zealot one of the names I suggested to Svetlana was Simon or Simeon even though that name was not my choice as a compromise that might fit us both. We had some discussion and we both liked the Kiril (Cyril) name, plus 11 of May was Saint Cyril and Methodius but I had an internal tension about it as we didn't have anyone in family called Kiril.

Baby-Dimitar-doctor-checks-heart

Heart works perfect Praise the Lord ! 🙂

Finally my wife stepped back and she agreed to write the name in birth register the name Dimitar so now the kid in his Birth Certificate is Dimitar Georgiev Georgiev.

Giving birth in Pandemics prevented me to be able to go and see the child until the day he and wife was discharged from Sofia's Maichin Dom University's hospital as clincally healthy.
Please excuse me if I'm turning your attention from the common IT themes Religion and Philosophy which I talk about but I thought putting a few lines for a life changing event as a baby birth is important for me personally to organize things in my head.

/pictures/Baby-Dimitar-selected

The little Big Man

The stress around the baby born is always a big deal both for the mother and the father. But in my case thanks God I was relatively calm. The feelings in the days around birth for the father are quite extreme of course and perhaps this is why many fathers drink till forgetfulness after the baby is born. This however was not the case with me, even though due to the spiritual hardships I have a drinked a couple of beers overall I stayed sober around the birth and right after it before the baby came home.

/pictures/Baby-Dimitar-selected

In front of the Prayer Chapel in Maichin Dom (where yearly the Patriarch of Bulgaria Neofit sanctifies the place with Vodosvet (Sanctification of the Water)

Talking about taking the baby I'm thankful to my dear Friends Angel / Krasimir his wife Irina and Mitko Ivanov, who were the only person to kinda of support me and come for the official dischargement ceremony in hospital. I had to organize a couple of things for the dischargement pay the bills currently in Maichin Dom the overall birth expenses for doctors, midwives, hiring room expenses (for 8 days hospitalization) was lets say normal 1345 LEVA (~ 700 EURO) much lower price than in other non-government funded hospitals in Sofia like Nadezhda where it would have been about 2300 LEVA, this is of course higher than social countries of Western Europe like Germany where a normal state funded birth would cost something like ~ 350 – 400 EUR but still very cheap if Compared to United Stateswhere a good orchestrated birth costs something like 25 to 30 000 USD.
As I heard from wife the birth experience she got was of course harsh but this is normal for the first baby where the levels of stress and uncertainty is absolutely unbearable for the your unexperienced parturient mother.

I have to express my sincere thankfulness to the great Head Doctor Miss Ivet Raicheva thanks to whom my wife succeded in normal birth and we have a healthy baby.as well Doctor Nikolay Gerdzhikov from Hospital Second Baby Specialized Hospital Sheinovo who break off the amniotic fluids baloon of my wife to accelarate the overcarried baby timely birth, as well as all the pregnancy tracking doctors of UMBAL Nadezhda (A Hispital for Woman Health).

Just like I thank warmly to all the people who have given us baby clothes, baby car chairs, subtrates, carriage cangoroos and all kind of baby toys and equipment useful in raising the baby as well as all the friends who helped with advices during the pregnancy and many hardships in this 9 months before baby come to earth and after that. This are Mitko Paskalev, Mitko Ivanov / Anastasia, Krasimir, Hristina, Father Stoyan and his wife Yanna, our godfather Familiy Galin and Andrea, uncle Emilian, Vasil Kolev, Father Flavian and all others who helped us with warm prayers and good words during the hardships of pregnancy during the Coronacrisis.

Due to the Covid, every time I had to go to the hospital to bring my wife food, pampers, fruits etc. was only possible to be delivered by a medicine personal (with a small treatment fee) as entrance of externals like me was not possible.

I did not have the chance to go inside the hospital's 12th floor to pick up my wife with the baby due to the COVID-19 Virus, hospital entrance was only allowed to the parter stage and only after they check your temperature with an electronic wireless gun-like thermometer headed right in your head …
I had to then wait with the few bouquet of flowers, chocolate candys and alcohol to hand in to the main degenerating doctor which in our case was Ivet Raicheva, I have to kindly thank this professional woman for doing all the best for my wife in assisting her in birth and succeeding in a normal birth process which in our age is quite rare about at least 80% of woman give birth with a C-Section.

Baby-with-Angel-Krasimir-Irina-and-Mitko-Ivanov

Friends and Brothers / Sisters from the Church Angel, Krasi, Irina and Mitko Ivanov

Krasimir and Irina

/pictures/Baby-Dimitar-selected

In front of Maichin Dom Me seeing my boy for a first time !

After Svetlana was accompanied in the entrance stage with a medicine worker, we made the standard few remembrance pictures on the floor and infront the hospital and on a Volkswagen Taxi headed home with the baby being in fear for the baby in every car bump.

aking-the-baby-home

The great joy of blessing to be with your Son for a first time

Once Dimitar was already home we rejoiced and placed him in his already prepared baby crib and left home wife for 40 minutes together with the baby and went out to for a quick treat for friends who were so kind to come for the baby.
The routine afterwards is expected as to every new born, a lot of breast feeding for wife, adaptated milk sometimes, changing pampers, baby bathing every day, swinging, singing songs to calm him down when he songs etc.

The responsibilities for the father of course suddenly rise as you have to be a products supporter as your wife is quite weak over the 40 days after birth, you have to clean, buy food or prepare something to eat, prepare her a breastfeeding teas, confort her and calm her. But the overall it is clear that the woman becomes much more stable version of herself after the birth she starts thinking more to the ground and dream less in fantasies as the baby helps her better see the reality and learn to sacrifice more.

Georgi-Baby-Dimitar

Let God bless and protect Dimitar by the prayers of the Holy Virgin Mary Theotokos and All Sains and help him in all the hardships from the cradle to a fully grown and wise man that he'll become one day by God's mercy!

No Comments »

Monitoring Linux hardware Hard Drives / Temperature and Disk with lm_sensors / smartd / hddtemp and Zabbix Userparameter lm_sensors report script

April 30th, 2020

monitoring-linux-hardware-with-software-temperature-disk-cpu-health-zabbix-userparameter-script

I'm part of a SysAdmin Team that is partially doing some minor Zabbix imrovements on a custom corporate installed Zabbix in an ongoing project to substitute the previous HP OpenView monitoring for a bunch of Legacy Linux hosts.
As one of the necessery checks to have is regarding system Hardware, the task was to invent some simplistic way to monitor hardware with the Zabbix Monitoring tool. Monitoring Bare Metal servers hardware of HP / Dell / Fujituse etc. servers in Linux usually is done with a third party software provided by the Hardware vendor. But as this requires an additional services to run and sometimes is not desired. It was interesting to find out some alternative Linux native ways to do the System hardware monitoring.
Monitoring statistics from the system hardware components can be obtained directly from the server components with ipmi / ipmitool (for more info on it check my previous article Reset and Manage intelligent Platform Management remote board article).
With ipmi hardware health info could be received straight from the ILO / IDRAC / HPMI of the server. However as often the Admin-Lan of the server is in a seperate DMZ secured network and available via only a certain set of routed IPs, ipmitool can't be used.

So what are the other options to use to implement Linux Server Hardware Monitoring?

The tools to use are perhaps many but I know of two which gives you most of the information you ever need to have a prelimitary hardware damage warning system before the crash, these are:

1. smartmontools (smartd)

Smartd is part of smartmontools package which contains two utility programs (smartctl and smartd) to control and monitor storage systems using the Self-Monitoring, Analysis and Reporting Technology system (SMART) built into most modern ATA/SATA, SCSI/SAS and NVMe disks.

Disk monitoring is handled by a special service the package provides called smartd that does query the Hard Drives periodically aiming to find a warning signs of hardware failures.
The downside of smartd use is that it implies a little bit of extra load on Hard Drive read / writes and if misconfigured could reduce the the Hard disk life time.

linux:~# /usr/sbin/smartctl -a /dev/sdb2
smartctl 6.6 2017-11-05 r4594 [x86_64-linux-4.19.0-5-amd64] (local build)
Copyright (C) 2002-17, Bruce Allen, Christian Franke, www.smartmontools.org
=== START OF INFORMATION SECTION ===
Device Model: KINGSTON SA400S37240G
Serial Number: 50026B768340AA31
LU WWN Device Id: 5 0026b7 68340aa31
Firmware Version: S1Z40102
User Capacity: 240,057,409,536 bytes [240 GB]
Sector Size: 512 bytes logical/physical
Rotation Rate: Solid State Device
Device is: Not in smartctl database [for details use: -P showall]
ATA Version is: ACS-3 T13/2161-D revision 4
SATA Version is: SATA 3.2, 6.0 Gb/s (current: 3.0 Gb/s)
Local Time is: Thu Apr 30 14:05:01 2020 EEST
SMART support is: Available – device has SMART capability.
SMART support is: Enabled
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
General SMART Values:
Offline data collection status: (0x00) Offline data collection activity
was never started.
Auto Offline Data Collection: Disabled.
Self-test execution status: ( 0) The previous self-test routine completed
without error or no self-test has ever
been run.
Total time to complete Offline
data collection: ( 120) seconds.
Offline data collection
capabilities: (0x11) SMART execute Offline immediate.
No Auto Offline data collection support.
Suspend Offline collection upon new
command.
No Offline surface scan supported.
Self-test supported.
No Conveyance Self-test supported.
No Selective Self-test supported.
SMART capabilities: (0x0002) Does not save SMART data before
entering power-saving mode.
Supports SMART auto save timer.
Error logging capability: (0x01) Error logging supported.
General Purpose Logging supported.
Short self-test routine
recommended polling time: ( 2) minutes.
Extended self-test routine
recommended polling time: ( 10) minutes.
SMART Attributes Data Structure revision number: 1
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
1 Raw_Read_Error_Rate 0x0032 100 100 000 Old_age Always – 100
9 Power_On_Hours 0x0032 100 100 000 Old_age Always – 2820
12 Power_Cycle_Count 0x0032 100 100 000 Old_age Always – 21
148 Unknown_Attribute 0x0000 100 100 000 Old_age Offline – 0
149 Unknown_Attribute 0x0000 100 100 000 Old_age Offline – 0
167 Unknown_Attribute 0x0000 100 100 000 Old_age Offline – 0
168 Unknown_Attribute 0x0012 100 100 000 Old_age Always – 0
169 Unknown_Attribute 0x0000 100 100 000 Old_age Offline – 0
170 Unknown_Attribute 0x0000 100 100 010 Old_age Offline – 0
172 Unknown_Attribute 0x0032 100 100 000 Old_age Always – 0
173 Unknown_Attribute 0x0000 100 100 000 Old_age Offline – 0
181 Program_Fail_Cnt_Total 0x0032 100 100 000 Old_age Always – 0
182 Erase_Fail_Count_Total 0x0000 100 100 000 Old_age Offline – 0
187 Reported_Uncorrect 0x0032 100 100 000 Old_age Always – 0
192 Power-Off_Retract_Count 0x0012 100 100 000 Old_age Always – 16
194 Temperature_Celsius 0x0022 034 052 000 Old_age Always – 34 (Min/Max 19/52)
196 Reallocated_Event_Count 0x0032 100 100 000 Old_age Always – 0
199 UDMA_CRC_Error_Count 0x0032 100 100 000 Old_age Always – 0
218 Unknown_Attribute 0x0032 100 100 000 Old_age Always – 0
231 Temperature_Celsius 0x0000 097 097 000 Old_age Offline – 97
233 Media_Wearout_Indicator 0x0032 100 100 000 Old_age Always – 2104
241 Total_LBAs_Written 0x0032 100 100 000 Old_age Always – 1857
242 Total_LBAs_Read 0x0032 100 100 000 Old_age Always – 1141
244 Unknown_Attribute 0x0000 100 100 000 Old_age Offline – 32
245 Unknown_Attribute 0x0000 100 100 000 Old_age Offline – 107
246 Unknown_Attribute 0x0000 100 100 000 Old_age Offline – 15940
SMART Error Log Version: 1
No Errors Logged
SMART Self-test log structure revision number 1
No self-tests have been logged. [To run self-tests, use: smartctl -t]
Selective Self-tests/Logging not supported

2. hddtemp

Usually if smartd is used it is useful to also use hddtemp which relies on smartd data.
The hddtemp program monitors and reports the temperature of PATA, SATA
or SCSI hard drives by reading Self-Monitoring Analysis and Reporting
Technology (S.M.A.R.T.) information on drives that support this feature.

linux:~# /usr/sbin/hddtemp /dev/sda1
/dev/sda1: Hitachi HDS721050CLA360: 31°C
linux:~# /usr/sbin/hddtemp /dev/sdc6
/dev/sdc6: KINGSTON SV300S37A120G: 25°C
linux:~# /usr/sbin/hddtemp /dev/sdb2
/dev/sdb2: KINGSTON SA400S37240G: 34°C
linux:~# /usr/sbin/hddtemp /dev/sdd1
/dev/sdd1: WD Elements 10B8: S.M.A.R.T. not available

3. lm-sensors / i2c-tools

Lm-sensors is a hardware health monitoring package for Linux. It allows you
to access information from temperature, voltage, and fan speed sensors.
i2c-tools was historically bundled in the same package as lm_sensors but has been seperated cause not all hardware monitoring chips are I²C devices, and not all I²C devices are hardware monitoring chips.

The most basic use of lm-sensors is with the sensors command

linux:~# sensors
i350bb-pci-0600
Adapter: PCI adapter
loc1: +55.0 C (high = +120.0 C, crit = +110.0 C)

coretemp-isa-0000
Adapter: ISA adapter
Physical id 0: +28.0 C (high = +78.0 C, crit = +88.0 C)
Core 0: +26.0 C (high = +78.0 C, crit = +88.0 C)
Core 1: +28.0 C (high = +78.0 C, crit = +88.0 C)
Core 2: +28.0 C (high = +78.0 C, crit = +88.0 C)
Core 3: +28.0 C (high = +78.0 C, crit = +88.0 C)

On CentOS Linux useful tool is also lm_sensors-sensord.x86_64 – A Daemon that periodically logs sensor readings to syslog or a round-robin database, and warns of sensor alarms.

In Debian Linux there is also the psensors-server (an HTTP server providing JSON Web service which can be used by GTK+ Application to remotely monitor sensors) useful for developers
psesors-server

If you have a Xserver installed on the Server accessed with Xclient or via VNC though quite rare,
You can use xsensors or Psensor – a GTK+ (Widget Toolkit for creating Graphical User Interface) application software.

With this 3 tools it is pretty easy to script one liners and use the Zabbix UserParameters functionality to send hardware report data to a Company's Zabbix Sserver, though Zabbix has already some templates to do so in my case, I couldn't import this templates cause I don't have Zabbix Super-Admin credentials, thus to work around that a sample work around is use script to monitor for higher and critical considered temperature.
Here is a tiny sample script I came up in 1 min time it can be used to used as 1 liner UserParameter and built upon something more complex.

SENSORS_HIGH=`sensors | awk '{ print $6 }'| grep '^+' | uniq`;
SENSORS_CRIT=`sensors | awk '{ print $9 }'| grep '^+' | uniq`; ;SENSORS_STAT=`sensors|grep -E 'Core\s' | awk '{ print $1" "$2" "$3 }' | grep "$SENSORS_HIGH|$SENSORS_CRIT"`;
if [ ! -z $SENSORS_STAT ]; then
echo 'Temperature HIGH';
else
echo 'Sensors OK';
fi
Of course there is much more sophisticated stuff to use for monitoring out there

Below script can be easily adapted and use on other Monitoring Platforms such as Nagios / Munin / Cacti / Icinga and there are plenty of paid solutions, but for anyone that wants to develop something from scratch just like me I hope this
article will be a good short introduction.
If you know some other Linux hardware monitoring tools, please share.

No Comments »

Christ is Risen Eastern Orthodox Resurrection Paschal Greeting in Different Languages

April 24th, 2020

Happy Easter to All Orthodox Christians worldwide !
We are the the bright week – this is the week after The Feast of Feasts Resurrection of Christ. This year in 2020, we Orthodox Christians celebrated this feast on 19th, 20th and 21st of April. The celebrations of the Feast of Christians and the Paschal joy continues for the whole week, so I found some time to quickly blog to share the Joy of the Resurrection of the Savior Jesus Christ who has freed all People from the Fear of the Death by Manifestating Death has been overtaken by Life Eternally.
Earlier years, I've blogged shortly on the Christ is risen in many languages. But this time I decided to extend my previous blog by adding some more details on which are the Member Churches consisting the Christ body of Holy Orthodoxy, What is the Creed of Faith (Symbol of Faith) difference Between Orthodox Christians and Roman Catholics and why we're not catholics and do celebrate Easter on a different date from Roman Catholics. Finally I will post the Paschal Greeting translated to as many languages I could find.

In the Eastern Orthodox Christian world which is the True Church of Christ consists of 15 National Churches each traced back to the Holy Apostles of Christ, each of Churches is in eucharistic Communion with the other.

Canonical Orthodox Christ Churches as of year 2020 are the following:

1. Orthodox Church of Constantinople
2. Orthodox Church of Alexandria
3. Orthodox Church of Antiochia
4. Jerusalem Patriarchal Orthodox Church
5. Bulgarian Orthodox Church
6. Georgian Orthodox Church
7. Serbian Orthodox Church
8. Russian Orthodox Church
9. Romanian Orthodox Church
10. Orthodox Church of Cyprus (archibishopship)
11. Greek Orthodox Church
12. Albanian Orthodox Church
13. Polish Orthodox Church
14. Orthodox Church of Chech Lands and Slovakia
15. American Orthodox Church

Historically Christ Church was one before the Great Schism that was perhaps the greatest tragedy of mankind after Christ's Crucifix it occured in 1054 A.D. About this saddening events, the manuscripts and contemporary saints says with this terrible event, the whole world shaked its basis. The result of the Bulla brought by Pope's messangers in Hagia Sophia Cathedral in Constantinople in the Holy Alter of the Church putting in document of official schism and the Church of the east condeming the Western Church Cuhrch action headed by the pope due to the false Creed of faith inclusion legallized by the pope with the so called 'Filioque' word formula that changed the original agreement of Church fathers decisions on the First Ecumenical Council of Constantinople in 381 A.D. (which by the way puts Anathemas on anyone who dares to change the Creed of Faith as well change by the Popes in the well known ancient Baptism Formulas like oilment (receving the sign of the holy spirit during baptism).

The historical number of Orthodox Churche dioceses were much more numerous but with the time and the hardships this are the only ones that left as official Churches, many dioceses were destroyed by the Muslims Conquests and Roman Catholics orders like the Jesuits whose fight against orthodoxy has been severe in their attempt to make the whole world to turn to the pope, this is very well known by the many remains of Uniates around Europe, especially in nowadays Ukraine. There is a lot of nations like Chechz and Hungarians whose for many centuries confessed orthodoxy but due to the economic relations with the West and the converion of their rulers (princes / Kings) etc. to Roman Catholicism has gradually converted their Eastern Churches to Roman Catholics.

The origional Nicean Creed (Nicea-Constantinople) creed of faith reads as this:

Nicean Creed of Faith ( Agreed on 381 Anno Dommini in Emperor Constantine City of Byzantine Empire Constantinople)

We believe in one God, the Father Almighty, Maker of heaven and earth, and of all things visible and invisible.

And in one Lord Jesus Christ, the only-begotten Son of God, begotten of the Father before all worlds (æons), Light of Light, very God of very God, begotten, not made, consubstantial with the Father;

by whom all things were made;

who for us men, and for our salvation, came down from heaven, and was incarnate by the Holy Ghost and of the Virgin Mary, and was made man;

he was crucified for us under Pontius Pilate, and suffered, and was buried, and the third day he rose again, according to the Scriptures, and ascended into heaven, and sitteth on the right hand of the Father;

from thence he shall come again, with glory, to judge the quick and the dead. ;

whose kingdom shall have no end.

* And in the Holy Ghost, the Lord and Giver of life, who proceedeth from the Father, who with the Father and the Son together is worshiped and glorified, who spake by the prophets.

In one Holy Catholic and apostolic Church; we acknowledge one baptism for the remission of sins; we look for the resurrection of the dead, and the life of the world to come. Amen.

The Western Church head Bishop the Pope and local priests due to some historical regions of Spain and other parts of Western Europe's aim to fight heresies included the word Latin word Filioque in above translated text (Word which is translated as "And from the Son") in above starred line 'And in te Holy Ghost, The Lord Giver of Life who proceedeth from the Father' become 'And in the Holy Ghost, The Lord Giver of Life who proceedeth from the Father (Filioque) = and from the Son.' this was acceptable for the Eastern Churches until the moment when this Confession of Faith has been legalized for the Whole Western Church with a decree so called pope 'Bulla' with which it become the official confession of faith for the whole Catholic Church. The Eastern Church of course was following the accepted Canon rules from the first Ecumenical Council in 381 A.D. and rejected to accept the definition of the Pope at first in the Face of Saint Patriarch Photios I of Constantinople (year 810 – 893) and become official in 1054 by the rule of Pope Leo whose legates tried to claim Headship of the Pope over the whole Church and questioned the title of the Constantinople Ecumenical Patriarch Michael I Cerularius.
Along with the chages of the Creed of Faith the West, the years during centuries VII and IX centuries has already put a lot of differences in the East and West Church along doctrinal, theological, linguistic, political, and geographical lines so the split was a reflection of all this. The Latin Church was much more power hungry and more progressive for its time and authoritarian, trying to combine the Worldly power with the Spiritual one given by the line of Apostoles from Christ Ceasaris-Papism, where the Eastern Church was governed in the ancient model of the Worldly power in face of Eastern Roman empire Emperor and the Patriarch who was a governor of the Spiritual power. The schism was worsened also by the many Latins raids in the Eastern Empire Christian brothers and the sacking of Constantinople in 8-13 April year 1204. Of course both Wester and Eastern Roman Empire had an appetite for a conquest over the other and often this has lead the secular rulers on both sides to try to manipulate activities of the spiritual leaders of both to work for their interests, but the schism would never occur if the spiritual establishment of the Church which are the Holy Canons (decision of the Ecumenical Councils) were not breached by the Western Church.
One of this breaches of the Ancient canons is the Celebration of Eastern Pascha which says the Christian Pascha should never coincide with Jewish Pascha. However in the Western Church this rule was breached and nowadays The Eastern (The Day of the Resurrection of Christ) in the Roman Catholic Church (Western Church) coincides most of the years with Jewish Pascha (both Roman Catholics and the executors of Christ who never accepted him the Jews celebrate together … a sad fact).

Nowadays most of the Ancient Churches of the East together with the Eastern Orthodox Churches, who are confessing the Faith of Christ such as it was handed by the Saint Fathers has a very specific ancient way of confession of faith similar to the Creed of Faith which was a very common short ancient way to confess the faith when two Christians met it is perhaps originating from the times of the Heresies in the 1st century right after the Christ Crucifix, when the pupil of Christ used it to confirm the Glorious and unexplainable Miracle of the Resurrection of the Lord Jesus Christ from the Death in Real Body in the 3rd day from the Grave in the Cave where his body was buried.

The Greeting Formula is the well known in the Eastern Orthodox Churches such as in Bulgaria / Greece / Russia / Serbia etc. Christ is Risen.
On every easter Almost everyone in the Orthodox Christian Countires greats everyone else both in homes on the street at work or anywhere relatives friends and even unfamiliar people who has to do business deeds with the immersely joyful greeting.

ХРИСТОС ВОСКРЕСЕ / CHRIST IS RISEN !!!!! !!!

Then the greeted Person answers back

ВОЙСТИНУ ВОСКРЕСЕ / TRULY HE IS RISEN (INDEED HE IS RISEN) !!!!!!!!

In the Orthodox Churches, believers do greet themselves with this heartful joyful greeting for the whole 40 days after the Feast of Resurrection of Christ.

In Russia, Ukrain, Belarus and the surrounding Slavonic lands there is this tradition that the greeting is repeated 3 times as an interaction between person A and person B, for example.

Person A (3 times) greets:
ХРИСТОС ВОСКРЕСЕ = CHRIST IS RISEN !!!
Person B (3 times) answers:
ВОЙСТИНУ ВОСКРЕСЕ = TRULY HE IS RISEN !!!

Below is a good list with Paschal Resurrection Greeting in multiple languages, for those who has curious polyglot minds who want to learn few words in different languages.

Indo-European languages

Greek: Χριστὸς ἀνέστη! Ἀληθῶς ἀνέστη! (Khristós anésti! Alithós anésti!)

Voskresenie-Gospoda-Nashego-Iisusa-Hrista-Mosaic

Slavic languages

Church Slavonic: Хрїсто́съ воскре́се! Вои́стинꙋ воскре́се! (Xristósŭ voskrése! Voístinu voskrése!)

Belarusian: Хрыстос уваскрос! Сапраўды ўваскрос! (Chrystos uvaskros! Sapraŭdy ŭvaskros!)

Bulgarian: Христос воскресе! Воистину воскресе! (Khristos voskrese! Voistinu voskrese!), as if in Church Slavonic; Христос възкресе! Наистина възкресе! (Khristos vâzkrese! Naistina vâzkrese!) in Modern Bulgarian

Croatian: Krist uskrsnu! Uistinu uskrsnu!

: Kristus vstal z mrtvých! Vpravdě vstal z mrtvých!

Macedonian: Христос воскресе! Навистина воскресе! (Hristos voskrese! Navistina voskrese!), traditional; or Христос воскресна! Навистина воскресна! (Hristos voskresna! Navistina voskresna!)

Polish: Chrystus zmartwychwstał! Prawdziwie zmartwychwstał!

Russian: Христос воскрес(-е)! Воистину воскрес(-е)! (Khristos voskres(-е)! Voistinu voskres(-е)!) (the version with -e is in Church Slavonic, one without it is in modern Russian; both are widely used)

Rusyn: Хрістос воскрес! Воістину воскрес! (Hristos voskres! Voistynu voskres!)

Serbian: Христос васкрсе! Ваистину васкрсе! (Hristos vaskrse! Vaistinu vaskrse!) or Христос воскресе! Ваистину воскресе! (Hristos voskrese! Vaistinu voskrese!)

Slovak: Kristus vstal z mŕtvych! Skutočne vstal (z mŕtvych)! (though the Church Slavonic version is more often used)

Slovene: Kristus je vstal! Zares je vstal!

Ukrainian: Христос воскрес! Воістину воскрес! (Khrystos voskres! Voistynu voskres!)

Tosk Albanian: Krishti u ngjall! Vërtet u ngjall!

Armenian

Western Armenian: Քրիստոս յարեա՜ւ ի մեռելոց: Օրհնեա՜լ է Յարութիւնն Քրիստոսի: (Krisdos haryav i merelotz! Orhnyal e Haroutyunen Krisdosi!)

eastern dialect, Քրիստոս հարյա՜վ ի մեռելոց: Օրհնյա՜լ է Հարությունը Քրիստոսի: (Khristos haryav i merelotz! Orhnyal e Harouthyoune Khristosi!); literally "Christ is risen! Blessed is the resurrection of Christ!")

Germanic languages

Anglic languages

Scots: Christ has ryssyn! Hech aye, he his ain sel!

English: Christ is risen! He is risen indeed! Or Christ is risen! Truly, he is risen!

Old English: Crist is ārisen! Hē is sōþlīċe ārisen!

Middle English: Crist is arisen! Arisen he sothe!

Danish: Kristus er opstanden! Sandelig Han er Opstanden!

West Frisian: Kristus is opstien! Wis is er opstien!

German: Christus ist auferstanden! Er ist wahrhaft auferstanden! or Der Herr ist auferstanden! Er ist wahrhaftig auferstanden!

Icelandic: Kristur er upprisinn! Hann er sannarlega upprisinn!

Faroese: Kristus er upprisin! Hann er sanniliga upprisin!

Low Franconian languages

Dutch: Christus is opgestaan! Hij is waarlijk opgestaan! (Netherlands) or Christus is verrezen! Hij is waarlijk verrezen! (Belgium)

Afrikaans: Christus het opgestaan! Hy het waarlik opgestaan!

Norwegian

Bokmål: Kristus er oppstanden! Han er sannelig oppstanden!

Nynorsk: Kristus er oppstaden! Han er sanneleg oppstaden!

Swedish: Kristus är uppstånden! Han är sannerligen uppstånden!

Italic languages

Latin: Christus resurrexit! Resurrexit vere!

Romance languages

Aromanian: Hristolu anyie! Di alihea anyie!

Catalan: Crist ha ressuscitat! Veritablement ha ressuscitat!

French: Le Christ est ressuscité ! En vérité il est ressuscité! Or Le Christ est ressuscité ! Vraiment il est ressuscité !

Galician: Cristo resucitou! De verdade resucitou!

Italian: Cristo è risorto! È veramente risorto!

Portuguese: Cristo ressuscitou! Em verdade ressuscitou! or Cristo ressuscitou! Ressuscitou verdadeiramente!

Arpitan: Lo Crist es ressuscitat! En veritat es ressuscitat!

Romanian: Hristos a înviat! Adevărat a înviat!

Romansh: Cristo es rinaschieu! In varded, el es rinaschieu!

Sardinian: Cristu est resuscitadu! Aberu est resuscitadu!

Sicilian: Cristu arrivisciutu esti! Pibbiru arrivisciutu esti!

Spanish: ¡Cristo resucitó! ¡En verdad resucitó!

Walloon: Li Crist a raviké! Il a raviké podbon!

Baltic languages

Latvian: Kristus (ir) augšāmcēlies! Patiesi (viņš ir) augšāmcēlies!

Lithuanian: Kristus prisikėlė! Tikrai prisikėlė!

Celtic languages

Goidelic languages

Old Irish: Asréracht Críst! Asréracht Hé-som co dearb!

Irish: Tá Críost éirithe! Go deimhin, tá sé éirithe!

Manx: Taw Creest Ereen! Taw Shay Ereen Guhdyne!

Scottish Gaelic: Tha Crìosd air èiridh! Gu dearbh, tha e air èiridh!

Brythonic languages

Breton:Dassoret eo Krist! E wirionez dassoret eo!

Cornish: Thew Creest dassorez! En weer thewa dassorez!

Welsh: Atgyfododd Crist! Yn wir atgyfododd!

Indo-Iranian languages

Ossetian:Чырысти райгас! Æцæгæй райгас! Or бæлвырд райгас! (Ḱyrysti rajgas! Æcægæj rajgas or bælvyrd rajgas!)

Persian: مسیح برخاسته است! به راستی برخاسته است!‎ (Masih barkhaste ast! Be rasti barkhaste ast!)

Hindi: येसु मसीह ज़िन्दा हो गया है! हाँ यक़ीनन, वोह ज़िन्दा हो गय یسوع مسیح زندہ ہو گیا ہے! ہاں یقیناً، وہ زندہ ہو گیا ہے!‎ (Yesu Masīh zindā ho gayā hai! Hā̃ yaqīnan, voh zindā ho gayā hai!)

Marathi: Yeshu Khrist uthla ahe! Kharokhar uthla ahe!

Abkhazian: Kyrsa Dybzaheit! Itzzabyrgny Dybzaheit!

Afro-Asiatic languages

Semitic languages

Standard Arabic: المسيح قام! حقا قام!‎ (al-Masīḥ qām! Ḥaqqan qām!) or المسيح قام! بالحقيقة قام! (al-Masīḥ qām! Bi-l-ḥaqīqati qām!)

Aramaic languages

Classical Syriac: ܡܫܝܚܐ ܩܡ! ܫܪܝܪܐܝܬ ܩܡ!‎ (Mshiḥa qām! sharīrāīth qām! or Mshiḥo Qom! Shariroith Qom!)

Assyrian Neo-Aramaic: ܡܫܝܚܐ ܩܡܠܗ! ܒܗܩܘܬܐ ܩܡܠܗ!‎ (Mshikha qimlih! bhāqota qimlih!)

Turoyo: ܡܫܝܚܐ ܩܝܡ! ܫܪܥܪܐܝܬ ܩܝܡ!‎ (Mshiḥo qāyem! Shariroith qāyem!)

East African languages

Tigrinya: Christos tensiou! Bahake tensiou!

Amharic: Kristos Tenestwal! Bergit Tenestwal!

Hebrew: המשיח קם! באמת קם!‎ (Hameshiach qam! Be'emet qam!)

Maltese: Kristu qam! Huwa qam tassew! or Kristu qam mill-mewt! Huwa qam tassew!

Egyptian

Coptic: (Pi'Christos aftonf! Khen oumetmi aftonf!)

Judeo-Berber: Lmasih yahye-d ger lmeytin! Stidet yahye-d ger lmeytin!

Dravidian languages

Tamil: கிறிஸ்து உயிர்த்தெழுந்தார், மெய்யாகவே அவர் உயிர்த்தெழுந்தார்.

Malayalam: ക്രിസ്തു ഉയിര്ത്തെഴുന്നേറ്റു! തീര്ച്ചയായും ഉയിര്ത്തെഴുന്നേറ്റു! (Christu uyirthezhunnettu! Theerchayayum uyirthezhunnettu!)

Eskimo–Aleut languages

Aleut: Kristusaaq Aglagikuk! Angangulakan Aglagikuk!

Pacific Gulf Yupik: Kristusaq ungwektaq! Pichinuq ungwektaq!

Central Yupik: Kristuussaaq unguirtuq! Ilumun unguirtuq!

Mayan languages

Tzotzil: Icha'kuxi Kajvaltik Kristo! Ta melel icha'kuxi!

Tzeltal: Cha'kuxaj Kajwaltik Kristo! Ta melel cha'kuxaj!

Austronesian languages

Malayo-Polynesian

Batak: Tuhan nunga hehe! Tutu do ibana hehe!

Carolinian: Lios a melau sefal! Meipung, a mahan sefal!

Cebuano: Nabanhaw Si Kristo! Nabanhaw gayud!

Waray: Hi Kristo nabanwaw! Matuod nga Hiya nabanhaw!

Chamorro: La'la'i i Kristo! Magahet na luma'la' i Kristo!

Fijian: Na Karisito tucake tale! Io sa tucake tale!

Filipino: Nabuhay muli Si Kristo! Nabuhay talaga!

Hawaiian: Ua ala hou ʻo Kristo! Ua ala ʻiʻo nō ʻo Ia!

Indonesian: Kristus telah bangkit! Dia benar-benar telah bangkit!

Kapampangan: Y Kristû sinûbli yáng mèbié! Sinûbli ya pin mèbié!

Malagasy: Nitsangana tamin'ny maty i Kristy! Nitsangana marina tokoa izy!

Cook Islands Māori: Kuo toetu’u ‘ae Eiki! ‘Io kuo toetu’u mo’oni!

Austroasiatic languages: Mon-Khmer

: Preah Christ mean preah choan rous leong vinh! trung mean preah choan rous leong vinh men!

Vietnamese

: Chúa Ki-tô đã sống lại! Ngài đã sống lại thật!

Thai

Thai: พระคริสต์เป็นขึ้นจากความตาย! or พระคริสต์ทรงกลับคืนพระชนม์ชีพ!

Basque

Basque: Cristo Berbiztua! Benetan Berbiztua!

Japanese

Japanese: ハリストス復活！実に復活！ (Harisutosu fukkatsu! Jitsu ni fukkatsu!)

Korean

Korean 그리스도 부활하셨네! 참으로 부활하셨네! (Geuriseudo buhwalhasyeonne! Chameuro buhwalhasyeonne!)

Na-Dené languages

Athabaskan languages

Navajo: Christ daaztsą́ą́dę́ę́ʼ náádiidzáá! Tʼáá aaníí daaztsą́ą́dę́ę́ʼ náádiidzáá!

Tlingit: Xristos Kuxwoo-digoot! Xegaa-kux Kuxwoo-digoot!

Niger–Congo languages

: Kristo Ajukkide! Kweli Ajukkide!

Swahili: Kristo Amefufuka! Amefufuka kweli kweli!

Gikuyu: Kristo ni muriuku! Ni muriuku nema!

Quechuan languages

Quechua: Cristo causarimpunña! Ciertopuni causarimpunña!

Mongolic languages

Classical Mongolian: Есүс дахин амилсан, Тэр үнэхээр амилсан! (Yesus dahin amilsan, ter uneheer amilsan)

Turkic languages

Turkish: Mesih dirildi! Hakikaten dirildi!

Uyghur: ‫ئەيسا تىرىلدى! ھەقىقەتىنلا تىرىلدى!‬‎ (Əysa tirildi! Ⱨəⱪiⱪətinla tirildi!)

Azerbaijani: Məsih dirildi! Həqiqətən dirildi!

Chuvash: Христос чĕрĕлнĕ! Чăн чĕрĕлнĕ! (Hristos čĕrĕlnĕ! Čyn čĕrĕlnĕ!)

Khakas: Христос тірілді! Сыннаң тірілді! (Hristos tíríldí! Sınnañ tíríldí!)

Uzbek: Масих тирилди! Хақиқатдан тирилди! (Masih tirildi! Haqiqatdan tirildi!)

Sino-Tibetan languages

Chinese: 基督復活了！他確實復活了！ (Jīdū fùhuó-le! Tā quèshí fùhuó-le!) or 耶穌復活了，真的他復活了！ (Yēsū fùhuó-le, Zhēnde tā fùhuó-le!)

Uralic languages

Estonian: Kristus on üles tõusnud! Tõesti on üles tõusnud!

Finnish: Kristus nousi kuolleista! Totisesti nousi!

Hungarian: Krisztus feltámadt! Valóban feltámadt!

Karelian: Hristos nouzi kuollielois! Tovessah nouzi!

Constructed languages

International auxiliary languages

Esperanto: Kristo leviĝis! Vere Li leviĝis!

Ido: Kristo riviveskabas! Ya Il rivivesakabas!

Interlingua: Christo ha resurgite! Vermente ille ha resurgite! or Christo ha resurrecte! Vermente ille ha resurrecte!

Quenya: (Hristo Ortane! Anwave Ortanes!)

Klingon: Hu'ta' QISt! Hu'bejta'!

No Comments »

Linux Local User Accounts Password Security policies Hardening – Set Password expiry, password quality, limit repatead access attempts, add directionary check, increase logged history command size

April 10th, 2020

For everyone that has to to manage Linux servers which are holding thousand of users for example UNIX Jump hosts (hop stations) or Free Shells, VPS shared developer hosts etc. setting a good password policies is a basis for proprietary confidential data protection .
Password expiry in jump host machines that are using LDAP authentication to grant access to users, 2 factor authentication or passwordless authentication policies is not a scope of this article, as they are handled by the LDAP authentication service sssd daemon on the login Unix host.
However there are many machines nowadays holding shared local users and setting a good password expiry policy on them is an essential to guarantee less probability of some external unathenticated intruder to be able to break in with some old user account of an employee that is no longer working for the company. Even for home brew Linux machines setting a password policy is a must if you don't want to end up some day with a strange logins from Asia unknown IPs and at a worst case a rooted machine …

1. Change user password / passphrases at least one every 90 days

Perhaps the best practice of local password security, practiced in most IT companies like IBM, Hewlett Packard, SAP, Amazon is to have a password policy expiry of 3 months this is done to fulfill the recommended PCI security standards recomendations.
A more paranoid ones perhaps prefer even shorter password expiry spans like 1 month but I think this is a bit too much and 3 months of local existing user password expiry is in the middle of too permissive and too restrictive pwd approach.
It is a very good security practice to set a password complexity and length
Control over password expiry on Linux is handled from /etc/login.defs, default settings for password policy is to never expire, below is a configuration from my Debian Linux.

PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7

Here is /etc/login.defs that is a good security practice to implement on RHEL or CentOS

PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_MIN_LEN 10
PASS_WARN_AGE 14

One note to make here is PASS_MAX_DAYS is not understood on .deb based Linuxes but will be understand by the OS only on RPM distros RHEL / Fedora etc.

Config options meaning is:

PASS_MIN_LEN – Minimum password length
PASS_MIN_DAYS – The minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected. If not specified, -1 will be assumed (which disables the
restriction).
PASS_WARN_AGE – The number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no
warning will be provided.

Getting the user set user expiry date is done with the chage cmd

root@linux:~# chage -l hipo
Last password change : окт 17, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
root@linux:~#

root@linux:/home/test# chage -l test
Last password change : окт 07, 2017
Password expires : яну 05, 2018
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
root@linux#

To set a certain special user, to lets say non-privileged user used by sysadmin to never expire:

root@linux:~# chage -M 99999 username

2. Increase requirements for password quality

This is done through the libpwquality system library that is present on virtually any modern fresh new GNU / Linux distribution install.
The paswrod requirements to authenticate access to system is configured via /etc/security/pwqualtity.conf or for more verbose user specific pwd authentication requirements with rules to be set in /etc/security/pwquality.conf.d/*.conf.
Many things could be configured via this simple name = value config just to mention few

minlen – minimum lenght of changing passowrd
minclass – the minimum amount of characters required for new pass (digit, uppercase, lowercase, others).
maxrepeat – maximum number of same repeatable consecutive characters in new set pass.
dcredit – require at least one digit in the new pass

A good set of configuration options one could benit from is as follows:

minlen = 10
dcredit = -1
lcredit = -1
ucredit = -1
ocredit = -1
minclass = 2
maxrepeat = 4
minclass = 4
maxclassrepeat = 0

For full supported capabitilies of libpwquality check out man pwquality.conf

3. Limit repeated access attempts by locking out the user ID if more than 6 unsuccesful login

In Red Hat Enterprise Linux 7 and CentOS the pam_faillock PAM module allows system administrators to lock out user accounts after a specified number of failed attempts. Limiting user login attempts serves mainly as a security measure that aims to prevent possible brute force attacks targeted to obtain a user's account password.

With the pam_faillock module, failed login attempts are stored in a separate file for each user in the /var/run/faillock directory.
Locking account if a number of unsuccessful login attempts are made is a very good security practice as this will block long lasting attempts to brute force local user credentials.

To do so add the following line immediately before the pam_unix.so statement in the AUTH section of /etc/pam.d/system-auth and /etc/pam.d/password-auth:

auth required pam_faillock.so preauth silent deny=6 unlock_time=1800 fail_interval=900

Now try to ssh to the machine. After the number of 6 failed attemp threshold is reached, user account will be locked.
In /var/log/secure the default location where RHEL / CentOS / Fedora and other RPM based distros store their login success and failure messages you should get a message like:

Aug 15 10:40:43 linux sshd[29038]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.43.135.1 user=hipo
Aug 15 10:40:43 linux sshd[29038]: pam_faillock(sshd:auth): Consecutive login failures for user deepak account temporarily locked

4. Set blockout user lockout duration to 30 minutes

Once a user is blocked after a number of failure attempts, it is normal to block that user to some reasonable duration like 30 minutes in most cases, however some paranoid administrators
prefer to block the user forever until the user contacts and requests the administrator to unlock him his "by mistake" blocked user by the login policies.

To automatically set a clerance of blocked user, add the following line immediately after the pam_unix.so statement in the AUTH section of /etc/pam.d/system-auth and /etc/pam.d/password-auth:

auth [default=die] pam_faillock.so authfail deny=6 unlock_time=1800 fail_interval=900

And add the following line immediately before the pam_unix.so statement in the ACCOUNT section of /etc/pam.d/system-auth and /etc/pam.d/password-auth:
account required pam_faillock.so

5. Check and reset fail lock number attempts from user

To check failure counts from user

root@linux:~# pam_tally –user hipo
Login Failures Latest failure From
hipo 3 08/28/19 22:00:50 10.55.135.3

To reset the faillog counter

root@linux:~# pam_tally2 –user hipo –reset

To check now the login failure counter

root@linux:~# pam_tally2 –user hipo
User hipo (1000) has 0

P.S. You can use also faillock instead of pam_tally

6. Check user new set passwords against dictionary with pam_pwquality.so

pam_pwquality – is the PAM module to perform password quality checking

To have it installed and possible to use on a Linux system you will need to have some kind of variation of the pam_pwquality package installed, for example on Debian Linux this is provided by libpam-pwquality package.
Default Debian installs does not have it installed so to have it do the usual:

debian:~# apt-get install –yes libpam-pwquality

Most RPM based distributions RHEL / Fedora etc. comes preinstalled with it, so it can be straight used.

To get an idea about what kind of checks it does on new password set, here is an extract from man pam_pwquality

      The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices.
       The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the
       first occasion). All being well, the password is passed on to subsequent modules to be installed as the new authentication token.
       The checks for strength are:
       Palindrome
           Is the new password a palindrome?
       Case Change Only
           Is the new password the the old one with only a change of case?
       Similar
           Is the new password too much like the old one? This is primarily controlled by one argument, difok which is a number of character changes (inserts, removals, or replacements) between the old
           and new password that are enough to accept the new password.
       Simple
           Is the new password too small? This is controlled by 6 arguments minlen, maxclassrepeat, dcredit, ucredit, lcredit, and ocredit. See the section on the arguments for the details of how these
           work and there defaults.
       Rotated
           Is the new password a rotated version of the old password?
       Same consecutive characters
           Optional check for same consecutive characters.
       Too long monotonic character sequence
           Optional check for too long monotonic character sequence.
       Contains user name
           Check whether the password contains the user's name in some form.
       Dictionary check
           The Cracklib routine is called to check if the password is part of a dictionary.
       These checks are configurable either by use of the module arguments or by modifying the /etc/security/pwquality.conf configuration file. The module arguments override the settings in the
       configuration file.

The benefit you will get once it is installed is the new Improved password enforcement policies that every sysadmin or security expert needs, below is output of libpam pwquality security strict policies in action.

[root@host ~]# passwd build
Changing password for user build.
New password: @teztpassy1
BAD PASSWORD: The password contains less than 1 uppercase letters
New password: @teztPassy
BAD PASSWORD: The password contains less than 1 digits
New password: teztPassy1
BAD PASSWORD: The password contains less than 1 non-alphanumeric characters
passwd: Have exhausted maximum number of retries for service

Once a strict password is given that is matching the enforced password security policy password will have to be repeated 3 times and not 2 times as the usual passwd user command does.

[root@host ~]# passwd build
Changing password for user build.
New password: @teztPassy1
Retype new password: @teztPassy1
passwd: all authentication tokens updated successfully.

7. Set User Session Timeout in 15 minutes

Another good security practice is to set the SSH logged in users active sessions to disconnect after lets say 20 minutes (1200 seconds).
This is done by using the TMOUT embedded variable in bash shell.
To give it a try how it works on any of your active bash session export TMOUT variable to 300 secs.

export TMOUT=300

Keep the shell opened for 5 minutes without any activity and you'll get automatically disconnected.
TMOUT variable can be set as a default for all users through placing it in /etc/bashrc or /etc/profile.
or only to certain users by appending it to selected users ~/.bashrc or ~/.bash_profile.
However as some of the most advanced users could notice its existence by issuing env command and checking the current environment variables
and decide to get rid of it with unset TMOUT it is good idea to make the variable readonly to do so append in /etc/bashrc

TMOUT=900
readonly TMOUT
export TMOUT

Now the risk that logged in user forgot his console active on a public place and someone got access to his account through that is minimized, however
for some users that might be quite annoying as any forgot console will get dropped off after short time and that could be quite irritating ..

8. Increase size of logged User commands history HISTFILE and HISTFILESIZE variables

There are 2 embedded bash variables that controls the size of logged commands after user logs in to their bash shell this is HISTFILE and HISTFILESIZE
The difference between HISTSIZE and HISTFILESIZE is that HISTSIZE limits the number of commands shown by the command history while HISTFILESIZE limits the number of commands which can be saved in $HISTFILE.

When one exits the bash, if there are more than $HISTSIZE number of commands which have been executed in the single bash session, the contents of $HISTFILE will be replaced by the $HISTSIZE number of commands. If there are less than or equal to $HISTSIZE number of commands in the bash session, these commands will be appended to $HISTFILE as long as $HISTFILESIZE permits.

The number of commands to be remembered in the history can be specified by the environment variable HISTSIZE.
Below is example of some values that will log up to 20000 of commands run by the user, this is much desired as the default logged in commands is only 1000 and if you tend to run many commands daily and this history size is exceeded in a couple of days.

export HISTSIZE=2000
export HISTFILESIZE=20000

To make this permanent for all server existing users add the records to /etc/profile or /etc/bashrc to make custom HISTORYFILESIZE add it to $HOME/.bashrc or ~/.bash_profile.

To apply (test) new exported changes either relogin to the shell or run:

linux~:# source /etc/profile

You can run shopt command to force to append the history commands to $HISTFILE even though there are more than $HISTSIZE number of commands which have been executed in the bash session:

# shopt -s histappend

9. Display TIMESTAMP in command history using HISTTIMEFORMAT

The normal way history command does show the history of previously user run commands is in line ordered form. This is not very useful for auditing purpose.
If for example you need to track a certain user activity as you cannot exactly see when the history logged command was issued.

Here is example what I mean:

linux~:# history|head -n 5
7 tail -f /var/log/apache2/error.log|grep -i seg
8 php -v
9 /usr/bin/php5.6 -v
10 w
11 tail -f /var/log/apache2/php_error.log

To set a basic date-month-year time timestamp formatting you can append

linux:~# export HISTTIMEFORMAT=’%F %T ‘

in /etc/profile /etc/bash.bashrc to apply it for all users or
for local users to ~/.bashrc ~/.bash_profile

The resulted formatting will be:

linux:~# history| tail -n 5
31 2020-05-07 10:06:34 sudo su – root
32 2020-05-07 10:06:34 w
33 2020-05-07 10:06:34 sudo su – root
34 2020-05-07 10:06:36 history
35 2020-05-07 10:06:45 history| tail -n 5

To show printed the exact day of week and written with letters you instead of numeric:

linux:~# export HISTTIMEFORMAT="%a %h %d – %r "

history log output results then will be as so:

linux:~# history |tail -n 2
101 Monday May 07 – 07:39:53 PM top
102 Monday May 22 – 07:39:54 PM history
That's all folks Enjoy !

ТРОПАРЬ, ГЛАС 4-Й

КОНДАК, ГЛАС 2-Й

ВЕЛИЧАНИЕ

I need to make my laptop automatically sleep on LID Screen close but it doesn't why?

1. First requirement is to make sure the laptop has installed the package pm-utils, if it is not there install it with:

2. Next we need to edit logind.conf and append 3 variables

3. Assure yourself the Power Management LID setting of the Desktop Graphical User Interface are set to SUSPEND on close

1. Force chage to make password expire on next user login for a new created user

2. Get information on when account expires

3. Use chage to set user account password expiration

1. Create the userpameter_active_node.conf Below script is 3 nodes Haproxy cluster

3. Configure in Zabbix for active.dc key Trigger and Item

1. smartmontools (smartd)

2. hddtemp

3. lm-sensors / i2c-tools

Nicean Creed of Faith ( Agreed on 381 Anno Dommini in Emperor Constantine City of Byzantine Empire Constantinople)

Indo-European languages

Slavic languages

Germanic languages

Anglic languages

Swedish: Kristus är uppstånden! Han är sannerligen uppstånden!

Italic languages

Baltic languages

Celtic languages

Goidelic languages

Brythonic languages

Welsh: Atgyfododd Crist! Yn wir atgyfododd!

Indo-Iranian languages

Afro-Asiatic languages

Semitic languages

Aramaic languages

East African languages

Dravidian languages

Eskimo–Aleut languages

Mayan languages

Austronesian languages

Austroasiatic languages: Mon-Khmer

Vietnamese

Thai

Basque

Japanese

Korean

Na-Dené languages

Niger–Congo languages

Quechuan languages

Mongolic languages

Turkic languages

Sino-Tibetan languages

Uralic languages

Constructed languages

1. Change user password / passphrases at least one every 90 days

2. Increase requirements for password quality

3. Limit repeated access attempts by locking out the user ID if more than 6 unsuccesful login

4. Set blockout user lockout duration to 30 minutes

5. Check and reset fail lock number attempts from user

6. Check user new set passwords against dictionary with pam_pwquality.so

7. Set User Session Timeout in 15 minutes

8. Increase size of logged User commands history HISTFILE and HISTFILESIZE variables

9. Display TIMESTAMP in command history using HISTTIMEFORMAT

To show printed the exact day of week and written with letters you instead of numeric:

Daily Bible quote

GET ARTICLE UPDATES

Useful blog? Help it:

Links to Other Places

Recent Posts

Ads

Categories

About Myself

Recent Comments

Tags

Top Post Views

blogtopsites

1. Create the userpameter_active_node.conf
Below script is 3 nodes Haproxy cluster