password Archives - ☩ Walking in Light with Christ - Faith, Computing, Diary ☩ Walking in Light with Christ

Posts Tagged ‘password’

How to lock and unlock local username passwd enabled account on Linux with chage / usermod / passwd commands

Friday, April 28th, 2023

1. Check user account password status

To check the status of existing Linux account present in /etc/passwd /etc/shadow

# passwd -S user_name
user_name PS 2023-04-28 0 90 7 -1 (Password set, SHA512 crypt.)

Lock local user wth chage command

# chage -l user_name
Last password change : Feb 10, 2023
Password expires : May 11, 2023
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7

2. Unlock user with local tools usermod / passwd / chage cmds

– unlock user with usermod

# usermod -U user_name

– unlock user with passwd

# passwd -u user_name

– (remove completely expiry date)

# chage -E -1 user_name

– howto set specific expiry date

# usermod -U –expiredate ' ' user_name

3. Lock account (expire the local user account) of a local system user account

If you have some user that you don’t need to have accessibility to the Linux machines anymore

# usermod -L user_name

# passwd -l user_name

To set existing non-expired user account to expiry with chage command exec:

# chage -E0 user_name

Set user that is no longer supposed to use his account to nologin at all

# usermod -s /sbin/nologin

Tags: Account, chage, change, check, command, etc passwd, How to, maximum number, password, username
Posted in Linux, System Administration | No Comments »

How to Install ssh client / server on Windows 10, Windows Server 2019 and Windows Server 2022 using PowerShell commands

Wednesday, March 2nd, 2022

How-to-install-OpenSSH-Client-and-Server-on-Windows-10-Windows-Server-2022-Windows-2019-via-command-line-Powershell

Historically to have a running ssh client on Windows it was required to install CygWin or MobaXterm as told in my previous articles Some Standard software programs to install on Windows to make your Desktop feel more Linux / Unix Desktop and Must have software on Freshly installed Windows OS.
Interesting things have been developed on the Windows scene since then and as of year 2022 on Windows 10 (build 1809 and later) and on Windows 2019, Windows Server 2022, the task to have a running ssh client to use from cmd.exe (command line) became trivial and does not need to have a CygWin Collection of GNU and Open Source tools installed but this is easily done via Windows embedded Apps & Features GUI tool:

To install it from there on 3 easy steps:

Via Settings, select Apps > Apps & Features, then select Optional Features.

Find OpenSSH Client, then click Install

Find OpenSSH Server, then click Install

For Windows domain administrators of a small IT company that requires its employees for some automated script to run stuff for example to tunnel encrypted traffic from Workers PC towards a server port for example to secure the 110 POP Email clients to communicate with the remote Office server in encrypted form or lets say because ssh client is required to be on multiple domain belonging PCs used as Windows Desktops by a bunch of developers in the company it also possible to use PowerShell script to install the client on the multiple Windows machines.

Install OpenSSH using PowerShell

To install OpenSSH using PowerShell, run PowerShell as an Administrator. To make sure that OpenSSH is available, run the following cmdlet in PowerShell

Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

This should return the following output if neither are already installed:

Name : OpenSSH.Client~~~~0.0.1.0
State : NotPresent

Name : OpenSSH.Server~~~~0.0.1.0
State : NotPresent

Then, install the server or client components as needed:

Copy in PS cmd window

# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Both of these should return the following output:

Path :
Online : True
RestartNeeded : False

If you want to also allow remote access via OpenSSH sshd daemon, this is also easily possible without installing especially an openssh-server Windows variant !

Start and configure OpenSSH Server

To start and configure OpenSSH Server for initial use, open PowerShell as an administrator, then run the following commands to start the sshd service:

# Start the sshd service
Start-Service sshd

# OPTIONAL but recommended:
Set-Service -Name sshd -StartupType 'Automatic'

# Confirm the Firewall rule is configured. It should be created automatically by setup. Run the following to verify
if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it…"
New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."
}

Connect to OpenSSH Server

Once installed, you can connect to OpenSSH Server from a Windows 10 or Windows Server 2019 device with the OpenSSH client installed using PowerShell or Command Line tool as Administrator and use the ssh client like you would use it on any *NIX host.

C:\Users\User> ssh username@servername

The authenticity of host 'servername (10.10.10.1)' can't be established.
ECDSA key fingerprint is SHA256:(<a large string>).
Are you sure you want to continue connecting (yes/no)?
Selecting yes adds that server to the list of known SSH hosts on your Windows client.

You are prompted for the password at this point. As a security precaution, your password will not be displayed as you type.

Once connected, you will see the Windows command shell prompt:

Domain\username@SERVERNAME C:\Users\username>

Tags: client server, Connect, created, installed, password, prompt, recommended, ssh client, username, Via Settings
Posted in System Administration, Windows | No Comments »

Rsync copy files with root privileges between servers with root superuser account disabled

Tuesday, December 3rd, 2019

rsync-copy-files-between-two-servers-with-root-privileges-with-root-superuser-account-disabled

Sometimes on servers that follow high security standards in companies following PCI Security (Payment Card Data Security) standards it is necessery to have a very weird configurations on servers,to be able to do trivial things such as syncing files between servers with root privileges in a weird manners.This is the case for example if due to security policies you have disabled root user logins via ssh server and you still need to synchronize files in directories such as lets say /etc , /usr/local/etc/ /var/ with root:root user and group belongings.

Disabling root user logins in sshd is controlled by a variable in /etc/ssh/sshd_config that on most default Linux OS
installations is switched on, e.g.

grep -i permitrootlogin /etc/ssh/sshd_config
PermitRootLogin yes

Many corporations use Vulnerability Scanners such as Qualys are always having in their list of remote server scan for SSH Port 22 to turn have the PermitRootLogin stopped with:

PermitRootLogin no

In this article, I'll explain a scenario where we have synchronization between 2 or more servers Server A / Server B, whatever number of servers that have already turned off this value, but still need to
synchronize traditionally owned and allowed to write directories only by root superuser, here is 4 easy steps to acheive it.

1. Add rsyncuser to Source Server (Server A) and Destination (Server B)

a. Execute on Src Host:

groupadd rsyncuser
useradd -g 1000 -c 'Rsync user to sync files as root src_host' -d /home/rsyncuser -m rsyncuser

b. Execute on Dst Host:

groupadd rsyncuser
useradd -g 1000 -c 'Rsync user to sync files dst_host' -d /home/rsyncuser -m rsyncuser

2. Generate RSA SSH Key pair to be used for passwordless authentication

a. On Src Host

su – rsyncuser

ssh-keygen -t rsa -b 4096

b. Check .ssh/ generated key pairs and make sure the directory content look like.

[rsyncuser@src-host .ssh]$ cd ~/.ssh/; ls -1

id_rsa
id_rsa.pub
known_hosts

3. Copy id_rsa.pub to Destination host server under authorized_keys

scp ~/.ssh/id_rsa.pub rsyncuser@dst-host:~/.ssh/authorized_keys

Next fix permissions of authorized_keys file for rsyncuser as anyone who have access to that file (that exists as a user account) on the system
could steal the key and use it to run rsync commands and overwrite remotely files, like overwrite /etc/passwd /etc/shadow files with his custom crafted credentials
and hence hack you 🙂

Hence, On Destionation Host Server B fix permissions with:

su – rsyncuser; chmod 0600 ~/.ssh/authorized_keys
[rsyncuser@dst-host ~]$

An alternative way for the lazy sysadmins is to use the ssh-copy-id command

$ ssh-copy-id rsyncuser@192.168.0.180
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed — if you are prompted now it is to install the new keys
root@192.168.0.180's password:

For improved security here to restrict rsyncuser to be able to run only specific command such as very specific script instead of being able to run any command it is good to use little known command= option
once creating the authorized_keys

4. Test ssh passwordless authentication works correctly

For that Run as a normal ssh from rsyncuser

On Src Host

[rsyncuser@src-host ~]$ ssh rsyncuser@dst-host

Perhaps here is time that for those who, think enabling a passwordless authentication is not enough secure and prefer to authorize rsyncuser via a password red from a secured file take a look in my prior article how to login to remote server with password provided from command line as a script argument / Running same commands on many servers

5. Enable rsync in sudoers to be able to execute as root superuser (copy files as root)

For this step you will need to have sudo package installed on the Linux server.

Then, Execute once logged in as root on Destionation Server (Server B)

[root@dst-host ~]# grep 'rsyncuser ALL' /etc/sudoers|wc -l || echo ‘rsyncuser ALL=NOPASSWD:/usr/bin/rsync’ >> /etc/sudoers

Note that using rsync with a ALL=NOPASSWD in /etc/sudoers could pose a high security risk for the system as anyone authorized to run as rsyncuser is able to overwrite and
respectivle nullify important files on Destionation Host Server B and hence easily mess the system, even shell script bugs could produce a mess, thus perhaps a better solution to the problem
to copy files with root privileges with the root account disabled is to rsync as normal user somewhere on Dst_host and use some kind of additional script running on Dst_host via lets say cron job and
will copy gently files on selective basis.

Perhaps, even a better solution would be if instead of granting ALL=NOPASSWD:/usr/bin/rsync in /etc/sudoers is to do ALL=NOPASSWD:/usr/local/bin/some_copy_script.sh
that will get triggered, once the files are copied with a regular rsyncuser acct.

6. Test rsync passwordless authentication copy with superuser works

Do some simple copy, lets say copy files on Encrypted tunnel configurations located under some directory in /etc/stunnel on Server A to /etc/stunnel on Server B

The general command to test is like so:

rsync -aPz -e 'ssh' '–rsync-path=sudo rsync' /var/log rsyncuser@$dst_host:/root/tmp/

This will copy /var/log files to /root/tmp, you will get a success messages for the copy and the files will be at destination folder if succesful.

On Src_Host run:

[rsyncuser@src-host ~]$ dst=FQDN-DST-HOST; user=rsyncuser; src_dir=/etc/stunnel; dst_dir=/root/tmp; rsync -aP -e 'ssh' '–rsync-path=sudo rsync' $src_dir $rsyncuser@$dst:$dst_dir;

7. Copying files with root credentials via script

The simlest file to use to copy a bunch of predefined files is best to be handled by some shell script, the most simple version of it, could look something like this.

#!/bin/bash
# On server1 use something like this
# On server2 dst server
# add in /etc/sudoers
# rsyncuser ALL=NOPASSWD:/usr/bin/rsync

user='rsyncuser';

dst_dir="/root/tmp";
dst_host='$dst_host';
src[1]="/etc/hosts.deny";
src[2]="/etc/sysctl.conf";
src[3]="/etc/samhainrc";
src[4]="/etc/pki/tls/";
src[5]="/usr/local/bin/";

for i in $(echo ${src[@]}); do
rsync -aPvz –delete –dry-run -e 'ssh' '–rsync-path=sudo rsync' "$i" $rsyncuser@$dst_host:$dst_dir"$i";
done

In above script as you can see, we define a bunch of files that will be copied in bash array and then run a loop to take each of them and copy to testination dir.
A very sample version of the script rsync_with_superuser-while-root_account_prohibited.sh

Conclusion

Lets do short overview on what we have done here. First Created rsyncuser on SRC Server A and DST Server B, set up the key pair on both copied the keys to make passwordless login possible,
set-up rsync to be able to write as root on Dst_Host / testing all the setup and pinpointing a small script that can be used as a backbone to develop something more complex
to sync backups or keep system configurations identicatial – for example if you have doubts that some user might by mistake change a config etc.
In short it was pointed the security downsides of using rsync NOPASSWD via /etc/sudoers and few ideas given that could be used to work on if you target even higher
PCI standards.

Tags: bin, command, copy files, copying, Dst Host, enable, execute, logins, make, password, passwordless, possible, root, root privileges, rsync, running, security policies, servers, shell script, Short, Src Host, ssh server, superuser, system, test, var, without
Posted in Linux, Networking, System Administration | 1 Comment »

How to convert .CRT SSL Certificate to .PFX format (with openssl Linux command) and Import newly generated .PFX to Windows IIS Webserver

Tuesday, September 27th, 2016

1. Converting to .CRT to.PFX file format with OpenSSL tool on GNU / Linux to import in Windows (for example, IIS)

Assuming you have generated already a certificate using the openssl Linux command and you have issued the .CRT SSL Certificate issuer file
and you need to have the new .CRT SSL Certificate installed on Windows Server (lets say on Windows 2012) with IIS Webserver version 8.5, you will need a way to convert the .CRT file to .PFX, there is plenty of ways to do that including using online Web Site SSL Certificate converter or use a stand alone program on the Windows server or even use a simple perl / python / ruby script to do the conversion but anyways the best approach will be to convert the new .CRT file to IIS supported binary Certificate format .PFX on the same (Linux certificate issuer host where you have first generated the certificate issuer request .KEY (private key file used with third party certificate issuer such as Godaddy or Hostgator to receive the .CRT / PEM file).

Here is how to generate the .PFX file based on the .CRT file for an Internal SSL Certfiicate:

openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx

On the password prompt to appear use any password because otherwise the future IIS Webserver certificate import will not work.

To do a certificate chain SSL export to be accessed from the internet.

openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx -certfile internet v2.crt

2. Import the PFX file in Windows

Run: mmc, add snap, Certificates, Computer account, Local Computer; in the
Console:

Certificates (Local Computer) > Personal > Certificates: Select All Tasks > Import File

Enter previously chosen password.
You should get further the Message "Import was successful."

You can import the PFX file by simply copying it to the server where you want it imported and double click it this will open Windows Importwizzard.

Then select the IIS:

Site, Properties, Directory Security, Server Certificate, Replace the current certficate, select proper Certificate. Done.

Alternatively to complete the IIS Webserver certificate import within one step when a new certificate is to be imported:

In IIS Manager interface go to :

Site, Properties, Directory Security, Server Certificate, Server Certificate Wizard

Click on

Next

Choose

import a certificate from a .pfx file, select and enter password.

Internet_Information_Server_IIS_Windows-SSL_Certificate-import-PKF-file

3. Import the PFX file into a Java keystore

Another thing you might need if you have the IIS Webserver using a backend Java Virtual Machine on the same or a different Windows server is to import the newly generated .PFX file within the Java VM keystore.

To import with keytool command for Java 1.6 type:

keytool -importkeystore -deststorepass your_pass_here -destkeypass changeit -destkeystore keystore.jks -srckeystore server.pfx -srcstoretype PKCS12 -srcstorepass 1234 -srcalias 1 -destalias xyz

Also the .CRT file could be directly imported into the Java keystore

Import a .crt in a Java keystore

/usr/java/jre/bin/keytool -import -keystore /webdienste/java/jdk/jre/lib/security/cacerts -file certificate.crt -alias Some alias

4. Get a list of Windows locally installed certificates

To manager installed certificates on Windows 7 / 8 / 2012 Server OS is to run command via

Start -> Run

certmgr.msc

certmgr_trca_windows_check-windows-installed-ssl-certificates

One other way to see the installed certificates on your Windows server is checking within

Internet Explorer

Go to Tools _(Alt+X) → Internet Options → Content → Certificates.

To get a a complete list of installed Certificate Chain on Windows you can use PowerShell

Get-ChildItem -Recurse Cert:

That's all folks ! 🙂

Tags: command, Converting, CRT, How to, java virtual machine, key file, need, password, PFX, use
Posted in File Convert Tools, IIS, System Administration, Various, Web and CMS, Windows | No Comments »

No space left on device with free disk space / Why no space left on device while there is plenty of disk space on drive – Running out of Inodes

Tuesday, November 17th, 2015

no_space_left-on-device-while-there-is-disk-space-running-out-of-file-inodes-unix_linux_file_system_diagram.gif

On one of the servers, I'm administrating the websites started showing some Mysql database table corrup errors like:

Table './database_name/site_news_list_com' is marked as crashed and last (automatic?) repair failed
…

The server is using Oracle MySQL server community stable edition on Debian GNU / Linux 6.0, so I first thought during work the server crashed either due to some bug issue in MySQL or it crashed due to some PHP cron job that did something messy. Thus to solve the crashed tables, tried using mysqlcheck tool which helped pretty fine, at many times whether there were database / table corruptions. I've run the following set of mysqlcheck commands with root (superuser) in a bash shell after logging in through SSH:

server:~# /usr/bin/mysqlcheck –defaults-extra-file=/etc/mysql/debian.cnf \–check –all-databases -u root -p`grep -i password /root/.my.cnf |sed -e 's#password=##g'`>> /var/log/cronwork.log
server:~# /usr/bin/mysqlcheck –defaults-extra-file=/etc/mysql/debian.cnf –analyze –all-databases -u root -p`grep -i password /root/.my.cnf |sed -e 's#password=##g'`>> /var/log/cronwork.log
server:~# /usr/bin/mysqlcheck –defaults-extra-file=/etc/mysql/debian.cnf \–auto-repair –optimize –all-databases -u root -p`grep -i password /root/.my.cnf |sed -e 's#password=##g'`>> /var/log/cronwork.log
server:~# /usr/bin/mysqlcheck –defaults-extra-file=/etc/mysql/debian.cnf \–optimize –all-databases -u root -p`grep -i password /root/.my.cnf |sed -e 's#password=##g'`>> /var/log/cronwork.log

In order for above commands to work, I've created the /root/.my.cnf containing my root (mysql CLI) mysql username and password, e.g. file has content like below:

[client]
user=root
password=MySecretPassword8821238

Btw a good note here is its generally a good idea (if you want to have consistent mysql databases) to automatically execute via a cron job 2 times a month, I've in root cronjob the following:

crontab -u root -l |grep -i mysqlcheck
04 06 5,10,15,20,25,1 * * /usr/bin/mysqlcheck –defaults-extra-file=/etc/mysql/debian.cnf \–check –all-databases –silent -u root -p`grep -i password /root/.my.cnf |sed -e 's#password=##g'`>> /var/log/cronwork.log 07 06 5,10,15,20,25,1 * * /usr/bin/mysqlcheck –defaults-extra-file=/etc/mysql/debian.cnf –analyze –all-databases –silent -u root -p`grep -i password /root/.my.cnf |sed -e 's#password=##g'`>> /var/log/cronwork.log 12 06 5,10,15,20,25,1 * * /usr/bin/mysqlcheck –defaults-extra-file=/etc/mysql/debian.cnf \–auto-repair –optimize –all-databases –silent -u root -p`grep -i password /root/.my.cnf |sed -e 's#password=##g'`>> /var/log/cronwork.log 17 06 5,10,15,20,25,1 * * /usr/bin/mysqlcheck –defaults-extra-file=/etc/mysql/debian.cnf \–optimize –all-databases –silent -u root -p`grep -i password /root/.my.cnf |sed -e 's#password=##g'`>> /var/log/cronwork.log

Strangely I got a lot of errors that some .MYI / .MYD .frm temp files, necessery for the mysql tables recovery can't be written inside /home/mysql/database_name

That was pretty weird and I thought there might be some issues with permissions, causing the inability to write, due to some bug or something so I went straight and checked /home/mysql/database_name permissions, e.g.::

server:/home/mysql/database_name# ls -ld soccerfame
drwx—— 2 mysql mysql 36864 Nov 17 12:00 soccerfame
server:/home/mysql/database_name# ls -al1|head -n 10
total 1979012
drwx—— 2 mysql mysql 36864 Nov 17 12:00 .
drwx—— 36 mysql mysql 4096 Nov 17 11:12 ..
-rw-rw—- 1 mysql mysql 8712 Nov 17 10:26 1_campaigns_diez.frm
-rw-rw—- 1 mysql mysql 14672 Jul 8 18:57 1_campaigns_diez.MYD
-rw-rw—- 1 mysql mysql 1024 Nov 17 11:38 1_campaigns_diez.MYI
-rw-rw—- 1 mysql mysql 8938 Nov 17 10:26 1_campaigns.frm
-rw-rw—- 1 mysql mysql 8738 Nov 17 10:26 1_campaigns_logs.frm
-rw-rw—- 1 mysql mysql 883404 Nov 16 22:01 1_campaigns_logs.MYD
-rw-rw—- 1 mysql mysql 330752 Nov 17 11:38 1_campaigns_logs.MYI

As seen from above output, all was perfect with permissions, so it should have been something else, so I decided to try to create a random file with touch command inside /home/mysql/database_name directory:

touch /home/mysql/database_name/somefile-to-test-writtability.txt touch: cannot touch ‘/scr1/data/somefile-to-test-writtability.txt‘: No space left on device

Then logically I thought the /home/mysql/ mounted ext4 partition got filled, because of crashed SQL database or a bug thus, checked with disk free command df whether there is enough space on server:

server:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/md1 20G 7.6G 11G 42% /
udev 10M 0 10M 0% /dev
tmpfs 13G 1.3G 12G 10% /run
tmpfs 32G 0 32G 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 32G 0 32G 0% /sys/fs/cgroup
/dev/md2 256G 134G 110G 55% /home

Well that's weird? Obviously only 55% of available disk space is used and available 134G which was more than enough so I got totally puzzled why, files can't be written.

Then very logically, I thought it might be that /home directory has remounted as read only, because the SSD memory disk on server is failing and checked for errors in dmesg, i.e.:

server:~# dmesg|grep -i error

Also checked how exactly was partition mounted, to check whether it is (RO) read-only:

server:~# mount -l|grep -i /home
/dev/md2 on /home type ext4 (rw,relatime,discard,data=ordered)

Now everything become even more weirder, as obviously the disk continued to be claiming no space left on device, while in reality there was plenty of disk space.

Then after running a quick research on the internet for the no space left on device with free disk space, I've come across this great superuser.com thread which let me realize the partition run out of inodes and that's why no new file inodes could be assigned and therefore, the linux kernel is refusing to write the file on ext4 partition.

For those who haven't heard of Linux Partition Inodes here is link to Wikipedia and a quick quote:

In a Unix-style file system, the inode is a data structure used to represent a filesystem object, which can be one of various things including a file or a directory. Each inode stores the attributes and disk block location(s) of the filesystem object's data.[1] Filesystem object attributes may include manipulation metadata (e.g. change,[2] access, modify time), as well as owner and permission data (e.g. group-id, user-id, permissions).[3]
Directories are lists of names assigned to inodes. The directory contains an entry for itself, its parent, and each of its children.

Once I understood it is the inodes, I checked how many of them are occupied with cmd:

server:~# df -i /home
Filesystem Inodes IUsed IFree IUse% Mounted on
/dev/md2 17006592 17006592 0 100% /home

You see, there were 0 (zero) free file inodes on server and that was the reason for no space left on device while there was actually free disk space

To clean up (free) some inodes on partition, first thing I did is to delete all old logs which were inside /home and files I positively know not to be necessery, then to find which directories allocating most innodes used:

server:~# find . -xdev -type f | cut -d "/" -f 2 | sort | uniq -c | sort -n

If you're on a regular old fashined IDE Hard Drive and not SSD or you have too much files inside this command will take really long …:

Therefore a better solution might be to frist:

a) Try to find root folders with large inodes count:

for i in /home/*; do echo $i; find $i |wc -l; done
Try to find specific folders:

You should get output like:

/home/new_website
606692
/home/common
73
/home/pcfreak
5661
/home/hipo
33
/home/blog
13570
/home/log
123
/home/lost+found
1
…

b) Then once you know the directory allocating most inodes, run the command again to see the sub-directories with most files (eating) partition innodes:

for i in /home/webservice/*; do echo $i; find $i |wc -l; done
…

One usual large folder which could free you some nodes is the linux source headers, but in my case it was simply a lot of tiny old logs being logged on the system for few years in the past without cleaning:

After deleting the log dirs and cache folder in my case /home/new_website/{log,cache}:

server:~# rm -rf /home/new_website/log/*
server:~# rm -rf /home/new_website/cache/*

a) Then, stopping Apache webserver to check prevent Apache to use MySQl databases while running database repair and restaring MySQL:

server:~# /etc/init.d/apache2 stop Restarting MySQL server
..
server:~# /etc/init.d/mysql restart
..

b) And re-issuing MySQL Check / Repair / Optimize database commands:

mysqlcheck –defaults-extra-file=/etc/mysql/debian.cnf \–check –all-databases -u root -p`grep -i password /root/.my.cnf |sed -e 's#password=##g'`>> /var/log/cronwork.log
…
mysqlcheck –defaults-extra-file=/etc/mysql/debian.cnf –analyze –all-databases -u root -p`grep -i password /root/.my.cnf |sed -e 's#password=##g'`>> /var/log/cronwork.log
…
mysqlcheck –defaults-extra-file=/etc/mysql/debian.cnf \–auto-repair –optimize –all-databases -u root -p`grep -i password /root/.my.cnf |sed -e 's#password=##g'`>> /var/log/cronwork.log
…
mysqlcheck –defaults-extra-file=/etc/mysql/debian.cnf \–optimize –all-databases -u root -p`grep -i password /root/.my.cnf |sed -e 's#password=##g'`>> /var/log/cronwork.log
…

c) And finally starting the Apache Webserver again:

server:~# /etc/init.d/apache2 start

Some innodse got freed up:

server:~# df -i /home Filesystem Inodes IUsed IFree IUse% Mounted on
/dev/md2 17006592 16797196 209396 99% /home

And hooray by God's Grace and with help of prayers of The most Holy Theotokos (Virgin) Mary, websites started again !

Tags: blog, cnf, command, count, cron job, disk space, Filesystem Size Used Avail Use Mounted, home, home directory, left, Linux Partition Inodes, linux partition run out of inodes, log, logs, no free space left while there is disk space on disk linux, password, plenty, quote, Restarting Mysqsl, root, running, servers, tmpfs, usr bin, var
Posted in Curious Facts, Everyday Life, Linux, Performance Tuning, Remote System Administration, System Administration, Various, Web and CMS | 1 Comment »

Check and log routinely multiple servers load avarage for Linux / UNIX server overloads

Friday, March 13th, 2015

It is a very useful thing if you have to administer a large group of Linux / UNIX servers and you're not running web monitoring such as Nagios / Icinga / Munin / monit to Raise Email or other kind of Alert / Warning notices to periodically check the system load avarage with uptime command and log to a file and if necessery send emails in case if some server too high load avarage is matched on servers.

Below little script could be a basis for development of a script to raise email SMS alerts in case if a Linux / BSD / UNIX system gets CPU overloaded.

#!/bin/bash
user='G18134';
pass='#7';
commands_to_exec='uptime; uname -a; cat /proc/cpuinfo |grep -i proc|wc -l';
all_servers_f='all_servers_list.txt';
log='server_load.txt';
cat /dev/null > $log;
while read line; do echo "-=== Server $line ===-" | tee -a $log; sshpass -p $pass ssh $user@$(echo $line) $commands_to_exec < /dev/null | tee -a $log; done < $all_servers_f

The run_commands_on_multiple_servers.sh script is available for download also is here. The script can be easily adopted to run any other commands or trigger alerts, anyways if you need something more complex I would recommend to still stick to monit (utility for monitoring servers on UNIX system / Zabbix etc.

To be working the script requires to have sshpass (tool) installed as it uses it to pass the SSH credentials password to remote server. Note that you have to keep the script with strong permissions if other people have access to your home folder as this might reveal password and help someone to hack into your servers. The script is very useful if you have to login and execute a command to multiple UNIX group servers behind DMZed (Firewall) Zone only through a Windows HOP machine as it works out of the box with latest versions of MobaXTerm (which is a Windows Terminal client that absolutely rox and the SWIFF Army knfie of the Windows Admin who comes from a Linux background ! 🙂

Tags: avarage, Below, case, command, login, multiple, password, script, servers, something, ssh, unix
Posted in Everyday Life, FreeBSD, Linux, Linux and FreeBSD Desktop, Monitoring, Networking, Programming, System Administration, Various | No Comments »

How to SSH client Login to server with password provided from command line as a script argument – Running same commands to many Linux servers

Friday, March 6th, 2015

ssh-how-to-login-with-password-provided-from-command-line-use-sshpass-to-run-same-command-to-forest-of-linux-servers

Usually admins like me who casuanlly need to administer "forests" (thousands of identicallyconfigured services Linux servers) are generating and using RSA / DSA key authentication for passwordless login, however this is not always possible as some client environments does prohibit the use of RSA / DSA non-pass authentication, thus in such environments to make routine server basic package rpm / deb upgrades or do other maintanance patching its necessery to use normal ssh user / pass login but as ssh client doesn't allow password to be provided from prompt for security reasons and therefore using some custom bash loop to issue single command to many servers (such as explained in my previous article) requires you to copy / paste password on password prompt multiple times. This works its pretty annoying so if you want to run single command on all your 500 servers with specifying the password from password prompt use sshpass tool (for non-interactive ssh password auth).

SSHPASS official site description:

sshpass is a utility designed for running ssh using the mode referred to as "keyboard-interactive" password authentication, but in non-interactive mode.

Install sshpass on Debian / Ubuntu (deb based) Linux

sshpass is installable right out of regular repositories so to install run:

apt-get install —yes sshpass

Install sshpass on CentOS / Fedora (RPM based) Linux

sshpass is available also across most RPM based distros too so just use yum package manager

yum -y install sshpass

If its not available across standard RPM distro provided repositories, there should be RPM on the net for distro just download latest one and use wget and rpm to install:

wget -q http://dl.fedoraproject.org/pub/epel/6/x86_64/sshpass-1.05-1.el6.x86_64.rpm

rpm -ivh sshpass-1.05-1.el6.x86_64.rpm

How Does SshPass Works?

Normally openssh (ssh) client binary uses direct TTY (/dev/tty)= an abbreviation for PhyTeleTYpewriter or (the admin jargon call Physical Console access) instead of standard remotely defined /dev/pts = Virtual PTY.
To get around this Sshpass runs ssh in a dedicated TTY to emulate the password is indeed issues by interactive keyboard user thus fooling remote sshd server to thinking password
is provided by interactive user.

SSHPass use

Very basic standard use which allows you to pass the password from command line is like this:

sshpass -p 'Your_Password_Goes_here123' ssh username@server.your-server.com

Note that the server you're working is shared with other developers they might be able to steal your username / password by using a simple process list command such as:

ps auxwwef
…

In my case security is not a hot issue, as I'm the only user on the server (and only concern might be if someone hacks into the server 🙂

Then assuming that you have a plain text file with all your administered servers, you can easily use sshpass in a Bash Script loop in order to run, lets say a package upgrade across all identical Linux version machines:

while read line; do
sshpass -p 'Your_Password_Goes_here123' ssh username@$line "apt-get update && apt-get upgrade && apt-get dist-upgrade" < /dev/null;
done < all_servers_list.txt

Change the command you like to issue across all machines with the string "apt-get …"
Above command can be used to keep up2date all Debian stable server packages. What you will do on servers is up to your imaginations, very common use of above line would be if you want to see uptime /netstat command output across all your network servers.

while read line; do
sshpass -p 'Your_Password_Goes_here123' ssh username@$line "uptime; who; netstat -tunlp; " < /dev/null;
done < all_servers_list.txt

As you can guess SshPass is swiss army knife tool for admins whoneed to automate things with scripts simultaneously across number of servers.

Happy SSH-ing 🙂

Tags: authentication, command, description, forest, Install, line, Linux, network servers, official, password, rpm, script, server, server packages, username, www
Posted in Everyday Life, Linux, Programming, System Administration, Various | No Comments »

Turn your Windows PC / notebook to Wireless Router with My Wifi Router 3.0 and TP-Link TL-WN722N

Wednesday, January 7th, 2015

my-wifi-router-3.0-turn-regular-windows-notebook-to-wifi-router

I've been to home of my wife's parents and for this Christmas, they have received second hand Acer Aspire notebook as a Christmas gift. So far they were using internet using their Windows XP PC which is getting internet here in Belarus via UTP network cable using ByFly ZTE ADSL router modem. As ADSL modem lacked wifh WI-FI Antenna (support) and there was already the Acer notebook which had to access the internet preferrably via Wireless connection, the option was to get a WI-FI router and connect it to the ADSL modem but as this would cost (20 EUR at minimum) and there was alreay Wireless (Receiver) adapter TP-LINK TL-WN722N unused, I decided to try make the TP-LINK Receiver and Windows XP PC to act as a small Home Made Wireless (software) router.

Until I succeeded I've tried multiple softwares which all failed to turn the Windows PC to Wi-Fi Hotspot.
Here is list of few of the softwares I tried that didn't worked for some reason:

1. Wifi HotSpot Creator

Turn your PC into a Wi-Fi Router for Free!

Instantly share your internet connection with your friends and peers over Wi-Fi. Turns your PC into a Wi-Fi Router! And its Free! Wifi HotSpot Creator is said to be able to convert any Mac OS X and Windows PC to hotspot here is Wifi HotSpot Creator download website
Wifi HotSpot Creator is said to work with Windows Vista / XP / 7 / 8, however as I said it doesn't work for me on Windows XP.

2. Virtual Wifi router

Here is

With Virtual WiFi Router you can create a WiFi hotspot for WiFi Reverse Tethering on Windows 7 and for wifi supported mobiles and other wifi enabled computer to create a network and to share internet. Virtual Wifi Router in a minute converts your PC into a WiFi hot spot for free.

To make the program working it depends on .NET 4.5. Though the program looked like a superb it unfortunately was crashing on Windows XP. Below are few screenshots from program working on Windows 7.

virtual-wifi-router-screenshot

virtual-wifi-router-connected-device-screenshot-windows
3. My Wifi Router 3.0

Finally I've come across My Wifi Router 3.0 which is just another program that makes necessery Windows configuration to TP-Link TL-WN722N Wireless receiver Adapter to turn it into a homemade Wi-Fi router.
my-wifi-router-on-windows-xp-desktop-pc-noteboko-creenshot

By default Amiss_papp Wifi is configured, this can be changed, however in my case when I tried changing it there were some issues, so finally I've had to re-install My Wifi Router to make it working again.
Once configured My Wifi Router there is the green button (Activate / Deactivate Free Wifi) as seen from screenshot.

As you can see My Wifi Router also allows to Share Videos over WiFi. Once I've tested the program and confirmed it as working, I had to configure it to automatically start on Windows PC boot.

This is done from Settings (located on backward triangle button, next to minimize function).
I had to set check in to Auto Start and Software Conflict Detection.

make-windows-pc-with-wireless-wifi-router-my-wifi-router-settings-screenshot

Once connected to the TP-Link TL-WN722N (USB) Wi-Fi (High Gain) Receiver adapter in Windows Tray a new indicator will popup that a device has been connected. I've tested My Wifi Router and it seem to be working fine with 3 remote connected Wi-Fi devices (1 Notebook and 2 Nokia Lumia mobile phones). The speed of internet was fast and if I didn't know the connection is done in a software way via such an improvised Windows XP Wi-Fi network router I would think it is just a regular Wi-Fi network router.

One more thing I had to do to make the internet working I had to share the the LAN Network (ethernet card) Interface's internet from

Control Panel -> Networking -> Local Area Connection (Properties) -> Advanced

A downside of My Wifi Router is I couldn't find a way to save password while connection to the newly created WiFi router with it, so each time I had to login I had to manually type in the password (default my wifi router password is 123567890). Re-typing password on each login is annoying but if you have to do it once per day in the morning when you turn on your notebook it is not such a big deal.

Once connected to My Wifi Router in Connection Management in Friends (tab) you will see a list with connected devices.

my-wifi-router-on-windows-xp-with-htc-and-ipad-iphone-connected
As visible from above screenshot default IPs which will be assigned to new connected clients to My Wifi Router will be in local network IP range 192.168.23.2 – 192.168.23.254.

Now all left is to Enjoy your new Software Wi-Fi router 🙂

Tags: function, make, multiple, password, Pc, program, screenshot, turn, Windows Tray, working
Posted in Entertainment, System Administration, Various, Windows | 3 Comments »

Skype Log Out on All devices howto / Sign off from Skype on old forgotten device – Skype All Hidden Commands List

Friday, December 12th, 2014

Skype-log-out-all-logged-in-devices-users-sign-off-from-skype-on-old-forgotten-device-show-all-hidden-skype-commands
I run into a funny case I went to see some friends in another City and used their Samsung Tablet for some Skype Chatting and few Skype Calls.
When logging in I forgot to untick the "Save password" tick and when I left the city and travelled to my home I saw on my wife's Skype (who has my username) logged in that still my Skype keeps logged in. In other words Skype shows I'm online even though I was not really connected.

I remembered I forgot to logoff Skype from the Tablet, so any time the tablet was connected to the internet or restarted Skype started I was automatically logged in Skype. This was pretty annoying because many people write me when I'm in fact offline and the messages end up in the tablet and I'm not answering making truly a bad impression (many friends and relatives, think I'm rude for not answering and even started being angry with me without me knowing why …)

To solve the situation, I had to use /remotelogout Skype Chat Windows command which is not visible as standard commands:

/remotelogout

remote-logout-skype-loggedin-users-or-fix-skype-shows-online-even-thoguh-am-not-connected2.

This command logout all users logged in any device ( Android / iPhones Mobile Phones etc.) so afterwards, one can be sure you're logged in just from one device (the current one from where you execute the command)

To be absolutely sure, there are no other devices logged in with your credentials there is also /showplaces command:

/showplaces

You have 1 online endpoints:
{6934eadb-3eec-e001-4bc6-064e0552018f} 'WINDOWSVM' (Windows Skype)

remote-logout-skype-loggedin-users-or-fix-skype-shows-online-even-thoguh-am-not-connected

The standard commadns shown in Skype help with /help typed in on any userchat opened Window are:

/help
Available commands:
/me [text]
/add [skypename+]
/alertson [text]
/alertsoff
/help

However there is another less known Complete list of supported Skype (Hidden) commands you can use to imitiate most of GUI Skype motions + a lot of info you can get only via those commands, here it is:

Command	Description
/add [Skype Name]	Adds a contact to the chat. For instance:/add alex_cooper1 will add that member to the chat.
/alertson [text]	Allows you to specify what needs to appear in a chat for you to be notified. For example, /alertson London will only alert you when the word “London” appears in the chat.
/alertsoff	Disable message notifications.
/clearpassword	Removes the password security.
/find [text]	Finds specific text in a chat. For example,/find Charlie will return the first instance of the word “Charlie” in the chat.
/get allowlist	Details people with access to the chat.
/get banlist	Details people banned from the chat.
/get creator	Details the person who created the chat.
/get guidelines	See the current chat’s guidelines.
/get options	Details active options for current chat – see /set options below for a list of the options available.
/get password_hint	Get the password hint.
/get role	Details your role in the chat.
/get uri	Creates a URL link that other people can use to join the group chat.
/golive	Starts a group call with other participants of the chat.
/info	Details number of people in chat and maximum number available.
/kick [Skype Name]	Eject chat member. For instance,/kick alex_cooper1 will eject that member from the chat.
/kickban [Skype Name]	Ejects chat member and prevents them from rejoining chat. For instance,/kickban alex_cooper1 will eject that member from the chat and ban them from rejoining.
/leave	Leave current group chat.
/me [text]	Your name will appear followed by any text you write. For instance, /me working from home will cause the phrase “working from home” to appear next to your name in the chat. You can use this to send a message about your activities or status.
/remotelogout	Sign out all other instances except the current one. This will also stop push notifications on all other instances.
/set allowlist [[+\|-]mask] ..	Sets the members allowed in the chat. For instance, /set allowlist +alex_cooper1 will allow that member to join the chat.
/set banlist [[+\|-]mask] ..	Sets which members are banned from the chat. For instance, /set banlist +alex_cooper1 will ban that member from the chat. /set banlist -alex_cooper1will allow them to rejoin it.
/set guidelines [text]	Set a chat’s guidelines. For instance, /set guidelines No spoilers! These can be returned to be viewed in the chat by the command /get guidelines.
/set options [[+\|-]flag]	Sets options for this chat. For example: /set options -JOINING_ENABLED switches off the JOINING_ENABLED option, while /set options +JOINERS_BECOME_APPLICANTS will switch on the JOINERS_BECOME_APPLICANTS option.

The available flags to commands are listed below:
	HISTORY_DISCLOSED – Joiners can see the conversation that took place before they joined. The limit that they can see is either 400 messages or two weeks of time, depending on which is reached first.
	JOINERS_BECOME_APPLICANTS – New users can join the chat, but cannot post or receive messages until authorized by a CREATOR or MASTER (see the table below for more information on roles).<
	JOINERS_BECOME_LISTENERS – New users can receive messages but cannot post any until promoted to the USER role.
	JOINING_ENABLED – New users can join the chat.
	TOPIC_AND_PIC_LOCKED_FOR_USERS – Only a user with a CREATOR role will be able to change the topic text or accompanying picture for the chat.
	USERS_ARE_LISTENERS – Users with a USER role will be unable to post messages.
/set password [text]	Create a password (no spaces allowed).
/set password_hint [text]	Create the chat’s password hint text.
/setpassword [password] [password hint]	Create a password and password hint for the chat.
/setrole [Skype Name] MASTER \| HELPER \| USER \| LISTENER	Allows you to set a role to each chat member. A description of roles is given in the table below.
/showplaces	Lists other instances where this Skype name is currently signed in.
/topic [text]	Changes the chat topic.
/undoedit	Undo the last edit of your message.
/whois [Skype Name]	Provides details about a chat member such as current role.
/fa or /	Repeats the last search.
/history	Loads the complete chat history into the active chat window.
/htmlhistory	Generates a HTML file of the chats history and opens it in the browser. Skype 4: not iplemented in this version anymore.
/clear	Clears the chat window.
/goadmin	Enters the administration mode of the chat (only if creator) and adds a small text “Creator” to the user-icon in the chat. I didn’t find so far a way to leave this mode again. According to the Skype documentation the only effect is the “Creator” tag but I’m not so sure about that.
/dbghelp	Outputs a list of (debug?) commands but without description.
/showmembers	Lists all members of the chat with their currently assigned role.
/showstatus	Prints some infos about the current conversation. Conversation convoi id, Consumption horizon, History date and Message count.
/showname	Displays the name of the original conversation
/verify	Shows some text about missing messages on my computer. Maybe checks the message-database for validity.
/golive [token]	(since Skype4?) Opens a management window in a group conversation which allows to handle conference calls. The sense of the (optional) token is not yet clear to me but seems to give you a link which you can share to others and allow them to join the conference.
/fork [skypename/s]	(since Skype5?) Duplicates the current group chat leaving out the contacts which are added to this command.
/fork [skypename/s]	(since Skype5?) Duplicates the current group chat leaving out the contacts which are added to this command.
/showplaces	Displays a list of the currently online Skype instances using this Skype name (and have Skype version >=6 or recent mobile versions).
/remotelogout	Logs out all other currently online Skype instances which are using this Skype name (and have Skype version >=6 or recent mobile versions).
/get listeners	Shows the list of listeners set with previous command.
/golive [name]	this command starts a call with other participants of the chat. It’s your choice to indicate a call name or not.
/undoedit	undo a edit made to the chat

Other thing you might not know is there are Skype hidden emoticons
For more see official skype help.chathelp.

Tags: chat history, command, conversation, creator, emoticons, help, hidden, instances, list, password, role, rsquo, see who uses your skype without you knowing, Skype, Skype Calls, skype hdiden command, skype hidden emoticons, skype logoff lenovo table, skype logoff remote devices, skype logoff remote logged in mobile phone, skype logoff remote loggedin user linux, skype remove remote login from unknown devices, text, WINDOWSVM
Posted in Curious Facts, Everyday Life, Skype on Linux, Various | 4 Comments »

Creating multi-part zip archives in Linux with 7zip command to transfer large zip files data in parts

Monday, December 1st, 2014

creating-multi-part-zip-archives-in-Linux-debian-ubuntu-fedora-centos-rhel-with-7z-command-to-transfer-large-files-data-in-parts
Recently, I've blogged on how to move large files from source to destination server in parts on a slow / restricted networks or whenever the media is limtied in size. This is not a common scenario but it happens so if you're admin sooner or later you will need that. I give example with UNIX's split and unrar. However strip's file naming can get you insane (in case if you don't want to use cstrip command – split a file into sections determined by context lines instead) plus normal split Linux / *nix command doesn't support compression and encryption. On the other side on many Company internal Networks with Windows server hosts running – Winblows (2003, 2008, 1012) for security purposes it might be that WinRar is not installed, thus you might need to transfer the file parted between the GNU / Linux server and Windows server in standard OS supported by Windows ZIP format. Assuming that you have root (admin) access to the Linux host you can then archive your file in parts using ZIP encryption algorithm with 7zip.

1. Installing 7zip on CentOS / Fedora / RHEL and other Redhat based Linuces

If the Linux server is running:
Fedora / CentOS / RHEL and you don't have 7zip installed yet install it with:

yum -y install p7zip

According to distros version it might be the name could be a bit different if p7zip is different to find the one you need search with:

yum search p7zip

and install whatever you need

2. Installing 7zip on Debian / Ubuntu and other Debian based servers

apt-get install –yes p7zip-full

Depending on Deb based distro just like with fedora if p7zip-full pack is not installable, check 7zip's package distro version:

apt-cache search p7zip

3. Archiving ZIP file in multiple (sized) parts on GNU / Linux

7z a -v512m Large-file-separated-in-multi-parts.zip Large-Many-Gigabytes-File.SQL

This would output multiple files:

Large-file-separated-in-multi-parts.zip.001, Large-file-separated-in-multi-parts.zip.002, Large-file-separated-in-multi-parts.zip.003, Large-file-separated-in-multi-parts.004 etc.

If you want to add security to the transferred file to protect newly created ZIP archive with password use following command:

7z a -v512m Large-file-separated-in-multi-parts.zip Large-Many-Gigabytes-File.SQL

7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=bg_BG.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)
Scanning

Creating archive Large-file-separated-in-multi-parts.zip

Enter password (will not be echoed) :
…

Once you have transferred all the many parts via (SSH/ FTPS or not preferrably HTTP / HTTPS / FTP) place them in the same folder and use Windows standard ZIP to unarchive.

If the archived 7zip files are to be unarchived on another Linux host (in case if multi part zip transfer is between Linux -> Linux hosts) to unarchive, parted files:

7z x Large-file-separated-in-multi-parts.zip.* …

Tags: case, Creating, data, file, Linux, need, password, root admin, security, SQL, use, Windows, zip
Posted in Everyday Life, Linux, Linux and FreeBSD Desktop, System Administration, Various, Windows | 1 Comment »

☩ Walking in Light with Christ – Faith, Computing, Diary

Posts Tagged ‘password’

How to Install ssh client / server on Windows 10, Windows Server 2019 and Windows Server 2022 using PowerShell commands

Install OpenSSH using PowerShell

Start and configure OpenSSH Server

Connect to OpenSSH Server

How to convert .CRT SSL Certificate to .PFX format (with openssl Linux command) and Import newly generated .PFX to Windows IIS Webserver

Turn your Windows PC / notebook to Wireless Router with My Wifi Router 3.0 and TP-Link TL-WN722N

Daily Bible quote

GET ARTICLE UPDATES

Useful blog? Help it:

Links to Other Places

Recent Posts

Ads

Categories

About Myself

Recent Comments

Top Post Views

blogtopsites