Just is a “handy way to save and run project-specific commands.”
https://github.com/casey/just#installation
Just is similar to make. On Ubuntu you can install it from the Snap store, however you’ll need install it with the following options.
sudo snap install --edge just --classic
The following is some basic info on STP and RSTP. This list is not comprehensive. Refer to the link at the bottom of the page for more in depth details.
Default Priority is 32768 + VLAN ID
For example, if we are using vlan 10, then our default priority is 32768 + 10 = 32778
RSTP Priority can be set from 0 – 61440 in increments of 4096.
Ports can fill 1 of 4 roles.
| Port Role | Description |
| Root Port | Port closest to the Root Bridge (Switches going to the Root switch) |
| Designated Port | Ports going away from the Root Bridge (To clients) |
| Alternate Port | A “backup” port for the Root port. If the Root Port fails, this port takes over |
| Backup Port | Essentially a backup port for the designated port |
A port can be in one of 3 states. Well technically 4 states if you include down/unplugged.
| Port State | Description |
| Discarding | Port discards packets (Alternate and Backup Ports) |
| Learning | Port learns MACs and doesn’t forward data |
| Forwarding | Port forwards data and learns MACs |
There are 3 port Types. Not to be confused with port States or Roles.
| Port Type | Description |
| Point to Point | Switch to Switch |
| Point to Point Edge | Edge of Network. Connected to a PC, Printer etc. |
| Shared | Half Duplex, Port connected to a Hub |
There are three RSTP timers. STP has the same timers, but the MaxAge is 10 seconds, and the Forward Delay is used for both Learning and Listening states which takes a total of 30 seconds to complete.
| Timer Name | Default Value | Description |
| Hello Timer | 2 Seconds | Time between Hellos created by Root |
| MaxAge | 6 Seconds (Hello Timer * 3) | How long a Switch should wait before trying to readjust the network |
| Forward Delay | 15 Seconds | Delay used for Learning/Listening in STP. Shouldn’t be necessary if legacy bridges are not used. |
There are technically two types of cost. The newer cost values were introduced so we could use faster ethernet speeds.
By default Cisco switches use the old cost values, but they can be changed to use the new ones.
spanning-tree pathcost method long
| Ethernet Speed | Old Cost | New Cost |
| 10 Mbps | 100 | 2,000,000 |
| 100 Mbps | 19 | 200,000 |
| 1 Gbps | 4 | 20,000 |
| 10 Gbps | 2 | 2000 |
| 100 Gbps | N/A | 200 |
| 1 Tbps | N/A | 20 |
More information can be found at the following link.
https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24062-146.html
This error can show up on Windows if you have already copied a file with the same name. To fix the issue, just copy it to a file with a different name. Change cap.pcap to cap1.pcap and so forth as needed.
scp user@192.168.1.20:/tmp/tcp.pcap .\cap1.pcap
The following is a very basic guide for setting up Fail2ban for SSH.
Install Fail2ban
sudo dnf install fail2ban
You may need to install the epel repo
sudo yum install epel-release
Configure to run on system boot
sudo systemctl enable fail2ban
Start Fail2ban service
sudo systemctl start fail2ban
Copy config file with
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Modify the config file
nano /etc/fail2ban/jail.local
Uncomment the following line and add any IPs that need to be whitelisted
ignoreip = 127.0.0.1/8 ::1 192.168.1.20
Save the file and restart Fail2Ban
sudo systemctl restart fail2ban
Create a new jail file in /etc/fail2ban/jail.d/ called sshd.local
nano /etc/fail2ban/fail.d/sshd.local
Add the following. Note: if you are using a custom ssh port, change “port = ssh” to “port = portnumber”
[sshd] enabled = true port = ssh action = iptables-multiport logpath = /var/log/secure maxretry = 5 bantime = 300
Restart Fail2ban
sudo systemctl restart Fail2ban
You can list the firewall rules to verify that an IP gets banned.
iptables -S | grep ipaddress
You can unban an IP address with the following command.
sudo fail2ban-client set sshd unbanip 192.168.1.100
You can check out the following link for more information
For some reason Ubuntu server didn’t use all the available disk space while installing. Thankfully this is an easy fix.
sudo lvextend –resizefs -l +100%FREE ubuntu-vg/ubuntu-lv
If the Volume Group or LVM Volume is different, you will need to change the name in the above command. You can use the “sudo pvdisplay” and “sudo lvdisplay” to show you details about your volumes.
https://unix.stackexchange.com/questions/664486/lvm-root-partition-only-uses-half-the-volume-size
Bob is the companies local Linux administrator. He has been tasked with creating a secure shared SFTP folder so members in the R&D department can securely collaborate on “The New Project”.
Bob immediately recognizes a potential difficulty. If Steve and John are working on a prototype, how will John be able to edit Steve’s file if the user permissions are set to only allow John to read?
Bob first goes to the break room to locate a coffee mug.
After consulting Google and the man pages for sftp, sftp-server, sshd_config, sshd he found out what he needed to do.
First Bob needed a directory to hold the R&D files.
mkdir /sftp/rdshare mkdir /sftp/rdshare/files/ chown 755 /sftp/rdfiles
For some reason, he ran into issues with the folder getting set to the 775 permission which caused issues with logging in. Manually changing it to 755 fixed that issue.
Now Bob needs a user group to add everyone to.
sudo groupadd rdsftp
Now on to creating the users. Since we are just using the accounts for SFTP, we are setting the nologin option. None of these users will be able to use ssh to log on to the server.
sudo useradd -g rdsftp -s /sbin/nologin -M sftpadmin passwd sftpadmin
Repeat for John, Steve, Jill, etc…
Use the sftpadmin user as an “admin” user and change the “home” directory permissions
chown -R adminuser:rdsftp /sftp/rdfiles
There are a couple things that need to be changed in the sshd_config file to make this all work.
sudo vi /etc/sshd_config
At the bottom of the file, Bob adds
# R&D SFTP share settings
Match Group rdsftp
ChrootDirectory /sftp/rdshare/ # <- chroots the users into this directory
ForceCommand internal-sftp -u 0002 # <- -u for umask. Needed so users have write permissions for all files
This will chroot all the users into the /sftp/rdshare directory which makes /sftp/rdshare the users / directory.
The -u umask option is the secret for getting all the users to manage all the files. Without it, John would not be able to update Steve’s inventory file.
Now we can restart the ssh server
sudo systemctl resart sshd
And verify that john can log in.
sftp john@localhost
Any existing sessions will need to be terminated for the changes to take effect.
Further reading.
https://askubuntu.com/questions/982123/multiple-owner-of-same-folder
https://www.tothenew.com/blog/how-to-set-up-shared-folderrepository-between-two-or-more-users-on-linux/
https://medium.com/linuxstories/linux-how-to-setup-an-sftp-server-37e6fb91649b
https://linuxandevops.wordpress.com/2017/07/30/ssh-scp-sftp-connections-and-file-permissions-part-2/
Bob has a computer running Fedora. When he installed Fedora he didn’t setup the root password and locked the root account. That is best practice. Right? Then one day he goes to upgrade to the latest version of Fedora and types in
sudo dnf update
and is greeted with
What happened? I had access before? Bob thinks to himself. Seems like I am not in the wheel group anymore. Bob being a smart person decides to attempt recovery mode. He’ll boot up and just readd his user to the wheel group.
Recovery mode starts up and then fails due to the root account being locked. What?!
Bob then starts talking to himself as he is in need of some expert advice. What other options do I have. I know! He runs to find his handy dandy Live Fedora pen drive. Plugs it in and boots up into a live version of Fedora. Now I can mount and access the main drive.
But wait, I can’t run “usermod -G wheel bob” because that will only affect the Live System. I could chroot into the drive. That would require mounting some extra mount points. Is there a faster way? We could maybe edit the /etc/group and add “wheel:x:10:bob”. That should add bob back to the wheel group. Right?
Wait, what about the sudoers file. We are normally supposed to use “sudo visudo” command to modify the file. Let’s check the file and see if we can just manually edit it.
$ stat -c "%n %a" /etc/sudoers /etc/sudoers 440 $
Hmm, okay I am going to need to change permissions to save the file. Let’s chmod that to 644 temporarily
$ sudo chmod 644 /etc/sudoers
Alright now I should be able to edit it.
$ sudo vi /etc/sudoers
Okay, now I need to explicitly give myself permission to use sudo. Where is that line. Ah-ha!
root ALL=(ALL) ALL
Lets duplicate that with yy and p, replace root with my username.
root ALL=(ALL) ALL bob ALL=(ALL) ALL
Save that with esc then :wq enter
Now change the file permissions back
sudo chmod 400 /etc/sudoers
Reboot the system and now lets login and test sudo.
$ sudo whoami root
Success!
Bob, satisfied that the problem is resolved, rewards himself by getting a sandwich.
sudo make me a sandwich
https://docs.fedoraproject.org/en-US/quick-docs/root-account-locked/
Adding a directory to your path is really easy.
The following command adds the ~/script_folder to our PATH paths. Once run, we’ll be able to call any script in the script folder like it was a system utility.
PATH="$HOME/script_folder/:$PATH"
If you would like to always be able to call any file in your scripts folder, add the above command to your ~/.bashrc file.
You may need to restart your session for it to work.
Issue was not being able to import a video into Peertube using a URL.
Peertube was set up to use youtube-dl which is in /var/www/peertube/storage/bin/youtube-dl. Further investigation showed that Peertube calls it with python.
For example
python youtube-dl video-to-download
Usually Python refers to Python 2 where as Python3 refers to Python 3.
We can create a symlink so that python = python3
sudo ln -s /usr/bin/python3 /usr/bin/python
This way when Peertube runs python, it technically will run it with python3.
Note you will probably run into issues if you do have Python 2 installed and need it. In my case, python was not installed and didn’t reference anything.
The following links were helpful in setting things up.
https://doc.powerdns.com/recursor/running.html
https://www.reddit.com/r/linuxadmin/comments/9lc4jl/logging_queries_in_pdnsrecursor/
First we need to find the line that says “disable-syslog” and uncomment/change it to
disable-syslog=no
Next find the line that says “quiet” and uncomment/change it to
quiet=no
Some other lines you may want to check and change
logging-facality=1
loglevel=6
Next we need to modify the Systemd unit file to allow PowerDNS Recursor to log to syslog.
systemctl edit --full pdns-recursor.service
On the ExecStart Line, remove the part that says
--disable-syslog
The resulting line should look something like
[Service]
ExecStart=/usr/sbin/pdns_recursor --socket-dir=%t/pdns-recursor --socket-dir=%t/pdns-recursor --daemon=no --write-pid=no --log-timestamp=no
Save the file.
Edit the rsyslog file
sudo vim /etc/rsyslog.conf
Add the following line
local1.* /var/log/pdns_recursor.log
This should now log all of the PowerDNS Recursor log info to “/var/log/pdns_recursor.log”
Restart the rsyslog and PowerDNS Recursor service
sudo systemctl restart rsyslog sudo systemctl restart pdns-recursor
You should now see DNS request in the log file.
tail /var/log/pdns_recursor.log
They should also show up in the “/var/log/messages”