Category Archives: Linux

RSTP Alternative Port vs Backup Port

Posted on by
Reply

The following is some basic info on STP and RSTP. This list is not comprehensive. Refer to the link at the bottom of the page for more in depth details.

RSTP Priority

Default Priority is 32768 + VLAN ID

For example, if we are using vlan 10, then our default priority is 32768 + 10 = 32778

RSTP Priority can be set from 0 – 61440 in increments of 4096.

RSTP Port Roles

Ports can fill 1 of 4 roles.

Port RoleDescription
Root PortPort closest to the Root Bridge (Switches going to the Root switch)
Designated PortPorts going away from the Root Bridge (To clients)
Alternate PortA “backup” port for the Root port. If the Root Port fails, this port takes over
Backup PortEssentially a backup port for the designated port
RSTP Port Roles

RSTP Port States

A port can be in one of 3 states. Well technically 4 states if you include down/unplugged.

Port StateDescription
DiscardingPort discards packets (Alternate and Backup Ports)
LearningPort learns MACs and doesn’t forward data
ForwardingPort forwards data and learns MACs
RSTP Port States

RSTP Port Types

There are 3 port Types. Not to be confused with port States or Roles.

Port TypeDescription
Point to PointSwitch to Switch
Point to Point EdgeEdge of Network. Connected to a PC, Printer etc.
SharedHalf Duplex, Port connected to a Hub
STP/RSTP Port Types

RSTP Timers

There are three RSTP timers. STP has the same timers, but the MaxAge is 10 seconds, and the Forward Delay is used for both Learning and Listening states which takes a total of 30 seconds to complete.

Timer NameDefault ValueDescription
Hello Timer2 SecondsTime between Hellos created by Root
MaxAge6 Seconds (Hello Timer * 3)How long a Switch should wait before trying to readjust the network
Forward Delay15 SecondsDelay used for Learning/Listening in STP. Shouldn’t be necessary if legacy bridges are not used.
RSTP/STP Timers

Port Cost

There are technically two types of cost. The newer cost values were introduced so we could use faster ethernet speeds.

By default Cisco switches use the old cost values, but they can be changed to use the new ones.

spanning-tree pathcost method long
Ethernet SpeedOld CostNew Cost
10 Mbps1002,000,000
100 Mbps19200,000
1 Gbps420,000
10 Gbps22000
100 GbpsN/A200
1 TbpsN/A20
STP/RSTP Path Cost

More information can be found at the following link.

https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24062-146.html

Install and Configure Fail2ban on Fedora/CentOS/RedHat

Posted on by
Reply

The following is a very basic guide for setting up Fail2ban for SSH.

Install and basic config

Install Fail2ban

sudo dnf install fail2ban

You may need to install the epel repo

sudo yum install epel-release

Configure to run on system boot

sudo systemctl enable fail2ban

Start Fail2ban service

sudo systemctl start fail2ban

Copy config file with

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Modify the config file

nano /etc/fail2ban/jail.local

Uncomment the following line and add any IPs that need to be whitelisted

ignoreip = 127.0.0.1/8 ::1 192.168.1.20

Save the file and restart Fail2Ban

sudo systemctl restart fail2ban

Configuring Fail2Ban for SSH

Create a new jail file in /etc/fail2ban/jail.d/ called sshd.local

nano /etc/fail2ban/fail.d/sshd.local

Add the following. Note: if you are using a custom ssh port, change “port = ssh” to “port = portnumber”

[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
maxretry = 5
bantime = 300

Restart Fail2ban

sudo systemctl restart Fail2ban

You can list the firewall rules to verify that an IP gets banned.

iptables -S | grep ipaddress

Unbanning an IP Address

You can unban an IP address with the following command. 

sudo fail2ban-client set sshd unbanip 192.168.1.100

You can check out the following link for more information

https://www.redhat.com/sysadmin/protect-systems-fail2ban

Fresh Install of Ubuntu Server Doesn’t use all Disk Space

Posted on by
Reply

For some reason Ubuntu server didn’t use all the available disk space while installing. Thankfully this is an easy fix.

sudo lvextend –resizefs -l +100%FREE ubuntu-vg/ubuntu-lv

If the Volume Group or LVM Volume is different, you will need to change the name in the above command. You can use the “sudo pvdisplay” and “sudo lvdisplay” to show you details about your volumes.

https://unix.stackexchange.com/questions/664486/lvm-root-partition-only-uses-half-the-volume-size

SFTP Server – Configure Folder to be used by two users

Posted on by
Reply

Bob is the companies local Linux administrator. He has been tasked with creating a secure shared SFTP folder so members in the R&D department can securely collaborate on “The New Project”.

Bob immediately recognizes a potential difficulty. If Steve and John are working on a prototype, how will John be able to edit Steve’s file if the user permissions are set to only allow John to read?

Bob first goes to the break room to locate a coffee mug.

After consulting Google and the man pages for sftp, sftp-server, sshd_config, sshd he found out what he needed to do.

  1. Create directory for the share
  2. Create a user group
  3. Create the individual users and add them to the user group
  4. Modify the sshd_config
  5. Restart the SSHD service and verify that it works

Create Directory for SFTP Share Directory

First Bob needed a directory to hold the R&D files.

mkdir /sftp/rdshare
mkdir /sftp/rdshare/files/
chown 755 /sftp/rdfiles

For some reason, he ran into issues with the folder getting set to the 775 permission which caused issues with logging in. Manually changing it to 755 fixed that issue.

Create User Group

Now Bob needs a user group to add everyone to.

sudo groupadd rdsftp

Now on to creating the users. Since we are just using the accounts for SFTP, we are setting the nologin option. None of these users will be able to use ssh to log on to the server.

sudo useradd -g rdsftp -s /sbin/nologin -M sftpadmin
passwd sftpadmin

Repeat for John, Steve, Jill, etc…

Use the sftpadmin user as an “admin” user and change the “home” directory permissions

chown -R adminuser:rdsftp /sftp/rdfiles

Modify sshd_config file

There are a couple things that need to be changed in the sshd_config file to make this all work.

sudo vi /etc/sshd_config

At the bottom of the file, Bob adds

# R&D SFTP share settings
Match Group rdsftp
        ChrootDirectory /sftp/rdshare/          # <- chroots the users into this directory
        ForceCommand internal-sftp -u 0002      # <- -u for umask.  Needed so users have write permissions for all files

This will chroot all the users into the /sftp/rdshare directory which makes /sftp/rdshare the users / directory.

The -u umask option is the secret for getting all the users to manage all the files. Without it, John would not be able to update Steve’s inventory file.

Restart services and test

Now we can restart the ssh server

sudo systemctl resart sshd

And verify that john can log in.

sftp john@localhost

Any existing sessions will need to be terminated for the changes to take effect.

Further reading.

https://askubuntu.com/questions/982123/multiple-owner-of-same-folder
https://www.tothenew.com/blog/how-to-set-up-shared-folderrepository-between-two-or-more-users-on-linux/
https://medium.com/linuxstories/linux-how-to-setup-an-sftp-server-37e6fb91649b
https://linuxandevops.wordpress.com/2017/07/30/ssh-scp-sftp-connections-and-file-permissions-part-2/

Bob lost sudo access on Fedora

Posted on by
Reply

Bob has a computer running Fedora. When he installed Fedora he didn’t setup the root password and locked the root account. That is best practice. Right? Then one day he goes to upgrade to the latest version of Fedora and types in 

sudo dnf update

and is greeted with

sudoers. This incident will be reported.

What happened? I had access before? Bob thinks to himself. Seems like I am not in the wheel group anymore. Bob being a smart person decides to attempt recovery mode. He’ll boot up and just readd his user to the wheel group.

Recovery mode starts up and then fails due to the root account being locked. What?!

Bob then starts talking to himself as he is in need of some expert advice. What other options do I have. I know! He runs to find his handy dandy Live Fedora pen drive. Plugs it in and boots up into a live version of Fedora. Now I can mount and access the main drive.

But wait, I can’t run “usermod -G wheel bob” because that will only affect the Live System. I could chroot into the drive. That would require mounting some extra mount points. Is there a faster way? We could maybe edit the /etc/group and add “wheel:x:10:bob”. That should add bob back to the wheel group. Right?

Wait, what about the sudoers file. We are normally supposed to use “sudo visudo” command to modify the file. Let’s check the file and see if we can just manually edit it.

$ stat -c "%n %a" /etc/sudoers
/etc/sudoers 440
$
Permissions on /etc/sudoers file

Hmm, okay I am going to need to change permissions to save the file. Let’s chmod that to 644 temporarily 

$ sudo chmod 644 /etc/sudoers

Alright now I should be able to edit it.

$ sudo vi /etc/sudoers

Okay, now I need to explicitly give myself permission to use sudo. Where is that line. Ah-ha!

root    ALL=(ALL)       ALL

Lets duplicate that with yy and p, replace root with my username.

root    ALL=(ALL)       ALL
bob     ALL=(ALL)       ALL

Save that with esc then :wq enter

Now change the file permissions back

sudo chmod 400 /etc/sudoers

Reboot the system and now lets login and test sudo. 

$ sudo whoami 
root

Success!

Bob, satisfied that the problem is resolved, rewards himself by getting a sandwich.

sudo make me a sandwich

https://docs.fedoraproject.org/en-US/quick-docs/root-account-locked/

Add directory to path in Linux

Posted on by
Reply

Adding a directory to your path is really easy.

The following command adds the ~/script_folder to our PATH paths. Once run, we’ll be able to call any script in the script folder like it was a system utility.

PATH="$HOME/script_folder/:$PATH"

If you would like to always be able to call any file in your scripts folder, add the above command to your ~/.bashrc file.

You may need to restart your session for it to work.

Fix Peertube youtube-dl not Downloading

Posted on by
Reply

Issue was not being able to import a video into Peertube using a URL.

Peertube was set up to use youtube-dl which is in /var/www/peertube/storage/bin/youtube-dl. Further investigation showed that Peertube calls it with python.

For example 

python youtube-dl video-to-download

Usually Python refers to Python 2 where as Python3 refers to Python 3.

We can create a symlink so that python = python3

sudo ln -s /usr/bin/python3 /usr/bin/python

This way when Peertube runs python, it technically will run it with python3.

Note you will probably run into issues if you do have Python 2 installed and need it. In my case, python was not installed and didn’t reference anything.

Enable Syslog for PowerDNS Recursor

Posted on by
Reply

  1. Enable Logging in PowerDNS Recursor Config
  2. Edit Systemd Unit File for PowerDNS to Allow Syslog
  3. Enable Logging in rsyslog Config File

The following links were helpful in setting things up.

https://doc.powerdns.com/recursor/running.html
https://www.reddit.com/r/linuxadmin/comments/9lc4jl/logging_queries_in_pdnsrecursor/

Enable logging in PowerDNS Recursor Config

First we need to find the line that says “disable-syslog” and uncomment/change it to 

disable-syslog=no

Next find the line that says “quiet” and uncomment/change it to 

quiet=no

Some other lines you may want to check and change

logging-facality=1
loglevel=6

Edit Systemd Unit File for PowerDNS to allow Syslog

Next we need to modify the Systemd unit file to allow PowerDNS Recursor to log to syslog.

systemctl edit --full pdns-recursor.service

On the ExecStart Line, remove the part that says

--disable-syslog

The resulting line should look something like

[Service]
ExecStart=/usr/sbin/pdns_recursor --socket-dir=%t/pdns-recursor --socket-dir=%t/pdns-recursor --daemon=no --write-pid=no --log-timestamp=no

Save the file.

Enable Logging in rsyslog Config File

Edit the rsyslog file 

sudo vim /etc/rsyslog.conf

Add the following line

local1.*        /var/log/pdns_recursor.log

This should now log all of the PowerDNS Recursor log info to “/var/log/pdns_recursor.log”

Restart the rsyslog and PowerDNS Recursor service

sudo systemctl restart rsyslog
sudo systemctl restart pdns-recursor

You should now see DNS request in the log file.

tail /var/log/pdns_recursor.log

They should also show up in the “/var/log/messages”

Enable Remote Logging in Rsyslog on Linux (Debian, Ubuntu, CentOS, Fedora)

Posted on by
Reply

Edit the rsyslog file

sudo vi /etc/rsyslog.conf

add the following. Change out the IP address for your remote syslog server IP address.

The syntax for this has changes. Newer recommended way is

*.*  action(type="omfwd" target="192.0.10.5" port="514" protocol="tcp"

Old Syntax

## rsyslog Server
*.*     @10.0.10.5:514

https://www.rsyslog.com/sending-messages-to-a-remote-syslog-server/

Restart the rsyslog service and check your remote log server.

systemctl restart rsyslog

If you are having issues viewing logs in LibreNMS, try adding the hostname in the /etc/rsyslog.conf file

$LocalHostName server.hostname.com