Tag Archives: debian

Hardening SNMP on Debian

Posted on by
Reply

Hardening SNMP on Debian by disabling SNMP v1 and v2c, and configuring SNMP v3.

Modify /etc/snmp/snmpd.conf

First we’ll want to open up the /etc/snmp/snmpd.conf file and comment out all lines that begin with

  • rocommunity
  • view
  • rouser authPriv <– “This may be the last line by default, we don’t need it”

Alternatively, you can copy and paste the following sed commands instead of manually editing the file.

sudo sed -i 's/^rocommunity/# rocommunityc/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^view/# view/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^rouser authPriv/# rouser authPriv/g' /etc/snmp/snmpd.conf

Create SNMP v3 User

We can create a SNMP v3 user with the following command. There it will ask you for the username and passwords.

sudo net-snmp-create-v3-user -ro -a SHA-512 -x AES

You may receive an error about not being able to touch /snmp/snmpd.conf. I am not sure why Debian is attempting to create that file. Take the “rouser snmpuser” line and add it to the end of the /etc/snmp/snmpd.conf config.

Debian SNMP Error

Now we can start SNMPD

sudo systemctl start snmpd

Troubleshooting

My created user is not working! This could result from two different issues.

  1. It appears that Debian/SNMP doesn’t like pass phrases with special characters. You can try using a different password or escaping the special characters in “/var/lib/snmp/snmpd.conf” file before starting SNMPD.
  2. The user didn’t get added to /etc/snmp/snmpd.conf To fix, add “rouser snmpuser” (Change snmpuser to your snmp username) to the bottom of the config file.

Install RX 580 Mining Drivers on Debian Based Distributions

Posted on by
Reply

Use wget to download AMD drivers.

wget https://drivers.amd.com/drivers/linux/amdgpu-pro-20.45-1164792-ubuntu-20.04.tar.xz --referer https://support.amd.com

Extract archive.

tar xf amdgpu-pro-20.45-1164792-ubuntu-20.04.tar.xz

Change directory

cd amdgpu-pro-20.45-1164792-ubuntu-20.04

Install AMD Drivers

./amdgpu-pro-install -y --opencl=legacy,rocm --headless

If you run into issues with it saying “Unsupported DEB based OS” Refer to the following article.

Unsupported DEB-based OS: /etc/os-release ID ‘kali’

Delete SNMPv3 User on Linux

Posted on by
Reply

Don’t know if this is the recommended way to delete a user, but it seems to work.

sudo service snmpd stop

Open up the snmpd.conf file in /var/lib and find the line with the SNMP user and delete the line

sudo vi /var/lib/snmp/snmpd.conf

The above file may be in the following location on RPM based systems.

sudo vi /var/lib/net-snmp/snmpd.conf

Save, exit, and start snmpd

sudo service snmpd start

These steps work for Ubuntu, but should work for any Debain based distro as well as CentOS, Fedora, RedHat etc.

Install dig on Ubuntu, Debian or Kali Linux

Posted on by
Reply
install dig
Help options for dig


Dig is a DNS lookup utility.  It is included in most Linux distributions by default, but if it isn’t you can easily install dig with the following command.

The dig utility is apart of the dnsutils package

sudo apt-get install dnsutils -y

After it is installed, we can verify that it is working with

dig -v

For more information on how to use dig, refer to the following link.

https://www.howtogeek.com/663056/how-to-use-the-dig-command-on-linux/

The following is copied and pasted from the dig man page.

NAME
       dig - DNS lookup utility

SYNOPSIS
       dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-m] [-p port#] [-q name]
           [-t type] [-v] [-x addr] [-y [hmac:]name:key] [[-4] | [-6]] [name] [type] [class]
           [queryopt...]

       dig [-h]

       dig [global-queryopt...] [query...]

DESCRIPTION
       dig is a flexible tool for interrogating DNS name servers. It performs DNS lookups and
       displays the answers that are returned from the name server(s) that were queried. Most DNS
       administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use
       and clarity of output. Other lookup tools tend to have less functionality than dig.

       Although dig is normally used with command-line arguments, it also has a batch mode of
       operation for reading lookup requests from a file. A brief summary of its command-line
       arguments and options is printed when the -h option is given. Unlike earlier versions, the
       BIND 9 implementation of dig allows multiple lookups to be issued from the command line.

       Unless it is told to query a specific name server, dig will try each of the servers listed
       in /etc/resolv.conf. If no usable server addresses are found, dig will send the query to the
       local host.

       When no command line arguments or options are given, dig will perform an NS query for "."
       (the root).

       It is possible to set per-user defaults for dig via ${HOME}/.digrc. This file is read and
       any options in it are applied before the command line arguments. The -r option disables this
       feature, for scripts that need predictable behaviour.

       The IN and CH class names overlap with the IN and CH top level domain names. Either use the
       -t and -c options to specify the type and class, use the -q the specify the domain name, or
       use "IN." and "CH." when looking up these top level domains.

SIMPLE USAGE
       A typical invocation of dig looks like:

            dig @server name type

       where:

       server
           is the name or IP address of the name server to query. This can be an IPv4 address in
           dotted-decimal notation or an IPv6 address in colon-delimited notation. When the
           supplied server argument is a hostname, dig resolves that name before querying that name
           server.

           If no server argument is provided, dig consults /etc/resolv.conf; if an address is found
           there, it queries the name server at that address. If either of the -4 or -6 options are
           in use, then only addresses for the corresponding transport will be tried. If no usable
           addresses are found, dig will send the query to the local host. The reply from the name
           server that responds is displayed.

       name
           is the name of the resource record that is to be looked up.

       type
           indicates what type of query is required — ANY, A, MX, SIG, etc.  type can be any valid
           query type. If no type argument is supplied, dig will perform a lookup for an A record.



					

		
		
	


				
					
	

		

						
Install UniFi Video 3.8.5 on Ubuntu or Debian

			
						

				Posted on   by  			

			
						

				Reply			

					


				

			
You can run all the commands from the terminal, or ssh into the server


See here if you need to setup SSH on the server.


Install prerequisites


sudo apt-get install mongodb mongodb-server openjdk-8-jre-headless jsvc


Download UniFi Video installer


Note the Debian package works on Ubuntu, and has been tested on the latest Ubuntu


wget https://dl.ubnt.com/firmwares/ufv/v3.8.5/unifi-video.Debian7_amd64.v3.8.5.deb


Install package


sudo dpkg -i unifi-video.Debian7_amd64.v3.8.5.deb


Login to the UniFi Video controller using your web browser and going to the following address to finish configuring the NVR.


https://your-server-address:7443

					

		
		
	


				
					
	

		

						
Install SSH Server on Linux (Debian, Ubuntu, Fedora, CentOS, RedHat)

			
						

				Posted on   by  			

			
						

				Reply			

					


				

			
Debian / Ubuntu


sudo apt-get install -y openssh-server


RPM based Distros, Fedora / CentOS / RedHat


sudo dnf install -y openssh-server


or use yum


sudo yum install -y openssh-server


Start ssh service


sudo systemctl start sshd


By default the SSH service should start when the system starts, but if not try the following command to enable the service on boot up.


Debian / Ubuntu


systemctl enable ssh


Fedora, CentOS, RedHat


systemctl enable sshd


Change SSH port


Not necessary, but it is a good idea to change the default ssh port.  To change the port edit the sshd file.


vi /etc/ssh/sshd_config


If you change the port, you’ll need to allow it in the firewall (firewalld, iptables) and if SELinux is enabled, semanage.

					

		
		
	


				
					
	

		

						
Setup SNMP v3 on Debian or Ubuntu

			
						

				Posted on   by  			

			
						

				Reply			

					


				

			
All the following commands should work on Ubuntu, or just about any other Debian based Linux distro.  If you have a firewall on the server, you’ll need to allow UDP on port 161.


Install SNMP


Install snmp, snmpd, and libsnmp.


sudo apt-get -y install snmp snmpd libsnmp-dev


Stop the snmpd service so we can add a user


sudo service snmpd stop


Add SNMP v3 user


    

  • Change AuthPassword to your Authentication password
    • 

  • Change CryptoPassword to your Crypto Password
    • 

  • Change privUser to your private users username
    • 



sudo net-snmp-config --create-snmpv3-user -ro -A AuthPassword -X CryptoPassword -a MD5 -x AES privUser


Change System Location, System Contact, and allow SNMP on all interfaces




Open up the SNMP config file usually in /etc/snmp/snmpd.conf


vi /etc/snmp/snmpd.conf


Search for “sysLocation”  and change to whatever your system location is.


Search for “sysContact” and change it.  It should be right underneath sysLocation.


Now allow SNMP on all interfaces.  Find the following line and comment it out.


agentAddress udp:127.0.0.1:161


Add a # to the beginning.


#agentAddress udp:127.0.0.1:161


Now find this line (should be a couple lines down from the line you just commented out)


#agentAddress udp:161,udp6:[::1]:161


and uncomment it


agentAddress udp:161,udp6:[::1]:161


That will enable it so you can read the SNMP info using the servers IP address, as opposed to being limited to localhost.


Start the SNMP service and Test


Start the SNMP service


service snmpd start


Test with


snmpwalk -v3 -a MD5 -A AuthPassword -X CryptoPassword -l authNoPriv -u privUser localhost