Hardening SNMP on CentOS/RedHat/Fedora Etc.

These steps should be similar across Red Hat type distros.

Before we proceed, lets stop SNMP

sudo systemctl stop snmpd

Disable SNMP Versions 1 and 2c

First we are going to disable SNMP v1 and v2c

You can manually edit the /etc/snmp/snmpd.conf file and comment out or delete every line starting with com2sec, group, access. Or you can run the following sed commands to change it for you.

sudo sed -i 's/^com2sec/# com2sec/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^group/# group/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^access/# access/g' /etc/snmp/snmpd.conf

https://serverfault.com/questions/376688/how-to-disable-version-1-and-version-2c-in-snmpd

Create SNMP Version 3 User

Follow the prompts to create a SNMP v3 user.

sudo net-snmp-create-v3-user -ro -a SHA -x AES

Start SNMP

sudo systemctl start snmpd

You should be good to go.

If you are running a firewall, you will need to allow an exception for SNMP, UDP port 161. You may also need to allow an SELinux exception. Check out the last portion of both these articles.

Allowing SNMP Through Firewall

Bob lost sudo access on Fedora

Bob has a computer running Fedora. When he installed Fedora he didn’t setup the root password and locked the root account. That is best practice. Right? Then one day he goes to upgrade to the latest version of Fedora and types in

sudo dnf update

and is greeted with

sudoers. This incident will be reported.

What happened? I had access before? Bob thinks to himself. Seems like I am not in the wheel group anymore. Bob being a smart person decides to attempt recovery mode. He’ll boot up and just readd his user to the wheel group.

Recovery mode starts up and then fails due to the root account being locked. What?!

Bob then starts talking to himself as he is in need of some expert advice. What other options do I have. I know! He runs to find his handy dandy Live Fedora pen drive. Plugs it in and boots up into a live version of Fedora. Now I can mount and access the main drive.

But wait, I can’t run “usermod -G wheel bob” because that will only affect the Live System. I could chroot into the drive. That would require mounting some extra mount points. Is there a faster way? We could maybe edit the /etc/group and add “wheel:x:10:bob”. That should add bob back to the wheel group. Right?

Wait, what about the sudoers file. We are normally supposed to use “sudo visudo” command to modify the file. Let’s check the file and see if we can just manually edit it.

$ stat -c "%n %a" /etc/sudoers
/etc/sudoers 440
$
Permissions on /etc/sudoers file

Hmm, okay I am going to need to change permissions to save the file. Let’s chmod that to 644 temporarily

$ sudo chmod 644 /etc/sudoers 

Alright now I should be able to edit it.

$ sudo vi /etc/sudoers

Okay, now I need to explicitly give myself permission to use sudo. Where is that line. Ah-ha!

root    ALL=(ALL)       ALL

Lets duplicate that with yy and p, replace root with my username.

root    ALL=(ALL)       ALL
bob     ALL=(ALL)       ALL

Save that with esc then :wq enter

Now change the file permissions back

sudo chmod 400 /etc/sudoers

Reboot the system and now lets login and test sudo.

$ sudo whoami 
root

Success!

Bob, satisfied that the problem is resolved, rewards himself by getting a sandwich.

sudo make me a sandwich

https://docs.fedoraproject.org/en-US/quick-docs/root-account-locked/

Set coolbits value on Fedora Linux

You sometimes need to set the coolbits value to overclock your GPU on Linux

You’ll need to install nvidia-xconfig

sudo dnf install nvidia-xconfig

Then you can set the cool bits value with the following command. Change 24 to the appropriate cool bits value. Refer to the link below.

sudo nvidia-xconfig --cool-bits=28

It’ll create a new xorg config file. Reboot to take advantage of cool bits being enabled.

Multiple GPUs

If you have multiple GPUs, you will need to do the following to enable cool bits on each GPU.

sudo nvidia-xconfig -a --cool-bits=28 --allow-empty-initial-configuration

https://wiki.archlinux.org/title/NVIDIA/Tips_and_tricks#Enabling_overclocking

Snapper reverting changes on Fedora

List snapper BTRFS snapshots with

snapper list

If you are in recovery mode on Fedora, add –no-dbus right after the snapper command. e.g.

snapper --no-dbus list

You can use the diff command to list the changes that happened between snapshots.

snapper --no-dbus diff 108..109

And to undo a change or all the changes between a snapshot, do the following. Where 108..109 are all the changes you want to remove. So essentially going back to snapshot 108.

snapper --no-dbus -v undochange 108..109

https://documentation.suse.com/sles/11-SP4/html/SLES-all/cha-snapper.html

OLED Screen Brightness on Fedora 33

By default Linux and OLED displays don’t really want to play well together. icc-brightness is a handy utility that resolves the problem, but all the instructions I found online were for Ubuntu/Debian based distributions.

https://github.com/udifuchs/icc-brightness

Fortunately, after a few failed attempts to compile the program I was able to figure out which dependency was required.

[admin@local icc-brightness]$ sudo make
cc -W -Wall  icc-brightness-gen.c -l lcms2  -o icc-brightness-gen 
icc-brightness-gen.c:9:10: fatal error: lcms2.h: No such file or directory
    9 | #include <lcms2.h>
      |          ^~~~~~~~~
compilation terminated.
make: *** [Makefile:10: icc-brightness-gen] Error 1
admin@local icc-brightness]$

We are missing the lcms2-devel package. Not sure if the utils package is required, but installed it anyway.

sudo dnf install lcms2-utils lcms2-devel

With that installed we can now make and install icc-brightness

sudo make install

Reboot the laptop and it should automatically start icc-brightness in the background and the brightness controls should work

You can find more information for installing on Debian based systems at the following link.

How To Setup Samba/CIFS Share on Fedora Server

We are going to setup a Samba/CIFS share on Fedora Server that we will then access from Windows 10.

  1. Install Samba/CIFS server packages
  2. Create user to access share
  3. Configure SELinux and firewall
  4. Connect to erver from Windows

1. Install Samba/CIFS Fedora Server Packages

First we need to install the samba package.

sudo dnf install samba
Installing SMB on Fedora
Samba Dependencies

Next, lets enable the Samba service so it automatically starts when the server boots up.

systemctl enable smb nmb
systemctl start smb

nmb is a “NetBIOS name server that provides NetBIOS over IP naming service to clients”
https://www.samba.org/samba/docs/current/man-html/nmbd.8.html

2. Setup Samba/CIFS User

We now need a user to connect to the Samba share with. You can use the commands below to to create a new user.

pdbedit only configures a current Linux system user for Samba. You can skip creating a new Linux user, but only if there is one already created that you can use.

sudo useradd -m sambaUser
sudo passwd sambaUser
sudo pdbedit -a sambaUser

3. Configure Server SELinux and Firewall Permissions

Configure SELinux permissions with the following command.

sudo setsebool -P samba_enable_home_dirs on

You can also just disable SELinux. Although it is not necessarily recommended.
How To Enable/Disable SELinux

sudo setsebool -P samba_enable_home_dirs on
sudo firewall-cmd --add-service=samba --permanent
sudo firewall-cmd --reload

4. Test Samba/CIFS Share from Windows

You can now test to see if the share works. Open up Windows Explorer. Type in the IP address of the server and connect.

\\ip-address\sambaUser

It should prompt you for a login. Enter the user and password you set up.

Connecting to Fedora Samba/CIFS server

If it loads, then congratulations! You have successfully setup a Samba/CIFS Share on Fedora Server. Create new directories or files or whatever else you need.

Successfully Connected to Fedora Samba/CIFS Server

Check out the following links for more information about setting up Samba.

https://fedoramagazine.org/fedora-32-simple-local-file-sharing-with-samba/
https://jewelhuq.wordpress.com/2017/12/08/how-to-install-samba-server-in-fedora/

https://fedoramagazine.org/fedora-32-simple-local-file-sharing-with-samba/

Where is my software RAID?!

There are a few different ways to view RAID information on Fedora. Here are two commands that can help.

1. Print Mdadm config

You can copy and past the following command to print the mdadm configuration.

cat /etc/mdadm.conf

It should return something similar to the following.

$ cat /etc/mdadm.conf
# mdadm.conf written out by anacondaMAILADDR root
AUTO +imsm +1.x -all
ARRAY /dev/md/Boot level=raid0 num-devices=6 UUID=21ce258a:015d0dd4:90d5b80e:ab04b7f7
ARRAY /dev/md/Root level=raid0 num-devices=6 UUID=4be32ad0:f3aa77bd:139d749d:4a6aab60 

We see from the above output that we have two raid arrays. Both RAID 0 over 6 drives.

2. Print mdstats

You can show the mdstats by running

cat /proc/mdstat

Should get output similar to the following.

$ cat /proc/mdstat
 Personalities : [raid0]
 md126 : active raid0 sdc2[0] sdf2[5] sde2[4] sdd2[1] sda2[2] sdb2[3]
       5856552960 blocks super 1.2 512k chunks
 md127 : active raid0 sdc1[0] sdf1[5] sde1[4] sdd1[1] sdb1[3] sda1[2]
       3133440 blocks super 1.2 512k chunks
 unused devices: 

This shows us the RAID size. About 5TB on one and 3GB on the other. The 3GB is used for the boot partition.

Other Notes

Apparently there is a difference between “mdadm” and “dm-raid”
Mdadm is for managing and creating software raids, while dm-raid interacts if a device like a laptop has a “fake RAID”

https://superuser.com/questions/721795/how-fake-raid-communicates-with-operating-systemlinux/721796#721796
https://stackoverflow.com/questions/23164384/what-is-the-difference-between-dm-and-md-in-linux-kernel

For more information on managing RAID with Mdadm, you can refer here.