This is an old revision of the document!
- gnulinux
- Jonathan Haack
- Haack's Networking
- netcmnd@jonathanhaack.com
Welcome to my gnulinux wiki page. This page has simple and complex system administrationnotes to remind me when I forget something that I already learned! If you are visiting, I hope you find the page useful.
#powerpc gnulinux notes; issues, installs +
Making a bootable usb stick …
diskutil list diskutil eraseDisk <filesystemtype> <partitionname> <diskidentifier> diskutil unmountDisk <diskidentifier>
Examples
sudo dd if=/Volumes/Cave/Users/axes/Desktop/lubuntu.iso of=/dev/disk4 bs=1m sudo dd if=/Users/me/tails-i386-1.3.iso of=/dev/rdisk9 bs=16m && sync
Insert USB drive into PPC Mac of choice, depress command-option-o-f (open firmware) try usb0, usb1, usb2, etc. until it works and finds the port you used for the img
probe-usb boot usb0/disk@1:2,\\yaboot boot usb1/disk@1:2,\\yaboot
once inside the yaboot shell, some common examples are:
install url=mintppc.org install cli cli-expert cli64 cli64-expert
#wireless hardware drivers, b43 cutter +
deb http://httpredir.debian.org/debian/ wheezy main contrib non-free deb http://http.debian.net/debian/ jessie main contrib non-free apt-get update sudo lspci apt-get install firmware-b43-installer apt-get install firmware-b43-lpphy-installer apt-get install firmware-b43legacy-installer
use lspci above and then visit https://wiki.debian.org/bcm43xx#supported-b43
#some imaging notes
convert .iso to .img syntax example
hdiutil convert -format UDRW -o destination_file.img source_file.iso diskutil list diskutil partitionDisk /dev/disk1 1 "Free Space" "unused" "100%" dd if=[Directory/to/udrw/img] of=/dev/disk1 bs=1m diskutil eject /dev/disk2
Plug into the Intel Mac, hold option while booting, proceed w/ install
#optical media ripping from command line
cdrecord -pad -dao -data blag-140k-i686.iso
#security & policy information
sudo nano /etc/pam.d/common-password
Prevent Log in - create file
/etc/nologin
tcpdump common uses; monitoring traffic on network
tcpdump -n -i <eth0> <host> <x.x.x.x> tcpdump -n -i <eth0> <port> <#> tcpdump -i eth0 -nn -c 10 tcp and host <x.x.x.x> tcpdump -i wlan0 port http or port smtp or port imap or port pop3 -l -A | egrep -e 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:pass |user |Referer:'
Generate
sudo htpasswd -c .htpasswd username
Syntax for .htaccess
AuthUserFile /private/etc/httpd/.htpasswd AuthGroupFile /dev/null AuthName "Members Only" AuthType Basic
<Limit GET POST> require valid-user </Limit>
#display managers; lightdm & gdm3
cd /usr/share/lightdm/light.conf.d/
Global lightdm settings here
cd /etc/lightdm/ sudo nano lightdm.conf
Lightdm ubuntu-MATE greeter and lock screen issues
/usr/share/common/backgrounds/ubuntu-mate-common/Ubuntu-Mate-Cold.jpg /etc/lightdm/lightdm-gtk-greeter.conf
The .conf file w/ some common sense parameters
[SeatDefaults] allow-guest=false greeter-hide-users=true
#ubuntu-MATE; DE 'porting' and tweaks 2 OS
sudo apt install mate-tweak cd /etc/apt/sources.list sudo nano sources.list <add contrib non-free to default debian repositories> sudo apt update sudo apt upgrade sudo reboot <upon reboot, begin the harvesting of ubuntu-MATE themes> cd /etc/apt/sources.list sudo nano sources.list <in the config file you just opened add the two repos below - no braces!> <deb http://us.archive.ubuntu.com/ubuntu yakkety main restricted non-free> <deb http://us.archive.ubuntu.com/ubuntu yakkety universe main restricted non-free> sudo apt update sudo apt install ubuntu-keyring-archive sudo apt update sudo apt install ubuntu-mate* <computer might crash during install, reboot, repeat or remove wildcard and install piecemeal> sudo apt autoremove cd /etc/apt/sources.list sudo nano sources.list <change the config file and comment out ubuntu repositories> <#deb http://us.archive.ubuntu.com/ubuntu yakkety main restricted non-free> <#deb http://us.archive.ubuntu.com/ubuntu yakkety universe main restricted non-free> sudo apt update sudo apt autoremove sudo apt update sudo apt upgrade sudo reboot <there could / will be problems when you attempt to sudo apt update - if so> sudo apt update --fix-missing <may need to run with and without ubuntu repos> sudo dpkg --reconfigure -a <there may also be a file in var that needs removed - be careful> rm -rf /var/<path/to/locked/file/from/apt/update/on/ubuntu>
#mac - hardware - gnulinux requirements
mac fan control; needed to ensure computer does not fry …
apt-get update apt-get install macfanctld /etc/macfanctl.conf <set desired values> service macfanctld restart
#openWRT notes
Enabling https,
opkg update #opkg install luci-lib-px5g px5g-standalone libustream-openssl opkg install luci-ssl nano /etc/config/uhttpd
[disable 80, edit px5g below]
/etc/init.d/uhttpd restart
#openVPN server / client notes
This tutorial is designed for users interested in setting up a von server on an embedded system, but it can easily be transferred to other systems. In this case, I used a WNDR 3800 from Netgear, with openWRT chaos calmer. This tutorial assumes that the router is already flashed and ready to go.
ssh root@openWRTname
opkg update opkg install zip openvpn-easy-rsa openvpn-openssl mv /etc/config/openvpnconfig/openvpn /etc/config/ mv /etc/easy-rsa /etc/config/openvpnconfig/ cd /etc/ ln -s config/openvpnconfig/easy-rsa ./ OR [ln -s config/openvpnconfig/easy-rsa ./]
Now, edit the vars file and build the keys. (Optionally, you can build the dh key on a different host and then scp it over to the openWRT to save time since it is a processor intensive key building operation.)
nano /etc/config/openvpnconfig/easy-rsa/vars source vars nano /etc/config/openvpnconfig/openvpnWRT.conf nano /etc/config/openvpn
build-ca build-dh build-key-server server OR [build-key-server <servername>]
The openvpn configuration file should be in /etc/config/ and minimally should have:
package openvpn config openvpn openvpn_WRT option enabled 1 option config /etc/config/openvpnconfig/openvpnWRT.conf
The openvpnWRT.conf file should minimally be configured as follows:
float port 1194 proto udp dev tun comp-lzo yes tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
dh easy-rsa/keys/dh2048.pem ca easy-rsa/keys/ca.crt key easy-rsa/keys/server.key cert easy-rsa/keys/server.crt #crl-verify /etc/config/openvpnconfig/easy-rsa/keys/crl.pem ifconfig-pool-persist /tmp/ipp.txt client-config-dir clients status /var/log/openvpn-status.log
##Don't enable unless you disable all static ip options below# #server [10.10.84.0 255.255.255.0] ##begin VPN options for static ip mode (mode server)## mode server tls-server topology subnet push "topology subnet" ifconfig [10.10.84.1] 255.255.255.0 route-gateway [10.10.84.1] push "route-gateway [10.10.84.1]" ifconfig-pool [10.10.84.32 10.10.84.254 255.255.255.0] ##end VPN options for static ip##
##general LAN options## push "route [192.168.1.0 255.255.255.0]" push "dhcp-option DOMAIN [lan.local]" push "dhcp-option DNS [192.168.1.1]" client-to-client
mute 5 log /tmp/openvpn.log
keepalive 10 120 persist-key persist-tun
Now, to build the certificates for clients, use easy-rsa and pkitool as follows:
Template Instructions from jjscha; copy these files t the openvpn server
scp -r openvpnconfig root@[openwrt]:/etc/config/ ssh root@[openwrt]
on the openwrt:
opkg update opkg install zip openvpn-easy-rsa openvpn-openssl
mv /etc/config/openvpnconfig/openvpn /etc/config/ mv /etc/easy-rsa /etc/config/openvpnconfig/ cd /etc/ ln -s config/openvpnconfig/easy-rsa ./ vi /etc/config/openvpnconfig/easy-rsa/vars source vars vi /etc/config/openvpnconfig/openvpnWRT.conf vi /etc/config/openvpn
build-ca build-dh build-key-server server
/etc/config/openvpnconfig/easyrsa-user-setup-openwrt.sh
→ add interface for vpn tun → add firewall zone → open firewall: open 1194 udp on firewall; to device
<current>
#samba share basics
sudo apt update sudo apt install samba sudo adduser username sudo smbpasswd -a username mkdir /home/username/sharename nano /etc/samba/smb.conf [sharename] path = /home/username/sharename available = yes valid users = camalas read only = no browseable = yes public = yes writable = yes
#sitc
start or stop network manager (or other services)
systemctl <start/stop/restart> networkmanager.service /etc/init.d/network-manager stop <start/stop/restart>
verify dhcp client working for interface eno1
dhclient -v eno1
add subnet to interface eno1
ip address add 192.1##.1##.2/24 dev eno1
interface tool w/ eno1 example
ethtool eno1
interface with switch using screen
screen /dev/ttyUSB0/ 19200
calculate subnet automatically
subnetcalc
proxying web traffic through remote server
ssh -D <port#> <user>@<domain.com>
get block ID of drives
blkid
nmap example to get addresses of hosts / devices on lan
nmap -sP 10.##.##.0/24
find utils example
find . -iname "<name>"
#git basics
git - force git to use ssh & pull / push to verify
git remote set-url origin git@github.com:oemb1905/haackyard-gh.git git clone ssh://<user>@<##.##.##.##>/home/git . git commit -am"notes inside here" git pull git push
#nano / text editor basics
ctl-r read -open file curr. buffer, or new in multibuffer mode, enter4new empty buffer ctl-o writeout i.e. save file cctl-x exit i.e. quit; also exits from buffer in multibuffer mode; asks writeout/save ctl-g get help/aid/assistance enter, ctl-m newline bksp, ctl-h delete previous character del, ctl-d delete current character left, ctl-b backward character right, ctl-f forward character home, ctl-a beginning of line end, ctl-e end of line up, ctl-p previous line down, ctl-n next line pgup, ctl-y previous page pgdn, ctl-v next page m-space previous word ctl-space next word alt-\ beginning of file alt-/ end of file ctl-c display cursor position ctl-/ go i.e. jump to line and column ctl-^ set/unset mark; or alt-a alt-^ copy marked, or copy line if nomark; actually alt-6 i.e. do not need shift key ctl-k cut marked or cut lineifnomark or cut2end line if cut2end is enabled using alt-k ctl-u paste cut or copied alt-t cut to end of file ctl-w search alt-w search again alt-r search and replace alt-< previous file buffer; actually alt-, i.e. do not need shift key alt-> next file buffer; actually alt-. i.e. do not need shift key alt-x toggle bottom help display alt-y toggle color syntax hiliting;colors config via /usr/share/nano/*.nanorc files alt-c toggle cursor position display alt-d toggle dos/unix format option at writeout/save prompt alt-k toggle cut to end of line ctl-t show file list at read/open prompt ctl-x prompt for external command to execute at read/open prompt and insert output ctl-z suspend to shell; use fg to return
#scripts and miscellaneous
downloading scripts and executing them; example from DO
curl -sSL https://agent.digitalocean.com/install.sh | sh
ngrok notes; private http(s) tunnels
./ngrok http 80 wget https://[ngrok tunnel]/id_rsa.pub cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
query hosts on the lan
avahi-browse -tl _workstation._tcp
Debian print system configuration to stdout; use root
cat /proc/cpuinfo && lspci | grep -i vga && uname -a && lsb_release -a lsb_release -a lspci
Debian repo management
cd /etc/apt nano sources.lsit [main contrib non-free]
Uploading files to remote webservers with sftp
cd ~/Downloads sftp user@host.com:/path/to/sftp/directory/of/choice/ > put /path/to/file.txt
#Building From Source to Custom library Location
tar -xf <source_filename>
Navigate to the directory that tar unarchived the files to. Then, within that directory, execute:
./configure --prefix=/usr/local make sudo make install clean
#Cacti Server Notes
Installing snmpd to an embedded system and then installing cacti to a client to monitor the device. Additionally, this tutorial covers one way to monitor a client without an snmpd server running on the client machine (ping only). The embedded OS is openWRT on a Netgear WNDR.
ssh -p ###### root@nameofembeddedhost opkg update opkg install snmpd cd /etc/config nano snmpd /etc/init.d/snmpd enable /etc/init.d/snmpd restart
There are many customizations possible, but my colleagues recommend the minimum of changing the name of the public community to something indicative of the network purpose. Additionally, it is also adviseable to change three fields below that refer to the physical location, ip address, and the contact email for the system administrator in charge of managing the snmp server. Once you are done, continue to installing cacti on a network machine that will field the incoming snmp request
sudo apt install cacti
I used the default recommendations, however, when cacti failed repeatedly I was forced to use the reconfiguration command below. The OS I used in this case was Debian 9.2.1 Stretch.
sudo dpkg-reconfigure cacti <Yes, rebuild database, default to other options> <I chose matching MySQL pass because it failed with blank>
At this point, cacti should work so to speak, but it will need to be configured and have its license terms accepted. Since cacti utilizes a web server with which users may access its data, users must configure cacti within that interface. FYI - I chose defaults, and used apache2, as follows from within the Firefox web-browser:
localhost/cacti <say yes to EULA, etc.> <user: admin> <pass: admin>
Since cacti's web server is running, its web server page can highlight information from the snmp server that it queries information from as a client (& many other queries too!). I would error on the side of portraying more information, not less, so consider the following configurations from within the web interface.
Device Add #SNMP Server# ucd/net SNMP Host Ping or SNMP ICMP Ping Version 2 <name of public community chosen ^>
During this install I had a conflict with a previously installed web server nginx, so I had to find its process and then kill it:
netstat -enpl sudo kill -XXX PID
After that, I restarted the web-server apache2 as follows:
sudo /etc/init.d/apache2 restart
#Private Git Server
Configure the machine that will be running the git server first. In order, this requires creating the git user, and then creating the .ssh directory and authorized keys files, and then establishing appropriate permissions.
sudo adduser git su - git cd ~ mkdir .ssh && chmod 700 .ssh touch .ssh/authorized_keys && chmod 600 .ssh/authorized_keys
You can add keys to authorized keys file using copy and paste, or using some bash syntax (from within the git user's shell) as follows:
cat /tmp/id_rsa.john.pub >> ~/.ssh/authorized_keys
Now, let's finish configuring the server.
cd /srv mkdir git cd git/ mkdir repositoryname.git cd repositoryname.git/ git init --bare --shared
The shared option above allows more than just the git user to write to the repository. The users must have permissions to do so, however, so since the directories were created by the git user, one can add the user to the git group. If you need this functionality, then on the server, make sure to execute the following command for each user:
sudo adduser <username> git
The instructions below assume the clients are on the same LAN and using a directory in their home directory dedicated to git repos. If the clients are not on the same LAN, then use openvpn to tunnel into the LAN.
cd ~ mkdir git cd git/ git clone git@gitserver:/srv/git/repositoryname.git cd repositoryname/ nano README git commit -am"added a line to README for repository participants" git push origin master
This method has everyone using the user git in order to clone the repository, and unless tweaked will allow users shell access to the server. To stop shell access, simply add :/bin/false to the end of the git user's entry in /etc/passwd.
Using other user names for access / cloning will be covered in a later tutorial.
#Installing openWRT onto a WNDR 3800 router
Download the image for openWRT. I used the following site:
https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/openwrt-15.05.1-ar71xx-generic-wndr3800-squashfs-factory.img
Before you begin preparing the WNDR3800, you should ensure your network interface is on the proper subnet. I chose the 105 for the last octet. This can be done as follows:
ip a a 192.168.1.105/24 dev <devid>
If you are unsure what your device id is, please run:
ip a
Now, you are ready to install the image. Using a paper clip or other pick, and with the WNDR plugged in but powered off, depress the reset button on the backside with the paper clip, and while keeping it depressed, power up the WNDR by pressing its power button, all while simultaneously maintaining the depression of the reset button. If you followed the steps correctly, the lights will start amber, then flicker amber, then flicker green and then change to solid green. The device is now in the proper mode to accept transmission of the image. Nevertheless, it is good to ping the device and you will see a specific error that will indicate it is in the proper mode. Those steps are:
ping 192.168.1.1 curl -T ~/Downloads/openwrt-15.05.1-ar71xx-generic-wndr3800-squashfs-factory.img tftp://192.168.1.1
The device will automatically reboot when the image completes transfer. You may verify the install by visiting the following site in a web browser:
192.168.1.1
#Beagle Bone Black w/ Debian
To locate device if auto-mounted
sudo dmesg
umount /dev/mmcblk0p1
Optional: use fdisk to remove the partition first before dding …
sudo dd of=/dev/mmcblk0 if=/home/sexa/Downloads/bone-debian-9.2-iot-armhf-2017-10-10-4gb.img bs=1M conv=fdatasync [or && sync]
After this, pull out SD card. Plug back in. Locate where it mounted, prepare to edit file to allow it to run the installer upon boot. This is located in boot/enV.txt relative to wherever the media mounted. Eg., cd /media/sexa/rootfs/boot/
cmdline=init=/opt/scripts/tools/eMMC/init-eMMC-flasher-v3.sh
Get out of the directory asap. then:
umount /dev/mmcblk0p1
Now that the image has been turned into an installer, you may put the microSD card into the Beagle Bone (without power).
If there is a fourth pin, usually red, do not use. We only need input, output, and ground.
sudo screen <devicename> 115200 sudo screen /dev/ttyUSB0 115200 [Example]
#Screen
Using ssh to tunnel to another host, and then executing screen to keep the session persistent.
ssh -p ### -t user@host.com screen -DRO
Using screen with usb to serial adapter
sudo screen /dev/ttyUSB0 115200
Some other common speeds are 9600, 57600, 38400, 19200
——————————————- #next topic
git clone git@gitserver:/srv/git/project.git
#virt-manager stuff
Start defualt
sudo virsh net-start default
Remove bridge
sudo ifconfig virbr0 dow sudo brctl delbr virbr0
List all
sudo virsh net-list --all
#rsync
sudo rsync -avxHAX --progress /sourcefiles/path /backup/path
#openvpn ciphr changes
Server; for /etc/config/openvpnconfig/nameofvpnserver.conf
tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
Client; for .ovpn config file
cipher AES-256-CBC
#next topic
#next topic
#next topic
— oemb1905 2017/12/18 23:04
