Listing posts

Displaying posts 1 - 5 of 326 in total
Setup fail2ban to protect services
mouse 2784 · person cloud · link
Last update
2024-03-13
2024
03-13
«secure apps/server with fail2ban jails
ssh and ssh ddos»

Install fail2ban:

1
apt-get install fail2ban

Configure fail2ban:

Put this file in in /etc/fail2ban/jail.d/local.conf (it is a modified copy of jail.conf):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[DEFAULT]
# space separeted list of IP addresses, CIDR masks, DNS hosts
ignoreip = 127.0.0.1/8 192.168.1.1/24

# number of seconds that a host is banned
bantime  = 3600

# a host is banned if it has generated "maxretry" during the
# last "findtime" seconds
findtime = 600
maxretry = 1

[sshd]
enabled  = true
maxretry = 1
mode     = extra

[sshd-ddos]
enabled  = true
maxretry = 1

Starting, status, unblock IPs:

1
2
3
4
5
6
7
8
9
10
# restart service after any config modification
systemctl restart fail2ban

# show jailing info/counters
fail2ban-client status
fail2ban-client status sshd
fail2ban-client status sshd-ddos

# look suspicious IPs in the logs
journalctl -f -t sshd

Ban management:

1
2
3
4
5
6
# unlock blocked IPs
fail2ban-client unban IP1 IP2 IP3 ...
fail2ban-client unban --all

# block an IP
fail2ban-client -vvv set sshd banip x.x.x.x

SSH tips

You can allow or deny access to specific users by editing /etc/ssh/sshd_config:

1
2
3
4
5
# allow ssh access only to users A and B and disallow all the others
AllowUsers user_a user_b

# deny ssh access only to users A and B and allow all the others
DenyUsers user_a user_b

in this way the SSH demon triggers a faster failure+ban for the disallowed users.


Source: debianizzati, digitalocean, stackoverflow


~~~ * ~~~

Setup an UPS monitor
mouse 3835 · person cloud · link
Last update
2024-03-09
2024
03-09
«NUT - Network UPS Tools»
1
apt-get install nut # install server

Set MODE=standalone in /etc/nut/nut.conf.

Append the user definition in /etc/nut/upsd.users:

1
2
3
4
[monuser]
password = ApAssWorD
allowfrom = localhost
upsmon master

Optionally, set the daemon to listen only on IPv4 (defaults to both v4 and v6), append in /etc/nut/upsd.conf:

1
LISTEN 127.0.0.1 3493

I had a Powercom KIN-1200AP connected via an USB to serial converter:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
# find the converter
lsusb | grep Serial # Bus 001 Device 009: ID 067b:2303 Prolific Technology, Inc. PL2303 Serial Port

# create an udev rule to fix its device name,
# append this in /etc/udev/rules.d/10-local.rules
ACTION=="add", KERNEL=="ttyUSB[0-9]*", SUBSYSTEMS=="usb", ATTRS{idVendor}=="067b", ATTRS{idProduct}=="2303", SYMLINK+="ttyUSB_UPS"

# append the UPS definition in /etc/nut/ups.conf
[myups]
driver = powercom
port = /dev/ttyUSB_UPS
desc = "Main supply"
loadPercentage = {6.1343,-0.3808,1.075,0.1811}
batteryPercentage = {5.0000,0.3268,-825.00,0.46511,0}

Now I have a Line-Interactive Eaton 5E 850i connected via USB:

1
2
3
4
5
# append the UPS definition in /etc/nut/ups.conf
[myups]
driver = usbhid-ups
port = auto
desc = "Main supply"

If you encounter the error usb_submit_urb(ctrl) failed: -1 when pluggin in the USB cable then append to your kernel boot params the NOGET quirk for this UPS (idVendor=0463, idProduct=ffff):

1
usbhid.quirks=0x0463:0xffff:0x08

Check the configured UPS status with the command upsc myups.

Configure the monitor in /etc/nut/upsmon.conf:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
MONITOR myups@localhost 1 monuser ApAssWorD master

# setup a custom script to notify you
NOTIFYCMD /opt/ups/nut_notify_cmd.sh

# customize notification messages
NOTIFYMSG ONLINE   "UPS: Power restored - shutdown cancelled"
NOTIFYMSG ONBATT   "UPS: Power failure - shutdown countdown started"
NOTIFYMSG REPLBATT "UPS: Battery exhausted, replacement needed"
NOTIFYMSG SHUTDOWN "UPS: Battery low - running immediate shutdown"

# enable some logging
NOTIFYFLAG ONLINE   SYSLOG+EXEC
NOTIFYFLAG ONBATT   SYSLOG+EXEC
NOTIFYFLAG LOWBATT  SYSLOG+WALL+EXEC 
NOTIFYFLAG REPLBATT SYSLOG+WALL+EXEC
NOTIFYFLAG SHUTDOWN SYSLOG+WALL
NOTIFYFLAG COMMOK   SYSLOG
NOTIFYFLAG COMMBAD  SYSLOG

Add the nut user to dialout group:

1
useradd -G dialout nut

Restart the services and test the ups:

1
2
3
4
5
6
systemctl restart nut-driver
systemctl restart nut-server
systemctl restart nut-monitor

upsc -l     # list all monitored UPSes
upsc myups  # show UPS details and status

Note: Uninstall xfce-powermanager or you will get an USB communication error requiring a system reboot in order to clear it.

Note: To cleanly unmount VeraCrypt volumes you can use this NOTIFYCMD script:

1
2
3
4
5
6
7
8
9
10
11
12
13
#!/bin/bash

# /opt/ups/nut_notify_cmd.sh - nut NOTIFYCMD script

# put in /etc/sudoers.d/local:
# nut raoul = (root)  NOPASSWD: /sbin/shutdown, /opt/systemd-units/vc-mounter.rb

if [ "$NOTIFYTYPE" = "ONBATT" ]; then
  /opt/bin/shutdown -h 600 &
elif [ "$NOTIFYTYPE" = "ONLINE" ]; then
  sleep 3 # wait for first command to start
  /opt/bin/shutdown -c     &
fi

that uses this useful shutdown script:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
#!/usr/bin/ruby

$VERBOSE = nil

# /opt/bin/shutdown - emulate shutdown command and unmount VeraCrypt volumes

require 'optparse'
require 'shellwords'

opts = {}
OptionParser.new{|o|
  o.banner = "Usage: #{File.basename __FILE__} [options]"

  o.on('-r', '--reboot   [N]', Float, 'Reboot   after N seconds (default=0)') do |n|
    opts.merge! action: :reboot, delay: n.to_f
  end

  o.on('-h', '--poweroff [N]', Float, 'Poweroff after N seconds (default=0)') do |n|
    opts.merge! action: :shutdown, delay: n.to_f
  end

  o.on('-c', '--cancel', 'Cancel a pending operation') do |enabled|
    opts.merge! action: :cancel
  end

  opts.merge! help: o.to_s
}.parse!

case opts[:action]
  when :cancel
    `pgrep -fl vc-mounter.rb`
    if $?.to_i == 0
      puts 'aborted'
      exit
    end
    # kill all but yourself
    pids = `pgrep -f ruby.*shutdown`.split("\n").map(&:to_i) - [Process.pid]
    pids.each{|pid| system "kill #{pid}" }
  when :reboot, :shutdown
    sleep opts[:delay]
    `sudo swapon | grep " file " | cut -f 1 -d " "`.strip.split("\n").
      each{|f| system "sudo swapoff #{f.shellescape}" }
    system 'sudo /opt/systemd-units/vc-mounter.rb umount'
    system "sudo /usr/sbin/shutdown -#{opts[:action] == :reboot ? :r : :h} 0 &"
  else
    puts opts[:help]
end

Source: eaton ups setup


~~~ * ~~~

Video editing software
mouse 663 · person cloud · link
Last update
2024-03-08
2024
03-08
«video editor»
  1. shotcut appimage
  2. kdenlive appimage
  3. openshot appimage
  4. flowblade deb

Source: itsfoss.com


~~~ * ~~~

extract first frame from animated GIF
mouse 38 · person cloud · link
Last update
2024-03-06
2024
03-06
« — »
1
2
3
4
5
# from file
convert image.gif[0] first_frame.gif

# from stdin
cat image.gif | convert -'[0]' first_frame.gif

Source: stackoverflow


~~~ * ~~~

Linux default date & time format
mouse 25 · person cloud · link
Last update
2024-03-04
2024
03-04
« — »
  1. find your current locale
1
2
locale | grep LC_TIME
# => LC_TIME="en_US.UTF-8"
  1. edit the corresponding file /usr/share/i18n/locales/en_US

  2. change values to your liking:

1
2
3
4
d_t_fmt "%a %d %b %Y %T %Z"
d_fmt   "%Y//%m//%d"
t_fmt   "%T"
date_fmt "%a %d %b %Y %T %Z"
  1. regenerate locales and re-login
1
2
locale-gen
update-locale

Source: linuxopsys