Archive for the ‘Linux’ Category

Easy Layer 2 Site to Site VPN

January 17th, 2025

When you need to connect two sites that share the same IP subnet, you need a Site to Site VPN on Layer 2, that is, a non-routing (bridged) VPN between the sites. Let's assume we have the following setup:

(image: Easy network schema)

We need to make sure that computer 10.30.31.10 can reach computer 10.30.31.20 and vice versa.

We need two Linux servers. I love the Debian distribution, so I installed a Debian server at each site. Both servers have two interfaces:

ens192 – the first interface, used for management and for the SSH connection. It has an IP address and is the working interface.

ens224 – the second interface, plugged into the LAN we want to connect. It acts like a cable patched into the LAN: it has no IP settings and is only brought up.

One server has to be reachable from the other site, because the tunnel is an SSH connection from one site to the other. I published TCP/22 (SSH) of SITE B on the Internet, so the Debian server in SITE A can open an SSH connection to the Debian server in SITE B. Remember that this port will carry raw Ethernet frames from the whole LAN, so protect it: allow key-based authentication only and restrict the source addresses if you can. You need to install the following packages on Debian:

uml-utilities
bridge-utils
net-tools

Run the following commands on both Linux servers:

echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward

Note that a pure Layer 2 bridge forwards Ethernet frames without routing, so these two settings are not what makes the tunnel work; they do no harm here, but you can leave them out if nothing on the server routes. Writing to /proc is lost on reboot, and sysctl -p only reloads what is in /etc/sysctl.conf, so to make the settings permanent add them there (or in a file under /etc/sysctl.d/):

net.ipv4.conf.all.proxy_arp = 1
net.ipv4.ip_forward = 1

and load them with:

sysctl -p

On the server that will act as the SSH server, change the following settings in /etc/ssh/sshd_config (and restart sshd afterwards):

PermitRootLogin yes
PermitTunnel yes

PermitTunnel is off by default, and the login has to be privileged because opening the tun/tap device needs root on both ends. PermitRootLogin yes, however, also lets root log in with a password; on a port published to the Internet use PermitRootLogin prohibit-password instead, which keeps the tunnel working with key authentication only.

Now we are ready to make the SSH connection between the Linux servers. Run the following command on the "ssh client" server to connect to the "ssh server" server:

ssh -f -o Tunnel=ethernet -o TunnelDevice=0:0 -w 0:0 root@IP_SSH_SERVER true

This command opens the SSH connection and creates a tap0 interface on each server: -o Tunnel=ethernet asks for a Layer 2 (tap) tunnel instead of the default point-to-point (tun) one, -w 0:0 pairs local tap0 with remote tap0, -f puts the session in the background and true is the (trivial) remote command. The tap interfaces exist for as long as the connection stays up. Now we need to bridge the interfaces to make the VPN work. Run the following commands on BOTH servers:

Create bridge interface:

brctl addbr br0

Add “cable” interface ens224 and VPN TAP interface into bridge:

brctl addif br0 tap0
brctl addif br0 ens224

And now put all those interfaces up:

ifconfig ens224 up
ifconfig tap0 up
ifconfig br0 up
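The same bridge setup, as an added example that is not part of the original post: it uses iproute2 (the maintained replacement for brctl/ifconfig), can print the commands instead of running them (DRY_RUN=1, no root needed), and audits the two sshd_config settings the post changes. Interface names follow the post (ens224, tap0, br0) and can be overridden through the environment; the check assumes a stock Debian sshd_config without Match blocks or Include files, which sshd would otherwise evaluate.

```shell
#!/bin/sh
# Added example, not from the original post: bring up the bridge side of the
# SSH Layer 2 tunnel with iproute2 and audit the sshd_config changes.
# Interface names follow the post (ens224, tap0, br0); override via environment.
# DRY_RUN=1 prints the commands instead of executing them (no root needed).

LAN_IF="${LAN_IF:-ens224}"
TAP_IF="${TAP_IF:-tap0}"
BR_IF="${BR_IF:-br0}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Run on BOTH servers after "ssh -w 0:0 ..." has created $TAP_IF.
# br0 gets no IP address: it only forwards Ethernet frames between the LAN
# interface and the tap. Prints/executes exactly six commands.
l2vpn_bridge_up() {
    run ip link add name "$BR_IF" type bridge
    run ip link set dev "$LAN_IF" master "$BR_IF"
    run ip link set dev "$TAP_IF" master "$BR_IF"
    run ip link set dev "$LAN_IF" up
    run ip link set dev "$TAP_IF" up
    run ip link set dev "$BR_IF" up
}

# sshd_opt FILE KEYWORD: the effective global value of a keyword. sshd uses
# the FIRST occurrence of a keyword. Assumption: no Match blocks or Include
# files (true for a stock Debian config); those are not followed here.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1"
}

# check_sshd_config FILE: returns 0 if the Layer 2 tunnel is enabled and root
# login is key-only, 1 otherwise. "PermitRootLogin yes" also accepts a root
# password on an Internet-facing port; prohibit-password keeps keys working.
check_sshd_config() {
    rc=0
    tunnel=$(sshd_opt "$1" PermitTunnel)
    root=$(sshd_opt "$1" PermitRootLogin)
    root="${root:-prohibit-password}"   # sshd default when the keyword is absent
    case "$tunnel" in
        yes|ethernet) echo "OK   PermitTunnel $tunnel" ;;
        *) echo "WARN PermitTunnel is '${tunnel:-unset}', layer 2 tunnel will be refused"; rc=1 ;;
    esac
    case "$root" in
        prohibit-password|without-password) echo "OK   PermitRootLogin $root" ;;
        yes) echo "WARN PermitRootLogin yes: root password login allowed, use prohibit-password"; rc=1 ;;
        *) echo "WARN PermitRootLogin is '$root': root cannot open the tunnel"; rc=1 ;;
    esac
    return "$rc"
}

case "${1:-}" in
    up)    l2vpn_bridge_up ;;
    check) check_sshd_config "${2:-/etc/ssh/sshd_config}" ;;
esac
```

Run it as "sh script.sh check" on the SSH server before exposing the port, and "sh script.sh up" (or DRY_RUN=1 to preview) on both servers once the ssh -w command has created tap0.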

Now everything is set up and the site-to-site VPN works like a charm. I never thought it was that easy to create such a connection. Two things to keep in mind: bridging ens224 merges the two LANs into one broadcast domain (including DHCP and every other broadcast), and the frames travel inside a TCP session, so throughput and latency are those of the SSH connection. If the connection drops, the tap0 interfaces disappear with it; re-run the ssh command and add the new tap0 to the bridge again.

If you have VMware, the settings needed:

(image: VMware settings)

If you have Hyper-V, the settings needed:

(image: Hyper-V settings)

Enjoy.

That's all folks,

Quickie: Problem accessing FTP using PHP

February 9th, 2015

One of our customers asked me to install and set up software to manage FTP storage via a web page. We decided to install the ftp2net free version. I tested it on my test server without any problem. On the customer's server I ran into problems. The installation went well, but when I tried to log in to the ftp2net website I received an error that the connection was refused. I checked whether PHP safe mode was on; it was off. Then I checked whether the PHP setting allow_url_fopen was on; it was on, so I turned it off. The website still didn't work. Eventually I started tcpdump and looked at the network interfaces for any FTP traffic. There was none. When I tried an FTP connection from the shell on the server, I could connect and I also saw the FTP traffic in tcpdump. It was weird: something blocked the initiation of FTP connections from the Apache processes.

I found the solution after lunch 🙂 It was SELinux, the mandatory access control feature of the Linux kernel. That also explains why tcpdump showed nothing: the denial happens in the connect() call, before any packet leaves the host. I had to run:

setsebool -P httpd_can_network_connect 1

This command turns on the SELinux boolean httpd_can_network_connect, which allows httpd/Apache processes to initiate outbound network connections; -P makes the change persistent across reboots. It does not disable SELinux, only this one restriction. Before flipping a boolean, confirm the cause in the audit log: denials are recorded as AVC records in /var/log/audit/audit.log (ausearch -m avc -c httpd), and audit2why explains which boolean, if any, would allow the access.
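The check described above, as an added example that is not part of the original post: a small filter that summarises the AVC denials for one process name so you can see what was refused (here a name_connect on an FTP port) before deciding which boolean to set. The audit lines in the test are constructed for the example; they follow the kernel's standard AVC record layout but are not from the customer's server.

```shell
#!/bin/sh
# Added example, not from the original post: summarise SELinux AVC denials for
# one process name before deciding which boolean (if any) to flip.
# Reads audit log lines (the kernel's "type=AVC ... avc:  denied  { perm }
# for pid=... comm="..." ... tcontext=... tclass=..." records) from a file
# or from stdin and ignores every other record type.

# avc_summary COMM [FILE]
# Prints one line per denial of COMM: "comm permission class target-context".
avc_summary() {
    comm="$1"; shift
    awk -v want="$comm" '
        /^type=AVC/ && /avc: +denied/ {
            c = ""; perm = ""; cls = ""; tctx = ""
            # comm="httpd"        -> strip the 6-char prefix and closing quote
            if (match($0, /comm="[^"]*"/))      c = substr($0, RSTART + 6, RLENGTH - 7)
            # denied  { name_connect } -> keep only the permission name
            if (match($0, /denied +\{[^}]*\}/)) {
                perm = substr($0, RSTART, RLENGTH)
                sub(/denied +\{ */, "", perm); sub(/ *\}/, "", perm)
            }
            if (match($0, /tclass=[^ ]*/))      cls  = substr($0, RSTART + 7, RLENGTH - 7)
            if (match($0, /tcontext=[^ ]*/))    tctx = substr($0, RSTART + 9, RLENGTH - 9)
            if (c == want) printf "%s %s %s %s\n", c, perm, cls, tctx
        }' "$@"
}

# Count identical denials: the usual way to spot the one that matters.
avc_counts() {
    avc_summary "$@" | sort | uniq -c | sort -rn
}

case "${1:-}" in
    summary) shift; avc_summary "$@" ;;
    counts)  shift; avc_counts "$@" ;;
esac
```

On the server this is "sh avc.sh counts httpd /var/log/audit/audit.log"; a denial of name_connect on tcp_socket with a *_port_t target is exactly the case httpd_can_network_connect covers, while a file denial points at a labelling problem that no network boolean will fix.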

I wanted to spend 10 minutes on this product, but I spent almost half a day debugging this issue 🙂

Have a nice day,

Quickie: Use pfx certificate in linux

January 27th, 2015

When you export a certificate together with its private key on Windows, you get a password-protected .pfx (PKCS#12) file. To use the certificate on Linux you usually need it split into .crt and .key files. You can use the following commands to convert it:

[root@nagios]# openssl pkcs12 -in nagios.pfx -clcerts -nokeys -out nagios.crt
Enter Import Password:
MAC verified OK
[root@nagios]# openssl pkcs12 -in nagios.pfx -nocerts -nodes -out nagios.key
Enter Import Password:
MAC verified OK

Now you have the .crt and .key files, which can be used on Linux. A few things to keep in mind: -nodes writes the private key unencrypted, so create it with a restrictive umask or chmod 600 it immediately; -clcerts extracts only the end-entity certificate, so if the .pfx also carries the issuing CA chain, pull it out separately with -cacerts -nokeys; and on OpenSSL 3.x a .pfx exported by older Windows versions may use legacy RC2/3DES encryption and needs the -legacy option to open.
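The same conversion as an added example, not part of the original post: it creates the key file unreadable to others, extracts the CA chain as well, and verifies that the certificate and key actually belong together (pairing a renewed .crt with the previous .key is the classic mistake). It assumes the openssl command-line tool is installed; the file names and the password are example values.

```shell
#!/bin/sh
# Added example, not from the original post: split a .pfx into cert, chain and
# key with safe permissions, then verify the cert/key pair.
# Assumes the openssl CLI; file names and password are example values.

# pfx_split PFX OUTBASE PASSWORD
# Writes OUTBASE.crt (end-entity cert), OUTBASE-chain.crt (CA certs, empty when
# the .pfx holds only one certificate) and OUTBASE.key (unencrypted, mode 0600).
# Add "-legacy" to the pkcs12 calls on OpenSSL 3.x if a .pfx exported by older
# Windows fails with an unsupported-algorithm error.
pfx_split() {
    pfx="$1"; base="$2"; pass="$3"
    (
        umask 077   # key material must never be created world-readable
        openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$base.crt" &&
        openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$base-chain.crt" &&
        openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$base.key"
    ) 2>/dev/null || return 1
    chmod 644 "$base.crt" "$base-chain.crt"   # certificates are public
    chmod 600 "$base.key"
}

# cert_key_match CRT KEY
# Returns 0 when the public key inside the certificate equals the public key
# derived from the private key, 1 otherwise (including unreadable inputs).
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    empty=$(printf '' | openssl sha256)   # hash of no output = parse failure
    [ "$c" != "$empty" ] && [ "$c" = "$k" ]
}

case "${1:-}" in
    split) pfx_split "$2" "$3" "$4" ;;
    match) cert_key_match "$2" "$3" && echo "certificate and key match" ;;
esac
```

Usage: "sh pfx.sh split nagios.pfx nagios 'the-export-password'" followed by "sh pfx.sh match nagios.crt nagios.key"; run the match check again after every certificate renewal before restarting the service that uses the files.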

That’s all folks,


Quickie: Clean up your bash history

September 30th, 2014

Sometimes when you work on Linux in bash you don't want to leave commands in the bash history (.bash_history). An easy way to stop recording them is to run the following command in that shell:

HISTSIZE=0

This empties the in-memory history of the current shell and nothing new is recorded, so nothing from this session is written when you log off. Note that it does not touch what is already in ~/.bash_history; to discard that as well set HISTFILESIZE=0 (which truncates the file) or run history -c followed by history -w. Alternatively, unset HISTFILE keeps the history available during the session but never saves it. Keep in mind that these commands are exactly what an intruder runs to cover tracks, so on systems you defend they are worth alerting on rather than relying on .bash_history as evidence.


Problem with random generator /dev/random

June 27th, 2013

Yesterday a friend called me because he wanted to migrate a website to his web server. I created the hosting for him and then the problems began. When he accessed one .php file the browser kept "working" but nothing happened. There was nothing in the server logs about any problem. Nothing.

So I started to investigate. CPU was fine, RAM was fine, disk queue length was fine. So I focused on that particular .php file and ran the following command:

strace php -f PATH_TO_PHP_FILE

and I saw:

(image: strace output of the PHP file)

and it did not move forward. After a couple of tens of seconds it advanced by one line. It looked like a problem with /dev/random. When I looked into the file crypt.class.php

(image: PHP file source)

I saw the function mcrypt_create_iv(), which creates an initialization vector from a random source. And that was it: the random source was /dev/random, the default at the time. You can change the source by passing MCRYPT_DEV_URANDOM as the second parameter. With that change everything worked as it should and the PHP page was generated normally. (mcrypt was later deprecated in PHP 7.1 and removed from core in 7.2; random_bytes() is the modern replacement for generating IVs.) When I ran cat /dev/random I received a few random characters and, after a couple of tens of seconds, a few more:

(image: slow /dev/random)

So this looked like a slow /dev/random. When I tried cat /dev/urandom my screen filled with random characters. I started to look for the differences between /dev/random and /dev/urandom. The kernel collects noise from device drivers into an entropy pool and keeps an estimate of how many bits it holds. When the estimate drops to zero, reads from /dev/random block until more entropy arrives. /dev/urandom never blocks: it keeps producing output from the same cryptographic generator (it does not hand out old bits again), which is why it is the right source for IVs, session keys and similar uses. You can check the estimate with cat /proc/sys/kernel/random/entropy_avail. (Since Linux 5.6 /dev/random only blocks until the pool has been initialised once at boot, so this problem no longer occurs on current kernels.) More info here.

So how do you make entropy accumulate faster? The rng-tools daemon (rngd) feeds the kernel pool from a random number source. To make it work on Debian you have to do the following:

  • apt-get install rng-tools
  • Edit file /etc/default/rng-tools
  • In file set HRNGDEVICE=/dev/urandom
  • Start up daemon /etc/init.d/rng-tools start

When I started this daemon /dev/random started producing lots of random characters. 🙂 Be aware that HRNGDEVICE=/dev/urandom feeds the kernel's own output back into its pool as if it were hardware entropy, so it only inflates the estimate and unblocks /dev/random; it adds no real randomness. If the machine has a real source (/dev/hwrng, or virtio-rng in a virtual machine) point rngd at that instead, or use haveged.
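A quick diagnostic for the symptom above, as an added example that is not part of the original post: it reports the kernel's entropy estimate and checks whether a device hands over a fixed number of bytes within a timeout, which is how a blocking /dev/random shows up without having to strace the application. It assumes coreutils (head, timeout, wc); the byte counts and timeouts are example values.

```shell
#!/bin/sh
# Added example, not from the original post: diagnose a slow random source.
# Reports the kernel's entropy estimate and whether a device delivers N bytes
# within a timeout (a blocking /dev/random shows up as a timeout here).
# Needs coreutils (head, timeout, wc). Byte counts/timeouts are example values.

entropy_avail() {
    cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo unknown
}

# read_with_timeout DEVICE BYTES SECONDS
# Prints the number of bytes actually read; returns 0 when the full amount
# arrived in time, 1 otherwise (timeout kills head, wc counts what got through).
read_with_timeout() {
    dev="$1"; want="$2"; secs="$3"
    got=$(timeout "$secs" head -c "$want" "$dev" 2>/dev/null | wc -c)
    got=$(printf '%s' "$got" | tr -d ' ')   # some wc builds pad the count
    printf '%s\n' "$got"
    [ "$got" -eq "$want" ]
}

# Compare both devices the way the post did with cat, but with a bound.
random_report() {
    echo "entropy_avail: $(entropy_avail)"
    for dev in /dev/random /dev/urandom; do
        if n=$(read_with_timeout "$dev" 4096 5); then
            echo "$dev: ok ($n bytes)"
        else
            echo "$dev: BLOCKED, only $n of 4096 bytes in 5s"
        fi
    done
}

case "${1:-}" in report) random_report ;; esac
```

"sh random_check.sh report" on the affected server shows /dev/urandom completing instantly and, on a kernel of that era with an empty pool, /dev/random stalling; on a kernel from 5.6 on both complete.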

So this took four hours of my life. I have been working with Linux for a couple of years, but I had no idea about the difference between /dev/random and /dev/urandom. I'm smarter now.

Have a nice day,


HP-UX problem with disks from SAN

June 14th, 2012

We had a project replacing SAN switches. The customer has one old HP-UX (HP Unix) system, and this system is very sensitive to SAN changes.

Normal situation

You can list all hardware with the following command (http://www.bga.org/~lessem/psyc5112/usail/man/hpux/ioscan.1.html):

ioscan -fnC

Read more…

Add Unix commands into Windows

May 29th, 2012

When I want to feel like a guru, or I just need some Unix-based utilities on Windows, I used to install http://www.cygwin.com/. It's cool. But I recently found out that Windows has native support for Unix-based applications.

Read more…
