Admins eHow SysAdmin Tips & Tricks

December 2, 2022

Redirect all DNS requests to local caching DNS server

Filed under: dns,linux — admin @ 2:44 am

For the caching DNS server I use the PowerDNS recursor. Install it first:

apt install pdns-recursor

By default it listens on 127.0.0.1:53 and should work right after installation, but for faster performance I want it to forward all queries to 8.8.8.8, Google’s public DNS server. So edit /etc/powerdns/recursor.conf and add the following line:

forward-zones-recurse= .=8.8.8.8;

Restart the service after the config change:

systemctl restart pdns-recursor.service

Now you can test it:

dig yahoo.com @127.0.0.1

You should get a valid response.
Now let's redirect all DNS queries to our local server:

iptables -t nat -I OUTPUT -m owner --uid-owner pdns -j RETURN
iptables -t nat -I POSTROUTING -m owner --uid-owner pdns -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 127.0.0.1:53
iptables -t nat -A POSTROUTING -p udp --dport 53 -j SNAT --to-source 127.0.0.1

The first two rules exempt packets sent by the pdns user, so the recursor's own queries to the upstream server (8.8.8.8 in our case) are not redirected back to itself in a loop. Note that the rules only match UDP to port 53 generated on this host (the OUTPUT chain); queries sent over TCP, or coming from other machines that route through this box, are not redirected.
Done. Easy 😉
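An added check (example code, not from the post) that the redirect is really in force: it sends a plain UDP DNS query to 192.0.2.1, an address from the TEST-NET-1 documentation range that is assumed to be unroutable from this host, so the only way a reply can come back is through the DNAT rule handing the query to the local recursor. The target address and the yahoo.com test name are assumptions.

```python
import socket
import struct

# Assumption: nothing answers DNS at 192.0.2.1 (TEST-NET-1), so a reply to a
# query sent there can only have been produced by the local recursor after the
# nat OUTPUT rule rewrote the destination to 127.0.0.1.
TEST_RESOLVER = "192.0.2.1"

def build_query(name, qid):
    """Return a minimal DNS A/IN query (RD set) for name with transaction ID qid."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN

def parse_response(data, qid):
    """Return (rcode, answer_count) if data is a response to qid, else None."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:   # QR bit must be set on a response
        return None
    return flags & 0x000F, an

def redirect_active(name="yahoo.com", target=TEST_RESOLVER, timeout=2.0):
    """True if a query sent to target was answered, i.e. intercepted locally."""
    qid = 0x4242
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (target, 53))
        data, _ = sock.recvfrom(512)
    except OSError:            # timeout or ICMP unreachable: nobody answered
        return False
    finally:
        sock.close()
    return parse_response(data, qid) is not None

if __name__ == "__main__":
    print("DNAT redirect active" if redirect_active()
          else "no answer: queries are not being redirected")
```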

January 11, 2022

Log the memory usage of a process in Linux

Filed under: linux — admin @ 10:27 pm

Create log_memory_usage.py with the following contents:

#!/usr/bin/python3

import datetime, json, sys, time
import psutil

# Usage: ./log_memory_usage.py PID
pid = int(sys.argv[1])
proc = psutil.Process(pid)

# One JSON line per sample: [ISO timestamp, memory_info() fields as a dict]
with open('memory_usage_%d.log' % pid, 'a') as f:
    while True:
        try:
            info = proc.memory_info()._asdict()
        except psutil.NoSuchProcess:
            break  # the process has exited; stop logging
        f.write(json.dumps((datetime.datetime.now().isoformat(), info)) + "\n")
        f.flush()
        time.sleep(60)

Make it executable:

chmod +x log_memory_usage.py

Usage:

./log_memory_usage.py PID

By default it logs the memory usage info every 60 seconds to a file named memory_usage_PID.log in the same folder; if you want a different interval, change time.sleep(60) in the code.
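Added example (not part of the post) for reading the log the script produces: it parses the JSON lines, skips damaged ones, and reports peak RSS and the RSS growth rate between the first and last sample, which is the number you want when hunting a leak. The sample lines are constructed.

```python
import json
import sys
from datetime import datetime

# Constructed sample in the exact format log_memory_usage.py writes
# (one JSON list per line: ISO timestamp, psutil memory_info() fields).
SAMPLE_LOG = """\
["2022-01-11T22:00:00", {"rss": 104857600, "vms": 524288000}]
["2022-01-11T22:01:00", {"rss": 115343360, "vms": 524288000}]
["2022-01-11T22:02:00", {"rss": 125829120, "vms": 545259520}]
"""

def parse_log(text):
    """Yield (timestamp, rss_bytes) per well-formed line; skip damaged ones."""
    for line in text.splitlines():
        try:
            stamp, info = json.loads(line)
            yield datetime.fromisoformat(stamp), int(info["rss"])
        except (ValueError, KeyError, TypeError):
            continue  # blank or truncated line (e.g. from an unclean shutdown)

def summarize(text):
    """Return sample count, peak RSS and RSS growth in bytes/hour (first vs last sample)."""
    samples = list(parse_log(text))
    result = {"samples": len(samples), "peak_rss": None, "growth_per_hour": None}
    if not samples:
        return result
    result["peak_rss"] = max(rss for _, rss in samples)
    (t0, r0), (t1, r1) = samples[0], samples[-1]
    hours = (t1 - t0).total_seconds() / 3600
    if hours > 0:
        # steady positive growth over a long run is the classic leak signature
        result["growth_per_hour"] = (r1 - r0) / hours
    return result

if __name__ == "__main__":
    with open(sys.argv[1]) as fh:   # e.g. memory_usage_1234.log
        print(summarize(fh.read()))
```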

April 8, 2021

Resolving openconnect connection issues

Filed under: linux — admin @ 4:43 am

Recently I have switched from OpenVPN to OpenConnect as my main VPN solution, as somehow my ISP has blocked access to OpenVPN.
The first issue I encountered was very familiar: the connection hangs and a debug message like this appears: "Failed to read from SSL socket: The transmitted packet is too large (EMSGSIZE)". It was obvious to me that it had something to do with MTU settings, so after some digging into the docs I simply added the "--base-mtu 1450" argument to the OpenConnect client and it resolved the first issue.
But the second issue was much more baffling: some websites would work perfectly and some would hang in the middle of loading or simply refuse to connect at all. After some more digging into forums, I found the solution.

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

More info:
https://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.cookbook.mtu-mss.html
https://www.linuxtopia.org/Linux_Firewall_iptables/x4700.html

October 23, 2019

How to limit the number of incoming connections to a specific port

Filed under: linux,Security — admin @ 11:47 pm

Replace [PORT] and [CON_NUM] with the respective values. With --connlimit-mask 0 all source addresses are counted together, so the rule caps the total number of connections to the port; use --connlimit-mask 32 to apply the limit per client IP instead.

iptables -I INPUT -p tcp --syn --dport [PORT] -m connlimit --connlimit-above [CON_NUM] --connlimit-mask 0 -j REJECT --reject-with tcp-reset

October 22, 2019

How to add rc.local in Debian 9 & 10

Filed under: Debian,linux — admin @ 10:59 am

Debian has removed rc.local from its recent releases.
I have created a simple script that adds rc.local back to the system.
You need to run the following command as root:

bash <(curl -s https://www.adminsehow.com/wp-content/uploads/2019/10/rc-local.txt)

or, if you are wary of running a script straight from the internet, you can create rc-local.txt yourself and run it.
rc-local.txt:

#!/bin/bash

echo '[Unit]
Description=/etc/rc.local
ConditionPathExists=/etc/rc.local

[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99

[Install]
WantedBy=multi-user.target' > /etc/systemd/system/rc-local.service


echo '#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

exit 0' > /etc/rc.local

chmod +x /etc/rc.local
systemctl enable rc-local

May 21, 2015

Block Torrent Trackers on Linux

Filed under: linux,Security,Torrent — admin @ 2:38 am

Create "/etc/trackers" with the list of trackers that you want blocked.
My current file contains:

9.rarbg.com
announce.torrentsmd.com
bigfoot1942.sektori.org
bt.careland.com.cn
bttrack.9you.com
bttracker.crunchbanglinux.org
coppersurfer.tk
explodie.org
i.bandito.org
mgtracker.org
open.demonii.com
opensharing.org
torrent.fedoraproject.org
torrent.gresille.org
tracker.best-torrents.net
tracker.blucds.com
tracker.btzoo.eu
tracker.coppersurfer.tk
tracker.dler.org
tracker.istole.it
tracker.leechers-paradise.org
tracker.nwps.ws
tracker.openbittorrent.com
tracker.publicbt.com
tracker.tfile.me
tracker1.wasabii.com.tw

Duplicates in the list are fine; the script removes them.

Now create the "/usr/bin/blocktrackers" script:

#!/bin/bash

# Keep all tracker rules in their own chain and rebuild it on every run.
# Deleting by hostname ("-D ... -d host") only removes rules for the host's
# *current* IPs, so yesterday's rules would pile up once a tracker moves.
CHAIN=TRACKERS
/sbin/iptables -N $CHAIN 2>/dev/null
/sbin/iptables -F $CHAIN
for chain in INPUT FORWARD OUTPUT; do
        /sbin/iptables -C $chain -j $CHAIN 2>/dev/null || /sbin/iptables -I $chain -j $CHAIN
done

IFS=$'\n'
for fn in $(/usr/bin/sort -u /etc/trackers); do
        /sbin/iptables -A $CHAIN -d "$fn" -j DROP -m comment --comment "Tracker"
done

Make it executable and create a cron job to run it daily, because trackers change IP address often and the rules only know the addresses that resolved when the script last ran.

March 22, 2015

Linux dig utility for Windows x64

Filed under: dns,General,linux,Windows — admin @ 5:00 pm

I have created an installer for the Linux DNS dig utility for Windows x64. It is extracted from BIND 9.10.2.x64.
It installs dig into the system32 folder of Windows, so it is already in PATH and can be invoked from anywhere in the command prompt.

Download: DIG_9.10.2.x64

September 6, 2014

Send weekly reports of IPs logged into vsftpd

Filed under: linux — admin @ 10:25 am

root@X:[/etc/logrotate.d]: cat /etc/logrotate.d/vsftpd

/var/log/vsftpd.log
{
        create 640 root adm

        # ftpd doesn't handle SIGHUP properly
        missingok
        notifempty
        rotate 4
        weekly
        prerotate
                echo "<html><body><table>$(grep "OK LOGIN" /var/log/vsftpd.log | awk '{print $8" "$12}' | sort | uniq -c | awk '{print "<tr><td>"$2"</td><td>"$3"</td><td>"$1"</td></tr>"}')</table></body></html>" | mail -a "Content-type: text/html" -s 'FTP REPORT' mail@domain.com
        endscript
}
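Added example (not from the post) that does the same OK LOGIN aggregation in Python on constructed vsftpd log lines, and additionally counts FAIL LOGIN per client IP, which the awk one-liner discards; the sample lines and the failure threshold are constructed.

```python
import re
from collections import Counter

# Constructed sample in vsftpd's standard log format (not lines from the post's server).
SAMPLE_LOG = """\
Sat Sep  6 10:25:01 2014 [pid 2345] [alice] OK LOGIN: Client "203.0.113.5"
Sat Sep  6 10:26:10 2014 [pid 2350] [alice] OK LOGIN: Client "203.0.113.5"
Sat Sep  6 10:27:42 2014 [pid 2360] [bob] OK LOGIN: Client "198.51.100.7"
Sat Sep  6 10:28:03 2014 [pid 2361] [admin] FAIL LOGIN: Client "198.51.100.9"
Sat Sep  6 10:28:05 2014 [pid 2362] [admin] FAIL LOGIN: Client "198.51.100.9"
Sat Sep  6 10:28:07 2014 [pid 2363] [root] FAIL LOGIN: Client "198.51.100.9"
Sat Sep  6 10:29:00 2014 [pid 2364] CONNECT: Client "198.51.100.9"
"""

# Username in brackets ($8 in the awk version), result, then client IP in quotes ($12).
LOGIN_RE = re.compile(r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def count_logins(text):
    """Return (ok, fail): successes keyed by (user, ip), failures keyed by ip."""
    ok, fail = Counter(), Counter()
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue                       # CONNECT, UPLOAD, etc. are not logins
        if m["result"] == "OK":
            ok[(m["user"], m["ip"])] += 1
        else:
            fail[m["ip"]] += 1
    return ok, fail

def html_report(text, fail_threshold=3):
    """Same user/IP/count table as the logrotate hook, plus IPs with repeated failures."""
    ok, fail = count_logins(text)
    rows = "".join(f"<tr><td>{user}</td><td>{ip}</td><td>{n}</td></tr>"
                   for (user, ip), n in sorted(ok.items()))
    noisy = ", ".join(sorted(ip for ip, n in fail.items() if n >= fail_threshold)) or "none"
    return (f"<html><body><table>{rows}</table>"
            f"<p>IPs with {fail_threshold}+ failed logins: {noisy}</p></body></html>")
```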

September 1, 2014

Filter out comments and empty lines from config files

Filed under: Bash,linux — admin @ 12:38 pm

egrep -v "^[[:blank:]]*(#|$)" filename

Send email alerts if Adaptec raid fails in Linux

Filed under: linux — admin @ 10:56 am

For Adaptec RAID you need the arcconf tool to check the RAID status; for Debian you can install it following the instructions at this link:
http://hwraid.le-vert.net/wiki/DebianPackages
After arcconf is installed, create /usr/bin/raidcheck with the following content and make it executable:

#!/bin/bash
# Alert unless every "Status" line arcconf reports is Optimal (or Not Installed).
# If arcconf itself fails, treat that as an error too instead of reporting "OK".
CONFIG=$(arcconf GETCONFIG 1 2>&1) || CONFIG="Status : arcconf failed"
RESULT=$(echo "$CONFIG" | grep Status | grep -v "Not Installed" | grep -v Optimal)
if [ -n "$RESULT" ]; then
    wget -q "http://domain.com/notify.php?m=RAID_ERROR" -O /dev/null
else
    echo "Raid is OK"
fi

Note: In my script I have chosen to use a PHP script on another server to send the alert; this way I won't need to install a mail server on every server I am monitoring. You can do the same or change the wget line to whatever you want.
Put the script in cron to check the RAID status every 12 hours:

0 */12 * * * /usr/bin/raidcheck

Powered by WordPress