Thursday, 21 September 2017

Forwarding mail for the root user to an external address

Quite often I find that mail such as that generated by cron jobs is delivered to the local mailbox of the user the job runs as - for example root.

Using the 'aliases' file we can instruct that any mail destined for a specific local user be forwarded to another (internal or external) address - for example by adding the following line to /etc/aliases:

sudo vi /etc/aliases

root: yourname@externalemail.com

and ensure those changes take effect by rebuilding the alias database:

sudo newaliases

and finally reloading the mail server:

sudo service postfix reload
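One thing the three commands above do not show is how an alias is actually resolved: 'root' may point at another alias, which points at the final external address, and a typo can create a loop. The script below is an added example (not part of the original post) that follows such a chain through a constructed aliases(5)-format file; the file contents and the loop1/loop2 entries are made up for the demonstration.

```bash
#!/usr/bin/env bash
# Resolve a local recipient through an aliases(5)-format file the way the
# alias database built by newaliases is consulted: "root" may point at another
# alias, which points at the final address. The sample file is constructed here;
# it is not the system's /etc/aliases.

ALIASES_SAMPLE=$(mktemp)
cat > "$ALIASES_SAMPLE" <<'EOF'
# constructed sample in aliases(5) format
postmaster:   root
admin:        yourname@externalemail.com
root:         admin
loop1:        loop2
loop2:        loop1
EOF

# alias_target FILE NAME: print the first target listed for NAME, or nothing
# when NAME has no alias entry. Comment lines are ignored.
alias_target() {
    awk -v n="$2" '
        /^[[:space:]]*#/ { next }
        index($0, ":") > 0 {
            key = substr($0, 1, index($0, ":") - 1)
            gsub(/[[:space:]]/, "", key)
            if (key == n) {
                val = substr($0, index($0, ":") + 1)
                sub(/,.*$/, "", val)                    # first of a list
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                print val
                exit
            }
        }' "$1"
}

# resolve_alias FILE NAME: follow the alias chain to its final address.
# Gives up after 10 hops so a circular alias cannot spin forever.
resolve_alias() {
    name=$2
    hops=0
    while [ "$hops" -lt 10 ]; do
        next=$(alias_target "$1" "$name")
        [ -z "$next" ] && break
        name=$next
        hops=$((hops + 1))
    done
    printf '%s\n' "$name"
}

resolve_alias "$ALIASES_SAMPLE" root         # prints yourname@externalemail.com
resolve_alias "$ALIASES_SAMPLE" postmaster   # prints yourname@externalemail.com
```

On a real system the equivalent check after running newaliases is postalias -q root hash:/etc/aliases, which queries the compiled database rather than the text file; remember that the database is only rebuilt when newaliases is run, so an edit to /etc/aliases alone changes nothing.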

Tuesday, 19 September 2017

Installing / setting up Samba on CentOS 7

Firstly install the required packages (CentOS 7 ships yum as its package manager; dnf is its replacement on Fedora and CentOS 8):

sudo yum install samba samba-client samba-common

We'll use /mnt/backup for the directory we wish to share:

mkdir -p /mnt/backup

Make a backup copy of the existing samba configuration:

sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.orig

and add the following to /etc/samba/smb.conf:

[global]
workgroup = WORKGROUP
netbios name = centos
security = user
[ARCHIVE]
comment = archive share
path = /mnt/backup
public = no
valid users = samba1, @sambausers
writable = yes
browseable = yes
create mask = 0765

*NOTE*: [ARCHIVE] is the share name!

Let's proceed by creating our samba user (usermod -aG appends the group rather than replacing the user's existing supplementary groups, and smbpasswd sets the separate Samba password that the share will authenticate against):

groupadd sambausers
useradd samba1
usermod -aG sambausers samba1
smbpasswd -a samba1

Ensure the user / group has the relevant permissions:

chgrp -R sambausers /mnt/backup
chmod -R 0770 /mnt/backup

In my case this didn't work since this directory was a USB hard drive formatted with NTFS - so instead I had to set the group, owner and permissions as part of the mounting process in fstab - my fstab line looked something like:

UUID=XXXXXXXXXXXXXXX /mnt/backup ntfs umask=0077,gid=1001,uid=0,noatime,fmask=0027,dmask=0007 0 0

This ensures the group we created has access to the directory and that normal users do not have access to the files / directories. (Replace the 'gid' value with the id of the group you created, which you can obtain with getent group sambausers or grep sambausers /etc/group.)

If you have SELinux enabled you will want to change the security context on the directory you wish to export. chcon relabels it immediately but a filesystem relabel would undo that, so also record the rule with semanage (the pattern covers the directory and everything beneath it; run restorecon -R /mnt/backup afterwards if the labels ever need re-applying). The samba_enable_home_dirs boolean is only required if you also export users' home directories:

sudo yum -y install policycoreutils-python
sudo chcon -R -t samba_share_t /mnt/backup
sudo semanage fcontext -a -t samba_share_t "/mnt/backup(/.*)?"
sudo setsebool -P samba_enable_home_dirs on

Enable and start the relevant services (on CentOS / RHEL the systemd units are named smb and nmb; Debian-based distributions call them smbd and nmbd):

sudo systemctl enable nmb
sudo systemctl enable smb

sudo systemctl start nmb
sudo systemctl start smb

While smbd handles the file and printer sharing services, user authentication and data transfer, nmbd handles the NetBIOS name service requests generated by Windows machines.

Add the relevant firewall rules in (replace ethX with the interface the share should be reachable on, and consider restricting the source with -s to your LAN, since SMB should not be reachable from untrusted networks; rules added this way do not survive a reboot, and on a CentOS 7 host running firewalld use sudo firewall-cmd --permanent --add-service=samba followed by sudo firewall-cmd --reload instead):

sudo iptables -t filter -A INPUT -i ethX -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
sudo iptables -t filter -A INPUT -i ethX -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
sudo iptables -t filter -A INPUT -i ethX -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
sudo iptables -t filter -A INPUT -i ethX -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

From a Windows client we can test the share with something like:

cmd.exe
net use \\SERVER\archive

or from *nix using the smbclient utility.
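Before exposing the share it is worth checking the configuration for the mistakes that most often make a Samba share wider open than intended: guest access, no 'valid users' list, and a create mask that hands permissions to 'others'. The following is an added example (not from the post) that audits an smb.conf for those; it reads a constructed copy of the [global] / [ARCHIVE] configuration above with a deliberately weak extra share appended, not the live /etc/samba/smb.conf, and it only understands the handful of keys it names.

```bash
#!/usr/bin/env bash
# Audit an smb.conf for shares that can be reached without credentials or that
# hand out wider file permissions than intended. Added example: it reads a
# constructed copy of the configuration above (plus one deliberately weak share),
# not the live /etc/samba/smb.conf.

SMB_SAMPLE=$(mktemp)
cat > "$SMB_SAMPLE" <<'EOF'
[global]
workgroup = WORKGROUP
netbios name = centos
security = user
[ARCHIVE]
comment = archive share
path = /mnt/backup
public = no
valid users = samba1, @sambausers
writable = yes
browseable = yes
create mask = 0765
[dropbox]
comment = constructed share that an audit should flag
path = /srv/dropbox
guest ok = yes
writable = yes
EOF

# audit_smb_conf FILE: print one "SHARE: finding" line per problem and return
# 1 when anything was flagged, 0 when the file is clean.
audit_smb_conf() {
    awk '
        function trim(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return s }
        function flush() {
            if (share == "" || share == "global") return
            if (guest == "yes") {
                print share ": guest access enabled (public / guest ok = yes)"; n++ }
            if (users == "") {
                print share ": no \"valid users\" list, any Samba account may connect"; n++ }
            if (writable == "yes" && users == "") {
                print share ": writable share without a user restriction"; n++ }
            # last octal digit of the create mask is the permission for "others"
            if (mask != "" && substr(mask, length(mask), 1) != "0") {
                print share ": create mask " mask " grants permissions to others"; n++ }
        }
        /^[[:space:]]*[;#]/ { next }                       # comment line
        /^[[:space:]]*\[/ {                                # [share] header
            flush()
            share = $0; sub(/^[[:space:]]*\[/, "", share); sub(/\].*$/, "", share)
            guest = ""; users = ""; writable = ""; mask = ""
            next
        }
        index($0, "=") > 0 {
            key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            val = tolower(trim(substr($0, index($0, "=") + 1)))
            if (key == "public" || key == "guest ok") guest = val
            else if (key == "valid users") users = val
            else if (key == "writable" || key == "writeable") writable = val
            else if (key == "read only") writable = (val == "yes") ? "no" : "yes"
            else if (key == "create mask") mask = val
        }
        END { flush(); exit (n > 0) }
    ' "$1"
}

audit_smb_conf "$SMB_SAMPLE" || echo "findings above; fix them before exporting the share"
```

Run against the sample it reports the 0765 create mask on ARCHIVE (new files get r-x for everyone, even though the 0770 directory hides them) and three findings on the constructed dropbox share. Pair it with testparm -s, Samba's own syntax check, which this script does not replace.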

Erasing an MBR (or GPT) and / or partition table and data of a disk

This can be performed with dd. To wipe just the MBR boot code (the first 446 bytes of the first sector, which the BIOS executes after hardware initialisation) while leaving the partition table in place, issue:

sudo dd if=/dev/zero of=/dev/sdx bs=446 count=1

This zeroes only the first 446 bytes of the disk; the 64-byte partition table and the 2-byte boot signature that complete the sector are left intact. To erase the boot code and the partition table together we need to zero the whole first 512-byte sector:

sudo dd if=/dev/zero of=/dev/sdx bs=512 count=1

And then to erase the data on the disk we drop the count so that dd runs until it reaches the end of the device (with count=1 it would only zero the first 4 MiB; the 4M block size simply makes the writes efficient):

sudo dd if=/dev/zero of=/dev/sdx bs=4M

Note: while most modern drives use a physical sector size of 4096 bytes, the MBR and its partition table always occupy the first 512 bytes, so the offsets above do not change. Also be aware that overwriting with zeros is not a dependable erasure on SSDs, where wear levelling can leave copies of old blocks in place; use the drive's own secure-erase facility (blkdiscard, or hdparm's ATA security erase) for those.

GPT is slightly different: the first sector holds a protective MBR and the second holds the GPT header, so we need to ensure that the first 1024 bytes are zeroed:

sudo dd if=/dev/zero of=/dev/sdx bs=1024 count=1

Also be aware that the partition entry array follows the header (sectors 2 to 33 by default) and that a backup copy of the header and entries is stored in the last 33 sectors of the disk, so we need to work out the last block as well: blockdev --getsz /dev/sdx prints the size in 512-byte sectors. wipefs -a /dev/sdx or sgdisk --zap-all /dev/sdx clears the primary and backup GPT structures in one step.
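The offsets above are easy to get wrong by one, and trying them on a real disk is not a good way to learn. The following is an added example (not part of the post) that replays the bs=446 and bs=512 commands against a disk image file with recognisable markers placed where the boot code, partition table and signature live, and shows what each leaves behind; it also computes where a GPT backup header would sit from the image size. The image and its contents are constructed; conv=notrunc is added so that dd does not shorten the file (it makes no difference on a block device).

```bash
#!/usr/bin/env bash
# Replay the dd offsets above against a disk image file rather than a real
# device and inspect what each command leaves behind. Added example; the image
# and the fake boot code / partition table inside it are constructed here.

IMG=$(mktemp)

# make_image: a 1 MiB image with recognisable markers where the MBR fields live:
# bytes 0-445 boot code, 446-509 the four 16-byte partition entries, 510-511
# the 0x55 0xAA boot signature. conv=notrunc keeps the file's size intact
# (irrelevant for a block device, essential for a file).
make_image() {
    dd if=/dev/zero of="$IMG" bs=1024 count=1024 2>/dev/null
    printf 'BOOT' | dd of="$IMG" bs=1 seek=0   conv=notrunc 2>/dev/null
    printf 'PART' | dd of="$IMG" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$IMG" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# bytes_at FILE OFFSET LEN: hex of LEN bytes starting at OFFSET
bytes_at() { od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \t\n'; }

# describe FILE: one line summarising the three MBR regions
describe() {
    printf 'bootcode=%s ptable=%s sig=%s\n' \
        "$(bytes_at "$1" 0 4)" "$(bytes_at "$1" 446 4)" "$(bytes_at "$1" 510 2)"
}

# The two commands from the post, with conv=notrunc added for use on a file.
wipe_bootcode() { dd if=/dev/zero of="$1" bs=446 count=1 conv=notrunc 2>/dev/null; }
wipe_mbr()      { dd if=/dev/zero of="$1" bs=512 count=1 conv=notrunc 2>/dev/null; }

# gpt_backup_header_offset FILE: byte offset of the last 512-byte sector, where
# GPT keeps its backup header (the backup entry array sits in the 32 sectors
# before it). On a real disk the sector count comes from blockdev --getsz.
gpt_backup_header_offset() {
    size=$(wc -c < "$1")
    printf '%s\n' $(( (size / 512 - 1) * 512 ))
}

make_image
describe "$IMG"                 # bootcode=424f4f54 ptable=50415254 sig=55aa
wipe_bootcode "$IMG"
describe "$IMG"                 # bootcode=00000000 ptable=50415254 sig=55aa
wipe_mbr "$IMG"
describe "$IMG"                 # bootcode=00000000 ptable=00000000 sig=0000
gpt_backup_header_offset "$IMG" # 1048064
rm -f "$IMG"
```

The second describe line is the point: after the 446-byte wipe the partition table and the 55aa signature are still there, which is exactly why that command is the right one for removing a boot loader without losing the partitions, and the wrong one for sanitising a disk.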

Wednesday, 23 August 2017

Setting up DKIM for your domain / MTA

What is DKIM and how is it different to SPF?

Both DKIM and SPF provide protection for your email infrastructure.

SPF lets receivers check that the IP address delivering a message is one you have authorised to send mail for your domain, so that other hosts cannot spoof mail from it.

DKIM validates that the message was signed by a specific domain and ensures its integrity.

The two can (and should) be used together: DKIM ensures the integrity of a message, but a signed message can be re-sent unchanged (replayed) and potentially used for spam or phishing, whereas SPF checks that whoever is sending or re-sending the message is authorised to do so from that IP address.

How does DKIM work?

DKIM (or rather the MTA) inserts a digital signature, generated with the domain's private key, into each outgoing message; when another mail system receives it, it fetches the corresponding public key from a TXT record in the sending domain's DNS zone and verifies the signature, which both authenticates the sending domain and detects any modification in transit.

Setting up DKIM

For this example we'll use the domain 'example.com'. We should firstly generate a private / public key pair for use with DKIM. This can be done via numerous online wizards, but I'd strongly discourage this (for obvious reasons!). We'll instead use openssl to accomplish this:

openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key

We should also choose a 'selector', which is an arbitrary label such as TA9s9D0q3164rpz; it names this particular key so that several keys can be published for one domain and rotated independently.

The public portion goes into a TXT record in your zone file: take the body of public.key (everything between the BEGIN and END lines), join it into a single line and append it to 'p='. Make sure you replace the domain 'test.com' with yours and the selector value as well! A 2048-bit key is longer than the 255-character limit of a single TXT string, so most DNS providers require it to be split into several quoted strings, which resolvers concatenate, and prefixing the value with 'v=DKIM1;' is recommended:

Name: TA9s9D0q3164rpz._domainkey.test.com

Value: k=rsa; p=<base64-encoded public key>

and a second TXT record, which indicates how DKIM is configured for your domain:

Name: _domainkey.test.com

Value: t=y;o=~;

'o=' can either be "o=-" (which states that all messages are signed) or "o=~" (which states that only some of the messages are signed), and 't=y' marks the domain as being in testing mode. Note that this policy record comes from the older DomainKeys specification; DKIM verifiers following RFC 6376 do not consult it, and domain-level policy is now published through a DMARC record instead, so treat it as optional.

The private portion (along with the selector and domain name) is then provided to your MTA; how this is done differs depending on the MTA (with Postfix it is normally handled by a milter such as OpenDKIM).

Validating Results

To ensure that the DKIM validation is succeeding we need to inspect the mail headers - looking specifically at the 'Authentication-Results' header:

Authentication-Results: mail.example.com;
       dkim=pass header.i=@xyz.com;
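The two fiddly parts of the setup above are turning public.key into the record value (and splitting it into 255-character strings) and then reading the verdict back out of the header. The following is an added example, not from the post, that does both; the PEM body and the Authentication-Results header it works on are constructed placeholders, and the selector is the one used above. With a real key, point dkim_zone_line at the public.key produced by the openssl commands.

```bash
#!/usr/bin/env bash
# Build the DKIM key record from the public.key generated above, split it into
# the 255-character strings a TXT record requires, and read the verdict back out
# of an Authentication-Results header. Added example; the PEM body and header
# used below are constructed placeholders, not a real key or a real message.

# dkim_txt_value PUBLIC_KEY_PEM: the record value, i.e. the base64 body of the
# PEM file with the BEGIN / END lines removed and its line breaks joined.
dkim_txt_value() {
    printf 'v=DKIM1; k=rsa; p=%s\n' "$(grep -v '^-----' "$1" | tr -d '\r\n')"
}

# split_txt_strings VALUE: quote VALUE as consecutive strings of at most 255
# characters. A single TXT string is limited to 255 bytes and a 2048-bit RSA
# key is ~390 base64 characters, so the record must be given as several strings,
# which the resolver concatenates.
split_txt_strings() {
    v=$1
    out=""
    while [ -n "$v" ]; do
        chunk=$(printf '%s\n' "$v" | cut -c1-255)
        out="$out\"$chunk\" "
        v=$(printf '%s\n' "$v" | cut -c256-)
    done
    printf '%s\n' "${out% }"
}

# dkim_zone_line SELECTOR DOMAIN PUBLIC_KEY_PEM: a complete zone-file record
dkim_zone_line() {
    printf '%s._domainkey.%s. IN TXT %s\n' "$1" "$2" \
        "$(split_txt_strings "$(dkim_txt_value "$3")")"
}

# dkim_verdict HEADER_FILE: the dkim= result (pass, fail, none, ...) from an
# Authentication-Results header, or "missing" if there is none.
dkim_verdict() {
    r=$(sed -n 's/.*dkim=\([a-z]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${r:-missing}"
}

# Constructed inputs: a PEM with a placeholder body, and a header like the one above.
PEM_SAMPLE=$(mktemp)
cat > "$PEM_SAMPLE" <<'EOF'
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
constructedPlaceholderNotARealKey
-----END PUBLIC KEY-----
EOF
AUTHRES_SAMPLE=$(mktemp)
cat > "$AUTHRES_SAMPLE" <<'EOF'
Authentication-Results: mail.example.com;
       dkim=pass header.i=@example.com;
       spf=pass smtp.mailfrom=example.com
EOF

dkim_zone_line TA9s9D0q3164rpz example.com "$PEM_SAMPLE"
dkim_verdict "$AUTHRES_SAMPLE"   # pass

# With a real key from the openssl commands above, the same function publishes it:
#   dkim_zone_line TA9s9D0q3164rpz example.com public.key
```

After publishing, dig +short TXT TA9s9D0q3164rpz._domainkey.example.com should return the quoted strings exactly as generated; a record that was truncated or pasted on one line is the usual cause of a dkim=fail or dkim=permerror verdict.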


Wednesday, 16 August 2017

Creating an internal / NAT'd network using a vSwitch on Server 2012 / 2016

We'll firstly need to install the Hyper-V role - since we'll require the management tools in order to create our interface:

Install-WindowsFeature Hyper-V -IncludeManagementTools
Install-WindowsFeature Routing -IncludeManagementTools

However I had the following message returned when attempting installation:

Hyper-V cannot be installed: A hypervisor is already running.

As I was running under VMware I had to install the feature using a slightly different method (bear in mind we have no intention of using the Hyper-V hypervisor - we only want to take advantage of its virtualised networking capabilities).

So instead I installed Hyper-V with:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart

and the management tools with:

Install-WindowsFeature RSAT-Hyper-V-Tools -IncludeAllSubFeature

Ensure the NAT routing protocol is available to RRAS: 'Administrative Tools' >> 'Routing and Remote Access' >> expand the server and then IPv4, right-click 'General' and select 'New Routing Protocol' >> select NAT.

We can now create our new virtual switch with:

New-VMSwitch -SwitchName "SwitchName" -SwitchType Internal

and assign the interface with an IP:

New-NetIPAddress -IPAddress 10.0.0.1 -PrefixLength 16 -InterfaceIndex <id>

(You can get the associated interface index with Get-NetAdapter; the internal switch appears as an adapter named 'vEthernet (SwitchName)'.)

At this point you won't be able to ping any external hosts from that interface - we can verify that using the '-S' switch with ping, which sets the source address:

ping -S 10.0.0.1 google.com

So we'll need to enable NAT for that prefix with:

New-NetNat -Name "NATNetwork" -InternalIPInterfaceAddressPrefix 10.0.0.0/16

and then attempt to ping from the interface again:

ping -S 10.0.0.1 google.com

Wednesday, 9 August 2017

Useful find command examples in Linux

The below is a compilation of 'find' commands that I often use myself.

Finding files greater (or smaller) than 50 MiB (GNU find takes an upper-case 'M' for mebibytes; a lower-case 'm' is rejected as an invalid argument):

find /path/to/directory -size +50M

find /path/to/directory -size -50M

Finding files with a specific name pattern / extension (quote the pattern so the shell does not expand it before find sees it):

find /path/to/directory -name "prefix_*.php"

Finding files (or folders) with specific permissions (-perm 777 matches that exact mode only; -perm -002 would match any file writable by others, whatever its other bits):

find /home -type f -perm 777

Finding files whose status (content, permissions or ownership) changed in the last hour; use -mmin instead of -cmin for content changes only:

find / -cmin -60

Performing an action on matched files (-exec switch). Review the match list with -print or -ls first, because the command below removes everything changed in the last hour:

find / -cmin -60 -exec rm {} \;
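The -perm and -exec forms above are the ones that matter in a security review, so here is an added example (not from the post) that applies them to the two classic checks, world-writable files and set-uid executables, and then fixes the first with a batched -exec. It builds a throwaway tree in a temporary directory so it can be run safely; the file names and modes are constructed.

```bash
#!/usr/bin/env bash
# Apply find's permission tests and -exec to a security audit: list
# world-writable files and set-uid executables under a tree, then strip the
# other-write bit in one batched chmod. Added example; the tree is constructed
# in a temporary directory so it runs offline.

# make_tree: constructed sample tree; prints its path
make_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/tmp"
    : > "$d/bin/tool";    chmod 4755 "$d/bin/tool"     # set-uid executable
    : > "$d/tmp/scratch"; chmod 666  "$d/tmp/scratch"  # world-writable
    : > "$d/tmp/notes";   chmod 644  "$d/tmp/notes"    # fine as it is
    printf '%s\n' "$d"
}

# world_writable_files DIR: regular files with the other-write bit set.
# -perm -MODE matches when *all* bits in MODE are set, so -002 means "writable
# by others regardless of the remaining bits"; -perm 777 would only match the
# exact mode.
world_writable_files() { find "$1" -type f -perm -002; }

# setuid_files DIR: regular files with the set-uid bit (4000) set
setuid_files() { find "$1" -type f -perm -4000; }

# recently_changed DIR MINUTES: files whose inode changed within MINUTES,
# printed with -ls so the matches can be reviewed before any -exec is attached
recently_changed() { find "$1" -type f -cmin "-$2" -ls; }

# fix_world_writable DIR: remove the other-write bit. "-exec ... {} +" passes
# many paths to one chmod instead of forking once per file as "\;" does.
fix_world_writable() { find "$1" -type f -perm -002 -exec chmod o-w {} +; }

TREE=$(make_tree)
world_writable_files "$TREE"   # $TREE/tmp/scratch
setuid_files "$TREE"           # $TREE/bin/tool
fix_world_writable "$TREE"
world_writable_files "$TREE"   # (nothing)
recently_changed "$TREE" 60 >/dev/null
rm -rf "$TREE"
```

On a real host you would run setuid_files against / (adding -xdev to stay on one filesystem) and compare the list against the package manager's expectations; an unexpected set-uid binary in /tmp or a home directory is worth an incident ticket, not a chmod.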

Saturday, 5 August 2017

Adding a custom / unlisted resolution in Fedora / CentOS / RHEL

Sometimes I find that xrandr doesn't advertise all of the resolutions a graphics card supports - this can be down to using an unofficial or older driver.

However in Fedora the latest drivers for Intel graphics cards are usually bundled in - yet xrandr is only reporting that one resolution is available:

xrandr -q

Screen 0: minimum 320 x 200, current 1440 x 900, maximum 8192 x 8192
XWAYLAND0 connected (normal left inverted right x axis y axis)
   1440x900      59.75 +

In order to add a custom resolution we can use the 'cvt' utility, which calculates VESA Coordinated Video Timing (CVT) modelines for us.

The syntax is as follows:

cvt <width> <height> <refreshrate>

for example:

cvt 800 600 60

# 800x600 59.86 Hz (CVT 0.48M3) hsync: 37.35 kHz; pclk: 38.25 MHz
Modeline "800x600_60.00"   38.25  800 832 912 1024  600 603 607 624 -hsync +vsync

We then create a new mode, passing everything after the word 'Modeline' in the cvt output as the arguments (xrandr acts on the logged-in user's X display, so it does not need sudo):

xrandr --newmode "800x600_60.00"   38.25  800 832 912 1024  600 603 607 624 -hsync +vsync

and then add that mode to the display output (in our case this is XWAYLAND0, the output name shown by xrandr -q above):

xrandr --addmode XWAYLAND0 800x600_60.00

and then set this mode with:

xrandr --output XWAYLAND0 --mode 800x600_60.00

Note that XWAYLAND0 is the virtual output XWayland presents to X11 clients under a Wayland session; modes added to it through xrandr do not reach the real display, so for this to take effect log into an X11 session, where the output will have a name such as VGA-0 or HDMI-1.
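The step that goes wrong most often here is retyping the Modeline numbers, or mixing up the mode name between --newmode, --addmode and --output. The following added example (not from the post) takes cvt's output and derives the three xrandr commands from it; the cvt text is a constructed copy of the 800x600 line above, the commands are printed rather than executed, and apply_mode (which does run cvt and xrandr for real) is only there for use in a live X11 session.

```bash
#!/usr/bin/env bash
# Glue the three steps above together: take the Modeline printed by cvt, and
# derive the xrandr --newmode, --addmode and --output commands from it so the
# timings are never retyped. Added example; the cvt output is a constructed copy
# of the 800x600 line above and the commands are printed, not executed, unless
# apply_mode is used.

CVT_SAMPLE='# 800x600 59.86 Hz (CVT 0.48M3) hsync: 37.35 kHz; pclk: 38.25 MHz
Modeline "800x600_60.00"   38.25  800 832 912 1024  600 603 607 624 -hsync +vsync'

# modeline_args CVT_OUTPUT: everything after the word Modeline, which is exactly
# the argument list xrandr --newmode expects
modeline_args() { printf '%s\n' "$1" | sed -n 's/^Modeline[[:space:]]*//p'; }

# mode_name MODELINE_ARGS: the quoted mode name at the start, without quotes
mode_name() { printf '%s\n' "$1" | sed 's/^"\([^"]*\)".*/\1/'; }

# xrandr_commands OUTPUT CVT_OUTPUT: the three commands, one per line
xrandr_commands() {
    args=$(modeline_args "$2")
    name=$(mode_name "$args")
    printf 'xrandr --newmode %s\n' "$args"
    printf 'xrandr --addmode %s %s\n' "$1" "$name"
    printf 'xrandr --output %s --mode %s\n' "$1" "$name"
}

# apply_mode OUTPUT WIDTH HEIGHT RATE: run cvt for real and execute the commands
# as the logged-in user (no sudo; xrandr talks to your own X display)
apply_mode() { xrandr_commands "$1" "$(cvt "$2" "$3" "$4")" | sh; }

xrandr_commands XWAYLAND0 "$CVT_SAMPLE"
```

Because the mode name is taken from the Modeline itself, the three commands always agree with each other; xrandr_commands OUTPUT "$(cvt 1280 1024 60)" on a real system prints exactly what you would then paste in.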