SSH Daemon on Alternate Ports

Posted on Sat 25 June 2016 in miscLeave a comment

Their comes a time in every sysadmin's life where they need to run SSH on an alternate port. Should be as simple as adding multiple Port <number> directives to /etc/sshd/config and issuing a restart to the daemon.

Except SELinux, as usual, finds a way to rain on the parade. But we don't want to disable it. Especially since reconfiguring it is so easy.

In this example we'll run SSH on it's usual 22/tcp as well as 80+443/tcp by adding the following lines to the configuration file.

Port 80
Port 443

Since we obviously won't be needing those ports for Apache, it's safe to go ahead and relabel them.

sudo semanage port -m -t ssh_port_t -p tcp 80
sudo semanage port -m -t ssh_port_t -p tcp 443

Make sure the ports are open in firewalld.

sudo firewall-cmd --add-port 80/tcp --add-port 443/tcp --permanent
sudo firewall-cmd --reload

Then restart the daemon and test it out. As usual make sure to have an active session running on standby in case you fubar your configuration.

Hint: some documentation will use port -a but these ports may already be labeled and -a will produce an error. Use -m instead.


Deduplication and You

Posted on Fri 22 January 2016 in miscLeave a comment

I was doing some backups and realized my photos, which I keep in Dropbox (sue me) were taking up about 50G. I knew there had to be a lot of duplicates but searching for them through 50G of files would be tedious. This seemed like a task that should be easily solvable with a simple one-line but my shell-foo was simply not up to the task. Python to the rescue. I meant for this to work for my pictures, but really it should work for anything.

If you use this make sure to try it once with the --dry-run option to see what duplicates it finds. Then you can at least spot check and make sure it's identifying them correctly.

tl;dr - I wrote a quick and dirty script to deduplicate my pictures.

$ dedupe_files.py --src ~/Dropbox/Camera\ Uploads --dest ~/Dropbox_Camera\ Uploads.dupes
/home/mcaudill/Dropbox/Camera Uploads/Archive/Photo Booth Library/Pictures/Photo on 1-11-15 at 4.45 PM.jpg is a duplicate of /home/mcaudill/Dropbox/Camera Uploads/Archive/Photo on 1-11-15 at 4.45 PM.jpg (117fa9d33b38d19300bdac7921b7412b)
Moving /home/mcaudill/Dropbox/Camera Uploads/Archive/Photo Booth Library/Pictures/Photo on 1-11-15 at 4.45 PM.jpg to /home/mcaudill/Dropbox_Camera Uploads.dupes
/home/mcaudill/Dropbox/Camera Uploads/Archive/Photo Booth Library/Pictures/Photo on 1-11-15 at 4.47 PM.jpg is a duplicate of /home/mcaudill/Dropbox/Camera Uploads/Archive/Photo on 1-11-15 at 4.47 PM.jpg (fb0bd6014aaea38fa8f73074aad26d0)
Moving /home/mcaudill/Dropbox/Camera Uploads/Archive/Photo Booth Library/Pictures/Photo on 1-11-15 at 4.47 PM.jpg to /home/mcaudill/Dropbox_Camera Uploads.dupes
/home/mcaudill/Dropbox/Camera Uploads/Archive/Camera Uploads/IMG_20140727_092314.jpg is a duplicate of /home/mcaudill/Dropbox/Camera Uploads/2014-07-27 09.23.14.jpg (1d3f48a2b596d47c9d16d5e8bdf86778)
Moving /home/mcaudill/Dropbox/Camera Uploads/Archive/Camera Uploads/IMG_20140727_092314.jpg to /home/mcaudill/Dropbox_Camera Uploads.dupes
/home/mcaudill/Dropbox/Camera Uploads/Archive/Camera Uploads/IMG_20140716_192546.jpg is a duplicate of /home/mcaudill/Dropbox/Camera Uploads/2014-07-16 19.25.46.jpg (5c6829d37ae5ceddef2b986d5634af61)
Moving /home/mcaudill/Dropbox/Camera Uploads/Archive/Camera Uploads/IMG_20140716_192546.jpg to /home/mcaudill/Dropbox_Camera Uploads.dupes
/home/mcaudill/Dropbox/Camera Uploads/Archive/Camera Uploads/IMG_20140723_101455.jpg is a duplicate of /home/mcaudill/Dropbox/Camera Uploads/2014-07-23 10.14.56.jpg (4a13b37f7fa57249fdb2cadd51b81768)
Moving /home/mcaudill/Dropbox/Camera Uploads/Archive/Camera Uploads/IMG_20140723_101455.jpg to /home/mcaudill/Dropbox_Camera Uploads.dupes
/home/mcaudill/Dropbox/Camera Uploads/Archive/Camera Uploads/IMG_20140706_205524.jpg is a duplicate of /home/mcaudill/Dropbox/Camera Uploads/2014-07-06 20.55.24.jpg (40d7217492ca9c79073a61706d977130)
Moving /home/mcaudill/Dropbox/Camera Uploads/Archive/Camera Uploads/IMG_20140706_205524.jpg to /home/mcaudill/Dropbox_Camera Uploads.dupes
...

Encryption with a Funky Partition Layout

Posted on Mon 18 January 2016 in miscLeave a comment

I recently ran into some trouble with the system while mucking around and decided to take the opportunity to restructure my partitioning layout and do a full OS reinstall; this time with full disk encryption (except /boot). Suffice it to say, the Fedora installer is fairly flexible, but not nearly enough to support a mix of mdadm, LUKS, and LVM.

Before I tell you–roughly–how I did it, here are the results:

NAME                                              MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                                 8:0    0 447.1G  0 disk
├─sda1                                              8:1    0   512M  0 part  /boot
└─sda2                                              8:2    0 446.6G  0 part
  ├─vg_SIIIKE-root                                253:0    0  59.6G  0 lvm
  │ └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE   253:3    0  59.6G  0 crypt /
  ├─vg_SIIIKE-lv_swap                             253:1    0  14.9G  0 lvm
  │ └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE   253:2    0  14.9G  0 crypt [SWAP]
  └─vg_SIIIKE-home                                253:4    0 372.1G  0 lvm
    └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE   253:9    0 372.1G  0 crypt /home
sdb                                                 8:16   0 119.2G  0 disk
└─sdb1                                              8:17   0 119.2G  0 part
  ├─vg_SIIIKE-lv_var_cache_cdata                  253:5    0   115G  0 lvm
  │ └─vg_SIIIKE-lv_var                            253:8    0   1.8T  0 lvm
  │   └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE 253:10   0   1.8T  0 crypt /var
  └─vg_SIIIKE-lv_var_cache_cmeta                  253:6    0     1G  0 lvm
    └─vg_SIIIKE-lv_var                            253:8    0   1.8T  0 lvm
      └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE 253:10   0   1.8T  0 crypt /var
sdc                                                 8:32   0   1.8T  0 disk
└─md0                                               9:0    0   1.8T  0 raid1
  └─vg_SIIIKE-lv_var_corig                        253:7    0   1.8T  0 lvm
    └─vg_SIIIKE-lv_var                            253:8    0   1.8T  0 lvm
      └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE 253:10   0   1.8T  0 crypt /var
sdd                                                 8:48   0   1.8T  0 disk
└─md0                                               9:0    0   1.8T  0 raid1
  └─vg_SIIIKE-lv_var_corig                        253:7    0   1.8T  0 lvm
    └─vg_SIIIKE-lv_var                            253:8    0   1.8T  0 lvm
      └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE 253:10   0   1.8T  0 crypt /var

To clarify, I have an SSD with /, /home, and swap on it and a software RAID-1 set with an SSD as a caching layer in front of it. The partitions (sda2, sdb1, and md0) are all physical volumes in the same volume group. I simply created logical volumes in that volume group and directed that they reside on certain physical volumes (such a handy feature). Then it was simply a matter of encrypting them with LUKS, configuring crypttab, and configuring fstab.

Unfortunately, you can accomplish very few of these tasks in the Fedora Desktop installer. I initially tried to configure everything outside of the installer hoping that it would get the hint and leave everything alone. The problem there is that the Workstation version doesn't know how to handle software RAID sets properly. I tried using the Server version but it did its own munging of things by making certain assumptions about how I wanted to do LVM.

In the end, since really only /var was going to be a special snowflake, I decided to install everything on the primary SSD then after the installation configure the /var volumes and migrate the newly installed /var over to its new home. This worked better than expected and other than having to boot single to fix a fat-fingered fstab everything booted right up.

While I don't think the Fedora installers need the ability to generate arbitrary partitioning schemes, it would be nice to have some sort of "I know what I'm doing please leave my partitions alone" mode.


Weather Shell Function

Posted on Sat 12 December 2015 in miscLeave a comment

Here's the weather function I use when I'm too lazy to look out the window. The only configuration is a free forecast.io API key. The main selling point is that it geolocates so you don't have to remember where you are. Though this has drawbacks if you're running it on remote servers far from your location. If that's a problem then go get one of those silly weather() functions that doesn't know where it is unless you tell it.

weather() {
    # Geolocates on public IP.
    source ~/.forecast.io # Provides API_KEY
    local coordinates=$(curl -s ip-api.com/csv | awk -F',' '{print $8","$9}')
    echo $(curl -s https://api.forecast.io/forecast/$API_KEY/$coordinates | \
        grep -Eo 'apparentTemperature":[0-9\.]+|summary":"[A-Za-z\ ]+' | \
        head -n2 | \
        sed 's/summary":"//g' | \
        sed 's/apparentTemperature\"://g' | \
        xargs)F
}

Breaking It Down

The Forecast API needs your latitude and longitude coordinates which we can get from ip-api.com.

$ curl -s ip-api.com/csv | awk -F',' '{print $8","$9}'
38.XXXX,-76.XXXX

Now we can use curl to get the latest weather data.

$ . ~/.forecast.io
$ coordinates=$(curl -s ip-api.com/csv | awk -F',' '{print $8","$9}';)
$ curl -s https://api.forecast.io/forecast/$API_KEY/$coordinates

Assuming you've got your API_KEY setup properly in ~/.forecast.io you should see a big block of JSON. Doing proper parsing in the shell is ill-advised most of the time, but we're just looking for a specific piece of information so the Linux gods will probably give us a pass this time.

All we're interested in is the first instance of apparentTemperature and the accompanying summary, which we get using head -n2. We're using our special knowledge that the first instance of those variables happens to be in the currently section. If they ever change that we'll have to get creative.

Next we just use sed to remove the names, pipe it through xargs to put everything on one line, then append "F" to the end because I'm a dirty American.

$ . ~/.bashrc
$ weather
Partly Cloudy 45F

Well, There It Is


CIFS, fstab, and You

Posted on Tue 24 November 2015 in miscLeave a comment

Let's say you're a Linux admin in a Windows shop (ha) and you'd like to be able to access your company shares via a real operating system. Even more, you'd like these shares to be accessible immediately after boot.

//<server>/path /path/to/mount  cifs credentials=/home/<username>/.smbcreds,uid=1000,gid=1000,file_mode=0640,dir_mode=0750 0 0

Let's break this down. The first three fields and the last two are obvious. The fourth field is where the magic happens. credentials specifies the path to the (protected by 0600) file containing your AD credentials. uid, gid, file_mode, and dir_mode provide hints on how to handle a share that doesn't provide those values already. If the server provides these values then your hints are helpfully ignored.

Then in ~/.smbcreds:

username=<username>
password=<password>
domain=<domain>

Profit.