cloud-init: Automatically import your public SSH keys into LXD Instances

Tags

automation, cloud-init, lxc, lxc profile, lxd, SSH, ssh-key, ubuntu, YAML

While provisioning LXD instance; we can define post deployment task using cloud-init. This will help us to import your public SSH keys, add new user, update packages and install new packages if required. To do that we use lxc profile.

First check what lxc profile you have. There should be one default profile.

# lxc profile list

Copy default profile and create new one

# lxc profile copy default production

Edit newly created profile

# lxc profile edit production

Use the following configuration. This is YAML file and for better formatting please download it from here Continue reading →

recover corrupt /etc/sudoers file over SSH

Tags

SSH, sudo su, ubuntu

Recently I have faced issue where I mistakenly edit the file under /etc/sudoers.d/. When ever I am trying to sudo; I am getting following error:

fakrul@fakrul-server01:~/.config$ sudo su
>>> /etc/sudoers.d/fakrul_sudo: syntax error near line 1 <<<
sudo: parse error in /etc/sudoers.d/fakrul_sudo near line 1
sudo: no valid sudoers sources found, quitting
sudo: unable to initialise policy plugin

Unfortunately I don’t have any other sudo user. I have googled and got a solution.

Steps:

1. Open two ssh sessions to the target server.

2. In the first session, get the PID of bash by running:
fakrul@fakrul-server01:~/.config$ echo $$
5886

3. In the second session, start the authentication agent with:

pkttyagent --process (pid from step 2)

4. Back in the first session, run:

fakrul@fakrul-server01:~/.config$ pkexec rm /etc/sudoers.d/fakrul_sudo

5. In the second session, you will get the password prompt. “fakrul_sudo” file will be removed in the first session. In same way you can add new file.

 

mitmproxy : intercept, inspect, modify and replay

Tags

mitmproxy, ubuntu

https://mitmproxy.org/ is CLI based An interactive console program that allows traffic flows to be intercepted, inspected, modified and replayed. Installation easy. For Ubuntu do the following:

sudo apt-get install python-pip python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev
sudo pip install mitmproxy

Run mitmproxy

fakrul@console ~> mitmproxy

It will run on port 8080. Now fire up your browser and point it the proxy. You can use it for both http & https. You will get the all the session details.

OpenVPN in Ubuntu 14.04

Tags

OpenVPN, Security, ubuntu, VPN

The quickest way to install OpenVPN in Ubuntu 14.04:

1. Download the initial script:

$ wget https://git.io/vpn -O openvpn-install.sh

2. Run the command

$ sudo bash openvpn-install.sh

You need to define the external IP address on which you will run the service

a.External IP address on which you will run the service

b. Port No

c. DNS you want to use

To get the public IP you can try the following command:

dig TXT +short o-o.myaddr.l.google.com @ns1.google.com

It will create necessary certificates and also create the first client.

That is all. Your OpenVPN server has been configured and ready to use. You can see added firewall rules /etc/rc.local file:

$ cat /etc/rc.local
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 202.125.97.10

Type the following command start the OpenVPN service:

$ sudo /etc/init.d/openvpn start

The client certificate will be stored in the home directory.

fakrul-apnic.ovpn

To connect from MacOSX, you can use TunnelBlick which is available at https://tunnelblick.net

To add new client run the openvpn-install.sh script. Choose option 1 to add new client and certificate will be store in home folder.

Install and Configure SNMP on Ubuntu

Tags

SNMP, ubuntu

This guide describe how to install and configure SNMP on Ubuntu.

1.Installation

root@netflow:/# sudo apt-get install snmpd

2. Configuration
Move existing /etc/snmp/snmpd.conf configuration file to /etc/snmp/snmpd.conf.org

root@netflow:/# mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.org

Create a new /etc/snmp/snmpd.conf file:

# Configure Read-Only community and restrict who can connect
rocommunity COPUBLIC 103.12.179.0/24
rocommunity COPUBLIC 127.0.0.1

# Information about this host
sysLocation bdHUB Dhaka Bangladesh
sysContact noc@bdhub.com

# Which OSI layers are active in this host
# (Application + End-to-End layers)
sysServices 72

Make snmpd use the newly created file and make it listen to all interfaces:

Edit /etc/default/snmpd

root@netflow:/# vi /etc/default/snmpd

Change from:

# snmpd options (use syslog, close stdin/out/err).
SNMPDOPTS=’-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1’

To:

# snmpd options (use syslog, close stdin/out/err).
#SNMPDOPTS=’-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1’
SNMPDOPTS=’-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid -c /etc/snmp/snmpd.conf’

and restart snmpd

root@netflow:/# /etc/init.d/snmpd restart

3. Test
Check SNMP is running

root@netflow:/# sudo netstat -ulnp | grep 161
udp 0 0 0.0.0.0:161 0.0.0.0:* 28676/snmpd

Check the snmpstatus output

root@netflow:/# snmpstatus -c ‘COPUBLIC’ -v2c 103.12.179.12