Configure Squid to Filter Based on MAC Address

Filed under: All Linux HowTo's

In this article we are going to add some configuration to Squid so that it can filter based on MAC address and block certain clients from having full access. Alternatively you could reverse the rule and only allow the listed clients to have full access.

First we are going to assume that you have a working Squid setup; if not, there are other articles that will tell you how to get that going. On Red Hat or CentOS it is as simple as:

yum install squid ; /etc/init.d/squid start ; chkconfig squid on

You are going to want to make the following file in /etc/squid/

vi /etc/squid/client_macs

In the above file put the MAC addresses of the clients whose access you want to filter. Once done, it should look something like:

52:54:00:AA:BB:CC
52:54:00:DD:EE:FF

Now create another file which will be the list of sites that we do not want these clients to be able to access.

vi /etc/squid/blocked_sites

For this example we don’t want our office staff to be accessing facebook or youtube so the file would look like this:

.facebook.com
.youtube.com

Now the only things left to do are to tell squid.conf about these files and then reload or restart Squid.

vi /etc/squid/squid.conf

Add the following lines under the other ACLs:

acl clients arp "/etc/squid/client_macs"
acl blockedsites dstdomain "/etc/squid/blocked_sites"
http_access deny blockedsites clients

Now do a restart or reload and test it out. You will find that the clients listed in /etc/squid/client_macs cannot get to the sites listed in /etc/squid/blocked_sites, exactly as we wanted.

/etc/init.d/squid restart
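Two properties of the arp ACL are worth knowing before relying on it: Squid reads the client's MAC address from the host's ARP table, so it only works for clients on the same subnet as the proxy, and a client can change its own MAC address, which makes this a convenience control rather than a security boundary. The script below is an added example, not part of this article; it assumes Squid's standard `squid -k parse` and `squid -k reconfigure` options and the file paths used above. It rejects MAC list entries that the arp ACL will not accept and then reloads the configuration in place instead of restarting the daemon.

```sh
#!/bin/sh
# Added example, not part of the AGIX article: sanity-check the MAC list before
# Squid reads it, then parse and reload the configuration in place rather than
# restarting the daemon. File paths are the ones the article uses.

# check_mac_list FILE
# Prints every line that is not six colon-separated hex pairs (the form the
# arp ACL expects) and returns 1 if any were found. Blank lines and lines
# starting with '#' are skipped by this check.
check_mac_list() {
    file="$1"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if ! printf '%s\n' "$line" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}[[:space:]]*$'; then
            echo "$file: invalid MAC address: $line" >&2
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# reload_squid
# 'squid -k parse' checks squid.conf and the files it references without
# touching the running process; 'squid -k reconfigure' then applies the new
# configuration without dropping the client connections a restart would cut.
reload_squid() {
    squid -k parse || return 1
    squid -k reconfigure
}

# Usage: ./check_macs.sh /etc/squid/client_macs
if [ "$#" -gt 0 ]; then
    check_mac_list "$1" && reload_squid
fi
```

Run it after editing the MAC list (or from the cron entries in the next section in place of the stop/start pair); a bad line is reported with the file name so it can be fixed before Squid sees it.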

Time Control

You might want to control the time of day that certain clients are filtered using this method. A good solution for this has been written up at the link below.

http://serverfault.com/questions/249622/allow-facebook-access-only-in-specific-hours-of-the-day-with-squid

Alternatively you could use cron and template files. This is the quick and dirty way to do it; I might write a script in a later post to do this better.

First we need to make a directory for our templates

mkdir /etc/squid/templates

Now to create our templates

vi /etc/squid/templates/day.txt

In the day template we want our list of MAC addresses, as that is when people will be in the office. The night template is going to be an empty file, because that is when I.T. will be doing maintenance etc.; Squid will complain about the empty file but ultimately it does not care.

touch /etc/squid/templates/night.txt

Now we just need to make our entries in Cron.

crontab -e

We want our daytime filter to kick in at 8:30am and our night-time filter to kick in at 6:00pm:

30 08 * * *  /etc/init.d/squid stop ; rm -f /etc/squid/client_macs ; ln -s /etc/squid/templates/day.txt /etc/squid/client_macs ; /etc/init.d/squid start
00 18 * * *  /etc/init.d/squid stop ; rm -f /etc/squid/client_macs ; ln -s /etc/squid/templates/night.txt /etc/squid/client_macs ; /etc/init.d/squid start

Restore a single MySQL DB from a Dump using –all-databases

Filed under: All Linux HowTo's

The link below shows a simple way to restore the one MySQL database that you want from a dump that included all databases.

http://pento.net/2009/04/16/extracting-a-database-from-a-mysqldump-file/

The good people who wrote that article (can) take credit for the following:

shell> sed -n '/^-- Current Database: `mydb`/,/^-- Current Database: `/p' dump.sql > mydb.sql

Where “mydb” is the name of the database that you want to extract. The above is a single line.
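As an added example (mine, not from the linked article), the same extraction done with awk: it keys on the same `-- Current Database:` marker as the sed one-liner, but stops before the next database's header line and also handles the last database in the dump. The sample dump it writes is constructed for the demonstration and only mirrors mysqldump's section markers.

```sh
#!/bin/sh
# Added example, not from the linked article: pull one database out of a
# mysqldump --all-databases file with awk. It keys on the same
# '-- Current Database:' marker as the sed one-liner, but stops before the
# next database's header line and also works for the last database in the dump.

# list_dbs DUMPFILE  -> prints the name of every database in the dump, in order
list_dbs() {
    sed -n 's/^-- Current Database: `\(.*\)`.*/\1/p' "$1"
}

# extract_db DUMPFILE DBNAME  -> writes the DDL and data for DBNAME to stdout
extract_db() {
    awk -v db="$2" '
        /^-- Current Database: `/ {
            name = $0
            sub(/^-- Current Database: `/, "", name)   # drop the prefix
            sub(/`.*$/, "", name)                       # drop the closing backtick
            inside = (name == db)                       # 1 while inside the wanted section
        }
        inside { print }
    ' "$1"
}

# write_sample_dump FILE  -> writes a small constructed two-database dump for
# trying the functions out; only the section markers mirror real mysqldump output.
write_sample_dump() {
    cat > "$1" <<'EOF'
-- MySQL dump (constructed sample, not real data)
--
-- Current Database: `mydb`
--
CREATE DATABASE /*!32312 IF NOT EXISTS*/ `mydb`;
USE `mydb`;
CREATE TABLE `t1` (`id` int);
INSERT INTO `t1` VALUES (1),(2);
--
-- Current Database: `other`
--
CREATE DATABASE /*!32312 IF NOT EXISTS*/ `other`;
USE `other`;
CREATE TABLE `t2` (`id` int);
EOF
}

# Usage: ./extract_db.sh dump.sql mydb > mydb.sql
if [ "$#" -eq 2 ]; then
    extract_db "$1" "$2"
fi
```

Run `list_dbs dump.sql` first to see the exact names in the dump, then feed one of them to `extract_db`; the output can be restored with the usual `mysql mydb < mydb.sql`.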

Install KVM (QEMU) Gentoo

Filed under: All Linux HowTo's, Hypervisor HowTo's

In this article we are going to detail how to install KVM on Gentoo. For the most part it is a normal KVM install, but with some Gentoo differences.
We are going to install:
QEMU/KVM – our base
libvirt – for management
virt-manager – for extra tools
virt-manager – on our client machine, for managing the system remotely

Let's get started.

First we need to make some tweaks in the kernel to enable KVM, otherwise we are just going to end up with QEMU on its own, which is slow. The tweaks below are for Intel but the same applies for AMD; just make sure that you pick the AMD options instead.

To configure the kernel run

genkernel --menuconfig all

In the heading Virtualization enable the following options:

   Kernel-based Virtual Machine (KVM) support
   KVM for Intel processors support
   Host kernel accelerator for virtio net

Under the heading Device Drivers and sub-heading Network Device Support ensure that the following are enabled:

[*]   Network core driver support
   Universal TUN/TAP device driver support

Because we are going to be using a bridged network we need to enable the following under the Heading Networking Support and the Sub-Heading Networking Options

 802.1d Ethernet Bridging

Now for our file system under the heading File Systems enable the following:

 The Extended 4 (ext4) filesystem
[*]   Ext4 Security Labels

Save the kernel, update any programs like GRUB if need be, then reboot.

reboot

Assuming your system boots, let's continue.

We do not need to add any special USE flags for QEMU, so you can just emerge it:

emerge --ask -jv  app-emulation/qemu

Now we need to install the bridging utils so that we can create our network bridge

emerge --ask -jv bridge-utils

Now to set up our bridge in conf.d/net

vi /etc/conf.d/net

Below is an example; replace the values with those for your host.

dns_domain_lo="agix.lan"
config_eth0="10.0.0.1/24"
#
#Additions for KVM
#
config_eth1="null"
bridge_br0="eth1"
config_br0="10.0.0.2/24"
brctl_br0="setfd 0
	stp off"

Now we need to make the init script for our new bridge interface and start it:

ln -s /etc/init.d/net.lo /etc/init.d/net.br0 ; /etc/init.d/net.br0 start

Add it to the default run level

rc-update add net.br0 default

In the version of QEMU that our test system pulled in there appears to be a bug with some permissions that stops KVM from working. Run the following to resolve the issue:

 chown root:kvm /dev/kvm ; chmod 660 /dev/kvm 
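Before moving on to the management tools it is worth confirming that the three things set up so far actually took: the CPU exposes a virtualisation extension that matches the kernel option chosen, /dev/kvm has the ownership and mode just set, and the br0 bridge exists. The script below is an added example, not from this article; the checks take their input as text so they can be tested, and the calls at the bottom feed in data from the live host.

```sh
#!/bin/sh
# Added example, not from the article: pre-flight checks for the KVM host set up
# above. Each function takes its input as an argument so it can be run against
# captured text; the calls at the bottom feed in data from the live system.

# cpu_virt_ext FLAGS_LINE
# Prints "vmx" (Intel VT-x), "svm" (AMD-V) or "none" for a /proc/cpuinfo flags
# line. This decides which "KVM for ... processors support" kernel option applies.
cpu_virt_ext() {
    case " $1 " in
        *" vmx "*) echo vmx ;;
        *" svm "*) echo svm ;;
        *)         echo none ;;
    esac
}

# kvm_dev_perms_ok OWNER GROUP MODE
# True when a device node has the ownership and mode the article sets on
# /dev/kvm (root:kvm, 0660); the arguments are what 'stat -c "%U %G %a"' prints.
kvm_dev_perms_ok() {
    [ "$1" = "root" ] && [ "$2" = "kvm" ] && [ "$3" = "660" ]
}

# bridge_present NAME BRCTL_SHOW_OUTPUT
# True when NAME appears in the first column of 'brctl show' output (the header
# line is skipped). A missing bridge is the usual cause of --network bridge:br0 failing.
bridge_present() {
    printf '%s\n' "$2" | awk -v br="$1" 'NR > 1 && $1 == br { found = 1 } END { exit !found }'
}

# Live checks; each is skipped where its input is not available
if [ -r /proc/cpuinfo ]; then
    echo "CPU virtualisation extension: $(cpu_virt_ext "$(grep -m1 '^flags' /proc/cpuinfo)")"
fi
if [ -e /dev/kvm ]; then
    if kvm_dev_perms_ok $(stat -c '%U %G %a' /dev/kvm); then
        echo "/dev/kvm permissions OK"
    else
        echo "/dev/kvm: run 'chown root:kvm /dev/kvm ; chmod 660 /dev/kvm'"
    fi
fi
if command -v brctl >/dev/null 2>&1; then
    if bridge_present br0 "$(brctl show)"; then echo "bridge br0 present"; else echo "bridge br0 missing"; fi
fi
```

One caveat on the chown/chmod fix: /dev is recreated at every boot, so the change does not survive a reboot on its own. On a udev-based system (an assumption about your host) the persistent equivalent is a rule such as `KERNEL=="kvm", GROUP="kvm", MODE="0660"` in /etc/udev/rules.d/, which applies the same ownership and mode each time the node is created.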

That should resolve the issue. Now let's install some management tools (the versions listed here were current at the time of testing):

echo ">=dev-libs/libxml2-2.9.2-r1 python" >> /etc/portage/package.use ; echo ">=app-emulation/libvirt-glib-0.2.0 python" >> /etc/portage/package.use
 
emerge --ask -jv app-emulation/libvirt app-emulation/virt-manager

Now we should be ready to start building some virtual machines. Below is a “one liner” that will get you started building a VM; don't forget to change the /kvm directory to one that actually exists.

virt-install --name=Centos66 --arch=x86_64 --vcpus=2 --ram=1024 --os-type=linux --os-variant=rhel6 --hvm --connect=qemu:///system --network bridge:br0 --cdrom=/home/agix/Downloads/CentOS-6.6-x86_64-minimal.iso --disk path=/kvm/centos66.img,size=20 --accelerate --vnc --noautoconsole --keymap=es

From here everything on the host is finished. In our case we installed virt-manager on a laptop so we can manage our host remotely. One thing to check: if you are getting strange keyboard layouts in your virtual machine but cannot figure out why, it is because virt-manager sets its own; have a look at the article below to see how to change it.
Pyrosoft Fixing Keyboard Problems Virt-Manager

OpenShift and PHP Fatal error: Allowed memory size of 134217728 bytes exhausted

Filed under: All Linux HowTo's

This article explains how to solve the “PHP Fatal error: Allowed memory size of 134217728 bytes exhausted” problem on OpenShift. The issue is that the OpenShift application is using more memory than PHP's default memory_limit of 128 MB (134217728 bytes) allows.

The solution was to put the following into the “.htaccess” file in the root of the OpenShift application.

php_value memory_limit 512M

TIP: If the “.htaccess” file doesn’t exist, create it. It can exist with as little as the above line or much more.

Secure Erase a Hard Drive

Filed under: Scripting HowTo's, Security HowTo's

If you decide that you want to overwrite one of your hard disk drives before reusing it or perhaps giving it to a friend, you don't need to download a tool; just use a simple script.

Be careful with this script, as it will overwrite whatever disk you tell it to, for example your boot drive.

You can change the loop counter so that it does fewer than 7 passes, as that might be a bit overkill for normal use. You could also swap /dev/zero for /dev/random if you wanted.

#!/bin/bash
# Usage: ./script.sh sdb   (overwrites /dev/sdb with 7 passes of zeros)
if [ -z "$1" ]
then
echo "Please set a disk to wipe eg. For device sdb then: ./script.sh sdb"
elif [ ! -b "/dev/$1" ]
then
echo "/dev/$1 is not a block device"
else
touch "/var/log/disk_wipe.log"
for i in $(seq 1 7);
do
	echo "Running Pass $i on /dev/$1" >> /var/log/disk_wipe.log
	# dd stops with "No space left on device" once it reaches the end of the disk; that is the normal end of a pass
	dd if=/dev/zero of="/dev/$1" bs=1M
	echo "Pass $i Complete" >> /var/log/disk_wipe.log
done
fi
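The warning above about the boot drive is the one that bites in practice, so here is an added example (mine, not from the article) of the checks I would put in front of the wipe loop: the device name must be a plain name like sdb, it must not be the disk that carries the root filesystem, and nothing may be mounted from it. The functions take the mount table as text so they can be tested against captured data; the live call at the end reads /proc/mounts. It assumes the root filesystem is mounted from a /dev/ node such as /dev/sda3 rather than a device-mapper or UUID entry.

```sh
#!/bin/sh
# Added example, not from the article: the checks I would run before the wipe
# loop above, so that a mistyped device name cannot send dd at the boot drive
# or at a disk that is in use. Each function takes the mount table as text so
# it can be tested against captured data; the live call at the end reads
# /proc/mounts. Assumes "/" is mounted from a /dev/ node (e.g. /dev/sda3).

# root_disk MOUNTS_TEXT  -> disk that holds "/" with the partition number
# removed: /dev/sda3 -> sda, /dev/nvme0n1p2 -> nvme0n1
root_disk() {
    dev=$(printf '%s\n' "$1" | awk '$2 == "/" { print $1; exit }' | sed 's|^/dev/||')
    case "$dev" in
        nvme*|mmcblk*) printf '%s\n' "$dev" | sed 's/p[0-9]*$//' ;;
        *)             printf '%s\n' "$dev" | sed 's/[0-9]*$//' ;;
    esac
}

# disk_mounted DISK MOUNTS_TEXT  -> true if DISK or any of its partitions is
# mounted (prefix match on /dev/DISK, so it errs on the side of refusing)
disk_mounted() {
    printf '%s\n' "$2" | awk -v d="/dev/$1" 'index($1, d) == 1 { found = 1 } END { exit !found }'
}

# safe_to_wipe DISK MOUNTS_TEXT  -> true only when DISK is a plain device name,
# is not the disk carrying "/", and has nothing mounted from it
safe_to_wipe() {
    disk="$1"
    mounts="$2"
    case "$disk" in
        ''|*[!a-z0-9]*)
            echo "refusing: '$disk' is not a plain device name (expected e.g. sdb)" >&2
            return 1 ;;
    esac
    if [ "$disk" = "$(root_disk "$mounts")" ]; then
        echo "refusing: /dev/$disk holds the root filesystem" >&2
        return 1
    fi
    if disk_mounted "$disk" "$mounts"; then
        echo "refusing: /dev/$disk has a mounted partition" >&2
        return 1
    fi
    return 0
}

# Usage: ./wipe_check.sh sdb   (exit status 0 means the wipe loop may run)
if [ -n "$1" ] && [ -r /proc/mounts ]; then
    safe_to_wipe "$1" "$(cat /proc/mounts)" && echo "/dev/$1 passed the checks"
fi
```

Two further points for anyone adapting the script: if you swap in a random source, /dev/urandom is the usual choice because /dev/random can block on older kernels, and on an SSD an overwrite does not reliably reach every cell because of wear levelling, so the drive's own secure-erase command is the appropriate tool there.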

To monitor the progress of this script, just tail the log file:

tail -f /var/log/disk_wipe.log &

If you are wiping a hard disk drive to dispose of it remember that nothing beats shattering the platter with a hammer or running through a drill press or a shredder for total security.

Minimal Gentoo Installation…Fast

Filed under: All Linux HowTo's

Installing Gentoo, Quickly. Adapted from the Gentoo wiki documentation https://wiki.gentoo.org/wiki/Handbook:AMD64/Full/Installation

This setup was documented using the Gentoo Minimal Install CD 04-06-15 available from your local mirror (A newer version is most likely available now but the method below has not yet changed)

Adapt the assumptions made in this documentation as needed. So let's get started.

Create a bootable USB from the Gentoo CD using your choice of tool, unetbootin was used in this example.

When booting from the USB the Keyboard and Mouse should be detected by default, if you have issues with them not working then try toggling USB Legacy support in the BIOS.

Now that you are booted into a Gentoo environment you are going to want to check that your networking device is enabled and has an address as we will need it during the install.

Some commands to help with this are

ifconfig
ifconfig | grep inet
dhclient -r ; dhclient

Once your network is up and running we can proceed to partitioning the disk.

parted -a optimal /dev/sda
mklabel gpt
unit MB
mkpart primary 1 20
name 1 grub
set 1 bios_grub on
#
mkpart primary 21 500
name 2 boot
#
mkpart primary 501 1501
name 3 swap
#
mkpart primary 1502 -1
name 4 root
#
quit

Make the file system on the new partitions.

mkfs.ext2 /dev/sda2
mkfs.ext4 /dev/sda4
mkswap /dev/sda3
swapon /dev/sda3

Mount the new partitions to /mnt/gentoo

mount /dev/sda4 /mnt/gentoo
mkdir /mnt/gentoo/boot
mount /dev/sda2 /mnt/gentoo/boot

Now make sure that the date is set correctly so that you will be able to download the required files
Check the date:

date

Set the date (Just replace the MMDDhhmmYYYY with the correct date):

date MMDDhhmmYYYY

Example:

date 060410302015

Download the stage3 tarball:

cd /mnt/gentoo ; wget http://mirror.internode.on.net/pub/gentoo/releases/amd64/autobuilds/current-stage3-amd64/stage3-amd64-20150604.tar.bz2

Now Extract it:

tar xvjpf stage3-*.tar.bz2 --xattrs

Now to create our make.conf

rm /mnt/gentoo/etc/make.conf ; vi /mnt/gentoo/etc/make.conf

Just change the number in MAKEOPTS to be one more than the number of CPU cores in your system; for example, 8 cores = -j9.

CFLAGS="-O2 -pipe"
CXXFLAGS="${CFLAGS}"
CHOST="x86_64-pc-linux-gnu"
MAKEOPTS="-j3"
USE="caps hardened -ipv6 -systemd"
GENTOO_MIRRORS="ftp://mirror.internode.on.net/pub/gentoo/"
#New Gentoo Does not like Sync
##SYNC="rsync://mirror.internode.on.net/gentoo-portage"
#PORTDIR="/usr/portage"
#DISTDIR="${PORTDIR}/distfiles"
#PKGDIR="${PORTDIR}/packages"

Now copy the resolv.conf from the live system.

cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf

Mount the pseudo-filesystems into our new environment. For this example we are not using systemd, but these mounts will work just fine either way:

mount -t proc proc /mnt/gentoo/proc
mount --rbind /sys /mnt/gentoo/sys
mount --make-rslave /mnt/gentoo/sys
mount --rbind /dev /mnt/gentoo/dev
mount --make-rslave /mnt/gentoo/dev

Now chroot into our new environment:

chroot /mnt/gentoo /bin/bash
source /etc/profile
export PS1="(AGIX chroot) $PS1"

Now we need to pull in a snapshot of portage

emerge-webrsync

You can read the Gentoo news later; for now, run this to save it to a file:

eselect news read > /root/news

Set the system profile

eselect profile set 1

Set the timezone for the system

echo "Australia/South" > /etc/timezone ; emerge --config sys-libs/timezone-data

Set the system locale

echo 'en_AU.UTF-8 UTF-8' > /etc/locale.gen ; locale-gen ; eselect locale set 3

Now update the environment

env-update && source /etc/profile

Set up the package.use file:

cat /etc/portage/package.use/iputils > /root/package.use ; rm -rf /etc/portage/package.use ; mv /root/package.use /etc/portage/package.use
echo "sys-kernel/genkernel cryptsetup" >> /etc/portage/package.use

Now for the Linux kernel:

emerge --ask -jv sys-kernel/gentoo-sources sys-kernel/genkernel

Generate the kernel; be sure to enable support for your networking devices under Device Drivers:

genkernel --menuconfig all

Once done, take a record of the generated files:

ls /boot/kernel* > /root/kernel_files ; ls /boot/initramfs* > /root/initramfs_files

Add your text editor

emerge --ask -jv vim

Set up the fstab:

vi /etc/fstab
/dev/sda2	/boot		ext2	defaults,noatime	0 2
/dev/sda3	none		swap	sw			0 0
/dev/sda4	/		ext4	noatime			0 1
/dev/cdrom	/mnt/cdrom	auto	noauto,user		0 0
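A wrong filesystem type or device name in this file is the usual reason the first boot ends in a rescue shell, so it is worth cross-checking the fstab against what blkid reports before the reboot. The script below is an added example, not part of the article; it compares each /dev/ entry's type with blkid's `TYPE=` field and skips the cdrom line (type auto). The sample fstab and blkid output inside it are constructed to mirror the partition layout used in this install; with the host's /dev bound into the chroot as done above, the live check runs against the real files.

```sh
#!/bin/sh
# Added example, not from the article: before rebooting, cross-check the fstab
# written above against what blkid reports for each device, since a wrong
# filesystem type or device name is the usual reason the first boot stops at
# a rescue shell. Both inputs are passed as text so the check can also be run
# on captured output.

# fstab_mismatches FSTAB_TEXT BLKID_TEXT
# Prints one line per /dev/ entry in fstab that blkid does not report or whose
# type disagrees with blkid's TYPE=; prints nothing when everything agrees.
# Entries with type 'auto' (the cdrom line) and non-/dev sources are skipped.
fstab_mismatches() {
    fstab="$1"
    blkid="$2"
    printf '%s\n' "$fstab" | while read -r dev mnt fstype rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        case "$dev" in /dev/*) ;; *) continue ;; esac
        [ "$fstype" = "auto" ] && continue
        line=$(printf '%s\n' "$blkid" | grep "^$dev: " || true)
        if [ -z "$line" ]; then
            echo "$dev: not reported by blkid"
            continue
        fi
        real=$(printf '%s\n' "$line" | sed -n 's/.*TYPE="\([^"]*\)".*/\1/p')
        if [ "$fstype" != "$real" ]; then
            echo "$dev: fstab says $fstype, blkid says ${real:-unknown}"
        fi
    done
    return 0
}

# Constructed inputs mirroring the partition layout used in this install
SAMPLE_FSTAB='/dev/sda2  /boot       ext2  defaults,noatime  0 2
/dev/sda3  none        swap  sw                0 0
/dev/sda4  /           ext4  noatime           0 1
/dev/cdrom /mnt/cdrom  auto  noauto,user       0 0'
SAMPLE_BLKID='/dev/sda2: UUID="1111-aaaa" TYPE="ext2"
/dev/sda3: UUID="2222-bbbb" TYPE="swap"
/dev/sda4: UUID="3333-cccc" TYPE="ext4"'

# Live check inside the chroot (blkid needs the host's /dev, which the --rbind
# mount above provides); falls back to the constructed sample otherwise.
if [ -r /etc/fstab ] && command -v blkid >/dev/null 2>&1; then
    fstab_mismatches "$(cat /etc/fstab)" "$(blkid)"
else
    fstab_mismatches "$SAMPLE_FSTAB" "$SAMPLE_BLKID"
fi
```

No output means every checked entry agrees with blkid; each printed line names the device to fix before rebooting.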

Set the hostname for the system

vi /etc/conf.d/hostname

Setup your domain and interface, change the interface name to reflect your system

vi /etc/conf.d/net
dns_domain_lo="DOMAIN"
config_eth0="dhcp"

Create the init script

cd /etc/init.d
ln -s net.lo net.eth0
rc-update add net.eth0 default
emerge --ask -jv net-misc/netifrc

Double check the keymap for the system and then set the password for root

cat /etc/conf.d/keymaps | grep -i "keymap="
passwd

Check the system clock settings. It should be UTC by default, but you can set it to local if that suits you:

cat /etc/conf.d/hwclock | grep -i "clock="

Now install some useful apps; all but gentoolkit and dhcpcd are optional:

emerge --ask -jv app-admin/syslog-ng sys-process/cronie sys-apps/mlocate app-admin/sudo app-admin/logrotate app-misc/screen app-text/tree app-portage/gentoolkit app-portage/portage-utils net-misc/dhcpcd

Add to the default run level

rc-update add syslog-ng default ; rc-update add cronie default ; rc-update add sshd default

Install Grub

emerge --ask -jv sys-boot/grub ; grub2-install /dev/sda
grub2-mkconfig -o /boot/grub/grub.cfg

Now you should be able to reboot into a working Gentoo system; remember to remove the install media once the system shuts down.

reboot

When the system comes back up, log in using the password that you set and run the following to make sure that your network device is working:

ifconfig -a

If you do not see your networking device listed then you will need to reconfigure the kernel with your device driver enabled.

Now update the system and you should be all set to start using it

emerge @world --update --deep --newuse -aqv --autounmask-write ; dispatch-conf

One final reboot

reboot

That is it, you are all set with a basic Gentoo install. If you have any issues, you will be able to find the answer on the Gentoo wiki.

Preparing Windows 7/8 for kids

Filed under: Windows HowTo's

This article is for those looking to prepare a Windows 7 or 8 computer for kids. These are the steps I take as a minimum.

  • 1. Remove all unnecessary software from the PC. Unnecessary software (such as download assistant software, assistive software, adware software, etc.) can lead kids (and adults) to websites of poor taste. Remove everything you don’t need. If you’re not sure whether a program is needed or not, Google it or ask an expert. Go through the list of installed software in the Windows Add/Remove list. See the steps below.
  • 2. Remove whatever anti-virus you have on the PC and then install something trusted like AVG. AVG comes free for personal use. Free doesn’t mean bad in this case. AVG has a great reputation and doesn’t take over your computer.
  • 3. Turn on Parental Controls for the kids’ account. This means creating a new computer login account for the kids. You can log in with full access to make changes to the computer, etc., but the kids have restrictions. You have the admin account and the kids have the Parental Controlled account. See below for steps.
  • 4. Set Internet Explorer as the default browser and ensure no other browsers are installed. Internet Explorer does NOT have a good reputation, but it works well with the Parental Controls that we previously enabled. Other browsers don’t. Also, great browsers like Chrome have excellent features that block bad images, but they require you to have a Google/Gmail account for the user. Ironically, only adults can have such an account. So we’re stuck with Internet Explorer. While on this topic we must set a good search engine as the home page and the default search engine for Internet Explorer. I recommend “www.duckduckgo.com”, which claims to ‘not track’ its users.
  • 5. Watch and educate your kids. Keep the computers in the lounge or kitchen where you can monitor them.

These are the steps to take.

1. Go to the Control Panel and select the Uninstall Programs link/option. Select one program at a time to remove and click the Uninstall or Change button at the top of the list. You can’t remove more than one at a time.

2. Using Internet Explorer, download AVG Free using the link below. Then go back to the Uninstall Programs utility and remove the currently-installed antivirus program. Download AVG Free from “http://download.cnet.com/AVG-AntiVirus-Free-2015/3000-2239_4-10320142.html”. Click the “Download Now, Secure Download” link on that page.

3. Turn on Parental Controls. First we need to create the kids a new account and leave yours (the one with full access) for your use only. Go to the Control Panel and click User Accounts and Family Safety. Click Add or Remove User Accounts. Then click Create New Account and give it a name such as “Kids”. Make sure to select Standard Account. Click Create Account. Now click on the “Kids” account (the button) and click the “Set Up Parental Control” link. Select the “Kids” account and change the option from Off to On. Click OK. Now you need to set your own account’s password if one isn’t already set. Do this by going to the Control Panel and then User Accounts and Family Safety. Then click the Change Your Password link. Set your password to something the kids don’t know. You’re done. You can set the Kids password too in the same way if you like. Finally, before logging out, make sure your account is “Administrative”. Do this by going to the Control Panel and clicking User Accounts and Family Safety. Then go to Add or Remove User Accounts. You will see the word Administrative below your account name. If not, go in and change it using an Administrative account. Test what you’ve just done by logging out of your account and in as the Kids account.

4. Set Internet Explorer as the default browser and make sure the default search engine is “www.duckduckgo.com”. Open Internet Explorer and press “Alt+t” and then “o”. You will see the Internet Explorer Options Window appear. In the top field, remove whatever is already in there and enter “http://www.duckduckgo.com” and click the Apply button. Click on the Advanced tab and in the Settings list, go to Security and then tick the Enable Enhanced Protected Mode. Again click the Apply button. Now click the Programs tab and click the Make Default button. Click OK. You’re done.

5. Watching your kids is obvious but worth it. One wrong click and they end up seeing something very uncool.

Adding Neo4J to OpenShift

Filed under: All Linux HowTo's

This article shows how to add a Neo4J cartridge to your OpenShift application. We’re assuming you have an application already created and that you’re simply needing to add the Neo4J database to your existing app.

The YML file is:

https://raw.githubusercontent.com/danielnatali/openshift-neo4j-cartridge/master/metadata/manifest.yml

You can add Neo4J via the command line as follows:

rhc cartridge-add https://raw.githubusercontent.com/danielnatali/openshift-neo4j-cartridge/master/metadata/manifest.yml -a MyAppName --namespace MyNameSpace

Or you can use the OpenShift portal to add it by simply entering the above YML URL.

Minimal Apache SSL Configuration (Redhat)

Filed under: All Linux HowTo's, Security HowTo's

This document shows the minimal information you need to have a working Apache server serving HTTPS requests. On Red Hat it is typical to put your configuration files in “/etc/httpd/conf.d/”.

<VirtualHost *:443>
 
 LogLevel warn
 SSLEngine on
 SSLCertificateFile /etc/httpd/keys/www.example.com.crt
 SSLCertificateKeyFile /etc/httpd/keys/www.example.com.key
 SSLCertificateChainFile /etc/httpd/keys/keysupplier.crt

 DocumentRoot "/var/www/html/ssldomain/public"
 ServerName www.example.com

 <Directory "/var/www/html/ssldomain/public">
 Options Indexes FollowSymLinks MultiViews
 AllowOverride All
 Order allow,deny
 allow from all
 </Directory>

</VirtualHost>

You should always test your configuration with the following command:

apachectl -t
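`apachectl -t` only checks syntax; it says nothing about what the directives permit. The minimal vhost above has three settings a security review would query: there is no SSLProtocol line, so the build's compiled-in default decides which SSL/TLS versions are offered; `Options Indexes` serves a listing of any directory under DocumentRoot that lacks an index file; and `AllowOverride All` lets any .htaccess under DocumentRoot change the server's behaviour. The script below is an added example, not from the article: a small lint that flags those three settings, with a constructed copy of the vhost above (certificate paths shortened) beside a tightened variant. The directives in the hardened copy (`SSLProtocol`, `-Indexes`, `AllowOverride None`) are standard Apache syntax.

```sh
#!/bin/sh
# Added example, not from the article: a small lint for an Apache SSL vhost that
# flags three settings in the minimal configuration above which a security
# review would query. 'apachectl -t' only checks syntax; it says nothing about
# what the directives permit.

# lint_vhost CONFIG_TEXT
# Writes one line per finding to stderr and prints the number of findings.
lint_vhost() {
    conf="$1"
    count=0
    # 1. No SSLProtocol: the build's compiled-in default decides which SSL/TLS
    #    versions are offered, which on older builds still includes SSLv3.
    if ! printf '%s\n' "$conf" | grep -qi '^[[:space:]]*SSLProtocol[[:space:]]'; then
        echo "WARN: no SSLProtocol directive (e.g. 'SSLProtocol all -SSLv2 -SSLv3')" >&2
        count=$((count + 1))
    fi
    # 2. 'Options Indexes' (with no leading '-') serves a listing of any directory
    #    that lacks an index file, exposing file names under DocumentRoot.
    if printf '%s\n' "$conf" | grep -Eqi '^[[:space:]]*Options[[:space:]]+([^#]*[[:space:]])?\+?Indexes([[:space:]]|$)'; then
        echo "WARN: directory listings enabled ('Options Indexes'); use '-Indexes'" >&2
        count=$((count + 1))
    fi
    # 3. 'AllowOverride All' lets any .htaccess under DocumentRoot change the
    #    server's behaviour; 'None' keeps that control in the main config.
    if printf '%s\n' "$conf" | grep -Eqi '^[[:space:]]*AllowOverride[[:space:]]+All([[:space:]]|$)'; then
        echo "WARN: 'AllowOverride All' honours every .htaccess; prefer 'None'" >&2
        count=$((count + 1))
    fi
    echo "$count"
}

# Constructed copy of the article's vhost (certificate paths shortened)
WEAK_VHOST='<VirtualHost *:443>
 SSLEngine on
 SSLCertificateFile /etc/httpd/keys/www.example.com.crt
 SSLCertificateKeyFile /etc/httpd/keys/www.example.com.key
 DocumentRoot "/var/www/html/ssldomain/public"
 <Directory "/var/www/html/ssldomain/public">
 Options Indexes FollowSymLinks MultiViews
 AllowOverride All
 </Directory>
</VirtualHost>'

# The same vhost with the three settings tightened
HARDENED_VHOST='<VirtualHost *:443>
 SSLEngine on
 SSLProtocol all -SSLv2 -SSLv3
 SSLCertificateFile /etc/httpd/keys/www.example.com.crt
 SSLCertificateKeyFile /etc/httpd/keys/www.example.com.key
 DocumentRoot "/var/www/html/ssldomain/public"
 <Directory "/var/www/html/ssldomain/public">
 Options -Indexes +FollowSymLinks
 AllowOverride None
 </Directory>
</VirtualHost>'

echo "weak vhost findings: $(lint_vhost "$WEAK_VHOST")"
echo "hardened vhost findings: $(lint_vhost "$HARDENED_VHOST")"
```

To lint a real file, pass its contents: `lint_vhost "$(cat /etc/httpd/conf.d/ssl.conf)"`. The count on stdout makes it easy to fail a deployment step when it is non-zero.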

And restart apache with:

service httpd restart

Migrate from Evolution to Thunderbird

Filed under: All Linux HowTo's, Scripting HowTo's

Just recently for work we had to migrate all of our users from Evolution to Thunderbird. This is a boring process if you have to do it manually for an office full of people, so I wrote a little script. Feel free to edit it to match your needs.

#!/bin/bash

#Check if the user has set a user name and if not tell them how to use the script
if [ -z "$1" ]
then
echo "This script migrates mailboxes from evolution to thunderbird by copying their data to the correct directory"
echo "This script expects one parameter, the username of the person being migrated see below for an example"
echo "This script must be run as a privileged user"
echo "sudo ./MigrateMailScript.sh brad"
else
#Since the user name has been set then we can get the users unique thunderbird id, this section requires there to be only one .default which for our case is fine
UNIQUEID="$(sudo ls "/home/$1/.thunderbird/" | grep '\.default')"
#echo $UNIQUEID #Only Used for Debugging

#Stop here if no profile was found, otherwise the paths below would point at .thunderbird itself
if [ -z "$UNIQUEID" ]
then
echo "No .default profile found under /home/$1/.thunderbird/ - start Thunderbird once as $1 first"
exit 1
fi

#Found an issue with some users where the directory does not exist after first run so we will just create it
sudo mkdir -p "/home/$1/.thunderbird/$UNIQUEID/Mail/Local Folders/"

#Now we can copy all of the users files from evolution to thunderbird
sudo cp "/home/$1/.local/share/evolution/mail/local/"/* "/home/$1/.thunderbird/$UNIQUEID/Mail/Local Folders/"

#Now we need to detect the users primary group so that we can set permissions on the files
PRIMARYGROUP="$(id -g -n "$1")"
sudo chown -R "$1:$PRIMARYGROUP" "/home/$1/.thunderbird/$UNIQUEID/Mail/"
fi

This has been tested, as it migrated our whole office, but be careful: there are probably still issues with it, and some of the items could be environment specific, for example the existence of more than one .default folder under ~/.thunderbird.

Contact AGIX Support

Level 2, 170 Greenhill Road
Parkside 5063 South Australia
Phone: (08) 7324 4429
or 0422 927 598
support@agix.com.au