Technical Bits n Pieces

This really is and aide memoire, a scrap pad, random commands etc ……. as I come across errors, workarounds, fixes.

This is all about making those notes so that I don’t have to trawl Google again to find the answers and at least I know these commands work ūüôā

How to grep IP addresses in a file?

I needed to tail a file for IP addresses as some thing was using a large amount of web server resource. The log file is called httpd-access

¬†tail -f httpd-access_log | grep -E -o “([0-9]{1,3}[\.]){3}[0-9]{1,3}”

How to deny and ip address from accessing your server?

Yes you can use a firewall, but if you are behind a load balancer or proxy server then you can not.

In either the httpd.conf or the .htaccess file add the following lines :-

httpd.conf – add these to the directory element of the file

Order allow,deny
Allow from all
deny from Enter IP address

At the end of the file

<Files 403.shtml>
order allow,deny
allow from all

.htaccess – add this to the IfModule element, You can deny IP addresses or use a RewriteCond and Rule.

# Block Bad Bots
RewriteCond %{HTTP_USER_AGENT} ^.*(Vagabondo).*$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(AhrefsBot).*$ [NC]
RewriteRule . - [F,L]
order allow,deny
allow from all

deny from Enter Ip address here

Add this at the end of the file

<Files 403.shtml>
order allow,deny
allow from all

The server will redirect traffic to a 403 error.


How to log the source IP address when behind a load balancer or proxy?

You use a load balancer to spread the load of your web sites, but how can you find the ip address of who is using your site, this is specific to the Apache server but something similar will work on nginx I am sure.

In the httpd.conf file change the

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined


LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" combined

You now should create some custom logs files, again in httpd.conf add the following lines to the virtualhost element

ErrorLog logs/httpd-error_log
CustomLog logs/httpd-access_log combined


Allowing SSH access to Ubuntu 14.0 LTS Desktop

We are running some software that needs a Linux desktop, I am not a big fan of Ubuntu but it is one of the listed supported platforms.

I obviously need vnc access, wow what a pain. Centos / Redhat easy to do Ubuntu !!!!

So I though ssh on and just configure, well there is no SSH access out of the box. Build for the GUI generation. To get ssh access

sudo apt-get update
sudo apt-get install openssh-server


You now have ssh access!!!


Create a patch file and then the application of the patch

If you need to create a differential file for redeployment on another system then creating a patch file is ideal.

You will need the patch utilities installed

yum install patch

Now to create your patch file. Copy the original file into the same directory

e.g. cp config.php config.php_chg

Now update the config.php_chg file with all of your amendments

Now to create the file

diff -Naur config.php config.php_chg > config.php.patch

If you want to now apply the patch

patch config.php < config.php.patch

You now should keep the file in a safe place or if it is not a sensitive change, i.e. containing passwords then you can add it to








Cheat sheet for installing Centrify

This is more for me that a general help blog, the instructions are pretty good with the Centrfy product (, but there are pages and pages. I just want the salient points to get me up and running.


For those who do not know, this product allows you to join a Linux server to a Windows domain via a scripted method and with out all of the hassle trying to do it by hand. It also has a Samba element, this is what I want it for!!!!


There is much more to the enterprise product and you can do some really cool things with it, but I am happy with the free version.


You need to download the suite and Samba installs from here, the site tries its best to hide the downloads, you have to register for the download, and then it does it’s best to hide the bits you need. ¬†To download and register use¬†

Or you can follow this link

The express suite is for Centos is


The Samba install is


So here is the basics on the installation.

You will need some base bits

yum -y install perl
mkdir /opt/software
cd /opt/software


mkdir suite
tar -xvzf centrify-suite-2015.1-rhel4-x86_64.tgz -C suite
mkdir samba
tar -xvzf centrify-samba-4.5.9-rhel3-x86_64.tgz -C samba
cd suite


***** ***** ***** WELCOME to the Centrify Express installer! ***** ***** *****


Detecting local platform …


Running ./adcheck-rhel4-x86_64 … OSCHK : Verify that this is a supported OS : Pass PATCH : Linux patch check : Pass PERL : Verify perl is present and is a good version : Pass SAMBA : Inspecting Samba installation : Pass SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass HOSTNAME : Verify hostname setting : Pass NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass DNSPROBE : Probe DNS server : Pass DNSCHECK : Analyze basic health of DNS servers : Warning : Only one DNS server was found in /etc/resolv.conf. : At least one backup DNS server is recommended for : enterprise installations. : Only one good DNS server was found : You might be able to continue but it is likely that you : will have problems. : Add more good DNS servers into /etc/resolv.conf.


WHATSSH : Is this an SSH that DirectControl works well with : Pass SSH : SSHD version and configuration : Warning : You are running OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013. : : This version of OpenSSH does not seem to be configured for PAM, : ChallengeResponse and Kerberos/GSSAPI support. : To get Active Directory users to successfully login, : you need to configure your OpenSSH with the following options: : (display the ones we identified were not set) : ChallengeResponseAuthentication yes : UsePAM Yes : : Centrify provides a version of OpenSSH that’s configured properly : to allow AD users to login and provides Kerberos GSSAPI support. : : If you install Centrify Express or Centrify Suite : Standard or Enterprise Edition, the Centrify build of : OpenSSH will be installed automatically. Alternatively : you may choose individual Suite packages to install : with the Custom install option.


2 warnings were encountered during check. We recommend checking these before proceeding


WARNING: adcheck exited with warning(s).


With this script, you can perform the following tasks: – Install (update) Centrify Suite Enterprise Edition (License required) [E] – Install (update) Centrify Suite Standard Edition (License required) [S] – Install (update) Centrify Suite Express Edition [X] – Custom install (update) of individual packages [C]


You can type Q at any prompt to quit the installation and exit the script without making any changes to your environment.


How do you want to proceed? (E|S|X|C|Q) [X]:X


The Express mode license allows you to install a total of 200 agents. The Express mode license does not allow the use of licensed features for advanced authentication, access control, auditing, and centralized management. This includes, but is not limited to features such as SmartCard authentication, DirectAuthorize, DirectAudit, Group Policy, Login User Filtering, and NSS overrides.


Do you want to continue to install in Express mode? (C|Y|Q|N) [Y]:Y



Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:Y


Please enter the Active Directory domain to check []:acme


Join an Active Directory domain? (Q|Y|N) [Y]:Y


Enter the Active Directory domain to join [acme]:acme.local


Enter the Active Directory authorized user [administrator]:Administrator


Enter the password for the Active Directory user:


Enter the computer name [server-01]:Enter


Enter the container DN [Computers]: Enter Enter the name of the domain controller [auto detect]:Enter


Reboot the computer after installation? (Q|Y|N) [Y]:Y


You will get a confirmation screen


Please enter the Active Directory domain to check []: acme Join an Active Directory domain? (Q|Y|N) [Y]:Y Enter the Active Directory domain to join [churchill1795]: acme.local Enter the Active Directory authorized user [administrator]: Administrator Enter the password for the Active Directory user: Enter the computer name [server-01]: Enter the container DN [Computers]: Enter the name of the domain controller [auto detect]: Reboot the computer after installation? (Q|Y|N) [Y]:Y


You chose Centrify Suite Express Edition and entered the following: Install CentrifyDC 5.2.3 package : Y Install CentrifyDC-nis 5.2.3 package: N Install CentrifyDC-openssh 5.2.3 package: Y Install CentrifyDC-ldapproxy 5.2.3 package: N Install CentrifyDA 3.2.3 package: N Run adcheck : Y Join an Active Directory domain : Y Active Directory domain to join : acme.local Active Directory authorized user : Administrator computer name : server-01 container DN : Computers domain controller name : auto detect Reboot computer : Y


If this information is correct and you want to proceed, type “Y”. To change any information, type “N” and enter new information. Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:Y

  The installation will start and the sever will reboot if successful. To avoid any errors when installing the samba install you need some bits

yum -y install cups


cd /opt/software/samba
 rpm -i centrifydc-samba-3.6.25-4.5.9-rhel3-x86_64.rpm
rpm -i centrifydc-adbindproxy-4.5.9-rhel3-x86_64.rpm
perl /usr/share/centrifydc/bin/ is used to configure the Centrify custom Samba build to interoperate with Centrify’s DirectControl product. It checks if the machine is joined to an AD domain. If not, it will prompt for the join operation. It also updates smb.conf and tdb files.


For security reason, you will be prompted for password several times in order to perform different AD operations when running this script.


Please specify Centrify Samba’s path if it is not in [/opt/centrify/samba/] :Enter



Using (/opt/centrify/samba/) The Samba base path is : /opt/centrify/samba/ Looking for conflicting Samba installations… No conflicting Samba found. Do you want to create symbolic links from /usr to /opt/centrify/samba/ [Y] : Y


Using (Y) Creating symbolic links from /usr/sbin/ to /opt/centrify/samba/sbin/… Creating symbolic links from /usr/bin/ to /opt/centrify/samba/bin/… Creating symbolic links from /usr/lib64/ to /opt/centrify/samba/lib/… Creating symbolic links from /lib/security/ to /opt/centrify/samba/lib/security/… Creating symbolic links from /etc/pam.d/ to /opt/centrify/samba/etc/pam.d/… Creating symbolic links from /etc/logrotate.d/ to /opt/centrify/samba/etc/logrotate.d/… Creating symbolic links from /etc/samba/smbusers to /opt/centrify/samba/etc/samba/smbusers Creating symbolic links from /etc/samba/lmhosts to /opt/centrify/samba/etc/samba/lmhosts Joined to Domain: churchill1795.local Zone: Auto Zone Do you want to leave and join to another domain? [N] :N


Using (N) Remove Winbind settings (if any) from /etc/nsswitch.conf. No Winbind settings found. Removing old state files… Updating smb.conf with Centrify recommended settings… Existing file ‘/etc/centrifydc/centrifydc.conf’ is backed up as ‘/etc/centrifydc/centrifydc.conf.pre_adbindproxy’ Reset the Samba User/Group ID Cache (Centrify Samba may create conflicting mappings) [Y] :Y


Using (Y)


Init Samba start script … Restarting Samba daemons …


Warning: Unit file of centrifydc-samba.service changed on disk, ‘systemctl daemon-reload’ recommended. Restarting centrifydc-samba (via systemctl): [ OK ]


Check if SWAT symbolic link exists: /opt/centrify/samba/share/samba/swat -> /opt/centrify/samba/share/swat


Current DirectControl Configuration:


Local host name: devwebapplication-02 Joined to domain: churchill1795.local Joined as: devwebapplications-02.churchill1795.local Pre-win2K name: devwebapplicati Current DC: ad-01.churchill1795.local Preferred site: HeadOffice Zone: Auto Zone Last password set: 2015-11-10 14:22:37 GMT CentrifyDC mode: connected Licensed Features: Disabled


Current Samba Configuration:


LDAP server: x.x.x.x LDAP server name: ad.acme.local Realm: acme.LOCAL Bind Path: dc=acmedc=LOCAL LDAP port: 389 Server time: Tue, 10 Nov 2015 14:22:40 GMT KDC server: x.x.x.x Server time offset: 0


Press ENTER to continue …


Samba is now installed.   OK now you need to create a folder and share it. This is a development web server so I am sharing /var/www/html, the share will be called web   You need to edit the /etc/samba/smb.conf file   Go to the bottom of the file and [web] comment = Apache web directory path = /var/www/html public = no valid users = +DOMAINNAME\DOMAIN_GROUPNAME writable = yes   This will allow members of the group access to the directory.   Because this is a systemd server you need to use systemctl to restart the services.

systemctl restart centrifydc.service


Centrify also add the applicable ini.d scripts so


service centrifydc-samba restart
service centrifydc restart





Alternative to Splunk

After having a few issues, I thought it should be time to get a central logging system in place. So Google to the rescue once more. I have come across a few and I will keep adding them to the following list.


This is more an aide de memoire so that I can pick this up when I get more time.


Graylog2 Рthis looks a good option

Fluentd Рthe combination of a few bits will give you what you want, the looks to be a good


OpenTSDB Рnot sure about this one, looks interesting though


Logstash РAgain looks interesting


Any way I will let you know more as I install them



Using Linux fsck to get you out of a jam

Well, not the best start to the weekend, One of my reliable and trusty dev servers decided to throw a wobble and toss the proverbial baby out of the bath water and give me a wonderful SuperBlock error. ūüė¶

Just for Google search the error was :-

mount: wrong fs type, bad option, bad superblock on /dev/mapper/Oracle_11G_Dev_Datap1,
       missing codepage or other error
       In some cases useful info is found in syslog Рtry
       dmesg | tail  or so

This is a Redhat Enterprise Linux version 5.9


So you turn to Google and off you go.

Now this site is worth a mention as it explains fsck pretty well


So off you go and try some of the commands

The issue is that there is a bad superblock, there are backup blocks though to find them you use

mke2fs -n /dev/mapper/mpath18p1

mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
214761472 inodes, 429522936 blocks
21476146 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
13108 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
102400000, 214990848



fsck -v /dev/mapper/mpath18p1

fsck 1.39 (29-May-2006)
fsck: fsck.ext4: not found
fsck: Error 2 while executing fsck.ext4 for /dev/mapper/mpath18p1

You notice many instructions with the following command fsck.ext4 as you see in the output above. What many people do not tell you is that you need a package installing

yum install e4fsprogs


So now the moment of truth, take one of the superblock number from the mke2fs command and try the

e4fsck command

e4fsck -b 98304 /dev/mapper/mpath18p1

e4fsck 1.41.12 (17-May-2010)
Adding dirhash hint to filesystem.

/u100 was not cleanly unmounted, check forced.
Pass 1: Checking inodes, blocks, and sizes
Inode 7, i_blocks is 140000, should be 139888. Fix<y>? Y

And off you, a few hours later and many “y’s” being pressed it sprung back into life.


I am now looking for the commands to test / ensure that all is OK.

Good luck if you ever get this and I hope that this little bit of text works for you.


Creating a NFS CENTOS 6 Linux target server

We have some old kit and and I have a Friday free now and we need a development environment to get a few things working.

So I decided to embark on ¬†a vmware server and storage build. All of course without spending any money ūüôā (well on software anyway)

So I have 2 HP GL something servers for the vmware environment, a DL server to act as the iscii storage server and a 14 disk array that can be connected via a direct HBA fibre connect. All sounds good.

The idea is to software RAID the disk array, present the array to the storage server which will server this out as an iscii connection via direct connected bonded Ethernet cards.

The first thing that I though would be the easiest bit was to create the RAID array. This turned out not to be the case, but when you see the solution DOH!!!!!

Linux OS is CENTOS 6.3

I know you may wonder why I did not use FreeNAS or NAS4Free. I did try, but the hardware was not compatible. It would not even boot, so I could not even go after some fixes.

So onto the install.

First find out what the disks are called.

fdisk -l

Will display a long list look for something like


Armed with this information

fdisk -l | grep /dev/sd

This will list all of the disks. In my case /dev/sda —> /dev/sdm

To make sure all of the disks have no partition you can use various tools such as fdisk. Good tutorial How to delete a partion here. I used cfdisk. There is a menu with it so you do not have to remember the switches ūüôā

cfdisk /dev/sd*

Delete any partitions and save and exit. Do this for all the disks that you want to put into the array.

Now to create the array. I am creating a RAID 6 array with 2 spare disks. They are old disk. Need a bit of guarantee regarding the condition.

A good mdam write up is actually in wikipedia of all places Mdadm

mdadm --create --verbose /dev/md0 --level=6 --raid-devices=12 /dev/sda /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf /dev/sdg /dev/sdh /dev/sdi /dev/sdj /dev/sdk --spare-devices=2 /dev/sdl /dev/sdm

I got this error mdadm: super1.x cannot open /dev/sdb1: Device or resource busy mdadm: ddf: Cannot use /dev/sdb1: Device or resource busy Not sure why you can get this, but basically it looks like some of the disks have a RAID configuration and are being held by the OS. To discover if this is the case

cat /proc/mdstat

This will list what RAID has got hold of the disks. A good chance if will be md127. To get rid of this

mdadm --stop /dev/<mdxxx>

Where xxx is the RAID number found in the cat command above. Once you have stopped the RAID, issue the mdadm –create command

This will start the creation of the RAID array. Depending on the size and speed this could take hours. To determine if the RAID is creating then

cat /proc/mdstat

You will get something along the lines of

cat /proc/mdstat
Personalities : [raid6] [raid5] [raid4]
md0 : active raid6 sdm[12](S) sdl[11](S) sdk[10] sdj[9] sdi[8] sdh[7] sdg[6] sdf[5] sde[4] sdd[3] sdc[2] sdb[1] sda[0]
1290359808 blocks super 1.2 level 6, 512k chunk, algorithm 2 [11/11] [UUUUUUUUUUU]
[======>…………..] resync = 32.7% (46917760/143373312) finish=175.3min speed=9168K/sec

unused devices: <none>

Once you have the RAID array created its time to create a file system and mount it and also make sure that the RAID starts when the system is re-booted

mdadm --detail --scan >> /etc/mdadm.conf

OK another area of investigation, what is the best Linux file system. Well as will all things it depends on what you need it for. The storage is for VMware files. These will be 10GB–50GB flat files and therefore I am going to try out the xfs file system which is supposed to be good and fast for the larger files.

Ok some thing strange happened, I had to reboot the server and the /dev/md0 became /dev/md127, no idea why, and I just wanted to get it finished.

You now need to create a logical volume, this will allow you to mount the disk

#create a volume group named “vg_target00”

vgcreate -s 32M vg_target00 /dev/md0

# create a logical volume named “lv_target00”

lvcreate -L 130G -n lv_target00 vg_target00

This creates it for all of the volume

lvcreate -l 100%VG -n lv_target00 vg_target00

This area got a bit fuzzy and the exact order may need to change, I tried to keep notes around this element, but I tried many different bits. One this is for sure though if you use xfs files system then to avoid the following error you need to install the correct packages

You may get the following error

bash: mkfs.xfs: command not found

Some bits and pieces were needed

yum install xfsdump xfsprogs
mkdir /mnt/storage

To make the file system

mount -t xfs /dev/vg_target00/lv_target00 /mnt/storage

mkfs -t xfs -f /dev/vg_target00/lv_target00

This will now have mounted it. To make this a permanent mount then you need to add a line to fstab

vi /etc/fstab
/dev/vg_target00/lv_target00 /mnt/storage       xfs     defaults        0 0

OK we now have the disk array prepared, we now need the connectivity to sort out. I installed a 4 port NIC card in the server, I will bond two port together to give me direct access to the two servers. Bonding the ports together will I hope give me enough throughput for some decent performance. To determine what nic you have

ls sysconfig/network-scripts/

This will list something along the lines of

ifcfg-eth0 ifcfg-eth5 ifdown-ippp ifdown-routes ifup-bnep ifup-plip ifup-sit network-functions
ifcfg-eth1 ifcfg-lo ifdown-ipv6 ifdown-sit ifup-eth ifup-plusb ifup-tunnel network-functions-ipv6
ifcfg-eth2 ifdown ifdown-isdn ifdown-tunnel ifup-ippp ifup-post ifup-wireless
ifcfg-eth3 ifdown-bnep ifdown-post ifup ifup-ipv6 ifup-ppp init.ipv6-global
ifcfg-eth4 ifdown-eth ifdown-ppp ifup-aliases ifup-isdn ifup-routes net.hotplug

The NIC cards I am interested in are ifcfg-eth2, ifcfg-eth3, ifcfg-eth4 and ifcfg-eth5. There is one note, many of the tutorials that I read specified changing the modprobe.conf file. This appears to be have been depreciated and now all the .conf files can be created in /etc/modprobe.d

So lets start we will have bond0 and bond1.

Just a note on the IP addresses that we will use. As we are direct connecting the servers, I am going to to configure the network too two IP hosts per connection


bond0  details (server)


bond0  details (client)


bond1  details (server)


bond1  details (client)


You need ethtool installed to allow bonding NIC to work

yum install ethtool

Bond0 creation

 echo "DEVICE=bond0"  >/etc/sysconfig/network-scripts/ifcfg-bond0
 echo "IPADDR="  >> /etc/sysconfig/network-scripts/ifcfg-bond0
 echo "NETWORK="  >> /etc/sysconfig/network-scripts/ifcfg-bond0
 echo "NETMASK="  >> /etc/sysconfig/network-scripts/ifcfg-bond0
 echo "USERCTL=no"  >> /etc/sysconfig/network-scripts/ifcfg-bond0
 echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-bond0
 echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0

Bond1 creation

echo "DEVICE=bond1"  >/etc/sysconfig/network-scripts/ifcfg-bond1
echo "IPADDR="  >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "NETWORK="  >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "NETMASK="  >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "USERCTL=no"  >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond1

OK we now need to tell the NIC ports to belong to the bond

vi /etc/sysconfig/network-scripts/ifcfg-eth3

My current config looks like this


We need to change it to the following


This needs to be done for all of the ports and bonds.

Once this is done, you need to start the bonds, to do this create a bonding.conf file. There are many difference bonding modes these are described in the Tips and tricks for bonding interfaces.

I want to balance my NIC to get the best throughput so I an using mode 5

echo "alias bond0 bonding" > /etc/modprobe.d/bonding.conf
echo "options bond0 mode=5 miimon=100" >> /etc/modprobe.d/bonding.conf
echo "alias bond1 bonding" >> /etc/modprobe.d/bonding.conf
echo "options bond1 mode=5 miimon=100" >> /etc/modprobe.d/bonding.conf

We now need to add this to the kernel (not sure exactly what this means but taken from all the tutorials read this is what you have to do)

modprobe bonding

Okay the last this that I want to is present the disk so that the servers can use it. I tried iscii at the start but this really did not work in our environment, so I opted for NFS. So this is how I think I got this working, there was a mix of iscii and NFS going on so this maybe a little inaccurate, but it will get you most of the way there :).

yum -y install nfs-utils rpcbind

chkconfig nfs on
chkconfig rpcbind on
chkconfig nfslock on

The two line below referrer to the networks that servers will be allowed to access the NFS shares from. For security I would keep this as small as possible and due to the namture an amount of traffic should be on a separate network.

vi /etc/exports

exportfs -a

I have compiled this almost how to guide from the resources below

Installing Java JRE on an Amazon Linux AMI

I am building my Apex environment and one of the requirements is to have Java JRE installed. I hate installing Java on Linux. The first thing to do is remove the Java version that is installed on a Amazon Linux image. The Java version is Java-openJDK and this may work but lets stick with Sun Java.

To un-install openJDK

yum erase java*

Now download the latest JRE for your environment from Java SE Downloads

mkdir /opt/software

cd /opt/software

upload the rpm / bin file to here I downloaded the jre-6u25-linux-x64-rpm.bin. The rpm file is easier to intstall

chmod 755 jre-6u25-linux-x64-rpm.bin


To ensure that the java path is always available

Navigate to the home folder of the user, in my case this is root and edit the .bash_profile


vi ~/.bash_profile

Insert the following line


The path obviously has to match where Java is installed.


To make this available to all users create a file in  /etc/profile.d


I am going to standardise on my


vi /etc/profile.d/



Securing your Linux server from SSH attacks

If you build any server that is accessible from the internet then you are in for a world of pain. All the servers I have ever tended to build have sat behind a nice corporate firewall controlled by me, and to SSH to them you needed to be in our network. What a great strategy, if you can not get to me you can not hack me :). Or the script kiddies can not have a pop and use valuable bandwidth and server resources.

So as soon as you get to Amazon AWS you need to seriously start thinking about your server security. You have of course got the AWS security groups to help you, but we no have a need to allow SSH access to some of our servers by third party people.

Therefore you need to harden the servers even more, Amazon goes some way with protecting their servers with key access only, but sometimes you need to give good old username and password access.

You therefore will start seeing entries in your /var/log/secure file something along the lines of :

Jul 1 20:48:28 ip-10-228-234-162 sshd[6901]: pam_succeed_if(sshd:auth): error retrieving information about user andreea
Jul 1 20:48:30 ip-10-228-234-162 sshd[6901]: Failed password for invalid user andreea from port 42511 ssh2
Jul 1 19:48:30 ip-10-228-234-162 sshd[6904]: Received disconnect from 11: Bye Bye
Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: Invalid user davida from
Jul 1 19:48:32 ip-10-228-234-162 sshd[6914]: input_userauth_request: invalid user davida
Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: pam_unix(sshd:auth): check pass; user unknown
Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruse
r= rhost=

How annoying, that you have to expend time and effort with this these idiots.

Well luckily Linux has some built in defence mechanisms against such people in the hosts.deny file.

You could manually go through or get someone to go through you secure file but someone who is far more cleaver that me, has written a utility that does this for you.

What a tool, there is a brilliant README file in the install directory, but as usual  to make it easy or your and me, here are the highlights to get it working

yum install python

cd ~
mkdir software
cd software
tar -xvzf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python install

cd /usr/share/denyhosts

cp denyhosts.cfg-dist denyhosts.cfg
cp daemon-control-dist daemon-control

vi denyhosts.cfg
chown root:root daemon-control
chmod 700 daemon-control

vi denyhosts.cfg

Change the file to match your distribution, I am using a Red Hat based distro as you would expect being in Amazon. I left everything as standard except I turned on the sync to get the host IP addresses of these annoying idiots.

The instructions for starting the daemon automatically is so straight forward, the guy who wrote this sure did understand the software but also how to document it ūüôā

cd /etc/init.d

ln -s /usr/share/denyhosts/daemon-control denyhosts

If you have chkconfig installed you can then use it to
ensure that DenyHosts runs at boot time:

chkconfig –add denyhosts

service denyhosts start