Install and Configure Fail2ban on Fedora/CentOS/RedHat

Posted on by
Reply

The following is a very basic guide for setting up Fail2ban for SSH.

Install and basic config

Install Fail2ban

sudo dnf install fail2ban

You may need to install the epel repo

sudo yum install epel-release

Configure to run on system boot

sudo systemctl enable fail2ban

Start Fail2ban service

sudo systemctl start fail2ban

Copy config file with

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Modify the config file

nano /etc/fail2ban/jail.local

Uncomment the following line and add any IPs that need to be whitelisted

ignoreip = 127.0.0.1/8 ::1 192.168.1.20

Save the file and restart Fail2Ban

sudo systemctl restart fail2ban

Configuring Fail2Ban for SSH

Create a new jail file in /etc/fail2ban/jail.d/ called sshd.local

nano /etc/fail2ban/fail.d/sshd.local

Add the following. Note: if you are using a custom ssh port, change “port = ssh” to “port = portnumber”

[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
maxretry = 5
bantime = 300

Restart Fail2ban

sudo systemctl restart Fail2ban

You can list the firewall rules to verify that an IP gets banned.

iptables -S | grep ipaddress

Unbanning an IP Address

You can unban an IP address with the following command. 

sudo fail2ban-client set sshd unbanip 192.168.1.100

You can check out the following link for more information

https://www.redhat.com/sysadmin/protect-systems-fail2ban

Configure MikroTik Router as WireGuard VPN Appliance

Posted on by
Reply

You may need to upgrade your MikroTik if the WireGuard options are not available.

Quick overview of setting up a MikroTik Router as a VPN appliance.

  1. Configure WireGuard Interface on MikroTik Router
    1. Copy interface public key
    2. Add IP address on WireGuard interface
  2. Create WireGuard client config
    1. Use above interface public key
    2. Copy the client Public Key
  3. Create a WireGuard Peer on the MikroTik Router
    1. Use client Public Key
    2. Assign proper IP address

Configure WireGuard on Router

First we need to create a WireGuard interface to use.

/interface/wireguard add listen-port=51820 mtu=1420 name=wireguard1

We’ll need to copy the public key, shown in the following command, for use in the client config.

/interfaces/wireguard print

Next we’ll configure an IP address/range for the new WireGuard interface. 

/ip/address add address=192.168.1.1/24 network=192.168.1.0 interface=wireguard1

Configure WireGuard Client

Download and install the WireGuard application on your computer or phone.

Create an empty config (Ctrl +N), click edit, add the following. 

Address = 192.168.1.2/24
DNS = 9.9.9.9

[Peer]
PublicKey = ReplaceWithInterfacePublicKeyFromMikrotik
AllowedIPs = 0.0.0.0/0
Endpoint = endpointip:51820

Here is a screenshot as an example. We need to copy the public key. We’ll use that when we create the peer.

Configure WireGuard Client

Create WireGuard Peer

Now lets create a peer. Back on the MikroTik, run the following command. Change the allowed address and public key.

/interface/wireguard/peers add allowed-address=192.128.1.2/32 interface=wireguard1 public-key="PublicKeyFromClientCreatedInNextStep"

Note that the 192.168.1.2/32 is important. If you have multiple clients connected and one of them is setup with a /24 instead of a /32, it will cause issues. I think this is because WireGuard tries to route the whole /24 over that peer.

Also note that you can not use DHCP with WireGuard. Each client will have a static IP address assigned in the config. In this example, 192.168.1.2.

You should now be all set up and able to connect from your device.

Troubleshooting

Some issues you may run into.

Unable to have two devices connected at the same time.

First, you’ll need to have one Peer per Client connection. Either that, or do not connect at the same time.

Second, check and verify that each peer has the ClientIP/32 in the Allowed Address.

For example, if the WireGuard interface is using 192.168.1.0/24, and one of the peers has 192.168.1.4/24 in the Allowed Address option, then only one client will work. It appears that the MikroTik will attempt to route all 192.168.1.0/24 request to 192.168.1.4.

Install NVIDIA 510 driver (LHR Bypass) on CentOS/Fedora for Mining

Posted on by
Reply

Download NVIDIA 510 Driver

Download driver from here (Official Link) or with wget.

wget https://us.download.nvidia.com/XFree86/Linux-x86_64/510.68.02/NVIDIA-Linux-x86_64-510.68.02.run

If the above link doesn’t work, you can download a copy from this site with the following.

wget https://www.incredigeek.com/home/downloads/NVIDIA/NVIDIA-Linux-x86_64-510.68.02.run.tgz

Extract with

tar zxf ./NVIDIA-Linux-x86_64-510.68.02.run.tgz

Verify Driver (Optional)

Not a bad idea to check if you downloaded from an untrusted source.

sha256sum NVIDIA-Linux-x86_64-510.68.02.run

The Hash should equal

bd2c344ac92b2fc12b06043590a4fe8d4eb0ccb74d0c49352f004cf2d299f4c5

Install NVIDIA Driver

We can now install the NVIDIA driver with the following command.

sudo ./NVIDIA-Linux-x86_64-510.68.02.run

It will have a couple of prompts that are easy to walk through.

While installing the driver, it can try to blacklist Nouveau, if it runs into issues, try running the following, reboot, and run the install again.

sudo gruby --update-kernel=ALL --args="nouveau.modeset=0"

After driver is installed, reboot your machine.

Now download a copy of your favorite mining software and enjoy the extra Mhs…

Troubleshooting SSH “No Matching Key Exchange/Host Key Method/Type Found” errors

Posted on by
Reply

It can be common for older devices to throw errors like the following when trying to ssh into them.

Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

or 

Unable to negotiate with 192.168.1.1 port 22: no matching host key type found. Their offer: ssh-rsa

There can also be a No Matching Cipher Found error. We have talked about that in the past.

The issue is that your version of SSH does not support those older, and most likely insecure, Key Exchange and Host Key algorithms types. The errors do give us enough info to add the right options to connect to the device.

No Matching Key Exchange Method Found

For the “no matching key exchange method found.” we need to manually add the KexAlgorithms option. KexAlgorithms means Key Exchange Algorithm.

ssh -o KexAlgorithms=+diffie-hellman-group14-sha1 username@192.168.1.1

Change out “diffie-hellman-group14-sha1” for a supported Key Exchange algorithm.

No Matching Host Key Type Found

This issue is with the Host Key algorithm type. We’ll use the -o option with the HostKeyAlgorithms option.

ssh -o HostKeyAlgorithms=+ssh-rsa admin@192.168.1.1

Change our ssh-rsa with a supported “Their offer:” Host Key.

Putting it all together

You can combine the options if needed.

ssh -o KexAlgorithms=+diffie-hellman-group14-sha1 -o HostKeyAlgorithms=+ssh-rsa admin@192.168.1.1

We have covered some of these topics before. Be sure to check them out.

no matching cipher found. Their offer: aes128-cbc,3des-cbc…

no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

no matching host key type found. Their offer: ssh-dss

List of UniFi SSH Commands

Posted on by
Reply

I found the following post that has a very comprehensive list of UniFi commands.

All Unifi SSH Commands that You Want to Know
All Unifi SSH Commands that You Want to Know

Some of the most common ones that are used

Reset a device

set-default

or 

syswrapper.sh restore-default

Reboot a device

reboot

Connect device to a controller

After you run this command, adopt it in the controller and then run the command again.

set-inform http://ip-of-controller:8080/inform

Also note that the above command does not seem to work over https.

3D Printer not Reading Micro SD Card

Posted on by
Reply

It looks like some 3D printers can not read GPT microSD cards. Or SD cards formatted as exFat. You can fix the problem by converting the SD card to MBR and create a FAT32 partition on it.

Comment
byu/Extra-Load from discussion
in3Dprinting
PSA: SD cards with a GPT partition table, instead of MBR, will not be recognized by the 3DS/2DS
byu/willrandship in3dshacks

These steps are for windows, but the idea is the same on Linux and macOS

  1. Delete the partition on the card
  2. Change to MBR
  3. Create new Fat32 Partition
  4. Use in 3D printer

Insert the Micro SD card into your computer

Next open an Administrator Command Prompt. Search for cmd, right click, and run as Administrator.

Launch the WIndows Disk Part utility with

diskpart

List the disk.

list disk

Select the Micro SD card with the following command. Replace 1 with the proper disk from the above command.

select disk 1

Now lets clean the disk. Warning! This will delete all data on the SD Card

clean

We now have a clean SD card.

Convert the SD card to MBR

convert mbr

Create a new partition to use

create partition primary size=1024

You should be able to finish this using the Disk Management utility in Windows.

Format new partition and assign drive letter.

format fs=FAT32 label="3D" quick
assign letter=E

You should be able to put your gcode files on the sdcard now.

Hardening SNMP on Debian

Posted on by
Reply

Hardening SNMP on Debian by disabling SNMP v1 and v2c, and configuring SNMP v3.

Modify /etc/snmp/snmpd.conf

First we’ll want to open up the /etc/snmp/snmpd.conf file and comment out all lines that begin with

  • rocommunity
  • view
  • rouser authPriv <– “This may be the last line by default, we don’t need it”

Alternatively, you can copy and paste the following sed commands instead of manually editing the file.

sudo sed -i 's/^rocommunity/# rocommunityc/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^view/# view/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^rouser authPriv/# rouser authPriv/g' /etc/snmp/snmpd.conf

Create SNMP v3 User

We can create a SNMP v3 user with the following command. There it will ask you for the username and passwords.

sudo net-snmp-create-v3-user -ro -a SHA-512 -x AES

You may receive an error about not being able to touch /snmp/snmpd.conf. I am not sure why Debian is attempting to create that file. Take the “rouser snmpuser” line and add it to the end of the /etc/snmp/snmpd.conf config.

Debian SNMP Error

Now we can start SNMPD

sudo systemctl start snmpd

Troubleshooting

My created user is not working! This could result from two different issues.

  1. It appears that Debian/SNMP doesn’t like pass phrases with special characters. You can try using a different password or escaping the special characters in “/var/lib/snmp/snmpd.conf” file before starting SNMPD.
  2. The user didn’t get added to /etc/snmp/snmpd.conf To fix, add “rouser snmpuser” (Change snmpuser to your snmp username) to the bottom of the config file.

Access Denied “You don’t have permission to access …”

Posted on by
Reply

Sometimes you can get the following error while trying to access some sites.

Access Denied while trying to access website

It looks like these errors are from Akamai or other CDN’s

Why is Akamai blocking me?

https://myakamai.force.com/customers/s/article/Why-is-Akamai-blocking-me

Why is Akamai blocking me? Part 2 & 3

https://community.akamai.com/customers/s/article/Why-is-Akamai-Blocking-Me-Part-2-Penetration-Testers-Bug-Bounty-Hunters-and-Security-Researchers

https://community.akamai.com/customers/s/article/Why-is-Akamai-Blocking-Me-Part-3-Partners-Performing-Web-Scraping-Activity

Client Reputation Lookup

https://www.akamai.com/us/en/clientrep-lookup/

Akamai says they don’t block you, but the site can use tools and policies which could block you. To resolve the issue you should contact the web site owner and see if you can get unblocked and potentially get more details.

You can try doing a whois on the website domain to find the contact email.

Hardening SNMP on CentOS/RedHat/Fedora Etc.

Posted on by
Reply

These steps should be similar across Red Hat type distros.

Before we proceed, lets stop SNMP

sudo systemctl stop snmpd

Disable SNMP Versions 1 and 2c

First we are going to disable SNMP v1 and v2c

You can manually edit the /etc/snmp/snmpd.conf file and comment out or delete every line starting with com2sec, group, access. Or you can run the following sed commands to change it for you.

sudo sed -i 's/^com2sec/# com2sec/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^group/# group/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^access/# access/g' /etc/snmp/snmpd.conf

https://serverfault.com/questions/376688/how-to-disable-version-1-and-version-2c-in-snmpd

Create SNMP Version 3 User

Follow the prompts to create a SNMP v3 user.

sudo net-snmp-create-v3-user -ro -a SHA -x AES

Start SNMP

sudo systemctl start snmpd

You should be good to go.

If you are running a firewall, you will need to allow an exception for SNMP, UDP port 161. You may also need to allow an SELinux exception. Check out the last portion of both these articles.

Setting up SNMP V3 on CentOS
Allowing SNMP Through Firewall
semanage Allow and Delete ports in CentOS

Fresh Install of Ubuntu Server Doesn’t use all Disk Space

Posted on by
Reply

For some reason Ubuntu server didn’t use all the available disk space while installing. Thankfully this is an easy fix.

sudo lvextend –resizefs -l +100%FREE ubuntu-vg/ubuntu-lv

If the Volume Group or LVM Volume is different, you will need to change the name in the above command. You can use the “sudo pvdisplay” and “sudo lvdisplay” to show you details about your volumes.

https://unix.stackexchange.com/questions/664486/lvm-root-partition-only-uses-half-the-volume-size