Channel: Free Linux Tutorials

Quick tip: how to connect linux php applications to MSSQL via freetds


Here is one way to do it:
Step 1. Install FreeTDS

FreeTDS website: http://www.freetds.org/ (choose the FreeTDS source distribution)

Configure parameters: --prefix=/usr/local/freetds --enable-msdblib

Then add /usr/local/freetds/lib to /etc/ld.so.conf and run ldconfig so the dynamic loader can find the FreeTDS libraries.

Step 2. Edit /usr/local/freetds/etc/freetds.conf and add a server entry:

[sql2k]
host = your.mssql.server.ip
port = 1433
client charset = cp950
tds version = 8.0

Note on tds version: 4.2 for MS SQL Server 6.x; 7.0 for 7.x; 8.0 for 2000.

Step 3. Test that FreeTDS can connect to MS SQL Server

#cd /usr/local/freetds/bin
#./tsql -S sql2k -U sa
1> use mydatabase
2> select * from mytable
3> go

If the connection succeeds, the rows of mytable are printed.

To quit tsql:

1> quit

Step 4. Recompile PHP from source

PHP website: http://www.php.net/

Before you recompile, run a script containing echo phpinfo(); with the current PHP to see the existing configure parameters, and then add --with-mssql=/usr/local/freetds to them.

Example:

./configure '--prefix=/usr/local/php_4.3.10' '--localstatedir=/var' '--disable-debug' '--enable-pic' \
  '--disable-rpath' '--enable-inline-optimization' '--with-bz2' '--with-db4=/usr' '--with-curl' \
  '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr' '--with-png-dir=/usr' '--with-gd' \
  '--enable-gd-native-ttf' '--without-gdbm' '--with-gettext' '--with-ncurses' '--with-gmp' \
  '--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-png' '--with-pspell' \
  '--with-regex=system' '--with-xml' '--with-expat-dir=/usr' '--with-dom' '--with-dom-xslt=/usr' \
  '--with-dom-exslt=/usr' '--with-xmlrpc=shared' '--with-pcre-regex=/usr' '--with-zlib' \
  '--with-layout=GNU' '--enable-bcmath' '--enable-exif' '--enable-ftp' '--enable-magic-quotes' \
  '--enable-safe-mode' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' \
  '--enable-track-vars' '--enable-trans-sid' '--enable-yp' '--enable-wddx' \
  '--with-pear=/usr/share/pear' '--with-imap=shared' '--with-imap-ssl' '--with-kerberos' \
  '--with-ldap=shared' '--with-mysql' '--with-pgsql=shared' '--with-snmp' '--with-snmp=shared' \
  '--enable-ucd-snmp-hack' '--with-unixODBC' '--enable-memory-limit' '--enable-bcmath' \
  '--enable-shmop' '--enable-calendar' '--enable-dbx' '--enable-dio' '--enable-mcal' \
  '--enable-mbstring' '--enable-mbstr-enc-trans' '--enable-mbregex' \
  '--with-apxs2=/usr/sbin/apxs' '--with-mssql=/usr/local/freetds'

After compiling and installing, copy the sample ini file into place: cp php.ini-dist <prefix>/lib/php.ini (where <prefix> is the --prefix you configured).

Step 5. Start the Apache HTTP server for testing

Sample code:

<?php
// Connect using the [sql2k] server entry from freetds.conf
mssql_connect('sql2k', 'sa', '');
mssql_select_db('mydatabase');
$rs = mssql_query('select * from mytable');
if (!$rs) {
    die('query failed: ' . mssql_get_last_message());
}
// Fetch the first row and print its first column
list($column01) = mssql_fetch_row($rs);
echo $column01;
?>

If the connection works, the first column of the first row of mytable is printed.


The post Quick tip: how to connect linux php applications to MSSQL via freetds appeared first on Free Linux Tutorials.


Install and Configure SNMP client on Linux


The following procedure installs and configures the snmp daemon on a Red Hat-based distribution such as CentOS or Fedora. Here are the steps:

1. Verify whether the snmp package is installed; there are a few ways:

[root@localhost ~]# rpm -qa | grep snmp

[root@localhost ~]# snmpwalk
-bash: snmpwalk: command not found

[root@localhost ~]# ls /etc/snmp*
ls: /etc/snmp*: No such file or directory

This means the net-snmp package is not installed yet.

2. Install the net-snmp and net-snmp-utils packages via yum or up2date

CentOS/Fedora:
[root@localhost ~]# yum install net-snmp net-snmp-utils
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* base: mirror.usonyx.net
* extras: mirror.usonyx.net
* updates: mirror.usonyx.net
Setting up Install Process
Resolving Dependencies
–> Running transaction check
—> Package net-snmp.i386 1:5.3.2.2-17.el5_8.1 set to be updated
–> Processing Dependency: libsensors.so.3 for package: net-snmp
—> Package net-snmp-utils.i386 1:5.3.2.2-17.el5_8.1 set to be updated
–> Running transaction check
—> Package lm_sensors.i386 0:2.10.7-9.el5 set to be updated
–> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package              Arch       Version                    Repository     Size
================================================================================
Installing:
net-snmp             i386       1:5.3.2.2-17.el5_8.1       updates       703 k
net-snmp-utils       i386       1:5.3.2.2-17.el5_8.1       updates       191 k
Installing for dependencies:
lm_sensors           i386       2.10.7-9.el5               base          511 k

Transaction Summary
================================================================================
Install       3 Package(s)
Upgrade       0 Package(s)

Total download size: 1.4 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): net-snmp-utils-5.3.2.2-17.el5_8.1.i386.rpm        | 191 kB     00:00
(2/3): lm_sensors-2.10.7-9.el5.i386.rpm                  | 511 kB     00:01
(3/3): net-snmp-5.3.2.2-17.el5_8.1.i386.rpm              | 703 kB     00:01
——————————————————————————–
Total                                           408 kB/s | 1.4 MB     00:03
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing     : lm_sensors                                               1/3
Installing     : net-snmp                                                 2/3
Installing     : net-snmp-utils                                           3/3

Installed:
net-snmp.i386 1:5.3.2.2-17.el5_8.1  net-snmp-utils.i386 1:5.3.2.2-17.el5_8.1

Dependency Installed:
lm_sensors.i386 0:2.10.7-9.el5

Complete!

RHEL:
up2date -v -i net-snmp-utils net-snmp

3. Configure /etc/snmp/snmpd.conf. The basic configuration is to specify the community string; use any text editor such as vi, or append it with the echo command:

[root@localhost ~]# echo rocommunity freelinuxtutorials >> /etc/snmp/snmpd.conf

4. Restart snmp service

[root@localhost ~]# service snmpd restart
Stopping snmpd: [FAILED]
Starting snmpd: [  OK  ]

5. Check that snmpd is working using an snmp utility such as snmpwalk. You should get output something like this:

[root@localhost ~]# snmpwalk -v2c -c freelinuxtutorials localhost
SNMPv2-MIB::sysDescr.0 = STRING: Linux localhost.localdomain 2.6.18-308.13.1.el5 #1 SMP Tue Aug 21 17:10:06 EDT 2012 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (356) 0:00:03.56

Quick tip:

To make sure snmpd starts on boot, use the chkconfig command.
Sample:
[root@localhost init.d]# ls -l /etc/rc3.d/ | grep snmpd
lrwxrwxrwx 1 root root 15 Aug 29 15:56 K50snmpd -> ../init.d/snmpd

[root@localhost init.d]# chkconfig snmpd on
[root@localhost init.d]# ls -l /etc/rc3.d/ | grep snmpd
lrwxrwxrwx 1 root root 15 Aug 29 15:57 S50snmpd -> ../init.d/sn

Notice snmpd changed from K50 to S50, meaning snmpd will start on boot. Enjoy!
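The community line above is all snmpd needs, but it is worth checking what it exposes: net-snmp's rocommunity and rwcommunity directives take an optional SOURCE argument (an address or network), and without it the community is accepted from any address that can reach UDP/161. The following script is an added example for this tutorial, not code from the original post; the snmpd.conf it audits is a constructed sample written to a temporary file.

```shell
#!/bin/sh
# Added example: audit community directives in a net-snmp snmpd.conf.
# The sample configuration below is constructed for this demonstration.
SAMPLE_SNMPD_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_SNMPD_CONF"' EXIT
cat > "$SAMPLE_SNMPD_CONF" <<'EOF'
# constructed sample snmpd.conf
rocommunity freelinuxtutorials
rocommunity public 10.0.2.0/24
rwcommunity secretrw 192.168.1.10
rocommunity6 ro6only ::1
EOF

# audit_snmp_communities FILE
# Directive syntax: rocommunity|rwcommunity[6] COMMUNITY [SOURCE [OID]].
# Reports a community with no SOURCE (accepted from any address), one that
# uses a well-known string, and any read-write community.
# Prints one finding per line; returns 0 when there is nothing to report.
audit_snmp_communities() {
    findings=$(awk '
        $1 ~ /^r[ow]community6?$/ {
            directive = $1; comm = $2
            src = ($3 == "") ? "any address" : $3
            if ($3 == "")
                print "OPEN: " directive " \"" comm "\" has no source restriction"
            if (comm == "public" || comm == "private")
                print "WEAK: " directive " uses the well-known community \"" comm "\""
            if (directive ~ /^rw/)
                print "RW:   " directive " \"" comm "\" allows SNMP SET from " src
        }' "$1")
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# count_snmp_findings FILE: number of findings, for scripting.
count_snmp_findings() {
    audit_snmp_communities "$1" | awk 'END { print NR }'
}

if audit_snmp_communities "$SAMPLE_SNMPD_CONF"; then
    echo "no community findings"
fi
```

Run it against the real file with audit_snmp_communities /etc/snmp/snmpd.conf; the line written by the echo command in step 3 is reported as OPEN until a source such as a management subnet is appended to it.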


Quick tip: Set date and time in Linux


There are a few ways to set the date and time on the Linux command line. You must be logged in as root; then use one of the following methods:

To remember the syntax, issue the "date" command first:

[root@freelinux ~]# date 
Mon Aug 20 18:30:29 SGT 2012

Say you want to change it to Sept 6, 2012, 3pm; just follow the pattern above:

[root@freelinux ~]# date 090615002012
Thu Sep  6 15:00:00 SGT 2012

where:
09 = month (September)
06 = day
15 = hour
00 = min
2012 = year

Now it’s set, as simple as that:
[root@freelinux ~]# date
Thu Sep  6 15:00:01 SGT 2012

Another example: you want to change it to the 20th of December 2012, 10:45pm:

[root@freelinux ~]# date 122022452012
Thu Dec 20 22:45:00 SGT 2012

Voilà!

[root@freelinux ~]# date
Thu Dec 20 22:45:03 SGT 2012

If you prefer a more readable form, the date command also accepts the --set or -s option with a date string. Using our example date above:

[root@freelinux ~]# date -s "6 Sept 2012 15:00:00"
Thu Sep  6 15:00:00 SGT 2012

Extra tip: To set the hardware clock to the current system time, use:

[root@freelinux ~]# hwclock --systohc

And the other way around, to set the system time from the hardware clock:

[root@freelinux ~]# hwclock --hctosys


Quick tip: Change Timezone in Linux in different ways


There are times during a Linux installation when you do not bother to set the correct timezone, for whatever reason: sometimes you are just too lazy to set it, you are in a rush to finish what your boss wants completed that day, or you just don't give a damn :) Seriously, the timezone does matter, especially if you have scheduled scripts that you intend to run.

Here are some ways to change your timezone depending on your Linux distribution:

for RHEL/CENTOS:

Assuming your current timezone is UTC and you would like to change it to the Singapore timezone:

[root@freelinux etc]# date
Thu Sep 6 23:15:06 UTC 2012 
[root@freelinux etc]# rm /etc/localtime

Note: All timezones can be found under the directory /usr/share/zoneinfo

Link the Singapore zone file (under Asia) to /etc/localtime:

#cd /etc
#ln -s /usr/share/zoneinfo/Asia/Singapore localtime
#date
Fri Sep 7 07:17:20 SGT 2012 

This /etc/localtime symbolic link is overwritten when you run tzdata-update, which rebuilds it from the ZONE setting in /etc/sysconfig/clock.

Example:
The system is on Singapore time; you run tzdata-update, and it reads /etc/sysconfig/clock:

[root@freelinux etc]# cat /etc/sysconfig/clock
ZONE="Asia/Seoul"
UTC=true
ARC=false
[root@freelinux etc]# date
Fri Sep 7 07:26:12 SGT 2012
[root@freelinux etc]# tzdata-update
[root@freelinux etc]# date
Fri Sep 7 08:26:20 KST 2012

For Ubuntu/Debian, the above method also works, but there are also commands to make your life easier; see items 1 and 2.

1. A simple way to change your timezone is the "tzconfig" command, which prompts you with a list of regions and cities. It simply updates the /etc/localtime link to point to the correct timezone file in /usr/share/zoneinfo.

[root@freelinux etc]# tzconfig

2. Another way is the command "dpkg-reconfigure tzdata", which gives a menu-based configuration screen.

[root@freelinux etc]# dpkg-reconfigure tzdata

3. Another method, which works on other distributions as well, is the TZ environment variable (this affects only the current shell session and its child processes, not the system-wide setting):

[root@freelinux ~]# date
Fri Sep 7 07:46:09 SGT 2012
[root@freelinux ~]# export TZ=Asia/Manila
[root@freelinux ~]# date
Fri Sep 7 07:46:30 PHT 2012 

4. Another way is the "tzselect" command, which walks you through the choice and prints the TZ value to use:

[root@freelinux ~]# tzselect 


Quick Tip: Use tcpdump in Linux to capture network packets and view in wireshark


Important notes to remember:
a. capture the full packet, using the -s 0 option
b. save the capture to a file, preferably with a .pcap extension so Wireshark associates with it directly

1. Identify which interface you want to listen on

[root@freelinux tmp]# ifconfig 

eth0 Link encap:Ethernet HWaddr 08:00:27:72:24:E6
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe72:24e6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:942 errors:0 dropped:0 overruns:0 frame:0
TX packets:612 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:78095 (76.2 KiB) TX bytes:198882 (194.2 KiB)
Interrupt:10 Base address:0xd020

2. Run the "tcpdump" command with the following options. For instance, to capture DNS packets, run:

tcpdump -ni eth0 -Xvvv -w freelinux.pcap -s 0 port 53 

[root@freelinux tmp]# tcpdump -ni eth0 -Xvvv -w freelinux.pcap -s 0 port 53
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
2657 packets captured
2938 packets received by filter
0 packets dropped by kernel

Verify:

# ls -l /tmp
-rw-r--r-- 1 root wheel 1386926 Sep 24 14:39 freelinux.pcap

where:

-s 0 -> snapshot length 0, i.e. capture each packet in full (65535 bytes here) instead of truncating it
-ni eth0 -> -i selects the interface to listen on; -n disables converting host addresses to names
-w -> write the raw packets to the given file
port 53 -> capture filter on the port number, e.g. 53 for DNS
-X -> print each packet (minus its link-level header) in hex and ASCII
-vvv -> even more verbose output (like -X, this affects only what is printed, not the file written by -w)

Other samples:
[root@freelinux tmp]# tcpdump -ni eth0 -Xvvv -w freelinux.pcap -s 0 portrange 67-68
[root@freelinux tmp]# tcpdump -ni eth1 -s0 -w hostlinux.pcap host 8.8.8.8 &

Note: press Ctrl+C to stop the capture, or, if it runs in the background, kill the process when you are done, since it keeps consuming disk space and CPU.

3. Now open the Wireshark program and load the .pcap file. It is GUI-based, so viewing the capture is easier and more flexible.

Enjoy!


Configure Centralized Syslog server in Linux & setup syslog clients on different platforms


Linux comes with a built-in syslog package that you can use as a centralized syslog server. Basically, it lets you send the logs from all your network devices and appliances to one remote, central location. There are also other popular syslog packages for Linux such as syslog-ng, rsyslog and the Splunk syslog server, all of which offer more features and flexibility.

In this tutorial we use the syslogd/sysklogd server, a multi-platform and proven stable piece of software.

[Syslog Server]

1. Verify that the sysklogd package is installed.

[root@freelinux ~]# rpm -qa | grep sysklogd
sysklogd-1.4.1-46.el5

2. Start the syslog daemon

[root@freelinux ~]# service syslog start
Starting system logger: [  OK  ]
Starting kernel logger: [  OK  ]

3. Verify that the process is running

[root@freelinux ~]# ps -ef | grep syslog
root      2174     1  0 17:53 ?        00:00:00 syslogd -m 0
root      2180  2110  0 17:54 pts/1    00:00:00 grep syslog
[root@freelinux ~]# ls -la /var/run | grep syslog
-rw-------  1 root  root     5 Oct  9 17:53 syslogd.pid

4. Configure syslog

configuration files:
/etc/sysconfig/syslog
/etc/syslog.conf

Add the "-r" option to enable logging from remote machines:

[root@freelinux ~]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".

5. Restart the syslog service

[root@freelinux ~]# service syslog restart
Shutting down kernel logger: [  OK  ]
Shutting down system logger: [  OK  ]
Starting system logger: [  OK  ]
Starting kernel logger: [  OK  ]

[Client devices]

configuration file: /etc/syslog.conf

a. Linux servers

[root@freelinux ~]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

*.* @172.16.0.100

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

b. Cisco/Motorola devices

Cisco#configure terminal
Cisco#logging facility local6
Cisco#logging 172.16.0.49

c. Juniper OS
darwin@Juniper> configure
Entering configuration mode

{master}[edit]
darwin@Juniper#
darwin@Juniper#  set system syslog host a.a.a.a facility-override local6 any any
darwin@Juniper#commit synch

darwin@Juniper#show configuration

host 172.16.0.100 {
any any;
facility-override local6;
}

d. Unix

# @(#)B.11.11_LR
#
# syslogd configuration file.
#
# See syslogd(1M) for information about the format of this file.
#
mail.debug              /var/adm/syslog/mail.log
*.info;mail.none;local1.none;local2.none;local5.none;local6.none;local7.none    /var/adm/syslog/syslog.log
*.alert                 /dev/console
#*.alert                        root
*.emerg                 *
local4.info             /var/adm/syslog/fw.log
local6.info             /var/adm/syslog/cisco.log

e. Windows

There is no way to configure Windows directly to send its event log messages to a syslog server. You have to use a syslog client such as Snare or winlogd, which this tutorial does not cover. Alternatively, send your event logs as SNMP traps by configuring the SNMP service and using the event-to-trap translator, the "evntwin" command.

Additional Tips:

1. To make syslogd re-read its configuration file, send it a HUP (hangup) signal:
[root@freelinux ~]# kill -HUP `cat /var/run/syslogd.pid`

2. Familiarize yourself with the syslog facilities and severity levels. A good reference is the Wikipedia article http://en.wikipedia.org/wiki/Syslog. A sample syslog.conf in the Config-Scripts section shows how useful this is for system administrators.

3. To verify that messages are being logged, or to test your /etc/syslog.conf, use the "logger" command.

e.g. with this rule in /etc/syslog.conf:
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

[root@freelinux ~]# logger -p user.info "Test Message"
[root@freelinux ~]# tail /var/log/messages
Oct 11 21:25:39 localhost root: Test Message
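The logger test above checks one rule by hand. As an added example, not part of the original tutorial, the script below reads back the two pieces of configuration this setup depends on: which selectors a client forwards off the box (rules whose action starts with @), and whether the collector's /etc/sysconfig/syslog actually carries -r and a restrictive SYSLOG_UMASK. Both files it reads are constructed samples written to temporary files.

```shell
#!/bin/sh
# Added example: read back the client and collector syslog settings from this
# tutorial. Both sample files below are constructed for the demonstration.
CLIENT_SYSLOG_CONF=$(mktemp)
SERVER_SYSCONFIG=$(mktemp)
trap 'rm -f "$CLIENT_SYSLOG_CONF" "$SERVER_SYSCONFIG"' EXIT
cat > "$CLIENT_SYSLOG_CONF" <<'EOF'
# constructed client /etc/syslog.conf
*.* @172.16.0.100
authpriv.*                                    @172.16.0.100
*.info;mail.none;authpriv.none;cron.none      /var/log/messages
authpriv.*                                    /var/log/secure
EOF
cat > "$SERVER_SYSCONFIG" <<'EOF'
# constructed collector /etc/sysconfig/syslog
SYSLOGD_OPTIONS="-r -m 0"
KLOGD_OPTIONS="-x"
SYSLOG_UMASK=077
EOF

# syslog_remote_targets CONF: print "HOST SELECTOR" for each rule whose
# action is a remote host (an action starting with @), i.e. every selector
# whose messages leave this machine over UDP/514 in clear text.
syslog_remote_targets() {
    awk '/^[ \t]*#/ || NF < 2 { next }
         $2 ~ /^@/ { print substr($2, 2), $1 }' "$1"
}

# syslogd_accepts_remote SYSCONFIG: true when SYSLOGD_OPTIONS contains -r,
# without which sysklogd ignores messages from other hosts.
syslogd_accepts_remote() {
    opts=$(sed -n 's/^SYSLOGD_OPTIONS=//p' "$1" | tr -d '"')
    case " $opts " in
        *" -r "*) return 0 ;;
    esac
    return 1
}

# syslog_umask_ok SYSCONFIG: true when SYSLOG_UMASK removes all group and
# other permissions from newly created log files.
syslog_umask_ok() {
    grep -q '^SYSLOG_UMASK=0*77$' "$1"
}

echo "client forwards:"
syslog_remote_targets "$CLIENT_SYSLOG_CONF"
syslogd_accepts_remote "$SERVER_SYSCONFIG" && echo "collector: -r is set"
syslog_umask_ok "$SERVER_SYSCONFIG" && echo "collector: SYSLOG_UMASK is 077"
```

On a real client, syslog_remote_targets /etc/syslog.conf lists exactly what leaves the host; a "*.*" entry pointed at the collector means the authpriv messages that /var/log/secure restricts locally are also sent across the network.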


Securing your OpenSSH server in Linux


Secure Shell (SSH) is a program used to secure communication between two entities, often used as a replacement for Telnet and the Berkeley protocols such as remote shell (RSH) and remote login (Rlogin). SSH is also used as a secure remote copy utility, replacing traditional protocols such as the File Transfer Protocol (FTP) and Remote Copy Protocol (RCP).

For this tutorial, we demonstrate steps to secure OpenSSH, the free implementation of the SSH protocol suite.

Note: Steps 1-9 are done by editing sshd_config; restart the ssh service afterwards for the changes to take effect.

1. Use SSH Protocol 2
Use SSH version 2 (SSH2) only as it offers more performance, flexibility and security than SSH1.
-To verify what SSH protocol version you are running, check your /etc/ssh/sshd_config and look for the line “Protocol”,

[root@freelinux ~]# vi /etc/ssh/sshd_config

Protocol 2

[root@freelinux ~]# /etc/init.d/sshd restart
Stopping sshd: [  OK  ]
Starting sshd: [  OK  ]

2. Disable direct root SSH logins
Disable logging in directly as root via ssh; leaving it enabled invites attackers to brute-force the root password.
It is recommended to log in as a normal user and then use su or sudo to execute privileged commands.

PermitRootLogin no

3. Enable an SSH warning banner
You can display a warning banner before login to require acknowledgment of its contents. This is configured in sshd_config.

a. Create a banner file in any location, e.g. /etc/freelinux

[root@freelinux~]# vi /etc/freelinux
###############################################################
AUTHORIZED USERS ONLY
All login attempts will be logged!!!
###############################################################

b. Edit /etc/ssh/sshd_config. Locate the line containing “Banner”, uncomment and specify the file location
vi /etc/ssh/sshd_config

# no default banner path

Banner /etc/freelinux

c. Restart ssh service

[root@freelinux~]# service sshd restart
Stopping sshd: [  OK  ]
Starting sshd: [  OK  ]

d. Test:
@ssh client
login as: darwin
###############################################################
AUTHORIZED USERS ONLY
All login attempts will be logged!!!
###############################################################
darwin@10.0.2.100's password:
Last login: Fri Oct 19 18:19:12 2012 from 10.0.2.2

4. Disable empty passwords
To disable empty passwords, edit /etc/ssh/sshd_config and make sure the line below is present and uncommented:

PermitEmptyPasswords no

5. Disable host-based authentication
Host-based authentication lets hosts trust one another's identity unconditionally; that is not recommended.

HostbasedAuthentication no

6. Configure Idle Timeout
Let say you want the system to log out users after 15 mins of idling. Then you can set this:

[root@freelinux~]# vi /etc/ssh/sshd_config

ClientAliveInterval 300
ClientAliveCountMax 3

where:

ClientAliveInterval – interval in seconds after which the server sends a keepalive request when it has heard nothing from the client.
ClientAliveCountMax – number of keepalive messages the server sends without a response before it disconnects the client.
Together these give a timeout of 15 minutes (300 secs x 3).

Also,  you can do this 15 minute timeout:
ClientAliveInterval 900
ClientAliveCountMax 0

Additional tip: this is slightly different from the "TMOUT" shell variable, which terminates the shell after N seconds of no activity:
# export TMOUT=N

[root@freelinux~]# export TMOUT=60

7. Limit SSH LoginGraceTime
By default, sshd allows a connected client 2 minutes (120 secs) of grace time to complete authentication. It is recommended to shorten this to reduce exposure to brute-force attacks.

LoginGraceTime 30

8. Change the ssh port number
The advantage is that it somewhat protects your box against automated attacks or malicious scripts that try to get in via the default ssh port 22.

Port 35286

9. Limit or permit only specific users or groups to log in
By default all users are allowed to access your box, but you have the option to allow or deny specific users or groups, in either of these ways.

#[AllowUsers]

AllowUsers darwin tux

OR

#[DenyUsers]

DenyUsers user1 user2
DenyGroups group1 group2 group3
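Steps 1-9 each touch one directive, and it is easy to leave one at its default after an edit. The following script is an added example, not part of the original tutorial: it reads an sshd_config the way sshd does (the first uncommented occurrence of a keyword wins, and keywords are case-insensitive) and reports each of the settings above. The file it audits is a constructed sample with two values deliberately left weak; numeric values are assumed to be given in plain seconds.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings from steps 1-9.
# The sample file is constructed for this demonstration and deliberately
# leaves HostbasedAuthentication and LoginGraceTime at weak values.
SAMPLE_SSHD_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_SSHD_CONF"' EXIT
cat > "$SAMPLE_SSHD_CONF" <<'EOF'
# constructed sample sshd_config
Protocol 2
Port 35286
#PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
HostbasedAuthentication yes
ClientAliveInterval 300
ClientAliveCountMax 3
LoginGraceTime 120
Banner /etc/freelinux
EOF

# sshd_get FILE KEYWORD: effective value of KEYWORD. sshd uses the first
# uncommented occurrence and matches keywords case-insensitively.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# sshd_check_eq FILE KEYWORD WANT: one "ok"/"FAIL" line for an exact match.
sshd_check_eq() {
    v=$(sshd_get "$1" "$2")
    if [ "$v" = "$3" ]; then echo "ok   $2 = $v"
    else echo "FAIL $2 = ${v:-<unset>} (want $3)"; fi
}

# sshd_audit FILE: print one line per check (steps 1-9 of the tutorial).
# Time values are assumed to be plain seconds, as written in the tutorial.
sshd_audit() {
    f=$1
    sshd_check_eq "$f" Protocol 2
    sshd_check_eq "$f" PermitRootLogin no
    sshd_check_eq "$f" PermitEmptyPasswords no
    sshd_check_eq "$f" HostbasedAuthentication no
    # Step 6: idle timeout = ClientAliveInterval * ClientAliveCountMax
    # (CountMax 0 counted as one interval, as the tutorial uses it).
    # sshd defaults: Interval 0 (no keepalives at all), CountMax 3.
    i=$(sshd_get "$f" ClientAliveInterval); i=${i:-0}
    c=$(sshd_get "$f" ClientAliveCountMax); c=${c:-3}
    [ "$c" -gt 0 ] || c=1
    t=$((i * c))
    if [ "$t" -gt 0 ] && [ "$t" -le 900 ]; then echo "ok   idle timeout = ${t}s"
    else echo "FAIL idle timeout = ${t}s (want 1..900)"; fi
    # Step 7: LoginGraceTime defaults to 120 s; want 30 s or less.
    g=$(sshd_get "$f" LoginGraceTime); g=${g:-120}
    if [ "$g" -le 30 ]; then echo "ok   LoginGraceTime = ${g}s"
    else echo "FAIL LoginGraceTime = ${g}s (want <= 30)"; fi
    # Step 8: the default port is 22.
    p=$(sshd_get "$f" Port); p=${p:-22}
    if [ "$p" != 22 ]; then echo "ok   Port = $p"
    else echo "FAIL Port = 22 (want a non-default port)"; fi
    # Step 3: a banner file must be configured.
    b=$(sshd_get "$f" Banner)
    if [ -n "$b" ] && [ "$b" != none ]; then echo "ok   Banner = $b"
    else echo "FAIL Banner not set"; fi
}

# sshd_audit_failures FILE: number of FAIL lines.
sshd_audit_failures() {
    sshd_audit "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

sshd_audit "$SAMPLE_SSHD_CONF"
echo "failing checks: $(sshd_audit_failures "$SAMPLE_SSHD_CONF")"
```

Point it at the live file with sshd_audit /etc/ssh/sshd_config; because sshd_get stops at the first uncommented match, a directive that appears twice is reported with the value sshd actually uses, not the one at the bottom of the file.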

10. Update OpenSSH and the OS
Make sure your Linux system is running the latest version of OpenSSH. The SSH package version depends on your Linux distribution and OS version. Your distro ships the best or most stable version of each package, so if you want to upgrade to another version you can install from the source package, downloadable from the OpenSSH official site http://www.openssh.com. Alternatively, install the latest rpm package or change your repository, then use yum.

For instance, if you are running CentOS 5.8, to check the currently installed package and see whether there is an update, try the following:

[root@freelinux~]# cat /etc/issue
CentOS release 5.8 (Final)
Kernel \r on an \m

[root@freelinux~]# rpm -qa | grep openssh
openssh-4.3p2-82.el5
openssh-clients-4.3p2-82.el5
openssh-server-4.3p2-82.el5

[root@freelinux~]# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

[root@freelinux~]# yum update openssh*
Loaded plugins: fastestmirror, security
Determining fastest mirrors
* base: mirror.nus.edu.sg
* extras: mirror.nus.edu.sg
* updates: mirror.nus.edu.sg
base                                                     | 1.1 kB     00:00
extras                                                   | 1.9 kB     00:00
extras/primary_db                                        | 171 kB     00:00
updates                                                  | 1.9 kB     00:00
updates/primary_db                                       | 828 kB     00:01
Skipping security plugin, no data
Setting up Update Process
No Packages marked for Update

11. Enforce access control lists by using TCP wrappers
TCP wrappers restrict access to TCP services based on IP address, hostname, network address, etc. sshd supports them via the libwrap library. To check whether your sshd is dynamically linked against libwrap:

[root@freelinux~]# which sshd
/usr/sbin/sshd
[root@freelinux~]# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib/libwrap.so.0 (0x00978000)

Connections refused by the wrappers are logged by sshd through the authpriv facility, which /etc/syslog.conf sends to /var/log/secure:
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

Configuration Files of TCP Wrapper

a. /etc/hosts.allow
b. /etc/hosts.deny

The file names are quite self-explanatory.
Access will be allowed when it matches an entry in the /etc/hosts.allow file
Access will be denied when it matches an entry in the /etc/hosts.deny file

Points to keep in mind:
- access rules in hosts.allow are applied first
- rules in each file are read from the top down, so take note the order of rules
- changes in hosts.allow or hosts.deny will take effect immediately, no need to restart any services.
- access to service is permitted if no rules are found in either file
- use ‘#’ character to insert comments
- it uses this format

tcp_service : client_list [ : shell_command ]

where:
tcp_service – daemon process name(s)
client_list – IP, hostnames, patterns, wildcards matching the client address or hostname

There are several patterns that you can use in client_list which we will not cover in this topic. The recommended setting is:
Deny anything not explicitly allowed, and only allow specific services.

[root@freelinux~]# cat /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
ALL: ALL

[root@freelinux~]# cat /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd : freelinuxtutorials.com : allow
sshd : 192.168.0.192/255.255.255.240 : allow
sshd : 192.168.0.100 : allow

12. Configure iptables for added SSH security
It is good to have your servers protected by hardware or appliances such as security appliances (PIX, ASA, etc.) that add more protection, for example limiting TCP connections to prevent dictionary attacks.
If you don't have these, the same can be done from your Linux server using iptables.

Sample iptables rule to allow only a specified host:
iptables -A INPUT -p tcp -m state --state NEW --source 172.16.0.101 --dport 35286 -j ACCEPT

Another example iptables rule:

iptables -N RULE1
iptables -A INPUT -p tcp --dport 35286 -m state --state NEW -j RULE1
iptables -A RULE1 -m recent --set --name SSH
iptables -A RULE1 -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

where:
Line 1: create a new chain RULE1
Lines 2/3: every new incoming SSH connection on port 35286 passes through this chain, which records the source IP in the "SSH" recent list
Line 4: a source IP should not make more than 3 new connection attempts within 60 seconds; the 4th and later packets from that source within the window are dropped

13. Use strong passwords
As system administrator you can set criteria that user passwords must meet. To enforce password complexity on your Linux boxes via PAM (the "pluggable authentication module"), look at the password lines in /etc/pam.d/system-auth:

[root@freelinux~]# cat /etc/pam.d/system-auth | grep password
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

Change the pam_cracklib line to something like this (the option is spelled minlen, not minlength):
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 lcredit=1 ucredit=1 dcredit=1 ocredit=1 difok=4

where:

retry = number of times a user may attempt to choose an acceptable password before the module gives up
try_first_pass = reuse the password already obtained by a previous module in the stack instead of prompting again
minlen = minimum length of the new password, after credits are applied
lcredit = credit for lowercase letters
ucredit = credit for uppercase letters
dcredit = credit for digits
ocredit = credit for other characters
difok = number of characters that must differ from the previous password

Note on the credit options: pam_cracklib treats a positive value such as lcredit=1 as the maximum credit that class contributes toward minlen, not as a required count; to demand at least one character of a class, use a negative value (for example lcredit=-1).

Alternatively, /etc/login.defs sets parameters such as password aging and minimum length.
In /etc/login.defs:

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5

14. Use private/public keys for SSH authentication
If you decide to use key-based authentication instead of passwords, follow the tutorial SSH authentication via Public/Private keys.

15. Patch OpenSSH with the latest security fixes
As long as the latest updates or patches are installed on your Linux distribution, you are fully patched.
To check the changelog of the openssh rpm, use the command below. It lists the patches applied:

[root@freelinux~]# rpm -q --changelog openssh | more
* Wed Jan 04 2012 Petr Lautrbach <plautrba@redhat.com> 4.3p2-82
- improve RNG seeding from /dev/random (#681291,#708056)

* Fri Dec 02 2011 Petr Lautrbach <plautrba@redhat.com> 4.3p2-81
- make ssh(1)'s ConnectTimeout option apply to both the TCP connection and
SSH banner exchange (#750725)


SSH authentication via Public/Private keys


In the tutorial "Securing your OpenSSH server in Linux", key-based authentication is listed as one way to secure your SSH server. Below are the details of how it is done:

Users can log in remotely to a Secure Shell (SSH) server using a public/private key pair without typing a password. This adds security to your boxes, since it reduces the exposure to password-cracking attempts, and it is convenient for users, especially for scripts that need SCP or SFTP transfers.

These are the steps:

1. Generate a public/private key pair on the client; it identifies the client to the servers. The private key can be protected with a passphrase, or left without one.

ssh-keygen -t rsa

[darwin@freelinuxclient ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/darwin/.ssh/id_rsa):
Created directory '/home/darwin/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/darwin/.ssh/id_rsa.
Your public key has been saved in /home/darwin/.ssh/id_rsa.pub.
The key fingerprint is:
ec:e2:2c:72:f4:0d:a2:ce:83:5a:b1:f3:ee:e1:f3:9f darwin@freelinuxclient
[darwin@freelinuxclient ~]$

It will create two files under your .ssh folder

ls -la ~/.ssh/

[darwin@freelinuxclient ~]$ ls -la ~/.ssh/
total 16
drwx------ 2 darwin darwin 4096 Nov  2 23:30 .
drwx------ 3 darwin darwin 4096 Nov  2 23:29 ..
-rw------- 1 darwin darwin 1743 Nov  2 23:30 id_rsa
-rw-r--r-- 1 darwin darwin  410 Nov  2 23:30 id_rsa.pub

id_rsa = private key
id_rsa.pub = public key (it’s the one you are going to upload on the server)

2. Set permission on private key

[darwin@freelinuxclient ~]$ chmod 700 ~/.ssh/
[darwin@freelinuxclient ~]$ chmod 600 ~/.ssh/id_rsa

Normally the correct permissions are already set by default, but it is better to do this explicitly, especially if "StrictModes" is set to yes in your sshd_config.
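StrictModes makes sshd refuse keys from a directory or authorized_keys file that others can write to, and ssh itself refuses a private key that others can read. The script below is an added example, not part of the original tutorial, that checks those modes with ls -ld (portable across GNU and BSD userland) on a constructed .ssh directory created under a temporary directory with deliberately loose permissions.

```shell
#!/bin/sh
# Added example: verify the permissions step 2 asks for, the way sshd's
# StrictModes and ssh's own private-key check expect them. The .ssh
# directory below is constructed in a temp dir with deliberately loose modes.
DEMO_HOME=$(mktemp -d)
DEMO_SSH=$DEMO_HOME/.ssh
trap 'rm -rf "$DEMO_HOME"' EXIT
mkdir "$DEMO_SSH"
: > "$DEMO_SSH/id_rsa"; : > "$DEMO_SSH/id_rsa.pub"; : > "$DEMO_SSH/authorized_keys"
chmod 755 "$DEMO_SSH"; chmod 644 "$DEMO_SSH/id_rsa"; chmod 664 "$DEMO_SSH/authorized_keys"

# mode_of PATH: the ten-character mode column of ls -ld, which is the same on
# GNU and BSD userland (stat's option syntax is not).
mode_of() { ls -ld "$1" | cut -c1-10; }

# check_ssh_perms SSHDIR: one line per check; FAIL lines mark problems.
#  - the directory must not be accessible to group/other (0700)
#  - private keys must be 0600 (ssh refuses keys readable by others)
#  - authorized_keys must not be writable by group/other (StrictModes)
check_ssh_perms() {
    d=$1
    m=$(mode_of "$d")
    case "$m" in
        d???------) echo "ok   $d ($m)" ;;
        d*)         echo "FAIL $d is $m, want drwx------" ;;
        *)          echo "FAIL $d is not a directory"; return 1 ;;
    esac
    for k in "$d"/id_rsa "$d"/id_dsa "$d"/id_ecdsa "$d"/id_ed25519; do
        [ -f "$k" ] || continue
        m=$(mode_of "$k")
        case "$m" in
            -???------) echo "ok   $k ($m)" ;;
            *)          echo "FAIL $k is $m, want -rw-------" ;;
        esac
    done
    if [ -f "$d/authorized_keys" ]; then
        m=$(mode_of "$d/authorized_keys")
        case "$m" in
            -????-??-?) echo "ok   $d/authorized_keys ($m)" ;;
            *)          echo "FAIL $d/authorized_keys is $m, must not be group/other writable" ;;
        esac
    fi
}

# ssh_perm_failures SSHDIR: number of FAIL lines.
ssh_perm_failures() { check_ssh_perms "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'; }

# fix_ssh_perms SSHDIR: apply the modes from step 2 to whatever exists.
fix_ssh_perms() {
    chmod 700 "$1"
    for f in "$1"/id_rsa "$1"/id_dsa "$1"/id_ecdsa "$1"/id_ed25519 "$1"/authorized_keys; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    return 0
}

check_ssh_perms "$DEMO_SSH"
echo "problems found: $(ssh_perm_failures "$DEMO_SSH")"
```

Running check_ssh_perms ~/.ssh on a real account shows three FAIL lines for the constructed layout above; fix_ssh_perms ~/.ssh applies exactly the chmod 700 / chmod 600 from step 2, after which the check reports none.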

3. Upload the id_rsa.pub or public key to server

$scp ~/.ssh/id_rsa.pub user@server:

[darwin@freelinuxclient .ssh]$scp /home/darwin/.ssh/id_rsa.pub darwin@freelinuxserver:~/

4. Add to the authorized keys

cat id_rsa.pub >> ~/.ssh/authorized_keys

[darwin@freelinuxclient ~]$ ssh darwin@freelinuxserver
darwin@freelinuxserver’s password:
[darwin@freelinuxserver]$ cat id_rsa.pub >> ~/.ssh/authorized_keys

Testing:

SSH to the server. If a passphrase was provided when the client key pair was generated, it will be asked for during login:

[darwin@freelinuxclient ~]$ ssh darwin@freelinuxserver
Enter passphrase for key '/home/darwin/.ssh/id_rsa':
[darwin@freelinuxserver ~]$

If no passphrase provided, then access would be direct:

[darwin@freelinuxclient ~]$ ssh darwin@freelinuxserver
[darwin@freelinuxserver ~]$
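Steps 2 to 4 above, as an added shell example (not code from the original post): it installs a public key into authorized_keys the way ssh-copy-id does, but refuses a file that is not a public key, creates ~/.ssh with the permissions StrictModes expects even when the directory does not exist on the server yet, and does not append a key that is already present. The key string in the demo is constructed, not real key material.

```shell
#!/bin/sh
# install_pubkey: append a public key to a user's authorized_keys, creating
# ~/.ssh on the way, with the permissions sshd's StrictModes requires
# (directory 700, file 600) and without adding a key that is already there.
# Usage: install_pubkey /path/to/id_rsa.pub [home_dir]   (default: $HOME)
# Prints "added" or "already present"; returns 1 on a bad input file.
install_pubkey() {
  pubkey_file="$1"
  home_dir="${2:-$HOME}"
  ssh_dir="$home_dir/.ssh"
  auth_keys="$ssh_dir/authorized_keys"

  # A public key line is "<type> <base64> [comment]". Refuse anything else,
  # which also catches uploading id_rsa (the private key) instead of id_rsa.pub.
  key_line=$(head -n 1 "$pubkey_file" 2>/dev/null) || return 1
  case "$key_line" in
    "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*|"ssh-dss "*) ;;
    *) echo "not a public key: $pubkey_file" >&2; return 1 ;;
  esac
  key_type=$(printf '%s\n' "$key_line" | awk '{ print $1 }')
  key_data=$(printf '%s\n' "$key_line" | awk '{ print $2 }')
  [ -n "$key_data" ] || { echo "malformed public key: $pubkey_file" >&2; return 1; }

  # umask 077 makes the directory and file private from the moment they are
  # created, instead of creating them readable and tightening afterwards.
  ( umask 077 && mkdir -p "$ssh_dir" && touch "$auth_keys" ) || return 1
  chmod 700 "$ssh_dir" && chmod 600 "$auth_keys" || return 1

  # Match on key type plus key material only, so the same key with a different
  # comment is still recognised as a duplicate.
  if awk -v t="$key_type" -v k="$key_data" \
       'index($0, t " " k) { found = 1 } END { exit !found }' "$auth_keys"; then
    echo "already present"
    return 0
  fi
  printf '%s\n' "$key_line" >> "$auth_keys"
  echo "added"
}

# Demo in a scratch directory with a constructed key string (not real key material).
demo_home=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ConstructedDemoKeyMaterial darwin@freelinuxclient\n' \
  > "$demo_home/id_demo.pub"
install_pubkey "$demo_home/id_demo.pub" "$demo_home"   # added
install_pubkey "$demo_home/id_demo.pub" "$demo_home"   # already present
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
```

Run it on the server as the target user after the scp in step 3, e.g. install_pubkey ~/id_rsa.pub; the umask and chmod calls are what keep StrictModes from silently rejecting the key.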

Additional Notes:

1. Make sure public key authentication is enabled (should be enabled by default)
[darwin@freelinuxserver ~]#vi /etc/ssh/sshd_config

RSAAuthentication yes
PubkeyAuthentication yes

2. SSH usually comes with the “ssh-copy-id” utility, which installs id_rsa.pub into the server's authorized keys for you.

ssh-copy-id -i .ssh/id_rsa.pub user@server

[darwin@freelinuxclient ~]$ ssh-copy-id -i .ssh/id_rsa.pub darwin@freelinuxserver
15
darwin@freelinuxserver’s password:
Now try logging into the machine, with "ssh 'darwin@freelinuxserver'", and check in:

.ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

[darwin@freelinuxclient ~]$

3. To disable password authentication, option a is recommended

a. disable via the /etc/ssh/sshd_config

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

b. lock the user account on the server; key authentication will still work

[root@freelinuxserver ~]# passwd -l darwin
Locking password for user darwin.
passwd: Success
[root@freelinuxserver ~]#
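Additional notes 1 and 3a as an added check (example code, not from the original post): a small audit of the authentication directives in an sshd_config file. It follows two sshd rules that often trip people up: only the first occurrence of a keyword counts (later ones are ignored), and anything after a Match line applies to that block only. The sample configuration is constructed.

```shell
#!/bin/sh
# sshd_value <keyword> <file>: the value sshd would use for <keyword>.
# sshd keeps the FIRST occurrence of a keyword and ignores later ones, and
# directives after a "Match" line apply only to that block, so parsing stops
# there. Keywords are case-insensitive and "Keyword=value" is allowed too.
sshd_value() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    line == "" || line ~ /^#/ { next }
    {
      if (!match(line, /^[^ \t=]+[ \t]*=?[ \t]*/)) next
      k = tolower(substr(line, 1, RLENGTH)); gsub(/[ \t=]/, "", k)
      v = substr(line, RLENGTH + 1); sub(/[ \t]+$/, "", v)
    }
    k == "match" { exit }
    k == key { print v; exit }
  ' "$2"
}

# audit_sshd_config <file>: one line per finding; the return value is the
# number of findings, so 0 means key login is on and password login is off.
audit_sshd_config() {
  f="$1"; issues=0
  pubkey=$(sshd_value PubkeyAuthentication "$f")
  passwd=$(sshd_value PasswordAuthentication "$f")
  chal=$(sshd_value ChallengeResponseAuthentication "$f")
  # newer OpenSSH spells the same directive KbdInteractiveAuthentication
  [ -n "$chal" ] || chal=$(sshd_value KbdInteractiveAuthentication "$f")

  # sshd defaults when a directive is absent: all three are "yes"
  if [ "${pubkey:-yes}" != "yes" ]; then
    echo "PubkeyAuthentication is $pubkey: key-based login is disabled"
    issues=$((issues + 1))
  fi
  if [ "${passwd:-yes}" != "no" ]; then
    echo "PasswordAuthentication is ${passwd:-unset, defaults to yes}: passwords are still accepted"
    issues=$((issues + 1))
  fi
  if [ "${chal:-yes}" != "no" ]; then
    echo "ChallengeResponseAuthentication is ${chal:-unset, defaults to yes}: keyboard-interactive can still take a password via PAM"
    issues=$((issues + 1))
  fi
  return "$issues"
}

# Constructed sample matching item 3a above; the Match block must not affect the result.
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# constructed sample sshd_config
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$SAMPLE_SSHD_CONFIG" && echo "password login disabled, key login enabled"
```

Run audit_sshd_config /etc/ssh/sshd_config after editing and before restarting sshd, and keep the existing session open until a second key-based login has succeeded. UsePAM is deliberately not checked: with PasswordAuthentication and ChallengeResponseAuthentication both off, PAM can no longer accept a password, and leaving it on keeps PAM's account and session checks running.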

4. If you need to change or add the key pair's passphrase, use the -p option

 ssh-keygen -p

[darwin@freelinuxclient ~]$ ssh-keygen -p
Enter file in which the key is (/home/darwin/.ssh/id_rsa):
Enter old passphrase:
Key has comment '/home/darwin/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.

5. You can use “DSA” as the SSH2 authentication key type. DSA signs faster but verifies more slowly. To do this:

ssh-keygen -t dsa

This will create two files, id_dsa & id_dsa.pub.

6. Once the public key has been imported into authorized_keys, it is recommended to delete the uploaded copy from the server

rm id_rsa.pub

[darwin@freelinuxserver ~]#rm id_rsa.pub


The post SSH authentication via Public/Private keys appeared first on Free Linux Tutorials.


Linux Kernel 3.6.8 is released!

Installation and Setup of Free Tacacs+ server in Linux

Installation & Setup of Free Tacacs+ server in Linux
(Tested via GNS3 & VirtualBox)

Software Used:

GNS3 0.8.3.1
-use 3700 IOS as Router & DHCP
-use Ethernet switch to connect hosts
-use VirtualBox guest running on Ubuntu Linux server 12.04.2 LTS

http://shrubbery.net/tac_plus/

Installation:

1. Log in as root and install the dependencies: TCP wrappers and the compilation tools, i.e. gcc, bison, flex and make

If you’re not sure if these packages are installed, you can use the command:

dpkg -s [packagename]

Sample:

root@freelinux:~# dpkg -s gcc bison flex

Package `gcc' is not installed and no info is available.

Package `bison' is not installed and no info is available.

Package `flex' is not installed and no info is available.

To install:

root@freelinux:~# apt-get install gcc make flex \
 bison libwrap0-dev

2. Download the tacacs+ package on ftp://ftp.shrubbery.net/pub/tac_plus/. It’s good to read additional information or changes on http://shrubbery.net/tac_plus/.

Latest version as of this writing is tacacs+-F4.0.4.26

root@freelinux:~# wget \
ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.26.tar.gz

3. Uncompress the tarball

root@ubuntu:~# tar zxvf tacacs+-F4.0.4.26.tar.gz

4. Build
Check the INSTALL file first for the installation guide

root@ubuntu:~/tacacs+-F4.0.4.26# less INSTALL
root@ubuntu:~/tacacs+-F4.0.4.26# ./configure

If you skipped installing those dependencies, you will receive a message like this:

configure: error: Could not find libwrap. You must first install tcp_wrappers.

So to resolve this, install the necessary packages.

# apt-get install libwrap0-dev

Libraries have been installed in:
/usr/local/lib

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,-rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.

Configuration:

1. After building and installing, the binaries are placed by default in /usr/local/bin/

root@ubuntu:~/tacacs+-F4.0.4.26# ls /usr/local/bin/tac*
/usr/local/bin/tac_plus /usr/local/bin/tac_pwd

2. Read the manual page for the following:

$man tac_plus
$man tac_pwd

So basically,
tac_plus – tacacs plus daemon
tac_pwd – generate DES or MD5 encryption of a password

3. Use tac_pwd to encrypt the clear-text passwords, so they are not stored readable in the config file
e.g.
We want to use “password” to log in as the user freelinux and “enablepass” to enter privileged mode

root@freelinux:/etc/tacacs# /usr/local/bin/tac_pwd
Password to be encrypted: password
VUjB99kC2IGws

root@freelinux:/etc/tacacs# /usr/local/bin/tac_pwd
Password to be encrypted: enablepass
HD.Hw0OHKmO/c

4. Set up the config files

a. Create the tacacs directory under /etc

5. Create the tac_plus.conf file

tac_plus.conf setup:
i. set the key

#tacacs key
key = "tackey"

ii. set the user accounts

#user details
#admin freelinuxtutorials@gmail.com
user = freelinux {
default service = permit
member = admingroup
login = des VUjB99kC2IGws
}

iii. set the group details

#group details
# admin group
group = admingroup {
default service = permit
service = exec {
priv-lvl = 15
}
}

iv. set enable password

#Enable password setup for users:
user = $enable$ {
login = des HD.Hw0OHKmO/c
}
Note: this is how the file looks; the complete sample file was linked from the original post.

v. set the location of the accounting file

accounting file = /var/log/tacacs/tac_plus.log

6. change permission

#chmod 600 /etc/tacacs/tac_plus.conf
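Steps 3 to 6 as an added pre-flight check (example code, not part of the original post or of the tac_plus project): it verifies the things the configuration section depends on before the daemon is started. The sample configuration is constructed from the fragments above.

```shell
#!/bin/sh
# audit_tacplus_conf <file>: pre-flight checks for a tac_plus.conf, covering
# the points above: mode 600 (step 6), a shared key that is present and not
# trivially short, no "login = cleartext" passwords (step 3, use tac_pwd),
# and an accounting file (step v). Prints one line per finding and returns
# the number of findings, so 0 means everything passed.
audit_tacplus_conf() {
  conf="$1"; issues=0
  [ -f "$conf" ] || { echo "missing: $conf"; return 1; }

  # 1. the file holds the shared secret and password hashes: owner-only access
  mode=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")
  case "$mode" in
    600|400) ;;
    *) echo "mode $mode on $conf: chmod 600 it"; issues=$((issues + 1)) ;;
  esac

  # strip comments once; every check below reads this copy
  body=$(sed 's/#.*$//' "$conf")

  # 2. shared key: required by the devices, and a short word is guessable
  key=$(printf '%s\n' "$body" |
        awk -F= '$1 ~ /^[ \t]*key[ \t]*$/ { gsub(/[ \t"]/, "", $2); print $2; exit }')
  if [ -z "$key" ]; then
    echo "no key = directive: devices cannot authenticate to this server"
    issues=$((issues + 1))
  elif [ "${#key}" -lt 16 ]; then
    echo "shared key is only ${#key} characters: use a long random key"
    issues=$((issues + 1))
  fi

  # 3. cleartext passwords are readable by anyone who can read the file
  if printf '%s\n' "$body" | grep -iq 'login[[:space:]]*=[[:space:]]*cleartext'; then
    echo "cleartext login password found: replace it with a tac_pwd hash"
    issues=$((issues + 1))
  fi

  # 4. without an accounting file there is no record of who ran which command
  if ! printf '%s\n' "$body" | grep -q 'accounting[[:space:]]*file[[:space:]]*='; then
    echo "no accounting file directive: command accounting will not be logged"
    issues=$((issues + 1))
  fi
  return "$issues"
}

# Constructed sample built from the fragments above (same key and hash as on the page).
SAMPLE_TACPLUS_CONF=$(mktemp)
cat > "$SAMPLE_TACPLUS_CONF" <<'EOF'
#tacacs key
key = "tackey"
user = freelinux {
    default service = permit
    member = admingroup
    login = des VUjB99kC2IGws
}
accounting file = /var/log/tacacs/tac_plus.log
EOF
chmod 600 "$SAMPLE_TACPLUS_CONF"
audit_tacplus_conf "$SAMPLE_TACPLUS_CONF" || echo "findings: $?"   # flags only the short key
```

On the sample the only finding is the six-character key “tackey”, which is fine for a lab but is the one value every router shares with the server, so in production it should be a long random string; the DES hash from tac_pwd passes the cleartext check.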

Note: if along the way you encounter an error such as the one below, you need to create the necessary links using ldconfig

tac_plus: error while loading shared libraries: libtacacs.so.1:
cannot open shared object file: No such file or directory

# vi /etc/ld.so.conf

add /usr/local/lib under /etc/ld.so.conf

root@freelinux#ldconfig

7. Run the tacacs service

root@freelinux:/etc/tacacs# /etc/init.d/tac_plus start
Starting Tacacs+ server: tac_plus.

The /etc/init.d/tac_plus init script used here was provided for download in the original post

8. Check that the process is running (tac_plus listens on TCP port 49)

root@freelinux:/etc/tacacs# netstat -na | grep 49
tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN

--------------------
Sample Cisco configuration

Configuring Cisco:

Cisco>en
Cisco#conf t
Cisco#service password-encryption
Cisco#tacacs-server host 192.168.56.10
Cisco#tacacs-server directed-request
Cisco#tacacs-server key tackey

Cisco#aaa new-model
Cisco#aaa authentication login default group tacacs+ local
Cisco#aaa authentication enable default group tacacs+ enable
Cisco#aaa authorization commands 1 default group tacacs+ local
Cisco#aaa authorization commands 15 default group tacacs+ local
Cisco#aaa accounting commands 0 default start-stop group tacacs+
Cisco#aaa accounting commands 1 default start-stop group tacacs+
Cisco#aaa accounting commands 7 default start-stop group tacacs+
Cisco#aaa accounting commands 15 default start-stop group tacacs+
Cisco#aaa accounting network 15 start-stop group tacacs+
Cisco#aaa accounting connection 15 start-stop group tacacs+

I will not go deeper into client configuration, as it differs between devices and software from different vendors. Anyway, what is shown here is just the basic tacacs config that is proven to work. Go and explore the advanced tacacs configuration further. Enjoy!


SSH Remote Host Identification has changed

SSH Remote Host Identification has changed Error and Fixes

Normally you see this message when accessing a target system remotely via SSH (Cisco, Juniper or Linux/Unix boxes) for reasons like:

a. The target system's hostname or IP address has changed and previously belonged to a different server, which of course has a different public key
b. The server's public key has changed, e.g. after an SSH reinstallation or update, an OS reinstallation, or re-running ssh-keygen for the host keys
c. A security issue, such as unauthorized access or a man-in-the-middle attack in progress

Sample:

[tux@jumphost1 ~]$ ssh freelinux
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
2c:46:b0:b5:67:2b:a7:a9:89:5a:cd:13:ff:36:db:b2.
Please contact your system administrator.
Add correct host key in /home/tux/.ssh/known_hosts to get rid of this message.
Offending key in /home/tux/.ssh/known_hosts:339
RSA host key for freelinux has changed and you have requested strict checking.
Host key verification failed.

Fix#1
Delete the offending key directly from the command line (339 is the line number reported in the warning)

[tux@SSH-01 ~]$ sed -i "339 d" ~/.ssh/known_hosts

Fix#2
Manually delete the line
a.using vi editor, go into the file

[tux@SSH-01 ~]$vi .ssh/known_hosts

b. go to line, e.g. 339
:339

c. delete the line with “dd” and save/exit
dd
Shift+ZZ (or :wq!)

Fix#3
Delete the known_hosts file
[tux@SSH-01 ~]$rm .ssh/known_hosts

Fix#4
Remove keys using ssh-keygen -R option
(from man ssh-keygen)
-R hostname
Removes all keys belonging to hostname from a known_hosts file.
This option is useful to delete hashed hosts (see the -H option
above).

[tux@SSH-01 ~]$ssh-keygen -R hostname

Test after change:

[tux@SSH-01 ~]$ ssh freelinux
The authenticity of host 'freelinux (192.168.1.100)' can't be established.
RSA key fingerprint is 2c:46:b0:b5:67:2b:a7:a9:89:5a:cd:13:ff:36:db:b2.
Are you sure you want to continue connecting (yes/no)? yes
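The targeted form of fixes 1, 2 and 4, as an added shell example (not code from the original post): it first lists the entries that would go, which is the moment to compare the fingerprint in the warning with one obtained from the server's administrator out of band, and then removes only the entries for that one host, keeping a backup, instead of deleting the whole known_hosts file as in fix 3. The sample known_hosts content is constructed with placeholder key strings.

```shell
#!/bin/sh
# known_host_entries <host> <known_hosts file>: print, with line numbers, the
# plain-text entries whose host field names <host> exactly. The host field is
# a comma-separated list such as "freelinux,192.168.1.100", optionally
# preceded by a marker like "@cert-authority". Hashed entries ("|1|...")
# cannot be matched this way; use ssh-keygen -R for those.
known_host_entries() {
  awk -v h="$1" '
    /^[ \t]*(#|$)/ { next }
    {
      f = ($1 ~ /^@/) ? 2 : 1
      n = split($f, names, ",")
      for (i = 1; i <= n; i++) if (names[i] == h) { print NR ": " $0; break }
    }' "$2"
}

# remove_known_host <host> <known_hosts file>: back the file up, then drop only
# the entries that name <host>, keeping everything else. Prints the number of
# lines removed; returns 1 if the file is missing or cannot be rewritten.
remove_known_host() {
  host="$1"; file="$2"
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  cp -p "$file" "$file.bak" || return 1
  before=$(grep -c '' "$file" || true)
  awk -v h="$host" '
    /^[ \t]*(#|$)/ { print; next }              # comments and blank lines
    {
      f = ($1 ~ /^@/) ? 2 : 1                   # "@cert-authority" / "@revoked" marker
      n = split($f, names, ",")
      keep = 1
      for (i = 1; i <= n; i++) if (names[i] == h) keep = 0
      if (keep) print
    }' "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
  after=$(grep -c '' "$file" || true)
  echo $((before - after))
}

# Constructed known_hosts with placeholder key strings (not real keys).
DEMO_KNOWN_HOSTS=$(mktemp)
printf '%s\n' \
  'freelinux,192.168.1.100 ssh-rsa AAAAB3NzaC1yc2EConstructedKey1' \
  'jumphost2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ConstructedKey2' \
  '# a comment line' \
  '@cert-authority *.lab.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ConstructedCA' \
  > "$DEMO_KNOWN_HOSTS"
known_host_entries freelinux "$DEMO_KNOWN_HOSTS"                      # 1: freelinux,192.168.1.100 ...
echo "removed: $(remove_known_host freelinux "$DEMO_KNOWN_HOSTS")"   # removed: 1
```

After the removal the next connection shows the “authenticity of host ... can't be established” prompt from the test below; answer yes only when the fingerprint shown matches the one you verified out of band.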


FreeLinuxTutorials.com is back!

Installing OpenELEC Raspberry Pi image using Mac OS X

My friend had this Raspberry Pi B+ and wanted to use it as a media centre to play his video collection from his NAS storage. I gave him the option of installing Raspbian and then installing an open source media player application on top. In the end he wanted the easier way, so I recommended OpenELEC. But there was another thing: he only has a MacBook Pro as a laptop.

OpenELEC, short for Open Embedded Linux Entertainment Center, is a free and open source operating system that works as a complete media center, as it is built around Kodi (previously XBMC).

Installation procedure:

Mac OS X (El Capitan 10.11)
Sandisk 8GB
Raspberry Pi 1 B+ model

1. Download and uncompress the OpenELEC disk image from the OpenELEC website download page (http://openelec.tv/get-openelec). Choose the stable Raspberry Pi builds Disk Image.
URL used: http://releases.openelec.tv/OpenELEC-RPi.arm-5.0.8.img.gz

2. Insert the SD card into your Mac and open a terminal window. Run the “diskutil list” command to list all the disks. Normally the card will be /dev/disk2.

diskutil list

Sample output:

Darwins-MacBook-Pro:~ darwin$ diskutil list

/dev/disk0 (internal, physical):

   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *256.1 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:          Apple_CoreStorage darwinX                255.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1 (internal, virtual):

   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS darwinX               +254.8 GB   disk1

                                 Logical Volume on disk0s2
                                 00DDB247-0B7D-40EC-B750-CA00C86CB57F
                                 Unencrypted
/dev/disk2 (internal, physical):

   #:                       TYPE NAME                    SIZE       IDENTIFIER

   0:     FDisk_partition_scheme                        *7.9 GB     disk2
   1:             Windows_FAT_32 boot                    58.7 MB    disk2s1
   2:                      Linux                         3.2 GB     disk2s2

Darwins-MacBook-Pro:~ darwin$

3. Unmount the disk so the image can be written, using the command below:

diskutil unmountDisk /dev/disk2

Sample output:

Darwins-MacBook-Pro:~ darwin$ diskutil unmountDisk /dev/disk2

Unmount of all volumes on disk2 was successful

4. Use the “dd” command to copy the image byte for byte onto the card. The syntax is: dd if=path_to_image of=output_device. Sample command below:

dd if=/Users/vinyard/Downloads/OpenELEC-RPi.arm-5.0.8.img of=/dev/disk2

Sample output: (root access needed)

Darwins-MacBook-Pro:~ root# dd if=/Users/darwin/Downloads/OpenELEC-RPi.arm-5.0.8.img of=/dev/disk2

598016+0 records in
598016+0 records out
306184192 bytes transferred in 239.168115 secs (1280205 bytes/sec)

5. That's it. Eject the SD card from the Mac and insert it into the Raspberry Pi. It is ready for use; just follow the GUI-based setup wizard. Enjoy!
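A guard for step 4, as an added shell example (not from the original post): dd writes to whatever of= names, and /dev/disk0 is the Mac's internal drive, so the check accepts a whole-disk identifier only when its “diskutil list” line shows an FDisk partition scheme and a size below a limit. The write_image helper, the 64 GB limit and the use of /dev/rdiskN are assumptions of this example; the sample listing is abridged from the output above.

```shell
#!/bin/sh
# sd_target_ok <identifier> <text of "diskutil list">: exit 0 only if the
# identifier's whole-disk line shows FDisk_partition_scheme and a size under
# MAX_GB. Internal Mac disks use a GUID scheme and are much larger, so a
# slip such as "disk0" is refused. Lines without a partition scheme (slices
# like disk2s1, or the virtual CoreStorage volume) are refused too.
MAX_GB=64

sd_target_ok() {
  printf '%s\n' "$2" | awk -v dev="$1" -v max="$MAX_GB" '
    $NF == dev && $0 ~ /partition_scheme/ {
      seen = 1
      scheme = $2                            # e.g. FDisk_partition_scheme
      size = $(NF - 2); sub(/^\*/, "", size) # "*7.9" -> 7.9
      unit = $(NF - 1)                       # GB or MB
      ok = (scheme == "FDisk_partition_scheme") && \
           (unit == "MB" || (unit == "GB" && size + 0 < max))
    }
    END { exit !(seen && ok) }'
}

# write_image <image.img> <identifier>: run the guard, then unmount and write.
# /dev/rdiskN (the raw device) is much faster than /dev/diskN for dd on macOS;
# bs=1m is the BSD dd spelling (GNU dd would want bs=1M).
write_image() {
  listing=$(diskutil list)
  sd_target_ok "$2" "$listing" || { echo "refusing to write to /dev/$2" >&2; return 1; }
  diskutil unmountDisk "/dev/$2" || return 1
  sudo dd if="$1" of="/dev/r$2" bs=1m
}

# Abridged copy of the listing above, for an offline demonstration of the guard.
SAMPLE_LISTING='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *256.1 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
/dev/disk1 (internal, virtual):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS darwinX               +254.8 GB   disk1
/dev/disk2 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *7.9 GB     disk2
   1:             Windows_FAT_32 boot                    58.7 MB    disk2s1'

for d in disk0 disk1 disk2; do
  if sd_target_ok "$d" "$SAMPLE_LISTING"; then echo "$d: ok to write"; else echo "$d: refused"; fi
done
```

With the listing above only disk2 passes; write_image OpenELEC-RPi.arm-5.0.8.img disk2 then performs steps 3 and 4 in one go.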


Quick Tip: Set or change Timezone in Centos/Redhat Linux using timedatectl

1. Check the current timezone

[root@linuxserver ~]# ls -lt /etc/localtime
lrwxrwxrwx. 1 root root 38 Aug 25 14:15 /etc/localtime -> ../usr/share/zoneinfo/America/New_York

As you can see, the current timezone is New York. To change it, for example to Singapore, use the “timedatectl” command.

2. List the available timezones for reference:

[root@dhcpteeserver ~]# timedatectl list-timezones | grep Singapore
Asia/Singapore

3. Change the timezone to Asia/Singapore

[root@linuxserver ~]# timedatectl set-timezone Asia/Singapore
[root@linuxserver ~]# ls -lt /etc/localtime
lrwxrwxrwx 1 root root 36 Sep 1 11:09 /etc/localtime -> ../usr/share/zoneinfo/Asia/Singapore

Enjoy!


copy and send (tee) packets from a mirrored interface using iptables and ebtables

Objective: copy (tee) the packets arriving on enp3s4f1 and send them to a destination IP via the enp3s4f0 management/data port.

ServerA: enp3s4f1 (connected to a switch1 SPAN port, no IP address)
ServerA: enp3s4f0 (connected to switch2 as the management/data port, IP 192.168.100.99)
ServerB: destination IP 192.168.100.100 (same IP range)

This is based on commer's post on LinuxQuestions below:

http://www.linuxquestions.org/questions/linux-networking-3/how-to-route-forward-packets-in-promiscuous-mode-832698/

1. Configure the bridge interface and bind enp3s4f1 to it. Disable Spanning Tree Protocol (STP) if necessary, then bring up the bridge interface

#brctl addbr br0
#brctl stp br0 off
# brctl addif br0 enp3s4f1
#ifconfig br0 up

2. Use ebtables to rewrite the destination MAC of the incoming frames to the machine's own interface, so that mirrored traffic not addressed to this host is accepted by its network stack

#ebtables -t broute -A BROUTING -i enp3s4f1 -j redirect --redirect-target DROP

3. Configure static routes for all the expected incoming IP addresses/subnets
e.g.

#ip route add 192.168.20.192/27 dev enp3s4f1
#ip route add 192.168.20.224/27 dev enp3s4f1

4. Tee the packets (the sample filter matches DHCP packets, UDP ports 67 and 68) and send the copies to 192.168.100.100

#iptables -t mangle -A PREROUTING -i enp3s4f1 -p udp --dport 67:68 --sport 67:68 ! -d 192.168.100.0/24 -j TEE --gateway 192.168.100.100

Note: I configured an exception for the same destination IP range to avoid a double tee.
Use the command “iptables -t mangle -L -v” to check that the TEE rule's packet counter is incrementing.

Tested working using CentOS 7
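The four steps and the counter check above, as an added shell example (not code from the original post): setup_tee applies the commands with the interface and addresses as variables, and tee_pkts reads the TEE rule's packet counter from “iptables -t mangle -L PREROUTING -v -n -x” output so that two snapshots taken a few seconds apart show whether copies are really being sent. The interface names and addresses are the ones above; the two counter snapshots are constructed sample output.

```shell
#!/bin/sh
# Helpers for the bridge + ebtables + TEE setup described above.
MIRROR_IF=enp3s4f1           # span-port interface, no IP address
MGMT_NET=192.168.100.0/24    # management range, excluded to avoid a double tee
TEE_TARGET=192.168.100.100   # ServerB

# setup_tee <subnet>...: bridge (step 1), ebtables redirect (step 2), one static
# route per subnet given (step 3) and the TEE rule for DHCP traffic (step 4).
# Needs root; returns non-zero at the first failing command.
setup_tee() {
  brctl addbr br0 && brctl stp br0 off && brctl addif br0 "$MIRROR_IF" || return 1
  ip link set br0 up || return 1                    # same as "ifconfig br0 up"
  ebtables -t broute -A BROUTING -i "$MIRROR_IF" -j redirect --redirect-target DROP || return 1
  for net in "$@"; do
    ip route add "$net" dev "$MIRROR_IF" || return 1
  done
  iptables -t mangle -A PREROUTING -i "$MIRROR_IF" -p udp --dport 67:68 --sport 67:68 \
    ! -d "$MGMT_NET" -j TEE --gateway "$TEE_TARGET"
}

# tee_pkts <listing>: sum of the pkts column over all TEE rules in the output of
# "iptables -t mangle -L PREROUTING -v -n -x" (-x gives exact counts rather than
# abbreviations like 12K, -n avoids slow reverse DNS lookups).
tee_pkts() {
  printf '%s\n' "$1" | awk '$3 == "TEE" { sum += $1 } END { print sum + 0 }'
}

# tee_delta <listing_before> <listing_after>: packets copied between two snapshots
tee_delta() {
  echo $(( $(tee_pkts "$2") - $(tee_pkts "$1") ))
}

# Constructed snapshots in the layout of "iptables -t mangle -L PREROUTING -v -n -x".
SNAP1='Chain PREROUTING (policy ACCEPT 1843 packets, 221165 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42      13944 TEE        udp  --  enp3s4f1 *       0.0.0.0/0           !192.168.100.0/24     udp spts:67:68 dpts:67:68 TEE gw:192.168.100.100'
SNAP2='Chain PREROUTING (policy ACCEPT 1901 packets, 228310 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      58      19256 TEE        udp  --  enp3s4f1 *       0.0.0.0/0           !192.168.100.0/24     udp spts:67:68 dpts:67:68 TEE gw:192.168.100.100'

echo "copied between snapshots: $(tee_delta "$SNAP1" "$SNAP2") packets"   # 16
```

In practice take the first snapshot with listing1=$(iptables -t mangle -L PREROUTING -v -n -x), wait, take a second one and call tee_delta; a delta that stays at zero while DHCP traffic is visible on the SPAN port points at the route or ebtables step rather than at the TEE rule.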



Quick Tip: Install Fingerprint Scanner (FPrint) in Ubuntu 16.04 Linux

For Ubuntu 16.04 LTS or later, installing fingerprint scanner support is simple and needs only two steps. Tested on a Lenovo ThinkPad X240

  1. sudo apt install libpam-fprintd
  2. fprintd-enroll

That's it. You can now log in, or even authenticate for sudo, with your fingerprint

Alternative: Fingerprint GUI

tux@freelinux:~$ sudo apt install libpam-fprintd
Reading package lists... Done.
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
libpam-fprintd
0 upgraded, 1 newly installed, 0 to remove and 282 not upgraded.
Need to get 0 B/9,336 B of archives.
After this operation, 68.6 kB of additional disk space will be used.
Selecting previously unselected package libpam-fprintd:amd64.
(Reading database ... 173955 files and directories currently installed.)
Preparing to unpack .../libpam-fprintd_0.6.0-1_amd64.deb ...
Unpacking libpam-fprintd:amd64 (0.6.0-1) ...
Setting up libpam-fprintd:amd64 (0.6.0-1) ...

tux@freelinux:~$ fprintd-enroll
Using device /net/reactivated/Fprint/Device/0
Enrolling right-index-finger finger.
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-completed

Now the fingerprint reader can be used for sudo

tux@freelinux:~$ sudo apt-get update
Swipe your finger across the fingerprint reader
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Hit:2 http://sg.archive.ubuntu.com/ubuntu xenial InRelease
Hit:3 http://ppa.launchpad.net/fingerprint/fingerprint-gui/ubuntu xenial InRelease


Quick Tip: Installing GNS3 in Ubuntu (64-bit)

Installing the graphical network simulator GNS3 is quite easy on Ubuntu-based 64-bit distributions. Tested on Ubuntu 16.04.

sudo add-apt-repository ppa:gns3/ppa
sudo apt-get update
sudo apt-get install gns3-gui

A few packages will be installed aside from gns3-gui and gns3-server:

qemu
wireshark
dynamips
cpu-checker

Type “gns3” in command line to launch the application. Enjoy!

tux@freelinux:~$ sudo add-apt-repository ppa:gns3/ppa

Swipe your finger across the fingerprint reader
PPA for GNS3 and Supporting Packages. Please see http://www.gns3.com for more details
More info: https://launchpad.net/~gns3/+archive/ubuntu/ppa
Press [ENTER] to continue or ctrl-c to cancel adding it
gpg: keyring `/tmp/tmplevn08nn/secring.gpg' created
gpg: keyring `/tmp/tmplevn08nn/pubring.gpg' created
gpg: requesting key A2E3EF7B from hkp server keyserver.ubuntu.com
gpg: /tmp/tmplevn08nn/trustdb.gpg: trustdb created
gpg: key A2E3EF7B: public key "Launchpad PPA for GNS3" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
OK

tux@freelinux:~$ sudo apt-get update

tux@freelinux:~$ sudo apt-get install gns3-gui

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
ubuntu-core-launcher
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
cpu-checker cpulimit dynamips freerdp-x11 geoip-database-extra gns3-server
ipxe-qemu javascript-common libaio1 libavahi-gobject0 libboost-random1.58.0
libboost-thread1.58.0 libc-ares2 libcacard0 libfdt1 libfreerdp-rail1.1
libgtk-vnc-2.0-0 libgvnc-1.0-0 libiscsi2 libjs-openlayers libnl-route-3-200
libqgsttools-p1 libqt5clucene5 libqt5designer5 libqt5help5
libqt5multimedia5-plugins libqt5multimediawidgets5 librados2 librbd1
libsdl1.2debian libsmi2ldbl libspice-client-glib-2.0-8
libspice-client-gtk-3.0-4 libspice-server1 libusbredirhost1
libusbredirparser1 libvncserver1 libwireshark-data libwireshark6 libwiretap5
libwsutil6 libxen-4.6 libxenstore3.0 libxfreerdp-client1.1 msr-tools
python3-pyqt5 python3-pyqt5.qtsvg python3-sip qemu-block-extra qemu-kvm
qemu-system-arm qemu-system-common qemu-system-x86 qemu-utils seabios
sharutils spice-client-glib-usb-acl-helper ubridge vinagre vpcs wireshark
wireshark-common wireshark-qt x11vnc x11vnc-data xvfb
Suggested packages:
gns3 apache2 | lighttpd | httpd snmp-mibs-downloader wireshark-doc
python3-pyqt5-dbg samba vde2 sgabios ovmf debootstrap bsd-mailx | mailx

The following NEW packages will be installed:
cpu-checker cpulimit dynamips freerdp-x11 geoip-database-extra gns3-gui
gns3-server ipxe-qemu javascript-common libaio1 libavahi-gobject0
libboost-random1.58.0 libboost-thread1.58.0 libc-ares2 libcacard0 libfdt1
libfreerdp-rail1.1 libgtk-vnc-2.0-0 libgvnc-1.0-0 libiscsi2 libjs-openlayers
libnl-route-3-200 libqgsttools-p1 libqt5clucene5 libqt5designer5 libqt5help5
libqt5multimedia5-plugins libqt5multimediawidgets5 librados2 librbd1
libsdl1.2debian libsmi2ldbl libspice-client-glib-2.0-8
libspice-client-gtk-3.0-4 libspice-server1 libusbredirhost1
libusbredirparser1 libvncserver1 libwireshark-data libwireshark6 libwiretap5
libwsutil6 libxen-4.6 libxenstore3.0 libxfreerdp-client1.1 msr-tools
python3-pyqt5 python3-pyqt5.qtsvg python3-sip qemu-block-extra qemu-kvm
qemu-system-arm qemu-system-common qemu-system-x86 qemu-utils seabios
sharutils spice-client-glib-usb-acl-helper ubridge vinagre vpcs wireshark
wireshark-common wireshark-qt x11vnc x11vnc-data xvfb
0 upgraded, 67 newly installed, 0 to remove and 0 not upgraded.
Need to get 67.0 MB of archives.
After this operation, 279 MB of additional disk space will be used.
Do you want to continue? [Y/n] y

--omitted--

Fetched 67.0 MB in 3min 15s (343 kB/s)
Extracting templates from packages: 100%
Preconfiguring packages ...

To run, use the command “gns3 &”

tux@freelinux:~$ gns3 &
[1] 4049
tux@freelinux:~$ GNS3 GUI version 1.5.3
Copyright (c) 2007-2017 GNS3 Technologies Inc.
2017-02-05 15:47:44 INFO logger.py:107 Log level: INFO
2017-02-05 15:47:44 ERROR __init__.py:144 vmware command not found
2017-02-05 15:47:44 INFO servers.py:103 New local server connection http://127.0.0.1:3080 registered
2017-02-05 15:47:44 INFO __init__.py:181 VPCS module reset
2017-02-05 15:47:44 INFO __init__.py:322 Dynamips module reset
2017-02-05 15:47:44 INFO __init__.py:262 IOU module reset
2017-02-05 15:47:44 INFO __init__.py:256 QEMU module reset
2017-02-05 15:47:44 INFO __init__.py:302 VirtualBox module reset
2017-02-05 15:47:44 INFO __init__.py:369 VMware module reset
2017-02-05 15:47:44 INFO __init__.py:193 Docker module reset
2017-02-05 15:47:44 INFO __init__.py:70 Built-in module reset
2017-02-05 15:47:44 INFO topology.py:408 Topology reset
2017-02-05 15:47:45 INFO servers.py:540 Starting local server process with "/usr/bin/gns3server" --host=127.0.0.1 --port=3080 --local --controller --log="/home/tux/.config/GNS3/gns3_server.log" --pid="/home/tux/.config/GNS3/gns3_server.pid"
2017-02-05 15:47:45 INFO servers.py:553 Local server process has started (PID=4058)

To install a shortcut launcher for GNS3, follow the simple steps in this post:

http://freelinuxtutorials.com/quick-tips-and-tricks/quick-tip-create-gns3-launcher-ubuntu-linux/


Quick Tip: Installation of Sublime Text in Ubuntu Linux

Sublime Text is one of the best text and code editors you can have on Linux, as it supports many programming and markup languages. There is a list of features on the Sublime Text official website; my favorites are the Python-based plugin API and the “Goto Anything” feature.
The only downside I find is that Sublime Text may be downloaded and evaluated for free, but a license must be purchased for continued use.

Installing Sublime Text 3 on Ubuntu 16.04 LTS can be done in just 3 steps. As it is not available in the Ubuntu Software Center, the repository needs to be added first before installing it.

sudo add-apt-repository ppa:webupd8team/sublime-text-3
sudo apt-get update
sudo apt-get install sublime-text-installer

Type “subl” to launch Sublime Text

tux@freelinux:~$ sudo add-apt-repository ppa:webupd8team/sublime-text-3

Swipe your finger across the fingerprint reader
Sublime Text 3 Installer: the package in this PPA downloads and installs the latest Sublime Text 3 beta builds.
For more info, see: http://www.webupd8.org/2013/07/sublime-text-3-ubuntu-ppa-now-available.html
More info: https://launchpad.net/~webupd8team/+archive/ubuntu/sublime-text-3
Press [ENTER] to continue or ctrl-c to cancel adding it
gpg: keyring `/tmp/tmpnj7nb47v/secring.gpg’ created
gpg: keyring `/tmp/tmpnj7nb47v/pubring.gpg’ created
gpg: requesting key EEA14886 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmpnj7nb47v/trustdb.gpg: trustdb created
gpg: key EEA14886: public key “Launchpad VLC” imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
OK

tux@freelinux:~$sudo apt-get update

tux@freelinux:~$ sudo apt-get install sublime-text-installer

Reading package lists… Done
Building dependency tree
Reading state information… Done
The following package was automatically installed and is no longer required:
ubuntu-core-launcher
Use ‘sudo apt autoremove’ to remove it.
The following NEW packages will be installed:
sublime-text-installer
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 9,566 B of archives.
After this operation, 26.6 kB of additional disk space will be used.
Get:1 http://ppa.launchpad.net/webupd8team/sublime-text-3/ubuntu xenial/main amd64 sublime-text-installer all 3126-2~webupd8~1 [9,566 B]
Fetched 9,566 B in 1s (9,062 B/s)
Preconfiguring packages …
Selecting previously unselected package sublime-text-installer.
(Reading database … 224696 files and directories currently installed.)
Preparing to unpack …/sublime-text-installer_3126-2~webupd8~1_all.deb …
Downloading…
–2016-12-26 11:20:11– https://download.sublimetext.com/sublime_text_3_build_3126_x64.tar.bz2
Resolving download.sublimetext.com (download.sublimetext.com)… 104.236.0.104
Connecting to download.sublimetext.com (download.sublimetext.com)|104.236.0.104|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 9313954 (8.9M) [application/octet-stream]
Saving to: ‘sublime_text_3_build_3126_x64.tar.bz2’
0K …….. …….. …….. …….. …….. …….. 33% 1.14M 5s
3072K …….. …….. …….. …….. …….. …….. 67% 1.44M 2s
6144K …….. …….. …….. …….. …….. …… 100% 803K=8.4s
2016-12-26 11:20:22 (1.06 MB/s) – ‘sublime_text_3_build_3126_x64.tar.bz2’ saved [9313954/9313954]
Download done.
Removing outdated cached downloads…
sublime_text_3/
sublime_text_3/Packages/
sublime_text_3/Packages/Pascal.sublime-package
sublime_text_3/Packages/Matlab.sublime-package
sublime_text_3/Packages/Go.sublime-package
sublime_text_3/Packages/Graphviz.sublime-package
sublime_text_3/Packages/Haskell.sublime-package
sublime_text_3/Packages/Clojure.sublime-package
sublime_text_3/Packages/TCL.sublime-package
sublime_text_3/Packages/C++.sublime-package
sublime_text_3/Packages/C#.sublime-package
sublime_text_3/Packages/Textile.sublime-package
sublime_text_3/Packages/Text.sublime-package
sublime_text_3/Packages/XML.sublime-package
sublime_text_3/Packages/D.sublime-package
sublime_text_3/Packages/Lisp.sublime-package
sublime_text_3/Packages/Objective-C.sublime-package
sublime_text_3/Packages/Vintage.sublime-package
sublime_text_3/Packages/Groovy.sublime-package
sublime_text_3/Packages/Theme – Default.sublime-package
sublime_text_3/Packages/LaTeX.sublime-package
sublime_text_3/Packages/Color Scheme – Default.sublime-package
sublime_text_3/Packages/Python.sublime-package
sublime_text_3/Packages/R.sublime-package
sublime_text_3/Packages/PHP.sublime-package
sublime_text_3/Packages/ActionScript.sublime-package
sublime_text_3/Packages/OCaml.sublime-package
sublime_text_3/Packages/Language – English.sublime-package
sublime_text_3/Packages/Rails.sublime-package
sublime_text_3/Packages/Regular Expressions.sublime-package
sublime_text_3/Packages/Erlang.sublime-package
sublime_text_3/Packages/Batch File.sublime-package
sublime_text_3/Packages/Markdown.sublime-package
sublime_text_3/Packages/ASP.sublime-package
sublime_text_3/Packages/Perl.sublime-package
sublime_text_3/Packages/Ruby.sublime-package
sublime_text_3/Packages/Makefile.sublime-package
sublime_text_3/Packages/Default.sublime-package
sublime_text_3/Packages/Scala.sublime-package
sublime_text_3/Packages/YAML.sublime-package
sublime_text_3/Packages/JavaScript.sublime-package
sublime_text_3/Packages/ShellScript.sublime-package
sublime_text_3/Packages/Lua.sublime-package
sublime_text_3/Packages/Diff.sublime-package
sublime_text_3/Packages/RestructuredText.sublime-package
sublime_text_3/Packages/SQL.sublime-package
sublime_text_3/Packages/CSS.sublime-package
sublime_text_3/Packages/Rust.sublime-package
sublime_text_3/Packages/Java.sublime-package
sublime_text_3/Packages/AppleScript.sublime-package
sublime_text_3/Packages/HTML.sublime-package
sublime_text_3/changelog.txt
sublime_text_3/sublime_text
sublime_text_3/python3.3.zip
sublime_text_3/plugin_host
sublime_text_3/crash_reporter
sublime_text_3/sublime_text.desktop
sublime_text_3/Icon/
sublime_text_3/Icon/16×16/
sublime_text_3/Icon/16×16/sublime-text.png
sublime_text_3/Icon/32×32/
sublime_text_3/Icon/32×32/sublime-text.png
sublime_text_3/Icon/128×128/
sublime_text_3/Icon/128×128/sublime-text.png
sublime_text_3/Icon/48×48/
sublime_text_3/Icon/48×48/sublime-text.png
sublime_text_3/Icon/256×256/
sublime_text_3/Icon/256×256/sublime-text.png
sublime_text_3/sublime.py
sublime_text_3/sublime_plugin.py
Unpacking sublime-text-installer (3126-2~webupd8~1) …
Processing triggers for bamfdaemon (0.5.3~bzr0+16.04.20160824-0ubuntu1) …
Rebuilding /usr/share/applications/bamf-2.index…
Processing triggers for gnome-menus (3.13.3-6ubuntu3.1) …
Processing triggers for desktop-file-utils (0.22-1ubuntu5) …
Processing triggers for mime-support (3.59ubuntu1) …
Setting up sublime-text-installer (3126-2~webupd8~1) …
tux@freelinuxt:~$

 

Share

The post Quick Tip: Installation of Sublime Text in Ubuntu Linux appeared first on Free Linux Tutorials.

Quick Tip: Install Spotify in Ubuntu or Debian Linux

$
0
0

Spotify is considered the king of digital music streaming service that offers millions of songs.  There are 4 steps to install Spotify client in Debian-based Linux.

Tested in Ubuntu 16.04 LTS. Enjoy!

1.Add Spotify’s repository signing key to verify downloaded packages
sudo apt-key adv –keyserver hkp://keyserver.ubuntu.com:80 –recv-keys BBEBDCB318AD50EC6865090613B00F1FD2C19886

2. Add Spotify repository
echo deb http://repository.spotify.com stable non-free | sudo tee /etc/apt/sources.list.d/spotify.list

3. Check and update latest version
sudo apt-get update

4. Install the Spotify client
sudo apt-get install spotify-client

Run “spotify” in the command-line or find from the Applications

tux@freelinux:~$ sudo apt-key adv –keyserver hkp://keyserver.ubuntu.com:80 –recv-keys BBEBDCB318AD50EC6865090613B00F1FD2C19886
Swipe your finger across the fingerprint reader
Executing: /tmp/tmp.4ToCaqi4Sq/gpg.1.sh –keyserver
hkp://keyserver.ubuntu.com:80
–recv-keys
BBEBDCB318AD50EC6865090613B00F1FD2C19886
gpg: requesting key D2C19886 from hkp server keyserver.ubuntu.com
gpg: key D2C19886: public key “Spotify Public Repository Signing Key <operations@spotify.com>” imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

tux@freelinux:~$ echo deb http://repository.spotify.com stable non-free | sudo tee /etc/apt/sources.list.d/spotify.list
Swipe your finger across the fingerprint reader
deb http://repository.spotify.com stable non-free

tux@freelinux:~$ sudo apt-get update
Hit:1 http://sg.archive.ubuntu.com/ubuntu xenial InRelease
Get:2 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Get:3 http://sg.archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB]
Hit:4 http://ppa.launchpad.net/fingerprint/fingerprint-gui/ubuntu xenial InRelease
Hit:5 http://ppa.launchpad.net/fingerprint/fprint/ubuntu xenial InRelease
Get:6 http://repository.spotify.com stable InRelease [3,302 B]
Get:7 http://sg.archive.ubuntu.com/ubuntu xenial-backports InRelease [102 kB]
Hit:8 http://ppa.launchpad.net/gns3/ppa/ubuntu xenial InRelease
Hit:9 http://ppa.launchpad.net/webupd8team/sublime-text-3/ubuntu xenial InRelease
Get:10 http://repository.spotify.com stable/non-free amd64 Packages [1,592 B]
Get:11 http://repository.spotify.com stable/non-free i386 Packages [1,136 B]
Ign:12 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:13 http://dl.google.com/linux/chrome/deb stable Release
Fetched 313 kB in 10s (29.5 kB/s)
Reading package lists… Done

tux@freelinux:~$ sudo apt-get install spotify-client
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages were automatically installed and are no longer required:
kde-l10n-engb ubuntu-core-launcher
Use ‘sudo apt autoremove’ to remove them.
Recommended packages:
libavcodec54 | libavcodec-extra-54 libavformat54
The following NEW packages will be installed:
spotify-client
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 71.7 MB of archives.
After this operation, 166 MB of additional disk space will be used.
Get:1 http://repository.spotify.com stable/non-free amd64 spotify-client amd64 1:1.0.44.100.ga60c0ce1-89 [71.7 MB]
Fetched 71.7 MB in 2min 4s (577 kB/s)
Selecting previously unselected package spotify-client.
(Reading database … 226829 files and directories currently installed.)
Preparing to unpack …/spotify-client_1%3a1.0.44.100.ga60c0ce1-89_amd64.deb …
Unpacking spotify-client (1:1.0.44.100.ga60c0ce1-89) …
Setting up spotify-client (1:1.0.44.100.ga60c0ce1-89) …

tux@freelinux:~$
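The four steps above trust whatever key the keyserver returns for the requested fingerprint and then let that key sign any repository on the system. As an added example (not code from the original post), the script below does the same job with two checks a practitioner would want: it re-reads the full fingerprint of the imported key and compares it against the one the post gives, and it writes the sources entry with the signed-by option so the key is only trusted for the Spotify repository. The keyring path under /usr/share/keyrings is an assumed conventional location, not something the post specifies. The pure helpers run offline; the live network and sudo steps only run when the script is invoked with --run.

```shell
#!/bin/sh
# Added example, not the original post's commands: import the Spotify
# repository signing key into a dedicated keyring and verify its full
# fingerprint before trusting the repository.

# Expected fingerprint, taken from the apt-key command in the post above.
EXPECTED_FPR="BBEBDCB318AD50EC6865090613B00F1FD2C19886"

# Assumed keyring location (conventional layout, not given by the post).
KEYRING="/usr/share/keyrings/spotify-archive-keyring.gpg"

# Normalise a fingerprint for comparison: drop spaces, upper-case the hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Pull the first full fingerprint out of `gpg --with-colons` output on stdin
# (field 10 of an "fpr" record).
extract_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 when the given fingerprint matches EXPECTED_FPR, 1 otherwise.
verify_fpr() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# sources.list line that restricts this repository to the dedicated keyring.
spotify_sources_line() {
    printf 'deb [signed-by=%s] http://repository.spotify.com stable non-free\n' "$KEYRING"
}

# Live steps: only run when explicitly requested (./script.sh --run).
if [ "${1:-}" = "--run" ]; then
    tmpdir=$(mktemp -d)
    # Fetch by full fingerprint into a throwaway GnuPG home, not the system keyring.
    gpg --homedir "$tmpdir" --keyserver hkp://keyserver.ubuntu.com:80 \
        --recv-keys "$EXPECTED_FPR"
    actual=$(gpg --homedir "$tmpdir" --with-colons --fingerprint "$EXPECTED_FPR" | extract_fpr)
    if ! verify_fpr "$actual"; then
        echo "fingerprint mismatch: got '$actual'" >&2
        rm -rf "$tmpdir"
        exit 1
    fi
    # Export the verified key and install it as the repository's own keyring.
    gpg --homedir "$tmpdir" --export "$EXPECTED_FPR" | sudo tee "$KEYRING" >/dev/null
    spotify_sources_line | sudo tee /etc/apt/sources.list.d/spotify.list
    rm -rf "$tmpdir"
    sudo apt-get update && sudo apt-get install spotify-client
fi
```

The signed-by form is what apt's own documentation recommends in place of the global apt-key trust store; if the key the keyserver hands back does not carry the fingerprint from the post, the script stops before anything touches /etc/apt.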



Quick Tip: Create GNS3 Launcher in Ubuntu Linux


After installing GNS3 (Graphical Network Simulator 3) in Ubuntu Linux, you can run it with the command "gns3", but it does not come with a default launcher or shortcut. To get a shortcut you can place on your launcher bar or dock, follow these steps:

1. Go to /usr/share/applications folder

tux@freelinux:~$ cd /usr/share/applications

2. Create a file with the extension "desktop", e.g. gns3.desktop, and fill in the desktop entries as shown below. The contents are quite self-explanatory. Save and exit.

tux@freelinux:/usr/share/applications$ sudo vi gns3.desktop

[Desktop Entry]
Name=GNS3
Comment=GNS3 Network Simulator
Exec=/usr/bin/gns3
Icon=/home/tux/GNS3/gns3-icon.png
Terminal=false
Type=Application
Encoding=UTF-8
Categories=Application;

3. Search for the launcher under Applications
Enjoy!
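The launcher above is written as root into /usr/share/applications, which makes it visible to every account on the machine. As an added example (not from the original post), the script below generates the same kind of entry, checks that the Exec target really is an executable and that an absolute Icon path exists (a launcher that points at the wrong binary fails silently from the desktop), and installs it under the current user's ~/.local/share/applications instead, so no sudo is needed. The per-user path and the Categories=Network; value are choices made here, not the post's.

```shell
#!/bin/sh
# Added example, not the original post's file: build, check and install a
# per-user .desktop launcher for a command-line program such as gns3.

# Print a desktop entry for NAME running EXEC_PATH with ICON.
make_desktop_entry() {
    name=$1; exec_path=$2; icon=$3
    printf '[Desktop Entry]\n'
    printf 'Type=Application\n'
    printf 'Name=%s\n' "$name"
    printf 'Comment=%s\n' "$name launcher"
    printf 'Exec=%s\n' "$exec_path"
    printf 'Icon=%s\n' "$icon"
    printf 'Terminal=false\n'
    printf 'Categories=Network;\n'   # chosen here; the post uses Application;
}

# Print the value of KEY from desktop entry FILE (empty when absent).
desktop_key() {
    awk -F= -v key="$2" '$1 == key { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# Return 0 when FILE is an Application whose Exec target is an existing
# executable and whose Icon, if given as an absolute path, exists.
check_desktop_entry() {
    file=$1
    [ "$(desktop_key "$file" Type)" = "Application" ] || { echo "not Type=Application" >&2; return 1; }
    exe=$(desktop_key "$file" Exec | awk '{ print $1 }')
    [ -n "$exe" ] && [ -x "$exe" ] || { echo "Exec target not executable: '$exe'" >&2; return 1; }
    icon=$(desktop_key "$file" Icon)
    case $icon in
        /*) [ -f "$icon" ] || { echo "icon missing: $icon" >&2; return 1; } ;;
    esac
    return 0
}

# Copy FILE into the per-user applications directory with safe permissions.
install_user_launcher() {
    dest="${XDG_DATA_HOME:-$HOME/.local/share}/applications"
    mkdir -p "$dest"
    cp "$1" "$dest/$(basename "$1")"
    chmod 644 "$dest/$(basename "$1")"
}

# Live run (./script.sh --run): same paths as the post's gns3.desktop.
if [ "${1:-}" = "--run" ]; then
    tmp=$(mktemp -d); f="$tmp/gns3.desktop"
    make_desktop_entry GNS3 /usr/bin/gns3 "$HOME/GNS3/gns3-icon.png" > "$f"
    check_desktop_entry "$f" && install_user_launcher "$f"
    rm -rf "$tmp"
fi
```

If the desktop-file-utils package is installed (it appears in the Sublime Text log earlier on this page), desktop-file-validate gns3.desktop gives a stricter spec-level check than the sanity test here.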
