Tikejhya: Ashish Nepal

Knowledgebase

Month: July 2012 (Page 1 of 3)

sed between pattern

sed -i "/start/,/end/{/start/b;/end/b;s/^/#/}" filename.txt

This comments out every line that lies between a line matching `start` and the next line matching `end`, leaving the two marker lines themselves untouched: inside the range, `b` branches to the end of the script for the marker lines, so only the lines in between get the `#` prefix. `-i` rewrites the file in place, so run it once without `-i` to check the output first. The range is selected by regular expression, so a `start` pattern that also matches further down the file opens another range there.
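The one-liner above wrapped in a function, with the inclusive variant beside it and both run on a constructed sample file, as an added example that is not part of the original post (the function names and the sample file are mine):

```bash
#!/bin/sh
# Added example; not from the original post. It wraps the sed one-liner in
# a function, adds the inclusive variant, and runs both on a constructed
# file so the difference between the two forms is visible.

# comment_between START END FILE: prefix every line between the first line
# matching START and the next line matching END with '#', leaving the two
# marker lines untouched. Output goes to stdout (no -i), so FILE is not
# modified; redirect or add -i once the result looks right.
comment_between() {
    sed "/$1/,/$2/{/$1/b;/$2/b;s/^/#/;}" "$3"
}

# comment_between_inclusive START END FILE: same, but the marker lines are
# commented as well (no branch-out for the boundary lines).
comment_between_inclusive() {
    sed "/$1/,/$2/s/^/#/" "$3"
}

# make_sample FILE: a small constructed config with one marked block.
make_sample() {
    cat > "$1" <<'EOF'
keep1
start
a
b
end
keep2
EOF
}

f=$(mktemp)
make_sample "$f"
echo "--- exclusive (markers untouched) ---"; comment_between start end "$f"
echo "--- inclusive (markers commented) ---"; comment_between_inclusive start end "$f"
rm -f "$f"
```

The `b` with no label is a GNU sed extension when followed by `;`; on a BSD sed the branch command must be terminated by a newline instead.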

Bash Readline


#!/bin/bash
# Read a queue file line by line on file descriptor 9, echo each line
# (the "send im" hook goes where the comment is), log it, then empty the file.
filename=$1
ts=$(date)                      # $ts was never set in the original script; set it here

echo "Log Start $ts" >> sentMessageLog.txt
exec 9<"$filename"
while read -r -u9 line
do
    echo " $line"
    #send im
    echo "$line" >> sentMessageLog.txt
done
exec 9<&-                       # close the descriptor again
echo "" > "$filename"           # truncate the queue file once everything is sent
echo "Log End for $ts" >> sentMessageLog.txt

fsck


Unable to boot CentOS

***An error occurred during the file system check.
***Dropping you to a shell; the system will reboot
***when you leave the shell.
Give root password for maintenance
(or type Control-D to continue):

Solution:
On many occasions when the filesystem is corrupted, simply running `fsck` on the affected filesystem does the trick. Run it against the device while it is unmounted (in this maintenance shell the root filesystem is normally mounted read-only), answer the repair prompts or pass `-y` to accept them all, and reboot afterwards. `fsck -n` first shows what would be changed without writing anything.

Asterisk If Else extension.conf

Asterisk Log, Asterisk If Else then conditions, Asterisk System command

//Setting the CALLERID name from the caller number
//This works if we have entries in the Asterisk DB,
//which can be listed with *CLI> database show cidname
exten=> _.,n,Set(CALLERID(name)=${DB(cidname/${CALLERID(num)})})

// If/else in the dialplan with IF(): compare the dialled number and pick a label
exten=> _.,n,Set(foo=${IF($[ ${CALLERID(dnid)} = 44111111111]?customer_a:${IF($[ ${CALLERID(dnid)} = 4422222222]?Customer_b:Customer_c)})})

//The same value can also be shown with NoOp
//Logging or echoing a variable
exten=> _.,n,Log(NOTICE, "Callerid TO: ${CALLERID(to)}")

//Running a command from the dialplan (Bash)
exten=> _.,n,System(/etc/asterisk/my_script.sh)

Sample:

Pre-Routing: conditional messaging.

[context]

exten=> _.,1,NoOp(Incoming Call)

exten=> _.,n,Set(CALLERID(name)=${DB(cidname/${CALLERID(num)})})

exten=> _.,n,Set(foo=${IF($[ ${CALLERID(dnid)} = 012345678]?Client1:${IF($[ ${CALLERID(dnid)} = 234567]?Client2:Client3)})})
exten=> _.,n,Set(bar=${IF($[ ${CALLERID(dnid)} = 45464554645]?SomeOne:${IF($[ ${CALLERID(dnid)} = 4654758]?SomeTwo:SomeThree)})})

exten=> _.,n,Log(NOTICE, "Callerid TO: ${CALLERID(to)}")

exten=> _.,n,System(/etc/asterisk/sendim.sh ${bar} 'There is an Incoming call From ${CALLERID(name)} Caller Id: ${CALLERID(num)} \n Customer trying to reach ${foo}')

exten=> _.,n,NoOp(Sending to PSTN Now)
exten=> _.,n,Goto(from-pstn,${EXTEN},1)

One caution on the System() line: ${CALLERID(name)} and ${CALLERID(num)} are supplied by the caller (on SIP they come straight from the From header, and the DB lookup above only replaces the name when there is an entry for the number), and System() hands the expanded string to /bin/sh. A caller name containing a single quote ends the quoted message, and whatever follows it runs as a shell command on the PBX. Reduce the value to a safe character set with the FILTER() dialplan function before it reaches System(), or pass such values through AGI instead of a shell command line.
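What that quoting problem looks like, and what the whitelist buys, as an added example that is not code from the post or from Asterisk. It assumes the dialplan fix `Set(CALLERID(name)=${FILTER(a-zA-Z0-9 ,${CALLERID(name)})})` placed before the System() line; the shell function `sanitize_name` below does the same filtering. The real /etc/asterisk/sendim.sh is not shown on the page, so a stub that only prints its argument count stands in for it, and the crafted caller name is constructed for the demonstration:

```bash
#!/bin/sh
# Added example; not from the original post. It reproduces what happens when
# the System() line is expanded with a caller-controlled name, and what
# whitelisting the name (Asterisk's FILTER() function) changes. The real
# /etc/asterisk/sendim.sh is not shown on the page, so a stub that only
# prints how many arguments it received stands in for it.

# make_stub: write the stand-in sendim.sh and print its path.
make_stub() {
    stub=$(mktemp)
    printf '#!/bin/sh\necho "$#"\n' > "$stub"
    echo "$stub"
}

# build_cmd SCRIPT RECIPIENT NAME NUM: the textual substitution Asterisk does
# before System() runs, for
#   sh SCRIPT ${bar} 'There is an Incoming call From ${CALLERID(name)} Caller Id: ${CALLERID(num)}'
# (the stub is run via "sh" so it needs no execute bit).
build_cmd() {
    printf "sh %s %s 'There is an Incoming call From %s Caller Id: %s'" "$1" "$2" "$3" "$4"
}

# run_as_system CMD: System() passes the expanded string to /bin/sh -c.
run_as_system() {
    sh -c "$1"
}

# sanitize_name NAME: shell equivalent of FILTER(a-zA-Z0-9 ,NAME); only
# letters, digits and spaces survive, so no quote or ';' reaches the shell.
sanitize_name() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9 '
}

# system_output NAME: everything the shell prints for a given caller name.
# A single line "2" means the stub ran once with two arguments, as intended.
system_output() {
    stub=$(make_stub)
    run_as_system "$(build_cmd "$stub" Client1 "$1" 1234)"
    rm -f "$stub"
}

# Constructed caller name: closes the single-quoted message, runs an extra
# command, then re-opens a quote so the rest of the line still parses.
BAD_NAME="Mallory' ; echo INJECTED ; echo '"

echo "--- benign name ---";              system_output "Alice Smith"
echo "--- crafted name, unfiltered ---";  system_output "$BAD_NAME"
echo "--- crafted name, filtered ---";    system_output "$(sanitize_name "$BAD_NAME")"
```

With the crafted name the shell runs three commands (the stub, the injected `echo`, and a second `echo` for the tail of the message); after filtering, the whole message is again one argument and the stub is the only command executed.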

Iptables Rules

play safe with iptables:

It is always good to have these three lines at the top of the INPUT chain:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

The first one accepts the replies to connections this host already opened, and the loopback rule keeps local services talking to each other; without them a restrictive ruleset below locks out the host's own traffic.

NEW – the packet starts a new connection (a client's first SYN, or the first UDP datagram of a flow)
ESTABLISHED – the packet belongs to a connection that has already seen traffic in both directions
RELATED – the packet starts a new connection that is associated with an existing one (an FTP data connection, an ICMP error for a tracked flow)
INVALID – the packet cannot be matched to any known connection (a stray ACK, a malformed packet); if none of the three states above apply, it is INVALID.

# Accept Anything from given ip

-A INPUT -s 192.168.1.1 -j ACCEPT

# Accept on certain port

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Block everything from certain ip

-A INPUT -s 11.11.11.11 -j DROP

# open multiports in same line

-A INPUT -p tcp -m multiport --dports 25,53,80,110,143,443,465,587,993,995 -j ACCEPT

#Block Everything Else (keep this as the very last INPUT rule: -A appends, so any rule added after it is never evaluated; the snippets that follow are separate building blocks to be placed above it, not a continuation)

-A INPUT -j REJECT --reject-with icmp-host-prohibited

# Squid; transparent redirect of web traffic to the proxy on 3128 for every client except 192.168.1.85 (nat table, so these go under *nat on a gateway with forwarding enabled). Redirecting 443 this way only works if Squid is configured for TLS interception (ssl-bump); a plain http_port 3128 cannot serve raw TLS, and clients will see the proxy's certificate rather than the site's.

-A PREROUTING ! -s 192.168.1.85/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING ! -s 192.168.1.85/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128


#ossec (agent/server traffic on 1514; UDP by default, TCP only if configured). The two --sport rules accept any packet whose sender chose source port 1514, which anyone can do, and they are redundant with the ESTABLISHED,RELATED rule above; the --dport rules are the ones that matter on the server.
-A INPUT -i eth0 -p tcp -m tcp --sport 1514 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 1514 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1514 -j ACCEPT

# Drop packets whose source or destination is a private (RFC 1918), link-local, loopback, multicast, reserved or "this network" address: arriving on the public interface eth0 they can only be spoofed. 192.168.0.0/16 is absent from this list because rules above accept 192.168.1.1; add it if nothing legitimate reaches eth0 from that range.
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP

# Allow most ICMP packets to be received (so people can check our
# presence), but rate-limit them to blunt ping floods. With the
# unconditional "-p icmp -j ACCEPT" from the top of this page in place
# these three rules never match; use one approach or the other.
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

############## Drop Invalid Packets #################################################
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP

############# Block anything beyond 2 new connections per second, per source #############

# Protect against SYN floods by rate limiting the number of new
# connections from any single host to 2 per second. This does *not* do rate
# limiting overall, because then someone could easily shut us down by
# saturating the limit. The --set rule records the source address; the two
# --update rules fire once the same source has hit twice inside 1 second.
-A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --set
-A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --update --seconds 1 --hitcount 2 -j LOG --log-prefix "ipt: SATUR"
-A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --update --seconds 1 --hitcount 2 -j DROP

# The synflood rules above cover every port; the three below apply a looser limit (40 new connections per 2 seconds, per source) to ports 80 and 443 only. Here the --set rule comes last, after the --update checks. A busy NAT gateway or proxy will exceed 40 connections per 2 seconds legitimately, so tune the numbers before enabling this.
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,443 -m recent --update --seconds 2 --hitcount 40 --name http_flood --rsource -j LOG --log-prefix "ipt: SFLOOD"
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,443 -m recent --update --seconds 2 --hitcount 40 --name http_flood --rsource -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,443 -m recent --set --name http_flood --rsource

# Anyone who tried to portscan us is locked out for an entire day. As listed, nothing ever adds an address to the "portscan" list: a rule that records hits on unused ports with "-m recent --name portscan --set", placed before the final REJECT, is needed for these four to have any effect.
-A INPUT -m recent --name portscan --rcheck --seconds 86400 -j LOG --log-prefix "ipt: Portscan"
-A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP

-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j LOG --log-prefix "ipt: Portscan"
-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

############## Incomming packet should always have SYN Packet########################
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

################################## DROP INVALID SYN PACKETS##########################
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "ipt: ALLI"
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP

# Drop bogus TCP packets
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Let's see if this affects legitimate traffic: RST limited to 2 per second.
# Rate-limit incoming RST packets so a burst of forged resets does not tear
# down connections before the next real data packet in the sequence has a
# chance to arrive. This rule only ACCEPTs the first 2 per second; what
# happens to the excess depends on the rules after it, so add a matching
# DROP if the intent is to discard them.
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

################ Incoming malformed XMAS packets drop them:##########################
-A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "ipt: XMAS"
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

################## Drop all NULL packets############################################
################## Incoming malformed NULL packets:#################################
-A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "ipt: NULL"
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP

############ Block fragments ####################################
# (with connection tracking loaded the kernel reassembles fragments before the filter table sees them, so -f rarely matches; the rules do no harm)
-A INPUT -i eth0 -f -j LOG --log-prefix "ipt: Frags"
-A INPUT -i eth0 -f -j DROP

# Same test as the NULL check above, written out flag by flag (FIN,SYN,RST,PSH,ACK,URG NONE is ALL NONE); harmless but redundant
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "ipt: NONE"
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
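Two of the points above (a rule written after the catch-all REJECT is dead, and an ACCEPT keyed only on --sport is spoofable) can be checked mechanically over a rule file before it is loaded. The script below is an added example, not from the original post or from the iptables project; it lints an iptables-save style file and runs on a constructed sample that repeats the ordering of the rules on this page (the function names are mine):

```bash
#!/bin/sh
# Added example; not from the original post. Two checks to run over a rule
# file in iptables-save format before loading it with iptables-restore:
#  1. -A appends, so every INPUT rule written after a catch-all
#     "-A INPUT -j REJECT/DROP" is never evaluated; list those.
#  2. An ACCEPT keyed only on --sport trusts a value the sender chooses, so
#     anyone can reach any port by sending from that source port; list those.
# The sample rule file is constructed here and mirrors the order above.

# unreachable_rules FILE: INPUT rules that follow the first catch-all
# REJECT/DROP in the INPUT chain (a catch-all has no match between the
# chain name and -j).
unreachable_rules() {
    awk '
        /^-A INPUT -j (DROP|REJECT)/ { if (!sealed) { sealed = 1; next } }
        sealed && /^-A INPUT / { print }
    ' "$1"
}

# sport_only_accepts FILE: INPUT ACCEPT rules that match on --sport but not
# on --dport (spoofable; with ESTABLISHED,RELATED at the top they are also
# unnecessary for reply traffic).
sport_only_accepts() {
    grep -E -- '^-A INPUT .*--sport [0-9:]+.*-j ACCEPT' "$1" | grep -v -- '--dport' || true
}

# write_sample FILE: constructed ruleset, rules taken from the list above,
# with the OSSEC rules placed after the catch-all as they appear on the page.
write_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i eth0 -p udp -m udp --sport 1514 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1514 -j ACCEPT
COMMIT
EOF
}

f=$(mktemp)
write_sample "$f"
echo "--- unreachable (after the catch-all REJECT) ---"; unreachable_rules "$f"
echo "--- accept keyed on source port only ---";        sport_only_accepts "$f"
rm -f "$f"
```

Run it against the output of `iptables-save` on the live host as well; the counters from `iptables -L INPUT -nvx` tell the same story at runtime (a rule behind the catch-all stays at 0 packets forever).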

Upgrade Python

If a package requires a newer Python, upgrading is awkward because removing the system python pulls out everything that depends on it.

One workaround is to point the symlink at the newer interpreter:

[root@ tikejhya]# ll /usr/bin/python*
-rwxr-xr-x 2 root root 8304 Feb 2 21:06 /usr/bin/python
lrwxrwxrwx 1 root root 6 Apr 7 19:30 /usr/bin/python2 -> python
-rwxr-xr-x 2 root root 8304 Feb 2 21:06 /usr/bin/python2.4
-rwxr-xr-x 2 root root 4736 Apr 2 22:00 /usr/bin/python26

Remove the symlink:
[root@tikejhya]# rm /usr/bin/python2

then move 2.6 into place as python (the binary is listed as python26 above), or create a symlink named python pointing at it:
[root@tikejhya]# mv python2.6 python

Caveat: on this CentOS release yum itself runs on the 2.4 interpreter, so overwriting /usr/bin/python (a hard link to python2.4, link count 2 in the listing) breaks yum. The safer route is to leave /usr/bin/python alone and call /usr/bin/python26 explicitly, or put it in the shebang of the scripts that need 2.6.

Glusterfs Centos

Assuming you have the build dependencies installed:

yum install bison flex openssl openssl-devel fuse-devel fuse python-ctypes

Read the background before you start; it is in the GlusterFS administrator documentation.
GlusterFS has its own CLI:

gluster volume help | grep "something"

Base3.ashish.com (Gluster Server)

//checking peer status
gluster peer status
// probing the other machine (NOTE: do not probe localhost)
gluster peer probe base2.ashish.com
// Volume create (more bricks can be added later with "add-brick")
gluster volume create cloud-share transport tcp base2.ashish.com:/cloud
// start the volume created above
gluster volume start cloud-share
// Adding another brick (on this machine or any other peer)
gluster volume add-brick cloud-share base3.ashish.com:/cloud/

// Rebalancing content (only required if you add a brick while the existing brick already holds a large amount of data)

gluster volume rebalance cloud-share fix-layout start
gluster volume rebalance cloud-share fix-layout status

IPTABLES for Glusterfs

# Gluster Server (24007 is glusterd's management port; in this 3.x generation each brick takes the next port from 24009 upward, so widen the range if you run more than a dozen or so bricks, and note GlusterFS 3.4 moved brick ports to 49152 and up). GlusterFS has no authentication of its own beyond the auth.allow volume option, so restricting by source subnet as here is what keeps the bricks off the open network.

-A INPUT -p tcp -m tcp -s 111.11.111.0/24 --dport 24007:24024 -j ACCEPT
-A INPUT -p udp -m udp -s 111.11.111.0/24 --dport 24007:24024 -j ACCEPT

Base1 (the client: i.e. I am looking to expand into, or use, the space exported by the gluster bricks from base1)

gluster peer status
service glusterd restart
# mount the volume once to check that it works
mount -t glusterfs base3.ashish.com:/cloud-share /data
# keep the existing local directory aside and re-mount the volume in its place
mkdir filesys
mv filesys filesys_orig
umount /data/
mkdir /filesys;mount -t glusterfs base3.ashish.com:/cloud-share /filesys
cd /filesys
# copy the old contents onto the gluster mount
rsync -Pzarv /filesys_orig/* /filesys/
mount -o remount /filesys
umount -l /filesys
mount -t glusterfs base3.ashish.com:/cloud-share /filesys
# a test file to confirm that writes land on the volume
touch 51gbwala
umount -l /filesys
# the volume can be mounted from any peer, not only the one it was created on
mount -t glusterfs base2.ashish.com:/cloud-share /filesys

Setting quota..

gluster volume quota cloud-share enable
gluster volume quota cloud-share limit-usage / 1GB

gluster volume quota cloud-share list

Problems: Potential Solutions

Uuid: 00000000-0000-0000-0000-000000000000 shown in peer status

First detach the new nodes using
gluster peer detach
check service iptables status => make sure it is not a
firewall issue.
Ping test with the relevant hosts.
restart /etc/init.d/glusterd

GlusterFS: {path} or a prefix of it is already part of a volume

setfattr -x trusted.glusterfs.volume-id /path/to/share

(The brick directory remembers the volume it belonged to in an extended attribute; removing that attribute lets the directory be reused. `getfattr -d -m . /path/to/share` lists what is left: if trusted.gfid is still present, remove it as well, together with the .glusterfs directory inside the brick.)

Problem
configure: error: OpenSSL crypto library is required to build glusterfs

Solution

yum install openssl
yum install openssl-devel

And sometimes patience is the keyword. LOL
(I would recommend turning off iptables and ensuring things work first; if everything works, start iptables accordingly.)

GlusterFS gets weird if you delete and recreate volumes again and again; you might have to change the volume name, the share directory and so on (the volume-id attribute above is the reason).

###############################################################

Removing a Brick.

If you want to remove a brick (one of the servers):

gluster volume info all

pay attention to the Volume Name and the brick name you want to remove

i.e. gluster volume remove-brick [Volume name] [brick name]
gluster volume remove-brick cloud-share base2.ashish.com:/share

Note: Clients will stop sending data to this brick whether the volume is replicated, striped or distributed. There is no need to worry about retrieving files: they stay in the brick directory on that server. In a distributed volume, though, files that lived only on that brick disappear from the mount until you copy them back in through it.

###########################################################################

[It is always recommended to take a manual backup and rsync it back to the mount point afterwards. I have not completed a large test, but changing the type of a gluster volume might lose data integrity (converting striped to replicated could be fine, but I personally doubt replicated to striped).]

Changing Storage type: From Distributed to striped.

We will have to stop the volume and delete it (no need to worry, this does not remove the data from the bricks).

gluster volume stop cloud-share
Stopping volume will make its data inaccessible. Do you want to continue? (y/n) y
Stopping volume cloud-share has been successful

gluster volume delete cloud-share

[root@base3 /]# gluster volume info all
[This should output]
No volumes present

[root@base3 /]# gluster volume create cloud-share stripe 2 transport tcp base2.ashish.com:/share base3.ashish.com:/share
Creation of volume cloud-share has been successful. Please start the volume to access data.

[root@base3 /]# gluster volume start cloud-share
Starting volume cloud-share has been successful

If you want, umount -l /newmount and mount -a,
assuming you have fstab edited.

From now on, files written through the mount are striped equally across the bricks. Whatever was already sitting in the brick directories is not restriped by recreating the volume, which is why the backup and restore below is needed.

// To be on the safe side
rsync -Pzarv /share/* /share_bak

// remove everything, as we have a copy in share_bak
rm -rf /share/*

Now those files can be rsynced back to the mounted location to restore them; otherwise they can be ignored, depending on how critical the data is. Of course it is assumed that we plan early whether we want to stripe or distribute, rather than converting after the volume is in use.

To sum up, data now kept in the mount point should be distributed almost equally.

###########################################################################

Changing Storage type: From Distributed to replicated

Same as before when moving from distributed to striped: back up the data first, wherever you have the space for it.

mkdir /newmount_bak; rsync -Pzarv /newmount/* /newmount_bak [or anywhere you have space]

###########################################################################

gluster volume create cloud-share replica 2 transport tcp base2.ashish.com:/share base3.ashish.com:/share
gluster volume start cloud-share

// and the same stop/delete/create cycle takes it back to striped if required
gluster volume stop cloud-share
gluster volume delete cloud-share
gluster volume create cloud-share stripe 2 transport tcp base2.ashish.com:/share base3.ashish.com:/share
gluster volume start cloud-share

##############################################################################

iptables tips and tricks

#Check statistics (packet and byte counters per rule; a rule stuck at 0 is either unneeded or unreachable)

iptables -L INPUT -nvx

# All open for a certain subnet
iptables -A INPUT -s 111.11.111.0/24 -j ACCEPT

# gluster Client
# (the two --sport rules are only needed without the ESTABLISHED,RELATED rule at the top of the chain, and an accept keyed on source port alone is spoofable; prefer the stateful rule)
-A INPUT -p tcp -m tcp -s 111.11.111.0/24 --sport 24007:24024 -j ACCEPT
-A INPUT -p udp -m udp -s 111.11.111.0/24 --sport 24007:24024 -j ACCEPT
-A INPUT -p udp -m udp -s 111.11.111.0/24 --dport 24007:24024 -j ACCEPT
-A INPUT -p tcp -m tcp -s 111.11.111.0/24 --dport 24007:24024 -j ACCEPT

# Gluster Server
-A INPUT -p tcp -m tcp -s 111.11.111.0/24 --dport 24007:24024 -j ACCEPT
-A INPUT -p udp -m udp -s 111.11.111.0/24 --dport 24007:24024 -j ACCEPT

secure asterisk server with iptables

Secure Asterisk Server

iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# This has to match the RTP port range configured in rtp.conf (rtpstart/rtpend)

iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
# SIP signalling. An unrestricted 5060 attracts constant registration and INVITE scanning; if your peers have fixed addresses add -s for them, otherwise pair this with fail2ban watching the Asterisk log.
iptables -A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
# AMI, the manager interface. Never open this to the world: restrict it with -s to the hosts that need it, or bind it to 127.0.0.1 in manager.conf.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 1720 -j ACCEPT
# 1720/tcp is H.323 call signalling; leave it out if you do not run an H.323 channel driver.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# (in practice put this stateful rule first, so replies are accepted before the per-port rules are evaluated)

And reject everything else with a final catch-all rule, as in the ruleset above.

Kayako Support Suite predefined replies

If you are using Kayako Support Suite you will most probably run into an issue with predefined replies.

Kayako Support Suite predefined replies are saved as .js files.

These files need the right ownership so the web server can write them; in my case

chown apache:ftp files/8e570da263922f43.js
[can be found under: ]

That is it. Solved.

Find files owned by certain user

find /path/to/search -user username

Find files and chown

find /path/to/search -user username -exec chown tikejhya '{}' \;

(The semicolon must be escaped, otherwise the shell consumes it and find complains about a missing argument to -exec. Ending the action with `'{}' +` instead runs one chown per batch of files, which is much faster on large trees.)
