route essential reference

Adding a route:

route add -net [net or host] gw [gw IP] netmask [mask] dev [interface]

Removing a route:

route del -net [net or host] gw [gw IP] netmask [mask] dev [interface]

Adding/removing a default route:

route add/del default gw [IP]

Listing routes using IPs:

route -n

Rejecting a specific host:

route add -host [IP] reject

fail2ban essential reference

Get the active jails:

# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd

Show the banned IPs in a jail:

# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 3
| |- Total failed:     1907
| `- File list:        /var/log/secure 
`- Actions
  |- Currently banned: 0
  |- Total banned:     381
  `- Banned IP list:

You can also list the banned IPs using iptables -L.

Unban an IP:

fail2ban-client set [JAIL] unbanip [IP]

Ban an IP:

fail2ban-client set [JAIL] banip [IP]

Log file:

/var/log/fail2ban.log
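
The status output shown above can be consumed from a script, for example to report ban counts per jail. This is an added example, not part of the original post: the function names (f2b_jails, f2b_field, f2b_report, sample_client) are hypothetical, and the sample output with its documentation-range IP addresses is constructed so the script runs without fail2ban installed.

```shell
#!/bin/sh
# Added example: summarise bans per jail from fail2ban-client status output.
# Function names are hypothetical; sample_client output is constructed.

# stdin: `fail2ban-client status` output -> one jail name per line.
f2b_jails() {
    sed -n 's/^.*Jail list:[[:space:]]*//p' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# stdin: `fail2ban-client status JAIL` output -> value of the field named in $1.
f2b_field() {
    sed -n "s/^.*$1:[[:space:]]*//p" | sed 's/[[:space:]]*$//'
}

# One summary line per jail. $1 = client command (default: fail2ban-client).
f2b_report() {
    client=${1:-fail2ban-client}
    for jail in $("$client" status | f2b_jails); do
        st=$("$client" status "$jail")
        cur=$(printf '%s\n' "$st" | f2b_field 'Currently banned')
        tot=$(printf '%s\n' "$st" | f2b_field 'Total banned')
        ips=$(printf '%s\n' "$st" | f2b_field 'Banned IP list')
        printf '%s current=%s total=%s ips=%s\n' "$jail" "$cur" "$tot" "${ips:-none}"
    done
}

# Constructed stand-in for fail2ban-client, mimicking the format shown above.
sample_client() {
    if [ "$#" -eq 1 ]; then
        cat <<'EOF'
Status
|- Number of jail: 1
`- Jail list: sshd
EOF
    else
        cat <<'EOF'
Status for the jail: sshd
|- Filter
| |- Total failed:     1907
| `- File list:        /var/log/secure
`- Actions
  |- Currently banned: 2
  |- Total banned:     381
  `- Banned IP list: 192.0.2.10 198.51.100.7
EOF
    fi
}
f2b_report sample_client
```

On a real host, call f2b_report with no argument (as root) so that it queries fail2ban-client itself.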

Updating Solaris 11

Check if there are any updates available:

pkg list -u

-u will show only the packages for which updates are available.

Check the latest package version in the repository:

pkg info -r system/zones

(Optional) Perform a dry run:

pkg update -nv

Update:

pkg update

Install or update the Certificate and Key for Solaris Support Repository

If it’s the first time using the Support Repository, you need to configure the solaris publisher with the new certificate and key found on the certificate page:

pkg set-publisher -g https://pkg.oracle.com/solaris/support/ -c pkg.oracle.com.certificate.pem -k pkg.oracle.com.key.pem solaris

To verify that the configuration has succeeded:

$ pkg publisher solaris        
Publisher: solaris
Alias:
Origin URI: https://pkg.oracle.com/solaris/support/
Origin Status: Online
SSL Key: /var/pkg/ssl/key
SSL Cert: /var/pkg/ssl/cert
Cert. Effective Date: March 19, 2020 at  9:11:27 PM
Cert. Expiration Date: March 27, 2022 at  9:11:27 PM
Client UUID: uuid
Catalog Updated: March 11, 2020 at  5:41:19 PM
Enabled: Yes

To update an expired certificate and key, run the command above without the -g switch, as the repository is already configured on the system.

Configuring rsyslog on Solaris 11

By default, Solaris uses its native syslog as the log manager:

svcs system-log
STATE          STIME    FMRI
disabled       12:07:34 svc:/system/system-log:rsyslog
online         12:08:10 svc:/system/system-log:default

If you want to use rsyslog, check if the package is installed (on my machine it’s already there):

pkg info system/rsyslog

To install it:

pkg install system/rsyslog

Now, to use rsyslog, first you have to disable the native syslog:

svcadm disable system/system-log:default

Then enable and refresh the service:

svcadm enable system/system-log:rsyslog
svcadm refresh system/system-log:rsyslog

To check the status:

svcs -p rsyslog
STATE          STIME    FMRI
online         12:10:04 svc:/system/system-log:rsyslog
               12:10:04      1199 rsyslogd

SOCKS Proxy via SSH reverse tunnel

I was working on some test servers on which access is highly restricted (only SSH over VPN) and I couldn’t ask for proxy permissions for outbound HTTP connections so I wasn’t able to use any repo needed to install or upgrade software.

My laptop can access the Internet so it could act as proxy but I didn’t know how to redirect traffic from the remote server to my local machine.

And here’s where I “met” SSH reverse tunneling, which allows you to connect via SSH to a remote server and tell it to forward all the TCP connections received on a specific port to another host.

Rundeck on openSUSE Leap

Yum RPM install is not supported on openSUSE and, if you want to use Rundeck on an openSUSE/SLES server, you must use the self-contained launcher (.war).

Issuing the java command (even if you’re just testing it) is a bit annoying for me, so I opted for a handy systemd service to manage Rundeck.

[Unit]
Description=Rundeck

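[Service]
# No User= is set: when installed as a system unit, the service runs as root.
# The relative .war path in ExecStart is resolved against WorkingDirectory.
WorkingDirectory=/home/thinkhel/lab/rundeck
ExecStart=/usr/bin/java \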
         -Xmx2g \
         -jar rundeck-systemd.war
Type=simple
Restart=on-failure
RestartSec=30

[Install]
WantedBy=multi-user.target

The -Xmx2g option sets the maximum heap size.