:::: MENU ::::

Home

  • Nov 21 / 2017
  • 0
Linux

Generate a CSR with openssl

Generate a CSR (Certificate Signing Request) on your server when you want to get a certificate from a certified provider is often a mandatory step, very easy to execute.

Here are the different steps to execute:

  1. Create a specific directory where you will put all your files
    mkdir sub.domain.com && cd sub.domain.com
  2. Generate a private key of 2048 bits
     openssl genrsa -out sub.domain.com.key 2048
  3. Now generate a CSR with openssl and with the private key you just generated
    openssl req -new -sha256 -key sub.domain.com.key -out sub.domain.com.csr

    Many information will be asked during the creation:

    Country Name (2 letter code) []: 
    State or Province Name (full name) []:
    Locality Name (eg, city) []:
    Organization Name (eg, company) []:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:
    Email Address []:
    A challenge password []:
    An optional company name []:
  4. You now have your CSR and your private key

It’s up to you to get your signed certificate from an official provider using those files.

  • Nov 02 / 2017
  • 0
Linux

Change or remove password expiration for linux user

It can happen that you’re getting that message when trying to connect to your linux server:

You are required to change your password immediately (password aged)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user mylinuxuser.
(current) UNIX password:

The message is quite explicit and you need to update your password right now.

If you don’t want to update your password too many times, you can update the frequency of the expiration to 90 days for example:

chage -M 90 mylinuxuser

Or you can completely disable the expiration by pushing the max value for expiration date to 99999 days:

chage -m 0 -M 99999 -I -1 -E -1 mylinuxuser
  • Oct 18 / 2017
  • 0
Linux

Update CA trusted root certificates on Linux server

If you’re getting many “unstrusted issuer” alerts in your app logs, it might be due to some CA trusted certificates outdated.
To fix that, just perform an update:

For Ubuntu/Debian

update-ca-certificates

For CentOS/RedHat

update-ca-trust extract
  • Oct 04 / 2017
  • 0
Linux

Write multiple lines to file in bash (script)

If you need to push multiple lines to one file through a bash script, you can simply use that syntax:

cat > /etc/ntp.conf << _NTPconf_
  server 1.2.3.4
  server 5.6.7.8
_NTPconf_

Tip: Be aware that if you’re using indentation, last line should not be indented (this would lead you to some errors).

If you want to add line instead of overwriting file (like we did in the previous example), just replace the “>” with “>>” after¬†cat command.

cat >> /etc/ntp.conf << _NTPconf_
  server 1.2.3.4
  server 5.6.7.8
_NTPconf_
  • Sep 09 / 2017
  • 0
Linux

Find IPs connecting to a postfix server through logs

There’s no easy way to list all the IPs connecting to your postfix server for sending mail. But you can easily extract them from all your postfix logs.

For our example, we will consider the logs from postfix to be as default and located in /var/log/maillog

Here is what a postfix log look like when a connection is received:

Sep  1 10:22:32 mail-server-01 postfix/smtpd[700]: connect from ha-lb-03[10.10.1.3]

For extracting exclusively the IPs, we will use a combination of commands:

$ grep " connect from " /var/log/maillog |cut -d '[' -f3 |cut -d ']' -f1 |sort -u
  • grep ” connect from ” /var/log/maillog will extract every lines containing a connection attempt
  • cut -d ‘[‘ -f3 |cut -d ‘]’ -f1 will extract the IP from the line (which is contained between [] )
  • sort -u will sort the output by unique values

Here is what we will get as a result once the command is executed (nothing will appear until it finished):

$ grep " connect from " /var/log/maillog |cut -d '[' -f3 |cut -d ']' -f1 |sort -u
10.10.1.1
10.10.1.2
10.10.1.3
10.20.4.4
10.20.4.8
10.250.250.250
127.0.0.1

You can obviously re-use this command for any log file that you want to filter out by updating the filtering.

  • Aug 02 / 2017
  • 0
Linux

Connect to serial/console terminal with MacOS using screen

It’s possible to connect to serial console with MacOS without using a specific app but only screen.

First, you need to find the correct device you will use to connect to the serial console. Depending on your installation and your adapter, you’ll can find it under different names with one these commands:

$ ls /dev*/usb*
ls: /dev*/usb*: No such file or directory
$ ls /dev/tty*usb*
tty.usbserial

Here, we can see that our device is available on /dev/tty.usbserial

If you have any doubt with the screen command, you can check the documentation, with the specific part regarding the console connection:

If  a  tty  (character  special  device)  name  (e.g.  "/dev/ttya") is specified as the first parameter, then the window is directly connected to this device.  This window type is similar to "screen cu -l /dev/ttya".  Read and write access is required on the device node, an exclusive open is attempted on the node to mark the connection line as busy. An optional parameter is allowed consisting of a comma separated list of flags in the notation used by stty(1):
    [1200,9600,19200] - First parameter is the baud rate        
        Usually 300, 1200, 9600 or 19200. This affects transmission as well as receive speed.
    cs8 or cs7
        Specify the transmission of eight (or seven) bits per byte.
    ixon or -ixon
        Enables (or disables) software flow-control (CTRL-S/CTRL-Q) for sending data.
    ixoff or -ixon
        Enables (or disables) software flow-control for receiving data.
    istrip or -istrip
        Clear (or keep) the eight bit in each received byte.

For example, if you want to connect to serial port with those parameters:

  • 9600 bps
  • 8 data bits
  • flow control

You can just use this command:

$ screen /dev/tty.usbserial 9600,cs8,ixon

Hint: Note that if you’re using a specific adapter (like an adapter DB9/RS232 to USB), you will probably need to install the driver first to get the device available.

Pages:1234567...18
Question ? Contact