Setup Linux NTP daemon
Looking for a reliable NTP daemon to keep your system clock up-to-date? Look no further: OpenNTPD. The following outlines the setup of OpenNTPD on Linux.
Download the latest source from OpenNTPD.
Extract and change to the install directory.
tar xzf openntpd-3.9p1.tar.gz
cd openntpd-3.9p1
Create the user and group the ntp daemon will run as, along with the directory it will be chroot'ed to.
groupadd _ntp
useradd -g _ntp -s /sbin/nologin -d /var/empty/ntp -c 'OpenNTP daemon' _ntp
mkdir -p /var/empty/ntp
chown 0 /var/empty/ntp
chgrp 0 /var/empty/ntp
chmod 0755 /var/empty/ntp
Perform standard install from source steps. Read the INSTALL doc for more information.
./configure
make && make install
Next we'll create an init script to start/stop the daemon.
vi /etc/init.d/ntpd
#!/bin/bash
# Init script for OpenNTPD: /etc/init.d/ntpd {start|stop|restart}

NTPD_CONF=/usr/local/etc/ntpd.conf

if [ ! -f "$NTPD_CONF" ]
then
    echo "Could not find $NTPD_CONF"
    exit 1
fi

# -s : Set the time immediately at startup if the
#      local clock is off by more than 180 seconds.
PARAMS="-s"

# PID of a running ntpd, ignoring this script's parent shell.
PID=`pidof -o %PPID /usr/local/sbin/ntpd`

case "$1" in
    start)
        echo "Starting OpenNTPD"
        # Only start the daemon if it is not already running.
        [ -z "$PID" ] && /usr/local/sbin/ntpd $PARAMS
        if [ $? -gt 0 ]; then
            echo "Failed"
        else
            PID=`pidof -o %PPID /usr/local/sbin/ntpd`
            echo $PID >/var/run/openntpd.pid
            echo "Done"
        fi
        ;;
    stop)
        echo "Stopping OpenNTPD"
        # Only send a signal if a running daemon was found.
        [ ! -z "$PID" ] && kill $PID &>/dev/null
        if [ $? -gt 0 ]; then
            echo "Failed"
        else
            echo "Done"
        fi
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    *)
        echo "usage: $0 {start|stop|restart}"
esac
exit 0
Change the init script to allow for execution.
chmod a+x /etc/init.d/ntpd
Next, set up the ntpd.conf file to point to the servers you want to sync with. You can read the man page first for the syntax.
man ntpd.conf
vi /usr/local/etc/ntpd.conf
You can use this site to find a pool of servers close to you.
Finally we'll start the daemon.
/etc/init.d/ntpd start
You can view the progress of the sync using the following command.
cat /var/log/syslog | grep ntpd
You can see the progression of the clock...
Jan 7 12:02:53 pc-name ntpd[1355]: adjusting local clock by -1.462512s
Jan 7 12:05:36 pc-name ntpd[1355]: adjusting local clock by -1.429211s
Jan 7 12:08:27 pc-name ntpd[2064]: adjusting local clock by -1.362814s
Jan 7 12:12:14 pc-name ntpd[2064]: adjusting local clock by -1.302321s
Jan 7 12:16:37 pc-name ntpd[2064]: adjusting local clock by -1.199679s
Jan 7 12:20:53 pc-name ntpd[2064]: adjusting local clock by -1.119930s
Jan 7 12:24:01 pc-name ntpd[2064]: adjusting local clock by -1.076154s
Jan 7 12:25:53 pc-name ntpd[2064]: adjusting local clock by -1.002400s
Jan 7 12:28:47 pc-name ntpd[2064]: adjusting local clock by -0.946294s
Jan 7 12:31:13 pc-name ntpd[2064]: adjusting local clock by -0.926053s
Jan 7 12:33:22 pc-name ntpd[2064]: adjusting local clock by -0.867900s
Jan 7 12:35:44 pc-name ntpd[2064]: adjusting local clock by -0.819938s
Jan 7 12:37:18 pc-name ntpd[2064]: adjusting local clock by -0.787604s
Jan 7 12:38:56 pc-name ntpd[2064]: adjusting local clock by -0.717054s
Jan 7 12:42:42 pc-name ntpd[2064]: adjusting local clock by -0.653446s
Jan 7 12:45:32 pc-name ntpd[2064]: adjusting local clock by -0.599668s
Jan 7 12:47:44 pc-name ntpd[2064]: adjusting local clock by -0.512153s
Jan 7 12:51:51 pc-name ntpd[2064]: adjusting local clock by -0.472384s
Jan 7 12:54:44 pc-name ntpd[2064]: adjusting local clock by -0.397733s
Jan 7 12:57:25 pc-name ntpd[2064]: adjusting local clock by -0.335255s
Jan 7 13:00:39 pc-name ntpd[2064]: adjusting local clock by -0.275158s
Jan 7 13:03:15 pc-name ntpd[2064]: adjusting local clock by -0.222749s
Jan 7 13:06:49 pc-name ntpd[2064]: adjusting local clock by -0.197332s
Jan 7 13:09:53 pc-name ntpd[2064]: adjusting local clock by -0.175554s
Depending on how far your clock is off you may want to perform a manual update.
rdate -nv tick.usno.navy.mil
Check how far off your clock currently is.
rdate -nv tick.usno.navy.mil
Following are some troubleshooting steps...
Check for ntp connections to ntp sources
netstat -upn
Check your hardware clock isn't jumping around
hwclock --show; hwclock --show; hwclock --show; hwclock --show; hwclock --show
Another thing to note: you may not be able to set your clock if you're on a VPS server. You'll have to talk to your VPS provider to fix that. Also, don't use ntpdate in a cron job, as this will just force your clock to jump all around, whereas an ntp daemon will progressively adjust the clock to the accurate time.
Linux ntpd Sync with Windows 2008
Debian squeeze comes with ntp 4.2.6p2, which doesn't work with Windows 2008 R2 servers, as seen in this bug. To fix this, update to a newer version such as 4.2.7p326. I tried running version 4.2.6p5 but was receiving segfaults while running Debian 6.0.4 squeeze with kernel 2.6.32-5-amd64.
sudo apt-get remove ntp ntpdate
wget http://archive.ntp.org/ntp4/ntp-dev/ntp-dev-4.2.7p326.tar.gz
tar xzvf ntp-dev-4.2.7p326.tar.gz
cd ntp-dev-4.2.7p326/
./configure --enable-clockctl
make && sudo make install
You then just need to set up your init script to start ntpd.
Apache LDAP Authentication
Quick setup for using LDAP authentication in Apache with .htaccess
1. Enable the ldap module
a2enmod authnz_ldap
2. Enable .htaccess files to be read
vi /etc/apache2/sites-enabled/000-default
Set AllowOverride from 'none' to 'All' for your web directory.
3. Create a .htaccess file within the directory you're trying to set passwords on and enter the following into the file.
AuthType Basic
AuthBasicProvider ldap
AuthName "My LDAP Auth"
AuthLDAPURL "ldap://<serverIP>/o=<root>?cn"
Require ldap-group cn=<group_name>, o=<root>
Following is a real world example with secondary LDAP server:
AuthType Basic
AuthBasicProvider ldap
AuthName "My LDAP Auth"
AuthLDAPURL "ldap://192.168.1.10 192.168.1.11/ou=People, o=Facility?cn"
Require ldap-group cn=Administrators, ou=People, o=Facility
That's it. Documentation can be found on the Apache site.
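The AuthLDAPURL lines above use plain ldap://, so the bind to the directory carries the user's password unencrypted. The following check is an added example, not part of the original post: it flags such directives in .htaccess or vhost files, treating ldaps:// or mod_authnz_ldap's optional SSL, TLS or STARTTLS mode after the URL as encrypted. The function name check_ldap_transport is hypothetical.

```shell
#!/bin/sh
# Added example: flag AuthLDAPURL directives whose connection to the
# directory is not encrypted, i.e. an ldap:// URL with no SSL, TLS or
# STARTTLS mode after it. ldaps:// URLs count as encrypted.
# Usage: check_ldap_transport FILE...
# Prints "file:line: directive" per finding; returns 1 if any are found.
check_ldap_transport() {
    awk '
        # Directive names are case-insensitive. Commented-out lines do not
        # match because their first field starts with "#".
        tolower($1) == "authldapurl" {
            # The optional mode is the last field of the directive.
            mode = toupper($NF)
            gsub(/"/, "", mode)
            encrypted = (tolower($0) ~ /ldaps:\/\//) ||
                        mode == "SSL" || mode == "TLS" || mode == "STARTTLS"
            if (!encrypted) {
                printf "%s:%d: %s\n", FILENAME, FNR, $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$@"
}
```

Run it over the web root's .htaccess files, for example from a cron job or a deployment check, and treat a non-zero exit as a finding.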
Replicate using rsync
To replicate local directories
The following will replicate all files and folders in the '/home' folder to '/mnt/backup/' folder recursively.
rsync -avh --delete /home/ /mnt/backup/
To replicate to remote directories
The following will replicate all files and folders in the '/home' folder to the remote server myhost under the username bob to directory '/backup/'. The use of the progress argument will show you the status of the transfer.
rsync --progress -avhe ssh --delete /home/ bob@myhost:/backup/
You can of course automate the running of these through crontab.
Firefox and wrong ELF class error
If you're running a system that's newer than, say, 8 years, you're probably running a 64-bit processor. Now whether you're running a 64-bit OS is another story. Well, if you're like me, you probably are running a 64-bit OS, Linux of course!
Recently I had a little bit of time and wanted to make sure all my systems were up-to-date, starting with their browsers. Currently I am running Debian squeeze which comes with GNU browser Iceweasel and found out there is no recent update. However you can get the latest through Iceweasel's new name... IceCat. Well I didn't feel like using that so I decided to change to Firefox......
Printing to PDF from Adobe
To print a PDF from Adobe Reader (acroread) you will need to install the following:
sudo apt-get install cups-pdf
Along with:
sudo apt-get install cups-bsd
Without the 'cups-bsd' you will receive the following error while trying to print:
The print process returned error. Please check whether the printer is connected to the machine
After you have the above installed you should see a new printer named 'PDF'. You can now print to PDF from within Adobe Reader.
Colorize output
With some regex magic and perl we can colorize the output in console:
tail -f filename | perl -pe 's/keyword/\e[1;31;43m$&\e[0m/g'
Resize Images
The ability to resize images is an essential tool when working with the web. Here are some tools for Linux and Microsoft OS's.
Image Resizer from Microsoft PowerToys is your best bet when looking to resize images in a Windows environment.
When looking for a utility in Linux there are a slew of options. Ones I have found are from within ImageMagick:
sudo apt-get install imagemagick
Once you have this you can use one of many tools, but I find I use mogrify more often:
mogrify -resize 640 *.png
This will resize and overwrite all png images in the current directory to a scaled width of 640px. If you don't want the images to be overwritten you can use the equivalent command convert.
Firewall Stopped Logging
Your Checkpoint firewall may stop logging to the management server for any number of reasons. To restart logging, use the following commands:
Stop fwd:
cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"
Start fwd:
cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"
If successful, you should see an information message in the management tracker similar to one stating "sys_message: started logging".
You may also want to verify masters is pointing to a valid DNS/IP of your log server:
cat $FWDIR/conf/masters
List Samba Users
Using pdb we can read the SAM database of samba users. Use the following command to list the users:
$ pdbedit -w -L
Browser Display Statistics
Screen Resolution
Today, most computers are using a screen resolution of 1024x768 pixels or higher:
| Date | Higher | 1024x768 | 800x600 | 640x480 | Unknown |
|---|---|---|---|---|---|
| January 2010 | 76% | 20% | 1% | 0% | 3% |
| January 2009 | 57% | 36% | 4% | 0% | 3% |
| January 2008 | 38% | 48% | 8% | 0% | 6% |
| January 2007 | 26% | 54% | 14% | 0% | 6% |
| January 2006 | 17% | 57% | 20% | 0% | 6% |
| January 2005 | 12% | 53% | 30% | 0% | 5% |
| January 2004 | 10% | 47% | 37% | 1% | 5% |
| January 2003 | 6% | 40% | 47% | 2% | 5% |
| January 2002 | 6% | 34% | 52% | 3% | 5% |
| January 2001 | 5% | 29% | 55% | 6% | 5% |
| January 2000 | 4% | 25% | 56% | 11% | 4% |
How To Fix Offending key in ~/.ssh/known_hosts file
While trying to ssh into a box you may run in to the following error:
Offending key in ~/.ssh/known_hosts:6
This could mean a handful of things, among them a man-in-the-middle attack or, as in my case, that the RSA key has changed, such as when a new box takes the place of an old IP address. To resolve this, use the line number shown at the end of the error message to find the offending line. In this case it's line 6. To remove this line you can use `sed` with the following parameters:
$ sed -i '6d' ~/.ssh/known_hosts
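Since a changed key can also mean a man-in-the-middle attack, it helps to see exactly which entry is being dropped and to keep a copy of the file. The following is an added example, not part of the original post: the function name remove_offending_key is hypothetical, and it assumes GNU sed as used above.

```shell
#!/bin/sh
# Added example: remove only the entry named in ssh's "Offending key"
# message, keeping a backup and printing the removed entry for review.
# Usage: remove_offending_key "<error line>" [known_hosts path]
remove_offending_key() {
    msg=$1
    file=${2:-$HOME/.ssh/known_hosts}

    # The line number is whatever follows the last ':' in the message.
    lineno=${msg##*:}
    case $lineno in
        ''|*[!0-9]*) echo "no line number in: $msg" >&2; return 2 ;;
    esac

    [ -f "$file" ] || { echo "not found: $file" >&2; return 2; }

    # Refuse line numbers that do not exist in the file.
    total=$(awk 'END { print NR }' "$file")
    if [ "$lineno" -lt 1 ] || [ "$lineno" -gt "$total" ]; then
        echo "line $lineno is outside $file ($total lines)" >&2
        return 2
    fi

    # Keep a copy so the old key can be restored if the change turns out
    # to be unexpected.
    cp -p "$file" "$file.bak" || return 1

    # Print the entry being dropped (host, key type, key), then delete it.
    sed -n "${lineno}p" "$file"
    sed -i "${lineno}d" "$file"
}
```

Compare the printed entry, and the fingerprint ssh shows on the next connection, with what the box's administrator confirms before accepting the new key.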
Cisco SLA snmp OID
The following OID value will let you know if your SLA is within the threshold value: 1 = True, 2 = False.
$ snmpwalk -cpublic -v2c <host> 1.3.6.1.4.1.9.9.42.1.2.9.1.7.<sla_number>
ZIP File Corruption using Apache’s example for mod_deflate
Upon using the example shown here I ran into an issue with ZIP files being downloaded showing up as corrupt, specifically from IE.
<Location />
# Insert filter
SetOutputFilter DEFLATE

# Netscape 4.x has some problems...
BrowserMatch ^Mozilla/4 gzip-only-text/html

# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip

# MSIE masquerades as Netscape, but it is fine
# BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

# NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
# the above regex won't work. You can use the following
# workaround to get the desired effect:
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

# Don't compress images
SetEnvIfNoCase Request_URI (?:gif|jpe?g|png)$ no-gzip dont-vary

# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</Location>
Line 17 specifically says to use compression however there is no exclusion for ZIP files. We don't want to compress the already compressed file so we need to add this line below line 20:
# Don't compress zip files
SetEnvIfNoCase Request_URI (?:zip)$ no-gzip dont-vary
This will then exclude ZIP files from compression.
Change Java version on Debian
Type the following commands to change the default:
sudo update-alternatives --config java
You can also add a new java version if you would like by using the following commands:
sudo update-alternatives --install "/usr/bin/java" "java" "<java_binary_file_path>" 1
sudo update-alternatives --set java <java_binary_file_path>
Setup Oracle for PHP on IIS
1.) Use the ZIP version of PHP as it has the "ext" folder with all extensions
2.) Download Oracle Instant Client
3.) Unzip the Oracle Instant Client to "c:\instantclient_11_1"
4.) Append "c:\instantclient_11_1" to the system PATH environment variable
5.) Set and/or uncomment the following in your php.ini file:
extension_dir="c:\<php_folder>\ext"
extension=php_oci8.dll
6.) Restart IIS
net stop iisadmin
net start w3svc
net start smtp
Scan your network for conficker
You can now scan your network for conficker with nmap using version 4.85 BETA 6 or newer.
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns 192.168.1.*
login failed for user null
This mssql error can be a real pain in the you know what. To fix this create the following registry file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo]
"STRATDBS1"="DBNETLIB,SERVERNAME,1433"
"DSQUERY"="DBNETLIB"
Replace Password in FileZilla sitemanager.xml with VBscript
Because FileZilla, without recompiling, doesn't allow for the use of registry settings I made this script to aid in mass deployment to workstations without affecting other sites that may have been created. This is also very useful to rotate passwords without users having to change them.
Ignore Errors with dd
Sometimes you want dd to ignore errors while making an image. The following will do just that:
dd if=/dev/hda of=./securecube.iso conv=noerror,sync
You can read the man page on dd here.