Friday, December 26, 2014

VLAN bridge: multiple Unifi accounts on a single fibre line

ref:
http://net.doit.wisc.edu/~dwcarder/captivator/linux_trunking_bridging.txt

UPDATE: the brctl method is not working in my setup; it may work for someone else. On CentOS I'm using this method and it works: https://sites.google.com/site/ghidit/how-to-2/configure-bridging-on-centos

UPDATE 30/12/2014: to connect the second Unifi account, use the bridge interface (ETH=br10), not ETH=2.500.

VLAN id 10 on eth0:

/etc/sysconfig/network-scripts/ifcfg-eth0.10

# Intel Corporation 82546EB Gigabit Ethernet Controller (Copper)
DEVICE=eth0.10
HWADDR=00:04:xx:xx:xx:xx
ONBOOT=yes
HOTPLUG=no
BOOTPROTO=none
TYPE=Ethernet
VLAN=yes
BRIDGE=br10

VLAN id 11 on eth0:

/etc/sysconfig/network-scripts/ifcfg-eth0.11

# Intel Corporation 82546EB Gigabit Ethernet Controller (Copper)
DEVICE=eth0.11
HWADDR=00:04:xx:xx:xx:xx
ONBOOT=yes
HOTPLUG=no
BOOTPROTO=none
TYPE=Ethernet
VLAN=yes
BRIDGE=br10

The bridges need to be configured too:

/etc/sysconfig/network-scripts/ifcfg-br10
DEVICE=br10
TYPE=Bridge
#IPADDR=1.2.3.4
#GATEWAY=1.2.3.1
#NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
IPV6INIT=no
IPV6_AUTOCONF=no
DELAY=5
STP=yes
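As an added example (not from the original post), the shell functions below write ifcfg files in the same layout as the three files above and then cross-check them: every sub-interface that carries a BRIDGE= line must point at a file that exists and is TYPE=Bridge, otherwise the network scripts will bring the VLAN up with no bridge behind it and the PPPoE session started on br10 sees nothing. DIR is an assumed scratch directory standing in for /etc/sysconfig/network-scripts; parent device, VLAN ids and bridge name are parameters.

```shell
#!/bin/sh
# Added example: generate ifcfg files for tagged sub-interfaces enslaved to a
# bridge, then verify that each BRIDGE= reference resolves to a real bridge.
# DIR stands in for /etc/sysconfig/network-scripts (assumed scratch directory).

gen_vlan_ifcfg() {   # gen_vlan_ifcfg DIR PARENT VID BRIDGE
  dir=$1 parent=$2 vid=$3 bridge=$4
  cat >"$dir/ifcfg-$parent.$vid" <<EOF
DEVICE=$parent.$vid
ONBOOT=yes
HOTPLUG=no
BOOTPROTO=none
TYPE=Ethernet
VLAN=yes
BRIDGE=$bridge
EOF
}

gen_bridge_ifcfg() {  # gen_bridge_ifcfg DIR BRIDGE  (no address: the PPPoE session rides on it)
  dir=$1 bridge=$2
  cat >"$dir/ifcfg-$bridge" <<EOF
DEVICE=$bridge
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=none
IPV6INIT=no
IPV6_AUTOCONF=no
DELAY=5
STP=yes
EOF
}

# check_bridge_members DIR -> prints "<bridge> <member>" per enslaved interface;
# returns 1 if any BRIDGE= line names a bridge that is missing or not TYPE=Bridge.
check_bridge_members() {
  dir=$1 rc=0
  for f in "$dir"/ifcfg-*; do
    bridge=$(sed -n 's/^BRIDGE=//p' "$f")
    [ -n "$bridge" ] || continue
    dev=$(sed -n 's/^DEVICE=//p' "$f")
    if [ -f "$dir/ifcfg-$bridge" ] && grep -q '^TYPE=Bridge$' "$dir/ifcfg-$bridge"; then
      echo "$bridge $dev"
    else
      echo "ERROR: $dev references $bridge, which is not a configured bridge" >&2
      rc=1
    fi
  done
  return $rc
}
```

Keep in mind what the bridge does: eth0.10 and eth0.11 enslaved to br10 become one layer-2 domain, so any host on either VLAN can talk to the other and to the PPPoE session on br10; that is the intended effect here, but it is also why the switch ports carrying those tags should not be shared with anything else.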

Stored for future reference (currently not able to experiment with it):


# setup vlans:

modprobe 8021q

/sbin/vconfig add eth2 970
/sbin/vconfig add eth2 972
/sbin/vconfig add eth3 971
/sbin/vconfig add eth3 973

# You should see: 
#
# Added VLAN with VID == 970 to IF -:eth2:-
# Added VLAN with VID == 972 to IF -:eth2:-
# Added VLAN with VID == 971 to IF -:eth3:-
# Added VLAN with VID == 973 to IF -:eth3:-

# bring interfaces up

ifconfig eth2 up
ifconfig eth3 up
ifconfig eth2.970 up
ifconfig eth2.972 up
ifconfig eth3.971 up
ifconfig eth3.973 up

# setup bridging

# create a bridge called "br970" and put vlans 970 and 971 in it
brctl addbr br970
brctl addif br970 eth2.970
brctl addif br970 eth3.971

# create a bridge called "br972" and put vlans 972 and 973 in it
brctl addbr br972
brctl addif br972 eth2.972
brctl addif br972 eth3.973

# bring the bridge virtual interfaces up on each bridge
ifconfig br970 192.168.70.5 netmask 255.255.254.0 up
ifconfig br972 192.168.72.5 netmask 255.255.254.0 up

# verify the bridging config looks legit:

brctl show

# You should see something like:
#
#  bridge name     bridge id               STP enabled     interfaces
#  br970           8000.000423ab99d8       no              eth2.970
#                                                          eth3.971
#  br972           8000.000423ab99d8       no              eth2.972
#                                                          eth3.973

Monday, November 24, 2014

Secure your SSL: how to set it up

ref: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

Before and after, test here: https://www.ssllabs.com/ssltest/index.html

For cPanel, use: EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

UPDATE:
To get an A grade, use:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA

Note that both strings keep RC4 suites as a fallback, and the second one also lists plain-RSA suites (AES256-GCM-SHA384, AES128-GCM-SHA256) that offer no forward secrecy. They were kept for 2014-era client compatibility and should be dropped once those clients are gone.



Apache

To configure Apache, you need to have the following lines in your configuration:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

Nginx

To configure Nginx, you need to have the following lines in your configuration:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
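Rather than trusting a cipher string by eye, expand it the way the server will. The following shell function is an added example (not part of the original post or the Qualys article): it runs the string through `openssl ciphers -v` and prints every suite that lacks forward secrecy or still uses RC4, 3DES or MD5. The two strings from this post are copied in verbatim as constants; PFS_ONLY_CIPHERS is an assumed hardened alternative, not something the post recommends.

```shell
#!/bin/sh
# Added example: audit an OpenSSL cipher string for suites a hardened list
# should no longer carry. Needs the openssl command-line tool.

# The two strings the post recommends (cPanel string and the "A grade" update).
CPANEL_CIPHERS='EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS'
A_GRADE_CIPHERS='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA'
# Assumed hardened alternative: ECDHE key exchange and AEAD ciphers only.
PFS_ONLY_CIPHERS='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'

# audit_ciphers STRING -> one line "<suite> <reasons>" per weak suite; no output when clean.
# Reasons: no-pfs (key exchange is not ephemeral DH/ECDH), rc4, 3des, md5.
audit_ciphers() {
  openssl ciphers -v "$1" | awk '
    $2 == "TLSv1.3" { next }                 # TLS 1.3 suites are always forward-secret
    {
      kx = ""; enc = ""; mac = ""
      for (i = 3; i <= NF; i++) {
        if (index($i, "Kx=") == 1)  kx  = substr($i, 4)
        if (index($i, "Enc=") == 1) enc = substr($i, 5)
        if (index($i, "Mac=") == 1) mac = substr($i, 5)
      }
      why = ""
      if (kx !~ /^(EC)?DH$/) why = why "no-pfs "   # Kx=RSA, Kx=ECDH/RSA, Kx=PSK ...
      if (enc ~ /RC4/)       why = why "rc4 "
      if (enc ~ /3DES/)      why = why "3des "
      if (mac ~ /MD5/)       why = why "md5 "
      if (why != "") print $1, why
    }'
}

# count_weak STRING -> number of weak suites in the expansion
count_weak() {
  audit_ciphers "$1" | wc -l | tr -d ' '
}
```

Run `audit_ciphers "$A_GRADE_CIPHERS"` on a current OpenSSL and the plain-RSA AES-GCM suites show up as no-pfs; the RC4 entries only appear on builds that still ship RC4, which is exactly the point of checking on the machine that will serve the traffic.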

How to generate a SHA-2 (SHA-256) CSR

openssl req -new -newkey rsa:2048 -nodes -sha256 -out www.YOURDOMAIN.COM.sha256.csr -keyout www.YOURDOMAIN.key -subj "/C=CA/ST=ON/L=YOURCITY/O=YOUR COMPANY NAME/OU=Web/CN=*.YOURDOMAIN.COM" 

Ref: http://forums.cpanel.net/f185/sha2-256-ssl-certificates-your-experiences-364612.html

Change rsa:2048 to rsa:4096 to create a 4096-bit key. The current cPanel stable version still uses SHA-1 by default, so check what the CSR you are about to submit actually contains.
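As an added example (not from the original post or the cPanel forum thread), the functions below wrap the command above and then read the signature algorithm and key size back out of the resulting CSR with `openssl req -text`, so a SHA-1 default sneaking in is caught before the CA sees it. DIR, the file name and the subject fields are assumed placeholders.

```shell
#!/bin/sh
# Added example: generate a SHA-256 CSR non-interactively and verify the digest
# and key size that were actually recorded in it. Needs the openssl CLI.

# make_csr DIR NAME CN [BITS] -> writes DIR/NAME.key and DIR/NAME.csr
# NAME is a file-safe label; CN may be a wildcard such as *.YOURDOMAIN.COM
make_csr() {
  dir=$1 name=$2 cn=$3 bits=${4:-2048}
  openssl req -new -newkey "rsa:$bits" -nodes -sha256 \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" \
    -subj "/C=CA/ST=ON/L=YOURCITY/O=YOUR COMPANY NAME/OU=Web/CN=$cn" >/dev/null 2>&1
}

# csr_sig_alg FILE -> signature algorithm named in the CSR, e.g. sha256WithRSAEncryption
csr_sig_alg() {
  openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# csr_key_bits FILE -> RSA modulus size in bits (handles both "RSA Public-Key:" and "Public-Key:" labels)
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# csr_is_sha2 FILE -> 0 if the CSR is signed with a SHA-2 digest, 1 otherwise
csr_is_sha2() {
  case "$(csr_sig_alg "$1")" in
    sha256*|sha384*|sha512*) return 0 ;;
    *) return 1 ;;
  esac
}
```

The private key is written unencrypted (-nodes), as in the post's command; keep DIR on the host that will hold the key and chmod it 600 before moving on.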

Friday, September 26, 2014

bash update for CentOS 6 i386 and x64 cPanel

Check your existing bash:
env X="() { :;} ; echo shellshock" /bin/sh -c "echo completed"
env X="() { :;} ; echo shellshock" `which bash` -c "echo completed"
If the output contains "shellshock", that shell is vulnerable. For a non-cPanel server you can simply run:
# yum update bash

For a cPanel server you will face this problem:
root@cp6 [~]# yum update bash
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * epel: ftp.cuhk.edu.hk
 * extras: centos.exabytes.com.my
Setting up Update Process
No Packages marked for Update

Solution x64:

for i386:
wget http://centos.ipserverone.com/centos/6/updates/i386/Packages/bash-4.1.2-15.el6_5.1.i686.rpm
rpm -Uvh bash-4.1.2-15.el6_5.1.i686.rpm

for CentOS 5 i386:
http://centos.ipserverone.com/centos/5/updates/i386/RPMS/bash-3.2-33.el5.1.i386.rpm
CentOS 5 x64:
http://centos.ipserverone.com/centos/5/updates/x86_64/RPMS/bash-3.2-33.el5.1.x86_64.rpm
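The two one-liners above have to be read by eye, and the first one tests whatever /bin/sh is, which on Debian-style systems is dash and was never affected. As an added example (not from the original post), the function below probes a named shell binary and returns a status instead: it runs the CVE-2014-6271 check from the post and also the CVE-2014-7169 check, because the first-round packages (bash-4.1.2-15.el6_5.1 and bash-3.2-33.el5.1, the builds linked above) fixed only 6271 and a follow-up package was needed for 7169. The shell path is a parameter; the scratch directory is created and removed by the probe.

```shell
#!/bin/sh
# Added example: probe a shell binary for both Shellshock bugs.
#   shellshock_probe /path/to/bash  -> exit 0 vulnerable, 1 patched, 2 cannot run
shellshock_probe() {
  sh_bin=$1
  [ -x "$sh_bin" ] || return 2

  # CVE-2014-6271: a bash that imports the function also runs the trailing command.
  out=$(env X='() { :;} ; echo shellshock' "$sh_bin" -c 'echo completed' 2>/dev/null)
  case "$out" in
    *shellshock*) return 0 ;;
  esac

  # CVE-2014-7169: the first-round patch still mis-parses this definition; a
  # vulnerable bash runs "date" and writes its output to a file named "echo".
  # Run it in a scratch directory so the probe leaves nothing behind.
  scratch=$(mktemp -d)
  ( cd "$scratch" && env X='() { (a)=>\' "$sh_bin" -c 'echo date' >/dev/null 2>&1 ) || true
  leaked=0
  [ -e "$scratch/echo" ] && leaked=1
  rm -rf "$scratch"
  if [ "$leaked" -eq 1 ]; then
    return 0
  fi
  return 1
}

# probe_report SHELL_PATH -> prints "VULNERABLE", "patched" or "skipped" plus the path
probe_report() {
  rc=0
  shellshock_probe "$1" || rc=$?
  case $rc in
    0) echo "VULNERABLE $1" ;;
    1) echo "patched $1" ;;
    *) echo "skipped $1" ;;
  esac
}
```

Probe bash by name (`probe_report "$(command -v bash)"`) rather than /bin/sh; if the second check is the one that fires, the el6_5.1 / el5.1 package is installed but the follow-up update is still missing.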

Friday, July 18, 2014

trickle: reduce transfer speed from a remote host

source:http://dan.folkes.me/2011/03/03/rsync-speed-limit-trickle-slow/
other source: http://stackoverflow.com/questions/10064316/rsync-limit-transfer-speed-not-working

Install rsync and trickle:
sudo apt-get install rsync
sudo apt-get install trickle
Now you can run rsync:
This will download at a limit of 80 KB/s from host:
rsync -auvPe "trickle -d 80 ssh" user@host:/src/ /dst/
Explanation of the options:
-a, --archive               archive mode; equals -rlptgoD (no -H,-A,-X)
-u, --update                skip files that are newer on the receiver
-v, --verbose               increase verbosity
-P                          same as --partial --progress (keep partially transferred files, show progress)
-e, --rsh=COMMAND           specify the remote shell to use
trickle -d 80               -d rate: limit the download bandwidth consumption to rate KB/s
trickle only shapes the traffic of the process it wraps (here the ssh transport), which is why it goes inside -e rather than in front of rsync. rsync's own --bwlimit=KBPS option is the native alternative; the second link above is about that option not behaving as expected.

Friday, June 06, 2014

Recover a dead USB stick

ref: http://superuser.com/questions/338059/recovering-a-partially-formatted-usb-thumb-drive

  1. Click on the Start Orb.
  2. Type cmd into the search box.
  3. Shift + Right Click on the CMD icon.
  4. Click on Run as Administrator.
From here, we are going to type in diskpart and run the following commands.
C:\Windows\system32>diskpart

Microsoft DiskPart version 6.1.7601
Copyright (C) 1999-2008 Microsoft Corporation.
On computer: DYGEAR-PC

DISKPART>
From here we are going to type list disk to find the current drives connected to the computer.
DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online           14 GB      0 B
  Disk 1    Online           74 GB      0 B
  Disk 2    Online          698 GB      0 B   *
  Disk 3    Online           15 GB      0 B
The 15GB drive is the drive we are looking for, as that's the size of our USB Thumb Drive. So to select that drive, we run the command select disk 3.
DISKPART> select disk 3

Disk 3 is now the selected disk.
If you are not sure if this is your drive, you can request details about the drive by running the command detail disk after you have selected the disk.
DISKPART> detail disk

Corsair Voyager Mini USB Device
Disk ID: 00000000
Type   : USB
Status : Online
Path   : 0
Target : 0
LUN ID : 0
Location Path : UNAVAILABLE
Current Read-only State : No
Read-only  : No
Boot Disk  : No
Pagefile Disk  : No
Hibernation File Disk  : No
Crashdump Disk  : No
Clustered Disk  : No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 4                             Removable     15 GB  Healthy
After we have the correct drive, we can select a partition on it with select volume followed by the volume number, in our case select volume 4.
DISKPART> select volume 4

Volume 4 is the selected volume.
From here, we will try to recover the drive to a usable state. We are going to attempt to reformat the drive first. FORMAT RECOMMENDED OVERRIDE is the safest way to format your drive back to a normal state.
DISKPART> FORMAT RECOMMENDED OVERRIDE

DiskPart has encountered an error: The system cannot find the file specified.
See the System Event Log for more information.
Should that not work, as shown above, we can try a format command that tells DiskPart exactly how to format the drive; in our case we use FORMAT FS=NTFS LABEL="Windows7" QUICK COMPRESS.
DISKPART> FORMAT FS=NTFS LABEL="Windows7" QUICK COMPRESS

DiskPart has encountered an error: The system cannot find the file specified.
See the System Event Log for more information.
In our case this still does not work, so we attempt to clean the whole drive with the command CLEAN ALL. CLEAN ALL zeroes every sector of the selected disk, so make sure select disk really picked the USB stick (detail disk above) before running it.
DISKPART> clean all

DiskPart has encountered an error: Incorrect function.
See the System Event Log for more information.
My command prompt stopped responding after this command. I quit diskpart with Ctrl+C, removed the USB stick, and now it's fixed :)

Monday, March 03, 2014

RESTRICT_SYSLOG problem affecting lfd in csf

Recently I had a problem (lfd not working) on a CentOS 6 server.

Firewall Status: Enabled and Running
WARNING: RESTRICT_SYSLOG is disabled. See SECURITY WARNING in Firewall Configuration



To all csf users: please ignore this message, because enabling this option or following its instructions will stop lfd from working properly. I hope csf will fix this problem, or at least give users more detailed documentation on how this option works without breaking existing lfd functionality.

Friday, February 21, 2014

simple Unifi router

Here's mine, stored here for recovery later :)

#!/bin/sh
# load the NAT module and turn on IPv4 forwarding
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
# masquerade everything leaving the PPPoE interface behind its address
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# forward every packet in both directions, with no state tracking or source filtering
iptables -A FORWARD -j ACCEPT
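The script above forwards everything in both directions, so any host that can reach ppp0 can reach the LAN. As an added example (not the post's script), the version below keeps the same NAT setup but gives FORWARD a DROP policy and only lets WAN traffic in when conntrack ties it to a flow the LAN opened. Interface names (eth1 for the LAN, ppp0 for the PPPoE session) and the LAN prefix are assumed arguments; with DRY_RUN=1 set it prints the iptables commands instead of applying them, which is also how you review the rule set without root.

```shell
#!/bin/sh
# Added example: stateful PPPoE NAT router. Applying the rules needs root;
# DRY_RUN=1 prints them instead.

ipt() {
  if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

router_rules() {   # router_rules LAN_IF WAN_IF LAN_NET
  lan=$1 wan=$2 net=$3
  [ -n "$DRY_RUN" ] || { modprobe iptable_nat; echo 1 >/proc/sys/net/ipv4/ip_forward; }
  ipt -t nat -F POSTROUTING
  ipt -F FORWARD
  # default-deny for transit traffic; only the rules below open it up
  ipt -P FORWARD DROP
  # NAT only the LAN prefix, not whatever else happens to reach the WAN side
  ipt -t nat -A POSTROUTING -s "$net" -o "$wan" -j MASQUERADE
  # drop packets conntrack cannot place in any flow
  ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
  # inbound from the WAN: only replies to flows the LAN opened
  ipt -A FORWARD -i "$wan" -o "$lan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # outbound: LAN hosts with a LAN source address may open new flows
  ipt -A FORWARD -i "$lan" -o "$wan" -s "$net" -j ACCEPT
}

# Example (assumed names): LAN on eth1, PPPoE session on ppp0
# DRY_RUN=1 router_rules eth1 ppp0 192.168.1.0/24
```

Unlike the original, a packet arriving on ppp0 addressed to a LAN host is dropped unless a LAN host started the conversation, and a spoofed packet from the LAN side with a non-LAN source is not masqueraded or forwarded.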
