RHEL6.4-64 – No networking after cloning via template VM using vSphere client

I had a VMware VM of a RHEL 6.4 64-bit machine, security hardened to CIS standards, which I converted to a VM template within vSphere as it was going to be reused. I then used ‘Clone to New Virtual Machine’ to…well..erm..clone it. That worked fine, however on booting the new VM networking was broken, even though all the configuration seemed to be in place for eth0 in /etc/sysconfig/network-scripts/ifcfg-eth0. I tried removing the UUID and HWADDR lines for the device, and adding and removing the VNIC in vSphere, all to no avail.

The fix was this.

Boot the VM, open /etc/udev/rules.d/70-persistent-net.rules, delete every line in that file pertaining to interfaces (the SUBSYSTEM=="net" entries), save, close and reboot, and you are good.

The reason: vSphere gives the clone a new MAC address, but the udev rules file copied from the template still maps the template’s MAC to eth0, so the clone’s NIC comes up as eth1 while ifcfg-eth0 (and its HWADDR line) refer to a device that no longer exists. With the stale entries gone, udev regenerates the file on the next boot from the NIC that is actually present. Cleaner still is to empty the file in the template before converting it, so every clone starts fresh. The same goes for the SSH host keys: a clone also inherits the template’s /etc/ssh/ssh_host_* files, so delete them in the template too and let the sshd init script generate new ones on first start.
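
To make the fix repeatable, here is a small script that does the clean-up on the template (or on a broken clone) rather than by hand. It is an added example and not the original post’s procedure; it assumes RHEL 6 paths, GNU sed, and that the sshd init script regenerates missing host keys at start-up, and it takes an optional root directory so you can dry-run it against a scratch tree first.

```shell
#!/bin/sh
# Added example (not from the original post): strip the template-specific
# NIC identity from a RHEL/CentOS 6 guest so clones boot with a working eth0.
# Run it on the template before converting it, or on a broken clone and reboot.
# ROOT is the file system to operate on: "" means the live system, and a
# scratch directory lets you dry-run it (the path layout assumed is RHEL 6's).

prep_net_for_template() {
    root="${1:-}"
    rules="$root/etc/udev/rules.d/70-persistent-net.rules"
    scripts="$root/etc/sysconfig/network-scripts"

    # 1. Drop the cached MAC-to-ethN mappings.  udev rewrites this file on the
    #    next boot from the NIC the clone actually has, so eth0 is eth0 again.
    if [ -f "$rules" ]; then
        sed -i '/^SUBSYSTEM=="net"/d' "$rules"
    fi

    # 2. Unpin ifcfg-eth* from the template's MAC and device UUID; without a
    #    HWADDR the network service matches the file on the device name alone.
    for f in "$scripts"/ifcfg-eth*; do
        [ -f "$f" ] || continue
        sed -i -e '/^HWADDR=/d' -e '/^UUID=/d' "$f"
    done

    # 3. Clones otherwise inherit the template's SSH host keys; the RHEL 6 sshd
    #    init script generates fresh ones when these files are missing at start.
    rm -f "$root"/etc/ssh/ssh_host_*_key "$root"/etc/ssh/ssh_host_*_key.pub
}

# Count what is still pinned to the template, so the result can be checked
# before the VM is converted.  Prints the number of offending lines.
count_pinned() {
    root="${1:-}"
    n=0
    f="$root/etc/udev/rules.d/70-persistent-net.rules"
    [ -f "$f" ] && n=$(( n + $(grep -c '^SUBSYSTEM=="net"' "$f" || true) ))
    for f in "$root"/etc/sysconfig/network-scripts/ifcfg-eth*; do
        [ -f "$f" ] || continue
        n=$(( n + $(grep -c -e '^HWADDR=' -e '^UUID=' "$f" || true) ))
    done
    echo "$n"
}

# Usage (as root): sh prep-template.sh --apply            live template
#                  sh prep-template.sh --apply /mnt/root  mounted image
case "${1:-}" in
    --apply) prep_net_for_template "${2:-}"
             echo "pinned entries left: $(count_pinned "${2:-}")" ;;
esac
```

Run it with --apply as the last step before ‘Convert to Template’; a count of 0 afterwards means nothing in the guest still refers to the template’s NIC.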

Posted in Linux & Solaris | 1 Comment

Centos6.4 64-bit – No networking after clean install

I was recently running up a new CentOS 6.4 64-bit minimal install on VMware vCenter v5 and vSphere client v5. During the install of CentOS you can configure the networking manually, which I usually do for servers. This VM server has 2 VNICs, so I configured both manually and plugged in all the usual settings, static IP, default gateway etc., all very straightforward. On rebooting I noticed I had no networking at all. That’s odd, I think.

I looked at /etc/sysconfig/network-scripts/ifcfg-eth0 and ifcfg-eth1 and noticed that the line ONBOOT was set to “no”, so no wonder it wasn’t working. The RHEL 6 installer writes ONBOOT=no for an interface unless “Connect automatically” is ticked on it, even when you fill in the addresses by hand. Simply change it to “yes”, restart the network service (or ifup the interface) and you are good to go. The values in the file below are placeholders; on a real box make sure the GATEWAY sits inside the IPADDR/PREFIX subnet and that DNS1 and DNS2 point at different resolvers, otherwise the default route and name lookups fail in less obvious ways.

DEVICE=eth0
TYPE=Ethernet
UUID=dfe0f2f3-ff34-41c4-b634-c06b32c4567
ONBOOT=yes <==== change to YES
NM_CONTROLLED=no 
BOOTPROTO=none
HWADDR=00:55:36:AF:52:15
IPADDR=192.168.1.50
PREFIX=16
GATEWAY=1.1.1.1
DNS1=123.34.5.6
DNS2=123.34.5.6
DOMAIN="local"
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"
Posted in Linux & Solaris | Leave a comment

Why HD TV could be so much better

Interesting article on The Register, basically explaining how modern TV came to be what it is, and how it could be much better.

http://www.theregister.co.uk/2013/06/25/the_future_of_moving_images_the_eyes_have_it/

Posted in Technology | Leave a comment

How to blow away a Solaris zone

You’ve been monkeying around with Solaris zones, and now you want to blow away your screwed-up test zone. Here’s how you do it.

To completely delete/remove a Solaris zone you essentially have a four-step process:

  1. Shut the zone down cleanly from inside it, so its services stop properly
  2. Halt the zone from the global zone
  3. Uninstall the zone (this removes everything under its zonepath)
  4. Delete the zone configuration

Here’s how; we are removing sol2.

Find what is what:
bash-3.00# zoneadm list -cv
ID NAME             STATUS     PATH                       BRAND    IP
0 global           running    /                           native   shared
69 sol1            running    /zones/sol1/root            native   shared
72 sol2            running    /zones/sol2/root            native   shared

Log into the zone (via zlogin) and shut it down cleanly.

Now halt it from the global zone:
bash-3.00# zoneadm -z sol2 halt

Check its status
bash-3.00# zoneadm list -cv
ID NAME             STATUS     PATH                       BRAND    IP
0 global           running    /                           native   shared
69 sol1            running    /zones/sol1/root            native   shared
-  sol2            installed  /zones/sol2/root            native   shared

Now uninstall it. This deletes the zone’s file system tree under /zones/sol2, so copy out anything you still need first:
bash-3.00# zoneadm -z sol2 uninstall
Are you sure you want to uninstall zone sol2 (y/[n])? y

And finally delete the zone configuration
bash-3.00# zonecfg -z sol2 delete
Are you sure you want to delete zone sol2 (y/[n])? y
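
The four steps as one script, added here as an example rather than taken from the post: it reads the zone’s state from zoneadm list -cp between steps, so it can be re-run on a zone that is already halted or uninstalled, and it refuses to touch the global zone. It assumes Solaris 10 command syntax, including the -F (no prompt) flags of zoneadm uninstall and zonecfg delete, and the colon-separated field order shown in the comment.

```shell
#!/bin/sh
# Added example (not from the original post): remove a Solaris 10 non-global
# zone with the four steps above, checking the zone's state between steps
# instead of assuming each one worked.  Assumes zoneadm/zonecfg/zlogin from
# Solaris 10, where 'zoneadm list -cp' prints
# zoneid:zonename:state:zonepath:uuid:brand:ip-type, one zone per line.

ZONE_HALT_WAIT=${ZONE_HALT_WAIT:-30}   # seconds to allow a clean shutdown before halting

zone_state() {     # zone_state NAME -> running|installed|configured|...|absent
    zoneadm list -cp | awk -F: -v z="$1" '
        $2 == z { print $3; found = 1 }
        END { if (!found) print "absent" }'
}

remove_zone() {    # remove_zone NAME -> 0 once the zone is gone
    zone="$1"
    case "$zone" in
        ""|global) echo "refusing to remove zone '$zone'" >&2; return 2 ;;
    esac
    st=$(zone_state "$zone")
    if [ "$st" = absent ]; then
        echo "zone $zone does not exist" >&2; return 1
    fi

    if [ "$st" = running ]; then
        # Step 1: ask the zone to shut itself down so its services stop cleanly.
        zlogin "$zone" /usr/sbin/shutdown -y -g0 -i0 >/dev/null 2>&1 || true
        i=0
        while [ "$(zone_state "$zone")" = running ] && [ "$i" -lt "$ZONE_HALT_WAIT" ]; do
            sleep 1; i=$((i + 1))
        done
        # Step 2: halt from the global zone if it is still up (the blunt version).
        if [ "$(zone_state "$zone")" = running ]; then
            zoneadm -z "$zone" halt
        fi
        st=$(zone_state "$zone")
    fi
    if [ "$st" = installed ]; then
        # Step 3: remove everything under the zonepath; -F skips the y/n prompt.
        zoneadm -z "$zone" uninstall -F
        st=$(zone_state "$zone")
    fi
    if [ "$st" = configured ]; then
        # Step 4: drop the zone configuration; -F skips the prompt here too.
        zonecfg -z "$zone" delete -F
        st=$(zone_state "$zone")
    fi
    if [ "$st" = absent ]; then
        echo "zone $zone removed"
    else
        echo "zone $zone is still in state '$st'" >&2; return 1
    fi
}

# Usage: sh remove-zone.sh sol2
if [ -n "${1:-}" ]; then
    remove_zone "$1"
fi
```

Because every step is gated on the state reported by zoneadm, running it twice is harmless: the second run simply reports that the zone does not exist.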

Posted in Linux & Solaris | Leave a comment

pam_tally & pam_tally2

There are a few minor differences between pam_tally and pam_tally2, just enough to trip you up and land you in another head-scratching moment!

pam_tally has fallen out of favour on RHEL 6 and CentOS 6 and later, which have switched to pam_tally2; this may be the case for other distros as well.

With pam_tally you can specify the option ‘reset’ on the account line in the system-auth file (see below); with pam_tally2 this option has been dropped. During testing this initially caused some confusion, as the failed-login counter just kept on increasing: after waiting the required 60 seconds I attempted to log in again…and I was still locked out. You will see an error such as this in /var/log/secure:

sshd[2661]: pam_tally2(sshd:account): unknown option:reset

So, after reading that, it became obvious that the ‘reset’ option had been dropped; the no_magic_root and no_reset options are not available in pam_tally2.so either. With pam_tally2 the account line needs no option at all: its account phase resets the counter on a successful login by itself.

Also note that for pam_tally to see SSH failures you have to edit /etc/ssh/sshd_config (not a file under /etc/pam.d) so that the following options look like this:

PermitRootLogin no (I always block root access via SSH)
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

With PasswordAuthentication off and ChallengeResponseAuthentication on, sshd collects the password through PAM’s keyboard-interactive conversation, so every failed attempt passes through the auth stack where pam_tally counts it. Restart sshd after changing the file.

Useful commands

pam_tally records into /var/log/faillog, which the faillog utility reads; pam_tally2 keeps its own /var/log/tallylog, which only the pam_tally2 command understands.

  • Show failed logins for all users: faillog -a (pam_tally), or pam_tally2 with no arguments (pam_tally2)
  • Show failed logins for one user: faillog -u mrfoo, or pam_tally2 -u mrfoo
  • Reset the failed-login counter for a user: faillog -r -u mrfoo, or pam_tally2 -r -u mrfoo

pam_tally

I know this works for CentOS 5.5 (Final).

I recommend creating a ‘test’ user to try it out.

This will lock users out for 60 seconds after 3 unsuccessful attempts, and reset the tally to 0 on the next successful login; you can change this to suit, see ‘man pam_tally’. Bear in mind that a low deny= with a short unlock_time lets anyone who can reach the login prompt lock a named account out for that window, and with no unlock_time at all the account stays locked until an admin resets it, so pick the values with that in mind.

To show the failed logins recorded in /var/log/faillog, run ‘faillog -a’.

In /etc/pam.d/system-auth, add the line ‘auth required pam_tally.so onerr=fail deny=3 unlock_time=60’ directly after the line ‘auth required pam_env.so’, and add ‘account required pam_tally.so reset’ at the end of the account section. The order is crucial; it doesn’t work correctly if you place it out of order.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally.so onerr=fail deny=3 unlock_time=60 <===== add this line here
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_tally.so reset <===== add this line here
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

pam_tally2

Same layout for RHEL 6 and CentOS 6, with pam_tally2.so in place of pam_tally.so. (The ‘md5’ on the pam_unix password line below reflects the hashing default of the time; RHEL 6’s authconfig defaults to sha512, which is what a hardened build should keep.)

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=60  <===== add this line here
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_tally2.so  <===== add this line here, note, the 'reset' option has been dropped

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
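
Added example, not from the original post: a small lint for system-auth that flags the problems this post ran into (pam_tally-only options on pam_tally2 lines, the tally line sitting after pam_unix.so, a missing account line) plus a deny= with no unlock_time=. It assumes the plain control keywords used above, so the module is the third field of each auth/account line; an auth line with a bracketed control such as [success=1 default=ignore] would not be parsed.

```shell
#!/bin/sh
# Added example (not from the original post): check a system-auth file for the
# mistakes this post hit, before you lock yourself out testing it.
# Assumes simple control keywords (required/sufficient/requisite/optional), so
# the module name is the third field of an auth/account line.

pam_tally_lint() {    # pam_tally_lint FILE -> prints FAIL lines, exit 1 if any
    awk '
    function bad(msg) { print "FAIL: " msg; n++ }

    /^[[:space:]]*#/ || NF == 0 { next }

    # first pam_unix auth line: the tally module must run before it
    $1 == "auth" && $3 == "pam_unix.so" && !unix_ln { unix_ln = NR }

    $1 == "auth" && $3 ~ /^pam_tally2?\.so$/ {
        tally_ln = NR; mod = $3
        split("", o)                      # option names on this line
        for (i = 4; i <= NF; i++) { split($i, kv, "="); o[kv[1]] = 1 }
        if (mod == "pam_tally2.so" && ("reset" in o || "no_reset" in o || "no_magic_root" in o))
            bad("auth " mod ": reset/no_reset/no_magic_root are pam_tally options, pam_tally2 rejects them")
        if (!("deny" in o))
            bad("auth " mod ": no deny=N, so failures are counted but never lock anyone")
        else if (!("unlock_time" in o))
            bad("auth " mod ": deny= without unlock_time= locks accounts until an admin resets them")
    }

    $1 == "account" && $3 ~ /^pam_tally2?\.so$/ {
        acct_ln = NR
        for (i = 4; i <= NF; i++)
            if ($3 == "pam_tally2.so" && $i == "reset")
                bad("account pam_tally2.so: unknown option reset (the count resets on success anyway)")
    }

    END {
        if (!tally_ln)
            bad("no auth pam_tally/pam_tally2 line; nothing counts failures")
        else if (unix_ln && tally_ln > unix_ln)
            bad("auth tally line comes after pam_unix.so; a sufficient pam_unix success returns before it runs")
        if (!acct_ln)
            bad("no account pam_tally/pam_tally2 line; the counter is never reset on a good login")
        exit n ? 1 : 0
    }' "$1"
}

# Usage: pam_tally_lint /etc/pam.d/system-auth && echo "stack looks sane"
```

Run it against the file before you restart sshd; on the pam_tally2 stack above it prints nothing and exits 0, while the ‘reset’ mistake from earlier in the post is reported as an unknown option.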

Adding it all up

Okay, let’s check that mrfoo has no unsuccessful logins:

[root@foo log]# pam_tally2 -u mrfoo
Login           Failures Latest failure     From
mrfoo            0

mrfoo gets his password wrong 3 times and gets locked out, easily checked by:

[root@foo log]# pam_tally2 -u mrfoo
Login           Failures Latest failure     From
mrfoo            3    03/26/13 10:22:28  192.168.1.50

We have a chat with mrfoo, give him a good bollocking, and tell him never to do it again…and then reset his counter (pam_tally2 -r prints the old value before zeroing it):

[root@foo log]# pam_tally2 -r -u mrfoo

Login           Failures Latest failure     From
mrfoo            3    03/26/13 10:22:28  192.168.1.50

Check it has reset

[root@foo log]# pam_tally2 -u mrfoo
Login           Failures Latest failure     From
mrfoo            0
Posted in Linux & Solaris | 4 Comments

Foscam FI8918W – not re-establishing wireless link after scheduled wireless stop/start

My problem.

Teenager staying up all night playing online games.

Scheduled blocking of IP/MAC addresses using DD-WRT worked fine for a while, but after a few weeks the schedule seems to go adrift, even though DD-WRT still shows the correct time and is synced over NTP. I tried this solution several times over an 18-month period, and it does this consistently.

So I configured a daily scheduled job to switch off the RF transmitter (WiFi) at 01:00hrs and turn it on again at 06:00hrs. This worked great: it turns off the WiFi but leaves the router/firewall still doing its job, and saves a bit of energy.

What I hadn’t figured on was the way the Foscam FI8908W IP camera handles this: when the WiFi comes back on the Foscam fails to reconnect, which I believe is not how it should work and is a sloppy implementation of the WiFi standards. The only way to make the camera start again is to unplug and re-plug the power cord.

So, I start getting my hands dirty, and try out a few things.

First I set a static IP within the camera GUI config page, and had the aforementioned issues. I read somewhere about using a static IP assigned from the router, so I tried that next: I assigned a static IP using its MAC address within the DHCP lease range (in effect I set up a reservation for it) and turned off DHCP within the camera GUI. It worked, but I still had issues with the camera not reconnecting. As a side note, you don’t have to set static IPs outside your DHCP scope; it is neater to do so, but you don’t have to.

I can safely say that if your router can reserve an IP via MAC address, you CAN assign a static IP WITHIN your DHCP scope and the Foscam camera will play along with this.

However, none of this fixed the camera reconnecting issue. But I have found a fix, and this is it.

Basically, the Foscam doesn’t play nicely when using AES: it works fine until you lose WiFi connectivity. So I changed it to TKIP, configured DD-WRT to use TKIP, and it now works without issue; the WiFi turns off and on at night and the camera reconnects every time.

Previously I was using WPA2/AES for everything, and yes, I’m aware that this is a retrograde step from a security point of view, but there is nothing that sensitive on my home network, and TKIP will suffice for now. If you follow this, bear in mind that TKIP is deprecated and has known practical attacks, so put the camera on its own SSID (or an isolated guest VLAN) running TKIP rather than downgrading the network everything else uses.

So, my advice for using a Foscam FI8908W over WiFi, with a scheduled job turning the WiFi on and off using DD-WRT, is:

  • Assign the camera a static IP using a reservation on your router
  • Turn off DHCP on the camera, configure networking manually
  • Set camera to use WPA/Personal, TKIP
  • Set router to use TKIP
Posted in Home surveillance | 7 Comments