Category Archives: Linux

How to use Cloudflare DNS for the Letsencrypt challenge with Bitwarden’s automatic setup

Bitwarden’s automatic setup script allows you to secure your server’s HTTPS connections using Letsencrypt via certbot but it does not provide control over the challenge type used to issue the certificate. If you wanted to use a DNS challenge and take advantage of the Cloudflare API for example, you’ll need to make some changes to the scripts.

As your docker user, follow the standard steps from the TL;DR guide, which I’ve linked to and copied here just for completion. I do not recommend copy and pasting commands like this without being sure of what you’re executing.

$ curl -Lso bitwarden.sh https://go.btwrdn.co/bw-sh && chmod +x bitwarden.sh
$ ./bitwarden.sh install

You can CTRL+C to stop the install once it begins prompting you for input. Edit the bitwarden.sh script and comment out the downloadRunFile calls (e.g., at the time of writing lines 109 and 118)

You can then download and apply this diff to ~/bwdata/scripts/run.sh

Once complete the standard install can be reinitiated

$ ./bitwarden.sh install

LibreNMS 1.50.1 packer.io CentOS image high CPU usage

LibreNMS offers prebuilt OVA VM images using packer.io based on Ubuntu 18 and CentOS 7. If you’ve deployed the CentOS image though, you may be aware of it using an excessive amount of CPU – not an issue present in the Ubuntu image.

A quick look at the system with top will show us php processes with new PIDs spiking the CPU endlessly. Output of ps axf will show the parent process as syslog-ng, whose config has a PHP script defined as a program which it is trying to launch. Turning on debugging in syslog-ng doesn’t return any information on what is happening so when something on an RHEL based system doesn’t make sense, what do you do? Check if SELinux is enforcing and look at your audit logs!

Continue reading

Understanding iptable’s hashlimit module

I was having trouble understanding the iptables hashlimit module and couldn’t dig up anything that really helped. The man pages are definitely lacking a clear explanation and /proc/net/ipt_hashlimit/ leaves out some information that would clarify things immensely. After some testing I managed to work it all out, so let’s go through it and see if I can help make sense of it for you too.

I’ll try not to assume too much prior knowledge about the module. We’ll be coming at this with the goal of blocking traffic that exceeds a certain amount of packets per second. From the man page:

hashlimit uses hash buckets to express a rate limiting match (like the limit match) for a group of connections using a single iptables rule. Grouping can be done per-hostgroup (source and/or destination address) and/or per-port. It gives you the ability to express “N packets per time quantum per group” or “N bytes per seconds”

Continue reading

Enabling pam_tty_audit on RHEL, CentOS, or Scientific Linux 6

aureport output

If you have plans to make use of the audit system in RHEL and its clones, you may decide to use pam_tty_audit. A lot of the top hits on Google will recommend enabling the module in /etc/pam.d/system-auth-ac, but because of changes related to having better support for HIDs like fingerprint scanners, it should actually exist in /etc/pam.d/password-auth-ac, which is included by /etc/pam.d/sshd and others. One other complaint is that it logs passwords, but a patch was implemented in an update to RHEL 6 to address this.

Add the following line to the end of /etc/pam.d/password-auth-ac to enable keystroke logging for all users on a default RHEL, CentOS or Scientific Linux 6 server:

session     required      pam_tty_audit.so enable=*

The raw audit log can then be viewed at /var/log/audit/audit.log (which includes other audit events) or output in a somewhat friendlier format using aureport as root.

aureport --tty -ts today

The audit system caches based on settings in /etc/audit/auditd.conf, so it could take some time before you see audit logs for user activity. Check its man page for further information

The $280 `htop` T-Shirt

Angelos Frentzos T-Shirt

Angelos Frentzos “Crash” T-Shirt

Having an interest in fashion and an interest in Linux are usually two very separate things for me. I don’t think System Administrators are well known for their style, and I definitely didn’t expect to be writing a post about it here, so imagine my surprise when I came across this particular shirt on antonioli.eu’s latest arrivals. Designed by Angelos Frentzos and priced at a whopping $280 Canadian, it’s quite a bit of money for a tee full of wacky computer speak! Immediately though, I noticed that calling it the “crash print” is a bit of a misnomer, as it looks like pretty typical htop output with some sort of window split. Curious about its origin, I thought I’d look into it.

Continue reading

Installing ArchLinux AUR packages in a post-package signing world

ArchLinux and I aren’t the best of friends, its rolling release system just doesn’t jive with me. I only really installed it on a couple personal servers for experience with another distribution, so usually the boxes sit there doing their thing until I feel like setting up something new. When I run its first update in six months, something usually goes wrong, and I make my way over to their forums to figure out how to give pacman a kick in the butt to get things sorted.

This time around, I’m installing metasploit to test some equipment against the recent security flaws in UPnP that have been making some waves. A binary package isn’t available in the official repositories so in this case the Arch User Repository (AUR) picks up the slack to automate building from source. I’ve used this in the past with some success, but last year Arch finally implemented package signing. Turns out this complicates installing these personally built packages unless you temporarily disable it. Let’s not do that though, let’s stay consistent with package signing. In a larger environment with your own custom repo, you would definitely want to have this working, and there’s nothing wrong with learning more about your system.

Continue reading