Duo ByPass

To bypass duo 2fa for a script or secure login etc on Linux you simply need to add the following to your SSHD PAM config (/etc/pam.d/sshd)

auth    [success=2 default=ignore]      pam_access.so accessfile=/etc/security/access-local.conf

You will then need to create the access file and put your rules in for example

+ : ALL : 192.168.1.0/24
- : ALL : ALL

For information on the access file, see here

Nagios Core Upgrade

Ubuntu

Stop Service / Daemon

This command stops Nagios Core.

===== Ubuntu 14.x =====

sudo service nagios stop

 

===== Ubuntu 15.x / 16.x / 17.x / 18.x =====

sudo systemctl stop nagios.service

 

Downloading the Source

cd /tmp
sudo rm -rf nagioscore*
wget -O nagioscore.tar.gz https://github.com/NagiosEnterprises/nagioscore/archive/nagios-4.4.1.tar.gz
tar xzf nagioscore.tar.gz

 

Compile

cd /tmp/nagioscore-nagios-4.4.1/
sudo ./configure --with-httpd-conf=/etc/apache2/sites-enabled
sudo make all

 

Install Binaries

This step installs the binary files, CGIs, and HTML files.

sudo make install

 

Install Service / Daemon

This installs the service or daemon files. While these will already exist they do get updated occasionally and hence need replacing.

sudo make install-daemoninit

 

Update nagios.cfg

If you are upgrading from Nagios Core 4.3.2 and earlier you will need to update the nagios.cfg file to point to /var/run/nagios.lock using the following command:

sudo sh -c "sed -i 's/^lock_file=.*/lock_file=\/var\/run\/nagios.lock/g' /usr/local/nagios/etc/nagios.cfg"

More information about this is detailed in the following KB article:

Nagios Core – nagios.lock Changes In 4.3.3 Onwards

 

Start Service / Daemon

This command starts Nagios Core.

===== Ubuntu 14.x =====

sudo service nagios start

 

===== Ubuntu 15.x / 16.x / 17.x / 18.x =====

sudo systemctl start nagios.service

 

Confirm Nagios Is Running

You can confirm that the nagios service is now running with the following command:

===== Ubuntu 14.x =====

sudo service nagios status

 

===== Ubuntu 15.x / 16.x / 17.x / 18.x =====

sudo systemctl status nagios.service

 

Confirm Nagios Version

You can confirm the nagios version being used with the following command:

sudo /usr/local/nagios/bin/nagios -V

 

This will output something like:

Nagios Core 4.4.1

RDP Cert (Windows 7)

Commercial Certificate Authority TLS Remote Desktop Service (RDS) certificate RDP Windows 7

There are two good guides on how to install a commercial certificate, to replace the self-signed generated by Remote Desktop Services, and avoid warning messages, but they both leave steps out. Here are all the steps.

1. Generate a private key and certificate request

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

2. Get it signed by a commercial certificate authority

3. Convert your key, certificate, and Certificate Authority chain to a pfx file for Windows

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Don’t double-click the resultant “certificate.pfx” file. It will always put it into your personal certificate store, when you want it in the computer certificate store.

4. Install certificate – Open command-line, mmc, Add/Remove snap-in, Certificates, Computer Account, Local Computer

Expand Certificates (Local Computer), Personal, Certificates. Right click in right pane, All Tasks, Import…

Import your pfx file. Make sure the private key is included.

5. You need the thumbprint of the certificate. Double-click the certificate to view it in the mmc, and choose the Details tab. At the bottom is the Thumbprint. Copy it to Notepad, and remove the Question mark at the beginning, and all the spaces. It should be a string like “6adbb56632cc476ad790d899f2c34c42c1881590”

6. This link explains the command to use the CA cert instead of the self-signed, http://www.weaklink.org/2015/05/tls-certificate-for-windows-88-1-remote-desktop-service/

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "SSLCertificateSHA1Hash" /t REG_BINARY /d 6adbb56632cc476ad790d899f2c34c42c1881590

7. You must also allow the RDP service the rights to view the private key. Microsoft explains the ACL necessary, https://support.microsoft.com/en-us/kb/2001849

Click Start, click Run, type mmc, and click OK.

On the File menu, click Add/Remove Snap-in.

In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and click Add.

In the Certificates snap-in dialog box, click Computer account, and click Next.

In the Select Computer dialog box, click Local computer: (the computer this console is running on), and clickFinish.

In the Add or Remove Snap-ins dialog box, click OK.

In the Certificates snap-in, in the console tree, expand Certificates (Local Computer), expand Personal, and navigate to the SSL certificate that you would like to use.

Restart Remote Desktop Services, or Restart the computer, and the next time you use the RDP, it will not complain about the certificate.

Extend a partition and LVM with Ubuntu 16.04

There is a risk of data loss doing this!!!

First add the additional disk space using your virtualisation admin software (i.e. ESXi / Proxmox / etc)

Rescan the bus

echo 1 > /sys/class/block/sda/device/rescan

Next start fdisk

sudo fdisk /dev/sda

Press p to print the current partition list. Copy the start block for both sda2 and sda5. Now we need to delete the partitions.

Press d to delete the partion accept the default of ‘2’
Press d again and accept the default of ‘5’

Now press n for a new partition

Create an extended partition, make sure the start block is that of your “old” sda2 partition.

Accept the other defaults to use all available space.

Now press n again

This time accept the defaults. The start block will be wrong, but this is ok and a slight anomaly with this method.

This bit is super, world ending, important.

Once you are back to the fdisk prompt press x (to enter expert mode)

Press b and make sure sda5 is selected.

Enter the start value that you copied earlier for sda5.

Once you are back at the expert command prompt, press r (to return to the main menu) and then w (to write the changes and exit.

We’ve now finished with fdisk.

Now sync the changes with the running OS.

partprobe

Extending LVM

Run

pvresize /dev/sda5
lvextend -l +100%FREE /dev/VGNAME/LVNAME
resize2fs /dev/VGNAME/LVNAME

If you don’t know your VGNAME or LVNAME run

lvdisplay

That’s all there is to it!

Expand a hard disk with LVM

The “hardware” part, “physically” adding diskspace to your VM

Increasing the disk size can be done via the vSphere Client, by editing the settings of the VM (right click > Settings).

If the “Provisioned Size” area (top right corner) is greyed out, consider turning off the VM first (if it does not allow “hot adding” of disks/sizes), and check if you have any snapshots made of that VM. You can not increase the disk size, as long as there are available snapshots.

Partitioning the unallocated space: if you’ve increased the disk size

Once you’ve changed the disk’s size in VMware, boot up your VM again if you had to shut it down to increase the disk size in vSphere. If you’ve rebooted the server, you won’t have to rescan your SCSI devices as that happens on boot. If you did not reboot your server, rescan your SCSI devices as such.

Then rescan the bus.

~$ 'echo 1 > /sys/class/block/sda/device/rescan'

Create the new partition

Once the rescan is done (should only take a few seconds), you can check if the extra space can be seen on the disk.

~$  fdisk -l

Disk /dev/sda: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      104391   83  Linux
/dev/sda2              14         391     3036285   8e  Linux LVM

So the server can now see the 10GB hard disk. Let’s create a partition, by start fdisk for the /dev/sda device.

~$  fdisk /dev/sda

The number of cylinders for this disk is set to 1305.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): n

Now enter ‘n’, to create a new partition.

Command action
e   extended
p   primary partition (1-4)
 p

Now choose “p” to create a new primary partition. Please note, your system can only have 4 primary partitions on this disk! If you’ve already reached this limit, create an extended partition.

Partition number (1-4): 3

Choose your partition number. Since I already had /dev/sda1 and /dev/sda2, the logical number would be 3.

First cylinder (392-1305, default 392): 
Using default value 392
Last cylinder or +size or +sizeM or +sizeK (392-1305, default 1305): 
Using default value 1305

Note; the cylinder values will vary on your system. It should be safe to just hint enter, as fdisk will give you a default value for the first and last cylinder (and for this, it will use the newly added diskspace).

Command (m for help): t
Partition number (1-4): 3
Hex code (type L to list codes): 8e
Changed system type of partition 3 to 8e (Linux LVM)

Now type t to change the partition type. When prompted, enter the number of the partition you’ve just created in the previous steps. When you’re asked to enter the “Hex code”, enter 8e, and confirm by hitting enter.

Command (m for help): w

Once you get back to the main command within fdisk, type w to write your partitions to the disk. You’ll get a message about the kernel still using the old partition table, and to reboot to use the new table. The reboot is not needed as you can also rescan for those partitions using partprobe. Run the following to scan for the newly created partition.

~$ partprobe -s

If that does not work for you, you can try to use “partx” to rescan the device and add the new partitions. In the command below, change /dev/sda to the disk on which you’ve just added a new partition.

~$ partx -v -a /dev/sda

If that still does not show you the newly created partition for you to use, you have to reboot the server. Afterwards, you can see the newly created partition with fdisk.

~$  fdisk -l

Disk /dev/sda: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      104391   83  Linux
/dev/sda2              14         391     3036285   8e  Linux LVM
/dev/sda3             392        1305     7341705   8e  Linux LVM

Extend your Logical Volume with the new partition

Now, create the physical volume as a basis for your LVM. Please replace /dev/sda3 with the newly created partition.

~$  pvcreate /dev/sda3
Physical volume "/dev/sda3" successfully created

Now find out how your Volume Group is called.

~$  vgdisplay
--- Volume group ---
VG Name               VolGroup00
...

Let’s extend that Volume Group by adding the newly created physical volume to it.

~$  vgextend VolGroup00 /dev/sda3
Volume group "VolGroup00" successfully extended

With pvscan, we can see our newly added physical volume, and the usable space (7GB in this case).

~$  pvscan
PV /dev/sda2   VG VolGroup00   lvm2 [2.88 GB / 0    free]
PV /dev/sda3   VG VolGroup00   lvm2 [7.00 GB / 7.00 GB free]
Total: 2 [9.88 GB] / in use: 2 [9.88 GB] / in no VG: 0 [0   ]

Now we can extend Logical Volume (as opposed to the Physical Volume we added to the group earlier). The command is “lvextend /dev/VolGroupxx /dev/sdXX“.

~$  lvextend /dev/VolGroup00/LogVol00 /dev/sda3
Extending logical volume LogVol00 to 9.38 GB
Logical volume LogVol00 successfully resized

If you’re running this on Ubuntu, use the following.

~$  lvextend /dev/mapper/vg-name /dev/sda3

All that remains now, it to resize the file system to the volume group, so we can use the space. Replace the path to the correct /dev device if you’re on ubuntu/debian like systems.

~$  resize2fs /dev/VolGroup00/LogVol00
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/VolGroup00/LogVol00 is mounted on /; on-line resizing required
Performing an on-line resize of /dev/VolGroup00/LogVol00 to 2457600 (4k) blocks.
The filesystem on /dev/VolGroup00/LogVol00 is now 2457600 blocks long.

And we’re good to go!

~$  df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00 9.1G 1.8G  6.9G  21% /
/dev/sda1              99M   18M   77M  19% /boot
tmpfs                 125M     0  125M   0% /dev/shm

Unifi Video Mongodb remove

Occasionally you hit an issue with a unifi camera and it won’t connect or remove from the controller. The easiest / only way to fix this is to manually remove it from the database.

SSH into the NVR and find all the cameras:

mongo localhost:7441/av
db.camera.find()
db.camera.find({}, {_id: 0, name: 1, uuid: 2})

Look for the camera in question, we will want the UUID

"Driveway", "uuid" : "1fbfb420-a091-3c8f-b184-e43ec862b14a"

Then remove it, exit the tool, and restart UFV

db.camera.remove({uuid:"1fbfb420-a091-3c8f-b184-e43ec862b14a"})
exit
service unifi-video stop; service unifi-video start

OPNSense & Duo

OPNSense & Duo

Set the OPNSense LDAP connection to use the DN rather than the domain\user format or DUO fails to recognise it as the same user. By default the Authentication Proxy doesn’t require 2FA for the first bind in a connection. This is to support systems that bind as a service account, search for the user account, and then bind as the user. It looks like your system may connect and bind as the service account, then disconnects, then connects again to bind as the end user. Look at the exempt_primary_bind and exempt_ou_1 options  and try settingexempt_primary_bind=false and exempt_ou_1=the DN of the service account.

OPNSense & OVH/SyS

This is much simpler in OPNSense

Add gateway

System -> Gateways -> All

Add Gateway

Change Interface to WAN.

Add your primary OVH IP gateway in the “Gateway” field (this will almost certainly not be the gateway for your IP address block) and tick the “far gateway” box.

Hit save and then reload

Adding more IPs

Go to the firewall -> virtual IPs

Add an IP Alias, add the IPs one at a time with a /32

Your IPs are now ready to use!

LAN Internet

Firewall -> NAT -> Outbound

Manual Outbound NAT rule generation. If it isn’t created automatically add a rule with the Interface of WAN, source of your internal IP (192.168.1.x/24) & any VPN IP leave everything else as default and save. Check that your WAN address is chosen rather than interface address (or your outgoing traffic will come from any of your external IPs)