Category Archives: How To

how to manage users with ansible

If you have multiple servers to manage, adding a new user, changing a password, or locking an old account by logging into each server in turn is tedious and a huge waste of time.

Using the Ansible user module, you can manage users and SSH keys across all of them in a single playbook run.

Create users

The user's home directory is also created by default; you can choose a different one with the home parameter.

The following playbook is for Red Hat/CentOS. On Debian-based systems, change the group name.

authorize_users.yml

---
- hosts: tag_group_{{ env }}_webserver
  ignore_unreachable: true
  strategy: free
  gather_facts: False

  vars_files:
  - group_vars/all.yml

  vars:
    users:
      - tony
      - thor
      - hulk

  tasks:
  - name: Make sure we have a 'wheel' group
    group:
      name: wheel
      state: present
  - name: Allow 'wheel' group to have passwordless sudo
    lineinfile:
      dest: /etc/sudoers
      state: present
      regexp: '^%wheel'
      line: '%wheel ALL=(ALL) NOPASSWD: ALL'
      validate: visudo -cf %s
  - name: "Create user accounts and add users to the wheel group"
    user:
      name: "{{ item }}"
      groups: wheel
      append: yes        # keep any supplementary groups the account already has
      shell: /bin/bash
    loop: "{{ users }}"
  - name: "Add authorized keys"
    authorized_key:
      user: "{{ item }}"
      key: "{{ lookup('file', '~/.ssh/'+ item + '.pub') }}"
      state: present
    loop: "{{ users }}"

Running:

$ ENV=prod; ansible-playbook -i inventories/$ENV --extra-vars "env=$ENV" authorize_users.yml
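Before the "Add authorized keys" task copies ~/.ssh/<user>.pub into every server's authorized_keys, it is worth checking that each file is present and holds a single well-formed public key: the file lookup fails mid-run if a file is missing, and a malformed line simply grants nobody access. The following Python 3 pre-flight check is an added example, not part of the original post or of Ansible. The key directory, the user list and the allowed key types are assumptions, and the sample key it builds has a zero-filled key body and is not a usable key.

```python
import base64
import os
import struct
import tempfile

# Key types this check accepts (assumption: adjust to your fleet's policy).
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def parse_public_key(line):
    """Parse one OpenSSH public-key line ("<type> <base64> [comment]").

    Returns (key_type, blob, comment). Raises ValueError when the line is
    malformed, the blob is not valid base64, the type string embedded in
    the blob differs from the declared one, or the type is not allowed.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64: %s" % exc)
    # The wire format starts with a uint32 length followed by the type string.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n]
    if embedded != key_type.encode():
        raise ValueError("declared type %s but blob says %r" % (key_type, embedded))
    if key_type not in ALLOWED_TYPES:
        raise ValueError("key type %s is not allowed" % key_type)
    return key_type, blob, comment


def check_user_keys(users, key_dir):
    """Map each user to None (file is one valid key) or an error string.

    Mirrors the playbook's lookup('file', '~/.ssh/' + item + '.pub').
    """
    results = {}
    for user in users:
        path = os.path.join(key_dir, user + ".pub")
        if not os.path.isfile(path):
            results[user] = "missing %s" % path
            continue
        with open(path) as fh:
            lines = [l for l in fh.read().splitlines() if l.strip()]
        if len(lines) != 1:
            results[user] = "expected exactly one key line, found %d" % len(lines)
            continue
        try:
            parse_public_key(lines[0])
            results[user] = None
        except ValueError as exc:
            results[user] = str(exc)
    return results


def make_demo_key(declared_type="ssh-ed25519", blob_type=b"ssh-ed25519",
                  comment="demo@example"):
    """Constructed key line for testing: correct wire framing around a
    zero-filled 32-byte body, so it parses but is not a usable key."""
    blob = struct.pack(">I", len(blob_type)) + blob_type
    blob += struct.pack(">I", 32) + bytes(32)
    return "%s %s %s" % (declared_type, base64.b64encode(blob).decode(), comment)


def demo():
    """Run the check against a scratch directory of constructed key files."""
    key_dir = tempfile.mkdtemp()
    files = {
        "tony.pub": make_demo_key(),                           # valid
        "thor.pub": make_demo_key(declared_type="ssh-rsa"),    # type mismatch
        "hulk.pub": "ssh-ed25519 not-base64!! hulk@example",  # garbage blob
    }
    for name, text in files.items():
        with open(os.path.join(key_dir, name), "w") as fh:
            fh.write(text + "\n")
    # "loki" has no key file at all
    return check_user_keys(["tony", "thor", "hulk", "loki"], key_dir)


if __name__ == "__main__":
    for user, problem in demo().items():
        print(user, "ok" if problem is None else "PROBLEM: " + problem)
```

Run it from the directory that holds the .pub files (or point check_user_keys at it) before running the playbook; any non-None result is a reason to stop.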

Remove Users

Removing an existing user is easy: set the 'state' parameter to 'absent'. Behind the scenes the module runs the 'userdel' command.

deauthorize_users.yml

---
- hosts: tag_group_{{ env }}_webserver
  ignore_unreachable: true
  strategy: free
  gather_facts: False

  vars_files:
  - group_vars/all.yml

  vars:
    users:
      - frodo
      - sam
      - gollum

  tasks:
  - name: "Remove from authorized keys"
    authorized_key:
      user: "{{ item }}"
      key: "{{ lookup('file', '~/.ssh/lintel/'+ item + '.pub') }}"
      state: absent
    loop: "{{ users }}"

  - name: "Remove the users' keys from root's authorized keys"
    authorized_key:
      user: root
      key: "{{ lookup('file', '~/.ssh/lintel/'+ item + '.pub') }}"
      state: absent
    loop: "{{ users }}"

  - name: Remove users
    user:
      name: "{{ item }}"
      remove: yes        # also delete the home directory and mail spool
      state: absent
    loop: "{{ users }}"

Running:

$ ENV=prod; ansible-playbook -i inventories/$ENV --extra-vars "env=$ENV" deauthorize_users.yml

how to manage airpods on linux

This article shows how to manage AirPods and AirPods Pro on Linux.

It uses PulseAudio and the oFono telephony service for the A2DP and HSP/HFP profiles.

Let's start.

1. Dependencies

sudo add-apt-repository ppa:smoser/bluetooth  
sudo apt-get install ofono-phonesim ofono  
git clone https://github.com/rilmodem/ofono.git /opt/ofono

2. Download the script

wget https://raw.githubusercontent.com/AkhilJalagam/pulseaudio-airpods/master/pulseaudio-airpods

3. Tweak the script for first time

replace MAC and card name in the script

AIRPODS_MAC='4C:6B:E8:80:46:84' # it should be somewhere in blueman-manager  
AIRPODS_NAME='bluez_card.4C_6B_E8_80_46_84' # you can find this using 'pactl list cards' command

4. Usage

pulseaudio-airpods connect/toggle_profile/disconnect

Note

You should first pair your AirPods with blueman-manager and trust them before using this script.

References

https://github.com/AkhilJalagam/pulseaudio-airpods

https://github.com/AkhilJalagam/i3blocks-airpods

Speed up SSH with multiplexing

SSH multiplexing is the ability to carry multiple SSH sessions over a single TCP connection.

OpenSSH can reuse an existing TCP connection for multiple concurrent SSH sessions, which removes the overhead of creating a new TCP connection for each one.

The advantage of SSH multiplexing is that it speeds up operations that rely on or occur over SSH. For example, say you use SSH to regularly execute a command on a remote host. Without multiplexing, every time that command is executed your SSH client must establish a new TCP connection and a new SSH session with the remote host. With multiplexing, you can configure SSH to establish a single TCP connection that is kept alive for a specific period of time, and SSH sessions are established over that connection.

You can see the difference below.

Without multiplexing, we see the normal connection time:

$ time ssh lintel-blog

real    0m0.658s
user    0m0.016s
sys     0m0.008s

Then we do the same thing again, but with a multiplexed connection, to see a faster result:

$ time ssh lintel-blog

real    0m0.029s
user    0m0.004s
sys     0m0.004s

Configure Multiplexing

The OpenSSH client has supported multiplexing its outgoing connections since version 3.9, using the ControlMaster, ControlPath and ControlPersist directives in ssh_config. The per-user client configuration file is usually ~/.ssh/config.

ControlMaster determines whether ssh will listen for control connections and what to do about them. ControlPath sets the location of the control socket used by the multiplexed sessions. Both can be set globally or per host in ssh_config, or given on the command line at run time. Control sockets are removed automatically when the master connection ends. ControlPersist works together with ControlMaster: if it is set to 'yes', the master connection stays open in the background to accept new sessions until it is killed explicitly, closed with -O, or a pre-defined timeout elapses. If it is set to a time, the master connection stays open for that time or until the last multiplexed session is closed, whichever is longer.

Here is a sample excerpt from ssh_config applicable for starting a multiplexed session to server1.example.org via the shortcut server1.

Host server1
  HostName server1.example.org
  ControlPath ~/.ssh/controlmasters/%r@%h:%p
  ControlMaster auto
  ControlPersist 10m
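ssh does not create the ControlPath directory for you, and anyone who can open the control socket can start new sessions on the master connection without authenticating again, so the directory must exist before the first connection and must be private to you. The following Python 3 helper is an added example, not from the original post or from OpenSSH; it takes the directory from the ControlPath line above and applies a policy that is an assumption here (mode 0700, owned by the invoking user, not a symlink).

```python
import os
import stat
import tempfile


def control_dir_from_path(control_path):
    """Directory that must hold the socket for a ControlPath such as
    ~/.ssh/controlmasters/%r@%h:%p (the %-tokens only name the socket file)."""
    return os.path.dirname(os.path.expanduser(control_path))


def ensure_control_dir(directory):
    """Create the socket directory with mode 0700 if it is missing, then
    verify it is safe to use. Returns a list of problems; [] means usable."""
    if not os.path.lexists(directory):
        os.makedirs(directory, mode=0o700)
        os.chmod(directory, 0o700)  # makedirs' mode is subject to the umask
    problems = []
    st = os.lstat(directory)       # lstat: do not follow a planted symlink
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    elif not stat.S_ISDIR(st.st_mode):
        problems.append("is not a directory")
    if st.st_uid != os.getuid():
        problems.append("owned by uid %d, not the current user" % st.st_uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other permission bits set (mode %o)"
                        % (st.st_mode & 0o777))
    return problems


def demo():
    """Exercise the check in a scratch directory: an over-permissive
    directory, the same directory after fixing it, and a fresh one."""
    base = tempfile.mkdtemp()
    loose = os.path.join(base, "controlmasters")
    os.mkdir(loose)
    os.chmod(loose, 0o755)          # a typical default that is too open
    before = ensure_control_dir(loose)
    os.chmod(loose, 0o700)
    after = ensure_control_dir(loose)
    fresh = ensure_control_dir(os.path.join(base, "new", "controlmasters"))
    return {"before": before, "after": after, "fresh": fresh}


if __name__ == "__main__":
    target = control_dir_from_path("~/.ssh/controlmasters/%r@%h:%p")
    print(target, ensure_control_dir(target) or "ok")
```

Run it once before relying on the Host server1 entry; an empty problem list means ssh can create its socket there and nobody else on the machine can reach it.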

 

How to install jitsi meet on CentOS 7

Jitsi is a set of Open Source projects that allows you to easily build and deploy secure videoconferencing solutions.

Jitsi Meet is a fully encrypted, 100% Open Source video conferencing solution that you can use all day, every day, for free — with no account needed.

1. Architecture

A Jitsi Meet installation can be broken down into the following components:

  • A web interface
  • An XMPP server
  • A conference focus component
  • A video router (could be more than one)
  • A SIP gateway for audio calls
  • A Broadcasting Infrastructure for recording or streaming a conference.

The diagram shows a typical deployment in a host running Docker. This project separates each of the components above into interlinked containers. To this end, several container images are provided.

2. Ports

The following external ports must be opened on a firewall:

  • 80/tcp for Web UI HTTP (really just to redirect, after uncommenting ENABLE_HTTP_REDIRECT=1 in .env)
  • 443/tcp for Web UI HTTPS
  • 4443/tcp for RTP media over TCP
  • 10000/udp for RTP media over UDP

Also 20000-20050/udp for jigasi, in case you choose to deploy that to facilitate SIP access.

E.g. on a CentOS server this would be done like this (without SIP access):

    $ sudo firewall-cmd --permanent --add-port=80/tcp
    $ sudo firewall-cmd --permanent --add-port=443/tcp
    $ sudo firewall-cmd --permanent --add-port=4443/tcp
    $ sudo firewall-cmd --permanent --add-port=10000/udp
    $ sudo firewall-cmd --reload

3. Configuration

The configuration is performed via environment variables contained in a .env file. You can copy the provided env.example file as a reference.

a. Jibri Module Setup

Before running Jibri, you need to set up an ALSA loopback device on the host. This will not work on a non-Linux host.

For CentOS 7, the module is already compiled with the kernel, so just run:

# configure 5 capture/playback interfaces
echo "options snd-aloop enable=1,1,1,1,1 index=0,1,2,3,4" > /etc/modprobe.d/alsa-loopback.conf
# setup autoload the module
echo "snd_aloop" > /etc/modules-load.d/snd_aloop.conf
# load the module
modprobe snd-aloop
# check that the module is loaded
lsmod | grep snd_aloop

b. Installation

  • Clone the repository:

git clone https://github.com/jitsi/docker-jitsi-meet && cd docker-jitsi-meet

  • Create a .env file by copying and adjusting env.example:
    • cp env.example .env
  • Set strong passwords in the security section of the .env file by running the provided bash script:
    • ./gen-passwords.sh
  • Create the required config directories:
    • mkdir -p ~/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}
  • Run docker-compose up -d
  • Access the web UI at https://domain.com (or a different port, in case you edited the compose file).

If you want to use jigasi too, first configure your env file with SIP credentials and then run Docker Compose as follows: docker-compose -f docker-compose.yml -f jigasi.yml up

If you want to enable document sharing via Etherpad, configure it and run Docker Compose as follows: docker-compose -f docker-compose.yml -f etherpad.yml up

If you want to use jibri too, first configure a host as described in JItsi BRoadcasting Infrastructure configuration section and then run Docker Compose as follows: docker-compose -f docker-compose.yml -f jibri.yml up -d or to use jigasi too: docker-compose -f docker-compose.yml -f jigasi.yml -f jibri.yml up -d

Running behind NAT or on a LAN environment

If running in a LAN environment (as well as on the public Internet, via NAT) is a requirement, DOCKER_HOST_ADDRESS should be set. This way the Videobridge advertises the IP address of the host running Docker instead of the internal IP address that Docker assigned to it, so ICE can succeed. If your users come in over the Internet (and not over the LAN), this will likely be your public IP address. If this is not set up correctly, calls will crash when more than two users join a meeting.

The public IP address is discovered via STUN. STUN servers can be specified with the JVB_STUN_SERVERS option.

How to fix missing foreign keys and/or indexes – AWS DMS

AWS Database Migration Service (DMS) helps you migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime for applications that rely on it. DMS can migrate your data to and from most widely used commercial and open-source databases.

The Database Migration Service is a data mover. It creates only the structures required to migrate your data, mainly for performance reasons. It does not migrate secondary indexes, default values, procedures, triggers, auto-increment columns, etc. These objects need to be created after migrating the data (and typically before switching the application over).

This can be fixed by importing the schema manually.

Problem

missing foreign keys and/or indexes

Solution

To fix missing foreign keys and indexes, follow these steps:

  1. Import the database schema manually into RDS.
  2. Set "Target table preparation mode" to "Truncate".

Using JSON: (screenshot of the task settings JSON not reproduced here)

Using the DMS GUI: (screenshot of the task settings page not reproduced here)

Now run the task.

You will see all foreign keys and indexes in target (RDS).
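As an added example (not from the original post or from AWS), here is a small Python 3 check of the task settings JSON that the "Using JSON" step edits. It assumes the FullLoadSettings.TargetTablePrepMode key and its three values (DO_NOTHING, DROP_AND_CREATE, TRUNCATE_BEFORE_LOAD) from the DMS task settings document, and works on a constructed sample document. It flags DROP_AND_CREATE, because that mode rebuilds the tables and so throws away the schema you just imported by hand, and it produces a corrected copy with the mode set to TRUNCATE_BEFORE_LOAD.

```python
import copy
import json

VALID_MODES = ("DO_NOTHING", "DROP_AND_CREATE", "TRUNCATE_BEFORE_LOAD")

# Constructed sample of a task-settings document, reduced to the keys used here.
SAMPLE_TASK_SETTINGS = json.loads("""
{
  "FullLoadSettings": {
    "TargetTablePrepMode": "DROP_AND_CREATE",
    "CreatePkAfterFullLoad": false
  }
}
""")


def check_prep_mode(settings):
    """Return a finding (str) if the mode would discard a manually imported
    schema, or None if the task leaves the existing table definitions alone."""
    mode = settings.get("FullLoadSettings", {}).get("TargetTablePrepMode")
    if mode not in VALID_MODES:
        return "unknown or missing TargetTablePrepMode: %r" % (mode,)
    if mode == "DROP_AND_CREATE":
        return ("DROP_AND_CREATE recreates each target table from the migrated "
                "columns, so foreign keys and secondary indexes imported by "
                "hand are lost")
    return None


def with_truncate_mode(settings):
    """Return a copy of the settings with the mode set to TRUNCATE_BEFORE_LOAD;
    the caller's document is left untouched."""
    updated = copy.deepcopy(settings)
    updated.setdefault("FullLoadSettings", {})["TargetTablePrepMode"] = "TRUNCATE_BEFORE_LOAD"
    return updated


if __name__ == "__main__":
    print(check_prep_mode(SAMPLE_TASK_SETTINGS))
    print(json.dumps(with_truncate_mode(SAMPLE_TASK_SETTINGS), indent=2))
```

Feed it the task settings you are about to apply (for example the JSON exported from the console) and only run the task once check_prep_mode returns None.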

How to install Ansible AWX on centos 7

Ansible Tower (formerly 'AWX') is a web-based solution that makes Ansible even easier to use for IT teams of all kinds. It's designed to be the hub for all of your automation tasks.

Tower allows you to control access to who can access what, even allowing sharing of SSH credentials without someone being able to transfer those credentials. Inventory can be graphically managed or synced with a wide variety of cloud sources. It logs all of your jobs, integrates well with LDAP, and has an amazing browsable REST API. Command line tools are available for easy integration with Jenkins as well. Provisioning callbacks provide great support for autoscaling topologies.

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is the upstream project for Tower, a commercial derivative of AWX.

Prerequisites

Before you can run a deployment, you’ll need the following installed in your local environment:

System Requirements

The system that runs the AWX service will need to satisfy the following requirements

  • At least 4GB of memory
  • At least 2 cpu cores
  • At least 20GB of space
  • Running Docker, Openshift, or Kubernetes
  • If you choose to use an external PostgreSQL database, please note that the minimum version is 10+.

Installation steps:

1. Install Dependencies

yum install -y epel-release
yum remove python-docker-py
yum install -y yum-utils device-mapper-persistent-data lvm2 ansible git python-devel python-pip python-docker-py vim-enhanced
pip install cryptography
pip install jsonschema
pip install docker-compose~=1.23.0
pip install docker --upgrade

2. Install docker

Configure the Docker CE stable repository:

yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

Install Docker:

yum install docker-ce -y

Start the Docker service:

systemctl start docker

Enable the Docker service:

systemctl enable docker

3. Deploy AWX

Clone the AWX repo:

git clone https://github.com/ansible/awx.git

Clone the commercial logos:

cd awx/
git clone https://github.com/ansible/awx-logos.git

Configure AWX by editing the inventory file and setting awx_official:

cd installer/
vim inventory
awx_official=true

Deploy AWX:

ansible-playbook -i inventory install.yml -vv

Check the status:

docker ps -a

AWX is ready and can be accessed from the browser.

http://ipaddress:80/

The default username is "admin" and the password is "password".

Final checks:

  1. Verify that the service is listening with ss -tlnp | grep 80
  2. Make sure your firewall allows port 80
  3. Make sure your OS is using Python 3.6+ and pip3

References:

https://github.com/ansible/awx/blob/devel/INSTALL.md


How to setup SOCKS proxy in Linux

A SOCKS server is a general-purpose proxy server that establishes a TCP connection to another server on behalf of a client, then relays all traffic back and forth between the client and the server. It works for any network protocol on any port. SOCKS version 5 adds support for authentication and UDP.

SOCKS is commonly used as a circumvention tool, allowing traffic to bypass Internet filtering and reach content otherwise blocked, e.g., by governments, workplaces, schools, and country-specific web services.

Using SSH

SOCKS proxies can be created without any special SOCKS proxy software if you have OpenSSH installed on your server and an SSH client with dynamic tunnelling support installed on your client computer.

ssh -D 1080 user@<IP Address or Domain of your Server>

Now, enter your password and make sure to leave the Terminal window open. You have now created a SOCKS proxy at localhost:1080. Only close this window if you wish to disable your local SOCKS proxy.

Using Microsocks program

MicroSocks is a multithreaded, small, efficient SOCKS5 server.

It's very lightweight, and very light on resources too:

For every client, a thread with a stack size of 8KB is spawned. The main process basically doesn't consume any resources at all.

The only limits are the number of file descriptors and the RAM.

It's also designed to be robust: it handles resource exhaustion gracefully by simply denying new connections, instead of calling abort() as most other programs do these days.

Another plus is ease of use: no config file is necessary, everything can be done from the command line, and it doesn't even need any parameters for a quick setup.

Installing microsocks

git clone https://github.com/rofl0r/microsocks.git
cd microsocks
make

Starting socks service

microsocks -1 -i listenip -p port -u user -P password -b bindaddr

All arguments are optional. By default listenip is 0.0.0.0 and port is 1080.

Option -1 activates auth_once mode: once a specific IP address has authenticated successfully with user/pass, it is added to a whitelist and may use the proxy without auth. This is handy for programs like Firefox that don't support user/pass auth. For it to work you basically make one connection with another program that supports it, and then you can use Firefox too.
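ssh -D binds the SOCKS port to localhost by default, whereas microsocks listens on 0.0.0.0 with no authentication unless -i or -u/-P are given, which makes the host an open proxy for anything that can reach it. The following Python 3 audit is an added example, not from the original post, microsocks or AWX: it parses ss -tlnp output and reports listeners bound to a wildcard address, and the same parse answers the AWX final check above (ss -tlnp | grep 80). The ss output it runs on is constructed inline, and it assumes the column layout iproute2 prints (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process).

```python
import re

# Constructed `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128           0.0.0.0:1080        0.0.0.0:*      users:(("microsocks",pid=2211,fd=3))
LISTEN  0       128         127.0.0.1:1081        0.0.0.0:*      users:(("ssh",pid=3344,fd=5))
LISTEN  0       4096          0.0.0.0:80          0.0.0.0:*      users:(("docker-proxy",pid=4455,fd=4))
LISTEN  0       128              [::]:22             [::]:*      users:(("sshd",pid=910,fd=3))
"""

# Local-address forms that mean "every interface".
WILDCARDS = {"0.0.0.0", "[::]", "::", "*"}
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Parse listening sockets out of `ss -tlnp` output into dicts."""
    entries = []
    for line in text.splitlines()[1:]:        # skip the header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)  # rsplit: IPv6 addresses contain colons
        m = PROC_RE.search(line)
        entries.append({
            "addr": addr,
            "port": int(port),
            "process": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
            "exposed": addr in WILDCARDS,
        })
    return entries


def exposed_listeners(entries):
    """Listeners bound to every interface, i.e. reachable from the network."""
    return [e for e in entries if e["exposed"]]


def listening_on(entries, port):
    """True if anything listens on the port (the AWX 'ss -tlnp | grep 80' check)."""
    return any(e["port"] == port for e in entries)


if __name__ == "__main__":
    for e in exposed_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        print("%s (pid %s) listens on %s:%d for the whole network"
              % (e["process"], e["pid"], e["addr"], e["port"]))
```

On a real host, pipe the live output in (for example parse_ss(subprocess.check_output(["ss", "-tlnp"], text=True))) and treat any SOCKS listener in exposed_listeners that was not meant to be public as a finding; in the sample, the ssh -D tunnel on 127.0.0.1 is correctly absent from that list.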

How to protect files from overwriting with noclobber in bash

This tip is for people who have ever hosed important files by using > when they meant to use >>. Add the following line to .bashrc:

set -o noclobber

The noclobber option prevents you from overwriting existing files with the > operator.

If the redirection operator is ‘>’, and the noclobber option to the set builtin has been enabled, the redirection will fail if the file whose name results from the expansion of word exists and is a regular file. If the redirection operator is ‘>|’, or the redirection operator is ‘>’ and the noclobber option is not enabled, the redirection is attempted even if the file named by word exists.

Example:

$ echo "Hello, world" >file.txt
$ cat file.txt
Hello, world
$ echo "This will overwrite the first greeting." >file.txt
$ cat file.txt
This will overwrite the first greeting.
$ set -o noclobber
$ echo "Can we overwrite it again?" >file.txt
-bash: file.txt: cannot overwrite existing file
$ echo "But we can use the >| operator to ignore the noclobber." >|file.txt
$ cat file.txt # Successfully overwrote the contents of file.txt using the >| operator
But we can use the >| operator to ignore the noclobber.
$ set +o noclobber # Changes setting back
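The same protection inside a program: Python's open(path, "x") asks the kernel for O_CREAT|O_EXCL, so the existence check and the creation are one atomic syscall, and an existing file (or a symlink planted at that path) is never truncated. The following is an added example, not from the original post; it replays the session above in a temporary directory that it creates itself.

```python
import os
import tempfile


def write_new_file(path, text):
    """Write text to a file that must not exist yet. Mode "x" opens with
    O_CREAT|O_EXCL, so the check and the create are one atomic step.
    Returns True on success, False if the path already exists."""
    try:
        with open(path, "x") as fh:
            fh.write(text)
        return True
    except FileExistsError:
        return False


def overwrite_file(path, text):
    """The >| equivalent: deliberately replace whatever is there."""
    with open(path, "w") as fh:
        fh.write(text)


def read_file(path):
    with open(path) as fh:
        return fh.read()


def demo():
    """Replay the shell session above inside a scratch directory."""
    path = os.path.join(tempfile.mkdtemp(), "file.txt")
    first = write_new_file(path, "Hello, world\n")
    second = write_new_file(path, "Can we overwrite it again?\n")   # refused
    kept = read_file(path)                                          # still the greeting
    overwrite_file(path, "But we can use the >| operator to ignore the noclobber.\n")
    return first, second, kept, read_file(path)


if __name__ == "__main__":
    print(demo())
```

Unlike a separate os.path.exists() check followed by open(path, "w"), there is no window between the two in which another process can swap the file out from under you.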

 


Manhole service in Twisted Application.

What is Manhole?

Manhole is an in-process service that accepts UNIX domain socket connections and presents the stack traces for all threads and an interactive prompt.

Using it we can access and modify objects or definitions in the running application: change or add a method in any class, or change the definition of any method of a class or module.

This lets us make modifications to a running application without restarting it, which makes work such as debugging easier: you can inspect the values of objects while the program is running.

How to configure it?

from twisted.internet import reactor
from twisted.conch import manhole, manhole_ssh
from twisted.conch.ssh.keys import Key
from twisted.cred import portal, checkers

# Sample state that the manhole session below reads and modifies.
DATA = {"Service": "Manhole"}


def get_manhole_factory(namespace, **passwords):
    """Build an SSH server factory whose shells run in `namespace`."""

    def get_manhole(arg):
        # One interactive, colour-capable Python shell per SSH session.
        return manhole.ColoredManhole(namespace)

    realm = manhole_ssh.TerminalRealm()
    realm.chainedProtocolFactory.protocolFactory = get_manhole
    p = portal.Portal(realm)
    # Static username/password list; as the class name says, only for demos.
    p.registerChecker(checkers.InMemoryUsernamePasswordDatabaseDontUse(**passwords))
    f = manhole_ssh.ConchFactory(p)
    # Host key pair used by the SSH server; key type names are bytes.
    f.publicKeys = {b"ssh-rsa": Key.fromFile("keys/manhole.pub")}
    f.privateKeys = {b"ssh-rsa": Key.fromFile("keys/manhole")}
    return f


# Expose the module globals (including DATA) through the manhole on port 2222.
reactor.listenTCP(2222, get_manhole_factory(globals(), admin='admin'))
reactor.run()

Once you run the snippet above, the service starts on TCP port 2222.

Use the ssh command to log in to the service.

Below is what it looks like.

[lalit : ~]₹ ssh admin@localhost -p 2222
admin@localhost's password:
>>> dir() 
['DATA', '__builtins__', '__doc__', '__file__', '__name__', '__package__', 'checkers', 'get_manhole_factory', 'manhole', 'manhole_ssh', 'portal', 'reactor'] 
>>> DATA 
{'Service': 'Manhole'}
>>> DATA['Service'] = "Edited" 
>>> DATA 
{'Service': 'Edited'}
[lalit : ~]₹ ssh admin@localhost -p 2222
admin@localhost's password: 
>>> dir() 
['DATA', '__builtins__', '__doc__', '__file__', '__name__', '__package__', 'checkers', 'get_manhole_factory', 'manhole', 'manhole_ssh', 'portal', 'reactor'] 
>>> DATA 
{'Service': 'Edited'} 

In the first login we change the value in the DATA dictionary of the running application; as we can see, we get the new value in the second login.

Simple port scanner in python

A port scanner is an application designed to probe a server or host for open ports. Such an application may be used by administrators to verify the security policies of their networks, and by attackers to identify network services running on a host and exploit vulnerabilities.

port-scanner.py

#!/usr/bin/env python3
from socket import socket, gethostbyname, AF_INET, SOCK_STREAM

if __name__ == '__main__':
    target = input('Enter host to scan: ')
    targetIP = gethostbyname(target)
    print('Starting scan on host', targetIP)

    # scan the reserved (well-known) port range
    for i in range(20, 1025):
        s = socket(AF_INET, SOCK_STREAM)
        # without a timeout a filtered port can stall the loop for minutes
        s.settimeout(0.5)

        # connect_ex returns 0 on success and an errno instead of raising
        result = s.connect_ex((targetIP, i))

        if result == 0:
            print('Port %d: OPEN' % i)
        s.close()
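The flip side for a defender is spotting a sweep like this in logs. The following Python 3 detector is an added example, not part of the original post; it reads lines in the shape of an iptables LOG entry (timestamp, SRC=, DST=, DPT=), constructed inline rather than captured, and raises one alert per source/destination pair that touches at least 15 distinct ports within 60 seconds. Both thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque

# Fields this detector needs from an iptables-style LOG line.
LINE_RE = re.compile(
    r"^(?P<ts>\d+) .*\bSRC=(?P<src>\S+) DST=(?P<dst>\S+) .*\bDPT=(?P<dpt>\d+)")


def _build_sample_log():
    """Constructed log, not captured traffic: one host sweeps ports 20-49 of
    a server over 30 seconds while another host only ever talks to port 443."""
    lines = []
    for i, port in enumerate(range(20, 50)):
        lines.append("%d IN=eth0 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=%d DPT=%d SYN"
                     % (1700000000 + i, 41000 + i, port))
    for i in range(5):
        lines.append("%d IN=eth0 SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=%d DPT=443 SYN"
                     % (1700000000 + 10 * i, 52000 + i))
    lines.sort(key=lambda l: int(l.split()[0]))
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _build_sample_log()


def detect_scans(log_text, window=60, threshold=15):
    """Return one alert per (src, dst) pair that connects to at least
    `threshold` distinct destination ports within `window` seconds.
    A sliding window per pair keeps memory bounded to recent events."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dpt), oldest first
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # unrelated or malformed line
        ts, dpt = int(m.group("ts")), int(m.group("dpt"))
        key = (m.group("src"), m.group("dst"))
        q = recent[key]
        q.append((ts, dpt))
        while q and ts - q[0][0] > window:
            q.popleft()             # expire events outside the window
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)        # report each pair once
            alerts.append({"src": key[0], "dst": key[1],
                           "distinct_ports": len(distinct),
                           "first_seen": q[0][0], "last_seen": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print("possible port scan: %(src)s -> %(dst)s, %(distinct_ports)d ports "
              "between %(first_seen)d and %(last_seen)d" % a)
```

Counting distinct destination ports rather than raw connection attempts is what separates the sweep from the second host, which hits one port repeatedly and never trips the threshold.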
