Category Archives: shell

How To Import and Export Databases in MySQL

June 1, 2021Database, How To, shellbackup, mysqlAkhil Jalagam

MySQL is an open-source relational database management system. Its name is a combination of “My”, the name of co-founder Michael Widenius’s daughter, and “SQL”, the abbreviation for Structured Query Language.

A relational database organizes data into one or more data tables in which data types may be related to each other; these relations help structure the data. SQL is a language programmers use to create, modify and extract data from the relational database, as well as control user access to the database. In addition to relational databases and SQL, an RDBMS like MySQL works with an operating system to implement a relational database in a computer’s storage system, manages users, allows for network access and facilitates testing database integrity and creation of backups.

What is mysql?

mysql is a simple SQL shell (with GNU readline capabilities). It supports interactive and
non-interactive use. When used interactively, query results are presented in an ASCII-table format.
When used non-interactively (for example, as a filter), the result is presented in tab-separated
format. The output format can be changed using command options.

What is mysqldump?

The mysqldump client is a backup program originally written by Igor Romanenko. It can be used to dump
a database or a collection of databases for backup or transfer to another SQL server (not necessarily
a MariaDB server). The dump typically contains SQL statements to create the table, populate it, or
both. However, mysqldump can also be used to generate files in CSV, other delimited text, or XML
format.

Export a MySQL Database

Use mysqldump to export your database:

mysqldump -u username -p database_name > database_name-dump.sql

1	mysqldump -u username -p database_name > database_name-dump.sql

You can compress the data on the run using pipe and gzip.

mysqldump -u username -p database_name | gzip > database_name-dump.sql.gz

1	mysqldump -u username -p database_name \| gzip > database_name-dump.sql.gz

*Using GZIP will save a lot of space on disk for huge databases.

Import a MySQL Database

Use mysql to import your database:

Create the database first.

mysql > CREATE DATABASE database_name;

1	mysql > CREATE DATABASE database_name;

Import the database now.

mysql -u username -p database_name &lt; database_name-dump.sql

1	mysql -u username -p database_name < database_name-dump.sql

If the file is compressed with gzip. use zcat to extract on the run.

zcat database_name-dump.sql.gz | mysql -u username -p database_name

1	zcat database_name-dump.sql.gz \| mysql -u username -p database_name

Handy scripts for admins who do backups daily

bkpmysqlgz() {
    set -x
    DEST=${1:-/opt/backups}
    shift
    sudo mkdir -p $DEST
    DATE=$(DATE)
    if command -v pv > /dev/null 2>&amp;1; then
        sudo mysqldump $@ | pv | gzip > $DEST/"${@: -1}"-$DATE.sql.gz
    else
        sudo mysqldump $@ | gzip > $DEST/"${@: -1}"-$DATE.sql.gz
    fi
    ls -lh $DEST/"${@: -1}"-$DATE.sql.gz
    set +x
}

bkpmysqlgz() {

set -x

DEST=${1:-/opt/backups}

shift

sudo mkdir -p $DEST

DATE=$(DATE)

if command -v pv > /dev/null 2>&1; then

sudo mysqldump $@ | pv | gzip > $DEST/"${@: -1}"-$DATE.sql.gz

else

sudo mysqldump $@ | gzip > $DEST/"${@: -1}"-$DATE.sql.gz

ls -lh $DEST/"${@: -1}"-$DATE.sql.gz

set +x

}

using script.

$ bkpmysqlgz /opt/backups -u root -p secret dbname

1	$ bkpmysqlgz /opt/backups -u root -p secret dbname

How to whitelist Google IP address ranges in firewall using iptables

May 8, 2021begginers, Cloud Computing, How To, internet, linux, networking, security, shellfirewall, google, linux, whitelistAkhil Jalagam

As an administrator, when you need to obtain a range of IP addresses for Google APIs and services’ default domains, you can refer to the following sources of information.

The complete list of IP ranges that it announces to the internet. Learn more
A list of Google Cloud customer-usable global and regional external IP address ranges. Learn more

The default domains’ IP address ranges for Google APIs and services fit within the list of ranges between these 2 sources. (Subtract the usable ranges from the complete list.)

Once you get the IP address ranges, use the xargs command to update iptables.

google-ips-whitelist.sh

echo "8.8.4.0/24
8.8.8.0/24
8.34.208.0/20
8.35.192.0/20
23.236.48.0/20
23.251.128.0/19
34.64.0.0/10
34.128.0.0/10
35.184.0.0/13
35.192.0.0/14
35.196.0.0/15
35.198.0.0/16
35.199.0.0/17
35.199.128.0/18
35.200.0.0/13
35.208.0.0/12
35.224.0.0/12
35.240.0.0/13
64.15.112.0/20
64.233.160.0/19
66.102.0.0/20
66.249.64.0/19
70.32.128.0/19
72.14.192.0/18
74.114.24.0/21
74.125.0.0/16
104.154.0.0/15
104.196.0.0/14
104.237.160.0/19
107.167.160.0/19
107.178.192.0/18
108.59.80.0/20
108.170.192.0/18
108.177.0.0/17
130.211.0.0/16
136.112.0.0/12
142.250.0.0/15
146.148.0.0/17
162.216.148.0/22
162.222.176.0/21
172.110.32.0/21
172.217.0.0/16
172.253.0.0/16
173.194.0.0/16
173.255.112.0/20
192.158.28.0/22
192.178.0.0/15
193.186.4.0/24
199.36.154.0/23
199.36.156.0/24
199.192.112.0/22
199.223.232.0/21
207.223.160.0/20
208.65.152.0/22
208.68.108.0/22
208.81.188.0/22
208.117.224.0/19
209.85.128.0/17
216.58.192.0/19
216.73.80.0/20
216.239.32.0/19" | xargs -I% iptables -I INPUT -p tcp -s % -j ACCEPT

echo "8.8.4.0/24

8.8.8.0/24

8.34.208.0/20

8.35.192.0/20

23.236.48.0/20

23.251.128.0/19

34.64.0.0/10

34.128.0.0/10

35.184.0.0/13

35.192.0.0/14

35.196.0.0/15

35.198.0.0/16

35.199.0.0/17

35.199.128.0/18

35.200.0.0/13

35.208.0.0/12

35.224.0.0/12

35.240.0.0/13

64.15.112.0/20

64.233.160.0/19

66.102.0.0/20

66.249.64.0/19

70.32.128.0/19

72.14.192.0/18

74.114.24.0/21

74.125.0.0/16

104.154.0.0/15

104.196.0.0/14

104.237.160.0/19

107.167.160.0/19

107.178.192.0/18

108.59.80.0/20

108.170.192.0/18

108.177.0.0/17

130.211.0.0/16

136.112.0.0/12

142.250.0.0/15

146.148.0.0/17

162.216.148.0/22

162.222.176.0/21

172.110.32.0/21

172.217.0.0/16

172.253.0.0/16

173.194.0.0/16

173.255.112.0/20

192.158.28.0/22

192.178.0.0/15

193.186.4.0/24

199.36.154.0/23

199.36.156.0/24

199.192.112.0/22

199.223.232.0/21

207.223.160.0/20

208.65.152.0/22

208.68.108.0/22

208.81.188.0/22

208.117.224.0/19

209.85.128.0/17

216.58.192.0/19

216.73.80.0/20

216.239.32.0/19" | xargs -I% iptables -I INPUT -p tcp -s % -j ACCEPT

how to manage airpods on linux

July 21, 2020begginers, How To, linux, shellairpods, airpodspro, linuxAkhil Jalagam

This article guides you on how to manage airpods and airpods pro on linux.

It uses pulseaudio and ofono telephony service for A2DP, HSP/HFP profiles.

Lets start…

1. Dependencies

sudo add-apt-repository ppa:smoser/bluetooth  
sudo apt-get install ofono-phonesim ofono  
git clone https://github.com/rilmodem/ofono.git /opt/ofono

sudo add-apt-repository ppa:smoser/bluetooth

sudo apt-get install ofono-phonesim ofono

git clone https://github.com/rilmodem/ofono.git /opt/ofono

2. Download the script

wget https://raw.githubusercontent.com/AkhilJalagam/pulseaudio-airpods/master/pulseaudio-airpods

1	wget https://raw.githubusercontent.com/AkhilJalagam/pulseaudio-airpods/master/pulseaudio-airpods

3. Tweak the script for first time

replace MAC and card name in the script

AIRPODS_MAC='4C:6B:E8:80:46:84' # it should be somewhere in blueman-manager  
AIRPODS_NAME='bluez_card.4C_6B_E8_80_46_84' # you can find this using 'pactl list cards' command

1 2	AIRPODS_MAC='4C:6B:E8:80:46:84' # it should be somewhere in blueman-manager AIRPODS_NAME='bluez_card.4C_6B_E8_80_46_84' # you can find this using 'pactl list cards' command

4. Usage

pusleaudio-airpods connect/toggle_profile/disconnect

1	pusleaudio-airpods connect/toggle_profile/disconnect

Note

you should first pair your airpods using blueman-manager and trust them to use this script

References

https://github.com/AkhilJalagam/pulseaudio-airpods

https://github.com/AkhilJalagam/i3blocks-airpods

Speed up SSH with multiplexing

July 4, 2020begginers, How To, internet, linux, networking, shellmultiplex, sshAkhil Jalagam

SSH multiplexing is the ability to carry multiple SSH sessions over a single TCP connection.

OpenSSH can reuse an existing TCP connection for multiple concurrent SSH sessions. This results into reduction of the overhead of creating new TCP connections.

Advantage of using SSH multiplexing is that it speeds up certain operations that rely on or occur over SSH. For example, let’s say that you’re using SSH to regularly execute a command on a remote host. Without multiplexing, every time that command is executed your SSH client must establish a new TCP connection and a new SSH session with the remote host. With multiplexing, you can configure SSH to establish a single TCP connection that is kept alive for a specific period of time, and SSH sessions are established over that connection.

You can see the difference below

without multiplexing, we see the normal connection time:

$ time ssh lintel-blog

real    0m0.658s
user    0m0.016s
sys     0m0.008s

real 0m0.658s

user 0m0.016s

sys 0m0.008s

Then we do the same thing again, but with a multiplexed connection to see a faster result:

$ time ssh lintel-blog

real    0m0.029s
user    0m0.004s
sys     0m0.004s

real 0m0.029s

user 0m0.004s

sys 0m0.004s

Configure Multiplexing

OpenSSH client supports multiplexing its outgoing connections, since version 3.9, using the ControlMaster, ControlPath and ControlPersist configuration directives which get defined in ssh_config. The client configuration file usually defaults to the location ~/.ssh/config.

ControlMaster determines whether ssh will listen for control connections and what to do about them. ControlPath sets the location for the control socket used by the multiplexed sessions. These can be either globally or locally in ssh_config or else specified at run time. Control sockets are removed automatically when the master connection has ended. ControlPersist can be used in conjunction with ControlMaster. If ControlPersist is set to ‘yes’, then it will leave the master connection open in the background to accept new connections until either killed explicitly or closed with -O or ends at a pre-defined timeout. If ControlPersist is set to a time, then it will leave the master connection open for the designated time or until the last multiplexed session is closed, whichever is longer.

Here is a sample excerpt from ssh_config applicable for starting a multiplexed session to server1.example.org via the shortcut server1.

Host server1
  HostName server1.example.org
  ControlPath ~/.ssh/controlmasters/%r@%h:%p
  ControlMaster auto
  ControlPersist 10m

Host server1

HostName server1.example.org

ControlPath ~/.ssh/controlmasters/%r@%h:%p

ControlMaster auto

ControlPersist 10m

How to install jitsi meet on CentOS 7

May 12, 2020How To, internet, linux, shelljitsi, longress, meetAkhil Jalagam

Jitsi is a set of Open Source projects that allows you to easily build and deploy secure videoconferencing solutions.

Jitsi Meet is a fully encrypted, 100% Open Source video conferencing solution that you can use all day, every day, for free — with no account needed.

1. Architecture

A Jitsi Meet installation can be broken down into the following components:

A web interface
An XMPP server
A conference focus component
A video router (could be more than one)
A SIP gateway for audio calls
A Broadcasting Infrastructure for recording or streaming a conference.

The diagram shows a typical deployment in a host running Docker. This project separates each of the components above into interlinked containers. To this end, several container images are provided.

2. Ports

The following external ports must be opened on a firewall:

80/tcp for Web UI HTTP (really just to redirect, after uncommenting ENABLE_HTTP_REDIRECT=1 in .env)
443/tcp for Web UI HTTPS
4443/tcp for RTP media over TCP
10000/udp for RTP media over UDP

Also 20000-20050/udp for jigasi, in case you choose to deploy that to facilitate SIP access.

E.g. on a CentOS server this would be done like this (without SIP access):

    $ sudo firewall-cmd --permanent --add-port=80/tcp
    $ sudo firewall-cmd --permanent --add-port=443/tcp
    $ sudo firewall-cmd --permanent --add-port=4443/tcp
    $ sudo firewall-cmd --permanent --add-port=10000/udp
    $ sudo firewall-cmd --reload

				
					
				1
2
3
4
5

						    $ sudo firewall-cmd --permanent --add-port=80/tcp
    $ sudo firewall-cmd --permanent --add-port=443/tcp
    $ sudo firewall-cmd --permanent --add-port=4443/tcp
    $ sudo firewall-cmd --permanent --add-port=10000/udp
    $ sudo firewall-cmd --reload

					

			

3. Configuration

The configuration is performed via environment variables contained in a .env file. You can copy the provided env.example file as a reference.

a. Jibri Module Setup

Before running Jibri, you need to set up an ALSA loopback device on the host. This will not work on a non-Linux host.

For CentOS 7, the module is already compiled with the kernel, so just run:

# configure 5 capture/playback interfaces
echo "options snd-aloop enable=1,1,1,1,1 index=0,1,2,3,4" &gt; /etc/modprobe.d/alsa-loopback.conf
# setup autoload the module
echo "snd_aloop" &gt; /etc/modules-load.d/snd_aloop.conf
# load the module
modprobe snd-aloop
# check that the module is loaded
lsmod | grep snd_aloop

# configure 5 capture/playback interfaces

echo "options snd-aloop enable=1,1,1,1,1 index=0,1,2,3,4" > /etc/modprobe.d/alsa-loopback.conf

# setup autoload the module

echo "snd_aloop" > /etc/modules-load.d/snd_aloop.conf

# load the module

modprobe snd-aloop

# check that the module is loaded

lsmod | grep snd_aloop

b. Installation

clone the repository:

git clone https://github.com/jitsi/docker-jitsi-meet && cd docker-jitsi-meet

Create a .env file by copying and adjusting env.example
- cp env.example .env
Set strong passwords in the security section options of .env file by running the following bash script
- ./gen-passwords.sh
Create required CONFIG directories
- mkdir -p ~/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}
Run docker-compose up -d
Access the web UI at https://domain.com (or a different port, in case you edited the compose file).

If you want to use jigasi too, first configure your env file with SIP credentials and then run Docker Compose as follows: docker-compose -f docker-compose.yml -f jigasi.yml up

If you want to enable document sharing via Etherpad, configure it and run Docker Compose as follows: docker-compose -f docker-compose.yml -f etherpad.yml up

If you want to use jibri too, first configure a host as described in JItsi BRoadcasting Infrastructure configuration section and then run Docker Compose as follows: docker-compose -f docker-compose.yml -f jibri.yml up -d or to use jigasi too: docker-compose -f docker-compose.yml -f jigasi.yml -f jibri.yml up -d

Running behind NAT or on a LAN environment
If running in a LAN environment (as well as on the public Internet, via NAT) is a requirement, the DOCKER_HOST_ADDRESS should be set. This way, the Videobridge will advertise the IP address of the host running Docker instead of the internal IP address that Docker assigned it, thus making ICE succeed. If your users are coming in over the Internet (and not over LAN), this will likely be your public IP address. If this is not set up correctly, calls will crash when more than two users join a meeting.

The public IP address is discovered via STUN. STUN servers can be specified with the JVB_STUN_SERVERS option.

Parallel command execution – Linux Cluster

April 3, 2020linux, networking, shellcluster, linux, parallel, pdshAkhil Jalagam

The pdsh parallel shell tool allows you and lets you run a shell command across multiple nodes in a cluster.

This is a high performance, parallel pdsh shell remote shell utility for admins. Chaos Pdsh is a multithreaded remote shell client which executes commands on multiple remote hosts in parallel. A parallel shell permits your clusters Linux Ubuntu RedHat to run the same similar command on many designated hosts or nodes within the hadoop cluster. In this case you do not have to really log in to each node individually.

High-performance and parallel remote shell utility with dshgroup module allows dsh on pdsh (or otherwise known as Dancer’s shell sudo) files from /etc/dsh/group directory. Now download Parallel Distributed Shell free of charge.

What is pdsh?

pdsh is a variant of the rsh(1) command. Unlike rsh(1), which runs commands on a single remote host, pdsh can run multiple remote commands in parallel. pdsh uses a “sliding window” (or fanout) of threads to conserve resources on the initiating host while allowing some connections to time out.

When pdsh receives SIGINT (ctrl-C), it lists the status of current threads. A second SIGINT within one second terminates the program. Pending threads may be canceled by issuing ctrl-Z within one second of ctrl-C. Pending threads are those that have not yet been initiated, or are still in the process of connecting to the remote host.

If a remote command is not specified on the command line, pdsh runs interactively, prompting for commands and executing them when terminated with a carriage return. In interactive mode, target nodes that time out on the first command are not contacted for subsequent commands, and commands prefixed with an exclamation point will be executed on the local system.

The core functionality of pdsh may be supplemented by dynamically loadable modules. The modules may provide a new connection protocol (replacing the standard rcmd(3) protocol used by rsh(1)), filtering options (e.g. removing hosts that are “down” from the target list), and/or host selection options (e.g., -a selects all hosts from a configuration file.). By default, pdsh must have at least one “rcmd” module loaded. See the RCMD MODULES section for more information.

Installing pdsh

Debian based:

apt install pdsh

RHEL based:

yum install pdsh

Running

The following command installs telegraf on all 4 nodes in cluster02

[akhil@PHOENIX:~]$ pdsh -w root@cluster02-node0[1-4] yum install -y telegraf

1	[akhil@PHOENIX:~]$ pdsh -w root@cluster02-node0[1-4] yum install -y telegraf

Running multiple commands

[akhil@PHOENIX:~]$ pdsh -w root@cluster02-node0[1-4] "date;sleep 5;date"

1	[akhil@PHOENIX:~]$ pdsh -w root@cluster02-node0[1-4] "date;sleep 5;date"

Pipe redirection

[akhil@PHOENIX:~]$ pdsh -w root@cluster02-node0[1-4] "chkconfig|grep collectl"

1	[akhil@PHOENIX:~]$ pdsh -w root@cluster02-node0[1-4] "chkconfig\|grep collectl"

Example

When using ssh for remote execution, expect the stderr of ssh to be folded in with that of the remote command. When invoked by pdsh, it is not possible for ssh to prompt for passwords if RSA/DSA keys are configured properly, etc.. For ssh implementations that suppport a connect timeout option, pdsh attempts to use that option to enforce the timeout (e.g. -oConnectTimeout=T for OpenSSH), otherwise connect timeouts are not supported when using ssh. Finally, there is no reliable way for pdsh to ensure that remote commands are actually terminated when using a command timeout. Thus if -u is used with ssh commands may be left running on remote hosts even after timeout has killed local ssh processes.

Output from multiple processes per node may be interspersed when using qshell or mqshell rcmd modules.

The number of nodes that pdsh can simultaneously execute remote jobs on is limited by the maximum number of threads that can be created concurrently, as well as the availability of reserved ports in the rsh and qshell rcmd modules. On systems that implement Posix threads, the limit is typically defined by the constant PTHREADS_THREADS_MAX.

How to install Ansible AWX on centos 7

January 30, 2020How To, linux, shellansible, awx, towerAkhil Jalagam

Ansible Tower (formerly ‘AWX’) is a web-based solution that makes Ansible even more easy to use for IT teams of all kinds. It’s designed to be the hub for all of your automation tasks.

Tower allows you to control access to who can access what, even allowing sharing of SSH credentials without someone being able to transfer those credentials. Inventory can be graphically managed or synced with a wide variety of cloud sources. It logs all of your jobs, integrates well with LDAP, and has an amazing browsable REST API. Command line tools are available for easy integration with Jenkins as well. Provisioning callbacks provide great support for autoscaling topologies.

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is the upstream project for Tower, a commercial derivative of AWX.

Prerequisites

Before you can run a deployment, you’ll need the following installed in your local environment:

Ansible Requires Version 2.8+
Docker
- A recent version
docker Python module
- This is incompatible with docker-py. If you have previously installed docker-py, please uninstall it.
- We use this module instead of docker-py because it is what the docker-compose Python module requires.
GNU Make
Git Requires Version 1.8.4+
Python 3.6+
Node 10.x LTS version
- This is only required if you’re building your own container images with use_container_for_build=false
NPM 6.x LTS
- This is only required if you’re building your own container images with use_container_for_build=false

System Requirements

The system that runs the AWX service will need to satisfy the following requirements

At least 4GB of memory
At least 2 cpu cores
At least 20GB of space
Running Docker, Openshift, or Kubernetes
If you choose to use an external PostgreSQL database, please note that the minimum version is 10+.

Installation steps:

1. Install Dependencies

yum install -y epel-release


yum remove python-docker-py
yum install -y yum-utils device-mapper-persistent-data lvm2 ansible git python-devel python-pip python-docker-py vim-enhanced
pip install cryptography

pip install jsonschema

pip install docker-compose~=1.23.0

pip install docker –upgrade

2. Install docker

Configure docker ce stable repository.

yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

Installing docker.

yum install docker-ce -y

Start docker service.

systemctl start docker

Enable docker service.

systemctl enable docker

3. Deploy AWX

Clone AWX repo

git clone https://github.com/ansible/awx.git

Clone commercial logos

cd awx/

git clone https://github.com/ansible/awx-logos.git

Configure AWX

cd installer/

$ vim inventory

awx_official=true

Deploy AWX

ansible-playbook -i inventory install.yml -vv

Check the status

docker ps -a

AWX is ready and can be accessed from the browser.

http://ipaddress:80/

the default username is “admin” and the password is “password”.

Final checks:

verify whether the service is started or not with ss -tlnp | grep 80
make sure your firewall is open for port 80
make sure your OS is using python 3.6+ and pip3

References:

https://github.com/ansible/awx/blob/devel/INSTALL.md

How to setup SOCKS proxy in Linux

December 24, 2019begginers, How To, internet, linux, security, shellproxy, socks5Akhil Jalagam

A SOCKS server is a general purpose proxy server that establishes a TCP connection to another server on behalf of a client, then routes all the traffic back and forth between the client and the server. It works for any kind of network protocol on any port. SOCKS Version 5 adds additional support for security and UDP.

Use of SOCKS is as a circumvention tool, allowing traffic to bypass Internet filtering to access content otherwise blocked, e.g., by governments, workplaces, schools, and country-specific web services

Using SSH

SOCKS proxies can be created without any special SOCKS proxy software if you have Open SSH installed on your server and an SSH client with dynamic tunnelling support installed on your client computer.

ssh -D 1080 user@&lt;IP Address or Domain of your Server&gt;

1 2	ssh -D 1080 user@<IP Address or Domain of your Server>

Now, enter your password and make sure to leave the Terminal window open. You have now created a SOCKS proxy at localhost:1080. Only close this window if you wish to disable your local SOCKS proxy.

Using Microsocks program

MicroSocks is a multithreaded, small, efficient SOCKS5 server.

It’s very lightweight, and very light on resources too:

for every client, a thread with a stack size of 8KB is spawned. the main process basically doesn’t consume any resources at all.

the only limits are the amount of file descriptors and the RAM.

It’s also designed to be robust: it handles resource exhaustion gracefully by simply denying new connections, instead of calling abort() as most other programs do these days.

another plus is ease-of-use: no config file necessary, everything can be done from the command line and doesn’t even need any parameters for quick setup.

Installing microsocks

git clone https://github.com/rofl0r/microsocks.git

cd microsocks

make

Starting socks service

microsocks -1 -i listenip -p port -u user -P password -b bindaddr

1 2	microsocks -1 -i listenip -p port -u user -P password -b bindaddr

all arguments are optional. by default listenip is 0.0.0.0 and port 1080.

option -1 activates auth_once mode: once a specific ip address authed successfully with user/pass, it is added to a whitelist and may use the proxy without auth. this is handy for programs like firefox that don’t support user/pass auth. for it to work you’d basically make one connection with another program that supports it, and then you can use firefox too.

Howto use ssh as VPN tunnel

November 13, 2019begginers, How To, linux, networking, security, shellssh, sshuttle, tunnel, VPNAkhil Jalagam

SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding TCP ports and X11 connections.

What is SSH Tunneling?

A tunneling protocol may, for example, allow a foreign protocol to run over a network that does not support that particular protocol, such as running IPv6 over IPv4.

SSH tunneling is a method of transporting arbitrary networking data over an encrypted SSH connection. It can be used to add encryption to legacy applications. … It also provides a way to secure the data traffic of any given application using port forwarding, basically tunneling any TCP/IP port over SSH.

sshuttle

sshuttle is not exactly a VPN, and not exactly port forwarding. It’s kind of both, and kind of neither.

It’s like a VPN, since it can forward every port on an entire network, not just ports you specify. Conveniently, it lets you use the “real” IP addresses of each host rather than faking port numbers on localhost.

On the other hand, the way it works is more like ssh port forwarding than a VPN. Normally, a VPN forwards your data one packet at a time, and doesn’t care about individual connections; ie. it’s “stateless” with respect to the traffic. sshuttle is the opposite of stateless; it tracks every single connection.

Installation

sudo pip install sshuttle

Example

$ sshuttle --dns -v -r <remote-host> 0/0

* This will forward all connections including DNS requests…

Usage

usage: sshuttle [-l [ip:]port] [-r [user@]sshserver[:port]] <subnets...>

positional arguments:
 IP/MASK[:PORT[-PORT]]...
 capture and forward traffic to these subnets
 (whitespace separated)

optional arguments:
 -h, --help show this help message and exit
 -l [IP:]PORT, --listen [IP:]PORT
 transproxy to this ip address and port number
 -H, --auto-hosts continuously scan for remote hostnames and update
 local /etc/hosts as they are found
 -N, --auto-nets automatically determine subnets to route
 --dns capture local DNS requests and forward to the remote
 DNS server
 --ns-hosts IP[,IP] capture and forward DNS requests made to the following
 servers
 --to-ns IP[:PORT] the DNS server to forward requests to; defaults to
 servers in /etc/resolv.conf on remote side if not
 given.
 --method TYPE auto, nat, nft, tproxy, pf, ipfw
 --python PATH path to python interpreter on the remote server
 -r [USERNAME@]ADDR[:PORT], --remote [USERNAME@]ADDR[:PORT]
 ssh hostname (and optional username) of remote
 sshuttle server
 -x IP/MASK[:PORT[-PORT]], --exclude IP/MASK[:PORT[-PORT]]
 exclude this subnet (can be used more than once)
 -X PATH, --exclude-from PATH
 exclude the subnets in a file (whitespace separated)
 -v, --verbose increase debug message verbosity
 -V, --version print the sshuttle version number and exit
 -e CMD, --ssh-cmd CMD
 the command to use to connect to the remote [ssh]
 --seed-hosts HOSTNAME[,HOSTNAME]
 comma-separated list of hostnames for initial scan
 (may be used with or without --auto-hosts)
 --no-latency-control sacrifice latency to improve bandwidth benchmarks
 --wrap NUM restart counting channel numbers after this number
 (for testing)
 --disable-ipv6 disable IPv6 support
 -D, --daemon run in the background as a daemon
 -s PATH, --subnets PATH
 file where the subnets are stored, instead of on the
 command line
 --syslog send log messages to syslog (default if you use
 --daemon)
 --pidfile PATH pidfile name (only if using --daemon) [./sshuttle.pid]
 --user USER apply all the rules only to this linux user
 --firewall (internal use only)
 --hostwatch (internal use only)
 --no-sudo-pythonpath do not set PYTHONPATH when invoking sudo

usage: sshuttle [-l [ip:]port] [-r [user@]sshserver[:port]] <subnets...>

positional arguments:

IP/MASK[:PORT[-PORT]]...

capture and forward traffic to these subnets

(whitespace separated)

optional arguments:

-h, --help show this help message and exit

-l [IP:]PORT, --listen [IP:]PORT

transproxy to this ip address and port number

-H, --auto-hosts continuously scan for remote hostnames and update

local /etc/hosts as they are found

-N, --auto-nets automatically determine subnets to route

--dns capture local DNS requests and forward to the remote

DNS server

--ns-hosts IP[,IP] capture and forward DNS requests made to the following

servers

--to-ns IP[:PORT] the DNS server to forward requests to; defaults to

servers in /etc/resolv.conf on remote side if not

given.

--method TYPE auto, nat, nft, tproxy, pf, ipfw

--python PATH path to python interpreter on the remote server

-r [USERNAME@]ADDR[:PORT], --remote [USERNAME@]ADDR[:PORT]

ssh hostname (and optional username) of remote

sshuttle server

-x IP/MASK[:PORT[-PORT]], --exclude IP/MASK[:PORT[-PORT]]

exclude this subnet (can be used more than once)

-X PATH, --exclude-from PATH

exclude the subnets in a file (whitespace separated)

-v, --verbose increase debug message verbosity

-V, --version print the sshuttle version number and exit

-e CMD, --ssh-cmd CMD

the command to use to connect to the remote [ssh]

--seed-hosts HOSTNAME[,HOSTNAME]

comma-separated list of hostnames for initial scan

(may be used with or without --auto-hosts)

--no-latency-control sacrifice latency to improve bandwidth benchmarks

--wrap NUM restart counting channel numbers after this number

(for testing)

--disable-ipv6 disable IPv6 support

-D, --daemon run in the background as a daemon

-s PATH, --subnets PATH

file where the subnets are stored, instead of on the

command line

--syslog send log messages to syslog (default if you use

--daemon)

--pidfile PATH pidfile name (only if using --daemon) [./sshuttle.pid]

--user USER apply all the rules only to this linux user

--firewall (internal use only)

--hostwatch (internal use only)

--no-sudo-pythonpath do not set PYTHONPATH when invoking sudo

Shell script wrapper function for sending messages through Pushover

November 4, 2019begginers, How To, linux, shellbash, pushover, shellAkhil Jalagam

Pushover makes it easy to get real-time notifications on your Android, iPhone, iPad, and Desktop (Android Wear and Apple Watch, too!)

You can use this shell function anywhere in your script.

Example:

#!/bin/bash

pushmail() {
    APP_TOKEN='auznj8jnj9v7gyuf5qqexx3vyn'
    USER_TOKEN='uest9vme9gthgpk5f5hmeas59'
    TITLE='nagios-alerts'
    MESSAGE="$1"
    curl 'https://api.pushover.net/1/messages.json' -X POST -d "token=$APP_TOKEN&user=$USER_TOKEN&message=\"$MESSAGE\"&title=\"$TITLE\""
}

# call
pushmail "server is down"

#!/bin/bash

pushmail() {

APP_TOKEN='auznj8jnj9v7gyuf5qqexx3vyn'

USER_TOKEN='uest9vme9gthgpk5f5hmeas59'

TITLE='nagios-alerts'

MESSAGE="$1"

curl 'https://api.pushover.net/1/messages.json' -X POST -d "token=$APP_TOKEN&user=$USER_TOKEN&message=\"$MESSAGE\"&title=\"$TITLE\""

}

# call

pushmail "server is down"

Note: you need to update API tokens and title above