November 19

Linux: Blacklist a country using Firewalld

Create the blacklist:

firewall-cmd --permanent --new-ipset=blacklist --type=hash:net --option=family=inet --option=hashsize=4096 --option=maxelem=200000

  • --permanent = apply the change to the permanent configuration; it becomes active at runtime only after --reload
  • --new-ipset = name of the new IP/net blacklist
  • --type = ipset storage type; hash:net holds subnets (single addresses are stored as /32), hash:ip holds individual addresses only
  • --option=family = address family of the set; inet is IPv4, inet6 is IPv6, and one set holds only one family
  • --option=hashsize = initial hash size of the set
  • --option=maxelem = maximum number of entries; additions beyond it are rejected, so size it for the sum of the zone files you intend to load

Download net blocks:

wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
tar -vxzf all-zones.tar.gz

Choose which countries you would like to block; ipdeny.com provides net blocks by country. The command above downloads all country zones in one archive. Once extracted you should end up with one file per country, named by its two-letter country code, for example "cn.zone" for China. Each file is a plain list of IPv4 prefixes, one per line, which is exactly the format --add-entries-from-file expects. Two caveats: the archive is fetched over plain HTTP with no integrity check, so treat its contents as untrusted input rather than feeding them blindly to a root-level command, and the zones are IPv4 only, so an inet ipset does nothing about IPv6 traffic from the same countries. I can't tell you what to block; it depends on what kind of service you provide and where your "real" requests come from. Personally, I run many major European sites and based on my logs, I block the following countries: ar bd bg br by cn co il in ir kp ly mn mu pa sd tw ua ro ru ve vn

After blocking the countries above, spam and hacking attempts dropped to nearly zero. Pretty much everything else comes via a European or American proxy, but that is easy to mitigate: once I file an abuse report with the network provider, the proxy is usually shut down rather quickly. An orchestrated, methodical attack will not be stopped by a simple country block list, but everything else will be, especially spam.

Populate the blacklist:

firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=./cn.zone

The command above loads one country zone file into our blacklist; change the path and filename to your chosen zone file and repeat it for each country. Because this is a --permanent change, the entries are not active until --reload runs (the reload at the end of this post does that). You may also add individual IP addresses or net blocks yourself, from the shell or from a tool like fail2ban, with the following simple shell script (for example, save it as ~/bin/ban, make it executable, and run it as root, since firewall-cmd needs root to change the firewall):

#!/bin/sh
[ -n "$1" ] || { echo "usage: ban <ip|cidr>" >&2; exit 1; }
firewall-cmd --permanent --ipset=blacklist --add-entry="$1"   # survives reboot and reload
firewall-cmd --ipset=blacklist --add-entry="$1"               # takes effect immediately

Run it like this:

ban 192.168.1.0/24

Bind the blacklist to the drop zone and reload so the permanent configuration goes live:

firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
firewall-cmd --reload
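The procedure above as one script, added here as an example and not part of the original post. It validates every line of a zone file as an IPv4 prefix before passing it to firewall-cmd (the archive arrives over plain HTTP, and --add-entries-from-file takes whatever is in the file), creates the set with the page's options, loads the chosen countries, binds the set to the drop zone and reloads. The ipset name and options are the page's; the APPLY switch, the dry-run printing and the xx.zone demo file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: validate a country zone file
# as IPv4 CIDR before it reaches firewall-cmd, then run the whole blacklist
# procedure from the page in one pass. Assumptions: the ipset is called
# "blacklist" as on the page, and commands only execute when APPLY=1; by
# default they are printed (dry run), which is also how the demo below runs.

if [ "${APPLY:-0}" = 1 ]; then
    run() { firewall-cmd "$@"; }
else
    run() { printf 'dry-run: firewall-cmd'; printf ' %s' "$@"; printf '\n'; }
fi

# is_cidr4 ENTRY -> status 0 iff ENTRY is a.b.c.d or a.b.c.d/n with n in 0..32
# (runs in a subshell so IFS and the positional parameters do not leak)
is_cidr4() (
    set -f                                  # no globbing while we split on dots
    case "$1" in
        */*) ip="${1%%/*}"; prefix="${1#*/}" ;;
        *)   ip="$1";       prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in .*|*.|*..*) return 1 ;; esac
    IFS=.; set -- $ip
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# clean_zone IN OUT -> copy the valid entries of IN to OUT, report rejects on
# stderr, print the number accepted; status 1 if anything was rejected
clean_zone() {
    in="$1"; out="$2"; ok=0; rejected=0
    : > "$out"
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac   # blank lines and comments
        if is_cidr4 "$entry"; then
            printf '%s\n' "$entry" >> "$out"; ok=$((ok + 1))
        else
            printf 'rejected in %s: %s\n' "$in" "$entry" >&2; rejected=$((rejected + 1))
        fi
    done < "$in"
    printf '%s\n' "$ok"
    [ "$rejected" -eq 0 ]
}

# blacklist_countries ZONEDIR CC... -> create the set, load each <cc>.zone,
# bind the set to the drop zone and reload so the permanent config goes live.
# --new-ipset fails if the set already exists; remove it first with
# firewall-cmd --permanent --delete-ipset=blacklist when re-running.
blacklist_countries() {
    zonedir="$1"; shift
    run --permanent --new-ipset=blacklist --type=hash:net --option=family=inet \
        --option=hashsize=4096 --option=maxelem=200000
    for cc in "$@"; do
        tmp="$(mktemp)"
        n="$(clean_zone "$zonedir/$cc.zone" "$tmp")" || echo "warning: $cc.zone had rejected lines" >&2
        echo "$cc: loading $n prefixes"
        run --permanent --ipset=blacklist --add-entries-from-file="$tmp"
        rm -f "$tmp"
    done
    run --permanent --zone=drop --add-source=ipset:blacklist
    run --reload
}

if [ $# -gt 0 ]; then
    blacklist_countries "$@"                 # e.g. APPLY=1 ./blacklist.sh . cn ru
else
    # constructed demo zone: three valid prefixes and one bad one (/33)
    demo="$(mktemp -d)"
    printf '1.0.1.0/24\n1.0.2.0/23\n203.0.113.0/33\n# comment\n198.51.100.0/24\n' > "$demo/xx.zone"
    blacklist_countries "$demo" xx
    rm -rf "$demo"
fi
```

Run it as root with APPLY=1 ./blacklist.sh /path/to/zones cn ru after extracting all-zones.tar.gz; without APPLY=1 it only prints the commands it would run. Afterwards, firewall-cmd --ipset=blacklist --get-entries lists what was loaded and firewall-cmd --zone=drop --list-sources should show ipset:blacklist.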

Category: Linux
November 19

Linux: Issue with an interrupted upgrade

  1. Rebooting displayed this message: "Kernel Panic – Not Syncing: VFS: Unable To Mount Root FS"
  2. Was able to boot into a past kernel. This gave me hope that it was just going to be a problem relating to the latest kernel installation
  3. I discovered that the latest kernel's files had not all been created, in particular /boot/initramfs-4.1.12-124.24.3.el6uek.x86_64.img
  4. I used dracut to build the image file:
    dracut /boot/initramfs-4.1.12-124.24.3.el6uek.x86_64.img 4.1.12-124.24.3.el6uek.x86_64
  5. I also ran yum-complete-transaction to force yum to finish installing the rest of the files that were interrupted
  6. I rebooted again and got the same error.
  7. We discovered that the /boot/grub/grub.conf entry for the new kernel had not been generated correctly. Problem entry:
    title Oracle Linux Server Unbreakable Enterprise Kernel (4.1.12-124.24.3.el6uek.x86_64)
        root (hd0,0)
        kernel /vmlinuz-4.1.12-124.24.3.el6uek.x86_64 ro root=/dev/mapper/vg_servername-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_servername/lv_root rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_servername/lv_swap KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet numa=off transparent_hugepage=never
        initrd /initramfs-4.1.12-61.1.28.el6uek.x86_64.img
    It appears that because /boot/initramfs-4.1.12-124.24.3.el6uek.x86_64.img was missing when the entry was built, the initrd line was pointed at the older 4.1.12-61.1.28 image. The initrd is the initial RAM disk the kernel uses to find and mount the root filesystem, and an image built for a different kernel version does not carry this kernel's modules, which matches the "Unable to mount root fs" panic. Corrected entry:
    title Oracle Linux Server Unbreakable Enterprise Kernel (4.1.12-124.24.3.el6uek.x86_64)
        root (hd0,0)
        kernel /vmlinuz-4.1.12-124.24.3.el6uek.x86_64 ro root=/dev/mapper/vg_servername-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_servername/lv_root rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_servername/lv_swap KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet numa=off transparent_hugepage=never
        initrd /initramfs-4.1.12-124.24.3.el6uek.x86_64.img
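A check for the failure found in step 7, added here as an example that is not part of the original post: it walks a grub-legacy grub.conf and flags any entry whose kernel or initrd file is missing from the boot directory, or whose two version strings differ. The grub.conf and the fake /boot it runs against are constructed to mirror the situation on the page; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: check every entry of a
# grub-legacy grub.conf for a kernel and initrd that both exist under the
# boot directory and carry the same version, which is the mismatch found in
# step 7. Assumptions: file names of the form vmlinuz-<ver> and
# initramfs-<ver>.img, and grub paths relative to the boot partition
# (root (hd0,0) on the page), so "/vmlinuz-x" means "/boot/vmlinuz-x".
# On a real box: check_grub_conf /boot/grub/grub.conf /boot

# kver PATH -> the <ver> part of /vmlinuz-<ver> or /initramfs-<ver>.img
kver() {
    name="${1##*/}"
    name="${name#vmlinuz-}"
    name="${name#initramfs-}"
    printf '%s\n' "${name%.img}"
}

# check_entry TITLE KERNEL INITRD BOOTDIR -> "ok TITLE" or "BAD TITLE: reason"
check_entry() {
    t="$1"; k="$2"; i="$3"; b="$4"
    if [ -z "$k" ] || [ -z "$i" ]; then
        printf 'BAD %s: entry lacks a kernel or initrd line\n' "$t"; return 1
    fi
    for f in "$k" "$i"; do
        if [ ! -f "$b$f" ]; then
            printf 'BAD %s: %s is missing\n' "$t" "$b$f"; return 1
        fi
    done
    if [ "$(kver "$k")" != "$(kver "$i")" ]; then
        printf 'BAD %s: kernel %s but initrd %s\n' "$t" "$(kver "$k")" "$(kver "$i")"; return 1
    fi
    printf 'ok %s\n' "$t"
}

# check_grub_conf CONF BOOTDIR -> one line per title entry; status 1 if any is BAD
check_grub_conf() (
    set -f                                   # no glob expansion when splitting lines
    conf="$1"; bootdir="$2"; bad=0; title=""; kernel=""; initrd=""
    flush() {
        [ -n "$title" ] || return 0
        check_entry "$title" "$kernel" "$initrd" "$bootdir" || bad=$((bad + 1))
    }
    while read -r line || [ -n "$line" ]; do   # read strips leading whitespace
        set -- $line
        case "$1" in
            title)  flush; shift; title="$*"; kernel=""; initrd="" ;;
            kernel) kernel="$2" ;;
            initrd) initrd="$2" ;;
        esac
    done < "$conf"
    flush
    [ "$bad" -eq 0 ]
)

# make_demo_boot DIR -> constructed fixture reproducing the page's situation:
# the new kernel is present, its initramfs is not, and the grub entry for it
# points at the older image
make_demo_boot() {
    mkdir -p "$1/boot"
    touch "$1/boot/vmlinuz-4.1.12-124.24.3.el6uek.x86_64" \
          "$1/boot/vmlinuz-4.1.12-61.1.28.el6uek.x86_64" \
          "$1/boot/initramfs-4.1.12-61.1.28.el6uek.x86_64.img"
    cat > "$1/grub.conf" <<'EOF'
default=0
timeout=5
title Oracle Linux Server Unbreakable Enterprise Kernel (4.1.12-124.24.3.el6uek.x86_64)
    root (hd0,0)
    kernel /vmlinuz-4.1.12-124.24.3.el6uek.x86_64 ro root=/dev/mapper/vg_servername-lv_root
    initrd /initramfs-4.1.12-61.1.28.el6uek.x86_64.img
title Oracle Linux Server Unbreakable Enterprise Kernel (4.1.12-61.1.28.el6uek.x86_64)
    root (hd0,0)
    kernel /vmlinuz-4.1.12-61.1.28.el6uek.x86_64 ro root=/dev/mapper/vg_servername-lv_root
    initrd /initramfs-4.1.12-61.1.28.el6uek.x86_64.img
EOF
}

demo="$(mktemp -d)"
make_demo_boot "$demo"
check_grub_conf "$demo/grub.conf" "$demo/boot" || echo "at least one grub entry will not boot"
rm -rf "$demo"
```

On the constructed fixture the first entry is reported as BAD with "kernel 4.1.12-124.24.3.el6uek.x86_64 but initrd 4.1.12-61.1.28.el6uek.x86_64" and the second as ok. Running the check against the real /boot/grub/grub.conf right after yum-complete-transaction and dracut, before rebooting, would have caught the bad entry without another panic.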
Category: Linux
November 19

Linux: Rescan for newly attached iscsi devices

Get baseline:
dmsetup info -c -o name,blkdevname,devnos_used,blkdevs_used,UUID

rescan:
iscsiadm -m session --rescan

Check for additions:
dmsetup info -c -o name,blkdevname,devnos_used,blkdevs_used,UUID
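The three steps above as one script, added here as an example and not part of the original post. What it adds to eyeballing the two listings: dmsetup -c sizes its columns to the longest value in the output, so a new map with a long name shifts every other line and a plain diff reports everything as changed; the script drops the header and collapses whitespace before comparing the two snapshots with comm. SNAPSHOT_CMD and RESCAN_CMD are this example's own override hooks, and the listings it falls back to when it is not running as root with iscsiadm and dmsetup available are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: run the baseline / rescan /
# compare steps as one script and print only the device-mapper entries that
# appeared. Assumptions: the dmsetup column list is the one from the page;
# SNAPSHOT_CMD and RESCAN_CMD are this example's own override hooks; the
# sample listings used when iscsiadm is not available are constructed.

SNAPSHOT_CMD="${SNAPSHOT_CMD:-dmsetup info -c -o name,blkdevname,devnos_used,blkdevs_used,UUID}"
RESCAN_CMD="${RESCAN_CMD:-iscsiadm -m session --rescan}"

# normalize: drop the header line, collapse runs of whitespace, sort by name.
# dmsetup -c sizes its columns to the longest value, so a new long name shifts
# every other line; without this step a plain diff reports everything as changed.
normalize() {
    tail -n +2 | sed 's/[[:space:]][[:space:]]*/ /g; s/ $//' | sort
}

# new_entries BEFORE AFTER -> entries present in AFTER (raw dmsetup output) only
new_entries() {
    b="$(mktemp)"; a="$(mktemp)"
    normalize < "$1" > "$b"
    normalize < "$2" > "$a"
    comm -13 "$b" "$a"
    rm -f "$b" "$a"
}

# count_new BEFORE AFTER -> how many entries appeared (for scripting and alerting)
count_new() {
    new_entries "$1" "$2" | wc -l | tr -d ' '
}

# rescan_and_report -> the page's three steps against the live system
rescan_and_report() {
    before="$(mktemp)"; after="$(mktemp)"
    $SNAPSHOT_CMD > "$before"
    $RESCAN_CMD
    $SNAPSHOT_CMD > "$after"
    echo "device-mapper entries added by the rescan: $(count_new "$before" "$after")"
    new_entries "$before" "$after"
    rm -f "$before" "$after"
}

if [ "$(id -u)" -eq 0 ] && command -v iscsiadm >/dev/null 2>&1 && command -v dmsetup >/dev/null 2>&1; then
    rescan_and_report
else
    # constructed listings in the shape of the dmsetup command above: one new
    # multipath map shows up after the rescan and widens the Name column
    d="$(mktemp -d)"
    cat > "$d/before" <<'EOF'
Name            BlkDevName DevNosUsed BlkDevNamesUsed UUID
vg_root-lv_root dm-0       8:2        sda2            LVM-constructed-root-uuid
EOF
    cat > "$d/after" <<'EOF'
Name                     BlkDevName DevNosUsed BlkDevNamesUsed UUID
3624a9370constructedwwid dm-1       8:16,8:32  sdb,sdc         mpath-3624a9370constructedwwid
vg_root-lv_root          dm-0       8:2        sda2            LVM-constructed-root-uuid
EOF
    new_entries "$d/before" "$d/after"
    rm -rf "$d"
fi
```

On the constructed listings only the new multipath line is printed, even though the vg_root-lv_root line changed its column spacing between the two snapshots.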

Category: Linux
November 19

Linux: iscsi information is stored in the subdirectories of the following folder

/var/lib/iscsi

The per-target record files under nodes/ hold the session settings iscsiadm applies on login, including CHAP credentials when CHAP is configured, so this tree must stay readable by root only.

# tree /var/lib/iscsi
.
├── ifaces
├── isns
├── nodes
│   └── iqn.2010-06.com.purestorage:flasharray.67f4936d72ed7e6
│       ├── 10.1.206.14,3260,1
│       │   └── default
│       ├── 10.1.206.15,3260,1
│       │   └── default
│       ├── 10.1.206.16,3260,1
│       │   └── default
│       └── 10.1.206.17,3260,1
│           └── default
├── send_targets
│   └── 10.1.206.14,3260
│       ├── iqn.2010-06.com.purestorage:flasharray.67f4936d72ed7e6,10.1.206.14,3260,1,default -> /var/lib/iscsi/nodes/iqn.2010-06.com.purestorage:flasharray.67f4936d72ed7e6/10.1.206.14,3260,1
│       ├── iqn.2010-06.com.purestorage:flasharray.67f4936d72ed7e6,10.1.206.15,3260,1,default -> /var/lib/iscsi/nodes/iqn.2010-06.com.purestorage:flasharray.67f4936d72ed7e6/10.1.206.15,3260,1
│       ├── iqn.2010-06.com.purestorage:flasharray.67f4936d72ed7e6,10.1.206.16,3260,1,default -> /var/lib/iscsi/nodes/iqn.2010-06.com.purestorage:flasharray.67f4936d72ed7e6/10.1.206.16,3260,1
│       ├── iqn.2010-06.com.purestorage:flasharray.67f4936d72ed7e6,10.1.206.17,3260,1,default -> /var/lib/iscsi/nodes/iqn.2010-06.com.purestorage:flasharray.67f4936d72ed7e6/10.1.206.17,3260,1
│       └── st_config
├── slp
└── static
Category: Linux