Monday, 23 January 2012
Xenserver list snapshots
This command will list the snapshot tree, with it you'll get a view of where each VDI fits on your system:
for i in `vgs --noheadings -o vg_name`; do vhd-util scan -p -l $i -f 'VHD-*' ; done
Labels: Virtualization, xenserver
Thursday, 5 January 2012
Organize your photos with a script
I have a lot of photographs and they were distributed over several external disks and computers, so I needed a way to organize them. I searched the web and found a script that used the EXIF data to organize the images into folders by year, month and day. I picked that up and modified it a bit to better fit my needs, and ended up with the script that you can check after the break.
I also use this script to move the photos from my camera to my PC.
Note: I don't remember the link from where I got the original script but I will update this post as soon as I find it. The original script can be found here: http://davehope.co.uk/Blog/sorting-your-photos-with-bash/
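The post's own script is not reproduced on this page, so here is an added example of the same idea (not the author's script, and not the one linked above): it reads the EXIF DateTimeOriginal tag straight from the JPEG bytes with the standard library only, falls back to the file's modification time when the tag is missing or malformed, and sorts into YEAR/MM/DD folders without ever overwriting. The sample JPEG built by build_sample_jpeg is constructed here for testing; paths and the 64 KiB read limit are assumptions.

```python
import os
import shutil
import struct
import sys
from datetime import datetime

# Added example, not the post's script: EXIF DateTimeOriginal (tag 0x9003, in the
# Exif IFD reached through tag 0x8769 of IFD0) drives the destination folder;
# anything unparsable falls back to mtime so a bad camera clock cannot crash a run.
EXIF_IFD_POINTER = 0x8769
DATETIME_ORIGINAL = 0x9003


def exif_datetime_original(data):
    """Return the raw DateTimeOriginal string from JPEG bytes, or None."""
    if data[:2] != b"\xff\xd8":               # not a JPEG
        return None
    pos = 2
    while pos + 4 <= len(data):
        marker, seglen = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF or seglen < 2:
            return None                       # corrupt marker segment
        segment = data[pos + 4:pos + 2 + seglen]
        if marker == 0xFFE1 and segment[:6] == b"Exif\x00\x00":
            return _tiff_lookup(segment[6:])
        if marker == 0xFFDA:                  # start of scan: no metadata after this
            return None
        pos += 2 + seglen
    return None


def _ifd_entries(tiff, endian, offset):
    """Yield (tag, type, count, value_field, entry_pos) for one IFD, bounds-checked."""
    if offset + 2 > len(tiff):
        return
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    for i in range(n):
        pos = offset + 2 + 12 * i
        if pos + 12 > len(tiff):
            return
        yield struct.unpack_from(endian + "HHII", tiff, pos) + (pos,)


def _tiff_lookup(tiff):
    """Walk IFD0 -> Exif IFD and return DateTimeOriginal, or None."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return None
    magic, ifd0 = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != 42:
        return None
    exif_ifd = None
    for tag, _, _, value, _ in _ifd_entries(tiff, endian, ifd0):
        if tag == EXIF_IFD_POINTER:
            exif_ifd = value
    if exif_ifd is None:
        return None
    for tag, typ, count, value, pos in _ifd_entries(tiff, endian, exif_ifd):
        if tag == DATETIME_ORIGINAL and typ == 2:           # ASCII; inline if it fits in 4 bytes
            raw = tiff[value:value + count] if count > 4 else tiff[pos + 8:pos + 8 + count]
            return raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return None


def photo_date(data, fallback):
    """Parse the EXIF timestamp; return `fallback` if the tag is missing or malformed."""
    stamp = exif_datetime_original(data)
    if stamp is None:
        return fallback
    try:
        return datetime.strptime(stamp, "%Y:%m:%d %H:%M:%S")
    except ValueError:                        # cameras do emit "0000:00:00 00:00:00"
        return fallback


def destination_for(root, when, filename):
    return os.path.join(root, "%04d" % when.year, "%02d" % when.month, "%02d" % when.day, filename)


def organize(src_dir, dest_root, dry_run=True):
    """Plan (and with dry_run=False perform) moves into dest_root/YYYY/MM/DD; never overwrites."""
    moves = []
    for dirpath, _, files in os.walk(src_dir):
        for name in files:
            if not name.lower().endswith((".jpg", ".jpeg")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)         # an APP1 segment is at most 64 KiB (assumed enough)
            when = photo_date(head, datetime.fromtimestamp(os.path.getmtime(path)))
            dest = destination_for(dest_root, when, name)
            if not os.path.exists(dest):      # a name clash stays put for manual review
                moves.append((path, dest))
                if not dry_run:
                    os.makedirs(os.path.dirname(dest), exist_ok=True)
                    shutil.move(path, dest)
    return moves


def build_sample_jpeg(stamp="2012:01:05 14:30:00"):
    """Constructed minimal JPEG whose only content is an EXIF DateTimeOriginal (little-endian)."""
    text = stamp.encode("ascii") + b"\x00"
    header = b"II" + struct.pack("<HI", 42, 8)                       # IFD0 at offset 8
    ifd0 = struct.pack("<HHHII", 1, EXIF_IFD_POINTER, 4, 1, 26) + struct.pack("<I", 0)
    exif = struct.pack("<HHHII", 1, DATETIME_ORIGINAL, 2, len(text), 44) + struct.pack("<I", 0)
    app1 = b"Exif\x00\x00" + header + ifd0 + exif + text
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    for old, new in organize(sys.argv[1], sys.argv[2], dry_run="--apply" not in sys.argv):
        print(old, "->", new)
```

Run it as `python organize.py /media/camera ~/Photos` to see the planned moves, and add `--apply` to perform them. Reading only the first 64 KiB per file keeps a scan over a large disk fast; anything whose EXIF block is larger than that simply falls back to the mtime path.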
Labels: Command Line, Linux, Scripting
Monday, 2 January 2012
Setting up a Bridged VPN using OpenVPN
Install OpenVPN and bridging tools:
sudo apt-get install openvpn bridge-utils
Setting up the Bridge
Edit /etc/network/interfaces
When a Linux server is behind a NAT firewall, the /etc/network/interfaces file commonly looks like
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo eth0
iface lo inet loopback
# The primary network interface
## This device provides internet access.
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1
Edit this and add a bridge interface:
sudo vi /etc/network/interfaces
so that it looks similar to:
## This is the network bridge declaration
## Start these interfaces on boot
auto lo br0
iface lo inet loopback
iface br0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1
bridge_ports eth0
iface eth0 inet manual
up ip link set $IFACE up promisc on
down ip link set $IFACE down promisc off
If you are running Linux inside a virtual machine, you may want to add the following parameters to the bridge connection:
bridge_fd 9 ## from the libvirt docs (forward delay time)
bridge_hello 2 ## from the libvirt docs (hello time)
bridge_maxage 12 ## from the libvirt docs (maximum message age)
bridge_stp off ## from the libvirt docs (spanning tree protocol)
Restart networking:
sudo /etc/init.d/networking restart
The bridging declarations come from the libvirt documentation.
Generating Certificates
Generate certificates for the server. In order to do this I will set up my own Certificate Authority using the provided easy-rsa scripts in the /usr/share/doc/openvpn/examples/easy-rsa/ directory.
Copy files to the /etc/openvpn/easy-rsa/ directory:
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Then edit /etc/openvpn/easy-rsa/vars
sudo vi /etc/openvpn/easy-rsa/vars
And change these lines at the bottom so that they reflect your new CA.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
Finally set up the CA and create the first server certificate
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
sudo chown -R root:admin . ## make this directory writable by the system administrators
sudo chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## Setup the easy-rsa directory (Deletes all keys)
./build-dh ## takes a while consider backgrounding
./pkitool --initca ## creates ca cert and key
./pkitool --server server ## creates a server cert and key
cd keys
openvpn --genkey --secret ta.key ## Build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
The Certificate Authority is now setup and the needed keys are in /etc/openvpn/
Configuring the Server
By default all servers specified in *.conf files in the /etc/openvpn/ directory are started on boot. Therefore, all we have to do is create a new file named server.conf in the /etc/openvpn/ directory.
First, we're going to create a couple of new scripts to be used by the openvpn server.
sudo vi /etc/openvpn/up.sh
This script should contain the following
#!/bin/sh
BR=$1
DEV=$2
MTU=$3
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/usr/sbin/brctl addif "$BR" "$DEV"
Now, we'll create a "down" script.
sudo vi /etc/openvpn/down.sh
It should contain the following.
#!/bin/sh
BR=$1
DEV=$2
/usr/sbin/brctl delif "$BR" "$DEV"
/sbin/ip link set "$DEV" down
Now, make both scripts executable.
sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh
And finally on to configuring openvpn itself.
sudo vi /etc/openvpn/server.conf
mode server
tls-server
local <your ip address> ## ip/hostname of server
port 1194 ## default openvpn port
proto udp
#bridging directive
dev tap0 ## If you need multiple tap devices, add them here
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
persist-key
persist-tun
#certificates and encryption
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
cipher BF-CBC # Blowfish (default)
comp-lzo
#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110
push "dhcp-option DNS your.dns.ip.here"
push "dhcp-option DOMAIN yourdomain.com"
max-clients 10 ## set this to the max number of clients that should be connected at a time
#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3
If the server initialization script complains about "WARN: could not open database for 4096 bits. Skipped", you can work around it by running this command:
touch /usr/share/openssl-blacklist/blacklist.RSA-4096
Now you will need to restart openvpn and load the new config with:
sudo /etc/init.d/openvpn restart
In case you run a firewall like ufw, please consider enabling IP forwarding, otherwise the clients will only be able to connect to the server, but not to other LAN servers.
Labels: Linux, Networking, OpenVPN, Ubuntu
Setting up a Routed VPN using OpenVPN
First let's install OpenVPN:
sudo apt-get install openvpn
OpenVPN must be installed in both client and server; the configuration file used for starting the service will define the role of each PC.
Now we can start, stop or restart OpenVPN as usual:
Start OpenVPN:
/etc/init.d/openvpn start
Stop OpenVPN:
/etc/init.d/openvpn stop
Restart OpenVPN:
/etc/init.d/openvpn restart
Every time you change settings in /etc/openvpn/openvpn.conf you need to restart OpenVPN.
Create Keys and Certificates
Now we need to create security certificates and keys. We'll do all this in the server as root:
cd /etc/openvpn/
Copy the directory easy-rsa to /etc/openvpn:
cp -r /usr/share/doc/openvpn/examples/easy-rsa/ .
Remember we're still inside the /etc/openvpn directory. Now let's edit the file vars with our favorite editor (replace vi with yours):
vi easy-rsa/vars
Kaiman reported a change for this part after June 2008:
vi easy-rsa/2.0/vars
Comment this line:
#export D=`pwd`
Add this one:
export D=/etc/openvpn/easy-rsa
And modify as below:
export KEY_COUNTRY=PE
export KEY_PROVINCE=LI
export KEY_CITY=Lima
export KEY_ORG="Nombre-OpenVPN"
export KEY_EMAIL="tu-nombre@example.com"
Save and quit.
Now run:
. ./vars
Important: that's a period, a space and another period followed by /vars. This is a common confusion in many setups.
Now:
./clean-all
The next command creates your certificate authority (CA) using the parameters you just set; you should just add a Common Name, I used OpenVPN-CA. For this step you'll need OpenSSL; if you don't have it on your server install it by running:
sudo apt-get install openssl
Ok, now we're ready:
./build-ca
Now let's create the keys, first the server:
./build-key-server server
This is important. When build-key-server asks for Common Name write server, the same parameter you provided to the command.
Also you'll need to answer yes to these two questions:
Sign the certificate? [y/n]
and
1 out of 1 certificate requests certified, commit? [y/n]
Now the key for the client:
./build-key client1
Use client1 as Common Name, the same parameter you used above for build-key.
You can repeat this step if you want to have more clients, just replace the parameter with client2, client3, etc.
Now let's create Diffie Hellman parameters:
./build-dh
There you are! Now you should have a new directory with your certificates and keys: /etc/openvpn/easy-rsa/keys. To configure your first client copy these files from servo to cliento:
ca.crt
client1.crt
client1.key
Ideally you should use a secure channel, I use scp with RSA authentication (topic for another article):
scp alexis@servo:ca.crt .
scp alexis@servo:client1.crt .
scp alexis@servo:client1.key .
These commands assume you've copied the files to the home of user alexis on the server and assigned read permissions. Then move the files to /etc/openvpn on the client.
The Configuration Files: openvpn.conf
Now go to your client and create openvpn.conf in /etc/openvpn. Write this inside:
dev tun
client
proto tcp
remote x.y.z.w 1194
resolv-retry infinite
nobind
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
# Set log file verbosity.
verb 3
Replace x.y.z.w with your server's public IP.
Now in the server: create openvpn.conf in /etc/openvpn and put this:
dev tun
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
#status openvpn-status.log
#verb 3
client-to-client
push "redirect-gateway def1"
#log-append /var/log/openvpn
comp-lzo
If your connections are a little slow you can try disabling compression with this:
#comp-lzo
Finally, configure IP forwarding and IPTables for doing NAT on the server:
echo 1 > /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
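Both server configurations in these two posts (the bridged tap server above and the routed tun server just shown) use settings that were defaults in 2012 but that a defender would flag today, so here is an added example that is not part of either post: a small linter that parses an OpenVPN server config and reports the weak spots. The two config strings are abridged copies of the posts' configs (placeholder addresses are constructed), and the checks rest on known properties of the directives (Blowfish's 64-bit block, 1024-bit DH, unauthenticated control channel without tls-auth/tls-crypt, compression side channels), not on anything OpenVPN reports itself.

```python
import shlex

# Added example, not the post's own configuration: a small linter for the two
# server configs in this post (bridged tap and routed tun), abridged to the
# directives that matter here. The findings rest on well-known properties of
# the settings used, not on anything OpenVPN itself reports.

BRIDGED_SERVER_CONF = """
port 1194 ## default openvpn port
proto udp
dev tap0
persist-key
persist-tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
cipher BF-CBC # Blowfish (default)
comp-lzo
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110
push "dhcp-option DNS 192.168.1.1"
max-clients 10
user nobody
group nogroup
keepalive 10 120
verb 3
"""

ROUTED_SERVER_CONF = """
dev tun
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
client-to-client
push "redirect-gateway def1"
comp-lzo
"""

# 64-bit block ciphers: in a long-lived tunnel the birthday bound is reachable
# in practice (the SWEET32 class of attacks).
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "IDEA-CBC", "RC2-CBC"}


def parse_openvpn_conf(text):
    """Return [(directive, [args...])], dropping blank lines and '#'/';' comments."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            toks = shlex.split(line)           # keeps a quoted argument such as push "..." whole
            out.append((toks[0], toks[1:]))
    return out


def lint_openvpn_server(text):
    """Return [(severity, directive, message)]; an empty list means nothing was flagged."""
    present = {}
    for name, args in parse_openvpn_conf(text):
        present[name] = args                  # last occurrence wins, as OpenVPN does
    findings = []
    cipher = present.get("cipher", ["BF-CBC"])[0].upper()   # BF-CBC was the historical default
    if cipher == "NONE":
        findings.append(("high", "cipher", "data channel is not encrypted"))
    elif cipher in SMALL_BLOCK_CIPHERS:
        findings.append(("high", "cipher", "%s has a 64-bit block; use AES-256-GCM" % cipher))
    if "dh" in present:
        bits = "".join(c for c in present["dh"][0].rsplit("/", 1)[-1] if c.isdigit())   # dh1024.pem -> 1024
        if bits and int(bits) < 2048:
            findings.append(("high", "dh", "%s-bit DH parameters are too small; generate 2048 or more" % bits))
    if "tls-auth" not in present and "tls-crypt" not in present:
        findings.append(("medium", "tls-auth", "control channel has no HMAC; any peer can reach the TLS stack"))
    if "comp-lzo" in present or "compress" in present:
        findings.append(("medium", "comp-lzo", "compression inside the tunnel enables VORACLE-style plaintext recovery"))
    if "user" not in present or "group" not in present:
        findings.append(("medium", "user/group", "daemon keeps root after startup; add user nobody / group nogroup"))
    if "max-clients" not in present:
        findings.append(("low", "max-clients", "no client cap; set max-clients to the expected fleet size"))
    if "client-to-client" in present:
        findings.append(("info", "client-to-client", "clients reach each other directly; drop this unless required"))
    return findings


if __name__ == "__main__":
    for label, conf in (("bridged", BRIDGED_SERVER_CONF), ("routed", ROUTED_SERVER_CONF)):
        print("==", label)
        for sev, directive, msg in lint_openvpn_server(conf):
            print("%-6s %-16s %s" % (sev, directive, msg))
```

Run against the bridged config it flags the cipher, the DH size and compression; against the routed config it additionally flags the missing tls-auth, the implicit BF-CBC default and the absent client cap. Replacing `cipher BF-CBC` with `cipher AES-256-GCM`, regenerating `dh2048.pem`, and adding `tls-crypt ta.key` clears the high and medium findings.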
You can verify the rule was written correctly with:
sudo iptables -L -t nat
If you have a firewall you should make sure your VPN traffic can be routed.
If you made a mistake and want to remove all rules from IPTables:
sudo iptables -F -t nat
Now restart OpenVPN in both client and server and you should be set.
Running ifconfig and route -n you should see a new interface, tun0, in both PCs.
Confirm you can connect with a ping to your new tun0 interfaces, for example:
ping 10.8.0.1
Labels: Linux, Networking, OpenVPN, Ubuntu
Wednesday, 14 December 2011
Block P2P Traffic on a Cisco IOS Router using NBAR
In the following example, we'll use NBAR to block P2P traffic on our router's Gigabit interface.
- Create a class-map to match the protocols to be blocked.
- Create a policy-map to specify what should be done with the traffic.
- Apply the policy to the user-facing (incoming) interface.
conf t
!--- IP CEF should be enabled at first to block P2P traffic.
!--- P2P traffic cannot be blocked when IP CEF is disabled.
ip cef
!
!--- Configure the class map named p2p to match the P2P protocols
!--- to be blocked with this class map p2p.
class-map match-any p2p
!--- Mention the P2P protocols to be blocked in order to block the
!--- P2P traffic flow between the required networks. edonkey,
!--- fasttrack, gnutella, kazaa2, skype are some of the P2P
!--- protocols used for P2P traffic flow. This example
!--- blocks these protocols.
!
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
!
!
!--- Here the policy map named SDM-QoS-Policy is created, and the
!--- configured class map p2p is attached to this policy map.
!--- Drop is the command to block the P2P traffic.
!
policy-map SDM-QoS-Policy
class p2p
drop
!
!--- Use the interface where you wish to block the P2P traffic
interface GigabitEthernet 0/1
!
!--- The command ip nbar protocol-discovery enables NBAR
!--- protocol discovery on this interface where the QoS
!--- policy configured is being used.
ip nbar protocol-discovery
!
!--- Use the service-policy command to attach a policy map to
!--- an input interface so that the interface uses this policy map.
service-policy input SDM-QoS-Policy
!
end
!
!--- Save the current configuration
wr
And that's it.
You can ensure the policy is working with the command:
show policy-map
However, if your version of IOS is older than 12.2(13)T, you will need some extra steps. This process relies on setting the DSCP field in the incoming packets, and then dropping those packets on the outbound interface. In the following example, we'll block P2P using the DSCP field.
- Create a class-map to match the protocols to be blocked.
- Create a policy-map to specify what should be done with the traffic.
- Create an access-list to block packets with the DSCP field set to 1.
- Apply the policy to the user-facing (incoming) interface.
- Apply the blocking access-list to the outbound interface.
conf t
!--- IP CEF should be enabled at first to block P2P traffic.
!--- P2P traffic cannot be blocked when IP CEF is disabled.
ip cef
!
!--- Configure the class map named p2p to match the P2P protocols
!--- to be blocked with this class map p2p.
!
class-map match-any P2P
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
!
!
policy-map P2P
class P2P
set ip dscp 1
!
!--- Block all traffic with the DSCP field set to 1.
!
access-list 100 deny ip any any dscp 1
access-list 100 permit ip any any
!
interface GigabitEthernet0/1
service-policy input P2P
!
interface POS1/1
ip access-group 100 out
Labels: Cisco, Networking
Installing DNS Master and Slave Servers
Install bind:
apt-get install bind9
Configure The Master
First we need to stop bind9:
/etc/init.d/bind9 stop
Edit the /etc/bind/named.conf.options file so it looks something like this (use the forwarders of your liking):
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
dnssec-enable yes;
query-source address * port 53;
allow-query { any; };
forwarders {
8.8.8.8;
208.67.222.222;
208.67.220.220;
};
auth-nxdomain no; # conform to RFC1035
//listen-on-v6 { any; };
};
Add the ip of this newly installed DNS server (the localhost) to your /etc/resolv.conf to use it:
echo "search linux.lan" > /etc/resolv.conf
echo "nameserver 127.0.0.1" >> /etc/resolv.conf
Now restart bind9:
/etc/init.d/bind9 start
And test!
ping www.google.com
If you get a reply, then your DNS master server is working and ready to use. We will now fill and use the linux.lan domain with our new master server.
Setting up the linux.lan domain
The master DNS server is currently just forwarding requests to the server(s) you have configured in the options file. So, we will now install and configure our own domain and let our new server handle all requests regarding that domain.
Let's start with creating the directory where we will store the zone file. This file contains all info about the domain.
mkdir /etc/bind/zones/
Next we will create the zones file, /etc/bind/zones/master_linux.lan, something like this:
$TTL 3D
@ IN SOA ns1.linux.lan. hostmaster.linux.lan. (
199802151 ; serial, todays date + todays serial #
8H ; refresh, seconds
2H ; retry, seconds
4W ; expire, seconds
1D ) ; minimum, seconds
;
TXT "Linux.LAN, serving YOUR domain :)"
NS ns1 ; Inet Address of name server
NS ns2
MX 10 mail ; Primary Mail Exchanger
localhost A 127.0.0.1
ns1 A 192.168.254.1
ns2 A 192.168.254.2
www CNAME ns1
Here we have created a simple zone file with both nameservers and a www alias for ns1. Just in case we have a running apache on ns1 ;)
Now edit /etc/bind/named.conf.local and add:
zone "linux.lan" {
type master;
file "/etc/bind/zones/master_linux.lan";
};
This is it, we can now restart bind and check if it works:
/etc/init.d/bind9 restart
And test if it's working:
ping ns1.linux.lan
At this stage you should have a working and usable DNS server.
If it says it cannot find the domain, maybe dhclient has changed your nameserver entry... You should check that.
Installing The Slave
Basically, the slave uses the same basic system as we constructed in the first part (just before we added the zone file). We will make some small changes to both master and slave to make them work together. The zone file will be transferred over the net using encryption.
Unless otherwise stated, these commands are for the slave ONLY.
Create the zones dir:
mkdir /etc/bind/zones
For both master AND slave edit /etc/bind/named.conf.options and make sure you have:
dnssec-enable yes;
Now we need a secure key. This will generate a .private and a .key file. The 'key=' line in the .private file represents the hashkey:
dnssec-keygen -a hmac-md5 -b 128 -n host linux.lan
Add this in your /etc/bind/named.conf on master AND slave:
key "TRANSFER" {
algorithm hmac-md5;
secret "---HASHKEY---";
};
On the master add the slave ip to /etc/bind/named.conf:
server 192.168.254.2 {
keys {
TRANSFER;
};
};
And on the slave we add the master ip to /etc/bind/named.conf:
server 192.168.254.1 {
keys {
TRANSFER;
};
};
Add to /etc/bind/named.conf.local:
zone "linux.lan" {
type slave;
file "/etc/bind/zones/slave_linux.lan";
masters { 192.168.254.1; };
allow-notify { 192.168.254.1; };
};
Finally we need to, on BOTH hosts, add this to /etc/bind/named.conf:
include "/etc/bind/rndc.key";
In order to have a successful zone transfer both systems need to have a synchronised clock, so:
apt-get -y install ntpdate
Restart bind on both machines and notice the new zone file on the slave.
If you're wondering why _updates_ to the zonefile on your master seem to fail, check the expire etc. settings inside the zonefile.
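The SOA timers and the serial decide whether a slave ever picks up a change, and the sample zone above also has a subtle gap (its MX points at `mail`, which has no A record). The following is an added example, not from the post: a parser for the master_linux.lan zone shown earlier (re-indented, since the post's copy lost its whitespace) that checks the SOA timers against the RFC 1912 recommendations, computes the next YYYYMMDDnn serial, and flags records that point at names the zone never defines. It assumes `;` starts a comment and that `(` and `)` stand as separate tokens, which holds for this file.

```python
import re

# Added example (not from the post): parses the post's master_linux.lan zone,
# checks the SOA timers against RFC 1912 advice, computes the next YYYYMMDDnn
# serial, and flags records that point at names the zone never defines.

ZONE = """\
$TTL 3D
@   IN SOA ns1.linux.lan. hostmaster.linux.lan. (
        199802151 ; serial, todays date + todays serial #
        8H        ; refresh, seconds
        2H        ; retry, seconds
        4W        ; expire, seconds
        1D )      ; minimum, seconds
    TXT "Linux.LAN, serving YOUR domain :)"
    NS  ns1     ; Inet Address of name server
    NS  ns2
    MX  10 mail ; Primary Mail Exchanger
localhost A 127.0.0.1
ns1       A 192.168.254.1
ns2       A 192.168.254.2
www       CNAME ns1
"""

UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
RTYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "TXT", "PTR"}


def ttl_seconds(token):
    """BIND time syntax: '3D' -> 259200, '1W2D' -> 777600, '3600' -> 3600."""
    token = token.upper()
    if token.isdigit():
        return int(token)
    if not re.fullmatch(r"(\d+[SMHDW])+", token):
        raise ValueError("bad time value: %r" % token)
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([SMHDW])", token))


def _paren_delta(line):
    """Net '(' minus ')' outside double quotes; TXT data such as ':)' must not count."""
    delta, quoted = 0, False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "()":
            delta += 1 if ch == "(" else -1
    return delta


def parse_zone(text):
    """Return [(owner, TYPE, rdata_tokens)], joining parenthesised multi-line RDATA."""
    records, pending, depth, owner = [], [], 0, "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        if depth == 0:
            toks = line.split()
            if toks[0].startswith("$"):        # $TTL / $ORIGIN directives are not records
                continue
            if not line[0].isspace():
                owner = toks.pop(0)            # a leading blank means "same owner as before"
            pending = [owner] + toks
        else:
            pending += line.split()
        depth += _paren_delta(line)
        if depth == 0:
            toks = [t for t in pending if t not in ("(", ")")]
            i = 1
            while i < len(toks) and toks[i].upper() not in RTYPES:
                i += 1                         # skip the optional TTL and class fields
            records.append((toks[0], toks[i].upper(), toks[i + 1:]))
            pending = []
    return records


def soa_timers(records):
    """SOA serial/refresh/retry/expire/minimum as integers (seconds)."""
    rdata = next(r for _, t, r in records if t == "SOA")
    return dict(zip(("serial", "refresh", "retry", "expire", "minimum"),
                    (ttl_seconds(t) for t in rdata[2:7])))


def next_serial(current, today_yyyymmdd):
    """RFC 1912 YYYYMMDDnn convention: today's first serial, or current + 1 if already today."""
    base = today_yyyymmdd * 100
    return base if current < base else current + 1


def check_zone(text):
    records = parse_zone(text)
    t = soa_timers(records)
    problems = []
    if t["retry"] >= t["refresh"]:
        problems.append("retry %d is not smaller than refresh %d" % (t["retry"], t["refresh"]))
    if t["expire"] <= t["refresh"] + t["retry"]:
        problems.append("expire %d is too short: slaves drop the zone before retrying" % t["expire"])
    if t["expire"] < 2 * UNITS["W"]:
        problems.append("expire %d is under 2 weeks; RFC 1912 suggests 2-4 weeks" % t["expire"])
    defined = {owner for owner, _, _ in records}
    for owner, rtype, rdata in records:
        target = {"NS": rdata[:1], "CNAME": rdata[:1], "MX": rdata[1:2]}.get(rtype, [])
        if target and not target[0].endswith(".") and target[0] not in defined:
            problems.append("%s record on %s points at %s, which has no record in this zone" % (rtype, owner, target[0]))
    return problems


if __name__ == "__main__":
    print(soa_timers(parse_zone(ZONE)))
    for p in check_zone(ZONE):
        print("WARNING:", p)
```

On the post's zone the timers pass (retry 2H under refresh 8H, expire 4W), and the single warning is the MX pointing at an undefined `mail`. When an update seems to be ignored by the slave, compare the serial the slave holds (`dig @192.168.254.2 linux.lan SOA`) with the master's; if they match, the serial was not bumped, and next_serial gives the value to write.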
NOTE: if you get an error in syslog saying "bind dumping master file (...) permission denied ubuntu" check the /etc/apparmor.d/usr.sbin.named file and change the line:
/etc/bind/** r,
into:
/etc/bind/** rw,
Friday, 18 November 2011
Create symbolic links for multiple files simutaneously
As simple as:
for file in $(ls <path>|grep <something>); do ln -s <path>$file <new_path>$file; done
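The one-liner works for plain file names, but `$(ls ... | grep ...)` is split on whitespace, so a name like `holiday 2011.jpg` becomes two tokens and two broken links, and `ln -s` with a relative `<path>` produces links that only resolve from the directory you ran it in. As an added example (not the post's command), the same job in Python uses a glob pattern in place of the grep regex, resolves targets to absolute paths, and never clobbers an existing file; the `demo` helper builds a constructed directory to exercise it.

```python
import fnmatch
import os
import tempfile

# Added example, not the post's one-liner: a symlink-many helper that survives
# spaces in names, links to absolute targets and refuses to clobber real files.


def link_matching(src_dir, pattern, dest_dir, replace_links=False):
    """Symlink every file in src_dir whose name matches a glob into dest_dir.

    Returns (created, skipped). Regular files already present in dest_dir are
    never touched; existing symlinks are replaced only when replace_links is True.
    """
    created, skipped = [], []
    os.makedirs(dest_dir, exist_ok=True)
    for name in sorted(os.listdir(src_dir)):
        if not fnmatch.fnmatch(name, pattern):
            continue
        target = os.path.abspath(os.path.join(src_dir, name))   # resolves from any cwd
        link = os.path.join(dest_dir, name)
        if os.path.lexists(link):
            if not (replace_links and os.path.islink(link)):
                skipped.append(link)
                continue
            os.remove(link)
        os.symlink(target, link)
        created.append(link)
    return created, skipped


def demo():
    """Run link_matching on a constructed tree; returns a summary dict."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = os.path.join(tmp, "src"), os.path.join(tmp, "links")
        os.makedirs(src)
        for name in ("holiday 2011.jpg", "notes.txt", "cat.jpg"):
            open(os.path.join(src, name), "w").close()
        created, _ = link_matching(src, "*.jpg", dest)
        again_created, again_skipped = link_matching(src, "*.jpg", dest)   # rerun must not clobber
        return {
            "created": [os.path.basename(p) for p in created],
            "targets_ok": all(os.path.isfile(os.readlink(p)) for p in created),
            "second_run_created": len(again_created),
            "second_run_skipped": len(again_skipped),
        }


if __name__ == "__main__":
    print(demo())
```

A rerun reports every link as skipped rather than silently recreating it, which is what you want when the command lives in a cron job.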
Labels: Command Line, Linux