Redirecting Firewall Messages in Linux

The Linux firewall is a great way to secure a server, especially one that is Internet facing. Together with ipset and an appropriate blacklist, it can protect your server from the worst the Internet can throw at it. However, netfilter (aka iptables), can generate a lot of messages. By default they go to the kernel logging channel, flooding out log files such as messages, syslog and kern.log.

It is important to keep log files clear so that system issues are not missed. For example, a hardware or memory error message might be written to kern.log, but could be difficult to notice due to many thousands of firewall messages. Worse, over time, the important message will be moved into a historical log files due to the action of logrotate.

This article explains how to send firewall messages to their own log file, using the example of a Raspberry Pi running Raspbian 9 (Debian Stretch). After a small configuration change, netfilter messages go to their own file instead of clogging up the general logs.

Continue reading

Messing Around with Graphics.py

This article explains how to create some simple mathematical shapes with graphics.py, a popular graphics library for Python written by John Zelle. Graphics.py is a single file containing graphics functions such as Point, Line, Circle and Rectangle. In this article though, we are just going to use it to plot single points.

At the top of the page is a blancmange like shape. The program that drew it is at the bottom of the article, if you want to jump straight there.  Otherwise, a couple of simpler plots will be demonstrated first, just to show a couple of underlying principles. Continue reading

Complex Data Structures in Python

Most programming languages offer the facility for making large, compound data structures. For example C, Pascal, Perl and Python. A few simple data types are provided, out of which larger structures can be built. A programmer can store data in a whatever way is most suitable for the application.

Often, a simple list or dictionary will be enough. Read the data in, process it, and print the results out. Perfect. But for a larger or more useful application, more data, and more kinds of data, will need to be stored and processed at the same time.

This article demonstrates the building of a complex data structure in Python. Note: it is not about classes, or object oriented programming, just the syntax for handling complex data structures, made up of lists, dictionaries and simple strings and integers. Continue reading

Bash Script Behaves Differently When Called From Cron

Unix users and administrators will be familiar with the cron, unix’s built in job scheduler. It is a good way of running regular jobs eg backups, system monitoring programs or housekeeping scripts. The configuration of cron is quite particular and care is needed when setting up a new job. Your well tested script can behave differently when it is called from cron. Sometimes the differences won’t matter. But sometimes they do, and finding the cause can be tricky.

This brief article describes how many such problems can be tracked down simply by capturing the standard error output properly. In short, make sure your troublesome cron job is not quietly discarding the very information you need to fix it. Continue reading

How to Identify the Build Time of a Red Hat System

To determine when a Red Hat or CentOS server was first built, use rpm -qi basesystem:

[fred@rhel7 ~]$ rpm -qi basesystem
Name        : basesystem
Version     : 10.0
Release     : 7.el7
Architecture: noarch
Install Date: Thu 16 Apr 2015 18:16:04 CEST    <----- here
Group       : System Environment/Base
Size        : 0
License     : Public Domain
Signature   : RSA/SHA256, Tue 01 Apr 2014 15:23:16 CEST, Key ID 199e3a91fd554c52
Source RPM  : basesystem-10.0-7.el7.src.rpm
Build Date  : Fri 27 Dec 2013 18:22:15 CET
Build Host  : xxxxxxxxxx
Relocations : (not relocatable)
Packager    : Red Hat, Inc. 
Vendor      : Red Hat, Inc.
Summary     : The skeleton package which defines a simple Red Hat Enterprise Linux system
Description :
Basesystem defines the components of a basic Red Hat Enterprise Linux
system (for example, the package installation order to use during
bootstrapping). Basesystem should be in every installation of a system,
and it should never be removed.

Note: The date returned, 16th April in the example above, reflects the time that the operating system was installed. This is usually the same as the system creation time, except in cases where a system has been cloned or built from a pre-installed image. In the last case, the date returned will reflect the build date of the source image, rather than the target system.

/tmp/sortXXXXXX files

A backup script that runs on several Linux systems recently produced the following error:

ls: cannot access '/tmp/sortrq9hq8': No such file or directory

It happens every time the backup runs. Other than the above message, there seems to be no ill effect on the backup, which completes successfully. The ls command did not find a file that it expected to be there.

This article explains how the missing file was created by the Linux sort command as a temporary storage area, how error messages about these files are likely to crop up from time to time, how to reproduce the error, and some background about the behaviour of the sort command on Linux and Solaris. Continue reading

How to Convert a Website from HTTP to HTTPS

An http website is not encrypted. That is to say, the data comprising the site is not encrypted as it flows from the web server to the device (pc, phone, tablet) on which the user is viewing the page. Anyone able to “listen in” on the network could read that data, which is a security risk. An https web site is different. Data is encrypted. The web server encrypts each web page before transmission, and the user’s browser decrypts it, providing end-to-end protection from eavesdropping.

This article explains how to convert an existing basic website to https by obtaining a free digital certificate from Let’s Encrypt. It is based on a Raspberry Pi running the “Apache” web server, but will also work on other Linux systems. It is intended for home users and people running small-scale web sites, and as a learning aid. Continue reading

Automatic Nextcloud Installation on Raspberry Pi

Nextcloud is an open source software package providing remote file sharing services. It is similar to Dropbox. But with Nextcloud, you retain ownership, security and control of the shared data. This procedure describes how to build a working Nextcloud service using just 3 commands.  It has been tested on Raspbian Stretch and on the Raspberry Pi 4 / Raspbian Buster (this article last updated 14/1/2020)

Note: If you would rather do the installation manually, step-by-step, without the help of a script, please see my previous article Simple Nextcloud Installation on Raspberry Pi. It explains how to do the installation in detail, and provides more background information on Nextcloud. Both procedures achieve the same overall result, however.

Note: If you are running Raspbian Buster, then Nextcloud 17 will be installed.  For Stretch, it’s Nextcloud 15.

Continue reading

Renaming a Bitbucket Repository

Bitbucket is a paid-for version of Github*. Along with Jira and Confluence, it forms the Atlassian framework, a suite of devops tools in widespread use.

Using the Bitbucket web interface, a repository can easily be renamed. However, this causes a change in the URL, which breaks the link from existing clones of the repo. They can be deleted and re-cloned, or renamed. This post explains how to do the rename. Continue reading

Using Address Ranges and Port Ranges with Iptables

Iptables is the name of the firewall built into the Linux kernel. It is also the tool used for firewall configuration. This post explains how to use iptables with a range of IP addresses and/or ports. It could be used, for example, to allow SSH traffic from a number of systems. Or to open up a range of ports with a single firewall rule.

Note: This article is not about blacklisting. If you are looking to set up a blacklist, perhaps to protect your server from a number of unrelated IP addresses, my related procedure on how to protect your webserver with IPset might be more appropriate.

The Linux firewall (part of the Netfilter project) is important on Internet facing systems, “edge” servers and “jump” boxes. Particularly when they do not sit behind another protective network element such as a load balancer or discrete firewall. For example, standaline cloud instances that are not part of a protected VPC infrastructure. Continue reading