The Linux packet filter provides an easy way to protect against unwanted network intrusions. Often referred to simply as “iptables“, it is a basic firewall built into the Linux kernel. Iptables is most useful, perhaps, on those servers most susceptible to attack, such as LAMP systems, content management servers and blogging platforms, especially where they are Internet facing.
Ipset is a fairly recent addition to Linux, having been introduced into kernel version 2.6.32. This means it is supported in Debian 7 and 8, as well as Red Hat 6 onwards. In short, ipset allows a large number of IP addresses to be blocked in an efficient way, as demonstrated below. Continue reading →
Linux disk partition names such as /dev/sda1, /dev/sda2 are not as fixed as they once were. From time to time they can change. Perhaps due to a hardware change or kernel upgrade, or sometimes for no apparent reason. If and when this happens on your system, things can break. In this case, an encrypted swap partition had been configured as “/dev/sda6”, and failed to activate following a change in the the /dev/sdXX partition names. This article describes the symptoms and a fix.
The article also discusses a bug affecting Ubuntu 14.04 based distributions, which can make it more difficult to recover an encrypted swap configuration broken by a device name change. Continue reading →
Debian 8 (jessie) was released in April 2015, ten months ago at the time of writing. Some sites will have upgraded by now, and others might be considering the move. This article provides a list of issues encountered after upgrading several servers from Debian 7 (wheezy) to Debian 8. These are system administration issues in the most part, though some might also be of interest to application support staff. Continue reading →
This post describes the recovery of a broken virtual machine within ESXi 5.1 (update 1). The VM was damaged in several ways: the vmxf file was missing, and so was one of the vmdk files. The system was down and not bootable due to the missing files. In addition, the root password had been lost and needed recovery. The same procedure, or parts of it, should work for other ESXi VMs. The broken VM was running Red Hat, but that barely impacts the procedure, apart from the password recovery bit. Continue reading →
After a security scan showed vulnerabilities, a recent client of mine requested the above update. The target server was a stand alone HP DL360 running ESXi version 5.0 (GA). The upgrade was performed with the following procedure, which should work equally as well for other ESXi versions. A system reboot is required. Continue reading →
This post explains how to install the mlx4 driver into ESXi 5.1 in order that it can see and communicate with the NC542m 2-port Ethernet adapter card. The card was fairly new (at the time) and ESXi 5.1 could not see it by default. Continue reading →
UPDATED December 2017 for Rasbian Stretch. The Raspberry Pi comes with a default user called “pi”, whose initial password is also set to a well known default. While this makes it easy to use the system, it is not very secure. Anyone with physical access to your Pi could login with these widely known credentials. Furthermore, if you have enabled the SSH server, users on the local network could do the same.
Even if you have changed the “pi” user password, just having a user name that is universally known is still a security risk. The following article explains how to safely rename the “pi” user to something more secure. Continue reading →
ESXi is popular hypervisor product from VMware. It comes with several management GUIs including Vsphere and VCenter. Command line tools are also bundled, though they are used more rarely. This article describes a short script to list all virtual machines on the system.
The script is below. It is intended to run under the Busybox shell, the default environment when you ssh directly into the system hosting ESXi. Continue reading →