Check sudoers file

Messing up a sudoers file on one box is no big deal.

In a managed environment, say if Puppet is pushing out a central sudoers file, getting it wrong could break a lot of things for a lot of people. Good advice is to check it before pushing it out. One method is:

visudo -cf /etc/sudoers

It’ll sanity check whatever file you specify. Better safe than sorry.
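
One way to wire that check into a rollout, as an added example that is not from the original post: the candidate file is installed only if visudo -cf accepts it, and it is swapped into place with a rename. The function name deploy_sudoers, the VISUDO override variable and the staging file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): gate a sudoers rollout on visudo -cf.
# Assumptions: VISUDO names the checker (default: visudo); paths are the caller's.
VISUDO="${VISUDO:-visudo}"

# deploy_sudoers CANDIDATE TARGET
# Returns 0 = installed, 1 = rejected by the checker, 2 = unreadable, 3 = install failed.
deploy_sudoers() {
    ds_candidate="$1"
    ds_target="$2"

    if [ ! -r "$ds_candidate" ]; then
        echo "deploy_sudoers: cannot read $ds_candidate" >&2
        return 2
    fi

    # -c = check only, -f = check this file instead of the live sudoers.
    # A failed check leaves the target untouched.
    if ! "$VISUDO" -cf "$ds_candidate" >/dev/null 2>&1; then
        echo "deploy_sudoers: $ds_candidate failed '$VISUDO -cf', not installing" >&2
        return 1
    fi

    # Stage beside the target so the final mv is a rename on the same
    # filesystem: sudo never sees a half-written file.
    ds_tmp="$ds_target.new.$$"
    # 0440 is the mode sudo expects on sudoers; ownership comes from the
    # invoking user, so run this as root for the real file.
    if cp "$ds_candidate" "$ds_tmp" && chmod 0440 "$ds_tmp" \
        && mv -f "$ds_tmp" "$ds_target"; then
        return 0
    fi
    rm -f "$ds_tmp"
    return 3
}

# Example call (run as root):
#   deploy_sudoers /root/staging/sudoers /etc/sudoers
```

Try it against a scratch copy first; a non-zero return means the live file was left as it was.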

Live snapshots on KVM

Live snapshots have long been a key feature of virtualisation technologies. VMware probably weren’t the first but they sold the feature to the world. If you want to be able to take live external snapshots (say, for backup purposes) and you’re on KVM, here’s what you need to do (using CentOS 7).

So, you have your KVM host set up with machines running. You need to add the oVirt repo to your system to get more recent versions of qemu and, well, everything KVM-related. Do this like so:

wget http://resources.ovirt.org/pub/yum-repo/ovirt-release36.rpm && yum localinstall ovirt-release36.rpm && yum update -y

Let it update then reboot the host. Yup, I know – rebooting Linux, what a crime. It’s what I had to do to get the VMs running on the newer version of qemu. Fire up a VM.

To test live external snapshots, first of all you need to know what disk image is being used by a particular VM. Do this:

virsh domblklist vm1

Replace vm1 with the name of your VM. Returned is a list of block storage attached to it. Now take the live snapshot:

virsh snapshot-create-as --domain vm1 snapshot1 --diskspec vda,file=/var/lib/libvirt/images/vmsnapshot1.qcow2 --disk-only --atomic --no-metadata

You have a little thinking to do here. As before, replace vm1 with the name of your VM. The vda has to match the target in the domblklist output from before. The file= path can be arbitrary but I tend to stick with keeping images in the same place. The name of the snapshot is also arbitrary. Once you have finished thinking and input the command you’ll have a snapshot.

The active image is now this snapshot. Feel free to back up the original. Finished? Okay, on the assumption the snapshot was temporary (snapshots should ALWAYS be temporary, okay? I’ve seen em used as permanent ‘bookmarks’ in some settings and it’s just wrong), we now need to commit the snapshot back into the original, base image while the VM is powered on:

virsh blockcommit vm1 vda --active --verbose --pivot

This shouldn’t take long. Now qemu is using the original disk image again. Delete the snapshot:

rm /var/lib/libvirt/images/vmsnapshot1.qcow2

You’re done. There is more to this: the --quiesce option when creating the snapshot. That requires the qemu guest agent to be installed on the VM and set up correctly, which I hope to go through soon. It ensures consistent disk images.

Install zmap on Kali 2

Zmap is a nice tool. If you don’t know already, it can scan vast subnets very quickly. Best used to scout for targets, make a list and then go exploring them with nmap. It’s not as fast as masscan, but that’s for another post. Zmap has found its way into Kali now, but if you are stuck using a version prior to that change or want to set up from source, here’s how to install it:

apt-get install build-essential make cmake libgmp3-dev libpcap-dev gengetopt byacc flex git libjson-c-dev
git clone https://github.com/zmap/zmap.git
cd zmap
cmake -DENABLE_DEVELOPMENT=OFF .
make && make install

That should be that. Scan away. Responsibly. 😉

CentOS 6 Squid Proxy Install

Today Mama is going to cook a tasty Squid proxy server on CentOS 6. It’s a reliable, trusted solution used in many web filtering appliances around the world. This howto comes with no guarantees!

Install Squid.

yum install epel-release && yum -y install squid

These are very common forward proxy settings.

vi /etc/squid/squid.conf

## Look for this line:
acl CONNECT method CONNECT
## Add a new ACL to allow your LAN access to the Proxy:
acl lan src 192.168.1.0/24

## Look for this line:
http_access allow localhost
## Let the ACL we just defined have http access via the proxy and add/change to:
http_access allow lan

## Look for http_port and change it to:
http_port 8080

## Copy and paste the below to the bottom of the file:
request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all

## Look for visible_hostname
visible_hostname yourhost.server.world

## Turn off IP address forwarding:
forwarded_for off

Exit vi (:x), turn on the Squid service at boot and start the service now:
chkconfig squid on
service squid start

Welcome to Mama Linux!

Here we’ll try to provide you with the tastiest Linux recipes that only Mama can provide! We’ll be aiming to help you set up a few different services running on Linux, helping you over any sticking points.