Welcome, Guest! Registration

loc2log

Sunday, 2019-06-16

So you've got a bigger and better card than an existing one in your Android 7.1.1 phone. You may have already copied files form your old card to the new one, but some apps are failing to find their files in the new card. The reason is that mount point for the new card is different from the old one so the actual path the app is different from what is expected by the app. The trick is, to change your new SD card's Volume Serial Number. Here is what I did to upgrade SD card in storage mode using MS Windows 8:

Prerequisite: Download VolumeId tool from VolumeId at MS KB. Unzip it.

Full procedure steps for Android 7.1.1 SD storage card

  1. Take a note of existing path used by your apps. E.g. Fast Notepad -> Settings -> Storage location /storage/XXXX-XXXX/fastnote. Where XXXX-XXXX - some HEX value. e.g. 01FB-8899
  2. Unmount ("Eject") the old SD card. Power off your phone and remove your old card.
  3. Insert the old card to your MS Windows PC and copy all the data from old SD card to PC
  4. Insert new SD card to the phone. Power on your phone
  5. Format the new SD card using your Android phone
  6. Unmount ("Eject") the new formatted SD card. Power off your phone and remove your new card from it.
  7. Using volumeid tool change your new SD card's volume id to math of the old one.
    In MS Windows Command Line (cmd) cd to your unzipped VolumeID location. E.g. volumeid is unzipped to Downloads\VolumeID; and your new SD card is available on MS Windows as drive "E:":
    cd Downloads
    cd VolumeId
    C:\Users\MyUser\Downloads\VolumeId64 E: XXXX-XXXX
    
    VolumeId v2.1 - Set disk volume id
    Copyright (C) 1997-2016 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    Volume ID for drive e: updated to XXXX-XXXX
  8. Copy all the backed-up data to the new card. Safely eject the new SD card from your PC
  9. Insert the new card to your phone
  10. Power on your phone. Mount the new card if necessary (my phone mounted it automatically).

Congratulations, your apps should see all their files now, as nothing happened :-)

Views: 122 | Added by: ep | Date: 2019-01-11 | Comments (0)

tower-cli job_template list tower-cli job_template get -n -f yaml or tower-cli job_template get -n -f json
Views: 247 | Added by: ep | Date: 2018-07-22 | Comments (0)

sudo awx-manage print_settings | grep '^DATABASES'
Views: 246 | Added by: ep | Date: 2018-07-22 | Comments (0)

When I entered one of my server instances on DigitalOcean via ssh I was shocked to discover there were almost half-million unsuccessful login attempts. That was definitely a cracking attempt going on. And I must confess my setup was not the strongest. So here are the remedy options:

  1. Just in case: Make sure you have non-ssh way of accessing your server console. DigitalOcean provides its own console to each Droplet. To get there: Click on your Droplet, Access, - big green button "Launch Console". Once you get to your box via non-ssh console (aka VNC), you are free to experiment because you do not depend on the ssh as your only life-line anymore.

    Now, from the VNC terminal, logged in as root, you may stop the sshd - an attacker won't be able to brute force a service which is not running.
    sudo service sshd stop - DO NOT DO THIS COMMAND UNLESS YOU HAVE NON-SSH ACCESS.

  2. If you've got an attack on a particular user name, then disable password access for that user, make it auth-key only, and limit number of access attempts.

    Better yet, create a new user instead, with less trivial name for the future access, so it has less chance of being in attacker's dictionary.

    Edit sshd config as necessary /etc/ssh/sshd_config

  3. To slow them down you may also throttle auth requests in the firewall, e.g. iptables.

    # sample configuration for iptables service
    # you can edit this manually or use system-config-firewall
    # please do not ask us to add additional ports/services to this default configuration
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -N SSHATTACK
    -A SSHATTACK -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --dport 80 --state NEW -m tcp -j ACCEPT
    -A INPUT -p tcp -m state --dport 22 --state NEW -m recent --set
    -A INPUT -p tcp -m state --dport 22 --state NEW -m recent --update --seconds 120 --hitcount 4 -j SSHATTACK
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

Useful links:

  • http://serverfault.com/questions/275669/ssh-sshd-how-do-i-set-max-login-attempts
  • http://serverfault.com/questions/470287/how-to-enable-iptables-instead-of-firewalld-services-on-rhel-7-and-fedora-18
Views: 465 | Added by: ep | Date: 2017-01-30 | Comments (0)

I have CentOS 7.0 iso set used as CD/DVD in VMWare, and wanted to use the image as the source to install rpms to my VMWare instance. It appeared quite easy to do:
  1. Even though the iso is used as the CD/DVD in the virtual machine and is "inserted", you still have to mount on the CentOS:
    sudo mount -t iso9660 /dev/sr0 /mnt
  2. Now create a repo file in /etc/yum.repos.d/. E.g. sudo vi /etc/yum.repos.d/CentOS-Media.repo:
    [CentOS-Media]
    name=CentOS-Media
    baseurl=file:///mnt/
    enabled=1
    
  3. You may have to clean all the caches to make sure the new repo is hooked up properly:
    sudo yum clean all
  4. That is pretty much it, yum shall be able to pick up your "CD/DVD" iso just as the other repositories.

Views: 591 | Added by: ep | Date: 2017-01-29 | Comments (0)

Recently I was debugging quite a convoluted bunch of daemons. That was an integration task with the goal to set proper permissions on temporary files used by them. I had to know what daemon is trying to access a certain file, and what user and group memberships are active for the daemon. There is a bunch of ways how to check what is accessing a file on Linux. The audit seemed to be the the most suitable one, as I did not know the exact timing for the access events.

Get things going I had to hook up a non-core repo on my CentOS 6.8 machine. Then to install audit with:

sudo yum install audit

Then start the daemon:

sudo service auditd start

Checked the audit daemon is actually running:

sudo service auditd status

Added the monitored rule:

auditctl -w /path/to/my/file -p rawx

The -w parameter sets which file or dir to monitor. If a directory is given, then all files and sub-dirs are going to be monitored.

The -p parameter enforces what exactly to monitor. I threw it all: r - for read, a - for append, w - for write, x - for execute.

The output can be found in /var/log/audit.log

Interestingly enough, there were no access events for that file until cut access permission down to just execute and set ownership to root:root. The idea was to proveke access error, and I knew the file is going to be read or written. Then the auditd threw an event of interest, so I could see what process tried to access file and the daemon's UID and GID among other info.

Another method could have been using inotify command line utility, which comes with the incron package. Will try it some other time. And last, but not least, all that goodness is available from kernel 2.6 and up, you maybe out of luck if you are running an older kernel.

Views: 545 | Added by: ep | Date: 2016-12-13 | Comments (0)

You may have to find out details on an existing AWS security group with ansible. For example, ansible rds module reguires security group ID to be provided. So how would you create an RDS instance if you have just the name of the group? Of course you can hardcode the id, or provide it via command line, but that may be quite cumbersome and not practical. You may also grab the group facts once you create a security group within ansible playbook (with "register:" on the spot), but if the group is already created by someone else - that is not an option. In the end, you may submit a feature request for ansible rds module to implement the security group hookup the same way as it is done for ansible ec2 or implement it yourself and to submit it to ansible. To my surprise I did not find a way to find a security group id by its name in ansible 2.2.0.0 out of the box. Fortunately there is an easy way around, thanks to Henrique Rodrigues (github.com/Sodki) and 2 other authors who came up with the same idea and implementations quite at the same time.

To gather security group facts in AWS with ansible 2.2.0.0 you will need to

1. Create library/ dir in your playbook root (same level as your inventory/, roles/ and whatever else you have there)

mkdir library

2. download the ec2_group_facts module from the development branch

cd library/
wget https://raw.githubusercontent.com/ansible/ansible-modules-extras/devel/cloud/amazon/ec2_group_facts.py

3. Use it in your playbook or role tasks to gather all available facts on security groups satisfying your search criteria. I had to get a security group id by name. To accomplish that I did:

- name: Gather security group facts
  ec2_group_facts:
  region: "{{ your_aws_region }}"
  filters:
    vpc-id: "{{ your_vpc_id }}"
    group_name: "{{ security_group_name_to_gather_facts_for }}"
  register: sg_facts


- debug: var=sg_facts
- debug: var=sg_facts.security_groups[0].group_id

More detail on AWS security groups gathering ansible module can be found here: https://github.com/ansible/ansible-modules-extras/blob/devel/cloud/amazon/ec2_group_facts.py. The module is not in the official deliverable yet at the time of writing, but I am sure it will be included into the official release pretty soon and it worked for me.

Views: 2172 | Added by: ep | Date: 2016-11-29 | Comments (0)

1 2 3 ... 7 8 »