df error - 'df: cannot read table of mounted file systems'


[root@host]# df -h
df: cannot read table of mounted file systems
[root@host]# cat etc/mtab
(nothing)
[root@host]# lvdisplay
Parse error at byte 6 (line 1): unexpected token

This is often related to a disk space issue. A post from insanelabs.com recommended freeing up space and then rebuilding /etc/mtab from /proc/mounts like so:

[root@host]# grep -v rootfs /proc/mounts > /etc/mtab

Seemed to do the trick, df is now returning expected results.

ODBC logon scripts - ODBCCONF

ODBCCONF is deprecated, and "should not be used", but I couldn't find a better way to do this in the time that I had.
I needed a logon script to create some data sources (ODBC's) so I used ODBCCONF in a batch file that looked like this:
ODBCCONF CONFIGDSN "SQL Server" "DSN=DataSourceName| Description=| SERVER=DBhostnameorIP| Database=DB_name| Trusted_Connection=yes"

This breaks down as follows:
ODBCCONF - The utility to run
CONFIGDSN - Configures a User DSN (CONFIGSYSDSN would be for a System DSN)
"SQL Server" - The driver to use
DSN= Data source name
Description= A description of the DSN
SERVER= DB host or IP address
Database= DB name
Trusted_Connection=yes (Use Windows NT authentication)

Windows: Show or Delete files older than X days

Using forfiles to show and/or delete files older than X amount of days:

/p = path
/s = subdirectories (recursive)
/m = mask
/d = days
/c = cmd to be run

Show .log files in C:\LogFiles (recursively) older than 1 year:

forfiles /p C:\LogFiles /s /m *.log /d -365 /c "cmd /c echo @file is at least 1 year old."


Remove .log files in C:\LogFiles (recursively) older than 1 year:

forfiles /p C:\LogFiles /s /m *.log /d -365 /c "cmd /c del @file"


Save as a .bat and schedule it.

Domain Controller Troubleshooting with DCDIAG , REPADMIN , and NETDIAG

DCDIAG

DCDIAG analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting.

Details available at MS TechNet.

Example: dcdiag.exe /V /D /C /E > c:\dcdiag.log

REPADMIN

Repadmin.exe is a Microsoft Windows 2000 Resource Kit tool that is available in the Support Tools folder on the Windows 2000 CD-ROM. It is a command-line interface to Active Directory replication. This tool provides a powerful interface into the inner workings of Active Directory replication, and is useful for troubleshooting Active Directory replication problems.

Example: repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

Details available at MS TechNet.

NETDIAG

This command-line diagnostic tool helps to isolate networking and connectivity problems by performing a series of tests to determine the state of your network client. These tests and the key network status information they expose give network administrators and support personnel a more direct means of identifying and isolating network problems. Moreover, because this tool does not require parameters or switches to be specified, support personnel and network administrators can focus on analyzing the output rather than on training users how to use the tool.

Example (to be run on each DC): netdiag.exe /v > c:\netdiag.log

Details available at MS TechNet.

Win Server 2008 DC RADIUS server for a Cisco ASA VPN

Thanks to FixingIT.wordpress.com. I pulled most of this post from there, made some tweaks, and added the Cisco CLI as an alternative to ASDM.

The following steps are a walk through of configuring a Windows 2008 Server Domain Controller as a RADIUS server for an ASA, and configuring that ASA as the RADIUS client. This will allow VPN users to authenticate against Active Directory instead of locally on the ASA.

These steps assume the following:

• Windows Server 2008: 192.168.0.10
• Cisco ASA: 192.168.0.5

Configure the ASA

CLI

The applicable parts of the config are as follows:

interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.5 255.255.255.0

aaa-server SERVER protocol radius
accounting-mode simultaneous
aaa-server SERVER host 192.168.0.10
key mysecretkey
radius-common-pw mysecretkey


ASDM

Create an IP Name object for the target

1. Under the Firewall section, expand the Objects link and select the IP Names.
2. Click the Add button at the top.
3. Enter a descriptive name, the IP address of the DC/RADIUS server and a description of the server.
4. Click OK and then Apply

Create a new AAA Server Group

1. Click the Remote Access VPN section.
2. Expand AAA Setup and select AAA Server Groups.
3. Click the Add button to the right of the AAA Server Groups section.
4. Give the server group a name, like TEST-AD, and make sure the RADIUS protocol is selected.
5. Accept the default for the other settings. And click OK

Add the RADIUS server to the Server Group.

1. Select the server group created in the step above.
2. Click the Add button to the right of Servers in the Select Group.
3. Under the Interface Name select the interface on the ASA that will have access to the RADIUS server, most likely inside.
4. Under Server Name or IP Address enter the IP Name you created for the RADIUS server above.
5. Skip to the Server Secret Key field and create a complex password. Make sure you document this as it is required when configuring the RADIUS server. Re-enter the secret in the Common Password field.
6. Leave the rest of the settings at the defaults and click Ok.

Configuring the Windows 2008 DC/RADIUS Server

*requires domain admin privileges
Add the Network Policy Server function.

1. Connect to the Windows Server 2008 server and launch Server Manager.
2. Click the Roles object and then click the Add Roles link on the right.
3. Click Next on the Before You Begin page.
4. Select the Network Policy and Access Services role and click Next.
5. Under Role Service select only the Network Policy Server service and click Next.
6. Click Install.

After the role finishes installing you will need to set up the server using the Network Policy Server (NPS) management tool found under Administrative Tools.

Registering the server.
After launching the NPS tool right-click on the entry NPS(Local) and click the Register Server in Active Directory. Follow the default prompts.

Create a RADIUS client entry for the ASA.

1. Expand the RADIUS Clients and Servers folder.
2. Right-click on RADIUS Clients and select New RADIUS Client.
3. Create a Friendly Name for the ASA device. I used “CiscoASA” but if you had more than one you might want to make it more unique and identifiable. Make sure you document the Friendly Name used as it will be used later in some of the policies created.
4. Enter the Server Secret Key specified on during the ASA configuration in the Shared secret and Confirm shared secret field.
5. Leave the default values for the other settings and click OK. See Figure 1 for all the complete RADIUS Client properties.

Create a Connection Request Policy

1. Expand the Policies folder.
2. Right-click on the Connection Request Policies and click New.
3. Set the Policy Nameto something meaningful. I used CiscoASA because this policy is geared specifically for that RADIUS client. Leave the Type of network access server as Unspecified and click Next.
4. Under Conditions click Add. Scroll down and select the Client Friendly Name condition and click Add
5. Specify the friendly name that you used when creating the RADIUS Client above. Click OK and Next.
6. On the next two pages leave the default settings and click Next.
7. Under the Specify a Realm Name select the Attribute option on the left. From the drop down menu next to Attribute: on the right select User-Name. Click Next again.
8. Review the settings on the next page and click Finish.

Create a Network Policy.

1. Right-click the Network Policy folder and click New.
2. Set the Policy Name to something meaningful. Leave the Type of network access server as Unspecified and click Next.
3. Under Conditions click Add.
4. Add a UsersGroup condition to limit access to a specific AD user group. You can use a generic group like Domain Users or create a group specifically to restrict access.
5. Add a Client Friendly Name condition and again specify the Friendly Name you used for your RADIUS client.
   
6. Click Next. Leave Access granted selected and click Next again.
7. (Important Step) On the authentication methods leave the default selection and add Unencrypted authentication (PAP, SPAP).
8. Accept the default Constraints and click Next.
9. Accept the default Radius Settings and click Next. Review the settings and click Finish.

Restart the Network Policy Server service. Probably not be necessary, but not a bad idea.

Test Your RADIUS Authentication

CLI

test-fw# test aaa authentication SERVER host 192.168.0.10 username testuser password mypassword 
INFO: Attempting Authentication test to IP address <192.168.0.10> (timeout: 12 seconds)
INFO: Authentication Successful

ASDM

The ASDM utility includes functionality to test RADIUS Authentication.

1. If necessary re-launch the ASDM utility.
2. Return to Configuration > Remote Access VPN > AAA Setup > AAA Server Groups.
3. Select the new Server Group you created.
4. From the Servers in the Selected Group section highlight the server you created. Click the Test button on the right.
5. Select the Authentication radio button. Enter the Username and Password of a user that meets the conditions specified in the Network Policy created above then click OK.
6. If everything works as designed you should see something similar to "Authentication test to host is successful"

Bash Scripting repetitive tasks

An audit on a Linux server made it necessary to get information regarding every user on the machine, and match those users to a mail directory (which may or may not have a different name). Instead of running the 'finger' command three hundred times and copying the output somewhere I used this:

#! /bin/sh
while read username; do
finger ${username}
done < inputfile > outputfile
exit 0
I saved this as finger_script.sh and copied each of the usernames to the file 'inputfile'. The 'inputfile' contained just the usernames that I cut and pasted from the mail directory in question, and looked like this:

bill frank keith user01 user05 user09
carl gary larry user02 user06 user10
dan heather mary user03 user07 user11
denise joe nancy user04 user08 user12

Running finger_script.sh ran the finger command on each user in the 'inputfile' and immediately output a list of users that did not exist. It also created 'outputfile', which contained a list of the information on each user:

Login: bill Name: Bill Person
Directory: /home/b/bill Shell: /bin/nologon
Never logged in.
No mail.
No Plan.

Login: carl Name: Carl Guy
Directory: /users/carl Shell: /bin/nologon
Never logged in.
No mail.
No Plan.

Login: dan Name: Dan Theman
Directory: /users/dan Shell: /bin/nologon
Never logged in.
No mail.
No Plan.


Fail2Ban - Reload banned IP's after a restart

Restarting fail2ban will drop all of your currently banned IP's from iptables. To reload those banned IP's try this.

First, output your currently fail2-banned IP's to a text file with the iptables commands:
iptables-save | grep '\-A fail2ban' | sed 's/\-A/iptables\ \-A/' > bannedIPs.txt

Stop fail2ban, make your config changes, etc. and restart:
service fail2ban stop
service fail2ban start

Load your iptables commands by piping your saved rules to bash:
cat bannedIPs.txt | /bin/bash

Broken yum - yum hangs when trying to remove a package

I removed a package with yum "successfully" but was unable to reinstall it, as yum seemed to think it was already installed.

Check a package for corruption: rpm -Vv package

Remove a package from the rpm database:
rpm -e --justdb --nodeps package

Probably a good idea to yum clean all if you didn't already.