Philipp

Synology DSM as OpenVPN Client

Uncategorized | Jan 18, 2019

To connect your Synology DiskStation to your OpenVPN server, you can import your .ovpn config file. In my case (authentication via certificates) I had to include/embed my certificates directly in the config file.

The inline file syntax is described here: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV

Another useful post (not needed if you embed the certs, keys and tls-auth key in your ovpn config file): https://robert.penz.name/772/configure-a-synology-nas-as-openvpn-client-with-certificate-authentication-and-make-it-stable/

# OpenVPN client profile for Synology DSM with all key material inline
tls-client
pull
dev tun
proto udp
# server host and port
remote testserver.com XXXX
resolv-retry infinite
nobind
persist-key
persist-tun

# inline files: paste the full PEM content (including the BEGIN/END lines) between the tags
<ca>
# place the content of your ca.crt here
</ca>
<key>
# place the content of your xxx.key here
</key>
<cert>
# place the content of your xxx.crt here
</cert>
<tls-auth>
# place the content of your xxx.tlsauth here
</tls-auth>

# require the server certificate to be marked as a TLS server (protects against a client cert being used as "server")
remote-cert-tls server
# direction of the tls-auth key: 0 on the server, 1 on the client
key-direction 1

verb 4
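
Assembling the inline blocks by hand is error-prone (wrong file in the wrong tag, DER instead of PEM). The following script, an added example that is not part of the original post, builds the profile from a base config and the four PEM files, checking each file's BEGIN marker first; file names and the output location are assumptions.

```shell
#!/bin/sh
# Build a single .ovpn with inline <ca>/<cert>/<key>/<tls-auth> blocks from
# separate PEM files, which is what DSM needs. Example code, not from the
# original post; the base profile and the four PEM file paths are arguments.

# Refuse a file that is missing or lacks the expected PEM BEGIN marker
# (catches e.g. a private key passed in the certificate slot).
check_pem() {
    file=$1 marker=$2
    [ -r "$file" ] || { echo "missing or unreadable: $file" >&2; return 1; }
    grep -q -- "-----BEGIN .*$marker" "$file" ||
        { echo "$file does not look like a $marker PEM file" >&2; return 1; }
}

# Wrap a file's content in an OpenVPN inline tag, written to stdout.
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# build_profile BASECONF CA CERT KEY TA  > client.ovpn
build_profile() {
    base=$1 ca=$2 cert=$3 key=$4 ta=$5
    check_pem "$ca" CERTIFICATE || return 1
    check_pem "$cert" CERTIFICATE || return 1
    check_pem "$key" "PRIVATE KEY" || return 1
    check_pem "$ta" "OpenVPN Static key" || return 1
    # drop file-based directives that the inline blocks replace
    grep -v -E '^(ca|cert|key|tls-auth)[[:space:]]' "$base"
    inline_block ca "$ca"
    inline_block cert "$cert"
    inline_block key "$key"
    inline_block tls-auth "$ta"
    # verify the server certificate role and set the tls-auth key direction
    printf 'remote-cert-tls server\nkey-direction 1\n'
}

# Usage: sh build_ovpn.sh base.conf ca.crt client.crt client.key ta.key > client.ovpn
if [ "$#" -eq 5 ]; then
    build_profile "$@"
fi
```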
Linux performance problems and some helpful commands

IT, Linux | Apr 11, 2017

On one of our RHEL systems we had an issue with high load. In some cases our Java application crashed.

The following command helped us find the reason (in our case it was the limit of processes per user).

# memory in MiB (-S M), with timestamps (-t), one sample every 10 seconds, 10 samples
vmstat -SM -t 10 10
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------ ---timestamp---
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 0  0      0  12448    562  36934    0    0     0     3    3    2  0  0 100  0  0       2017-04-11 17:20:38 CEST
 0  0      0  12448    562  36934    0    0     0     4 1059 1975  0  0 100  0  0       2017-04-11 17:20:48 CEST
 0  0      0  12448    562  36934    0    0     0     3 1158 2038  0  0 100  0  0       2017-04-11 17:20:58 CEST

With ulimit we could see that the "max user processes" limit was set to a very low level. That was the reason why our application crashed (Java could not open additional threads).

ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 257569
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1000000
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 10240
cpu time               (seconds, -t) unlimited
max user processes              (-u) 1200
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

# show the 1/5/15 minute load averages, runnable/total scheduling entities (threads) and the last PID assigned
cat /proc/loadavg
0.00 0.00 0.00 1/1570 14415

# count the threads of a user (here: philipp); these are what "max user processes" (ulimit -u) limits.
# -T lists one line per thread; the grep line itself is included in the count.
ps -elfT | grep philipp | wc -l
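
To catch this before the JVM runs out of threads, the following functions (an added example, not part of the original post) compare the thread count of the current user with `ulimit -u` and warn above a threshold; the threshold and the uid-based matching are my own choices.

```shell
#!/bin/sh
# Check how close a user's thread count is to the nproc limit (ulimit -u),
# the condition behind the crashed Java application above. Example code, not
# from the original post; the warning threshold is an assumption.

# Count scheduling entities (threads) owned by UID. The thread-aware listing
# (-L) prints one line per thread, matching what the nproc limit counts;
# matching on uid avoids truncated user names in ps output.
count_uid_threads() {
    ps -eLo uid= | awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# Total scheduling entities from a /proc/loadavg line ("running/total" is
# the 4th field); the line is passed in so a constructed sample can be used.
total_threads_from_loadavg() {
    printf '%s\n' "$1" | awk '{ split($4, a, "/"); print a[2] }'
}

# Integer percentage of LIMIT consumed by COUNT; 0 when LIMIT is unlimited.
usage_percent() {
    count=$1 limit=$2
    case $limit in
        unlimited|''|0) echo 0 ;;
        *) echo $(( count * 100 / limit )) ;;
    esac
}

# Report for the current user and warn above THRESHOLD percent (default 80).
check_nproc_headroom() {
    threshold=${1:-80}
    uid=$(id -u)
    limit=$(ulimit -u)
    count=$(count_uid_threads "$uid")
    total=$(total_threads_from_loadavg "$(cat /proc/loadavg)")
    pct=$(usage_percent "$count" "$limit")
    printf 'uid %s: %s threads (system total %s), nproc limit %s, %s%% used\n' \
        "$uid" "$count" "$total" "$limit" "$pct"
    [ "$pct" -lt "$threshold" ] || echo "WARNING: near max user processes" >&2
}
```

With the values from this post (1570 threads on the system, limit 1200) the report already shows more than 100%, which is exactly the situation in which thread creation starts to fail.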

Remove fingerprint for RSA Key for SSH connections (remove single line from file via terminal)

Linux | Jan 25, 2017

Sometimes host key verification fails because the host was replaced, its IP address changed, or something similar. A changed host key can also indicate a man-in-the-middle attack, so confirm the reason before removing the entry.

In my case I work with high-availability clusters, and we often have the case that there is a switch of the host. To avoid manually editing the .ssh/known_hosts file, I have written a simple bashrc alias/function.

# simple function to remove a line (by number) from ~/.ssh/known_hosts;
# use the line number ssh reports ("Offending ... key in ~/.ssh/known_hosts:N")
cleanup_known_hosts(){
    case ${1:-} in
        ''|*[!0-9]*) echo "Syntax : cleanup_known_hosts Linenumber"; return 1 ;;
    esac
    # keep a backup, then delete the line via a private temp file (mktemp avoids a predictable name in /tmp)
    \cp ~/.ssh/known_hosts ~/.ssh/known_hosts_backup.$$
    tmpfile=$(mktemp) || return 1
    sed "${1}d" ~/.ssh/known_hosts > "$tmpfile" && \cp "$tmpfile" ~/.ssh/known_hosts
    rm -f "$tmpfile"
    echo "Finished"
}
# the alias is redundant (the function is already callable by this name) but harmless
alias cleanup_known_hosts=cleanup_known_hosts

With small adaptations you can use this function anywhere you need to remove a given line from a file.
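
When a cluster node fails over, the same host usually has several entries (name, IP address, non-default port). The following functions, an added example that is not from the original post, remove all lines for a host name or address at once; the file path is an argument so the code can be run against a copy.

```shell
#!/bin/sh
# Remove every known_hosts entry for a host name or address rather than a single
# line number. Example code, not from the original post; the file path is an
# argument so it can be run against a copy. Only plain (unhashed) entries are
# matched; with HashKnownHosts the host field is "|1|salt|hash" and must be
# removed with "ssh-keygen -R host" instead.

# Print the 1-based line numbers whose host field lists HOST. The field is a
# comma-separated list ("node1,10.0.0.5") and is "[host]:port" for non-22 ports.
known_host_lines() {
    awk -v h="$2" '
        /^[[:space:]]*(#|$)/ { next }                  # comments and blank lines
        {
            f = ($1 ~ /^@/) ? $2 : $1                  # skip @cert-authority/@revoked marker
            n = split(f, hosts, ",")
            for (i = 1; i <= n; i++)
                if (hosts[i] == h || hosts[i] ~ ("^\\[" h "\\]:[0-9]+$")) { print NR; break }
        }' "$1"
}

# Back up FILE, delete all lines for HOST and print how many were removed.
remove_known_host() {
    file=$1 host=$2
    lines=$(known_host_lines "$file" "$host")
    [ -n "$lines" ] || { echo 0; return 0; }
    cp "$file" "$file.backup.$$"
    tmpfile=$(mktemp) || return 1
    # turn the line numbers "2 4 5" into the sed script "2d;4d;5d"
    script=$(printf '%s\n' "$lines" | awk '{ printf "%s%sd", (NR > 1 ? ";" : ""), $1 }')
    sed "$script" "$file" > "$tmpfile" && cat "$tmpfile" > "$file"   # keeps the file mode
    rm -f "$tmpfile"
    printf '%s\n' "$lines" | wc -l | tr -d ' '
}
```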

Search LDAP Entries with ldapsearch on Linux/Unix

Uncategorized | Dec 09, 2016

RedHat ldapsearch Documentation

# note: -w puts the password on the command line (visible in ps output and the shell history);
#       -W prompts for it instead
ldapsearch -D "CN=<MyUser>,OU=S,OU=Useraccounts,DC=de,DC=<COMPANY>,DC=com" -w "PASSWORD" -b "DC=<MyCompany>,DC=com" \
   -s sub "(& (objectClass=user) (name=TestUser1))" -h "myLdapHost.de.myCompany.com" -p "3268" telephonenumber name department

# Result:
# extended LDIF
#
# LDAPv3
# base <DC=<MyCompany>,DC=com> with scope subtree
# filter: (& (objectClass=user) (name=TestUser1))
# requesting: telephonenumber name department
#

# TestUser, M, Useraccounts, XX, emea.MyCompany.com
dn: CN=TestUser1,OU=M,OU=Useraccounts,OU=XX,DC=emea,DC=MyCompany,DC=com
department: <HIDDEN>
name: TestUser1
telephonenumber : 0711-XXXXXXXXX

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Description:
-D     Bind DN (the user account used to connect to LDAP)
-w     Password used to bind to LDAP
-b     Starting point (base DN) for the search
-s     Scope of the search; "sub" also searches the subtree
(& (objectClass=user) (name=mcp8wz))  filter for objects with objectClass=user whose "name" attribute equals mcp8wz (the command above searches for TestUser1)
-h     Hostname of the LDAP server
-p     Port of the LDAP server (3268 is the Active Directory Global Catalog port)
At the end of the command you can list the attributes you would like to fetch from LDAP. Leave it empty to retrieve all attributes.
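
If the user name in the filter comes from outside (a script argument, a web form), it has to be escaped, otherwise a value such as `*)(objectClass=*` widens the query. The following wrapper is an added example, not from the original post: it escapes the filter value, reads the password from a file (`-y`) instead of passing it with `-w`, and uses the same bind DN, base DN and host placeholders as the command above.

```shell
#!/bin/sh
# Build the ldapsearch call above from a user-supplied name without LDAP
# filter injection and without the password on the command line.
# Example code, not from the original post; host, bind DN, base DN and the
# password file path are placeholders.

# Escape a value for use inside an LDAP search filter (RFC 4515):
# backslash, asterisk and parentheses become \5c \2a \28 \29.
# The backslash must be replaced first so the other escapes are not doubled.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter for a user object whose name attribute equals NAME (escaped).
user_filter() {
    printf '(&(objectClass=user)(name=%s))' "$(ldap_filter_escape "$1")"
}

# Run the query. The password is read from PASSFILE (-y) so it does not show
# up in ps output or the shell history; the attribute list after the filter
# limits what is returned, as in the post. -LLL drops the LDIF comment lines.
search_user() {
    name=$1 passfile=${2:-"$HOME/.ldap_pass"}   # placeholder path, mode 0600
    ldapsearch -LLL \
        -H "ldap://myLdapHost.de.myCompany.com:3268" \
        -D "CN=<MyUser>,OU=S,OU=Useraccounts,DC=de,DC=<COMPANY>,DC=com" \
        -y "$passfile" \
        -b "DC=<MyCompany>,DC=com" -s sub \
        "$(user_filter "$name")" telephonenumber name department
}
```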