Category Archives: Linux

The Linux Category actually encompasses *BSD, RH, Fedora, Ubuntu, and the like.

Linux, Networking

U6 Pro Unifi Not Updating

Leave a comment

I’ve had many access points from Unifi over the years. Updating from the controller is generally a painless operation, and only rarely have I ever needed to utilize the CLI to make any changes (mostly set-inform related).

However, when attempting to update the firmware of my Unifi systems (U6-Pro, US-24-250W, US-8-60W, UAP-nanoHD, and U6-Pro), I got stuck on the U6-Pro. I would click on upgrade the firmware and then the access point would get stuck on the blue/white blinking LED for hours. I even let it sit there overnight just to see. For the record, I was attempting to upgrade from 6.0.14 to 6.0.15 at the time, and it was not happy. Unplugging from power and then plugging back in would get me back to the 6.0.14 version, so no harm no foul.

I figured it would get fixed with a new release of the controller as well as a firmware release to 6.0.18. Wrong. Same issue. I even attempted to CLI it by logging in via SSH and running the “upgrade https://dl.ui.com/unifi/firmware/UAP6MP/6.0.18.13660/BZ.ipq50xx_6.0.18+13660.220413.1958.bin” command. No dice. Hard reboot and it’s back on 6.0.14.

Swannman had the same issue posted on the unifi forms, and UI-Glenn gave an updated command for me to try:

curl https://dl.ui.com/unifi/firmware/UAP6MP/6.0.18.13660/BZ.ipq50xx_6.0.18+13660.220413.1958.bin -o /tmp/fwupdate.bin && fwupdate.real -m &

Magically this worked and the controller reads it just fine. Posting for future sake of my sanity.

Linux

OPNSense Booting.. Stuck

Leave a comment

Trying to install OPNSense on an older Alibaba system I had laying around, and I noticed that I couldn’t install due to the system freezing at the “Booting…” prompt (post kernel loading).

When booting, press “3” to Escape to loader prompt.

  • Type set kern.vty=sc
  • Press enter
  • Type boot
  • Press enter

Assuming the system boots and you can install, you’ll have to edit a file in the /boot directory to get the system to boot with future restarts.

  • cd /boot; press enter
  • vi loader.conf.local; press enter
  • i
  • kern.vty=sc
  • Press esc
  • :wq!; press enter

I should note that this fix was permanent between reboots and updates until just recently; patched a remote system of similar specs and it required the creation of the loader.conf.local file again.

Linux, Miscellaneous

HAProxy and Kace SMA

Leave a comment

Running Kace SMA (K1000) version 11.0.273. Wanted to run it behind a reverse proxy so it wasn’t directly exposed to the internet. Generally speaking, you really don’t want things like webservers directly exposed to the internet for obvious reasons, but KACE has been really adamant about security and running it in a DMZ and it hasn’t had any known intrusions to date.

In any case, I decided to move it out of the DMZ and run HAProxy in its place. I have my outside-of-this-documents-scope reasons. However, KACE SMA 10.x didn’t play nicely with reverse proxies even with legit SSL’s installed (you can read about konea certificates vs web ones on the kace support pages).

Upgraded to version 11 and from there it splits into two – konea certificates are unpublished but necessary, and then our web certificates for all other traffic. And yes, all traffic does terminate to port 443, but the konea side changes to a new port.

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        lua-load        /etc/haproxy/acme-http01-webroot.lua

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE>
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    tcp
        option  tcplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
        bind *:80
        acl url_acme_http01 path_beg /.well-known/acme-challenge/
        http-request use-service lua.acme-http01 if METH_GET url_acme_http01


frontend sma
#       bind *:443 ssl crt /etc/letsencrypt/live/pem/
        bind *:443
        tcp-request inspect-delay 5s
#       tcp-request content capture req.ssl_sni len 25
        tcp-request content accept if { req_ssl_hello_type 1 }


        use_backend sma_agent if { req_ssl_sni konea }
        use_backend sma_webui if { req_ssl_sni mykacesite.domain.tld }
        default_backend sma_webui

backend sma_webui
        server sma_apache 10.130.20.6:443

backend sma_agent
        server sma_koneas 10.130.20.6:52230

I should point out that I also am utilizing letsencrypt for the web portion, however, by switching to tcp mode instead of http it bypasses that requirement. TCP mode is REQUIRED for the konea portion to actually function.

Linux

Gnome popos Linux

Leave a comment

I was reflecting on my tech career just last night and I thought it best to give a bit of background.

I grew up on Macs – a Macintosh SE with an 8MHz processor, 1MB RAM, a 720KB floppy drive, and a 20MB SCSI 25-pin hard disk drive. Running OS 6.

From there we acquired a PowerMac 7100/80AV. Had a 80MHz processor, 16MB RAM, 700MB 50-pin SCSI hard disk drive, and a 1.4MB FDD. Oh and a 2x CDROM – I fondly remember the sounds this would make when trying to load Myst. We also successfully upgraded this to 24MB RAM and replaced the 700MB HDD with a 2.1GB version.

The first internet-connected Mac was next: the PowerMac G3 minitower. This featured a 233MHz processor, 32MB RAM, and a 4GB HDD. The CDROM was a 24x, and the FDD was still there. Ours came with a 100MB Zip drive too. We upgraded to 64MB RAM, added a 12x CD Burner, and replaced the HDD with a 20GB eventually. This came with OS 8, and we attempted to load OSX beta and it was Slow AF.

A buddy and I decided we wanted to try our hands at Linux – I acquired an AMD K6-2 350MHz with 32MB RAM and a 40GB HDD. Playing around with ISA and PCI network cards was fun (10/100). We originally ran Redhat as an internet router, but when the install broke (my fault, but that’s how I learned breaking/fixing), I replaced with Slackware Linux instead.

At this time I started College and I got 2 computers – the first was a PowerMac G4 dual 450Mhz with 128MB RAM, 30GB HDD, and an external Firewire 12x CDBurner. This also had a 100MB Zip Drive. Eventually upgraded to 3x 80GB HDD in RAID5 along with 512MB RAM. Came with OS9 which I upgraded to OSX. The second was a custom built AMD – Asus Board with an AMD Athlon Thunderbird running at 1.4GHz, 40GB HDD, 24x CD Burner, and 128MB RAM – I believe I upgraded it to 256MB at some point. Ran Windows 2000 on this.

I bought a used white iBook 500MHz 64MB RAM 20GB Drive somewhere along the way – it was pretty slow even for the time.

It gets a bit hazy here since I started building PC’s for family and friends.

I bought a used HP Laptop – maybe like an N810 or something? It was back when HP/Compaq merged.

I got a couple laptops for free – gateway tablet and a EeePC (Asus netbook).

ANYWAY, since I’m getting wordy and not actually accomplishing anything, I wanted to say this was now the 3rd time in my career that I’ve attempted to go “Full Linux” on my work computer. The first time ended poorly when I kept breaking the installation (Ubuntu 8.04), the second time I had a systemboard die, although I was cheating on that – Running Linux MX with virtualbox running Win10.

Now I’m running PopOS. I have a VM of Win10 just in case, but overall I’ve been happy as a clam just using the linux OS. Slack, Cisco VPN, RDP, Browser.. it just works for me.

The only problem I had – being my first GNOME GUI – was the lack of a task bar at the bottom. Easy fix:

https://extensions.gnome.org/extension/1160/dash-to-panel/

Linux

Tinypilot KVM

Leave a comment

I decided to get a tinypilot kvm device for testing purposes – it’s actually pretty neat. Sure I could have saved a few bucks by building it myself, but this way I save time and support someone else’s great ideas.

Anyway, to update the device, SSH to it (DNS name is generally tinypilot)

Login with tinypilot/flyingsopi

Run 

/opt/tinypilot/scripts/upgrade && sudo reboot

Linux

Enable SNMP on ESXi

Leave a comment

Inheriting 3 different companies’ worth of Virtual infrastructure is sometimes a giant PITA. This holds true especially when the 3 different companies all had multiple “admin’s” working at any given time without established standards for naming, setup, configuration, or even maintenance.

Some of the newly-installed VMWare equipment wasn’t showing up on my Nagios monitoring board. First step is to make sure that snmp is setup and actually running (hint, it was not).

I ended up at this auvik support site – and, if it wasn’t so expensive (our budget is about 1/3 of what it “should be” – I would be running this for monitoring of our infrastructure. Think of it as cloud prtg. https://support.auvik.com/hc/en-us/articles/206311526-How-to-enable-SNMP-on-a-VMware-ESXi-hypervisor#topic_esx6

Since we’re running ESXi 6.5 and 6.7 currently:

  • SSH to your ESXi box using the root account
  • esxcli system snmp set -r
  • esxcli system snmp set -c YOURCOMMUNITY
  • esxcli system snmp set -p 161
  • esxcli system snmp set -L "City, State, Country"
  • esxcli system snmp set -C noc@domain.tld
  • esxcli system snmp set -e yes

Or, if you’re using ESXi 7:

  • SSH to your ESXi box using the root account
  • esxcli system snmp set --communities YOURCOMMUNITY
  • esxcli system snmp set --enable true

Linux

Nagios Add User

Leave a comment

Yes, I’m a creature of habit. I started using Nagios back in 2005 and it was awful. I mean it “worked”, but I had no idea what I was doing. Reinstalling, installing, configuring, new jobs… each time I was learning from my previous mistakes and making it better. It’s now at the point I can perform most of the work without actually referencing anything else. But the point of this blog is for my own notes, so here goes.

  • SSH to your nagios server. I use putty from my primary Windows desktop.
  • Switch to root
    • sudo su -
  • Create the new web user account and password
    • htpasswd /usr/local/nagios/etc/htpasswd.users MYNEWUSER
  • Enter the password twice

Sometimes you’ll receive an error message about “You do not have permission to view information for any of the services you requested”. So we’ll have to edit the cgi.cfg.

  • SSH to your nagios server
  • sudo su -
  • nano /usr/local/nagios/etc/cgi.cfg
  • Add the MYNEWUSER wherever necessary
    • authorized_for_system_information=nagiosadmin,userhere,MYNEWUSER