Categories
Sysadmin

Block countries based on Geo-IP with iptables on Ubuntu 16 and 18

Blocking by geographical location, such as by country, needs the list of IP ranges allocated to that country (the registries under IANA publish these).

Now you have two options:

  1. Get the list of IP ranges and create the iptables rules yourself
  2. Use an iptables module that does this for you

Luckily there is an iptables module that does exactly that; the guide below walks through it.

Allow or block whole countries

Install xtables-addons

You can install the xtables-addons module using various methods, feel free to use the installation method that works best for you.

Step 1: Install

# apt-get install iptables curl unzip perl
# apt-get install xtables-addons-common
# apt-get install libtext-csv-xs-perl libmoosex-types-netaddr-ip-perl

Step 2: Get the countries list and convert it

Download the GeoLite2xtables conversion scripts from GitHub (the next step expects them under /usr/local/src/GeoLite2xtables/):
https://github.com/mschmitt/GeoLite2xtables

Step 3: Convert the new GeoLite2 table

# mkdir /usr/share/xt_geoip
# cd /usr/local/src/GeoLite2xtables/
# ./00_download_geolite2
# ./10_download_countryinfo
# cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv | ./20_convert_geolite2 /tmp/CountryInfo.txt > /usr/share/xt_geoip/GeoIP-legacy.csv
# /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip /usr/share/xt_geoip/GeoIP-legacy.csv

Step 4: Load the module into the kernel

# modprobe xt_geoip
# lsmod | grep ^xt_geoip

Step 5: Test that the geoip match loaded properly
Just type on the console:

# iptables -m geoip --help

Blacklist mode: how to block, say, China, Russia and Hong Kong. You can omit -p tcp --dport 25 if you want to block ALL traffic from those countries.

iptables -A INPUT -m geoip -p tcp --dport 25 --src-cc RU,CN,HK -j DROP

Whitelist mode: how to block ALL countries except Saudi Arabia. You can omit -p tcp --dport 25 if you want to block ALL traffic that is not from there.

iptables -A INPUT -m geoip -p tcp --dport 25 ! --src-cc SA -j DROP
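Before loading the rules above it is worth checking what the converted database says about your own management addresses, so a whitelist rule cannot lock you out. The helper below is an added example, not code from the post or from GeoLite2xtables; it assumes 20_convert_geolite2 writes the MaxMind legacy CSV layout ("start_ip","end_ip","start_num","end_num","cc","country") and the sample rows are constructed, not real allocations.

```python
import csv
import ipaddress
from io import StringIO

# Constructed sample rows in the assumed legacy layout:
# "start_ip","end_ip","start_num","end_num","cc","country"
SAMPLE_CSV = '''"10.0.0.0","10.0.255.255","167772160","167837695","SA","Saudi Arabia"
"10.1.0.0","10.1.0.255","167837696","167837951","RU","Russia"
"10.1.1.0","10.1.1.255","167837952","167838207","CN","China"
"fd00::","fd00:ffff:ffff:ffff:ffff:ffff:ffff:ffff","0","0","HK","Hong Kong"
'''

def load_ranges(text):
    """Parse legacy rows into (start, end, cc); malformed rows are skipped."""
    ranges = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 5:
            continue
        try:
            start, end = ipaddress.ip_address(row[0]), ipaddress.ip_address(row[1])
        except ValueError:
            continue
        if start.version == end.version and start <= end:
            ranges.append((start, end, row[4].upper()))
    return ranges

def lookup(ranges, ip):
    """Country code of the range covering ip, or None if the address is unlisted."""
    addr = ipaddress.ip_address(ip)
    for start, end, cc in ranges:
        if start.version == addr.version and start <= addr <= end:
            return cc
    return None

def would_drop(ranges, ip, mode, codes):
    """Predict what the post's geoip DROP rule does to a packet from ip.

    blacklist: DROP when src-cc is in codes      (--src-cc RU,CN,HK)
    whitelist: DROP when src-cc is NOT in codes  (! --src-cc SA);
               an address missing from the database has no cc and is dropped too.
    """
    cc = lookup(ranges, ip)
    wanted = {c.strip().upper() for c in codes.split(",")}
    if mode == "blacklist":
        return cc in wanted
    if mode == "whitelist":
        return cc not in wanted
    raise ValueError("mode must be 'blacklist' or 'whitelist'")
```

Private and other unallocated addresses are absent from the database, so the whitelist rule also drops them; accept loopback, established and management traffic before the geoip rule.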

Categories
Sysadmin

Get hardware server model info in the Linux terminal

dmidecode | grep -A3 '^System Information'

Categories
Big Data

Check whether hosts are up or down with the ping command line

for i in {01..36}; do ping -c 1 "tancn$i.cm.cluster" &> /dev/null && echo "tancn$i up" || echo "tancn$i down"; done

Categories
Sysadmin

Delete all files except some in Linux

# -mindepth 1 keeps the starting directory itself out of the match; -maxdepth 1 deletes the top-level entries only
find . -mindepth 1 -maxdepth 1 ! -iname dir1 ! -iname dir2 -exec rm -rf {} +

Categories
Big Data

zfs cache file regenerate

The /etc/zfs/zpool.cache file

Whenever a pool is imported on the system it will be added to the /etc/zfs/zpool.cache file. This file stores pool configuration information, such as the device names and pool state. If this file exists when running the zpool import command then it will be used to determine the list of pools available for import. When a pool is not listed in the cache file it will need to be detected and imported using the zpool import -d /dev/disk/by-id command.

Generating a new /etc/zfs/zpool.cache file

The /etc/zfs/zpool.cache file will be automatically updated when your pool configuration is changed. However, if for some reason it becomes stale you can force the generation of a new /etc/zfs/zpool.cache file by setting the cachefile property on the pool.

$ zpool set cachefile=/etc/zfs/zpool.cache tank

Conversely the cache file can be disabled by setting cachefile=none. This is useful for failover configurations where the pool should always be explicitly imported by the failover software.

$ zpool set cachefile=none tank

Categories
Sysadmin

Setting PXE boot via IPMI

ipmitool -I lanplus -H bmc_ip -U root -P passwd chassis bootdev pxe options=persistent

Categories
Sysadmin

Installing Intel Omnipath 100G on Centos 7

Intel Omnipath is a 100G fabric, a less expensive alternative to Mellanox 100G. We recently bought 10 racks of servers with 100G Omnipath.

Until recently there was NO driver for Ubuntu, but I love CentOS so I kicked that in.

Introduction to Intel® Omni-Path Architecture

Intel OPA is the latest generation of Intel’s high-performance fabric technology. It adds new capabilities to enhance high-performance computing performance, scalability, and quality of service. The Intel OPA components include Intel OP HFI, which provides fabric connectivity, switches that connect a scalable number of endpoints, copper, and optical cables, and a Fabric Manager (FM) that identifies all nodes, provides centralized provisioning, and monitors fabric resources. Intel OP HFI is the Intel OPA interface card which provides host-to-switch connectivity. Intel OP HFI can also connect directly to another HFI (back-to-back connectivity).

Categories
Sysadmin

Change time zone in CentOS 6

Change the current timezone in CentOS 6 and older

Type the following commands as root:

cp /etc/localtime /root/old.timezone
rm /etc/localtime
ln -s /usr/share/zoneinfo/America/Chicago /etc/localtime

Categories
Big Data

OpenSSH 7+ ssh-dss error fixed

The solution is to add the following line to ~/.ssh/config on every client machine (every machine where you run the SSH client):

PubkeyAcceptedKeyTypes=+ssh-dss

If the server is using OpenSSH 7.0 or newer, you'll also need to add this line to /etc/ssh/sshd_config on each server machine. This only re-enables DSA keys, which OpenSSH disabled because 1024-bit DSA is weak; treat it as a stopgap and replace the DSA keys with ed25519 or RSA keys.

Categories
Sysadmin

"The following resource is signed with a weak signature algorithm MD5withRSA"

So, after some digging, I just found a quick (but temporary) solution:

Just comment out the "jdk.jar.disabledAlgorithms" setting in the file "lib/security/java.security" (which is located at "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security" on my macOS 10.12):

# jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

After that, the JNLP file will be running as usual again.