Jul 072016
 

A simple cron job removing old kernels.

You may find yourself in situation where linux kernels accumulated under/boot are starting to fill up disk space. Especially painful on the systems with small /boot partition. No automated solution out of the box on Debian/Ubuntu. Here is a workaround, removing all but two newest kernels:

crontab -l

10 23 * * 1 /root/bin/kernel-cleanup.sh

 

vim /root/bin/kernel-cleanup.sh

#!/bin/bash
echo "---------- Starting autoremove, we get rid of the old kernels eating /boot space"|logger
OLD=$(ls -tr /boot/vmlinuz-* | head -n -2 | cut -d- -f2- | awk '{print "linux-image-" $0}')
if [ -n "$OLD" ]; then
 apt-get -qy remove --purge $OLD
fi

 

Bonus hint – same thing for Centos machines

# we need yum-utils
yum install yum-utils

# add cronjob
crontab -e
0 2 * * Sat root /usr/bin/package-cleanup -y --oldkernels --count=2 |logger

 

Dec 172015
 

Come Back Later

These are just examples to pick your imagination, please do refrain from blindly coping and pasting as you can cut yourself off 😀

UFW quick setup (Debian/Ubuntu)

 

aptitude install ufw
ufw allow 22/tcp
ufw allow from 124.111.0.0/16 to any port 22
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow proto tcp from IP.ADD.Here to any port 3306
ufw allow proto udp from IP.ADD.Here to any port 161
ufw allow proto udp from IP.ADD.Here to any port 161
ufw allow from 10.10.1.0/24
# allow traffic on interface
ufw allow in on em3

ufw enable
ufw status
ufw status numbered
ufw delete 10
# ufw supports connection rate limiting, which is useful for protecting against brute-force login attacks. 
# ufw will deny connections if an IP address has attempted to initiate 6 or more connections in the last 30 seconds.
ufw limit ssh
ufw logging off #once it working stop flooding logs!

# ufw on KVM server, edit /etc/ufw/sysctl.conf
# and make sure we don't filter packets to our libvirt guests
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

firewall-cmd quick setup (RedHat/CentOS 7)

firewall-cmd --get-services
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https

# punch a hole for CIFS
firewall-cmd --permanent --add-service=samba

firewall-cmd --permanent --add-port 5989/tcp
firewall-cmd --list-all-zones
firewall-cmd --list-ports

firewall-cmd --get-active-zones
firewall-cmd --zone=public --list-all
firewall-cmd --permanent --remove-service=dhcpv6-client

firewall-cmd --zone=trusted --add-source=10.100.1.18 --permanent
firewall-cmd --reload

Some say firewalld is too complicated for most server type of use, who am I to judge? Alegedly firewalld also requires Network Manager so if Network Manager is disabled then we need to go back. If you want to replace firewalld with good ol’ iptables:

systemctl disable firewalld
systemctl stop firewalld
yum -y install iptables-services
touch /etc/sysconfig/iptables
touch /etc/sysconfig/iptables6
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables