Check disks for bad blocks with complete erase and smart-self test

This is another useful script, which do a complete erase and test disk in linux.
The first, we must have a tools “smartmontools”. We install it:

yum install smartmontools

Maybe, we nee som usefull software:

yum install epel-release.noarch
yum install htop dstat lm_sensors.x86_64 hddtemp
#!/bin/bash
#path of disk
test = /dev/sda
#find a serial number of disk
disk = `smartctl -a /dev/sda | grep Serial | awk '{print $3}'`
log = /home/vasil/$disk.log
#next, we destroy any of the partition table (mbr or gpt)
sgdisk --zap-all $test > $log
sleep 5
#notice a temperature of disk to log
hddtemp $test >> $log
#now we write zeros to every block of disk - secure erase contents
dd if=/dev/zero of=$test bs=4M
#notice a temperature of disk
hddtemp $test >> $log
sleep 5
#begin an internal self test - short
smartctl --test=short $test
sleep 150
#begin a long smart self test
hddtemp $test >> $log
smartctl --test=long $test
sleep 300
hddtemp $test >> $log
#print the output of tests
smartctl -l selftest $test >> $log
sleep 5
#start check of disk for bad-blocks a log bad blocks to log
`badblocks -v /dev/sda > /home/vasil/sda.txt` >> $log
sleep 5
hddtemp $test >> $log
smartctl --test=long $test
exit 0

This is fully automatized. We can start this script with modification of variable $test for more disks. And next day, we can examine logs. For bad blocks, for smart self-test and other.

Total Page Visits: 151993 - Today Page Visits: 53

Periodically check temp of hdd

This is a little how to. Its periodically in cron checking temperature of internal hard-disk and in some condition make an alert by mail.
So, as always, install some useful packages:

yum install epel-release.noarch
yum install htop dstat lm_sensors.x86_64 hddtemp

First, we must check, which disk we have inside. We use only paragraph without numbers:

ls -lah /dev/sd*
----------------
brw-rw---- 1 root disk 8,  0 Dec  1 07:20 /dev/sda
brw-rw---- 1 root disk 8,  1 Dec  1 07:20 /dev/sda1
brw-rw---- 1 root disk 8, 16 Dec  1 07:20 /dev/sdb
brw-rw---- 1 root disk 8, 17 Dec  1 07:20 /dev/sdb1
brw-rw---- 1 root disk 8, 32 Dec  1 07:20 /dev/sdc
brw-rw---- 1 root disk 8, 33 Dec  1 07:20 /dev/sdc1
brw-rw---- 1 root disk 8, 48 Dec  1 07:20 /dev/sdd
brw-rw---- 1 root disk 8, 49 Dec  1 07:20 /dev/sdd1
brw-rw---- 1 root disk 8, 64 Dec  1 07:20 /dev/sde
brw-rw---- 1 root disk 8, 65 Dec  1 07:20 /dev/sde1
brw-rw---- 1 root disk 8, 80 Dec  1 07:20 /dev/sdf
brw-rw---- 1 root disk 8, 81 Dec  1 07:20 /dev/sdf1
-----------------
we user only:
/dev/sda, /dev/sdb, /dev/sdc, /dev/sdd, /dev/sde, /dev/sdf

Create a folder, maybe like this:

mkdir /root/hddtemp

Create a script to check this temperatures, end some conditions:

#! /bin/bash
#written by vasil
HDDS="/dev/sda /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf"
HDT=/usr/sbin/hddtemp
mail="/root/hddtemp/messagebody.txt"  #file for messasege by mail
LOG=/root/hddtemp/hddtemp.log         #log file
ALERT_LEVEL=48                        #temperature treshold
date >> $LOG
echo "Subject: "WARNING - name-of-server - temperature of hdds is high"" > $mail
echo " " >> $mail
date >> $mail
m=0
for disk in $HDDS
do
                        HDTEMP=$($HDT $disk | awk -F ":" '{ print $3}' | awk -F "°"  '{print $1}')
                        if [ $HDTEMP -ge $ALERT_LEVEL ];
                        then
                                echo "Temperature of disk $disk is higher then limit $ALERT_LEVEL celsius" >> $LOG
                                echo "Temperature of disk $disk is higher then limit $ALERT_LEVEL celsius" >> $mail
                                $HDT $disk >> $LOG
                                $HDT $disk >> $mail
                                echo " " >> $LOG
                                echo " " >> $mail
                                m=1
                        else
                                echo "Temperature of disk $disk Is normal: $HDTEMP celsius" >> $LOG                             
                                echo "Temperature of disk $disk Is normal: $HDTEMP celsius" >> $mail
                        fi
done
if [ "$m" -ne "0" ];
then
       sh /root/hddtemp/send_mail_script.sh
else
        echo
fi
echo "end of script...." >> $LOG
echo " " >> $LOG
exit 0

Next, we must create a script, to send mail to us, if we have a mail server in local network with allowed port 25:

vim /root/hddtemp/send_mail_script.sh
#!/bin/bash
#written by vasil
#
#if there is an error in syntax "sendmail", configure /etc/ssmtp/ssmtp.conf
#
# subject of email
SUBJECT="WARNING - name-of-server - temperature of hdds is high"
# destination
EMAIL="vasil@gonscak.sk"
# Email body
EMAILMESSAGE=/root/hddtemp/messagebody.txt
# send message using /bin/mail
#sendmail $EMAIL < $EMAILMESSAGE
/usr/bin/mail -s "$SUBJECT" $EMAIL < $EMAILMESSAGE

Now, we can test the above scripts. Maybe we must add +x permissions:

sh -x /root/hddtemp/hddtemp.sh
------------------------------
+ HDDS=/dev/sda /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf
+ HDT=/usr/sbin/hddtemp
+ mail=/root/hddtemp/messagebody.txt
+ LOG=/root/hddtemp/hddtemp.log
+ ALERT_LEVEL=28
+ date
+ echo Subject: WARNING - name-of-server - temperature of hdds is high
+ echo
+ date
+ m=0
+ /usr/sbin/hddtemp /dev/sda
+ awk -F : { print $3}
+ awk -F ° {print $1}
+ HDTEMP= 38
+ [ 38 -ge 28 ]
+ echo Temperature of disk /dev/sda is higher then limit 28 celsius
+ echo Temperature of disk /dev/sda is higher then limit 28 celsius
+ /usr/sbin/hddtemp /dev/sda
+ /usr/sbin/hddtemp /dev/sda
+ echo
+ echo
+ m=1
+ /usr/sbin/hddtemp /dev/sdb
+ awk -F : { print $3}
+ awk -F ° {print $1}
+ HDTEMP= 35
+ [ 35 -ge 28 ]
+ echo Temperature of disk /dev/sdb is higher then limit 28 celsius
+ echo Temperature of disk /dev/sdb is higher then limit 28 celsius
+ /usr/sbin/hddtemp /dev/sdb
...
...
...
+ m=1
+ [ 1 -ne 0 ]
+ sh /root/hddtemp/send_mail_script.sh
+ echo end of script....
+ echo
+ exit 0

And then, we have a mail:

Subject: WARNING - name-of-server - temperature of hdds is high
Thu Jan 26 11:52:20 CET 2017
Temperature of disk /dev/sda is higher then limit 28 celsius
/dev/sda: TOSHIBA DT01ACA100: 37°C
Temperature of disk /dev/sdb is higher then limit 28 celsius
/dev/sdb: ST3500418AS: 35°C
....
Total Page Visits: 151993 - Today Page Visits: 53

How to create a site-to-site ipsec vpn connection

Install and enable the EPEL using Yum, with some useful software:

yum install epel-release.noarch
yum install htop dstat tcpdump

On Red Hat based Systems (CentOS, Fedora or RHEL):

yum install openswan

Now we disable VPN redirects, if any, in the server using these commands:

for vpn in /proc/sys/net/ipv4/conf/*;
do echo 0 > $vpn/accept_redirects;
echo 0 > $vpn/send_redirects;
echo 0 > $vpn/rp_filter;
done

Edit /etc/ipsec.conf to debug in pluto.log

    plutostderrlog=/var/log/pluto.log
    protostack=netkey
#if using NAT, use variable below
#    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

Next, we modify the kernel parameters to allow IP forwarding and disable redirects permanently by:

 vim /etc/sysctl.conf
    net.ipv4.ip_forward = 1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0

Reload /etc/sysctl.conf:

 sysctl -p

Now, we customize firewall to allow ports for ipsec

firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --zone=public --permanent --add-port=500/udp
firewall-cmd --zone=public --permanent --add-port=4500/udp
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --zone=public --permanent --add-port=4500/tcp
firewall-cmd --zone=public --add-port=50/udp --permanent
firewall-cmd --zone=public --add-port=51/udp --permanent

We don’t use masquerade, because ipsec tunnel parameters automatic enable routing in these situations. If  not working, we add masquerade, but first we must add rule for match packets for this tunnel. Like: src leftsubnet dst rightsubnet on both sides

#In some posts in world I found this code, but explanation above cancel this
#code and in my situation it not working with this
#firewall-cmd --zone=public --permanent --add-masquerade

We reload firewalld and check our rules:

firewall-cmd --reload
firewall-cmd --zone=public --list-all

Check if is ipsec OK for itself:

ipsec verify
------------
Verifying installed system and configuration files
Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-514.6.1.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options                 [OK]
Opportunistic Encryption                                [DISABLED]

Now, create a configuration file for our one connection

vim /etc/ipsec.d/blava.conf
---------------------------
conn blava
    left=%defaultroute
    leftid=192.168.201.75
    leftsubnet=192.168.201.0/24
   
    right=#public IP other side#
    rightid=192.168.202.177
    rightsubnet=192.168.202.0/24
    type=tunnel
    authby=secret
    pfs=no
    auth=esp
    keyexchange=ike
    keyingtries=0
    ikelifetime=28800s
    salifetime=360000s
    esp=3des-sha1
    ike=aes256-sha1;modp1024
    auto=start
    compress=no

And configuration file for other connection:

vim /etc/ipsec.d/blava.conf
---------------------------
conn blava
    left=#public IP this side#
    leftid=192.168.202.177
    leftsubnet=192.168.202.0/24
    right=%any
    rightid=192.168.201.75
    rightsubnet=192.168.201.0/24
    type=tunnel
    authby=secret
    pfs=no
    auth=esp
    keyexchange=ike
    keyingtries=0
    ikelifetime=28800s
    salifetime=360000s
    esp=3des-sha1
    ike=aes256-sha1;modp1024
    auto=add
    compress=no
    keep_alive=30

Now create on both sides secrets file for PSK with your public IP:

vim /etc/ipsec.d/blava.secrets
------------------------------
%any 1.1.1.1: PSK "ahoj12345"
vim /etc/ipsec.d/blava.secrets
------------------------------
1.1.1.1 %any: PSK "ahoj12345"

Now, restart ipsec for apply configurations

systemctl restart ipsec.service

And if we are good, we must see some like this in pluto.log

 STATE_MAIN_R3: sent MR3, ISAKMP SA established
 STATE_QUICK_R2: IPsec SA established tunnel mode

Or check ipsec status:

ipsec auto --status
-------------------
Total IPsec connections: loaded 4, active 1
STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 85318s
STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27718s;

Some usefull commands for work with ipsec…
When we update configuration file and if we must reload one ipsec tunnel, use these step rather then restart ipsec service itself:

ipsec auto --down blava
ipsec auto --replace blava
ipsec auto --up blava

If we change secrets file and PSK, we must use too, before –up:

ipsec auto --rereadall
Total Page Visits: 151993 - Today Page Visits: 53