Rsync review and some examples

rsync — a fast, versatile, remote (and local) file-copying tool
-a        archive mode
-r        recursive – recurse into directories
-v        verbose – increase verbosity
-z        compress – with this option, rsync compresses the file data as it is sent to the destination machine, which reduces the amount of data being transmitted, something that is useful over a slow connection. Note that this option typically achieves better compression ratios than a compressing remote shell or a compressing transport, because it takes advantage of the implicit information in the matching data blocks that are not explicitly sent over the connection.
-P        is equivalent to --partial --progress. Its purpose is to make it much easier to specify these two options for a long transfer that may be interrupted.
-n        perform a trial run with no changes made
-u        skip files that are newer on the receiver
-t        preserve modification times
--bwlimit=KBPS    limit I/O bandwidth; KBytes per second
This option allows you to specify a maximum transfer rate in kilobytes per second. This option is most effective when using rsync with large files (several megabytes and up). Due to the nature of rsync transfers, blocks of data are sent, then if rsync determines the transfer was too fast, it will wait before sending the next data block. The result is an average transfer rate equalling the specified limit. A value of zero specifies no limit.
Rounded conversions from link speed in megabits per second to the KB value for --bwlimit:
(25Mb = 3200 KB)
(10Mb = 1250 KB)
(7.5 Mb = 960 KB)
(5Mb = 640 KB)
(2.5Mb = 320 KB)
(3Mb = 384 KB)
(1Mb = 128 KB)
--append              append data onto shorter files
--append-verify        append w/old data in file checksum

rsync -avz foo:src/bar /data/tmp

This would recursively transfer all files from the directory src/bar on the machine foo into the /data/tmp/bar directory on the local machine. The files are transferred in "archive" mode, which ensures that symbolic links, devices, attributes, permissions, ownerships, etc. are preserved in the transfer. Additionally, compression will be used to reduce the size of the data portions of the transfer.
– A trailing slash on the source avoids creating the directory on the destination. Without the trailing slash, rsync creates that directory at the destination. So these two commands are the same:

 rsync -av /src/foo /dest
 rsync -av /src/foo/ /dest/foo

This synchronizes and copies the left folder to the right one. With -P it preserves unfinished (partially transferred) files. With the next command it resumes and appends data to the unfinished files.

rsync -avP /mnt/nfs /media/adm-nfs/
rsync -avP --append /mnt/nfs /media/adm-nfs/
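To see the trailing-slash rule and the dry run in action, here is an added example (not from the original post) that builds a constructed temporary tree, copies it both ways and checks that the results are identical; it assumes rsync is installed and uses only temporary paths.

```shell
#!/bin/bash
# Added example, not from the original post: verify the trailing-slash rule
# on a constructed temporary tree and show the dry-run preview.
# Requires rsync; all paths are temporary and made up here.

# Build a small source tree under $1/src/foo and print its path.
make_tree() {
    mkdir -p "$1/src/foo/sub"
    printf 'one\n' > "$1/src/foo/a.txt"
    printf 'two\n' > "$1/src/foo/sub/b.txt"
    printf '%s\n' "$1/src/foo"
}

# Copy once without and once with the trailing slash, then compare.
# Prints "same" when dest1/foo and dest2/foo hold identical trees.
slash_demo() {
    work=$(mktemp -d)
    src=$(make_tree "$work")
    mkdir -p "$work/dest2"              # rsync creates only the last path component
    rsync -aq "$src"  "$work/dest1"     # no slash: creates dest1/foo
    rsync -aq "$src/" "$work/dest2/foo" # slash: contents go into dest2/foo
    if diff -r "$work/dest1/foo" "$work/dest2/foo" >/dev/null; then
        result=same
    else
        result=different
    fi
    rm -rf "$work"
    printf '%s\n' "$result"
}

# -n (dry run) with --itemize-changes lists what would be transferred
# without writing anything; count the regular files it would send.
dry_run_count() {
    work=$(mktemp -d)
    src=$(make_tree "$work")
    n=$(rsync -ani "$src/" "$work/dest/" | grep -c '^>f')
    rm -rf "$work"
    printf '%s\n' "$n"
}
```

Run a dry run with -n before any large or destructive sync; it is the cheapest way to confirm the slash form you meant.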

hdparm useful commands

Some useful commands:
This checks the current IDE power mode status of the disk. The reported state is one of:
– unknown (drive does not support this command),
– active/idle (normal operation),
– standby (low power mode, drive has spun down),
– sleeping (lowest power mode, drive is completely shut down)
The options -S, -y, -Y and -Z can be used to manipulate the IDE power modes.

hdparm -C /dev/sda

Force an IDE drive to immediately enter the low power consumption STANDBY mode, usually causing it to spin down:

hdparm -y /dev/sda

Force  an  IDE  drive to immediately enter the lowest power consumption sleep mode, causing it to shut down completely. A hard or soft reset is required before the drive can be accessed again:

hdparm -Y /dev/sda

Put the drive into idle (low-power) mode, and also set the standby (spindown) timeout for the drive. This timeout value is used by the drive to determine how long to wait (with no disk activity) before turning off the spindle motor to save power. -S requires a timeout value: 0 disables the timeout, values 1 to 240 are multiples of 5 seconds (so 120 means 10 minutes), and larger values follow the encoding in the hdparm man page:

hdparm -S <timeout> /dev/sda

Disable the automatic power-saving function of certain Seagate drives (ST3xxx models?), to prevent them from idling/spinning down at inconvenient times:

hdparm -Z /dev/sda

An example:

hdparm -y /dev/sdd
/dev/sdd
      issuing standby command
hdparm -C /dev/sdd
/dev/sdd
      drive state is: standby

Check disks for bad blocks with complete erase and smart-self test

This is another useful script, which does a complete erase and test of a disk in Linux.
First, we need the tools from "smartmontools". We install them:

yum install smartmontools

Maybe we also need some other useful software:

yum install epel-release.noarch
yum install htop dstat lm_sensors.x86_64 hddtemp

#!/bin/bash
#path of the disk to test (everything on it will be erased)
test=/dev/sda
#find the serial number of the disk (used to name the log)
disk=$(smartctl -a $test | grep Serial | awk '{print $3}')
log=/home/vasil/$disk.log
#next, we destroy any partition table (mbr or gpt)
sgdisk --zap-all $test > $log
sleep 5
#note the temperature of the disk in the log
hddtemp $test >> $log
#now we write zeros to every block of the disk - erase the contents
dd if=/dev/zero of=$test bs=4M
#note the temperature of the disk
hddtemp $test >> $log
sleep 5
#begin an internal self test - short
smartctl --test=short $test
sleep 150
#begin a long smart self test
hddtemp $test >> $log
smartctl --test=long $test
sleep 300
hddtemp $test >> $log
#print the output of the tests
smartctl -l selftest $test >> $log
sleep 5
#check the disk for bad blocks; the block list goes to its own file, progress to the log
badblocks -v $test > /home/vasil/$disk.txt 2>> $log
sleep 5
hddtemp $test >> $log
smartctl --test=long $test
exit 0

This is fully automated. We can start this script for more disks by modifying the variable $test. The next day we can examine the logs: for bad blocks, for the SMART self-test and the rest.


Periodically check temp of hdd

This is a little how-to. It periodically checks, from cron, the temperature of the internal hard disks and under some conditions sends an alert by mail.
So, as always, install some useful packages:

yum install epel-release.noarch
yum install htop dstat lm_sensors.x86_64 hddtemp

First, we must check which disks we have inside. We use only the whole-disk device nodes, without partition numbers:

ls -lah /dev/sd*
----------------
brw-rw---- 1 root disk 8,  0 Dec  1 07:20 /dev/sda
brw-rw---- 1 root disk 8,  1 Dec  1 07:20 /dev/sda1
brw-rw---- 1 root disk 8, 16 Dec  1 07:20 /dev/sdb
brw-rw---- 1 root disk 8, 17 Dec  1 07:20 /dev/sdb1
brw-rw---- 1 root disk 8, 32 Dec  1 07:20 /dev/sdc
brw-rw---- 1 root disk 8, 33 Dec  1 07:20 /dev/sdc1
brw-rw---- 1 root disk 8, 48 Dec  1 07:20 /dev/sdd
brw-rw---- 1 root disk 8, 49 Dec  1 07:20 /dev/sdd1
brw-rw---- 1 root disk 8, 64 Dec  1 07:20 /dev/sde
brw-rw---- 1 root disk 8, 65 Dec  1 07:20 /dev/sde1
brw-rw---- 1 root disk 8, 80 Dec  1 07:20 /dev/sdf
brw-rw---- 1 root disk 8, 81 Dec  1 07:20 /dev/sdf1
-----------------
We use only:
/dev/sda, /dev/sdb, /dev/sdc, /dev/sdd, /dev/sde, /dev/sdf

Create a folder, maybe like this:

mkdir /root/hddtemp

Create a script to check these temperatures, with some conditions:

#!/bin/bash
#written by vasil
HDDS="/dev/sda /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf"
HDT=/usr/sbin/hddtemp
mail="/root/hddtemp/messagebody.txt"  #file for the message sent by mail
LOG=/root/hddtemp/hddtemp.log         #log file
ALERT_LEVEL=48                        #temperature threshold in celsius
date >> $LOG
echo "Subject: WARNING - name-of-server - temperature of hdds is high" > $mail
echo " " >> $mail
date >> $mail
m=0
for disk in $HDDS
do
    #hddtemp prints "/dev/sda: MODEL: 37°C": take the third ":" field and cut it at "°"
    HDTEMP=$($HDT $disk | awk -F ":" '{ print $3}' | awk -F "°" '{print $1}')
    if [ $HDTEMP -ge $ALERT_LEVEL ];
    then
        echo "Temperature of disk $disk is higher than limit $ALERT_LEVEL celsius" >> $LOG
        echo "Temperature of disk $disk is higher than limit $ALERT_LEVEL celsius" >> $mail
        $HDT $disk >> $LOG
        $HDT $disk >> $mail
        echo " " >> $LOG
        echo " " >> $mail
        m=1
    else
        echo "Temperature of disk $disk is normal: $HDTEMP celsius" >> $LOG
        echo "Temperature of disk $disk is normal: $HDTEMP celsius" >> $mail
    fi
done
#send the mail only when at least one disk crossed the threshold
if [ "$m" -ne "0" ];
then
    sh /root/hddtemp/send_mail_script.sh
else
    echo
fi
echo "end of script...." >> $LOG
echo " " >> $LOG
exit 0

Next, we must create a script to send the mail to us, assuming we have a mail server in the local network with port 25 allowed:

vim /root/hddtemp/send_mail_script.sh
#!/bin/bash
#written by vasil
#
#if "sendmail" reports a syntax error, configure /etc/ssmtp/ssmtp.conf
#
# subject of email
SUBJECT="WARNING - name-of-server - temperature of hdds is high"
# destination
EMAIL="vasil@gonscak.sk"
# Email body
EMAILMESSAGE=/root/hddtemp/messagebody.txt
# send message using /bin/mail
#sendmail $EMAIL < $EMAILMESSAGE
/usr/bin/mail -s "$SUBJECT" $EMAIL < $EMAILMESSAGE

Now we can test the above scripts; we may need to add +x permissions first. In the trace below ALERT_LEVEL was lowered to 28 so that an alert is triggered:

sh -x /root/hddtemp/hddtemp.sh
------------------------------
+ HDDS=/dev/sda /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf
+ HDT=/usr/sbin/hddtemp
+ mail=/root/hddtemp/messagebody.txt
+ LOG=/root/hddtemp/hddtemp.log
+ ALERT_LEVEL=28
+ date
+ echo Subject: WARNING - name-of-server - temperature of hdds is high
+ echo
+ date
+ m=0
+ /usr/sbin/hddtemp /dev/sda
+ awk -F : { print $3}
+ awk -F ° {print $1}
+ HDTEMP= 38
+ [ 38 -ge 28 ]
+ echo Temperature of disk /dev/sda is higher then limit 28 celsius
+ echo Temperature of disk /dev/sda is higher then limit 28 celsius
+ /usr/sbin/hddtemp /dev/sda
+ /usr/sbin/hddtemp /dev/sda
+ echo
+ echo
+ m=1
+ /usr/sbin/hddtemp /dev/sdb
+ awk -F : { print $3}
+ awk -F ° {print $1}
+ HDTEMP= 35
+ [ 35 -ge 28 ]
+ echo Temperature of disk /dev/sdb is higher then limit 28 celsius
+ echo Temperature of disk /dev/sdb is higher then limit 28 celsius
+ /usr/sbin/hddtemp /dev/sdb
...
...
...
+ m=1
+ [ 1 -ne 0 ]
+ sh /root/hddtemp/send_mail_script.sh
+ echo end of script....
+ echo
+ exit 0

And then we receive a mail:

Subject: WARNING - name-of-server - temperature of hdds is high
Thu Jan 26 11:52:20 CET 2017
Temperature of disk /dev/sda is higher then limit 28 celsius
/dev/sda: TOSHIBA DT01ACA100: 37°C
Temperature of disk /dev/sdb is higher then limit 28 celsius
/dev/sdb: ST3500418AS: 35°C
....
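The awk pipeline in the script above assumes hddtemp always prints a number; when a drive is asleep or has no sensor, hddtemp prints text instead and the "[ $HDTEMP -ge ... ]" test fails with an error. This added example (not from the original how-to) parses hddtemp lines robustly, treats a missing reading as its own state instead of an error, and runs the same threshold check over constructed sample lines.

```shell
#!/bin/bash
# Added example, not code from the original post: parse hddtemp output
# robustly and decide whether a disk crosses the threshold.  Sample lines
# are constructed; on a real host they come from "hddtemp /dev/sdX".

# Print the integer temperature from one hddtemp line, or NA if absent
# (sleeping drive, unsupported sensor, missing device).
parse_temp() {
    field=${1##*:}                 # text after the last ':'
    field=${field# }               # drop the leading space
    case $field in
        [0-9]*) printf '%s\n' "${field%%[!0-9]*}" ;;   # cut at "°C"
        *)      printf 'NA\n' ;;
    esac
}

# Exit status: 0 = at/above limit (alert), 1 = below, 2 = no reading.
check_temp() {
    temp=$(parse_temp "$1")
    [ "$temp" = NA ] && return 2
    [ "$temp" -ge "$2" ]
}

# Constructed sample output of "hddtemp /dev/sdX" for the demo run.
SAMPLES='/dev/sda: TOSHIBA DT01ACA100: 37°C
/dev/sdb: ST3500418AS: 49°C
/dev/sdc: WDC WD10EZEX-00BN5A0: drive is sleeping
/dev/sdd: no sensor'

# Walk the samples with the given limit (default 48, as in the script
# above); return 1 if any disk needs an alert, 0 otherwise.
demo() {
    limit=${1:-48} alert=0
    while IFS= read -r line; do
        if check_temp "$line" "$limit"; then rc=0; else rc=$?; fi
        case $rc in
            0) echo "ALERT  $line"; alert=1 ;;
            1) echo "ok     $line" ;;
            *) echo "noread $line (skipped, check manually)" ;;
        esac
    done <<EOF
$SAMPLES
EOF
    return $alert
}
```

A disk that returns no reading is worth a separate line in the mail, since a sensor that silently disappears is itself a sign to look at the drive.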

How to create a site-to-site ipsec vpn connection

Install and enable EPEL using yum, along with some useful software:

yum install epel-release.noarch
yum install htop dstat tcpdump

On Red Hat based Systems (CentOS, Fedora or RHEL):

yum install openswan

Now we disable ICMP redirects and reverse-path filtering (rp_filter) on all interfaces, which the IPsec tunnel needs, using these commands:

for vpn in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $vpn/accept_redirects
    echo 0 > $vpn/send_redirects
    echo 0 > $vpn/rp_filter
done

Edit the config setup section of /etc/ipsec.conf to log pluto output to /var/log/pluto.log for debugging and to select the netkey stack:

    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    #if using NAT, enable the option below
    #nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

Next, we modify the kernel parameters to allow IP forwarding and disable redirects permanently by:

 vim /etc/sysctl.conf
    net.ipv4.ip_forward = 1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0

Reload /etc/sysctl.conf:

 sysctl -p

Now we open the firewall for the protocols and ports IPsec needs:

firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --zone=public --permanent --add-port=500/udp
firewall-cmd --zone=public --permanent --add-port=4500/udp
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --zone=public --permanent --add-port=4500/tcp
firewall-cmd --zone=public --add-port=50/udp --permanent
firewall-cmd --zone=public --add-port=51/udp --permanent

Note that ESP and AH are IP protocols 50 and 51, which the two rich rules above already allow; the last two lines open UDP ports 50 and 51, which is not the same thing and is not required for IPsec, though it does no harm.

We don't use masquerade, because the ipsec tunnel policies automatically take care of routing for the tunnelled subnets. If it is not working we can add masquerade, but first we must add a rule on both sides that matches the packets of this tunnel (src leftsubnet, dst rightsubnet), so that tunnel traffic is not masqueraded.

#In some posts I found this rule, but for the reason explained above it is
#not needed, and in my situation it did not work with it
#firewall-cmd --zone=public --permanent --add-masquerade

We reload firewalld and check our rules:

firewall-cmd --reload
firewall-cmd --zone=public --list-all

Check if ipsec itself is OK:

ipsec verify
------------
Verifying installed system and configuration files
Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-514.6.1.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]

Now, create the configuration file for our connection on the first side:

vim /etc/ipsec.d/blava.conf
---------------------------
conn blava
    left=%defaultroute
    leftid=192.168.201.75
    leftsubnet=192.168.201.0/24
   
    right=#public IP other side#
    rightid=192.168.202.177
    rightsubnet=192.168.202.0/24
    type=tunnel
    authby=secret
    pfs=no
    auth=esp
    keyexchange=ike
    keyingtries=0
    ikelifetime=28800s
    salifetime=360000s
    esp=3des-sha1
    ike=aes256-sha1;modp1024
    auto=start
    compress=no

And the configuration file for the same connection on the other side:

vim /etc/ipsec.d/blava.conf
---------------------------
conn blava
    left=#public IP this side#
    leftid=192.168.202.177
    leftsubnet=192.168.202.0/24
    right=%any
    rightid=192.168.201.75
    rightsubnet=192.168.201.0/24
    type=tunnel
    authby=secret
    pfs=no
    auth=esp
    keyexchange=ike
    keyingtries=0
    ikelifetime=28800s
    salifetime=360000s
    esp=3des-sha1
    ike=aes256-sha1;modp1024
    auto=add
    compress=no
    keep_alive=30

Now create on both sides the secrets file for the PSK with your public IP (here 1.1.1.1 stands for the public IP of the second side, the one configured with right=%any; both files must contain the same PSK):

vim /etc/ipsec.d/blava.secrets
------------------------------
%any 1.1.1.1: PSK "ahoj12345"
vim /etc/ipsec.d/blava.secrets
------------------------------
1.1.1.1 %any: PSK "ahoj12345"

Now restart ipsec to apply the configuration:

systemctl restart ipsec.service

And if all is well, we should see something like this in pluto.log:

 STATE_MAIN_R3: sent MR3, ISAKMP SA established
 STATE_QUICK_R2: IPsec SA established tunnel mode

Or check the ipsec status:

ipsec auto --status
-------------------
Total IPsec connections: loaded 4, active 1
STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 85318s
STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27718s;
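The sample PSK "ahoj12345" above is short and guessable, and the 3des-sha1 / modp1024 / pfs=no proposals are legacy settings; a long random PSK costs nothing. This added example (not part of the original how-to) generates one, refuses short secrets, and writes the two secrets lines in exactly the format shown above, assuming a demo output directory and the documentation address 203.0.113.5 in place of the real public IP.

```shell
#!/bin/bash
# Added example, not part of the original how-to: generate a strong random
# PSK and write the matching secrets line for each side in the format used
# above.  The public IP and output directory are parameters (demo paths,
# not /etc/ipsec.d); "1.1.1.1" in the how-to is only a placeholder.

# Print a random PSK of N bytes as hex (default 32 bytes = 64 characters).
gen_psk() {
    head -c "${1:-32}" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Return 0 if the PSK has at least 20 characters, 1 otherwise
# (the how-to's sample "ahoj12345" fails this check).
psk_ok() {
    [ "${#1}" -ge 20 ]
}

# Write one secrets file: "<left-id> <right-id>: PSK \"...\"".
# Arguments: local-id remote-id psk output-file
write_secrets() {
    # run in a subshell so the restrictive umask does not leak out;
    # the secrets file must be readable by root only
    ( umask 077; printf '%s %s: PSK "%s"\n' "$1" "$2" "$3" > "$4" )
}

# Produce both sides' files into directory $1 and print the shared PSK.
# $2 is the public IP of the side configured with right=%any.
make_pair() {
    psk=$(gen_psk)
    psk_ok "$psk" || return 1
    # initiating side (left=%defaultroute, right=<public IP other side>)
    write_secrets '%any' "$2" "$psk" "$1/initiator.secrets"
    # responding side (left=<public IP this side>, right=%any)
    write_secrets "$2" '%any' "$psk" "$1/responder.secrets"
    printf '%s\n' "$psk"
}
```

Copy each generated file to /etc/ipsec.d/ on its side, then run ipsec auto --rereadall as described below so pluto picks up the new secret.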

Some useful commands for working with ipsec.
When we update the configuration file and must reload one ipsec tunnel, use these steps rather than restarting the ipsec service itself:

ipsec auto --down blava
ipsec auto --replace blava
ipsec auto --up blava

If we change the secrets file and the PSK, we must also run this before --up:

ipsec auto --rereadall