Author: admin

How to start failed VNC service

  • The VNC server is configured on a Linux machine, but the service status is shown as failed.

systemctl status vncserver@:1.service
● vncserver@:1.service - Remote desktop service (VNC)
Loaded: loaded (/etc/systemd/system/vncserver@:1.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Mon 2021-09-01 11:30:03 +04; 11s ago
Process: 13739 ExecStart=/usr/sbin/runuser -l vncuser -c /usr/bin/vncserver %i (code=exited, status=1/FAILURE)
Process: 13739 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill %i > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)
Main PID: 1231 (code=exited, status=0/SUCCESS)

  • The main reason for failed VNC server service is that X1-lock and socket files are present in /tmp/.X11-unix. Remove the files to start the VNC session.

rm /tmp/.X11-unix/X1 /tmp/.X1-lock

  • Start the VNC server service as follows:

systemctl start vncserver@:<display>.service

  • The root cause of this error is that files in /tmp/.X* are VNC session log files, and deliberately killing the session will not remove the /tmp/.X* files. The result is that the user cannot start the VNC session on the same display again. The first solution is to remove these stale files.
  • You should remove all stale files under these directories.

/tmp/.X11-unix/
X2 X3 X3 X5

/tmp/.X1-lock
.X0-lock .X11-unix/ .X1-lock .X2-lock .X3-lock .X4-lock

How to restrict normal user to run only limited set of commands

  • Normal users in Linux are usually given permission to execute a certain command in /bin/ and /usr/local/bin. Follow the below steps to remove those permissions and restrict users to run only specific commands.
  • Enter the following command to generate a restricted shell.

cp /bin/bash /bin/rbash

  • Change the shell as a restricted shell while adding the target user.

useradd -s /bin/rbash user-restrict

  • For present users on the machine.

usermod -s /bin/rbash user-restrict

  • In this way, the user user-restrict is chrooted and will not be able to access the links outside his $HOME directory /home/user-restrict
  • Create a directory under /home/user-restrict as follows:
    mkdir /home/user-restrict/directory
  • At this point, the user user-restrict can access all commands that are allowed to execute. These commands are presented from environment PATH variable set in /home/user-restrict/.bash_profile. Change it as follows:

cat /home/user-restrict/.bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
readonly PATH=$HOME/directory
export PATH

  • Now, if the user user-restrict log in, he/she will not be able to run even simple commands.
  • Now make softlinks of commands for user user-restrict to execute in the directory /home/user-restrict/directory

ln -s /bin/date /home/user-restrict/directory/
ln -s /bin/ls /home/user-restrict/directory/
ll /home/user-restrict/directory/
total 8
lrwxrwxrwx 1 root root 10 Aug 17 18:00 date -> /bin/date
lrwxrwxrwx 1 root root 10 Aug 17 18:00 ls -> /bin/ls

  • Logout and login again and execute the following commands

[user-restrict@example ~]$ date
Sun Aug 17 20:00:00 IST 2021
[user-restrict@example ~]$ ls
filea fileb filec filed directory
[user-restrict@example ~]$ tail
-rbash: tail: command not found

  • To restrict user user-restrict for making any modification in their .bash_profile.

chattr +i /home/user-restrict/.bash_profile

  • The above command will make the .bash_profile immutable. Only root will be able to remove the immutable flag from the file.

chattr -i /home/user-restrict/.bash_profile

How to configure VNC server in AlmaLinux 8.3

  • Install the required VNC server packages in AlmaLinux 8.3 as follows:

yum -y install tigervnc-server tigervnc

  • The default configuration files for the tigervnc-server are located in /etc/tigervnc. In this directory, the following files are present.

vncserver.users
vncserver-config-mandatory
vncserver-config-defaults

  • Map the users to a particular port by adding the following option (:x=user) in /etc/tigervnc/vncserver.users file.

:1=vnc-user1
:2=vnc-users2

  • You should configure one vnc session per user as AlmaLinux 8.3 only supports one unique user per GUI session per machine.
  • Now you will have to edit vncserver-config-defaults file to configure Xvnc parameters. The values in this file will be applied to every user unless the user has its own configuration file in $HOME/.vnc/config. The same options with different values are set in vncserver-config-mandatory file, which replaces the default configuration file and has a higher priority. The format of the configuration file is option=value.

session=gnome
#securitytypes=vncauth,tlsvnc
#desktop=myserver
#geometry=1900x1100
#localhost
#alwaysshared

  • Make sure the parameter session=gnome in the above code matches the name of the session desktop file in the/usr/share/xsessions directory (case-sensitive).
  • Run the following command to start the Tigervnc server. This command should be run as a user who will be starting and using the vnc server. The vnc password must be set while the user is logged in and not by the root.

vncpasswd

  • As root, start the Tigervnc server as follows:

# systemctl enable vncserver@:$x.service
# systemctl start vncserver@:$x.service

  • In the above command, you should replace the variable $x by the actual number configured in /etc/tigervnc/vncserver.users

systemctl enable vncserver@:1.service --now

  • Open vnc default port 5901 in the firewall as follows:

firewall-cmd --permanent --zone=public --add-port 5901/tcp

  • Reload firewall.

firewall-cmd --reload

How to set interface to promiscuous mode permanently

  • You can use a script to apply promiscuous settings to an interface or multiple interfaces when they come online.

touch /etc/NetworkManager/dispatcher.d/30-promisc
chmod +x /etc/NetworkManager/dispatcher.d/30-promisc

  • Add following script code to 30-promisc file.

#!/bin/bash
if [ "$1" == "eth0" ] && [ "$2" == "up" ]; then
ip link set dev "$1" promisc on
fi

  • You can also use network initscripts by adding code in /sbin/ifup-local file. Create a file if it is not present.

#!/bin/bash
if [ "$1" == "eth0" ]; then
/usr/sbin/ip link set dev "$1" promisc on
fi

How to apply ethtool settings to interface using Network Manager dispatcher script

In the same way as above, you can use the network manager dispatcher script to apply ethtool commands.

  • create files as follows:

touch /etc/NetworkManager/dispatcher.d/30-ethtool
chmod +x /etc/NetworkManager/dispatcher.d/30-ethtool

  • Now to apply settings to a single network interface:

#!/bin/bash
if [ "$1" == "eth1" ] && [ "$2" == "up" ]; then
ethtool -K "$1" lro off rx on gro off 
fi

  • For multiple interfaces:

#!/bin/bash
if [ "$1" == "eth1" -a "$2" == "up" ] || [ "$1" == "eth0" -a "$2" == "up" ] ; then
ethtool -K "$1" lro off rx off gro off 
fi

  • For bonding interface:

#!/bin/bashif [ "$1" == "bond0" ] && [ "$2" == "up" ]; then
for INTERFACE in bond0 eth1 eth0; do
ethtool -K "$INTERFACE" lro off rx off gro off 
done
fi

How to set up RDP with Xfce in Kali Linux

Kali Linux is supported on multiple devices. On some systems, you will only get CLI mode installation and may not have direct access to GUI. One way to have GUI on Kali Linux is to install Xfce and setting up RDP. You can do this with the simple script as follows:

#!/bin/sh
echo "[+] Installing Xfce, this will take a while"
apt-get update
apt-get dist-upgrade -y
apt-get install -y kali-desktop-xfce xrdp
echo "[+] Configuring XRDP to listen to port 3390 (but not starting the service)..."
sed -i 's/port=3389/port=3390/g' /etc/xrdp/xrdp.ini

  • To execute the above script, do the following:

wget https://gitlab.com/kalilinux/build-scripts/kali-wsl-chroot/-/raw/master/xfce4.sh
chmod +x xfce4.sh
sudo ./xfce4.sh

  • If you are not using WSL, you need to start service and connect as follows:
    sudo systemctl enable xrdp --now
  • If you are using WSL, you should install dbus-x11 for Xfce and RDP to connect.

sudo apt install -y dbus-x11

  • Start xrdp as follows:

sudo /etc/init.d/xrdp start

  • Open RDP client on Windows system, enter the IP address of the Kali Linux server and port 3390, which is the default port if you have used the script above.

192.168.1.1:3390

How to disable ssh access for a user/group but allow command execution

You can restrict users as well as groups to execute all commands over ssh without having access to the server.

  • The first step is to add a new option in /etc/ssh/sshd_config file as follows:
  • For user restriction, add the following and make sure to replace the username with the actual username:

Match User username
PermitTTY no

  • For group restriction, add the following and make sure to replace testgroup with the actual group:

Match Group testgroup
PermitTTY no

  • Reboot the server or restart the service until the new change takes effect.

systemctl restart sshd

Why AlmaLinux server receiving very slow incoming ssh connections?

  • For quick resolution, though not a permanent fix in the DNS environment, add IP hostname entries in /etc/hosts file. If you use this method, make sure the following entries are in /etc/nsswitch.conf file:

hosts: files dns

  • The second method is to add/update the below directive in the /etc/ssh/sshd_config file:

UseDNS no

The default for the UseDNS directive is yes. UseDNS specifies whether sshd should look up the remote hostname and make sure that the resolved hostname for the remote IP address maps back to the same IP address.

  • If you do not want to change UseDNS directive to no and keep the directive option to yes, consider running the below command on the server.

tcpdump -n -i any port 53 -w /tmp/ssh-whyslow.pcap

The above command will cause simultaneous query requests reaching all name servers. If the primary DNS server is slow and secondary/tertiary are responding quickly then consider exchanging secondary with primary DNS server. Always check ssh-whyslow.pcap file to find out which DNS server is slow.

Change nameserver orders in /etc/resolv.conf file and again ssh from the client and hopefully, a slow connection error will be resolved.