Configuring Fasttrack on Mikrotik

FastTrack accelerates the processing of packets, started working on firmware from 6.29.

Setting example:

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related
/ip firewall filter add chain=forward action=accept connection-state=established,related

The added rules should be before the others.

Let’s see a list of rules:

/ip firewall filter print

We will move our two added to the top (I have them under ID 33 and 34):

/ip firewall filter move 33  destination=1
/ip firewall filter move 34  destination=2

How to enable PHP short tags?

It was necessary recently to include short PHP tags since the site code that I transferred to another server was written with their use.
By default, they are disabled.
For example, the usual tags look like this:

<?php  code  ?>

And short ones like this:

<? code ?>

To include short ones, you need to find the short_open_tag parameter in the php.ini configuration file and specify its value in On, for example:

short_open_tag=On

php.ini is usually located in the /etc/php5/directory, if cpanel is used, in /usr/local/lib/php.ini.

You need to reboot the web server to apply the change, in Ubuntu apache2 is rebooted with the command:

sudo service apache2 restart

How to change the SSH port in Ubuntu

On the test, I change the SSH port in Ubuntu Server 14.0.4 LTS and Ubuntu Server 16.0.4 LTS.

Open the SSH configuration for example in the nano text editor (in nano, press Ctrl+X to exit, y/n to save or cancel changes):

sudo nano /etc/ssh/sshd_config

Find the line “Port 22” and change it for example to “Port 58222“.

To apply the changes, restart ssh (on different systems it can reboot in different ways, so here is a list of possible commands):

sudo service ssh restart
sudo /etc/init.d/ssh restart
sudo /etc/init.d/sshd restart

After restarting SSH, it will be available on the new port, and the current session on the old one will remain active, so without disconnecting for testing, we will try to connect to the new port, if not, then the firewall is working in the system and you need to allow it in the system, for example in iptables this is done this way (where 58222 is our new port):

sudo iptables -A INPUT -p tcp --dport 58222 -j ACCEPT

You can allow iptables to connect to SSH only from the specified range of IP addresses:

sudo iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 58222 -j ACCEPT

If everything is ok, we connect through a new port and can delete the old iptables rule, for example:

sudo iptables -D INPUT -p tcp --dport 22 -j ACCEPT

An example of a command to connect from Linux to SSH on a non-standard port:

ssh -p 58222 user@192.168.0.2

View the system on which port and on what network interfaces SSH works like this:

netstat -tulpan | grep ssh

Solution of the error NMI watchdog: BUG: soft lockup – CPU#0 stuck for 23s!

I noticed several times that the server was crashing with Ubuntu Server installed on 14.04.01, after which only a hard reset with power outage helped.

I will quote some of the logs at this moment:

Jun 17 20:16:19 server-gw kernel: [3455576.132542] Code: be 00 02 00 00 e8 46 26 8c ff 5d c3 0f 1f 40 00 66 66 66 66 90 55 48 89 e5 53 48 89 f3 66 66 66 66 90 66 83 07 02 48 89 df 57 9d <66> 66 90 66 90 5b 5d c3 0f 1f 44 00 00 b8 02 00 00 00 f0 66 0f
Jun 17 20:16:47 server-gw kernel: [3455604.143698] NMI watchdog: BUG: soft lockup – CPU#0 stuck for 23s! [kworker/0:2:19206]
Jun 17 20:16:47 server-gw kernel: [3455604.146475] Modules linked in: xt_nat xt_tcpudp iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 ipt_ISG(OE) iptable_filter ip_tables x_tables ipmi_ssif gpio_ich amdkfd amd_iommu_v2 intel_powerclamp coretemp radeon kvm_intel kvm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul ttm glue_helper ablk_helper cryptd drm_kms_helper serio_raw drm lpc_ich joydev i2c_algo_bit i7core_edac hpilo edac_core shpchp ipmi_si 8250_fintek ipmi_msghandler mac_hid acpi_power_meter nf_nat_pptp nf_nat_proto_gre nf_conntrack_pptp nf_conntrack_proto_gre nf_nat nf_conntrack lp parport hid_generic usbhid hid psmouse be2net vxlan bnx2 pata_acpi ip6_udp_tunnel udp_tunnel hpsa
Jun 17 20:16:47 server-gw kernel: [3455604.146529] CPU: 0 PID: 19206 Comm: kworker/0:2 Tainted: G IOEL 3.19.0-39-generic #44~14.04.1-Ubuntu
Jun 17 20:16:47 server-gw kernel: [3455604.146531] Hardware name: HP ProLiant DL380 G7, BIOS P67 09/30/2010
Jun 17 20:16:47 server kernel: [3455604.146537] Workqueue: events inet_frag_worker

The problem was a bug in the Ubuntu kernel version – 3.19.0-39-generic, and naturally the solution to the problem was to update the system with commands:

sudo apt-get update
sudo apt-get upgrade

After that, the error disappeared.

The kernel version can be viewed by the command:

uname -r

Ubuntu version:

lsb_release -r

Install and use Partclone

Partclone — utility for cloning and restoring disk partitions.

Perform the installation of Partclone in Ubuntu:

sudo apt-get update
sudo apt-get install partclone

Partclone can work with many file systems, when you start it through a point, you must specify the type of file system, for example:

partclone.btrfs (btrfs)
partclone.ext2/ext3/ext4 (ext2, ext3, ext4)
partclone.reiserfs (reiserfs 3.5)
partclone.reiser4 (reiser 4)
partclone.xfs (xfs)
partclone.ufs (ufs/ufs2)
partclone.jfs (jfs)
partclone.hfs+/hfsplus (hfs plusfs)
partclone.vmfs (vmfs)
partclone.ntfs (ntfs)
partclone.fat12/fat16/fat32 (fat12, fat16, fat32)
partclone.exfat (exfat)
partclone.minix (minix)
partclone.f2fs (f2fs)
partclone.nilfs2 (nilfs2)

Here are the possible startup options:

-s FILE, --source FILE

The data source specifies the file or partition to be cloned from or from which data will be restored.

-o FILE, --output FILE

The output file in which the data or partition to which data will be restored will be stored.

-O FILE, --overwrite FILE

Overwrite the file if it exists.

-c, --clone

Preservation

-r, --restore

Recovery

-b, --dev-to-dev

Copy from device to device mode

-l FILE, --logfile FILE

Path to the log file (default /var/log/partclone.log)

-R, --rescue

Continue after disk read errors

-C, --no_check

Do not check disk size and free space

-N, --ncurse

Ncurses text-based user interface

-X, --dialog

Output of messages in a dialogue format

-I, --ignore_fschk

Ignore file system check

--ignore_crc

Ignore crc errors

-F, --force

Forced mode

-f SECONDS, --UI-fresh SECONDS

Changing the interval

-z SIZE, --buffer_size SIZE

The size of the read / write buffer (default: 1048576)

-q, --quiet

Quiet mode, information about the execution process will not be displayed

-dlevel, --debug level

Debug mode level 1/2/3

-h, --help

Display Help

-v, --version

Display the version of the program

I will give examples of running partclone.
First let’s see what drives in the system are used:

sudo fdisk -l | grep '/dev/'

Example of cloning a partition to a file:

sudo partclone.ext3 -c -d -s /dev/sda1 -o sda1.img

Example of cloning a partition into an archive:

sudo partclone.ext3 -c -d -s /dev/sda1 | gzip -c > /dev/sdb2/sda1.gz

Restoring the partition from the file:

sudo partclone.ext3 -r -d -s sda1.img -o /dev/sda1

Restoring the partition from the archive:

sudo gzip -d /dev/sdb2/sda1.gz | partclone.ext3 -d -r -o /dev/sda1

We clone the partition into the partition of another disk:

sudo partclone.ext3 -b -d -s /dev/sda1 -o /dev/sdb2

The solution of the error “Permission denied: .htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable”

I noticed somehow the following error:

[Mon Sep 05 10:24:38 2016] [crit] [client 192.168.1.1] (13)Permission denied: /home/user/public_html/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

Before the error occurred, I moved the files through sudo (from the root user) and to return the rights I executed the command:

sudo chown user:user -R /home/user/public_html

Which changed the owner to the one specified in all the subfolders and files, but the other directory should have been specified to the public_html directory (not its contents), because of which apache2 wrote that access was denied. Therefore, if you point to the public_html of the user and the group from which apache2 is running, the error disappears.
It can also be helped by specifying permissions 777 on this folder, it will give full access to all users (but this option is better not to use for security purposes).

How to restore the standard mac-addresses of MikroTik interfaces

Recently, I had to copy the settings of one MikroTik router to another one and after I saved the settings to a file and populated them on the second, I noticed that mac addresses were also copied.

Therefore, we had to reset them to standard ones.
First, let’s see what the interface numbers are (I have ether1 for 0, ether2 for 1, etc.):

interface ethernet print

And reset their mac-addresses:

interface ethernet reset-mac-address 0
interface ethernet reset-mac-address 1
interface ethernet reset-mac-address 2
interface ethernet reset-mac-address 3
interface ethernet reset-mac-address 4

If you need to reset the mac of the wireless interface, then save the wireless settings to the file:

interface wireless export file wifibackup

Look at the wireless interfaces (I have one at number 0):

interface wireless print

Reset all settings including the mac address:

interface wireless reset-configuration 0

Restore the settings from the previously saved file (mac-address in this case will remain standard):

import wifibackup.rsc

Done.

Limiting access to management of Huawei SmartAX MA5600

For example, to allow to connect to the Huawei SmartAX MA5600 series via telnet only to the specified IP address ranges 192.168.0.100-192.168.0.254 and 172.16.24.1-172.16.24.50 we will connect to the device and go into the configuration mode:

enable
config

And execute the following commands (for non-specified IP access is immediately prohibited):

sysman ip-access telnet 192.168.0.100 192.168.0.254
sysman ip-access telnet 172.16.24.1 172.16.24.50
sysman firewall telnet enable

Similarly for SSH:

sysman ip-access ssh 192.168.0.100 192.168.0.254
sysman firewall ssh enable

And SNMP for example for one IP:

sysman ip-access snmp 192.168.0.100 192.168.0.100
sysman firewall snmp enable

To deny access to the specified subnet, we specify ip-refuse instead of ip-access, for example:

sysman ip-refuse telnet 192.168.1.200 192.168.1.220
sysman firewall telnet enable

On the test, I performed the settings for Huawei SmartAX MA5683T, they are essentially the same for the entire MA5600 series.

Solution of VirtualBox error “Kernel driver not installed (rc=-1908)”

I noticed somehow an error in VirtualBox working on Linux Ubuntu Desktop 16.04:

Kernel driver not installed (rc=-1908)
The VirtualBox Linux kernel driver (vboxdrv) is either not loaded or there is a permission problem with /dev/vboxdrv. Please install virtualbox-dkms package and load the kernel module by executing
‘modprobe vboxdrv’
as root. If it is available in your distribution, you should install the DKMS package first. This package keeps track of Linux kernel changes and recompiles the vboxdrv kernel module if necessary.
where: suplibOsInit what: 3 VERR_VM_DRIVER_NOT_INSTALLED (-1908) – The support driver is not installed. On linux, open returned ENOENT.

To solve the problem it was necessary to disable the secure boot in the BIOS, in my case “Windows UEFI” was selected, changed to “Other OS”.
Then, after running the system, executed the command from the root user:

modprobe vboxdrv

In Ubuntu, you can switch to root as follows:

sudo -i

Done, the error is solved.