Archive for the ‘tech’ Category

on techinc and society

Sunday, June 1st, 2014

Back in the days I met people who were fundamentalist vegans, calling themselves “straight edge” – we lived for half a year in the same building till we could not stand each other anymore – Some people would boycott what the other was doing/liking/listening to because somewhere it conflicted with the ethics of one of the Vegans.

We stopped listening to music together (because %recordlabel% was supporting the exploitation of children somewhere), we stopped cooking and eating together (because %shop% supports the destruction of rice fields somewhere) and so on.. everything had a problem that made it unethical/impossible to reach common ground

Now you could ask yourself why this happened.. were the fundamentalists too fundamentalist? They would not be fundamentalist, then, right? <<--- edit: maybe ideologist/ideology would be more fitting - thanks Were we too "corrupted" by society to accept their point of view? In fact, everyone had sound arguments and reasons for what he was doing, yet our shared apartment that was started on the premise of "Hey, you people are cool, we meet at many parties, lets live together" The two emails I received on the techinc mailing list regarding hitb and the reputation of techinc painfully remind me of that time... Probably the katholics/protestants felt similar like 500 years ago.. we all know how that ended ;) Heck, the entire civilization we currently live in has been like that and I still don't like it but you know what? Democracy may be inherently bad it it is still the most common form of "how to piss the least people off and still manage to keep the show going". This system is powered by public reward for things done well (salary, media, etc.. ) and punishment for things not done right (penalties, fees, court, jail, public shaming, exclusion from the "club") Again, I don't think it is the best system to have but all the alternatives cause only more fragmentation and dissent.. do we want that? Shall we continue as one block of awesome people standing together or shall we just let it fall apart because we don't like the hair of the other person? (*glances at Mitch Altman and giggles*)

private server install log 03/2014

Saturday, March 8th, 2014

this is taken from here:
https://github.com/al3x/sovereign
and I want to play with ansible on my other server (the .eu domain) but this will be my private server where things are (of course) different.
UPDATE 7/2014: added webmail and roundcube and owncloud plugin
NEEDS: backup scripts / dumps

– create a VM with basic specs for Ubuntu
– set up 12.04 LTS with 64bit flavor >> UPDATE: 14.04 LTS is out – mail server is on 14, rest stays on 12 for now…
– chose for LVM and encrypted home directory during install
– install VMware tools / xen tools > or stick to KVM

– allow SSH on the firewall
dont’ forget IPv6 for the rules or use UFW
#ufw allow ssh
#ufw limit ssh/tcp < -- is this actually useful in combination with fail2ban? check /etc/ssh/sshd_conf if it uses PAM - we can plug in the 2-factor-authenticator, then :) – mosh – useful
apt-get install mosh
open ports correspondingly
#ufw allow proto udp from any to any port 60000:60010
this allows for mosh instead of ssh to your server which helps with lag/latency

– htop – interactive “top”
http://hisham.hm/htop/

– fail2ban – block connection attempts
apt-get install fail2ban
edit /etc/fail2ban/fail2ban.conf
and edit
/etc/fail2ban/jail.conf
or better: create a jail.local (it overrules the jail.conf)
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

here check for the following:

separate whitelisted hosts/subnets/cidr blocks using space under ‘ignoreip’
also, set up your mta and receipient address under destemail
bantime and maxretry can be adjusted
backend can be auto

edit /etc/fail2ban/jail.local
and apply the banactions for UFW as we are not using iptables directly (we suck!)

[ssh]
enabled = true
banaction = ufw-ssh
port = 2992
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[apache]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-auth
logpath = /var/log/apache*/error*.log
maxretry = 4

[apache-filenotfound]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-nohome
logpath = /var/log/apache*/error*.log
maxretry = 3

[apache-noscript]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-noscript
logpath = /var/log/apache*/error*.log
maxretry = 6

[apache-overflows]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-overflows
logpath = /var/log/apache*/error*.log
maxretry = 2

create /etc/fail2ban/action.d/ufw-ssh.conf:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from to any app OpenSSH
actionunban = ufw delete deny from
to any app OpenSSH

and /etc/fail2ban/action.d/ufw-apache.conf:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 2 deny from to any app “Apache Full”
actionunban = ufw delete deny from
to any app “Apache Full”

DISCUSS: IPv6 – hack a little 64 gateway or block SSH for IPv6 (which would be silly…)

restart ufw and fail2ban to activate:

andreas@telecity:~$ sudo service fail2ban restart
* Restarting authentication failure monitor fail2ban [ OK ]
andreas@telecity:~$ sudo service ufw restart
ufw stop/waiting
ufw start/running

check status (default only SSH is enabled)
andreas@telecity:~# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh
root@telecity:~#

it works! UFW injects a deny statement for every host that tries to bruteforce

tail -f /var/log/fail2ban.log
2014-07-19 11:24:49,201 fail2ban.actions: WARNING [ssh] Ban 116.10.191.163

$ sudo ufw status
Status: active
To Action From
— —— —-
OpenSSH DENY 116.10.191.163

– install build-essential, openssl and libssl-dev to be able to create a wildcard certificate (self-signed) and other stuff we have to build from scratch

– owncloud – via owncloud.com
install according to manual there (#apt-get install owncloud)
admin docs: http://doc.owncloud.com/
modify your webserver to allow owncloud to do its magic:
#chown -R www-data:www-data /path/to/your/owncloud/apps
#chown -R www-data:www-data /path/to/your/owncloud/data
#chown -R www-data:www-data /path/to/your/owncloud/config
set ‘AllowOverride All’ in the /var/www/ section of apache2 config file
(/etc/apache2/sites-available/default)
#a2enmod rewrite
#a2enmod headers
then restart apache
#service apache2 restart
open firewall ports: ufw enable http(s)
then point browser to https://[your server’s URL]/owncloud
if you want to install into mysql chose “advanced” – otherwise just go with sqlite and create an admin user
you are done!

go admin > create a group and some users
set up the client (owncloud-client) and point it to your server’s URL (use https and a full path)
create folders > they will be synced by owncloud and to your server

other features:
use cardDAV/calDAV
sync music (amaroK/tomahawk)
plugins (roundcube, large files, mobile interface, etc…)

once it works, why not make it secure and install SSL:
– create a self-signed SSL certificate (for web and mail server) or buy one ;)
https://help.ubuntu.com/12.04/serverguide/certificates-and-security.html
and install them
# cp server.crt /etc/ssl/certs
# cp server.key /etc/ssl/private
adjust apache2 config to enable SSL:

edit sites-available/default-ssl
enable “AllowOverride All” for all /var/www instances as before
check ‘SSLEngine On’ is there
add the two certificates to it instead of the “snakeoil” cert

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

enable the engine with
#a2ensite default-ssl

and restart server
#service apache2

and check if your browser accepts the cert :)

hints to make SSL more secure from phra.gs
https://phra.gs/blob/2014-02-14-apachessl.html

now get connected using owncloud client using the username/password you set as admin

NOTE: every time you update the owncloud binaries you need to go to the website once to apply the update!

– quassel

http://bugs.quassel-irc.org/projects/quassel-irc/wiki

apt-get install quassel-core
for the server
open port 4242 on your firewall/iptables

and use quassel-client for the client
there is quasseldroid and iQuassel for mobile clients

it doesn’t use SSL by default – so stop the service and launch quasselcore manually
it will show you where it wants the config files and SSL certs

then create the cert as indicated here:
http://bugs.quassel-irc.org/projects/quassel-irc/wiki/Client-Core_SSL_support
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout ~/.config/quassel-irc.org/quasselCert.pem -out ~/.config/quassel-irc.org/quasselCert.pem

connect to your server for the first time and a welcome dialog will appear
set up the first user (who will be an admin)
and then go play :) (and chat from anywhere)

useful for irssi integration:
https://github.com/phhusson/quassel-irssi

mmarley has a more recent repository on launchpad – use it if you want to use 0.10 and not 0.8

gallery2:
simple: apt-get install gallery2
install mysql-server and set up the database (Remember the user/pass)
http://codex.galleryproject.org/Gallery2:Installation_on_Debian

then run the webinstaller and do the rest
http://yourdomain/gallery2

edit /etc/php5/apache2/php.ini and raise the file limits if you want /need

add a seedbox? transmission-bt !
http://filesharefreak.com/2012/05/10/seedbox-from-scratch-new-server-to-seeding-in-less-than-5-minutes

although that is something for my raspi at home / openelec style

install transmission-daemon – set up config and password
apt-get install transmission-daemon

nano /etc/transmission-daemon/settings.json

and open firewall for the tcp ports – done :)

– diaspora
https://wiki.diasporafoundation.org/Installation/Ubuntu/Precise
seems I need a “valid” SSL cert and a dedicated webserver – so I will do that virtually instead or from home or not at all.

– XMPP
apt-get install prosody
configure as per example / global settings and add an admin user there

create some keys:

openssl req -new -x509 -days 1000 -nodes -out “/etc/ssl/certs/xxxxxxxx.crt” -newkey rsa:4096 -keyout “/etc/ssl/private/xxxxxxxx.key”

under your server add the certs
ssl = {
/path/to,,,

and create symlinks

test the keys:
sudo chmod 600 /path/to/certificate.key
sudo chown prosody:prosody /path/to/certificate.key

Prosody should also be able to read the parent directories of the file.

To test that only Prosody can read the file:

sudo -u prosody cat /path/to/certificate.key # Should succeed
sudo -u nobody cat /path/to/certificate.key # Should fail

Declaring host

The configuration of the host im.example.org will be done in the file « /etc/prosody/conf.avail/im.example.org.cfg.lua », the file example.com.cfg.lua may serve as a model:

cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/.cfg.lua

With your favorite editor change the settings for VirtualHost and enabled so you have:

VirtualHost “im.example.org”
–enabled = false — Remove this line to enable this host

The line “- enabled = […]” can also be removed, instead of of removing the comment like above.

Also represent the key and the SSL certificate:

ssl = {
key = “/etc/prosody/certs/im.example.org.key”;
certificate = “/etc/prosody/certs/im.example.org.cert”;
}

If you already have a key / certificate pair on the same domain name (Common Name), for example for apache, point to it instead of the files listed above.

Now create the symbolic link in« /etc/prosody/conf.d/ » with:

ln -sf /etc/prosody/conf.avail/im.example.org.cfg.lua /etc/prosody/conf.d/im.example.org.cfg.lua

Several host by one configuration

Here is an example to declare a single configuration for multiple hosts (thank you MattJ):

for _, host in ipairs { “example.net”, “example.org” } do
VirtualHost (host)
option1 = “foo”
option2 = “bar”
end

Create users (single)

Creating user accounts is done with the command « prosodyctl »

prosodyctl adduser romeo@im.example.org

open firewall for ports 5222 and 5269 IP and IPv6

create DNS SRV records for optimal federation / domain delegation
use this template:
_xmpp-client._tcp.example.com. 18000 IN SRV 0 5 5222 xmpp.example.com.
_xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 xmpp.example.com.
_jabber._tcp.example.com 18000 IN SRV 0 5 5222 xmpp.example.com < -- that still relevant? also.. no dots after TLD? doubt this will work... in fact: the domain is automatically added so just add this: _xmpp-client._tcp type SRV with value 0 5 5222 xmpp.domain.com. and _xmpp-server._tcp type SRV with value 0 5 5222 xmpp.domain.com. it must point to an existing A-record - not an IP address (this also helps with IPv6 I guess...)

;; QUESTION SECTION:
;_xmpp-client._tcp.rudel.nl. IN SRV

;; ANSWER SECTION:
_xmpp-client._tcp.rudel.nl. 3600 IN SRV 0 5 5222 telecity.rudel.nl.

;; ADDITIONAL SECTION:
telecity.rudel.nl. 3600 IN A 80.252.86.117

– rkhunter

– sendmail / mail sever?
— dovecot imap and roundcube look neat – with a plugin for owncloud? awesome!
– tarpitting / greylisting / smarthost with ISP relay?
found iredmail!
http://www.iredmail.org/install_iredmail_on_ubuntu.html
install script works nice on a new /fresh ubuntu server – delete defaults later and change passwords
set up domain records (MX and A-records) and set up SPF

– two-factor authentication? google authenticator?
sudo apt-get install libpam-google-authenticator
run google-authenticator as the user you will be logging in as
it will create a qr code with the secret key that google authenticator app can scan
it will also update the PAM module and ask you some questions
do this for every user

now edit /etc/pam.d/sshd
add this line(s):
# enable Google authenticator
auth required pam_google_authenticator.so

then edit /etc/ssh/sshd_config
and change or add this line to say yes
ChallengeResponseAuthentication yes

restart ssh to enable
sudo service ssh restart

next login looks like that:
login as: andreas
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Verification code:

RIPE NCC 24/09/2013 Routing Security Training

Tuesday, September 24th, 2013

Intro

IRR / Internet routing registry (irr.net)
RIPE db is actually a subset of the IRR
some objects are part of both (ROUTE/AS-Numbers)
why all that? Question: “Is this ASN authorized to announce this IP range?”
Problem: Legacy space
Bigger Problems: ISP’s might not ask for ROUTE object and just announce IP address space – who holds them back?
> one way is to use ROUTE objects

the IRR is composed of 43 databases, RIPE is one of them, RPSL and Level3 are others..

the more south/east you go the less requirements you will have to announce a prefix (probably only a bag of money)

Issue/Challenge: Roting and the database are related / not the same
annouce? accept? >> RPSL!
~85% match between RIPE and BGP

database

primary lookup key for persons:
– handle
– email
primary lookup key for inetnum:
– netname
– ip range

what is a primary lookup?
query: “-v inetnum”

The inetnum class:

An inetnum object contains information on allocations and
assignments of IPv4 address space.

inetnum: [mandatory] [single] [primary/lookup key]
netname: [mandatory] [single] [lookup key]
descr: [mandatory] [multiple] [ ]
country: [mandatory] [multiple] [ ]
geoloc: [optional] [single] [ ]
language: [optional] [multiple] [ ]
org: [optional] [single] [inverse key]

now you have an assignment: 80.252.80.0 which results:
inetnum: 80.252.80.0 - 80.252.81.255
netname: TC-IS_SERVICES
descr: TelecityGroup customer Services/IS
country: NL
remarks: In case of abuse please email: abuse@telecity.com
admin-c: TA515-RIPE
tech-c: TT556-RIPE
status: ASSIGNED PA
mnt-by: TELECITY-MNT
mnt-by: TELECITY-NL-MNT
source: RIPE #Filtered

which is an assignment – but what is the allocation?

either: Do -L –no-personal x.x.x.x

or do inverse search!
-i org ORG-TP3-RIPE

shows all assignments for Telecity’s ORG ID

useful: -i person and your company handle!
example: -i person AR10441-RIPE
shows where you are allocated

remember to PROTECT objects and create ROLE OBJECTS
do not assign people to admin-c/tech-c

RIPE will never allow you to be MNT-BY in an inetnum or ASN
only mnt-lower, mnt-routes, mnt-domains (for PTRs)

so if you want to edit a ROUTE(6) object:
you need up to THREE passwords!
AS number
INET(6)NUM
ROUTE(6)

problem: Customer doesn’t want you to have his maintainer passwords
Solution: Create a mnt-routes in the INET(6)num and add the customer’s maintainer object there!
Alternative: customer has to add our maintainer in his AS number as “mnt-routes”
both will work

**EXERCISES**

Chapter 2: BGP/routing

AS-path prevents loops!
protect ASN
protect ROUTE
protect INETNUMs
protect ALL THE THINGS

RPSL

filtering ideas:
RegExp – exclude idividual ASN’s from the path?

blah.. complicated .. do not want

Tools

use them!
> IRRToolset can create configs
RPSLtool
IRR powertool
level3 filtergen

and so on

RPKI

does the same thing than the routing registry – but different
(route object on steroids)
ideal: use both!
is that ASN authorized to announce the IP range
so what makes RPKI easier / better?
– usable toolset
– integrated in routers

Use the certificate from RIPE to create ROA’s (resource origin something)
it states what AS the address range is announced from
and teh max. length

multiples possible, overlap possible

“invalid” comparison only when different ASN announces (or not matching prefix )
invalid ROA != invalid BGP announcement

Validator runs locally at your company
fetches data from RIPE via rsync
router runs the validation software in 7600, ASR9K is in early field trials

more RPKI

RIPE NCC 23/09/2013 LIR training notes

Tuesday, September 24th, 2013

RIPE NCC database lookups TIPS

– use -r (blocks recursive lookups)
or better
– use –no-personal to block searching person objects

failure to do so will get you blocked quickly!

– an ASN without an AUT-NUM can not be announced without a ROUTE object
– an AUT-NUM is for an AS number
– a ROUTE object combines inetnum and aut-num

(more stuff goes here)

MAINTAINER

want to use PGP key instead? (or x.509 object)
> create key-cert object
> associate the public PGP key with it
> add extra line to MNT object: PGPKEY-id (in single text area edit)
> once PGP is in there you’ll have to update the object and sign it using your private key

adding multiple AUTH objects works (password and PGP and cert)
BUT: adding multiple maintainers to a person object will _not_ make it more secure – just adds more gates to the castle

large companies: need ROLE object!
imagine someone who is in charge of a lot of objects dies…
tech-c / admin-c
associate the handles with the role > done!

DATABASE updates

use webupdates (easiest)
if you want to play > use the sandbox (RIPE test database)

first time registration: Use the “new object” wizard if your organization does not have a maintainer/org object
it will create a person and a maintainer

ROLE objects need to be two words

When asked for a NIC handle while creating the role do NOT use your person’s nic handle
use auto-1 to create one
under “admin-c” add your maintainer

Example Telecity:
Persons (engineers) have objects
they are added to tech-c and (if authorized) to the admin-c role object
the telecity maintainer has members, too
your person NIC should _not_ have the same maintainer
you might leave your organization one day

LIR portal – what do do there?
edit registry data queries and updates
also: ASN resources, ip analyser
lots of API’s available!

LIR portal and RIPE database are protected by different models / mechanisms
the one is public, the other is confidential

Exercise: first day as a LIR: “request resources” should go LAST

a mnt-routes object guards creation of a route/route6 object
a mng-domains object guards the reverse delegation (see PTR’s / mail servers)
— it should contain your nameservers (slide 54)

transfer allocations: allowed between RIPE members – 80% rule applies
> inter-RIR transfers in discussion (proposal 2012-03)

request PI space:
no ipv4 without ipv6!
request org, person and mntner objects!
send request form, end user agreement and registration KvK/company house to RIPE
sponsoring LIR is needed

no LIR? find a new one or become one!
if not? > return space!
see slide 59!!! there is now a fee for P.I. space > include into contract

RPKI digital certificate:
issue certificates with registration
a ROA is a ROUTE object signed by a certificate (by the LIR)
one cert for all allocations
“chain of trust”
AS32 can announce this address range – incorporate into routers
>> BGP origin validation!
important: this is not obligatory

you can group customer assignments (4096 x /48) into one large assignment (like, a /36)
IPv6 status: Aggregated by LIR
assignment-size: 48
mnt-by: MNT-LIR

infrastructure assignments:
P2P links, access points, etc…
grey area: colo locations, hosting, housing

xbox360 revival

Sunday, December 16th, 2012

it seems unbelievable but I actually managed to revive two xbox 360 consoles from the RROD death
using these guides (attached as PDF) – it can be done!
so far I have refused to drill holes and replace the X-clamps with screws but I might do that in the future
just used fresh thermal compound and bent the x-clamps to clamp a bit tighter on that heatsink (eliminating any movement)
I did do the overheating part, just to torture the console a bit :P

the airflow guide is also something I will do tonight, can’t hurt :P
http://www.instructables.com/id/Fix-the-Red-Ring-of-Deathwithout-towels/

original instructions and opening guide:
http://www.llamma.com/xbox360/repair/xbox-360-repair.htm
http://www.llamma.com/xbox360/repair/ring_of_light_x-clamp_fix.htm
http://www.llamma.com/xbox360/repair/Xbox-360-Disassembly.htm

TRIM for 10.6.8

Sunday, November 18th, 2012

stolen from:
Keeping TRIM on Snow Leopard 10.6.8 Update

cd /System/Library/Extensions/IOAHCIFamily.kext\
/Contents/PlugIns/IOAHCIBlockStorage.kext/Contents/MacOS/

sudo cp -pX IOAHCIBlockStorage ~IOAHCIBlockStorage

sudo perl -pi -e \
‘s|\x41\x50\x50\x4c\x45\x20\x53\x53\x44|\x00\x00\x00\x00\x00\x00\x00\x00\x00|g’ \
IOAHCIBlockStorage

sudo rm /System/Library/Caches/com.apple.kext.caches/Startup/Extensions.mkext

sudo touch /System/Library/Extensions/

>> Maintenance, etc.. reboot and it should work

techie Wish-List (for 2012)

Tuesday, November 6th, 2012

XBOX 360 with 2 controllers and Skyrim (249,- Euro)
http://www.mediamarkt.nl/mcs/product/MICROSOFT-Xbox-360-250GB-Starter-Pack,10259,350957,449704.html

Apple TV (99,- Euro)
http://store.apple.com/us/browse/home/shop_ipod/family/apple_tv

NAS project (560,- Euro)
https://plus.google.com/u/0/106273092865405563044/posts/PkaWvSpkqqe

HP-WWAN (2300) card under Ubuntu 11.10

Wednesday, April 25th, 2012

seems the WWAN (3G module) is not switched by the hardware switch in my Compaq 6910p under Ubuntu 11.10
In Windows I need to run some tool that is branded by Vodafone, in ubuntu now there is rfkill.

andreasr@komm-pack:/sys/class/rfkill$ rfkill list
0: hci0: Bluetooth
Soft blocked: no
Hard blocked: no
1: phy0: Wireless LAN
Soft blocked: no
Hard blocked: no
2: hp-wifi: Wireless LAN
Soft blocked: no
Hard blocked: no
3: hp-bluetooth: Bluetooth
Soft blocked: no
Hard blocked: no
4: hp-wwan: Wireless WAN
Soft blocked: yes < ---------- Hard blocked: no

so we do:

andreasr@komm-pack:/sys/class/rfkill$ sudo rfkill unblock 4

result:

andreasr@komm-pack:/sys/class/rfkill$ rfkill list
0: hci0: Bluetooth
Soft blocked: no
Hard blocked: no
1: phy0: Wireless LAN
Soft blocked: no
Hard blocked: no
2: hp-wifi: Wireless LAN
Soft blocked: no
Hard blocked: no
3: hp-bluetooth: Bluetooth
Soft blocked: no
Hard blocked: no
4: hp-wwan: Wireless WAN
Soft blocked: no < ----------- Hard blocked: no andreasr@komm-pack:/sys/class/rfkill$

and there it is:

disable again by using "rfkill block"

Linux (Ubuntu/GRUB) on ASUS P5Q-E

Thursday, January 28th, 2010

To successfully install Linux on ASUS’ P5Q-E motherboard the following _must_ be done (and will fail when you reset the BIOS)

1. Under MAIN / Storage Configuration, ‘configure
SATA as’ must be set to [AHCI]. This allowed the kernel to find my disks
and boot.

2. I experienced some weird USB problems while booting, and so under
ADVANCED / USB Configuration, I had to change ‘BIOS EHCI
Hand-Off’ to [Disabled].

3. For good luck, I also made sure ACPI 2.0 was enabled under power
saving. (off by default)

I have not heard from anyone getting Q-fan and/or EPU 6-engine (ASUS’ power saving / dynamic under-/overclocking software) to work under Linux.

Pity…

Customize the Snow Leopard Guest login

Sunday, January 17th, 2010

Customize the Snow Leopard Guest login.