http://code.google.com/p/wifite/
http://www.aircrack-ng.org/doku.php?id=cracking_wpa&s[]=wpa&s[]=crack
!# linux (chrunchbang)
trying out this debian-based distro as ubuntu is getting a bit boring
I expect to learn more using a “proper” debian I thing – openbox is a bit tricky as a window manager (opposed to a desktop manager / environment)
note: apt-get dist-upgrade apparently replaced upgrade
problems/solutions/more nifty ideas:
https://debianhelp.wordpress.com/2012/10/02/crunchbang-11-waldorf-debian-wheezy-os/
http://crunchbanglinux.org/wiki/howto_pages
some thoughts on laptop / sensors:
lm-sensors
sensors-detect
stuff to add:
apt-get install unace rar unrar p7zip zip unzip p7zip-full p7zip-rar sharutils uudeview mpack arj cabextract file-roller audacious
apt-get install w64codecs libdvdcss2 gstreamer0.10-fluendo-mp3 ffmpeg sox twolame vorbis-tools lame faad gstreamer0.10-ffmpeg gstreamer0.10-plugins-bad
apt-get install ttf-mscorefonts-installer
apt-get install gstreamer0.10-ffmpeg gstreamer0.10-fluendo-mp3 gstreamer0.10-gnonlin gstreamer0.10-plugins-bad gstreamer-tools
apt-get install libxine1-ffmpeg gxine mencoder mpeg2dec vorbis-tools id3v2 mpg321 mpg123 libflac++6 ffmpeg libmp4v2-2 totem-mozilla icedax tagtool easytag id3tool lame libmad0 libjpeg-progs libquicktime2 flac faac faad sox ffmpeg2theora libmpeg2-4 uudeview flac libmpeg3-1 mpeg3-utils mpegdemux liba52-0.7.4-dev
use these repositories for xv (gxine wants it)
deb http://debian.physik.hu-berlin.de/addons wheezy /
#deb-src http://debian.physik.hu-berlin.de/addons wheezy /
now let’s save some power
create /etc/pm/power.d/powersave
thanks to:
#!/bin/sh
# A script to enable laptop power saving features for #! & Debian GNU+linux.
# http://crunchbanglinux.org/forums/topic/11954
# List of modules to unload, space seperated. Edit depending on your hardware and preferences.
modlist="uvcvideo"
# Bus list for runtime pm. Probably shouldn't touch this.
buslist="pci spi i2c"
case "$1" in
true)
# Enable some power saving settings while on battery
# Enable laptop mode
echo 5 > /proc/sys/vm/laptop_mode
# Less VM disk activity. Suggested by powertop
echo 1500 > /proc/sys/vm/dirty_writeback_centisecs
# Intel power saving
echo Y > /sys/module/snd_hda_intel/parameters/power_save_controller
echo 1 > /sys/module/snd_hda_intel/parameters/power_save
# Set backlight brightness to 50%
echo 5 > /sys/devices/virtual/backlight/acpi_video0/brightness
# USB powersaving
for i in /sys/bus/usb/devices/*/power/autosuspend; do
echo 1 > $i
done
# SATA power saving
for i in /sys/class/scsi_host/host*/link_power_management_policy; do
echo min_power > $i
done
# Disable hardware modules to save power
for mod in $modlist; do
grep $mod /proc/modules >/dev/null || continue
modprobe -r $mod 2>/dev/null
done
# Enable runtime power management. Suggested by powertop.
for bus in $buslist; do
for i in /sys/bus/$bus/devices/*/power/control; do
echo auto > $i
done
done
;;
false)
#Return settings to default on AC power
echo 0 > /proc/sys/vm/laptop_mode
echo 500 > /proc/sys/vm/dirty_writeback_centisecs
echo N > /sys/module/snd_hda_intel/parameters/power_save_controller
echo 0 > /sys/module/snd_hda_intel/parameters/power_save
echo 10 > /sys/devices/virtual/backlight/acpi_video0/brightness
for i in /sys/bus/usb/devices/*/power/autosuspend; do
echo 2 > $i
done
for i in /sys/class/scsi_host/host*/link_power_management_policy
do echo max_performance > $i
done
for mod in $modlist; do
if ! lsmod | grep $mod; then
modprobe $mod 2>/dev/null
fi
done
for bus in $buslist; do
for i in /sys/bus/$bus/devices/*/power/control; do
echo on > $i
done
done
;;
esac
exit 0
dont forget to make it executable!
more info on powersaving on linux:
Replace ice weasel with Firefox
install from ubuntuzilla repo
add to sources.list: deb http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main
apt-key adv –recv-keys –keyserver keyserver.ubuntu.com C1289A29
apt-get install firefox, thunderbird, seamonkey
change / create symlink in /usr/bin
ln -s /opt/firefox/firefox /usr/bin/firefox
ln -s /usr/lib/mozilla/plugins /opt/firefox/plugins
(use -f to overwrite if exists in /opt)
update-alternatives –install /usr/bin/x-www-browser x-www-browser /opt/firefox/firefox 100
install adblockplus, java, flash?
apt-get install default-jre
# apt-cache search sun-java (find oracle-something)
what else… ? see chrunchbang thread for ideas :)
http://techpatterns.com/forums/about1435.html
http://crunchbang.org/forums/viewtopic.php?pid=271769
install keyring, GPG keys, SSH keys
.ssh/ needs to be 700, the actual key 600
don’t forget to add it to the system using ‘ssh-add’ – see below for more tips
easier: install ‘keychain’ and tie it to the terminal to unlock ssh key
update your $HOME/.bash_profile file
$ vi $HOME/.bash_profile
Append the following code:
### START-Keychain ###
# Let re-use ssh-agent and/or gpg-agent between logins
/usr/bin/keychain $HOME/.ssh/id_rsa
source $HOME/.keychain/$HOSTNAME-sh
### End-Keychain ###
this will work for shell – add it for “terminator” aswell, the default for !#
next, install mosh,
Apt-get install mosh
open a port on the remote server between 60000 and 61000 and apply it to the raspi as server
take over a screen session using mosh:
$ mosh remotebox — screen -dr
raspberry installation
so I got this raspberry with free transit and hosting so I thought I’d turn it into a chat server, VPN/proxy server and a remote nagios probe
log:
after setting up hostnames and hosts file and manipulating my DNS settings
A-record, AAAA-record set up
/etc/hostname replaced with FQDN (matching DNS)
/etc/hosts amended with:
ip.ad.dr.ess fully.qualified.domain.name fully
[IPv6 address] fully.qualified.domain.name fully
reboot and test ssh to it, etc..
then:
apt-get install nagios-nrpe-server irssi irssi-scripts
consider:
iptables
logrotation
set up irssi with screen:
very nice website: http://quadpoint.org/articles/irssi
split-screen notify is nice
the hilight script makes it even better:
To do this, first load the script. The script I use is a modified version of cras’s hilightwin.pl that logs timestamps as well. It is available here: http://static.quadpoint.org/irssi/hilightwin.pl
Put the script in ~/.irssi/scripts/autorun/ and type /run autorun/hilightwin.pl in irssi.
Next, create the split window. This is done with the /window command. See /help window for details on how this works.
/window new split
/window name hilight
/window size 6
another nice idea: auto-away inside screen:
/set screen_away_active ON
/set screen_away_message
/set screen_away_nick <-- optional.. Annoys people
Download: scripts.irssi.org/scripts/screen_away.pl
Install mosh
http://mosh.mit.edu/#getting
RIPE NCC 25/09/2013 IPv6 for LIRs course
compress IPv6 addresses with double colons from the left to the right
also don’t compress a single quad of 4 zeroes
(read RFCs if wanted)
Status “ASSIGNED PA” becomes “ASSIGNED”
AGGREGATED-BY-LIR is new: put all your /56’s that you assign to customers there
use “assignment-size” switch to show how big the assignments are
sub-allocated-pa becomes “allocated-by-lir”
see: http://www.ripe.net/lir-services/resource-management/faq/sub-allocation
INFRASTRUCTURE is a
getting PI IPv6 space:
minimum /48
NO SUB-ASSIGNMENTS!!! Never.
example Fridge6:
4000 fridges – each with internet, security, alerting and wifi router
transition mechanisms
6in4?
6to4 uses anycast!
6RD > relay operations!
NAT64!
DNS64
464xlat > fixes the problems NAT64/DNS64 causes
DS-lite – tunnel ipv4 over ipv6
conclusion: DUAL-STACK while you can
it is still possible!
use /64’s for Loopbacks!
network design: Take the router with the most interfaces and prepare for a /64 per interface
STANDARDIZE!
don’t assign different sizes for routers
imagine: Nexus 7000 – maximum port density?
256 interfaces per router is assumed so /56 per router
or /52 per router, 4096 x /64 per port
/40 per router/switch that can handle customers > 256 x /48 possible
the number of hosts in a /64 is irrelevant!
SLAAC
flip the bit and use EUI-64
listen to RA’s
a router’s response will contain:
– address of router
– prefixes allowed on link
– SLAAC allowed?
– MTU
problem: Privacy! – same MAC address
solution: Privacy extensions (random ID)
“managed” flag forces DHCPv6
security:
use RA guard
disable RA’s (cisco)
human error!!!
colo checklist:
set ACLs
set SNMP (and protect)
have DNS working
SLAAC can assign you a subnet “unexpectedly”
not all firewalls support ipv6
be careful with “ipv6 ready”
DSL provider:
/48 per pop
/56 per router
/64 per interface
servers:
don’t use EUI-64!
no autoconfig
port number for services > IPv6 addresses!
set gateway manually
in the CORE: USe /64 per link – ::1 and ::2 stuff
easy to remember
RIPE tools:
download RIPE 554 and “what to do with IPv6”
> stars get t-shirt
RIPE NCC 24/09/2013 Routing Security Training
Intro
IRR / Internet routing registry (irr.net)
RIPE db is actually a subset of the IRR
some objects are part of both (ROUTE/AS-Numbers)
why all that? Question: “Is this ASN authorized to announce this IP range?”
Problem: Legacy space
Bigger Problems: ISP’s might not ask for ROUTE object and just announce IP address space – who holds them back?
> one way is to use ROUTE objects
the IRR is composed of 43 databases, RIPE is one of them, RPSL and Level3 are others..
the more south/east you go the less requirements you will have to announce a prefix (probably only a bag of money)
Issue/Challenge: Roting and the database are related / not the same
annouce? accept? >> RPSL!
~85% match between RIPE and BGP
database
primary lookup key for persons:
– handle
– email
primary lookup key for inetnum:
– netname
– ip range
what is a primary lookup?
query: “-v inetnum”
The inetnum class:
An inetnum object contains information on allocations and
assignments of IPv4 address space.
inetnum: [mandatory] [single] [primary/lookup key]
netname: [mandatory] [single] [lookup key]
descr: [mandatory] [multiple] [ ]
country: [mandatory] [multiple] [ ]
geoloc: [optional] [single] [ ]
language: [optional] [multiple] [ ]
org: [optional] [single] [inverse key]
now you have an assignment: 80.252.80.0 which results:
inetnum: 80.252.80.0 - 80.252.81.255
netname: TC-IS_SERVICES
descr: TelecityGroup customer Services/IS
country: NL
remarks: In case of abuse please email: abuse@telecity.com
admin-c: TA515-RIPE
tech-c: TT556-RIPE
status: ASSIGNED PA
mnt-by: TELECITY-MNT
mnt-by: TELECITY-NL-MNT
source: RIPE #Filtered
which is an assignment – but what is the allocation?
either: Do -L –no-personal x.x.x.x
or do inverse search!
-i org ORG-TP3-RIPE
shows all assignments for Telecity’s ORG ID
useful: -i person and your company handle!
example: -i person AR10441-RIPE
shows where you are allocated
remember to PROTECT objects and create ROLE OBJECTS
do not assign people to admin-c/tech-c
RIPE will never allow you to be MNT-BY in an inetnum or ASN
only mnt-lower, mnt-routes, mnt-domains (for PTRs)
so if you want to edit a ROUTE(6) object:
you need up to THREE passwords!
AS number
INET(6)NUM
ROUTE(6)
problem: Customer doesn’t want you to have his maintainer passwords
Solution: Create a mnt-routes in the INET(6)num and add the customer’s maintainer object there!
Alternative: customer has to add our maintainer in his AS number as “mnt-routes”
both will work
**EXERCISES**
Chapter 2: BGP/routing
AS-path prevents loops!
protect ASN
protect ROUTE
protect INETNUMs
protect ALL THE THINGS
RPSL
filtering ideas:
RegExp – exclude idividual ASN’s from the path?
blah.. complicated .. do not want
Tools
use them!
> IRRToolset can create configs
RPSLtool
IRR powertool
level3 filtergen
and so on
RPKI
does the same thing than the routing registry – but different
(route object on steroids)
ideal: use both!
is that ASN authorized to announce the IP range
so what makes RPKI easier / better?
– usable toolset
– integrated in routers
Use the certificate from RIPE to create ROA’s (resource origin something)
it states what AS the address range is announced from
and teh max. length
multiples possible, overlap possible
“invalid” comparison only when different ASN announces (or not matching prefix )
invalid ROA != invalid BGP announcement
Validator runs locally at your company
fetches data from RIPE via rsync
router runs the validation software in 7600, ASR9K is in early field trials
more RPKI
RIPE NCC 23/09/2013 LIR training notes
RIPE NCC database lookups TIPS
– use -r (blocks recursive lookups)
or better
– use –no-personal to block searching person objects
failure to do so will get you blocked quickly!
– an ASN without an AUT-NUM can not be announced without a ROUTE object
– an AUT-NUM is for an AS number
– a ROUTE object combines inetnum and aut-num
(more stuff goes here)
MAINTAINER
want to use PGP key instead? (or x.509 object)
> create key-cert object
> associate the public PGP key with it
> add extra line to MNT object: PGPKEY-id (in single text area edit)
> once PGP is in there you’ll have to update the object and sign it using your private key
adding multiple AUTH objects works (password and PGP and cert)
BUT: adding multiple maintainers to a person object will _not_ make it more secure – just adds more gates to the castle
large companies: need ROLE object!
imagine someone who is in charge of a lot of objects dies…
tech-c / admin-c
associate the handles with the role > done!
DATABASE updates
use webupdates (easiest)
if you want to play > use the sandbox (RIPE test database)
first time registration: Use the “new object” wizard if your organization does not have a maintainer/org object
it will create a person and a maintainer
ROLE objects need to be two words
When asked for a NIC handle while creating the role do NOT use your person’s nic handle
use auto-1 to create one
under “admin-c” add your maintainer
Example Telecity:
Persons (engineers) have objects
they are added to tech-c and (if authorized) to the admin-c role object
the telecity maintainer has members, too
your person NIC should _not_ have the same maintainer
you might leave your organization one day
LIR portal – what do do there?
edit registry data queries and updates
also: ASN resources, ip analyser
lots of API’s available!
LIR portal and RIPE database are protected by different models / mechanisms
the one is public, the other is confidential
Exercise: first day as a LIR: “request resources” should go LAST
a mnt-routes object guards creation of a route/route6 object
a mng-domains object guards the reverse delegation (see PTR’s / mail servers)
— it should contain your nameservers (slide 54)
transfer allocations: allowed between RIPE members – 80% rule applies
> inter-RIR transfers in discussion (proposal 2012-03)
request PI space:
no ipv4 without ipv6!
request org, person and mntner objects!
send request form, end user agreement and registration KvK/company house to RIPE
sponsoring LIR is needed
no LIR? find a new one or become one!
if not? > return space!
see slide 59!!! there is now a fee for P.I. space > include into contract
RPKI digital certificate:
issue certificates with registration
a ROA is a ROUTE object signed by a certificate (by the LIR)
one cert for all allocations
“chain of trust”
AS32 can announce this address range – incorporate into routers
>> BGP origin validation!
important: this is not obligatory
you can group customer assignments (4096 x /48) into one large assignment (like, a /36)
IPv6 status: Aggregated by LIR
assignment-size: 48
mnt-by: MNT-LIR
infrastructure assignments:
P2P links, access points, etc…
grey area: colo locations, hosting, housing
be a (male) ally to women
http://michaelurbina.com/101-everyday-ways-for-men-to-be-allies-to-women/
http://www.ihollaback.org/
http://amptoons.com/blog/the-male-privilege-checklist/
this post is about how to become aware of sexism that is happening every day…
first we need to understand the “male privilege”
once we are aware of that we can become allies that women don’t have to fear but can live with
I am for improvement but reading this list makes me sad because I recognize a lot of these items – and some even in myself.
Hamburger patties – the quest for the perfect ones
Looking for more tasty (and cheaper) hamburger patties so I decided to check and try out a lot of recipes
So far this is the ideal candidate but it lacks some bite…
500 g beef mince (organic! Totally worth it!)
1 onion, finely chopped
1 beef stock cube, crumbled
2 tablespoons tomato sauce
2 tablespoons barbeque sauce
2 teaspoons garlic (chopped fine)
20 mL port or red wine (optional compulsory!)
¼ cup flour
2 eggs, beaten
1 teaspoon mixed herbs (which?)
2 teaspoons Worcestershire sauce
1 carrot, grated
Canola oil / olive oil
When too soft mix with breadcrumbs
These work for BBQ and for the pan
unibeast
I might actually give unibeast a try…
http://www.tonymacx86.com/61-unibeast-install-os-x-mountain-lion-any-supported-intel-based-pc.html
OUTDATED – customizing Ubuntu GNOME
this is no longer relevant – Ubuntu Gnome is now quite mature and doesn’t need these teaks anymore…
I recently switched to Ubuntu GNOME (as I remove Unity all the time anyway)
Soooo.. here the recipe for “my” Ubuntu:
1) install Ubuntu GNOME distro
2) enable partner and proposed updates
Software updater > Settings > Software sources > Tab “updates” and enable backports and proposed
Close and run a update and upgrade cycle
2a) for Compaq 6910p: (high speed fans on after resume)
sees this is fixed in Kernel 3.9 but tuxonice depends on 3.8 so will have to work around:
Create the file â€/etc/pm/sleep.d/99fancontrol.shâ€, insert the code below and chmod 755 it. Script:
make worker script /bin/fan.sh
#!/bin/bash
# fan spindown for hp nx9420
# @see https://bugzilla.redhat.com/show_bug.cgi?id=895276#c18
cd /sys/class/thermal/
echo 0 > cooling_device0/cur_state
echo 0 > cooling_device1/cur_state
echo 0 > cooling_device2/cur_state
echo 0 > cooling_device3/cur_state
echo 0 > cooling_device4/cur_state
echo 0 > cooling_device5/cur_state
echo 0 > cooling_device6/cur_state
# optional
# echo 0 > cooling_device7/cur_state
# echo 0 > cooling_device8/cur_state
# echo 0 > cooling_device9/cur_statemake controller script /etc/pm/sleep.d/99_fan
#!/bin/sh
# fan spindown controller script
# @see https://bugzilla.redhat.com/show_bug.cgi?id=895276#c18
case “$1” in
hibernate|suspend)
;;
thaw|resume)
/bin/fan.sh
;;
*) exit $NA
;;
esacmake both scripts runnable:
chmod +x /bin/fan.sh
chmod +x /etc/pm/sleep.d/99_fanWhen computer goes from sleep the power management runs all /etc/pm/sleep.d/ scripts. The fan will spin down.
The script is run as root so we don’t need to make sudo magic here.
The spindown takes few seconds so one can hopefully hear when this bug is fixed and the fan won’t go crazy right after resume.
3) Use ubuntuguide.org to get valuable input such as:
ubuntu-restricted-extras
GnomeDo, STEAM, X-chat, Pidgin (with OTR support), Thunderbird, Enigmail, Adblock/Flashblock/HTTPS everywhere, audacious, VLC, f.lux
and remove openoffice stuff, etc..
Import your GPG keys and certificates
4) install tuxonice / re-enable suspend in the menus
disable encryped swap
http://codenachos.com/view/ubuntu-enable-and-disable-swap-encryption
#enable encryption
sudo ecryptfs-setup-swap
#disable encryption (allows hibernation)
sudo swapoff -a
sudo cryptsetup remove /dev/mapper/cryptswap1
sudo cp /etc/crypttab /etc/crypttab_bk
sudo vim /etc/crypttab
#remove the /dev/sda5 line
sudo /sbin/mkswap /dev/sda5
sudo swapon /dev/sda5
sudo cp /etc/fstab /etc/fstab_bk
sudo vim /etc/fstab
#replace /dev/mapper/cryptswap1 with /dev/sda5 (or the correct UUID)
replace menus
create file: /var/lib/polkit-1/localauthority/50-local.d/hibernate.pkla
add this:
[Re-enable Hibernate]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes
this should allow hibernation
check ‘sudo pm-hibernate’ if everything works – consider installing “hibernate” package
cosmetic stuff:
gconftool-2 -s /apps/gnome-session/options/show_splash_screen -t bool false
also remove quiet and splash from grub (using grub-customizer?)
bonus:
https://extensions.gnome.org/extension/5/alternative-status-menu/