[UPDATE 2015 12 13]
How about being able to control your entire home temperature, hot water, central heating and so on through your smartphone over the internet?
You are going to think that this is a dangerous IoT (Internet of Things) device that exposes your privacy to unknown attackers, and that your smart home is going to be under the control of an evil company.
What if I told you that you can build your own smart controller with an open design/open hardware and free software for about €100?
Crazy, right?
Actually there is a project that does exactly all of the above and much more, and it is based on a Raspberry Pi.
Let me introduce you to HestiaPi.
The name comes from the Greek word εστία, and everything you need to get started has already been published by the core developer on their site.
The team behind this awesome project will host/run an open, free-entrance two-day Hackathon at Athens Hackerspace in 2016.
If you are curious about the project, visit hackerspace.gr and be part of this amazing project.
First remove NetworkManager:
# systemctl stop NetworkManager
# systemctl disable NetworkManager
rm '/etc/systemd/system/multi-user.target.wants/NetworkManager.service'
rm '/etc/systemd/system/dbus-org.freedesktop.NetworkManager.service'
rm '/etc/systemd/system/dbus-org.freedesktop.nm-dispatcher.service'
# yum -y remove NetworkManager*
# /usr/bin/rm -rf /etc/NetworkManager
If you want to be more productive you should also clean your system of FirewallD, install iptables-services and, if you are going to install a Red Hat product, disable SELinux as its manual is going to suggest!
Now we can proceed.
# systemctl status network.service
will show us /etc/rc.d/init.d/network as the network orchestrator on the system.
Reading this file will give you a basic understanding of the networking setup.
if [ ! -f /etc/sysconfig/network ]; then
exit 6
fi
This tells us that the file /etc/sysconfig/network must exist on our system.
If you want to disable networking on this Linux machine you can do it by adding the declaration below:
NETWORKING=no
So here are my notes for bonding:
eth0 + eth1 = bond0 with Adaptive transmit load balancing:
# cat /etc/sysconfig/network-scripts/ifcfg-em1
DEVICE=em1
MASTER=bond0
SLAVE=yes
# cat /etc/sysconfig/network-scripts/ifcfg-em2
DEVICE=em2
MASTER=bond0
SLAVE=yes
and bond0:
DEVICE=bond0
BONDING_OPTS="miimon=1 updelay=0 downdelay=0 mode=balance-tlb"
TYPE=Bond
BONDING_MASTER=yes
DNS1=xxx.xxx.xxx.xxx
GATEWAY=8.8.8.8
IPADDR=xxx.xxx.xxx.1
PREFIX=24
DEFROUTE=yes
BOOTPROTO=none
ONBOOT=yes
and as Yoda would say:
“else everything do not need you”
I had the opportunity to participate in an Athens Hackerspace event with a dozen Debian developers about the issue of reproducible package builds in distributions.
I had never thought about this before, and the presentation blew me away!
So here is the deal: if you download the latest openssl package from an Arch Linux mirror (what Arch Linux users would normally do):
# pacman -Sw openssl
What if we tried to build openssl ourselves from the PKGBUILD file?
# cd /var/abs/core/openssl
$ makepkg -cf
==> Making package: openssl 1.0.2.e-1 (Sun Dec 6 13:07:08 EET 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Found openssl-1.0.2e.tar.gz
-> Found openssl-1.0.2e.tar.gz.asc
-> Found no-rpath.patch
-> Found ca-dir.patch
==> Validating source files with md5sums...
openssl-1.0.2e.tar.gz ... Passed
openssl-1.0.2e.tar.gz.asc ... Skipped
no-rpath.patch ... Passed
ca-dir.patch ... Passed
==> Verifying source file signatures with gpg...
openssl-1.0.2e.tar.gz ... Passed
==> Extracting sources...
-> Extracting openssl-1.0.2e.tar.gz with bsdtar
==> Starting prepare()...
...
...
...
==> Leaving fakeroot environment.
==> Finished making: openssl 1.0.2.e-1 (Sun Dec 6 13:11:06 EET 2015)
==> Cleaning up...
Let’s check the md5sum:
# md5sum /var/cache/pacman/pkg/openssl-1.0.2.e-1-x86_64.pkg.tar.xz /var/abs/core/openssl/openssl-1.0.2.e-1-x86_64.pkg.tar.xz
b555ac4294a2f39ef0caa19e21a28355 /var/cache/pacman/pkg/openssl-1.0.2.e-1-x86_64.pkg.tar.xz
08755bad654f74b8a1c4c5386934aeea /var/abs/core/openssl/openssl-1.0.2.e-1-x86_64.pkg.tar.xz
wat ???
Why aren't the two files exactly the same?
Let's find out what the differences between these two files are by using diffoscope:
diffoscope --html /tmp/openssl.html /var/cache/pacman/pkg/openssl-1.0.2.e-1-x86_64.pkg.tar.xz /var/abs/core/openssl/openssl-1.0.2.e-1-x86_64.pkg.tar.xz
Fire up an HTML browser and open /tmp/openssl.html.
Read the output carefully; most of the differences are timestamps.
So what is all this fuss about?
There is actually a huge problem: we trust our distributions for privacy and security.
But what if governments have already compromised FTP mirrors, or we have already installed backdoored software through a MITM attack?
That is what core developers from major distributions are fighting as we speak: they are trying to engage more core developers and find a way to redistribute reproducible builds, so that you can actually verify a package build on your own PC.
Need to know more?
Click here: reproducible-builds
Can you help?
Take a look at diffoscope.
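The md5sum mismatch above is only the first signal; what matters is whether the two archives differ in content or only in metadata such as timestamps. As an added example (not part of the original post, and not pacman or diffoscope code), the following Python script does that member-by-member comparison in miniature: it builds two constructed, package-like .tar.xz archives that differ in one file's content and in every file's mtime, then reports which members differ in content and which only in timestamp. File names, contents and timestamps are made-up sample data.

```python
import hashlib
import io
import tarfile

def build_archive(files, mtime):
    """Pack {name: bytes} into an in-memory .tar.xz with one fixed mtime."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def archive_members(blob):
    """Return {member name: (sha256 of content, mtime)} for every regular file."""
    members = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:xz") as tar:
        for info in tar.getmembers():
            if info.isfile():
                data = tar.extractfile(info).read()
                members[info.name] = (hashlib.sha256(data).hexdigest(), info.mtime)
    return members

def compare_archives(blob_a, blob_b):
    """Classify the differences between two archives, roughly as one reads a diffoscope report."""
    a, b = archive_members(blob_a), archive_members(blob_b)
    report = {
        "whole_file_equal": hashlib.sha256(blob_a).digest() == hashlib.sha256(blob_b).digest(),
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "content_diff": [],   # members whose bytes differ: the ones worth investigating
        "mtime_only": [],     # members identical in content, differing only in timestamp
    }
    for name in sorted(set(a) & set(b)):
        if a[name][0] != b[name][0]:
            report["content_diff"].append(name)
        elif a[name][1] != b[name][1]:
            report["mtime_only"].append(name)
    return report

# Constructed sample data: a "mirror" package and a local rebuild of it a few minutes later.
COMMON = {
    ".PKGINFO": b"pkgname = openssl\npkgver = 1.0.2.e-1\n",
    "usr/lib/libssl.so": b"\x7fELF fake library bytes\n",
}
MIRROR_PKG = build_archive({**COMMON, ".BUILDINFO": b"builddate = 1449400028\n"}, 1449400028)
LOCAL_PKG = build_archive({**COMMON, ".BUILDINFO": b"builddate = 1449400266\n"}, 1449400266)

def sample_report():
    return compare_archives(MIRROR_PKG, LOCAL_PKG)

if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

The split between `content_diff` and `mtime_only` is the whole point of a reproducibility review: timestamp-only noise is what the build system should normalize away, while any member in `content_diff` needs an explanation before the package can be called reproducible.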
Some companies have only just started to dual-stack (IPv4 & IPv6) their infrastructure, like twimg (the site that hosts Twitter's images).
Reminder: IPv6 is preferred on the Internet (by design).
query[AAAA] pbs.twimg.com from 192.168.1.4
pbs.twimg.com to xxx.xxx.xxx.xxx
reply pbs.twimg.com is
reply ipv6.twimg.com is 2606:1f80:a000:102::2
reply ipv6.twimg.com is 2606:1f80:a000:106::2
reply ipv6.twimg.com is 2606:1f80:a000:105::2
reply ipv6.twimg.com is 2606:1f80:a000:107::2
reply ipv6.twimg.com is 2606:1f80:a000:104::2
reply ipv6.twimg.com is 2606:1f80:a000:100::2
reply ipv6.twimg.com is 2606:1f80:a000:101::2
reply ipv6.twimg.com is 2606:1f80:a000:103::2
query[A] pbs.twimg.com from 192.168.1.4
cached pbs.twimg.com is
forwarded pbs.twimg.com to xxx.xxx.xxx.xxx
reply pbs.twimg.com is
reply ipv6.twimg.com is 104.244.43.103
reply ipv6.twimg.com is 104.244.43.231
reply ipv6.twimg.com is 104.244.43.135
reply ipv6.twimg.com is 104.244.43.39
reply ipv6.twimg.com is 104.244.43.199
reply ipv6.twimg.com is 104.244.43.71
reply ipv6.twimg.com is 104.244.43.7
reply ipv6.twimg.com is 104.244.43.167
but Twitter itself doesn't support IPv6!
query[AAAA] twitter.com from 192.168.1.4
forwarded twitter.com to xxx.xxx.xxx.xxx
reply twitter.com is NODATA-IPv6
query[A] twitter.com from 192.168.1.4
forwarded twitter.com to xxx.xxx.xxx.xxx
reply twitter.com is 199.16.156.102
reply twitter.com is 199.16.156.70
reply twitter.com is 199.16.156.38
reply twitter.com is 199.16.156.6
So below is the result: IPv4 twitter.com calling IPv6 twimg:
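As an added example (not part of the original post), here is a small Python script that turns dnsmasq query-log lines like the ones above into a per-name dual-stack summary: each reply is attributed to the query that preceded it, addresses are bucketed by family, and a NODATA-IPv6 answer is recorded explicitly. The sample log is a constructed, trimmed copy of the lines quoted above; the `<CNAME>` marker is what dnsmasq prints for an alias step (it appears to have been eaten as an HTML tag in the quoted output, which is an assumption on my part).

```python
import ipaddress
import re

QUERY_RE = re.compile(r"query\[(A|AAAA)\] (\S+) from (\S+)")
REPLY_RE = re.compile(r"reply (\S+) is (\S+)")

# Constructed sample: a trimmed copy of the dnsmasq log lines quoted in the post.
SAMPLE_LOG = """\
query[AAAA] pbs.twimg.com from 192.168.1.4
forwarded pbs.twimg.com to xxx.xxx.xxx.xxx
reply pbs.twimg.com is <CNAME>
reply ipv6.twimg.com is 2606:1f80:a000:102::2
reply ipv6.twimg.com is 2606:1f80:a000:106::2
query[A] pbs.twimg.com from 192.168.1.4
reply pbs.twimg.com is <CNAME>
reply ipv6.twimg.com is 104.244.43.103
reply ipv6.twimg.com is 104.244.43.231
query[AAAA] twitter.com from 192.168.1.4
forwarded twitter.com to xxx.xxx.xxx.xxx
reply twitter.com is NODATA-IPv6
query[A] twitter.com from 192.168.1.4
reply twitter.com is 199.16.156.102
reply twitter.com is 199.16.156.70
"""

def dual_stack_summary(lines):
    """Attribute each reply to the preceding query and bucket the answers by address family."""
    summary = {}
    current = None  # name of the most recent query; its replies follow it in the log
    for line in lines:
        q = QUERY_RE.search(line)
        if q:
            current = q.group(2)
            summary.setdefault(current, {"A": set(), "AAAA": set(), "nodata_ipv6": False})
            continue
        r = REPLY_RE.search(line)
        if not r or current is None:
            continue
        answer = r.group(2)
        entry = summary[current]
        if answer == "NODATA-IPv6":
            entry["nodata_ipv6"] = True
            continue
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            continue  # "<CNAME>" markers and other non-address answers
        entry["AAAA" if addr.version == 6 else "A"].add(str(addr))
    return summary

def has_dual_stack(summary, name):
    entry = summary[name]
    return bool(entry["A"]) and bool(entry["AAAA"])

def ipv4_only_names(summary):
    """Names that answered over IPv4 but produced no AAAA record at all."""
    return sorted(n for n, e in summary.items() if e["A"] and not e["AAAA"])

if __name__ == "__main__":
    result = dual_stack_summary(SAMPLE_LOG.splitlines())
    for name, entry in result.items():
        print(name, "dual-stack" if has_dual_stack(result, name) else "IPv4 only", entry)
```

Run against a real dnsmasq log (with `log-queries` enabled) the same function gives a quick inventory of which of your frequently used names are still IPv4-only, which is exactly the twitter.com vs twimg split shown above.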
UPDATE Thu Nov 26 11:28:05 EET 2015
Does SPF break forwarding?
(like in mailing lists)
- Yes, it does break forwarding.
So learn from my mistake and think this through.
Wednesday, 25 November 2015
There is a very simple way to add SPF [check] support to your Postfix setup.
Below are my notes on CentOS 6.7.
Step One: install the Python policy daemon for SPF
# yum -y install pypolicyd-spf
Step Two: Create a new postfix service, called spfcheck
# vim + /etc/postfix/master.cf
spfcheck unix - n n - - spawn
user=nobody argv=/usr/libexec/postfix/policyd-spf
Step Three: Add a new smtpd recipient restriction
# vim +/^smtpd_recipient_restrictions /etc/postfix/main.cf
smtpd_recipient_restrictions =
permit_mynetworks,
...
check_policy_service unix:private/spfcheck
policy_time_limit = 3600
And this is what we see in the end, in the source view of the received email:
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=xxx.xxx.xxx.xxx;
helo=server.mydomain.tld; envelope-from=user@mydomain.tld; receiver=username@example.com
where xxx.xxx.xxx.xxx is the IP of the sending mail server,
server.mydomain.tld is the name of the sending mail server,
user@mydomain.tld is the sender's email address
and, of course,
username@example.com is the receiver's mail address.
You can take a better look at the Postfix Python SPF policy daemon by clicking here: python-postfix-policyd-spf
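The Received-SPF header explained above is what you end up reading when debugging a delivery problem, so it helps to pull it apart programmatically. As an added example (not part of the original post and not pypolicyd-spf code), here is a small Python parser that unfolds the header, separates the result and its parenthesised comment, and returns the key=value fields. The sample header is the one from the post, folded over two lines as a mail client would show it; the second sample with a Fail result and the address 203.0.113.9 is constructed. The `client-ip` field is also why SPF breaks forwarding, as the update at the top of the post says: after a mailing list or forwarder relays the message, that field holds the forwarder's address, which the original sender's SPF record never authorized.

```python
import re

# Constructed sample: the header from the post, folded over two lines.
SAMPLE_HEADER = (
    "Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=xxx.xxx.xxx.xxx;\n"
    "\thelo=server.mydomain.tld; envelope-from=user@mydomain.tld; receiver=username@example.com"
)

HEAD_RE = re.compile(
    r"^\s*(?P<result>[A-Za-z]+)\s*(?:\((?P<comment>[^)]*)\))?\s*(?P<rest>.*)$", re.S
)

def parse_received_spf(header):
    """Unfold a Received-SPF header and split it into result, comment and key=value fields."""
    # Folded continuation lines start with whitespace; joining them with a space unfolds the header.
    value = " ".join(part.strip() for part in header.splitlines())
    if value.lower().startswith("received-spf:"):
        value = value.split(":", 1)[1]
    m = HEAD_RE.match(value)
    if not m:
        raise ValueError("not a Received-SPF value")
    fields = {}
    for item in m.group("rest").split(";"):
        key, sep, val = item.strip().partition("=")
        if sep:
            fields[key.strip().lower()] = val.strip()
    return {"result": m.group("result").lower(), "comment": m.group("comment"), "fields": fields}

def spf_passed(header):
    """True only for an explicit Pass; None/Neutral/SoftFail/Fail all count as not passed."""
    return parse_received_spf(header)["result"] == "pass"

if __name__ == "__main__":
    parsed = parse_received_spf(SAMPLE_HEADER)
    print(parsed["result"], parsed["comment"])
    for key, val in parsed["fields"].items():
        print(f"  {key} = {val}")
```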
A few days ago I gave a presentation at FOSSCOMM 2015 about DNS, the OpenNIC Project and DNSCrypt.
So without further ado, here it is: dns_opennic_dnscrypt.pdf
I did a road trip last week and had almost 11 hours to "kill" while driving.
So I downloaded an audio book to keep me company for all those hours.
I chose 'I, Robot', a collection of short stories by Isaac Asimov.
I have to admit that although I was aware of the core beliefs and the Three Laws of Robotics, I had never had the chance to read (or listen to) I, Robot.
These dystopian stories captivated me from the start!
If anyone hasn't yet read these stories, PLZ make yourself a present and read (or listen to) them.
After that, you should really watch the Swedish TV series Real Humans / Äkta människor and/or the British version Humans, which are about androids!
So … it seems that some router hands out DHCP IPv6 prefixes for specific LANs.
The default behaviour of CentOS is to autoconfigure the network interface with the ifup script.
We haven't finished our #ipv6 schema/deployment, so we need to disable this IPv6 autoconfigure feature.
global
# vim /etc/sysconfig/network
NETWORKING_IPV6=no
IPV6FORWARDING=no
IPV6_AUTOCONF=no
interface
# vim /etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=no
Flushing
# ip -6 addr flush eth0
# ip -6 route flush scope global
and finally restart
# service network restart
So at Athens Hackerspace our bots made a new podcast for this season!
If you are a Greek listener, take a look here: botcast s02e01
podcast
This blog post is dedicated to "rwman os" for contacting me to point out that I was wrong!
And indeed I was!! ( <— two exclamation marks)
So this blog post, create true random passwords, has some mistakes and I am here to make amends.
The correct syntax for creating random passwords is this:
$ cat /dev/urandom | tr -dc $'\x21-\x7E' | head -c 21
and after further investigation (with GNU coreutils 8.23) it seems that you can use octal as well:
$ cat /dev/urandom | tr -dc '\041-\176' | head -c 21
This is a list of podcasts I listen to on a regular basis
- Security Now Steve Gibson and Leo Laporte podcast about security news
- Hacker Public Radio Various podcasts, mostly about free software
- Talk Python To Me Podcast Podcast about python
- The Changelog The Changelog is a member supported blog, weekly newsletter and podcast that covers the intersection of software development and open source.
- ask-mrdns Matt Larson and Cricket Liu expound on DNS
- Future Thinkers Podcast Various: Obsessed with all things future: singularity, technology, spirituality, and philosophy.
- The Command Line Thomas Gideon’s podcast
- cybersecurity-initiative American politics, prosperity, and purpose in the digital age through big ideas, technological innovation
I like dark books … I can't quite say why. Perhaps they speak subconsciously to places I cannot morally reach …
The writers of the Scandinavian countries in particular have written masterpieces, and Jussi Adler-Olsen (Γιούσι Άντλερ-Όλσεν) is no exception.
At the beginning of 2013 I read Βεβήλωση, which was the 2nd book of the Q series. I remember devouring that book. My confusion when I found out it was the 2nd in the series and Livanis had the 1st nowhere: unbelievable. In fact I remember making a fuss about this at a Livanis stand at a book fair. The man at the stand made a phone call (summer 2013) and told me that indeed it was not available, grrrrrrr
Since my todo list reaches the moon, I forgot about it until a few days ago, when my sister bought the 2nd book (at my urging). Within 8 hours (Saturday afternoon/Sunday morning) I devoured this book too!!!
Two films have also come out (based on the author's first two books), also unbelievable, and fortunately the next two books of the Q series have come out as well.
I try to read books in English (if the author wrote them in English), but since I don't speak Jussi's language, I prefer the excellent translation by Χρήστος Καψάλης.
Server_A —> Server_B —> Server_C
Let's say that we have our Elasticsearch/Kibana setup on Server_C
but Server_A can't talk to Server_C.
Server_A
# tail /etc/rsyslog.d/20_central_logging.conf
*.* @192.168.1.100:42185
& ~
Server_B
install fluentd
# wget -c http://packages.treasuredata.com.s3.amazonaws.com/2/redhat/6/x86_64/td-agent-2.2.1-0.el6.x86_64.rpm
# rpm -ivh td-agent-2.2.1-0.el6.x86_64.rpm
configure fluentd
# vim /etc/td-agent/td-agent.conf
<source>
type syslog
port 42185
tag rsyslog
</source>
<match **>
type forward
send_timeout 10s
recover_wait 10s
heartbeat_interval 1s
phi_threshold 16
hard_timeout 60s
<server>
host 192.168.1.200
</server>
</match>
Server_C
install fluentd
# wget -c http://packages.treasuredata.com.s3.amazonaws.com/2/redhat/6/x86_64/td-agent-2.2.1-0.el6.x86_64.rpm
# rpm -ivh td-agent-2.2.1-0.el6.x86_64.rpm
configure fluentd
# vim /etc/td-agent/td-agent.conf
<match **>
type elasticsearch
flush_interval 10s # for testing
logstash_format true
</match>
PLZ don't forget your iptables rules!!!!
UDP & TCP
One of the great features of PowerDNS is the concept of 'backends'.
Backends give you the ability to choose the datastore where you would like to save (or not) your DNS data. If you are looking to migrate from another DNS server (let's say ISC BIND) with support for BIND zone files, then you can choose the bind backend, copy the files and voilà!
PowerDNS can also support multiple backends. So you can build/test your "new" infrastructure without compromising any existing data structure, or, as the consultants love to say: "With no downtime!" Another approach is that you can add support for an automated provisioning mechanism, or whatever else you can think of!
A very good example of the Pipe Backend is the PowerDNS Dynamic Reverse script that @kargig has modified to support reverse IPv6 responses (amazing, right?).
I have a few (half-baked) ideas that I would like to implement with PowerDNS and I was looking at the Remote Backend. It took me some time to understand the logic behind it (as I am not a developer, nor will I ever be!) and create a proof-of-concept script.
So this is my initial script, that I would like to share:
pdns remote - pipe
It doesn't do anything (yet), it just sends everything to your syslog (/var/log/messages) for debugging.
The key to success is this quote:
You must always reply with JSON hash with at least one key, ‘result’
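As an added example (not the author's script and not PowerDNS code), here is a minimal Python handler for the Remote Backend's pipe mode that takes that quote seriously: every reply, including the reply to a malformed line or an unimplemented method, is a JSON object with a `result` key. It answers `initialize` with `true`, answers `lookup` from a small constructed zone (the `example.com` names and the 203.0.113.10 / 2001:db8::10 addresses are documentation-range sample data), and returns `false` for anything else. Request and reply shapes follow the PowerDNS Remote Backend documentation; the zone table and record TTL are my assumptions.

```python
import json
import sys

# Constructed zone data (hypothetical names, documentation-range addresses).
ZONE = {
    ("example.com", "SOA"): ["ns1.example.com hostmaster.example.com 2015120601 3600 900 604800 300"],
    ("example.com", "NS"): ["ns1.example.com"],
    ("www.example.com", "A"): ["203.0.113.10"],
    ("www.example.com", "AAAA"): ["2001:db8::10"],
}

def handle(request):
    """Answer one remote-backend request; every reply carries a 'result' key."""
    method = request.get("method")
    params = request.get("parameters", {})
    if method == "initialize":
        return {"result": True}
    if method == "lookup":
        # Normalise the name: PowerDNS may send it with a trailing dot and in any case.
        qname = params.get("qname", "").rstrip(".").lower()
        qtype = params.get("qtype", "ANY").upper()
        records = [
            {"qtype": rtype, "qname": qname, "content": content, "ttl": 300}
            for (name, rtype), contents in ZONE.items()
            if name == qname and qtype in ("ANY", rtype)
            for content in contents
        ]
        # No matching records: the documented "nothing here" reply is result=false.
        return {"result": records if records else False}
    # Methods this backend does not implement (getDomainInfo, list, ...): say so, still with 'result'.
    return {"result": False}

def serve_lines(lines):
    """Process newline-delimited JSON requests and return one JSON reply string per request."""
    replies = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            request = json.loads(line)
        except ValueError:
            request = {}  # malformed input still gets a well-formed {"result": false}
        replies.append(json.dumps(handle(request)))
    return replies

if __name__ == "__main__":
    # Pipe mode: one request per line on stdin, one reply per line on stdout, flushed immediately.
    for line in sys.stdin:
        for reply in serve_lines([line]):
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()
```

The per-line flush in the main loop matters in pipe mode: PowerDNS waits for the reply to each request before sending the next, so a buffered stdout makes the backend look hung.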
The amazing Free Software Foundation Europe has a "Spread the word" page that promotes freedom via stickers [0].
One of my all-time favorite stickers is
There is no cloud, just other people's computers
but it is in PDF format.
I avoid Flash and PDF in general, and someone asked on Twitter for an SVG version.
Without any delay, the FSFE published the Scribus source files!
You can find the .sla files here and an SVG version here: FSFE_No_Cloud_120×120-001.svg.
I strongly advise you to help, promote and donate to this amazing foundation.
You can also translate the stickers into your native language and help spread the freedom message to everybody.
[0] https://fsfe.org/contribute/spreadtheword.en.html
I am really disappointed about some of Mozilla's decisions.
One of them is the Pocket integration.
It serves no purpose at all to embed a company's add-on
inside Firefox without the choice to remove it!
So here is how to disable it:
open about:config and search for pocket
empty every string and change every boolean value to false: