So … it seems that some router hands out DHCPv6 prefixes to specific LANs.
The default behaviour of CentOS is to autoconfigure the network interface with the ifup script.
We haven't finished our #ipv6 schema/deployment, so we need to disable this IPv6 autoconfiguration feature.
global
# vim /etc/sysconfig/network
NETWORKING_IPV6=no
IPV6FORWARDING=no
IPV6_AUTOCONF=no
interface
# vim /etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=no
Flushing
# ip -6 addr flush eth0
# ip -6 route flush scope global
and finally restart
# service network restart
So at Athens' hackerspace our bots made a new podcast for this season!
If you are a Greek listener, take a look here: botcast s02e01
podcast
This blog post is dedicated to "rwman os" for contacting me to suggest that I was wrong!
And indeed I was!! ( <— two exclamation marks)
So this blog post, create true random passwords, has some mistakes and I am here to make amends.
The correct syntax for creating random passwords is this:
$ cat /dev/urandom | tr -dc $'\x21-\x7E' | head -c 21
and after further investigation (with GNU coreutils 8.23) it seems that you can use octal as well:
$ cat /dev/urandom | tr -dc '\041-\176' | head -c 21
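The same pipeline wrapped in a function, with a check that the output really is limited to the 0x21-0x7E range; this is an added example, not part of the original post. `LC_ALL=C` is my addition so that `tr` and `grep` work byte-wise on the binary input whatever the caller's locale is.

```shell
#!/bin/sh
# Added example: generate a password from /dev/urandom with the octal range
# from the post, then verify the character set independently.

# genpw LENGTH: print LENGTH random printable ASCII characters (default 21).
# -d deletes, -c complements: everything outside \041-\176 (0x21-0x7E) is
# dropped, so whitespace, control bytes and non-ASCII never reach head.
genpw() {
    LC_ALL=C tr -dc '\041-\176' < /dev/urandom | head -c "${1:-21}"
}

# pw_is_clean PASSWORD: succeed only if every character is in 0x21-0x7E.
# grep finds a byte outside the range -> the password is NOT clean.
pw_is_clean() {
    ! printf '%s' "$1" | LC_ALL=C grep -q '[^!-~]'
}

# pw_len PASSWORD: number of characters, independent of wc's padding.
pw_len() {
    printf '%s' "$1" | LC_ALL=C wc -c | tr -d ' '
}
```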
This is a list of podcasts I listen to on a regular basis
- Security Now Steve Gibson and Leo Laporte podcast about security news
- Hacker Public Radio Various podcasts, mostly about free software
- Talk Python To Me Podcast Podcast about python
- The Changelog The Changelog is a member supported blog, weekly newsletter and podcast that covers the intersection of software development and open source.
- ask-mrdns Matt Larson and Cricket Liu expound on DNS
- Future Thinkers Podcast Various: Obsessed with all things future: singularity, technology, spirituality, and philosophy.
- The Command Line Thomas Gideon’s podcast
- cybersecurity-initiative American politics, prosperity, and purpose in the digital age through big ideas, technological innovation
I like dark books … I can't pin down why. Perhaps they speak subconsciously to places I can't ethically reach …
Scandinavian authors in particular have written masterpieces, and Jussi Adler-Olsen is no exception.
At the beginning of 2013 I read Βεβήλωση, which was the 2nd book of the Q series. I remember I devoured that book. My confusion when I found out it is the 2nd in the series and the publisher Livanis had the 1st nowhere: unbelievable. In fact I remember making a fuss about this at a Livanis stand at a book fair. The man at the stand made a phone call (summer 2013) and told me that it is indeed not available, grrrrrrr
Since my todo list reaches the moon, I forgot about it until a few days ago, when my sister bought the 2nd book (at my urging). Within 8 hours (Saturday afternoon/Sunday morning) I devoured this book too!!!
Two films have also been released (based on the author's first two books), also unbelievable, and fortunately the next two books of the Q series have been published too.
I try to read books in English (if the author wrote them in English), but since I don't speak Jussi's language, I prefer the excellent translation by Christos Kapsalis.
Server_A —> Server_B —> Server_C
Let’s say that we have our elasticsearch/kibana setup on Server_C
but Server_A can’t talk to Server_C.
Server_A
# tail /etc/rsyslog.d/20_central_logging.conf
*.* @192.168.1.100:42185
& ~
Server_B
install fluentd
# wget -c http://packages.treasuredata.com.s3.amazonaws.com/2/redhat/6/x86_64/td-agent-2.2.1-0.el6.x86_64.rpm
# rpm -ivh td-agent-2.2.1-0.el6.x86_64.rpm
configure fluentd
# vim /etc/td-agent/td-agent.conf
<source>
type syslog
port 42185
tag rsyslog
</source>
<match ***>
type forward
send_timeout 10s
recover_wait 10s
heartbeat_interval 1s
phi_threshold 16
hard_timeout 60s
<server>
host 192.168.1.200
</server>
</match>
Server_C
install fluentd
# wget -c http://packages.treasuredata.com.s3.amazonaws.com/2/redhat/6/x86_64/td-agent-2.2.1-0.el6.x86_64.rpm
# rpm -ivh td-agent-2.2.1-0.el6.x86_64.rpm
configure fluentd
# vim /etc/td-agent/td-agent.conf
<match ***>
type elasticsearch
flush_interval 10s # for testing
logstash_format true
</match>
PLZ Don't forget your iptables rules !!!!
UDP & TCP
One of the great features that PowerDNS has is the concept of 'backends'.
Backends give you the ability to choose the datastore in which you would like to save (or not) your DNS data. If you are looking to migrate from another DNS server (let's say ISC BIND) with BIND zone file support, then you can choose the bind backend, copy the files and voilà!
PowerDNS can also support multiple backends, so you can build/test your "new" infrastructure without compromising any existing data structure, or, as the consultants love to say: "With no downtime!" Another approach is that you can add support for an automated provisioning mechanism or whatever else you can think of!
A very good example of the Pipe Backend is the PowerDNS Dynamic Reverse script that @kargig has modified to support reverse IPv6 responses (amazing, right?).
I have a few (half-baked) ideas that I would like to implement with PowerDNS, and I was looking at the Remote Backend. It took me some time to understand the logic behind it (as I am not a developer, nor will I ever be!) and create a proof-of-concept script.
So this is my initial script, that I would like to share:
pdns remote - pipe
It doesn't do anything (yet), it just sends everything to your syslog (/var/log/messages) for debugging.
The key to success is this quote:
You must always reply with JSON hash with at least one key, ‘result’
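A minimal pipe connector for the Remote Backend that follows that rule; this is an added example, not the author's script. It assumes the request format from the PowerDNS Remote Backend documentation (one JSON object per line on stdin, with a "method" key), answers `true` to initialize and `false` to every other method, and logs each request with `logger`; the `PDNS_REMOTE_SERVE` guard is my own addition.

```shell
#!/bin/sh
# Added example: a do-nothing PowerDNS Remote Backend pipe connector.
# Every request line must get exactly one JSON reply with a "result" key.

# log_req LINE: send the raw request to syslog (stderr if logger is absent).
log_req() {
    if command -v logger >/dev/null 2>&1; then
        logger -t pdns-remote -- "$1" 2>/dev/null || printf 'pdns-remote: %s\n' "$1" >&2
    else
        printf 'pdns-remote: %s\n' "$1" >&2
    fi
}

# request_method JSON: the value of the "method" key, empty if there is none.
request_method() {
    printf '%s\n' "$1" | sed -n 's/.*"method"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# pdns_reply JSON: print the JSON answer for one request line.
pdns_reply() {
    log_req "$1"
    case "$(request_method "$1")" in
        initialize) printf '{"result":true}\n' ;;
        # lookup, list, getDomainMetadata, ...: "false" means this backend
        # has nothing for the query, which is all the PoC does for now
        *)          printf '{"result":false}\n' ;;
    esac
}

# Serve requests from PowerDNS. The guard is an assumption of this example:
# set PDNS_REMOTE_SERVE=1 in the environment of the remote-connection
# command so the loop only runs when PowerDNS is driving stdin.
if [ "${PDNS_REMOTE_SERVE:-0}" = 1 ]; then
    while IFS= read -r line; do
        pdns_reply "$line"
    done
fi
```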
The amazing Free Software Foundation Europe has a "Spread the word" page that promotes freedom via stickers [0].
One of my all-time favorite stickers is the
There is no cloud, just other people's computers
but it is in PDF format.
I avoid Flash and PDF in general, and someone asked on Twitter for an SVG version.
Without any delay, the FSFE published the Scribus source files!
You can find the .sla files here and an SVG version here: FSFE_No_Cloud_120×120-001.svg.
I strongly advise you to help, promote and donate to this amazing foundation.
You can also translate the stickers into your native language and help spread the freedom message to everybody.
[0] https://fsfe.org/contribute/spreadtheword.en.html
I am really disappointed about some of Mozilla's decisions.
One of them is the Pocket integration.
It serves no purpose at all to embed a company's add-on
inside Firefox without the choice of removing it!
So here is how to disable it:
open about:config and search for pocket,
empty every string and change every boolean value to false:
Systemd Timers
It’s time to see an example on timers in systemd.
Intro
Before we start, let’s clarify some things.
systemd's timers are units. Units are the simplest form of systemd files. Units describe "when and if" a unit service "should or must" run, based on real or relative time.
- A real time example is similar to a cron job entry. You can find all the configuration settings/values for OnCalendar here.
- A relative time example is closer to something like: "Run this unit service ten minutes after boot, before this service, and also those services must have already been started because I depend on them."
List of systemd-timers
To view the declared timers on a system, run the command below:
$ systemctl list-timers
We can see all timers, even the inactive ones, with:
# systemctl list-timers --all
one simple example
OK, let's start with an example.
I'll use the /usr/local/bin directory to store my custom scripts, as this directory is in the PATH environment variable and I can run these scripts from anywhere.
Our systemd unit files must be under the /etc/systemd/system/ directory.
Part One: The Script
As an example, the script will mount some volumes after boot time.
The basic script contains the lines below:
# cat /usr/local/bin/mount.volumes.sh
#!/bin/sh
/usr/bin/mount /mnt/backup
/usr/bin/mount /var/lib/docker
and make it executable:
# chmod +x /usr/local/bin/mount.volumes.sh
You can run this script, once or twice to see if everything goes as planned.
Part Two: The Service
Now it’s time to create a systemd service unit:
# vim /etc/systemd/system/mount.volumes.service
[Unit]
Description=Mount Backup & Docker Volume Service
[Service]
Type=simple
ExecStart=/usr/local/bin/mount.volumes.sh
[Install]
WantedBy=multi-user.target
Part Three: The Timer
Now it is time to create the systemd timer unit:
# vim /etc/systemd/system/mount.volumes.timer
We have to decide when we want the service to run.
e.g. every day, but 45 sec after boot
[Unit]
Description=Mount Backup & Docker Volume @ reboot
[Timer]
OnBootSec=45sec
OnUnitActiveSec=1day
Unit=mount.volumes.service
[Install]
WantedBy=multi-user.target
- OnBootSec: time to wait after booting before we run the first time
- OnUnitActiveSec: time between each consecutive run
voila !
Part Four: Enable Service
Be aware, we haven't finished yet!
Check that systemd can identify these files:
# systemctl list-unit-files | egrep mount.volumes
mount.volumes.service disabled
mount.volumes.timer disabled
We can run the systemd service by hand:
# systemctl start mount.volumes.service
and see the output/results via journalctl:
# journalctl -f
Part Five: Enable Timer
Finally we need to start & enable (so that it runs after reboot) the timer:
start
# systemctl start mount.volumes.timer
enable
# systemctl enable mount.volumes.timer
Created symlink /etc/systemd/system/multi-user.target.wants/mount.volumes.timer → /etc/systemd/system/mount.volumes.timer.
after that:
# systemctl list-timers | egrep mount.volume
Sat 2018-01-27 09:51:01 EET 23h left Fri 2018-01-26 09:51:01 EET 1min 16s ago mount.volumes.timer mount.volumes.service
verify
# systemctl list-unit-files | egrep mount.volume
mount.volumes.service disabled
mount.volumes.timer enabled
To all the systemd haters: I KNOW, it's one line in crontab!
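A variant of the mount script that is safe to run from the daily timer; this is an added example, not the post's own mount.volumes.sh. It assumes util-linux's mountpoint(1), takes the volumes as arguments (so ExecStart would pass /mnt/backup /var/lib/docker), skips volumes that are already mounted, and exits non-zero when any mount fails so that `systemctl status` and `journalctl` show the failure; MOUNT_CMD and MOUNTPOINT_CMD are my own hooks so the logic can be exercised without real mounts.

```shell
#!/bin/sh
# Added example: idempotent version of mount.volumes.sh for the timer.
# Re-running plain `mount /mnt/backup` fails with "already mounted", which
# would mark the service unit failed every day after the first.

# Assumed hooks (not systemd or mount options): override for testing only.
MOUNT_CMD="${MOUNT_CMD:-/usr/bin/mount}"
MOUNTPOINT_CMD="${MOUNTPOINT_CMD:-mountpoint -q}"

# mount_if_needed DIR: 0 if DIR is mounted (already, or now), 1 on failure.
mount_if_needed() {
    if $MOUNTPOINT_CMD "$1"; then           # unquoted on purpose: "mountpoint -q"
        echo "$1: already mounted, skipping"
        return 0
    fi
    if $MOUNT_CMD "$1"; then
        echo "$1: mounted"
        return 0
    fi
    echo "$1: mount failed" >&2             # ends up in journalctl -u ...
    return 1
}

# mount_volumes DIR...: mount every DIR; the return value is the number of
# failures, so 0 means every volume is mounted.
mount_volumes() {
    failed=0
    for dir in "$@"; do
        mount_if_needed "$dir" || failed=$((failed + 1))
    done
    return "$failed"
}

# ExecStart=/usr/local/bin/mount.volumes.sh /mnt/backup /var/lib/docker
if [ $# -gt 0 ]; then
    mount_volumes "$@"
fi
```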
I am using fluxbox as my primary window manager on both my laptop and home desktop. If you want a non-distracting environment to work with, I strongly suggest you take a look.
On the laptop, I had a problem configuring the backlight. It was always fixed at 100%, without the ability to change it. If you run on battery, you need to lower the brightness of your display.
After Linux kernel v3.16, things got a lot easier and better for newer laptop models that had problems with the backlight and brightness.
You can find a lot of blog/site & wiki pages that suggest appending one of the below to your grub menu entry:
video.use_native_backlight=0
video.use_native_backlight=1
acpi_backlight=vendor
or something similar.
Note: On Dell XPS13 laptops a firmware bug exists when disabling legacy boot or switching between UEFI & legacy. That can break the backlight support and the result is a blank screen. This is a stupid manufacturing error by Dell, because they used a different firmware module for the backlight that can send different ACPI events!
For me that's irrelevant now. I am using UEFI and Linux kernel v4.0.5 and I disabled legacy boot on my laptop a long time ago.
My grub menu doesn't have any of the above settings.
Ok, so now it’s time to explain how you can use fluxbox keys to control the brightness on your laptop.
Open a terminal and type:
xev
With this program you can capture the keycode of the keys you are pressing.
I want to use the same keys that I would normally use for adjusting the display brightness on my laptop.
So on my machine, FN+F4 returns 232 and FN+F5 233.
Edit your ~/.fluxbox/startup file to add the below lines:
exec xmodmap -e "keycode 232 = F14 " &
exec xmodmap -e "keycode 233 = F15 " &
somewhere before
exec fluxbox
With the above commands, you are telling xorg to map the keycodes to a new key (even if that key doesn't exist on our keyboard). From now on, fluxbox will recognize FN+F4 (keycode 232) as F14 and FN+F5 (keycode 233) as F15.
At this point, if you have not already installed xorg-xbacklight, do it now.
The final step is to map our new keys to specific commands. Edit your ~/.fluxbox/keys to add the below:
None F14 : ExecCommand xbacklight -dec 5
None F15 : ExecCommand xbacklight -inc 5
and restart your fluxbox !
A back-to-vim-basics post!
It's quite obvious that we need different vimrc settings for different files/languages. This is mostly about tabs and characters, but it can be extended to more. For example, in Python (Ansible etc.) you need to replace the tab with four or eight spaces. Most of us are using something like this:
:set tabstop=4 shiftwidth=4 softtabstop=4 expandtab
every time we open a python related file.
But you can set your own options in every file using a comment at the end or at the beginning of the file. Like this one:
#!/usr/bin/python2.6
# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4
... (awesome code) ...
This is called a modeline and it is something magic!
Just add the line below to your ~/.vimrc file, or if you need a more global setting, append it to your /etc/vimrc:
set modeline
This post is for coffee lovers and is about how to assemble the Graef CM 800, which is a coffee grinder, after a proper clean-up.
It has many images, so it may be "heavy" to browse. Click on every image for full-size display.
Below are the removable parts.
Be CAREFUL, the smallest parts are the most important!!!
Don't lose them!
The internal part of our conical grinder.
This image is without the case and the coffee stopper
Be very careful with the smallest parts.
Their job is to power on our grinder!
Putting on the coffee stopper case (you have to hear the click!).
Screw the top to cover the internals.
Adjust the collar so it faces back (numbers must be at the back)
Put the upper conical grinder part:
and twist it till it fits perfectly
Turn the adjustment collar clockwise till it locks to your setting
I mostly grind on the 10 setting and the result looks like this:
and after tamping:
The inspiration for this post comes from Kees Cook’s tweet about having
VisualHostKey yes
on his ~/.ssh/config file.
I've played with this option in the past, but having some scripts running over ssh, I was afraid of parsing the "wrong" things from the output.
I’ve enabled this option again this evening, so the head of my ~/.ssh/config looks like:
Host *
VisualHostKey yes
Compression yes
I started to ssh into a few machines, just to see the output.
A sample output, looks like this:
+---[RSA 2048]----+
|.E . . o |
|= . . . . o o |
| + o . ..o. . |
| o . o . .*. |
| . +S...*. o |
| . ...+o.+oo|
| . +o +.B|
| . + oo+ +=|
| . o.=o. .|
+----[SHA256]-----+
RSA 2048 is the size of the server's public key, and you can check the size of the server's key (and of course yours too) with this command:
# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
on your local machine:
> ssh-keygen -l -f ~/.ssh/id_rsa.pub
I have changed my ssh key pair a few times (you must remember to append your new public key to your server's authorized_keys before removing your old key), but I never changed the server's key pairs.
After searching online for a few minutes to educate myself on the matter, it seems that when your (in this case) CentOS machine starts the ssh daemon for the first time, it creates new ssh key pairs.
The procedure is really easy, but before doing anything, we need to edit
/etc/init.d/sshd to add a 4096-bit key size for the SSHv2 RSA key:
echo -n $"Generating SSH2 RSA host key: "
rm -f $RSA_KEY
if test ! -f $RSA_KEY && $KEYGEN -q -b 4096 -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
The final steps are these:
> ssh linuxbox
> sudo -s
# cd /etc/
# tar cf ssh.tar ssh
# cd ssh
# rm -f ssh_host_*
# service sshd restart
If you test your ssh connection, you will get an ugly message:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
BUT you have to see this error message.
If you don't, then you have a very serious problem!
Edit your ~/.ssh/known_hosts to get rid of this message and delete the previous record about the old server ssh public key.
Try again, now it should show you something like:
Are you sure you want to continue connecting (yes/no)? yes
Type yes and memorize your new VisualHostKey !
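The client-side part of the rotation, using ssh-keygen instead of editing ~/.ssh/known_hosts by hand; this is an added example, not from the original post. It assumes OpenSSH's ssh-keygen with its -l, -v, -F and -R options: `hostkey_fingerprint` prints the fingerprint and the same randomart that VisualHostKey shows (run it on the server against /etc/ssh/ssh_host_rsa_key.pub and compare), `forget_host` drops the stale record, and `host_is_known` tells you whether a record is still there.

```shell
#!/bin/sh
# Added example: known_hosts housekeeping after a server host-key change.

# hostkey_fingerprint PUBKEY: size, SHA256 fingerprint and randomart of a
# public key file. Compare the art with what ssh shows on the client.
hostkey_fingerprint() {
    ssh-keygen -l -v -f "$1"
}

# key_bits PUBKEY: just the key size (e.g. 4096 after the init-script edit).
key_bits() {
    ssh-keygen -l -f "$1" | cut -d' ' -f1
}

# host_is_known HOST [FILE]: 0 if FILE (default ~/.ssh/known_hosts) still
# has a record for HOST, 1 otherwise. Works with hashed entries too.
host_is_known() {
    ssh-keygen -F "$1" -f "${2:-$HOME/.ssh/known_hosts}" >/dev/null
}

# forget_host HOST [FILE]: remove every record for HOST. ssh-keygen -R
# rewrites FILE and leaves FILE.old behind as a backup.
forget_host() {
    ssh-keygen -R "$1" -f "${2:-$HOME/.ssh/known_hosts}" >/dev/null 2>&1
}
```

After `forget_host linuxbox` the next `ssh linuxbox` asks the "Are you sure you want to continue connecting" question again, and the randomart it shows should match the one `hostkey_fingerprint` printed on the server.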
In my previous post , I documented my notes on setting up a new PowerDNS Recursor for our own clients.
In this post, I will present a simple way to reduce unnecessary traffic by blocking every FQDN you don't want.
Download a well known custom HOSTS file:
# curl -s -L http://winhelp2002.mvps.org/hosts.txt -o /etc/pdns-recursor/hosts.blocked
Add the FQDNs you want to block, e.g.
# echo "0.0.0.0 facebook.com" >> /etc/pdns-recursor/hosts.blocked
Be very careful not to block something you need.
Reminder: No support for wildcards, only FQDNs
Edit your /etc/pdns-recursor/recursor.conf to support the new hosts file:
etc-hosts-file=/etc/pdns-recursor/hosts.blocked
export-etc-hosts=on
Restart your pdns and test it:
# dig www.facebook.com @localhost
;; ANSWER SECTION:
www.facebook.com. 86400 IN A 0.0.0.0
Once you have done that, you can edit your hosts.blocked whenever you want!
But don't forget to reload:
# rec_control reload-zones
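Two helpers for keeping that hosts.blocked file sane, since there are no wildcards and one typo can block something you need; this is an added example, not part of the original post. It assumes the file path from the post, that the downloaded list may contain CRLF line endings and trailing "#[...]" tags, and a NEVER_BLOCK list of names that must never be added (my own addition, not a pdns-recursor setting).

```shell
#!/bin/sh
# Added example: validate and safely extend /etc/pdns-recursor/hosts.blocked.
#   check_blocklist FILE  prints each line that is not "0.0.0.0 <fqdn>" (or
#                         "127.0.0.1 <name>") and returns the number found
#   block_fqdn FILE NAME  appends "0.0.0.0 NAME" unless NAME is not a plain
#                         name, is on NEVER_BLOCK, or is already listed

NEVER_BLOCK="${NEVER_BLOCK:-localhost}"     # assumption of this example

# fqdn_ok NAME: labels of letters/digits/hyphen/underscore joined by dots;
# rejects "*", empty labels and stray characters.
fqdn_ok() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq \
        '^[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?(\.[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?)*$'
}

check_blocklist() {
    file=$1 bad=0 cr=$(printf '\r')
    set -f                                   # no globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                   # the downloaded list is CRLF
        line=${line%%#*}                     # drop comments and "#[tags]"
        set -- $line                         # split into address and name
        if [ "$#" -eq 0 ]; then continue; fi # blank or comment-only line
        if [ "$#" -ne 2 ] || { [ "$1" != 0.0.0.0 ] && [ "$1" != 127.0.0.1 ]; } || ! fqdn_ok "$2"; then
            printf 'invalid: %s\n' "$line"
            bad=$((bad + 1))
        fi
    done < "$file"
    set +f
    return "$bad"
}

block_fqdn() {
    file=$1 name=$2
    if ! fqdn_ok "$name"; then
        echo "refusing '$name': not a plain FQDN (wildcards are not supported)" >&2
        return 1
    fi
    for keep in $NEVER_BLOCK; do
        if [ "$name" = "$keep" ]; then
            echo "refusing '$name': on the never-block list" >&2
            return 1
        fi
    done
    # already listed (either address, any case, optionally followed by a tag)?
    esc=$(printf '%s' "$name" | sed 's/\./\\./g')
    if LC_ALL=C grep -Eiq "^(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]+${esc}([[:space:]]|#|\$)" "$file"; then
        echo "$name is already blocked"
        return 0
    fi
    printf '0.0.0.0 %s\n' "$name" >> "$file"
    echo "blocked $name (now run: rec_control reload-zones)"
}
```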
First rule of DNS: always keep your authoritative and recursor DNS servers on separate machines.
Disclaimer: The notes below were made on a fresh CentOS 7 server. This is not an open resolver, it is just for personal use. You need to adjust your settings.
PowerDNS is an amazing product. It has two flavors, one for the Authoritative NS and one for the Recursor. I always use @KeesMonshouwer's RPMs for two reasons:
a. Works perfectly
b. I trust his work
- Installation
Let’s start, by installing the pdns-recursor:
# rpm -ivh https://www.monshouwer.eu/download/3rd_party/pdns-recursor/el7/x86_64/pdns-recursor-3.7.2-1.el7.MIND.x86_64.rpm
- User/Group
Verify that you have the pdns User/Group, if not create them:
# grep pdns /etc/group
pdns-recursor:x:996:
# grep pdns /etc/passwd
pdns-recursor:x:996:996:PowerDNS Recursor:/dev/null:/sbin/nologin
- root hint
Create the hint (root NS) zone:
# dig NS . @a.root-servers.net. | grep -vE '^;|^$' | sort -V > /etc/pdns-recursor/root.hint
I prefer to use and work with the OpenNIC project because it's an amazing community open DNS project. They also provide their own gTLDs, and the majority of them don't keep any logs at all, or they anonymize the DNS logs. In the times we are living in, I prefer my DNS queries NOT to be obtained and recorded by companies.
I strongly suggest participating in this amazing community project.
So my root.hint file is the result of this:
# dig . NS @75.127.96.89 | grep -v '^;' | sort -u -V > /etc/pdns-recursor/root.hint
Don't forget to edit your /etc/pdns-recursor/recursor.conf so that you tell pdns where your root hint file is:
hint-file=/etc/pdns-recursor/root.hint
- ACL
As I mentioned above, I don't want (at the current moment) to create an open resolver, so I need to create an ACL.
That can be done in two ways (combined or separately).
- iptables
The first one is via iptables. My iptables default policy is DROP, so I need to ACCEPT tcp/udp traffic from the networks I want to provide DNS recursion to. The example below is for a specific IP and a class C (/24) network:
# TCP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -s XXX.XXX.XXX.XXX -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -s YYY.YYY.YYY.0/24 -j ACCEPT
# UDP
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -s XXX.XXX.XXX.XXX -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -s YYY.YYY.YYY.0/24 -j ACCEPT
Don't forget to restart your iptables service.
- ACL in pdns
The second way is by configuring the allow-from pdns setting accordingly:
# vim /etc/pdns-recursor/recursor.conf
allow-from=127.0.0.0/8, XXX.XXX.XXX.XXX, YYY.YYY.YYY.0/24
- Listen IP address
PowerDNS Recursor will start on your local IP address. To change it to your public IP, you need to edit the entry below:
# vim /etc/pdns-recursor/recursor.conf
local-address=127.0.0.1, XXX.XXX.XXX.XXX
At this point you are ready to start and use your own DNS recursor.
# systemctl status pdns-recursor.service
# systemctl enable pdns-recursor.service
- Testing
Before you log out of your machine, you need to test your DNS server.
# dig soa powerdns.com @127.0.0.1
and from a machine inside your ACL:
# dig soa powerdns.com @XXX.XXX.XXX.XXX
Everything must work just fine.
-or how I spent a morning fixing something that didn't need fixing!!!
At work, we have a PHP application that automates user blacklisting (we have a very large mail infrastructure) via an API. We use this tool to manipulate LDAP attributes and insert/select data from a MySQL database. Of course our abuse department is using that web tool for manual inserts/edits/de-blacklisting and history searches for customer complaints.
We are in the middle of making some back-end changes and a few (less than ten) changes must be done on this tool too. Nothing fancy whatsoever, we just want to change the reading point from place A to place B.
Our web app is a custom internal build by a fellow colleague who at this time is working for another company. So I took charge of this easy and simple task.
Five minutes later all the changes were made. I hg pushed the changes and started using the development environment to test them.
And nothing was working!!!!
What the feck?
Did an hg diff and saw the SEVEN (7) tiny changes to the code.
To clear some things up, the changes were of the form below:
// read from ldap the attribute Profile
$attr_old = array ("Profile" );
// write to mysql the value of Profile
$old_profile = $entries [$i] ["Profile"] [0];
After almost a full hour (I was hitting my head on the wall at that time) I tried to var_dump all the arrays.
And WHAT I saw was unreal!!!
The code is reading the LDAP attribute Profile from LDAP as Profile.
BUT
when I var_dump $entries I saw that PHP handles all the variables in lowercase.
So Profile becomes profile.
I still don't know/understand why this is happening!
I just did two more tiny changes, so that mysql is now inserting
$entries [$i] ["profile"] [0];
and not the wrong one:
$entries [$i] ["Profile"] [0];
and everything is OK now.