Evaggelos Balaskas - System Engineer

Let’s Encrypt client: certbot is been written in python and as it’s predecessor needs at least Python 2.7.

But (still) in CentOS series 6 (currently 6.8) there is no natively support for python27.

So I did this thing below, quick & dirty:

# cd /usr/local/src/
# wget -c https://www.python.org/ftp/python/2.7.11/Python-2.7.11.tgz
# tar xf Python-2.7.11.tgz
# cd Python-2.7.11
# ./configure
# make
# make install

and these are my notes for renew certificates :

# ln -s /opt/Python-2.7/bin/python2.7 /usr/local/bin/python2

[root@1 certbot]# source venv/bin/activate
(venv)[root@1 certbot]#

# cd venv/bin/

# ./certbot renew --dry-run

# ./certbot renew

# rm /usr/local/bin/python2

Domain-based Message Authentication, Reporting and Conformance

What is dmarc in a nutshell:

An authentication Protocol that combines SPF & DKIM to reduce spoofed emails.
Depends on DNS so DANE would be great here!

notes on centos6:

You need to already have implemented SPF & DKIM

Outgoing Mail Servers

DNS

in your zone file, add something like this:

_dmarc    IN  TXT "v=DMARC1; p=none; rua=mailto:postmaster@example.org"

increase the serial number of the zone and check it:

# dig +short txt _dmarc.example.org
"v=DMARC1; p=none; rua=mailto:postmaster@example.org"

dmarc tags

DMARC requires only two tags.

v: version
p: policy

version

Version is DMARC1 for the time being

policy

p=none
p=quarantine
p=reject

We start from policy=none and trying to investigate mail logs

reports

rua declares where the mail servers will send the reports regarding dmarc failures.

Incoming Mail Servers

installation

# yum search opendmarc

# yum -y install opendmarc.x86_64

check process:

# netstat -ntlp|grep dmarc
tcp    0    0 127.0.0.1:8893    0.0.0.0:*    LISTEN    14538/opendmarc     

postfix

Add another milter:

# opendkim & opendmarc
non_smtpd_milters=inet:127.0.0.1:8891,inet:127.0.0.1:8893
smtpd_milters=inet:127.0.0.1:8891,inet:127.0.0.1:8893

configuration

# grep -Ev '#|^$' /etc/opendmarc.conf 

Socket inet:8893@localhost
SoftwareHeader true
SPFIgnoreResults true
SPFSelfValidate true
Syslog true
UMask 007
UserID opendmarc:mail

AuthservID example.org
MilterDebug 1

service

# /etc/init.d/opendmarc restart

# chkconfig opendmarc on

DMARC Inspector

dmarcian

The last couple months, I get over 400 unknown user errors on my imap (dovecot) server.

FYI this is the report:

dovecot: auth: ldap(aaaaaa,193.189.117.147): unknown user:
dovecot: auth: ldap(accountant,193.189.117.147): unknown user:
dovecot: auth: ldap(acosta,193.189.117.147): unknown user:
dovecot: auth: ldap(admin@balaskas.gr,89.248.162.175): unknown user:
dovecot: auth: ldap(adrian,193.189.117.152): unknown user:
dovecot: auth: ldap(alarm,193.189.117.152): unknown user:
dovecot: auth: ldap(alcala,185.125.4.192): unknown user:
dovecot: auth: ldap(alena,193.189.117.148): unknown user:
dovecot: auth: ldap(alfaro,185.125.4.192): unknown user:
dovecot: auth: ldap(alias,193.189.117.152): unknown user:
dovecot: auth: ldap(ally,185.125.4.192): unknown user:
dovecot: auth: ldap(almeida,185.125.4.192): unknown user:
dovecot: auth: ldap(alya,185.125.4.192): unknown user:
dovecot: auth: ldap(amara,185.125.4.192): unknown user:
dovecot: auth: ldap(amigo,185.125.4.192): unknown user:
dovecot: auth: ldap(amina,185.125.4.192): unknown user:
dovecot: auth: ldap(amity,185.125.4.192): unknown user:
dovecot: auth: ldap(analysis,185.125.4.192): unknown user:
dovecot: auth: ldap(analyst,185.125.4.192): unknown user:
dovecot: auth: ldap(anderson,185.125.4.192): unknown user:
dovecot: auth: ldap(andrade,185.125.4.192): unknown user:
dovecot: auth: ldap(andreea,185.125.4.192): unknown user:
dovecot: auth: ldap(andria,185.125.4.192): unknown user:
dovecot: auth: ldap(annalisa,185.125.4.192): unknown user:
dovecot: auth: ldap(annika,193.189.117.148): unknown user:
dovecot: auth: ldap(anon,185.125.4.192): unknown user:
dovecot: auth: ldap(anonymous,193.189.117.148): unknown user:
dovecot: auth: ldap(area,185.125.4.192): unknown user:
dovecot: auth: ldap(aris,185.125.4.192): unknown user:
dovecot: auth: ldap(arriaga,185.125.4.192): unknown user:
dovecot: auth: ldap(ashley,185.125.4.192): unknown user:
dovecot: auth: ldap(assistance,185.125.4.192): unknown user:
dovecot: auth: ldap(aya,185.125.4.192): unknown user:
dovecot: auth: ldap(azerty,185.125.4.192): unknown user:
dovecot: auth: ldap(baby,185.125.4.192): unknown user:
dovecot: auth: ldap(bad,185.125.4.192): unknown user:
dovecot: auth: ldap(ballesteros,185.125.4.192): unknown user:
dovecot: auth: ldap(banana,193.189.117.147): unknown user:
dovecot: auth: ldap(band,185.125.4.192): unknown user:
dovecot: auth: ldap(bank,193.189.117.149): unknown user:
dovecot: auth: ldap(barbara,193.189.117.147): unknown user:
dovecot: auth: ldap(barcode,193.189.117.147): unknown user:
dovecot: auth: ldap(barney,185.125.4.192): unknown user:
dovecot: auth: ldap(barrie,185.125.4.192): unknown user:
dovecot: auth: ldap(basil,185.125.4.192): unknown user:
dovecot: auth: ldap(bob,193.189.117.148): unknown user:
dovecot: auth: ldap(camp,155.133.82.65): unknown user:
dovecot: auth: ldap(campos,155.133.82.65): unknown user:
dovecot: auth: ldap(candi,155.133.82.65): unknown user:
dovecot: auth: ldap(carlo,193.189.117.147): unknown user:
dovecot: auth: ldap(carolina,193.189.117.147): unknown user:
dovecot: auth: ldap(cashier,193.189.117.148): unknown user:
dovecot: auth: ldap(casper,155.133.82.65): unknown user:
dovecot: auth: ldap(chad,155.133.82.65): unknown user:
dovecot: auth: ldap(challenge,155.133.82.65): unknown user:
dovecot: auth: ldap(chantal,155.133.82.65): unknown user:
dovecot: auth: ldap(charly,155.133.82.65): unknown user:
dovecot: auth: ldap(cher,155.133.82.65): unknown user:
dovecot: auth: ldap(cheryl,155.133.82.65): unknown user:
dovecot: auth: ldap(clare,155.133.82.65): unknown user:
dovecot: auth: ldap(classic,155.133.82.65): unknown user:
dovecot: auth: ldap(claudia,193.189.117.149): unknown user:
dovecot: auth: ldap(clock,155.133.82.65): unknown user:
dovecot: auth: ldap(consola,155.133.82.65): unknown user:
dovecot: auth: ldap(contactus,193.189.117.149): unknown user:
dovecot: auth: ldap(contract,155.133.82.65): unknown user:
dovecot: auth: ldap(craig,155.133.82.65): unknown user:
dovecot: auth: ldap(cuenta,155.133.82.65): unknown user:
dovecot: auth: ldap(cuentas,155.133.82.65): unknown user:
dovecot: auth: ldap(culture,155.133.82.65): unknown user:
dovecot: auth: ldap(dale,155.133.82.65): unknown user:
dovecot: auth: ldap(danielle,193.189.117.149): unknown user:
dovecot: auth: ldap(dante,155.133.82.65): unknown user:
dovecot: auth: ldap(davis,155.133.82.65): unknown user:
dovecot: auth: ldap(day,155.133.82.65): unknown user:
dovecot: auth: ldap(denis,193.189.117.149): unknown user:
dovecot: auth: ldap(dentrix,185.125.4.194): unknown user:
dovecot: auth: ldap(deposit,185.125.4.194): unknown user:
dovecot: auth: ldap(designer,185.125.4.194): unknown user:
dovecot: auth: ldap(desmond,155.133.82.65): unknown user:
dovecot: auth: ldap(devel,185.125.4.194): unknown user:
dovecot: auth: ldap(device,185.125.4.194): unknown user:
dovecot: auth: ldap(devin,185.125.4.194): unknown user:
dovecot: auth: ldap(diamante,185.125.4.194): unknown user:
dovecot: auth: ldap(digital,193.189.117.151): unknown user:
dovecot: auth: ldap(dimas,155.133.82.65): unknown user:
dovecot: auth: ldap(direktor,155.133.82.65): unknown user:
dovecot: auth: ldap(discount,185.125.4.194): unknown user:
dovecot: auth: ldap(discussion,185.125.4.194): unknown user:
dovecot: auth: ldap(disk,155.133.82.65): unknown user:
dovecot: auth: ldap(display,193.189.117.149): unknown user:
dovecot: auth: ldap(doctor,193.189.117.148): unknown user:
dovecot: auth: ldap(document,193.189.117.148): unknown user:
dovecot: auth: ldap(dolores,185.125.4.194): unknown user:
dovecot: auth: ldap(domingo,185.125.4.194): unknown user:
dovecot: auth: ldap(dominio,185.125.4.194): unknown user:
dovecot: auth: ldap(donald,185.125.4.194): unknown user:
dovecot: auth: ldap(donna,193.189.117.149): unknown user:
dovecot: auth: ldap(dorado,185.125.4.194): unknown user:
dovecot: auth: ldap(doreen,155.133.82.65): unknown user:
dovecot: auth: ldap(doris,155.133.82.65): unknown user:
dovecot: auth: ldap(dot,185.125.4.194): unknown user:
dovecot: auth: ldap(dovecot,193.189.117.151): unknown user:
dovecot: auth: ldap(draft,185.125.4.194): unknown user:
dovecot: auth: ldap(dragon,155.133.82.65): unknown user:
dovecot: auth: ldap(drama,155.133.82.65): unknown user:
dovecot: auth: ldap(drawing,185.125.4.194): unknown user:
dovecot: auth: ldap(dream,185.125.4.194): unknown user:
dovecot: auth: ldap(dundee,185.125.4.194): unknown user:
dovecot: auth: ldap(eagle,185.125.4.194): unknown user:
dovecot: auth: ldap(ear,185.125.4.194): unknown user:
dovecot: auth: ldap(easy,193.189.117.148): unknown user:
dovecot: auth: ldap(econom,185.125.4.194): unknown user:
dovecot: auth: ldap(eddy,185.125.4.194): unknown user:
dovecot: auth: ldap(edita,185.125.4.194): unknown user:
dovecot: auth: ldap(edu,185.125.4.194): unknown user:
dovecot: auth: ldap(education,193.189.117.151): unknown user:
dovecot: auth: ldap(eldon,185.125.4.194): unknown user:
dovecot: auth: ldap(elfa,185.125.4.194): unknown user:
dovecot: auth: ldap(eliza,185.125.4.194): unknown user:
dovecot: auth: ldap(elizabeth,193.189.117.151): unknown user:
dovecot: auth: ldap(ellen,185.125.4.194): unknown user:
dovecot: auth: ldap(elsie,185.125.4.194): unknown user:
dovecot: auth: ldap(elvin,185.125.4.194): unknown user:
dovecot: auth: ldap(emmanuel,193.189.117.151): unknown user:
dovecot: auth: ldap(empleos,193.189.117.149): unknown user:
dovecot: auth: ldap(enrique,193.189.117.151): unknown user:
dovecot: auth: ldap(envio,193.189.117.148): unknown user:
dovecot: auth: ldap(erin,193.189.117.151): unknown user:
dovecot: auth: ldap(estel,193.189.117.151): unknown user:
dovecot: auth: ldap(fax@balaskas.gr,212.67.127.105): unknown user:
dovecot: auth: ldap(felipe,193.189.117.149): unknown user:
dovecot: auth: ldap(fischer,193.189.117.151): unknown user:
dovecot: auth: ldap(florence,193.189.117.149): unknown user:
dovecot: auth: ldap(forum,193.189.117.148): unknown user:
dovecot: auth: ldap(fred,193.189.117.149): unknown user:
dovecot: auth: ldap(giuseppe,193.189.117.149): unknown user:
dovecot: auth: ldap(golden,193.189.117.151): unknown user:
dovecot: auth: ldap(hannah,193.189.117.149): unknown user:
dovecot: auth: ldap(henry,193.189.117.148): unknown user:
dovecot: auth: ldap(home,193.189.117.148): unknown user:
dovecot: auth: ldap(howard,193.189.117.151): unknown user:
dovecot: auth: ldap(hudson,193.189.117.149): unknown user:
dovecot: auth: ldap(ian,193.189.117.149): unknown user:
dovecot: auth: ldap(info@balaskas.gr,89.248.162.175): unknown user:
dovecot: auth: ldap(ingrid,193.189.117.151): unknown user:
dovecot: auth: ldap(inspector,193.189.117.151): unknown user:
dovecot: auth: ldap(installer,193.189.117.147): unknown user:
dovecot: auth: ldap(invite,193.189.117.149): unknown user:
dovecot: auth: ldap(irena,193.189.117.151): unknown user:
dovecot: auth: ldap(irene,193.189.117.147): unknown user:
dovecot: auth: ldap(isabel,193.189.117.151): unknown user:
dovecot: auth: ldap(ivan,193.189.117.148): unknown user:
dovecot: auth: ldap(jackie,193.189.117.149): unknown user:
dovecot: auth: ldap(jaime,193.189.117.151): unknown user:
dovecot: auth: ldap(jane,193.189.117.148): unknown user:
dovecot: auth: ldap(jerry,193.189.117.149): unknown user:
dovecot: auth: ldap(jo,193.189.117.151): unknown user:
dovecot: auth: ldap(joanna,193.189.117.148): unknown user:
dovecot: auth: ldap(joaquin,193.189.117.151): unknown user:
dovecot: auth: ldap(job,193.189.117.149): unknown user:
dovecot: auth: ldap(joline,185.125.4.196): unknown user:
dovecot: auth: ldap(jon,193.189.117.147): unknown user:
dovecot: auth: ldap(jose,193.189.117.147): unknown user:
dovecot: auth: ldap(joy,185.125.4.196): unknown user:
dovecot: auth: ldap(js,193.189.117.148): unknown user:
dovecot: auth: ldap(juanita,185.125.4.196): unknown user:
dovecot: auth: ldap(jule,185.125.4.196): unknown user:
dovecot: auth: ldap(julian,193.189.117.149): unknown user:
dovecot: auth: ldap(julieta,185.125.4.196): unknown user:
dovecot: auth: ldap(justin,193.189.117.147): unknown user:
dovecot: auth: ldap(kai,185.125.4.196): unknown user:
dovecot: auth: ldap(karan,185.125.4.196): unknown user:
dovecot: auth: ldap(karina,193.189.117.151): unknown user:
dovecot: auth: ldap(kathy,193.189.117.149): unknown user:
dovecot: auth: ldap(keith,193.189.117.149): unknown user:
dovecot: auth: ldap(keller,185.125.4.196): unknown user:
dovecot: auth: ldap(kelvin,185.125.4.196): unknown user:
dovecot: auth: ldap(kennedy,185.125.4.196): unknown user:
dovecot: auth: ldap(kernel,185.125.4.196): unknown user:
dovecot: auth: ldap(kid,185.125.4.196): unknown user:
dovecot: auth: ldap(kiki,193.189.117.149): unknown user:
dovecot: auth: ldap(kim,193.189.117.147): unknown user:
dovecot: auth: ldap(kimberley,185.125.4.196): unknown user:
dovecot: auth: ldap(kind,185.125.4.196): unknown user:
dovecot: auth: ldap(king,193.189.117.149): unknown user:
dovecot: auth: ldap(kiosk,193.189.117.147): unknown user:
dovecot: auth: ldap(kip,193.189.117.151): unknown user:
dovecot: auth: ldap(kira,193.189.117.151): unknown user:
dovecot: auth: ldap(kirk,185.125.4.196): unknown user:
dovecot: auth: ldap(kirsten,185.125.4.196): unknown user:
dovecot: auth: ldap(kitty,193.189.117.149): unknown user:
dovecot: auth: ldap(knife,185.125.4.196): unknown user:
dovecot: auth: ldap(koko,185.125.4.196): unknown user:
dovecot: auth: ldap(kraft,185.125.4.196): unknown user:
dovecot: auth: ldap(kris,185.125.4.196): unknown user:
dovecot: auth: ldap(kym,185.125.4.196): unknown user:
dovecot: auth: ldap(kyra,185.125.4.196): unknown user:
dovecot: auth: ldap(lane,185.125.4.196): unknown user:
dovecot: auth: ldap(language,185.125.4.196): unknown user:
dovecot: auth: ldap(larkin,185.125.4.196): unknown user:
dovecot: auth: ldap(laurie,185.125.4.196): unknown user:
dovecot: auth: ldap(leadership,193.189.117.156): unknown user:
dovecot: auth: ldap(lenny,185.125.4.196): unknown user:
dovecot: auth: ldap(lenovo,193.189.117.156): unknown user:
dovecot: auth: ldap(leslie,193.189.117.156): unknown user:
dovecot: auth: ldap(level,185.125.4.196): unknown user:
dovecot: auth: ldap(levi,185.125.4.196): unknown user:
dovecot: auth: ldap(libby,185.125.4.196): unknown user:
dovecot: auth: ldap(liliana,193.189.117.156): unknown user:
dovecot: auth: ldap(lina,193.189.117.147): unknown user:
dovecot: auth: ldap(linda,193.189.117.147): unknown user:
dovecot: auth: ldap(lisette,185.125.4.196): unknown user:
dovecot: auth: ldap(local,193.189.117.156): unknown user:
dovecot: auth: ldap(log,193.189.117.151): unknown user:
dovecot: auth: ldap(logs,193.189.117.148): unknown user:
dovecot: auth: ldap(lori,193.189.117.156): unknown user:
dovecot: auth: ldap(louis,193.189.117.156): unknown user:
dovecot: auth: ldap(luciano,193.189.117.148): unknown user:
dovecot: auth: ldap(magdalena,193.189.117.151): unknown user:
dovecot: auth: ldap(maggie,193.189.117.156): unknown user:
dovecot: auth: ldap(main,193.189.117.149): unknown user:
dovecot: auth: ldap(maint,193.189.117.151): unknown user:
dovecot: auth: ldap(management,193.189.117.156): unknown user:
dovecot: auth: ldap(manolo,193.189.117.156): unknown user:
dovecot: auth: ldap(manzanares,193.189.117.156): unknown user:
dovecot: auth: ldap(marcos,193.189.117.151): unknown user:
dovecot: auth: ldap(mariana,193.189.117.149): unknown user:
dovecot: auth: ldap(marion,193.189.117.156): unknown user:
dovecot: auth: ldap(marisa,193.189.117.151): unknown user:
dovecot: auth: ldap(marna,193.189.117.147): unknown user:
dovecot: auth: ldap(martina,193.189.117.156): unknown user:
dovecot: auth: ldap(mat,193.189.117.149): unknown user:
dovecot: auth: ldap(matt,193.189.117.147): unknown user:
dovecot: auth: ldap(mauricio,193.189.117.151): unknown user:
dovecot: auth: ldap(mauro,193.189.117.151): unknown user:
dovecot: auth: ldap(max,193.189.117.151): unknown user:
dovecot: auth: ldap(maximo,193.189.117.156): unknown user:
dovecot: auth: ldap(may,193.189.117.147): unknown user:
dovecot: auth: ldap(mendoza,193.189.117.151): unknown user:
dovecot: auth: ldap(mercadeo,193.189.117.148): unknown user:
dovecot: auth: ldap(mercado,193.189.117.156): unknown user:
dovecot: auth: ldap(meridian,193.189.117.156): unknown user:
dovecot: auth: ldap(message,193.189.117.156): unknown user:
dovecot: auth: ldap(mexico,193.189.117.156): unknown user:
dovecot: auth: ldap(michelle,193.189.117.149): unknown user:
dovecot: auth: ldap(miguel,193.189.117.148): unknown user:
dovecot: auth: ldap(mimi,193.189.117.156): unknown user:
dovecot: auth: ldap(mirella,193.189.117.156): unknown user:
dovecot: auth: ldap(modem,193.189.117.156): unknown user:
dovecot: auth: ldap(montero,185.125.4.191): unknown user:
dovecot: auth: ldap(morales,185.125.4.191): unknown user:
dovecot: auth: ldap(moreno,193.189.117.156): unknown user:
dovecot: auth: ldap(muriel,193.189.117.156): unknown user:
dovecot: auth: ldap(mysql,193.189.117.149): unknown user:
dovecot: auth: ldap(nadia,185.125.4.191): unknown user:
dovecot: auth: ldap(nandi,185.125.4.191): unknown user:
dovecot: auth: ldap(naranjo,193.189.117.156): unknown user:
dovecot: auth: ldap(nathalie,193.189.117.149): unknown user:
dovecot: auth: ldap(nathan,185.125.4.191): unknown user:
dovecot: auth: ldap(nava,185.125.4.191): unknown user:
dovecot: auth: ldap(neil,185.125.4.191): unknown user:
dovecot: auth: ldap(neptune,185.125.4.191): unknown user:
dovecot: auth: ldap(network,193.189.117.156): unknown user:
dovecot: auth: ldap(new,193.189.117.148): unknown user:
dovecot: auth: ldap(newton,185.125.4.191): unknown user:
dovecot: auth: ldap(nicholas,185.125.4.191): unknown user:
dovecot: auth: ldap(nichole,193.189.117.156): unknown user:
dovecot: auth: ldap(nicole,193.189.117.148): unknown user:
dovecot: auth: ldap(nikki,193.189.117.156): unknown user:
dovecot: auth: ldap(nina,193.189.117.149): unknown user:
dovecot: auth: ldap(noc,193.189.117.148): unknown user:
dovecot: auth: ldap(norma,193.189.117.156): unknown user:
dovecot: auth: ldap(norton,193.189.117.156): unknown user:
dovecot: auth: ldap(oleg,193.189.117.156): unknown user:
dovecot: auth: ldap(orlando,185.125.4.191): unknown user:
dovecot: auth: ldap(pablo,193.189.117.148): unknown user:
dovecot: auth: ldap(paige,185.125.4.191): unknown user:
dovecot: auth: ldap(paolo,193.189.117.152): unknown user:
dovecot: auth: ldap(password,185.125.4.191): unknown user:
dovecot: auth: ldap(pat,193.189.117.152): unknown user:
dovecot: auth: ldap(patricia,185.125.4.191): unknown user:
dovecot: auth: ldap(patty,185.125.4.191): unknown user:
dovecot: auth: ldap(payment,185.125.4.191): unknown user:
dovecot: auth: ldap(paz,185.125.4.191): unknown user:
dovecot: auth: ldap(pc03,193.189.117.152): unknown user:
dovecot: auth: ldap(pereira,185.125.4.197): unknown user:
dovecot: auth: ldap(perfil,193.189.117.152): unknown user:
dovecot: auth: ldap(perl,185.125.4.197): unknown user:
dovecot: auth: ldap(perry,185.125.4.191): unknown user:
dovecot: auth: ldap(pharmacy,185.125.4.191): unknown user:
dovecot: auth: ldap(philip,193.189.117.152): unknown user:
dovecot: auth: ldap(phoenix,193.189.117.152): unknown user:
dovecot: auth: ldap(physics,185.125.4.197): unknown user:
dovecot: auth: ldap(pics,185.125.4.197): unknown user:
dovecot: auth: ldap(pie,185.125.4.197): unknown user:
dovecot: auth: ldap(pina,185.125.4.197): unknown user:
dovecot: auth: ldap(place,185.125.4.191): unknown user:
dovecot: auth: ldap(plant,185.125.4.191): unknown user:
dovecot: auth: ldap(point,185.125.4.197): unknown user:
dovecot: auth: ldap(police,185.125.4.191): unknown user:
dovecot: auth: ldap(politics,185.125.4.191): unknown user:
dovecot: auth: ldap(polly,185.125.4.197): unknown user:
dovecot: auth: ldap(pool,185.125.4.191): unknown user:
dovecot: auth: ldap(pop3,185.125.4.197): unknown user:
dovecot: auth: ldap(portatil,193.189.117.148): unknown user:
dovecot: auth: ldap(poster,185.125.4.191): unknown user:
dovecot: auth: ldap(pot,185.125.4.197): unknown user:
dovecot: auth: ldap(potato,185.125.4.197): unknown user:
dovecot: auth: ldap(power,185.125.4.191): unknown user:
dovecot: auth: ldap(practice,185.125.4.197): unknown user:
dovecot: auth: ldap(praise,185.125.4.197): unknown user:
dovecot: auth: ldap(president,185.125.4.197): unknown user:
dovecot: auth: ldap(prince,185.125.4.191): unknown user:
dovecot: auth: ldap(priority,185.125.4.197): unknown user:
dovecot: auth: ldap(process,185.125.4.197): unknown user:
dovecot: auth: ldap(profesor,185.125.4.191): unknown user:
dovecot: auth: ldap(professional,185.125.4.197): unknown user:
dovecot: auth: ldap(professor,193.189.117.154): unknown user:
dovecot: auth: ldap(profile,193.189.117.152): unknown user:
dovecot: auth: ldap(promise,185.125.4.197): unknown user:
dovecot: auth: ldap(protocol,185.125.4.197): unknown user:
dovecot: auth: ldap(proyecto,193.189.117.152): unknown user:
dovecot: auth: ldap(ps,193.189.117.147): unknown user:
dovecot: auth: ldap(puertas,185.125.4.191): unknown user:
dovecot: auth: ldap(python,185.125.4.197): unknown user:
dovecot: auth: ldap(qtss,193.189.117.154): unknown user:
dovecot: auth: ldap(rabia,185.125.4.197): unknown user:
dovecot: auth: ldap(rack,185.125.4.197): unknown user:
dovecot: auth: ldap(rae,185.125.4.197): unknown user:
dovecot: auth: ldap(ralph,185.125.4.191): unknown user:
dovecot: auth: ldap(ram,185.125.4.191): unknown user:
dovecot: auth: ldap(ramiro,193.189.117.154): unknown user:
dovecot: auth: ldap(raquel,185.125.4.197): unknown user:
dovecot: auth: ldap(ray,193.189.117.152): unknown user:
dovecot: auth: ldap(read,185.125.4.197): unknown user:
dovecot: auth: ldap(reality,185.125.4.197): unknown user:
dovecot: auth: ldap(rebecca,193.189.117.154): unknown user:
dovecot: auth: ldap(rechnung,193.189.117.154): unknown user:
dovecot: auth: ldap(recording,185.125.4.197): unknown user:
dovecot: auth: ldap(recover,185.125.4.197): unknown user:
dovecot: auth: ldap(red,193.189.117.154): unknown user:
dovecot: auth: ldap(reed,185.125.4.197): unknown user:
dovecot: auth: ldap(reference,185.125.4.197): unknown user:
dovecot: auth: ldap(register,193.189.117.154): unknown user:
dovecot: auth: ldap(registro,193.189.117.147): unknown user:
dovecot: auth: ldap(remoto,193.189.117.152): unknown user:
dovecot: auth: ldap(ricky,193.189.117.148): unknown user:
dovecot: auth: ldap(robin,193.189.117.147): unknown user:
dovecot: auth: ldap(rocio,193.189.117.154): unknown user:
dovecot: auth: ldap(roger,193.189.117.148): unknown user:
dovecot: auth: ldap(roman,193.189.117.154): unknown user:
dovecot: auth: ldap(rosario,193.189.117.154): unknown user:
dovecot: auth: ldap(ruben,193.189.117.147): unknown user:
dovecot: auth: ldap(sales1,193.189.117.152): unknown user:
dovecot: auth: ldap(sally,193.189.117.152): unknown user:
dovecot: auth: ldap(sam,193.189.117.148): unknown user:
dovecot: auth: ldap(samantha,193.189.117.154): unknown user:
dovecot: auth: ldap(sandi,193.189.117.154): unknown user:
dovecot: auth: ldap(sandra,193.189.117.148): unknown user:
dovecot: auth: ldap(sandy,193.189.117.148): unknown user:
dovecot: auth: ldap(sarah,193.189.117.147): unknown user:
dovecot: auth: ldap(schmidt,193.189.117.152): unknown user:
dovecot: auth: ldap(sean,193.189.117.152): unknown user:
dovecot: auth: ldap(sensor,193.189.117.154): unknown user:
dovecot: auth: ldap(seo,193.189.117.148): unknown user:
dovecot: auth: ldap(share,193.189.117.147): unknown user:
dovecot: auth: ldap(sharon,193.189.117.152): unknown user:
dovecot: auth: ldap(ship,193.189.117.152): unknown user:
dovecot: auth: ldap(simon,193.189.117.147): unknown user:
dovecot: auth: ldap(smile,193.189.117.154): unknown user:
dovecot: auth: ldap(spam,81.168.60.61): unknown user:
dovecot: auth: ldap(spam@balaskas.gr,81.168.60.61): unknown user:
dovecot: auth: ldap(spectrum,193.189.117.147): unknown user:
dovecot: auth: ldap(sql,193.189.117.147): unknown user:
dovecot: auth: ldap(sqlservice,193.189.117.147): unknown user:
dovecot: auth: ldap(staging,193.189.117.152): unknown user:
dovecot: auth: ldap(standard,193.189.117.154): unknown user:
dovecot: auth: ldap(studio,193.189.117.154): unknown user:
dovecot: auth: ldap(summer,193.189.117.152): unknown user:
dovecot: auth: ldap(sunny,193.189.117.152): unknown user:
dovecot: auth: ldap(sync,193.189.117.154): unknown user:
dovecot: auth: ldap(tania,193.189.117.147): unknown user:
dovecot: auth: ldap(tatiana,193.189.117.154): unknown user:
dovecot: auth: ldap(tax,193.189.117.152): unknown user:
dovecot: auth: ldap(telecomunicaciones,193.189.117.152): unknown user:
dovecot: auth: ldap(test@balaskas.gr,89.248.162.175): unknown user:
dovecot: auth: ldap(testpc,193.189.117.154): unknown user:
dovecot: auth: ldap(tools,193.189.117.152): unknown user:
dovecot: auth: ldap(touch,185.125.4.198): unknown user:
dovecot: auth: ldap(tower,185.125.4.198): unknown user:
dovecot: auth: ldap(traci,185.125.4.198): unknown user:
dovecot: auth: ldap(tracy,193.189.117.154): unknown user:
dovecot: auth: ldap(trade,185.125.4.198): unknown user:
dovecot: auth: ldap(traffic,185.125.4.198): unknown user:
dovecot: auth: ldap(train,193.189.117.152): unknown user:
dovecot: auth: ldap(treasure,185.125.4.198): unknown user:
dovecot: auth: ldap(tristan,185.125.4.198): unknown user:
dovecot: auth: ldap(troy,193.189.117.154): unknown user:
dovecot: auth: ldap(trujillo,185.125.4.198): unknown user:
dovecot: auth: ldap(truman,185.125.4.198): unknown user:
dovecot: auth: ldap(ts,193.189.117.154): unknown user:
dovecot: auth: ldap(tucker,185.125.4.198): unknown user:
dovecot: auth: ldap(tyler,185.125.4.198): unknown user:
dovecot: auth: ldap(type,185.125.4.198): unknown user:
dovecot: auth: ldap(ubuntu,193.189.117.154): unknown user:
dovecot: auth: ldap(unicorn,193.189.117.154): unknown user:
dovecot: auth: ldap(union,185.125.4.198): unknown user:
dovecot: auth: ldap(upgrade,193.189.117.154): unknown user:
dovecot: auth: ldap(usuarioprueba,185.125.4.198): unknown user:
dovecot: auth: ldap(uucp,185.125.4.198): unknown user:
dovecot: auth: ldap(val,185.125.4.198): unknown user:
dovecot: auth: ldap(valenzuela,185.125.4.198): unknown user:
dovecot: auth: ldap(valeria,185.125.4.198): unknown user:
dovecot: auth: ldap(valerie,193.189.117.154): unknown user:
dovecot: auth: ldap(valerio,185.125.4.198): unknown user:
dovecot: auth: ldap(value,185.125.4.198): unknown user:
dovecot: auth: ldap(vanessa,193.189.117.152): unknown user:
dovecot: auth: ldap(vector,185.125.4.198): unknown user:
dovecot: auth: ldap(venta,193.189.117.154): unknown user:
dovecot: auth: ldap(ventas2,193.189.117.154): unknown user:
dovecot: auth: ldap(vente,185.125.4.198): unknown user:
dovecot: auth: ldap(verhaal,185.125.4.198): unknown user:
dovecot: auth: ldap(veronique,185.125.4.198): unknown user:
dovecot: auth: ldap(vincenzo,185.125.4.198): unknown user:
dovecot: auth: ldap(virgil,185.125.4.198): unknown user:
dovecot: auth: ldap(vnc,193.189.117.152): unknown user:
dovecot: auth: ldap(voice,185.125.4.198): unknown user:
dovecot: auth: ldap(wall,185.125.4.198): unknown user:
dovecot: auth: ldap(walter,193.189.117.152): unknown user:
dovecot: auth: ldap(watch,185.125.4.198): unknown user:
dovecot: auth: ldap(water,193.189.117.154): unknown user:
dovecot: auth: ldap(wave,185.125.4.198): unknown user:
dovecot: auth: ldap(webmaster,104.160.176.218): unknown user:
dovecot: auth: ldap(webmaster@ebalaskas.gr,104.160.176.218): unknown user:
dovecot: auth: ldap(william,193.189.117.154): unknown user:
dovecot: auth: ldap(x,193.189.117.152): unknown user:

Reading through “Smart Girl’s Guide to Privacy - Practical Tips for Staying Safe Online by Violet Blue” (totally recommend it), there is a great tip in the first few pages:

- Use different email addresses for different online accounts.

… but is it possible ?

Different Passwords

We already know that we need to use a different password for every site. So we use lastpass or password managers for keeping our different passwords safe. We are nowadays used to create/generate complex passwords for every site, but is it absolutely necessary to also have a different email address for every single one ?

Different Email Addresses

Let me be as clear as I can: There is no obvious answer.

If you value your online privacy and your security threat model is set really high, then Yes you also need a different email address.

But it depends entirely on you and how you use your online identity. Perhaps in social media sites (like facebook or twitter) you dont need to give your personal email address, but perhaps on linkedin you want to use your well-known email-identity. So again, it depends on your security thread model.

Another crucial tip: DO NOT cross-connect your online personas from different social medias.

Disposable Email Server

In this blog post, I will try to describe the simple steps you need to take, to create your own personal disposable email server. In simple words, that means that you can dynamically create and use a unique/specific-site-only email address that you can use for sign-up or register to a new site. Using a different email address & a different passwords for every site online, you are making it really difficult for someone to hack you.

Even if someone can get access to this specific website or -somehow- can retrieve your online account (sites are been hacked every day), you are sure that none of your other online accounts/identities can not be accessed too.

DOMAIN

To do that you will need a disposable domain. It does not have to be something clever or even useful. It needs to be something easy to write & remember. In my opinion, just get a cheap domain. If your registar support WHOIS Privacy, then even better. If dont, then try to find a registar that supports WHOIS Privacy but it isnt a blocking issue.

For this blog post I will use: example.org

Catch-All

In theory, we will create a “catch-all” domain/mail server, that will catch and forward all these emails to our current/primary email address.

DNS

So nice, you have a disposable domain. What next ?

You need to setup a new domain dns zone for your disposable domain.
And then add a MX record, like the notes below:

example.org.    86400   IN  MX  0 mail.example.org.
mail.example.org.   86400   IN  A   1.2.3.4

replace 1.2.3.4 with the server’s IP !!

Mail Server

Just install postfix !

My “notable” settings are these below:

# postconf -n

inet_interfaces = all
inet_protocols = all

message_size_limit = 35651584

smtp_address_preference = ipv6

smtpd_banner = The sky above the port was the color of television, tuned to a dead channel

virtual_alias_domains = example.org
virtual_alias_maps = hash:/etc/postfix/virtual

In my /etc/postfix/virtual I have these lines:

@example.org    my_email_address@example.net

(dont forget to postmap and reload)

# postmap /etc/postfix/virtual 

# postfix reload

…. and …. that is it, actually !!!

a. Be aware the my disposable email server is dual stack.

b. If you need to create an emailing list, try something like this:

list@example.org           my_email_address@example.net, my_other_email_address@gmail.com

dont forget to:

# postmap /etc/postfix/virtual

and reload postfix:

# postfix reload

How to use it

From now on, whenever you need to type an email address somewhere, just type a new (random or not) email address with this new disposable domain.

The catch-all setting will FWD any email to your primary email address.

I like to use the below specific pattern: When you need to sign-up to a new site, use the sites url as your new email address.

eg. twitter.com

twittercom@example.org

It’s now obvious that next time you get SPAM, you will know which one to blame (I am not suggesting that twitter is sending spam, it is just an example!).

You can also change your email address from all the sites that you have already subscribe (github, mailing lists, etc etc).

Hope this post has been helpful and easy enough for everyone.

Google Reader was -of general acceptance- the best RSS feed reader.
Yahoo had it’s own “perfect” project to parse feeds: Yahoo! Pipes

What did both projects have in common?

They both were cloud projects
that are now discontinued
cause their companies could not profit from them !!!

FreshRSS

So a lot of people started to look up on self-hosted RSS readers to overcome this issue.
Below are my notes on FreshRSS , a free, self-hostable aggregator…

First, download the latest version of FreshRSS:

Download and Setup

# wget -c https://github.com/FreshRSS/FreshRSS/archive/master.zip

# unzip master.zip 

# mv FreshRSS-master/ FreshRSS

# chown -R apache:apache FreshRSS

apache

Create a new Virtual Host on apache and use Let’s Encrypt to create a new SSL certificate:

< VirtualHost *:443 >

    ServerName  FreshRSS.example.com

    # SSL Support
    SSLEngine on

    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5

    SSLCertificateFile /etc/letsencrypt/live/FreshRSS.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/FreshRSS.example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/FreshRSS.example.com/chain.pem

    # Logs
    CustomLog logs/FreshRSS.access.log combined
    ErrorLog  logs/FreshRSS.error.log

    DocumentRoot /var/www/html/FreshRSS/

    < Directory /var/www/html/FreshRSS/ >
            Order allow,deny
            Allow from all
    < /Directory >

< /VirtualHost >

reload your apache and after that, open your browser to begin the installation process.

Installation

SQLite Backend

I prefer to use SQLite for my backend self-hosted projects, cause the backup process is a lot easier than with mysql.

At this point you have a fresh FreshRSS installation (self-hosted) on your server!
If you just want to use it through your browser, you are done.

OPML

If you already have a OPML (Outline Processor Markup Language) file with your rss/atom feeds, then you can upload it (import) through the Subscription Manager:

Feeds - Automated Updates

So conclude our FreshRSS setup, we need to automate the update of our feeds. To do that, we just need to add a cron script.

# vim /etc/crontab

*/15 * * * * apache /usr/bin/php /var/www/html/FreshRSS//app/actualize_script.php &> /tmp/fresh.log

EasyRSS

What about your android device (smart phone or tablet) ?

You can use EasyRSS !
Just install it from Fdroid and run it:

FreshRSS - API

To use EasyRSS with FreshRSS, you need to enable the API support from FreshRSS.
The EasyRSS then, will use the api through a token, so to keep things simple enough, we will also change our password to the token ID.

So go to Settings —> Authentication and enable:

    Allow API access (required for mobile apps)

Then go to Settings –> Profile and change your password too:

After that, you can now type your settings on your EasyRSS app:

https://freshrss.example.com/p/api/greader.php

Below is my setup to enable Forward secrecy

Generate DH parameters:

# openssl dhparam -out /etc/pki/tls/dh-2048.pem 2048

and then configure your prosody with Let’s Encrypt certificates

VirtualHost "balaskas.gr"

  ssl = {
      key = "/etc/letsencrypt/live/balaskas.gr/privkey.pem";
      certificate = "/etc/letsencrypt/live/balaskas.gr/fullchain.pem";
      cafile = "/etc/pki/tls/certs/ca-bundle.crt";

      # enable strong encryption
      ciphers="EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";
      dhparam = "/etc/pki/tls/dh-2048.pem";
    }

if you only want to accept TLS connection from clients and servers, change your settings to these:

c2s_require_encryption = true
s2s_secure_auth = true

Check your setup

XMPP Observatory

or check your certificates with openssl:

Server: # openssl s_client -connect balaskas.gr:5269  -starttls xmpp < /dev/null
Client: # openssl s_client -connect balaskas.gr:5222  -starttls xmpp < /dev/null

Top Ten Linux Distributions and https

A/A |  Distro    |          URL               | Verified by       | Begin      | End        | Key
01. | ArchLinux  | https://www.archlinux.org/ | Let's Encrypt     | 02/24/2016 | 05/24/2016 | 2048
02. | Linux Mint | https://linuxmint.com/     | COMODO CA Limited | 02/24/2016 | 02/24/2017 | 2048
03. | Debian     | https://www.debian.org/    | Gandi             | 12/11/2015 | 01/21/2017 | 3072
04. | Ubuntu     | http://www.ubuntu.com      | -                 | -          | -          | -
05. | openSUSE   | https://www.opensuse.org/  | DigiCert Inc      | 02/17/2015 | 04/23/2018 | 2048
06. | Fedora     | https://getfedora.org/     | DigiCert Inc      | 11/24/2014 | 11/28/2017 | 4096
07. | CentOS     | https://www.centos.org/    | DigiCert Inc      | 07/29/2014 | 08/02/2017 | 2048
08. | Manjaro    | https://manjaro.github.io/ | DigiCert Inc      | 01/20/2016 | 04/06/2017 | 2048
09. | Mageia     | https://www.mageia.org/    | Gandi             | 03/01/2016 | 02/07/2018 | 2048
10. | Kali       | https://www.kali.org/      | GeoTrust Inc      | 11/09/2014 | 11/12/2018 | 2048

Baïkal is a CalDAV and CardDAV server, based on sabre/dav,

To self hosted your own CalDAV & CardDAV server is one of the first step to better control your data and keep your data, actually, yours!So here comes Baikal which is really easy to setup. That easily you can also configure any device (mobile/tablet/laptop/desktop) to use your baikal instance and synchronize your calendar & contacts everywhere.

In this blog post are some personal notes on installing or upgrading baikal on your web server.

[ The latest version as this article was written is 0.4.1 ]

Change to your web directory (usually is something like: /var/www/html/) and download baikal:

Clean Install - Latest release 0.4.1
based on sabre/dav 3.1.2
You need at least PHP 5.5 but preferable use 5.6.

# wget -c https://github.com/fruux/Baikal/releases/download/0.4.1/baikal-0.4.1.zip
# yes | unzip baikal-0.4.1.zip

# chown -R apache:apache baikal/

That’s it !

Be Aware that there is a big difference between 0.2.7 and versions greater that 0.3.x.
And that is, that the URL has an extra part: html

from: https://baikal.example.com/admin
to : https://baikal.example.com/html/admin

If you already had installed baikal-0.2.7 and you want to upgrade to 0.4.x version and later, then you have to follow the below steps:

# wget -c http://baikal-server.com/get/baikal-flat-0.2.7.zip
# unzip baikal-flat-0.2.7.zip
# mv baikal-flat baikal

# wget -c https://github.com/fruux/Baikal/releases/download/0.4.1/baikal-0.4.1.zip
# yes | unzip baikal-0.4.1.zip

# touch baikal/Specific/ENABLE_INSTALL
# chown -R apache:apache baikal/

I prefer to create a new virtualhost every time I need to add a new functionality to my domain.

Be smart & use encryption !
Below is mine virtualhost as an example:

< VirtualHost *:443 >

    ServerName  baikal.example.com

    # SSL Support
    SSLEngine on

    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5

    SSLCertificateFile /etc/letsencrypt/live/baikal.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/baikal.example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/baikal.example.com/chain.pem

    # Logs
    CustomLog logs/baikal.access.log combined
    ErrorLog  logs/baikal.error.log

    DocumentRoot /var/www/html/baikal/

    < Directory /var/www/html/baikal/ >
            Order allow,deny
            Allow from all
    < /Directory >

< /VirtualHost >

Next step is to open your browser and browse your baikal's location,

eg. https://baikal.example.com/html/

admin interface:

https://baikal.example.com/html/admin/

or

if you have an older version (0.2.7) on your system

eg. https://baikal.example.com

I use SQLite for personal use (makes easy backup process) but you can always choose MySQL .

Dashboard on 0.4.1

Useful URIs are:

Principals:

Plugins:

Nodes:

Here is a sceen-guide on latest versions:

Login to the admin dashboard and create your user through
Users and resources tab

and you are done with the baikal installation & configuration process.

Principals

Applications (caldav/carddav and task clients) can now be accessed by visiting principals URI:

https://baikal.example.com/html/card.php/principals

or via dav.php

https://baikal.example.com/html/dav.php

but If your client does not support the above holistic URI, then try the below for calendar & contacts:

CalDAV

https://baikal.example.com/html/cal.php/calendars/test/default

CardDAV

https://baikal.example.com/html/card.php/addressbooks/test/default

On android devices, I use: DAVdroid

If you have a problem with your self-signed certificate,
try adding it to your device through the security settings.

I’ve started a new project with bottle.py and had some hiccups with static files and templates.

My project layout is (something) like that:

/

    app.wsgi
    bottle.py

    static/
        static/css
            static/css/bootstrap-theme.min.css
            static/css/bootstrap.min.css
        static/img
            static/img/logo.png
        static/js
            static/js/bootstrap.min.js
            static/js/npm.js
            static/js/tab.js
            static/js/jquery-1.12.1.min.js

    views/
        views/search.tpl
        views/index.tpl
        views/header.tpl
        views/footer.tpl

my app.wsgi is looking something like (dynamic routes & templates):

@bottle.route('/')
@bottle.route('/< action >/< name >')
def main(action='/',name=None):
    if ( action == '/' ) :
        return template("index", title=" some title ")
    else:
        return template(action, title=" some title ", name=name)

application = bottle.default_app()

I can translate every REST request to a new template and use AJAX inside the templates.

But what-about static files like stylesheets and javascripts ?

eg.

< script src="jquery-1.12.1.min.js"> < / script>
< img src="logo_hp.png" >

When working with dynamic routes (or any routes in bottle) unless you are using the main app.wsgi everything else will be translated to something like:

GET /search/jquery-1.12.1.min.js
GET /view/jquery-1.12.1.min.js
etc

If you noticed the layout then somehow we need to map all static files (css,js,images) to our static folder. We can map static files from "/" with the code below:

@bottle.get('< filename:re:.*.js >')
def static_js(filename):
    return static_file(filename, root='static/js')

@bottle.get(' < filename:re:.*.css > ')
def static_css(filename):
    return static_file(filename, root='static/css')

@bottle.get(' < filename:re:.*.png > ')
def static_img(filename):
    return static_file(filename, root='static/img')

Ok, that worked for the initial route (index page) but what about all the other templates & requests?

The solution was really (really) very very simply, even if it took me a couple hours to figure it out!!

I just needed to add a forward slash in front of every static file:

< script src="/jquery-1.12.1.min.js"> < / script>
< img src="/logo.png" >

and the GET request becomes:

"GET /jquery-1.12.1.min.js

and we can now route the static files to our static file directory.

I spent a lot of time on commute, so the last year I’ve spent a lot of time listening to podcasts and audio books!

Here are the latest books (in random order) I’ve heard:

Little Brother by Cory Doctorow

Information Doesn’t Want to Be Free by Cory Doctorow

The Hitchhiker’s Guide to the Galaxy (radio edition) by Douglas Adams

debootstrap is a very powerful tool that most of debian/ubuntu people already know about.

It’s really super easy to create your own basic debian docker image, even if you are not running debian.

I used the below steps to my archlinux box, but i believe are generic and you can also use them, without any effort.

Step One:

Download and prepare debootstrap

# wget -c http://ftp.debian.org/debian/pool/main/d/debootstrap/debootstrap_1.0.77.tar.gz
# tar xf debootstrap_*.tar.gz
# cd debootstrap

# sed -i -e 's#/usr/share/debootstrap#.#' debootstrap

Step Two:

debootstrap a new sid (unstable) debian:

# mkdir sid

# ./debootstrap --arch amd64 --include=aptitude  sid sid/

Step Three:

Just to be safe, extract debian packages with ar

# cd sid

# for i in `ls -1 var/cache/apt/archives/*deb`; do ar p $i data.tar.xz | tar xJ ; done
# for i in `ls -1 var/cache/apt/archives/*deb`; do ar p $i data.tar.gz | tar xz ; done
# rm -rf var/cache/apt/archives/*deb

Step Four:

Prepare your debian unstable directory.
eg. create the sources.list file

# cat > etc/apt/sources.list << EOF
> deb http://ftp.gr.debian.org/debian unstable main contrib non-free
> deb http://ftp.debian.org/debian/ Sid-updates main contrib non-free
> deb http://security.debian.org/ Sid/updates main contrib non-free
> EOF

Step Five:

Dockerized your debian image:

# tar -c . | docker import - debian:sid
cdf6f22b76f23fa95ae2d5858cec4546086a2064b66cf34b937bc87c83f13c91

# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
debian              sid                 cdf6f22b76f2        5 seconds ago       291.3 MB

You are now ready to play with your new image:

# docker run -t -i --rm debian:sid bash
I have no name!@f3ee67226a07:/# 

Some time ago, I wrote this article: How to create an archlinux docker image from the latest bootstrap but I think the below approach is even better.

Step 0

This step is optional.
If you want to reduce the size of the docker image:

# vi /etc/pacman.conf

and add the below lines:

NoExtract = usr/lib/firmware/*
NoExtract = usr/lib/modules/*
NoExtract = usr/share/locale/*
NoExtract = usr/share/man/*

Step 1

Create the latest archlinux on a temporary directory:

# mkdir -pv /tmp/latestarchlinux/var/lib/pacman
# pacman -Syy -r /tmp/latestarchlinux/
# pacman -S base -r /tmp/latestarchlinux/ --noconfirm

Step 2

dockerized the above directory

# cd /tmp/latestarchlinux/
# tar -c . | docker import - archlinux:latest
99a9d7cd2e357f2463b4bb8f3ad1e8bea4bfc10531dfac1931004405727bf035

Step 3

Actually you ‘ve done !
Just play with it already.

# docker run -t -i --rm archlinux:latest bash
[root@de9b7a1d6058 /]#

I am not trying to resolv this issue, I have lost any faith on sourceforge a long time ago.

Although, it is sad. Once, if you wanted to download free software for your linux machine, SF was the place to be.

Nowadays the site is awful. You cant even browse the site if you dont use an ad-blocker.

It is chaotic with all these features and extremely painful if you actually try to do something, even if it is the simplest thing like changing your email address.

This post is just a personal rant about SF subscriptions and nothing more.

I have changed my email address on sourceforge for about a year now. Still I am getting subscription notifies from projects to my previous (deprecated) mail address:

…. so …. yes …

by clicking on the “Manage your subscriptions” link on the bottom of the notify email:
seems that I dont have any project subscriptions !

And that’s not even the big issue here, cause I do want to get notifies whenever SystemRescueCD do updates.

The big issue, for me at least, is when I tried to subscribe on SystemRescueCD (thinking that at least now the notifies will come to my new email address):

If you missed it, the problem is with this quote below:

sponsored content from our select partners, and more

sourceforge simple dont get it !

A colleague asked me to install MySQL UDF (MySQL user defined functions) on a server.

So here are my notes on the subject, for a CentOS 6.7 linux box:

First you need to have mysql-devel on your system which install the mysql development headers on /usr/include/mysql/ directory:

# yum -y install mysql-devel

Then download the latest source code of mysqludf_udf:

# wget -c https://raw.githubusercontent.com/mysqludf/lib_mysqludf_udf/master/lib_mysqludf_udf.c

and compile it

# gcc -m64 -fPIC -Wall
        -I/usr/include/mysql -I.
        -L/usr/lib64/libstdc++.so.6
        -shared lib_mysqludf_udf.c
        -o /usr/lib64/mysql/plugin/lib_mysqludf_udf.so

confirm:

# ls -l /usr/lib64/mysql/plugin/lib_mysqludf_udf.so

Restart your MySQL and test it !

CPU

# cat /proc/cpuinfo
Processor   : ARMv7 Processor rev 1 (v7l)
processor   : 0
BogoMIPS    : 3.27

processor   : 1
BogoMIPS    : 3.27

processor   : 2
BogoMIPS    : 3.27

processor   : 3
BogoMIPS    : 3.27

Features    : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part    : 0xc05
CPU revision    : 1

Hardware    : ODROIDC
Revision    : 000a
Serial      : 1b00000000000000

MEM

# cat /proc/meminfo
MemTotal:         995480 kB
MemFree:          696624 kB
Buffers:           31200 kB
Cached:           119288 kB
SwapCached:            0 kB
Active:            73836 kB
Inactive:          87144 kB
Active(anon):      10596 kB
Inactive(anon):     1572 kB
Active(file):      63240 kB
Inactive(file):    85572 kB
Unevictable:           0 kB
Mlocked:               0 kB
HighTotal:        268288 kB
HighFree:         166504 kB
LowTotal:         727192 kB
LowFree:          530120 kB
SwapTotal:       1049084 kB
SwapFree:        1049084 kB
Dirty:                16 kB
Writeback:             0 kB
AnonPages:         10448 kB
Mapped:            17384 kB
Shmem:              1676 kB
Slab:              58992 kB
SReclaimable:      37252 kB
SUnreclaim:        21740 kB
KernelStack:        1080 kB
PageTables:          516 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:     1546824 kB
Committed_AS:      30284 kB
VmallocTotal:     245760 kB
VmallocUsed:       19892 kB
VmallocChunk:     214012 kB

UPDATED: 14 February 2016
Blog Post: 16 December 2015

I have started (for some time now, to be honest) to transfer my router’s function to my ODROID-c1

that runs Archlinux arm so I have my favorite distribution on this beautiful development board.

# uname -a
Linux myodroid 3.10.80-13-ARCH #1 SMP PREEMPT Tue Sep 15 15:43:38 MDT 2015 armv7l GNU/Linux

for specs you can click here

The board has an Gigabit Ethernet port but no Wireless Card.

I had a spare USB Wireless Network card, so I’ve used it on one of the four USB slots of the board.

Bus 001 Device 003: ID 148f:3370 Ralink Technology, Corp. RT3370 Wireless Adapter

You need to verify that your wireless card, can support Access Point functionality.
To verify your card, type:

# iw list | grep AP

if you see something like that: #{ AP } then you probably are ok.

The most important thing is to find out what your card can do, mine:

        valid interface combinations:
                 * #{ AP } <= 8,
                   total <= 8, #channels <= 1

That means that I can configure up to 8 AP (Access Points), 8 different ssid but only on one channel !

Reading through the internet (mostly on archlinux wiki) I had, first, to create a Bridge with my Ethernet card and then hostapd will add my Wireless Card to the same bridge.

Although I use systemd for a while sometime, I wasnt able to create the bridge interface via systemd. I’ve tested my confs/files to a secondary linux machine and I know for a fact that my notes are correct. Somehow it seems that there is a problem with systemd on ODROID-c1 regarding this or perhaps I havent found the problem with my setup!

So I’ve created a shell script that runs after boot: net.sh

!/bin/sh

ip link add br0 type bridge
ip link set br0 up

ip link set eth0 up
ip link set eth0 master br0

ip addr add 10.10.10.10/24 dev br0
ip route add default via 10.10.10.1 dev br0

# Wireless Vlan (Guest Network)
ip address add 10.10.20.10/24 dev br0:0

# Enable Forwarding
sysctl -w net.ipv4.ip_forward=1

# Masquerade traffic
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE

# Accept forwarding
iptables -P FORWARD ACCEPT

# Start (or restart) hostapd
systemctl restart hostapd.service

# Isolate Vlan 10.10.20.0/24 (Guest Network) from 10.10.10.0/24 (Home Network)
iptables -I FORWARD -s 10.10.20.0/24 -d 10.10.10.0/24 -j DROP

a basic setup of hostapd is below. I’ve used TEST as the ssid and TESTTESTTEST as the password:

/etc/hostapd/hostapd.conf

interface=wlan0
bridge=br0
driver=nl80211
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=Testing
hw_mode=g
channel=1
ap_isolate=1
own_ip_addr=127.0.0.1
wpa=2
wpa_passphrase=TestingTesting
wpa_key_mgmt=WPA-PSK

On this ODROID-C1 board, I run my own DNS Cache/DHCP server with dnsmasq.

/etc/dnsmasq.conf

interface=br0
# custom host file to reduce ads
addn-hosts=/etc/hosts.txt

dhcp-range=10.10.20.16,10.10.20.32,12h
dhcp-option=option:router,10.10.20.10
dhcp-option=option:dns-server,10.10.20.10
dhcp-option=option:ntp-server,193.93.167.241

As we getting closer to the amazing 32nd Chaos Communication Congress (32C3) we must consider some privacy steps to our electronic devices.

Perhaps it’s idiotic to take a smartphone to this conference, as we all know that in such events hacking is fair play to everyone.

The below quote, from Person of Interest, reminds us exactly that:

If they don’t want you to get inside, they ought to build it better.

You should treat every network as a hostile, already compromised network.
It’s probably true, anyway !

For us mere people that we dont have many security knowledge, we need to take some extra security measures if we want to bring our smartphone together. It’s just for browsing, taking some picture from the event (and not the people, respect that please), check some emails or tweet something interesting.

Btw, if you believe that it is ok to use your smartphone/laptop on your hotel room, think again!
Where do you think all the hackers from the event are going to sleep ?
Yeap, on the same hotel. So be extra careful in places you feel more safe!

This isnt a guide you must or should follow, or even a bulletproof solution. As the subject of this blog post suggest is just a step closer. You should also remind your self in idle times (as watching a presentation) to keep your phone in airplane mode and always use TOR for browsing.

So, on a spare -just formatted- android mobile phone install AFWall+, create a new profile and BLOCK everything. Whitelist only OpenVPN.

Check your browser to see that you dont have access on the internet:

Connect to your OpenVPN server and check again:

[UPDATE 2015 12 13]

How about if you could control your entire home temperature and hot water/central heating etc etc, through your smartphone over the internet ?

You are going to think that this is a dangerous IoT (Internet of Thing) that exposes your privacy to unknown attackers and your smart home is going to be under the control of an evil company.

What if I could tell you, that you can build your own smart controller with open-design/open hardware & free software that costs about €100 ?

Crazy, right ?

Actually there is a project that does exactly all the above and much more and it’s based on a Raspberry Pi.

Let me introduce you to HestiaPi .

The name comes from the greek word: εστία and everything you need to start with, have already been published by the core developer on their site.

The team behind this awesome project will host/run an open/free entrance two day Hackathon at Athens, Hackerspace on 2016.

If you are curious on the project, visit hackerspace.gr and be part of this amazing project.

First remove NetworkManager:

# systemctl stop NetworkManager

# systemctl disable NetworkManager
rm '/etc/systemd/system/multi-user.target.wants/NetworkManager.service'
rm '/etc/systemd/system/dbus-org.freedesktop.NetworkManager.service'
rm '/etc/systemd/system/dbus-org.freedesktop.nm-dispatcher.service'

# yum -y remove NetworkManager*

# /usr/bin/rm -rf /etc/NetworkManager

If you want to be more productive you should clean your system from FirewallD, install iptables-services and if you are going to install a redhat product/software disable SELinux as it’s manual going to suggest !

Now we can proceed.

# systemctl status network.service

will show us /etc/rc.d/init.d/network as the network orchestrator on the system.
Reading this file will get you a basic understanding of networking.

if [ ! -f /etc/sysconfig/network ]; then
    exit 6
fi

that tells us that file: /etc/sysconfig/network must exist on our system.

If you want to disable the network on this linux machine you can do it by adding the below declaration:

NETWORKING=no

So here are my notes for bonding:

eth0 + eth1 = bond0 with Adaptive transmit load balancing:

# cat /etc/sysconfig/network-scripts/ifcfg-em1
DEVICE=em1
MASTER=bond0
SLAVE=yes

# cat /etc/sysconfig/network-scripts/ifcfg-em2
DEVICE=em2
MASTER=bond0
SLAVE=yes

and bond0:

DEVICE=bond0

BONDING_OPTS="miimon=1 updelay=0 downdelay=0 mode=balance-tlb"
TYPE=Bond
BONDING_MASTER=yes

DNS1=xxx.xxx.xxx.xxx
GATEWAY=8.8.8.8
IPADDR=xxx.xxx.xxx.1
PREFIX=24
DEFROUTE=yes

BOOTPROTO=none
ONBOOT=yes

and as yoda would tell:

“else everything do not need you”

I had the opportunity to participate on an Athen’s Hackerspace event with a dozen debian developers about the issue with reproducible distribution’s package builds.

I had never thought of this thing before and the presentation blown me away !

So here is the deal, if you download the latest openssl package from an archlinux mirror (want archlinux users will going to do):

# pacman -Sw openssl

What if we tried to build openssl by our selfs from the PKGBUILD file ?

# cd /var/abs/core/openssl

$ makepkg -cf
==> Making package: openssl 1.0.2.e-1 (Sun Dec  6 13:07:08 EET 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found openssl-1.0.2e.tar.gz
  -> Found openssl-1.0.2e.tar.gz.asc
  -> Found no-rpath.patch
  -> Found ca-dir.patch
==> Validating source files with md5sums...
    openssl-1.0.2e.tar.gz ... Passed
    openssl-1.0.2e.tar.gz.asc ... Skipped
    no-rpath.patch ... Passed
    ca-dir.patch ... Passed
==> Verifying source file signatures with gpg...
    openssl-1.0.2e.tar.gz ... Passed
==> Extracting sources...
  -> Extracting openssl-1.0.2e.tar.gz with bsdtar
==> Starting prepare()...

...
...
...

==> Leaving fakeroot environment.
==> Finished making: openssl 1.0.2.e-1 (Sun Dec  6 13:11:06 EET 2015)
==> Cleaning up...

Let’s check the md5sum:

# md5sum /var/cache/pacman/pkg/openssl-1.0.2.e-1-x86_64.pkg.tar.xz
         /var/abs/core/openssl/openssl-1.0.2.e-1-x86_64.pkg.tar.xz 

b555ac4294a2f39ef0caa19e21a28355  /var/cache/pacman/pkg/openssl-1.0.2.e-1-x86_64.pkg.tar.xz
08755bad654f74b8a1c4c5386934aeea  /var/abs/core/openssl/openssl-1.0.2.e-1-x86_64.pkg.tar.xz

wat ???

why isnt both files similar exactly the same ?

Let’s find out what are the differences between these two files by using diffoscope

diffoscope --html /tmp/openssl.html
    /var/cache/pacman/pkg/openssl-1.0.2.e-1-x86_64.pkg.tar.xz
    /var/abs/core/openssl/openssl-1.0.2.e-1-x86_64.pkg.tar.xz

fire up an html browser and open /tmp/openssl.html

Read carefully the output, most of them are timestamps.
So what this fuzz is all about ?

There is a huge problem actually, we trust our distributions for privacy and security.

But what if governments have already compromised ftp mirrors or by MITM we have already installed a backdoor software?

That’s what core developers from major distributions are fighting as we speak, they are trying to engage more core developers and find a way to redistribute reproducible builds so that you can actually verify a package build on your PC.

Need to know more?

Click here: reproducible-builds

Can you help ?
take a look on diffoscope