Paste into a VMware VM
December 16, 2019 — 15:33

Author: silver  Category: virtualization  Comments: Off

Tired of typing that root (or admin) password into the console? Thanks to the always excellent virtuallyghetto.com there’s an easier method now. It works with all kinds of text, by sending USB scan codes to the VM.

It uses VMware.Vim.UsbScanCodeSpecKeyEvent objects, which are sent to the VM with $vm.PutUsbScanCodes().

Ready-to-use PowerShell and Go code is already provided. In PowerShell this can be combined with Get-Credential, for example.

ClamAV
December 16, 2019 — 15:14

Author: silver  Category: linux  Comments: Off

ClamAV is a decent anti-virus scanner for Linux. Unfortunately it does not run very well on low-memory systems (<1GB).

Running its database update tool freshclam can trigger the OOM killer. You will notice this when fetching the daily cdiffs keeps failing (see ‘dmesg’ and /var/log/clamdb). Cdiffs contain only the differences between database versions rather than full files; the problem is applying them to build complete cvd files.

If there’s close to enough RAM you could try using cgroups (or systemd), if that’s available, or good old ulimit:

Edit /etc/cron.d/clamav-freshclam and replace what’s there with:

29 */1 * * *    clamav [ -x /usr/bin/freshclam ] && { ulimit -Sm 512000; ulimit -Sv 512000; ulimit -Hm 1024000; ulimit -Hv 1024000; /usr/bin/freshclam --quiet; } > /dev/null

But what if you’re on an embedded system or a small VPS and there isn’t even close to 1GB of memory available?

Simple, just fetch the full cvd files instead:

29 */1 * * *     clamav { cd /var/lib/clamav && for i in bytecode.cvd daily.cvd main.cvd; do wget -N -q "http://db.local.clamav.net/$i"; done; }  > /dev/null
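The two cron lines above are the whole post; the script below is an added example (not code from the post or from the ClamAV project) that puts them together: it picks a strategy from the amount of RAM, runs freshclam under the post’s ulimit caps or fetches whole cvd files, and then sanity-checks each file by its CVD header. The 1 GB / 768 MB thresholds, the function names and the constructed sample header are assumptions of this example. Note that the cron line uses wget without -O: wget ignores -N (timestamping) when -O is given, so the original form re-downloaded every database on every run.

```shell
#!/bin/sh
# Added example, not part of the original post: pick freshclam's strategy from
# the amount of RAM and sanity-check any .cvd that was fetched with wget rather
# than freshclam. The thresholds, function names and the constructed sample
# header are assumptions of this example, not values from the post.

CLAMDB_DIR=${CLAMDB_DIR:-/var/lib/clamav}
MIRROR=${MIRROR:-http://db.local.clamav.net}   # mirror host as written in the post

# Choose a strategy from MemTotal in KB (second column of /proc/meminfo):
#   freshclam - at least 1 GB: run freshclam as shipped
#   ulimit    - between 768 MB and 1 GB ("close to enough"): cap freshclam
#   fullcvd   - less than that: download whole .cvd files instead
freshclam_mode() {
    mem_kb=$1
    if [ "$mem_kb" -ge 1048576 ]; then
        echo freshclam
    elif [ "$mem_kb" -ge 786432 ]; then
        echo ulimit
    else
        echo fullcvd
    fi
}

# Run freshclam under the soft/hard RSS (-m) and address-space (-v) caps from
# the post's cron line, inside a subshell so the limits do not leak out.
freshclam_limited() {
    (
        ulimit -Sm 512000 && ulimit -Sv 512000 &&
        ulimit -Hm 1024000 && ulimit -Hv 1024000 &&
        exec /usr/bin/freshclam --quiet
    )
}

# Fetch the full databases. wget ignores -N (timestamping) when -O is given,
# so change into the target directory instead of naming the output file.
fetch_full_cvds() {
    cd "$CLAMDB_DIR" || return 1
    for i in bytecode.cvd daily.cvd main.cvd; do
        wget -N -q "$MIRROR/$i" || return 1
    done
}

# Print the version field from a CVD's 512-byte text header, whose layout is
#   ClamAV-VDB:<build time>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>
# Returns 1 when the file does not start with the ClamAV-VDB magic.
cvd_version() {
    hdr=$(head -c 512 "$1" 2>/dev/null | tr -d '\n')
    case $hdr in
        ClamAV-VDB:*) printf '%s\n' "$hdr" | cut -d: -f3 ;;
        *) return 1 ;;
    esac
}

# Write a constructed header to $1 so cvd_version can be exercised offline.
# Every field is made up; the file carries no real signature or signatures.
make_sample_cvd() {
    printf 'ClamAV-VDB:16 Dec 2019 10-23 -0500:25660:2099271:63:%s:%s:builder:1576509780' \
        0123456789abcdef0123456789abcdef FAKESIGNATURE > "$1"
}

main() {
    mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    case $(freshclam_mode "$mem_kb") in
        freshclam) /usr/bin/freshclam --quiet ;;
        ulimit)    freshclam_limited ;;
        fullcvd)   fetch_full_cvds ;;
    esac
    for i in bytecode.cvd daily.cvd main.cvd; do
        if v=$(cvd_version "$CLAMDB_DIR/$i"); then
            echo "$i: version $v"
        else
            echo "$i: missing or not a CVD file" >&2
        fi
    done
}

# Only act when invoked with "run", so the functions can be sourced or tested.
if [ "${1:-}" = run ]; then main; fi
```

Two caveats worth knowing when choosing between the strategies: on current Linux kernels RLIMIT_RSS (ulimit -m) is not enforced, so it is the -v address-space cap that actually stops freshclam from growing; and freshclam verifies the digital signature embedded in each cvd before installing it, which a plain wget does not, so after fetching full files run sigtool --info on them, which prints the header fields and verifies that embedded signature.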

Password Managers
December 11, 2019 — 15:34

Author: silver  Category: encryption linux windows  Comments: Off

There are basically three categories to choose from, depending on where the service and database live: local, "cloud"/SaaS, or self-hosted on-premise.

For single-user/home usage KeePass is fine, or perhaps even the password manager built into the web browser. Using one of the SaaS options such as LastPass adds ease of access.

For company/enterprise usage, sharing passwords within groups/teams should be supported, preferably with an on-prem option.

Private ranges
December 11, 2019 — 14:41

Author: silver  Category: network  Comments: Off

RFC1918 (IPv4)

  • 10.0.0.0 – 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 – 192.168.255.255 (192.168/16 prefix)

https://tools.ietf.org/html/rfc1918

https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml

RFC4193 (IPv6)

  • fd00::/8

Uncompressed:

fd00:0000:0000:0000:0000:0000:0000:0000

Range start-end:

fd00:0000:0000:0000:0000:0000:0000:0000
fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

https://tools.ietf.org/html/rfc4193

https://tools.ietf.org/html/draft-delong-ula-example-00

https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
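The ranges above are easy to get wrong when checked by hand (172.32.0.0 and 192.169.0.0 both look private but are not). The script below is an added example, not part of the original post: a POSIX sh classifier for the three RFC 1918 blocks and for fd00::/8. For the IPv6 check it relies on the fact that RFC 4193 reserves fc00::/7 as a whole, of which fd00::/8 is the locally assigned half listed above, so only the first hextet decides. Function names and the sample addresses are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: classify an address against the
# private ranges listed in the post. Function names and the sample addresses
# at the bottom are constructed for this example.

# Return 0 when $1 is an IPv4 address inside one of the three RFC 1918 blocks
# (10/8, 172.16/12, 192.168/16); 1 for any other string, malformed ones included.
is_rfc1918() {
    old_ifs=$IFS; IFS=.
    set -f                          # no globbing while the string is split
    set -- $1
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac   # empty or non-numeric octet
        [ "$o" -le 255 ] || return 1
    done
    case "$1.$2" in
        10.*)    return 0 ;;
        192.168) return 0 ;;
        172.*)   if [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi ;;
    esac
    return 1
}

# Return 0 when $1 is inside fd00::/8, the locally assigned half of the RFC 4193
# fc00::/7 ULA block. Only the first hextet matters, and because it starts with
# 0xfd no leading zero can have been compressed away.
is_ula() {
    case $1 in
        [fF][dD][0-9a-fA-F][0-9a-fA-F]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Dispatch on the address family and print a one-word verdict.
classify() {
    case $1 in
        *:*) if is_ula "$1"; then echo fd00::/8; else echo not-fd00::/8; fi ;;
        *)   if is_rfc1918 "$1"; then echo rfc1918; else echo not-rfc1918; fi ;;
    esac
}

# Constructed sample input: one address per line, both families, a malformed one.
SAMPLE='10.1.2.3
172.31.255.254
172.32.0.1
192.168.0.10
192.169.0.10
8.8.8.8
300.1.1.1
fd12:3456:789a::1
fc00::1
2001:db8::1'

main() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r addr; do
        printf '%-20s %s\n' "$addr" "$(classify "$addr")"
    done
}
if [ "${1:-}" = run ]; then main; fi
```

Run it with `sh classify.sh run` to print the verdict for each sample address; the functions can also be sourced into a firewall or log-triage script where "is this source internal?" needs a reliable answer.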

nftables
December 11, 2019 — 14:32

Author: silver  Category: linux network  Comments: Off

nftables (nft) replaces iptables:

  • Debian (10 buster) links ‘iptables’ to ‘iptables-nft’; the old ‘iptables’ is now ‘iptables-legacy’
  • RH uses nft as the preferred firewall since RHEL8, and firewalld uses nft as its backend

If you haven’t switched yet you might want to ‘translate’ your current iptables rules and make other programs use nft.

config

rules are located in:

  • Debian /etc/nftables.conf
  • RedHat /etc/sysconfig/nftables.conf

list

nft list ruleset

nft list chain ip filter INPUT

nft list tables

nft list table ip filter

flush

nft flush ruleset

translate

iptables-restore-translate -f /etc/iptables/rules.v4 > /etc/iptables/ruleset.nft

ip6tables-restore-translate -f /etc/iptables/rules.v6 > /etc/iptables/ruleset6.nft

netfilter-persistent

Oddly enough the only place I could find an nft plugin was here:

curl https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/usr.share.netfilter-persistent.plugins.d.15-nft -o /usr/share/netfilter-persistent/plugins.d/15-nft

fail2ban

Make f2b use nft. From https://wiki.meurisse.org/wiki/Fail2Ban:

  • edit ‘/etc/fail2ban/jail.local.conf’: banaction = nftables-multiport

  • add to ‘/etc/nftables.conf’: include "/etc/fail2ban.conf"

  • create ‘/etc/fail2ban.conf’:

#!/usr/sbin/nft -f

# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
        chain input {
                # Note: in nftables a lower number hooks earlier, so priority 100 runs after chains at the default filter priority 0; use a value below 0 if rejects should be evaluated before the normal filter chain
                type filter hook input priority 100;
        }
}
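The translate, config and fail2ban steps above leave it to the reader to combine the pieces into a working /etc/nftables.conf. The script below is an added example, not code from the post or from the nftables or fail2ban projects: it runs the translators, composes a config that flushes first, carries the translated rules and ends with the include for the fail2ban table, checks it with `nft -c -f` and only then installs and loads it. Paths follow the post’s Debian layout; sample_translated_v4 is constructed text in the shape of translator output, not real output captured from a host.

```shell
#!/bin/sh
# Added example, not from the original post or from the nftables/fail2ban
# projects: assemble a candidate /etc/nftables.conf from the translated
# iptables rules, add the fail2ban include, check it with `nft -c -f` and only
# then install and load it. Paths follow the post's Debian layout; the
# sample_translated_v4 text is constructed, not real translator output.

RULES_V4=${RULES_V4:-/etc/iptables/rules.v4}
RULES_V6=${RULES_V6:-/etc/iptables/rules.v6}
RULESET_V4=${RULESET_V4:-/etc/iptables/ruleset.nft}
RULESET_V6=${RULESET_V6:-/etc/iptables/ruleset6.nft}
NFT_CONF=${NFT_CONF:-/etc/nftables.conf}
F2B_CONF=${F2B_CONF:-/etc/fail2ban.conf}

# Print a complete nftables.conf built from the translated fragments in $1
# and $2. A missing fragment is skipped so IPv4-only hosts work too.
build_ruleset() {
    printf '#!/usr/sbin/nft -f\n\n'
    # Start from nothing so loading the file twice does not duplicate rules.
    printf 'flush ruleset\n\n'
    for f in "$1" "$2"; do
        [ -r "$f" ] || continue
        printf '# --- translated from %s ---\n' "$f"
        grep -v '^#' "$f" || true       # keep the nft statements, drop translator comments
        printf '\n'
    done
    # fail2ban's table lives in its own file, as in the post's fail2ban step.
    printf 'include "%s"\n' "$F2B_CONF"
}

# Static checks on a config read from stdin; 0 when it flushes first, hooks
# the input path somewhere and pulls in the fail2ban table.
check_ruleset_text() {
    text=$(cat)
    printf '%s\n' "$text" | grep -q '^flush ruleset$' || return 1
    printf '%s\n' "$text" | grep -q 'hook input' || return 1
    printf '%s\n' "$text" | grep -q "^include \"$F2B_CONF\"" || return 1
}

# Translate, compose, dry-run with nft -c, then install and apply.
migrate() {
    iptables-restore-translate -f "$RULES_V4" > "$RULESET_V4" || return 1
    if [ -r "$RULES_V6" ]; then
        ip6tables-restore-translate -f "$RULES_V6" > "$RULESET_V6" || return 1
    fi
    tmp=$(mktemp) || return 1
    build_ruleset "$RULESET_V4" "$RULESET_V6" > "$tmp"
    check_ruleset_text < "$tmp" || { echo "composed ruleset failed sanity checks" >&2; return 1; }
    nft -c -f "$tmp" || { echo "nft rejected the ruleset, leaving $NFT_CONF untouched" >&2; return 1; }
    install -m 0644 "$tmp" "$NFT_CONF" && nft -f "$NFT_CONF"
}

# Constructed stand-in for iptables-restore-translate output (same shape:
# comment lines plus "add table/chain/rule" statements), for offline use.
sample_translated_v4() {
    cat <<'EOF'
# Translated by iptables-restore-translate (constructed sample)
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add rule ip filter INPUT ct state established,related counter accept
add rule ip filter INPUT iifname "lo" counter accept
add rule ip filter INPUT tcp dport 22 counter accept
# Completed (constructed sample)
EOF
}

if [ "${1:-}" = run ]; then migrate; fi
```

Because the config starts with `flush ruleset`, reloading it recreates the fail2ban table empty; restart fail2ban afterwards so it repopulates its sets, and check the result with `nft list ruleset` as in the list section above.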







