Tired of typing that root (or admin) password into the console? Thanks to the always excellent virtuallyghetto.com there’s an easier method now. It works with any text by sending USB scan codes: it builds VMware.Vim.UsbScanCodeSpecKeyEvent objects and hands them to $vm.PutUsbScanCodes(). Ready-to-use PowerShell and Go code is already provided there.
In PowerShell this can be combined with Get-Credential, for example, so the password is prompted for instead of being hard-coded in the script.
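The Get-Credential combination described above, as an added example that is neither this post's nor virtuallyghetto's code. It assumes PowerCLI is loaded, Connect-VIServer has been run, and the guest console is waiting at a text login prompt; the VM name is a placeholder, and the character-to-HID table and the ConvertTo-UsbScanCodeSpec helper are this example's own.

```powershell
# Added example, not code from the post or from virtuallyghetto. Assumes an
# active PowerCLI session; $VmName is a placeholder.
$VmName = 'PLACEHOLDER-VM'

# Character -> USB HID usage id (keyboard/keypad page). Shifted characters
# reuse the unshifted key and add the LeftShift modifier.
$hidMap = @{}
for ($i = 0; $i -lt 26; $i++) {
    $hidMap[[char](97 + $i)] = @{ Code = 0x04 + $i; Shift = $false }   # a-z
    $hidMap[[char](65 + $i)] = @{ Code = 0x04 + $i; Shift = $true  }   # A-Z
}
$digits = '1234567890'; $shifted = '!@#$%^&*()'
for ($i = 0; $i -lt 10; $i++) {
    $hidMap[$digits[$i]]  = @{ Code = 0x1E + $i; Shift = $false }
    $hidMap[$shifted[$i]] = @{ Code = 0x1E + $i; Shift = $true  }
}
$plainKeys = @{
    ' ' = 0x2C; '-' = 0x2D; '=' = 0x2E; '[' = 0x2F; ']' = 0x30; '\' = 0x31
    ';' = 0x33; "'" = 0x34; '`' = 0x35; ',' = 0x36; '.' = 0x37; '/' = 0x38
}
$shiftKeys = @{
    '_' = 0x2D; '+' = 0x2E; '{' = 0x2F; '}' = 0x30; '|' = 0x31
    ':' = 0x33; '"' = 0x34; '~' = 0x35; '<' = 0x36; '>' = 0x37; '?' = 0x38
}
foreach ($k in $plainKeys.Keys) { $hidMap[[char]$k] = @{ Code = $plainKeys[$k]; Shift = $false } }
foreach ($k in $shiftKeys.Keys) { $hidMap[[char]$k] = @{ Code = $shiftKeys[$k]; Shift = $true  } }
$hidMap[[char]10] = @{ Code = 0x28; Shift = $false }   # newline -> Enter

function ConvertTo-UsbScanCodeSpec {
    # Turn a string into the UsbScanCodeSpec that PutUsbScanCodes() expects.
    param([Parameter(Mandatory)][string]$Text)
    $events = foreach ($ch in $Text.ToCharArray()) {
        if (-not $hidMap.ContainsKey($ch)) { throw "No HID mapping for character [$ch]" }
        $ev = New-Object VMware.Vim.UsbScanCodeSpecKeyEvent
        # The API wants the usage id in the upper 16 bits, OR'd with 7
        $ev.UsbHidCode = [int](($hidMap[$ch].Code -shl 16) -bor 7)
        if ($hidMap[$ch].Shift) {
            $mod = New-Object VMware.Vim.UsbScanCodeSpecModifierType
            $mod.LeftShift = $true
            $ev.Modifiers = $mod
        }
        $ev
    }
    $spec = New-Object VMware.Vim.UsbScanCodeSpec
    $spec.KeyEvents = [VMware.Vim.UsbScanCodeSpecKeyEvent[]]$events
    return $spec
}

# Prompt for the credential instead of storing it in the script.
$cred = Get-Credential -Message 'Guest console login'
$vm   = Get-VM -Name $VmName

# Username + Enter, then password + Enter, one PutUsbScanCodes call each.
# The plaintext only exists for the duration of the two calls.
$plain = $cred.GetNetworkCredential().Password
try {
    foreach ($line in @($cred.UserName, $plain)) {
        $sent = $vm.ExtensionData.PutUsbScanCodes((ConvertTo-UsbScanCodeSpec -Text ($line + "`n")))
        Write-Verbose "sent $sent key events"
    }
} finally {
    $plain = $null
}
```

PutUsbScanCodes() returns the number of key events delivered, which is the only feedback you get; the console itself is the place to confirm the login went through.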
ClamAV is a decent anti-virus scanner for Linux. Unfortunately it does not run very well on low-memory systems (<1GB).
Running its database update tool freshclam can cause an OOM kill. You will notice this when fetching the daily cdiffs keeps failing (see ‘dmesg’ and /var/log/clamdb). cdiffs are database differences rather than full files; the problem is the memory needed to apply them and build a whole cvd.
If there’s close to enough RAM you could try cgroups (or systemd) if that’s available, or good old ulimit:
Edit /etc/cron.d/clamav-freshclam
and replace what’s there with:
29 */1 * * * clamav [ -x /usr/bin/freshclam ] && { ulimit -Sm 512000; ulimit -Sv 512000; ulimit -Hm 1024000; ulimit -Hv 1024000; /usr/bin/freshclam --quiet; } > /dev/null
But what if you’re on an embedded system or a small VPS and there’s not even close to 1GB of memory available?
Simple: just fetch the full cvd files instead. wget’s -N only downloads a file when the server copy is newer than the local one, but it is ignored when combined with -O, so -P is used to pick the target directory:
29 */1 * * * clamav { for i in bytecode.cvd daily.cvd main.cvd; do wget -N -q -P /var/lib/clamav "http://db.local.clamav.net/$i"; done; } > /dev/null
There are basically 3 different categories to choose from, depending on where the service and the database live: local, "cloud"/SaaS, or self-hosted on-premise.
For single-user/home usage KeePass is fine, or perhaps even the password manager included in web browsers. Using one of the SaaS options such as LastPass adds ease of access.
For company/enterprise usage, sharing passwords in groups/teams should be supported, and preferably there should be an on-prem option.
- KeePass (Local), good choice and free
- PGP/pass (Local), cli
- LastPass (Cloud)
- 1Password (Cloud)
- Team Password Manager (On-prem), recommended
- Bitwarden (On-prem), dotnet/mssql docker stack
- Thycotic Secret Server supposedly also does "PAM"(?) (On-prem)
RFC1918 (IPv4)
- 10.0.0.0 – 10.255.255.255 (10/8 prefix)
- 172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
https://tools.ietf.org/html/rfc1918
https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
RFC1918 equivalent for IPv6 (RFC4193 unique local addresses)
- fd00::/8
Uncompressed:
fd00:0000:0000:0000:0000:0000:0000:0000
Range start-end:
fd00:0000:0000:0000:0000:0000:0000:0000
fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
https://tools.ietf.org/html/rfc4193
https://tools.ietf.org/html/draft-delong-ula-example-00
https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
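The ranges listed above, turned into a check a practitioner can run over addresses pulled from logs. This is an added example, not part of the original notes; it uses only the standard library. It deliberately tests the three RFC1918 blocks and fd00::/8 rather than relying on ipaddress's broader is_private flag, which also counts loopback, link-local and 100.64/10 as private.

```python
import ipaddress

# The blocks as listed in the notes: RFC 1918 for IPv4, the locally-assigned
# RFC 4193 ULA block for IPv6.
RFC1918_V4 = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA_V6 = [ipaddress.ip_network("fd00::/8")]


def is_rfc1918(addr: str) -> bool:
    """True only for the RFC 1918 / fd00::/8 blocks.

    Loopback, link-local and CGNAT (100.64/10) are 'private' in the
    ipaddress module's sense but are not RFC 1918 space, so they return False.
    """
    ip = ipaddress.ip_address(addr)
    nets = RFC1918_V4 if ip.version == 4 else ULA_V6
    return any(ip in net for net in nets)


def block_bounds(prefix: str):
    """First and last address of a prefix, written out uncompressed."""
    net = ipaddress.ip_network(prefix)
    return net[0].exploded, net[-1].exploded


def classify(addrs):
    """Split addresses (e.g. from a log) into internal (RFC 1918/ULA) vs external."""
    internal, external = [], []
    for a in addrs:
        (internal if is_rfc1918(a) else external).append(a)
    return internal, external


if __name__ == "__main__":
    # Constructed sample input, not real log data.
    sample = ["10.0.0.5", "8.8.8.8", "172.32.0.1", "fd00::1", "fc00::1", "127.0.0.1"]
    print(block_bounds("172.16.0.0/12"))
    print(block_bounds("fd00::/8"))
    print(classify(sample))
```

Note that 172.32.0.1 and fc00::1 land on the external side: they are just outside the 172.16/12 and fd00::/8 boundaries, which is exactly the kind of off-by-one a hand-written prefix check tends to get wrong.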
nftables (nft) replaces iptables:
- Debian (10 buster) links ‘iptables’ to ‘iptables-nft’; the old binary is available as ‘iptables-legacy’
- RH uses nft as the preferred firewall since RHEL8, and firewalld uses nft as its backend
If you haven’t switched yet you might want to ‘translate’ your current iptables rules and make other programs use nft.
config
rules are located in:
- Debian: /etc/nftables.conf
- RedHat: /etc/sysconfig/nftables.conf
list
nft list ruleset
nft list chain ip filter INPUT
nft list tables
nft list table ip filter
flush
nft flush ruleset
translate
iptables-restore-translate -f /etc/iptables/rules.v4 > /etc/iptables/ruleset.nft
ip6tables-restore-translate -f /etc/iptables/rules.v6 > /etc/iptables/ruleset6.nft
netfilter-persistent
Oddly enough the only place I could find an nft plugin was here:
curl https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/usr.share.netfilter-persistent.plugins.d.15-nft -o /usr/share/netfilter-persistent/plugins.d/15-nft
fail2ban
Make f2b use nft. From https://wiki.meurisse.org/wiki/Fail2Ban:
- edit ‘/etc/fail2ban/jail.local.conf’:
  banaction = nftables-multiport
- add to ‘/etc/nftables.conf’:
  include "/etc/fail2ban.conf"
- create ‘/etc/fail2ban.conf’:
  #!/usr/sbin/nft -f
  # Use ip as fail2ban doesn't support ipv6 yet
  table ip fail2ban {
      chain input {
          # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
          type filter hook input priority 100;
      }
  }
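To show where the include from the fail2ban steps sits in relation to the main ruleset, here is a complete minimal /etc/nftables.conf. It is an added example, not the wiki's or this post's configuration; the allowed ports and the default-drop policy are assumptions for a small host.

```nft
#!/usr/sbin/nft -f
# Added example of a minimal nftables.conf; port list and policy are assumptions.
flush ruleset

table inet filter {
    chain input {
        # priority 0 runs before fail2ban's chain at priority 100
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport { 22, 80, 443 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# fail2ban's own table (priority 100) is evaluated after the chain above.
# An accept here does not end processing on the hook, so bans still apply.
include "/etc/fail2ban.conf"
```

Two things to keep in mind: the lower the priority number, the earlier the base chain runs on a hook, so the fail2ban chain at 100 is evaluated after the filter chain at 0, and an accept in the filter chain still lets the fail2ban chain reject the packet. And because this file starts with flush ruleset, reloading it (nft -f or systemctl reload nftables) also wipes the rules fail2ban added at runtime, so run fail2ban-client reload afterwards to re-apply the current bans.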