Stokkeland Stuff to Remember

This page was created just to keep notes for myself - things to remember - some of it is old and irrelevant now, and perhaps some pieces are even wrong...

Ubuntu/Linux bridging to sniff / packet capture within a VMware host

Not the best heading - the scenario is I was troubleshooting some data passing through an F5 BigIP LTM (Virtual Appliance), so I wanted to set up something to do packet sniffing as well as firewalling/packet interception transparently on both sides.

This is easy enough, you just need a VM with 4 extra NICs, 2 on each bridge, and a couple of isolated vSwitches - the problem was I couldn't get it to pass traffic. If I assigned a local IP it worked fine, but any packets that had to go across the bridge didn't - it took me nearly an hour to figure it out, therefore I figured I would post it here.

The fix - set Promiscuous Mode to Accept on all port groups (or vSwitches) connected to a bridge. The default VMware/ESX setting is Reject - you have to change that to Accept, otherwise the bridge never sees the traffic (the bridge member NICs carry no IP or MAC of interest of their own, so with Reject the vSwitch only hands them frames addressed to their own MAC). Accepting promiscuous mode lets every VM on that port group see all of its traffic, so keep those port groups isolated to the sniffing VM's NICs.

A couple of people asked me about the bridge setup for Ubuntu/Debian - that info is all over the internet, but anyway, here is my /etc/network/interfaces on a VM with 5 NICs.

auto lo
iface lo inet loopback

# vm management/console
auto eth0
iface eth0 inet static
    address 192.168.88.88
    netmask 255.255.255.0
    # note: the gateway as written here is the host's own address, which will not
    # route anywhere - put your real router's IP here
    gateway 192.168.88.88
    dns-nameservers 192.168.88.2 192.168.88.3

# the four sniffing NICs get no IP of their own, they are only bridge members
iface eth1 inet manual
iface eth2 inet manual
iface eth3 inet manual
iface eth4 inet manual

# bridge 1: eth1 <-> eth2, one side of the LTM
auto br0
iface br0 inet manual
    bridge_ports eth1 eth2

# bridge 2: eth3 <-> eth4, the other side of the LTM
auto br1
iface br1 inet manual
    bridge_ports eth3 eth4

and don't forget to install the bridge tools (and ebtables if you want to filter at layer 2):

apt-get install bridge-utils ebtables

Ubuntu/Linux KVM virtualization Windows 7 Guest - virt-install and virsh

General virsh stuff
  • list running VMs: virsh list
  • list all VMs, including stopped ones: virsh list --all
  • kill a running VM (hard power-off, not a clean shutdown): virsh destroy vmname
  • remove a VM definition (the disk image is left in place): virsh undefine vmname
Create a Windows 7 VM; note the --video option, it may be needed, especially if the VM boot gets stuck on "Starting Windows..."
virt-install -n vmname -r 4096 \
  -c /path/to/media/iso/windows_7.iso \
  --disk path=/path/to/vm/vmname.sysvol \
  --vcpus 4 \
  --video=cirrus \
  --network bridge=br0 \
  --os-type windows --os-variant win7 --accelerate --noautoconsole \
  --vnc --vnclisten=0.0.0.0
This assumes you want to use a file for the disk; of course you need to create vmname.sysvol with fallocate or similar first, and you need the Windows 7 boot media ISO. Connect to your host system with VNC (the original TightVNC viewer 1.3 works fine, the newer RealVNC viewer crashes); if you only have one VM you connect to ip:5900, e.g. 1.1.1.1:5900, but the port increments as you add VMs. Note that --vnclisten=0.0.0.0 makes the console reachable from any network the host is on; bind it to 127.0.0.1 and tunnel over SSH unless the host sits on an isolated management network.

Vim / gVim - quickly fixing line endings dos/unix/mac CR LF

This is from http://vim.wikia.com/wiki/File_format which has all the details; for me it is usually about getting a file from Mac or Linux to DOS/Win, or sometimes from DOS to Linux.

Make it DOS (CRLF):

  • :update
  • :e ++ff=dos
  • :w

Make it Unix (LF) - re-read the file as DOS first so the CRs are stripped, then switch the format and write (reading it with ++ff=unix would leave every ^M in place):

  • :update
  • :e ++ff=dos
  • :setlocal ff=unix
  • :w


OpenSSL Stuff

Check out https://www.sslshopper.com/article-most-common-openssl-commands.html

Get PEM from pfx/p12 (first the cert, then the key; -nodes writes the key out unencrypted)

openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys
openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes

Create P12 from PEM

openssl pkcs12 -export -in mycertandbundle.pem -inkey my.key -out mycertbundle.p12

Tomcat / Java keystore - import key and cert (SSL)

Battling with Tomcat and certificates - the GoDaddy G2 SHA2 certificate specifically causes headaches.
The information at http://support.godaddy.com/help/article/5239/generating-a-csr-and-installing-an-ssl-certificate-in-tomcat-4x5x6x is/was wrong.
You can find your intermediates at https://certs.godaddy.com/anonymous/repository.pki
From GoDaddy download the Tomcat bundle (this gives you the correct file) - the cert file itself in this example is named mycert.crt, the private key is just named my.key, and the new keystore generated is mytomcat.keystore.
This was amended October 2016 - found the minimum/correct way basically (no need for aliased entries).
Overview:
- Have your key, cert and intermediate files in PEM format
- Put root and intermediate certs all in one file (gd_bundle-g2-g1.crt is GoDaddy's for the G1/G2 cross, SHA2)
- Add your own issued cert to the bottom of the same file
- Create a P12 file from that
- Create a keystore file from the P12
cat gd_bundle-g2-g1.crt > mycertandbundle.pem
cat mycert.crt >> mycertandbundle.pem
openssl pkcs12 -export -in mycertandbundle.pem -inkey my.key -out mycertbundle.p12
keytool -importkeystore -destkeystore mytomcat.keystore -srckeystore mycertbundle.p12 -srcstoretype PKCS12
Now your keystore should be fully usable. (openssl picks the cert that matches my.key out of the bundle and stores the remaining certs as its chain, so the order inside mycertandbundle.pem does not matter.)

Citrix Netscaler certs need DER

If you try to import certs to a NetScaler and it keeps telling you the private key is wrong, chances are you need to convert your PEM to DER:
openssl x509 -outform der -in cert.pem -out cert.der
openssl rsa -outform der -in key.pem -out key.der


Linux Misc things

Quickly get contents of a web page to stdout:  wget -q -O - http://url

Ubuntu quick everything Samba Share

This is completely unsafe and a very bad thing to do - it should never be used for anything on any production or internet or network facing system. I use this myself in development, when I spin up a new box to do some testing for a bit, a box to be thrown out later. If you do this to a system that could be exposed to anything, your system will be taken over/compromised within milliseconds, so be warned, DO NOT DO THIS!
The details are likely more than needed, just what I did and now copy-paste when I need it.
sudo apt-get install samba
edit /etc/samba/smb.conf
in [global] add
    netbios name = something
    load printers = no
    printing = bsd
    printcap name = /dev/null
    socket options = TCP_NODELAY
possibly add this if you are brave
    wins server = n.n.n.n
change to
    unix password sync = no
Delete any sections other than [global] (such as the printer stuff)
add your new section(s), something like this (guest ok = Yes together with force user = root is what makes it so unsafe: anyone who can reach the box writes into that path as root)
[myshare]
    path = /my/share/loc
    read only = No
    guest ok = Yes
    create mask = 0644
    force user = root

Ubuntu 16 LTS - Samba Domain Member.

Ubuntu 12.04 LTS  Samba and SSH AD Integrated Domain Member (Likewise-Open) - outdated - see Ubuntu 16 notes

This is not the solution, just a few notes; I had a hell of a time with it, so here are some pointers - as of 10/31/2013

This list may not be exactly what is needed - it's a list of how I got it to work, minus all the failed attempts

  • The Samba 4 package is VERY badly broken - it seems like it is meant to be only a DC, and not a member - installs fail anyway, I stick with Samba 3
  • The Ubuntu package for Likewise-Open is broken, the samba-interop-install does not work
  • install samba (3.6) from the Ubuntu package
  • install likewise-open from BeyondTrust, download the Debian package script and run it with defaults
  • Edit your smb.conf to match your domain stuff, you do NOT need all the crap mentioned in various places, here is mine:

[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.LOCAL
    server string = %h server
    wins server = 192.168.5.5
    dns proxy = no
    log file = /var/log/samba/log.%m
    syslog = 0
    max log size = 1000
    panic action = /usr/share/samba/panic-action %d
    security = ADS
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = no
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user
    usershare allow guests = yes
    machine password timeout = 0

[share]
    comment = My Share
    path = /path/to/share
    browsable = yes
    guest ok = no
    read only = no
    valid users = @MYDOMAIN\adGroupName

  • Restart nmbd and smbd
  • run (domainjoin-cli needs the join subcommand)
      domainjoin-cli join MYDOMAIN.LOCAL yourdomainusername
      lw-ad-cache --delete-all
      samba-interop-install --install
  • Reboot
  • Should work now, for SSH and for Samba.
  • One thing to watch for, from another Windows domain member, try \\1.2.3.4\share instead of the machine name - I still haven't solved that part of it.. please email me if you know what is causing that: stokkeland overat gmail.com




Server 2008 (2008r2 and probably 2012 as well) - File Permission Crap

If you're a sysadmin on Wintendo you probably experienced this - while on Server 2003 and older, permissions were pretty straightforward, set and forget.. well, Server 2008 and UAC crap screwed that up - it doesn't help to add Domain Admins or local admins, you still have to "force" your way in..

I don't know the exact reason, I know it is related to UAC and the ability to use the Domain Admins group - so, the fix is to just create your own domain group, call it "FileServerAdmins" or something, add the domain admin accounts to it, now add this group to the volume security with full permissions, and as long as your directories inherit you should now be doing a lot better. (The mechanism is UAC token filtering: in the non-elevated token, Administrators and the built-in admin groups such as Domain Admins are marked deny-only, while a group you created yourself is not, so its ACEs still apply.)

Bill Gates doesn't seem to have any usable best practices out there so I made my own; perhaps there are reasons this is bad, but I don't know them yet.

A newly attached volume comes with the ability for domain users (via SYSNAME\Users) to create and add junk right from the root - what kind of security principle is this? So here is what I do:

  • Edit volume permissions
    • Change CREATOR OWNER, remove: Full Control, Change Permissions, Take Ownership
    • Change SYSNAME\Users, remove EVERYTHING except: Read permissions
    • Add your file server admin group with Full Control

  • Add a directory to share
  • Change share permissions to Everyone Full Control (the NTFS security permissions below do the real access control)
  • Change security permissions - add the users and groups that need access (NEVER remove inheritance, anywhere - if you have to do that you designed your directory structure wrong).
    • Read-only users only get: Traverse/Execute, List/Read, Read Attributes, Read Extended Attributes, Read Permissions
    • Read-write users get everything except: Full Control, Change Permissions, Take Ownership

  • Use DFS (well, that's just what I do)

If you use the above security settings from the get-go, no one but admins can change permissions and screw things up, and your file server admins can get into folders without clicking the "continue" button (and waiting for hours if the structure is large)..



SSH Key Exchange Debian and derivatives

on your client:
    ssh-keygen
    ssh-copy-id user@otherhost

where otherhost is the target you want to log into without a password prompt (if you gave the key an empty passphrase at ssh-keygen the login is fully non-interactive; such a key is protected only by the file permissions on the client, so prefer a passphrase plus ssh-agent on any client that matters).

Adobe Acrobat

I don't know what versions I used before, possibly 7 or 8 - where I could do stuff just fine, add text boxes, remove the stupid box around it, the background fill, and change the text color.. well, I started doing it on version X, or 10 as sane people would call it, and now you can't with the menu or right-click, which is VERY annoying and sucky.

Anyway, to do that, highlight the text (not the object, just the text), then hit Ctrl+E; now you can change text color and size and such...

OpenSSL commands for SSL Certs (RSA/X509)

.pem is just the Base64 text encoding; a .pem file often holds both key and cert in one file.

Generate Private Key (skip -des3 for an unencrypted key; 1024 was the norm when this was written, use 2048 or more now)

  openssl genrsa -des3 -out keyfile 1024

Generate CSR (Common Name is the domain name!)

  openssl req -new -key keyfile -out csrfile

Generate self-signed cert

  openssl x509 -req -days 360 -in csrfile -signkey keyfile -out certfile

Remove encryption from a key (prints the plain key to stdout; add -out plainkeyfile to write it to a file)

  openssl rsa -in keyfile

Verify that a cert and key have the same modulus (the two hashes must be identical)

  openssl x509 -noout -modulus -in certfile | openssl md5

  openssl rsa -noout -modulus -in keyfile | openssl md5


Need to use a key/cert on IIS? For whatever reason Bill Gates makes this hard - here is how I did it on IIS7:
  Export as a PKCS#12: openssl pkcs12 -export -in hoyt.dom.cert -inkey hoyt.dom.key -out hoyt.dom.p12
  You can set a password when it asks, probably a good idea (the .p12 contains the private key)
  Transfer the p12 file to the Windows machine; in IIS7, click on the server name (root of the tree) on the left, then Server Certificates on the right, import the cert - now you can choose this cert under Bindings for the web site object.
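The commands above chained together, as an added example that is not part of the original notes: it assumes only the openssl command line, generates an encrypted key (AES-256 rather than the -des3 above), strips the encryption, makes a CSR and a self-signed cert, exports them to a PKCS#12 as you would for IIS or the Tomcat keystore, pulls cert and key back out of the .p12, and uses the modulus comparison to confirm that cert and key still belong together (and that an unrelated key does not). All file names and the password are constructed scratch values.

```shell
#!/bin/sh
# Added example, not from the original notes: encrypted key -> plain key -> CSR ->
# self-signed cert -> PKCS#12 -> back to PEM, with a modulus check at each end.
# Assumes only the openssl CLI; file names and the password are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="pass:constructed-example-password"   # constructed; never reuse for real keys

# MD5 of the public modulus of an X.509 cert ($1=x509) or an RSA key ($1=rsa).
modulus_md5() {
    openssl "$1" -noout -modulus -in "$2" | openssl md5
}

# Exit status 0 when the cert in $1 was made for the private key in $2.
cert_key_match() {
    [ "$(modulus_md5 x509 "$1")" = "$(modulus_md5 rsa "$2")" ]
}

# Encrypted key (AES-256 here instead of the notes' -des3), a decrypted copy,
# a CSR whose CN is the host name, and a self-signed cert from that CSR.
make_key_and_cert() {
    openssl genrsa -aes256 -passout "$PASS" -out "$WORK/enc.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/enc.key" -passin "$PASS" -out "$WORK/plain.key" 2>/dev/null
    openssl req -new -key "$WORK/plain.key" -subj "/CN=host.example" -out "$WORK/host.csr"
    openssl x509 -req -days 360 -in "$WORK/host.csr" -signkey "$WORK/plain.key" \
        -out "$WORK/host.crt" 2>/dev/null
}

# Bundle cert+key into a PKCS#12 (what IIS or keytool import), then extract both again.
p12_roundtrip() {
    openssl pkcs12 -export -in "$WORK/host.crt" -inkey "$WORK/plain.key" \
        -out "$WORK/host.p12" -passout "$PASS"
    openssl pkcs12 -in "$WORK/host.p12" -passin "$PASS" -clcerts -nokeys -out "$WORK/back.crt.pem"
    openssl pkcs12 -in "$WORK/host.p12" -passin "$PASS" -nocerts -nodes -out "$WORK/back.key.pem"
}

# A key that has nothing to do with the cert, to show the check really fails.
make_unrelated_key() {
    openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
}

make_key_and_cert
p12_roundtrip
make_unrelated_key
cert_key_match "$WORK/host.crt" "$WORK/plain.key" && echo "original cert/key: match"
cert_key_match "$WORK/back.crt.pem" "$WORK/back.key.pem" && echo "after p12 round trip: match"
cert_key_match "$WORK/host.crt" "$WORK/other.key" || echo "unrelated key: mismatch (expected)"
```

The modulus check is the one to keep handy: when a NetScaler, IIS or keytool import says "the private key is wrong", running cert_key_match on the PEM pair tells you in a second whether the files really belong together or whether the problem is only the container format.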


Create your own CA and sign a request (issue cert) - e.g. for Dell iDrac cert issuance

Create the CA. This is of course against any best practices and makes it completely insecure, so never do this or use this for anything that matters. I put the CA key and cert in a separate folder and reference it when signing CSRs.
(To create a CA for real, see the openssl.org web site and info; you don't want to do what I have here in production or for anything that really needs to be secure.) The Common Name for the CA cert must NOT be the same as a domain name or something you will need a cert for; I used "mydomain.com CA" for my CN.

Create the CA key:  openssl genrsa -out ca.key 4096
Create the CA cert: openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

It is VERY important that each cert issued gets a serial that is unique within the CA; I recommend using openssl's serial sequence file for that, as in the example below.

To sign a request (issue a cert), you now need a CSR from somewhere else, e.g. in Dell iDRAC use the web utility to generate a CSR, save that file as e.g. myhost.csr - then do this:

    openssl x509 -req -days 365 -in myhost.csr -out myhost.crt \
        -CA /path/CA/ca.crt -CAkey /path/CA/ca.key -CAcreateserial -CAserial /path/CA/myhost.seq

The .seq file is your serial sequence: -CAcreateserial creates it on first use and every later signing increments it. Use one sequence file for the whole CA rather than one per host, so serials cannot collide between hosts. Now if you happen to upload this .crt file to an iDRAC 6 it may say the upload failed, but it may have worked anyway (as long as you had just generated a CSR; each new cert needs a fresh CSR from the GUI) - give it some time, reload your interface and check what issuer the cert has. What bit me was Firefox's check (v8 and beyond, now v15) that raises sec_error_reused_issuer_and_serial when it sees a certificate with the same issuer and serial as one it already has but with different content - exactly what happens when an iDRAC regenerates its self-signed cert with the same serial, and the iDRAC has no onboard self-sign option to fix it. I had a hell of a time getting Firefox to flush the old certs, and it doesn't tell you which one it is - issuing from my own CA with a proper serial sequence as above fixed it for me...
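The CA flow above as an added example, not the original notes' commands: a throwaway CA that signs two constructed CSRs (standing in for what the iDRAC's CSR button would produce) through a single serial sequence file, then shows that the two serials differ and that both certs verify against the CA. It assumes only the openssl CLI; the CN values, host names and paths are constructed, and the CA uses one ca.seq for all hosts rather than a per-host file.

```shell
#!/bin/sh
# Added example, not from the original notes: a throwaway CA (the kind the notes
# warn is not a real CA) issuing certs from one serial sequence file.
# Assumes only the openssl CLI; CNs, host names and paths are constructed.
set -eu

CADIR=$(mktemp -d)
trap 'rm -rf "$CADIR"' EXIT

# CA key and self-signed CA cert. The CN must not collide with any host name
# you will issue certs for; 2048 bits here only to keep the example quick.
make_ca() {
    openssl genrsa -out "$CADIR/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$CADIR/ca.key" \
        -subj "/CN=example.com CA" -out "$CADIR/ca.crt"
}

# Stand-in for the iDRAC's "generate CSR" button: a host key and a CSR with
# the host name as CN.
make_csr() {  # $1 = host name
    openssl genrsa -out "$CADIR/$1.key" 2048 2>/dev/null
    openssl req -new -key "$CADIR/$1.key" -subj "/CN=$1" -out "$CADIR/$1.csr"
}

# Sign a CSR with the CA. -CAcreateserial creates ca.seq on first use; every
# later signing reads ca.seq, increments it and writes it back, so no two certs
# from this CA share a serial (which is what keeps Firefox from complaining).
issue_cert() {  # $1 = host name
    openssl x509 -req -days 365 -in "$CADIR/$1.csr" -out "$CADIR/$1.crt" \
        -CA "$CADIR/ca.crt" -CAkey "$CADIR/ca.key" \
        -CAcreateserial -CAserial "$CADIR/ca.seq" 2>/dev/null
}

# Serial and issuer of an issued cert as openssl prints them (serial=HEX, issuer=...).
cert_serial() { openssl x509 -noout -serial -in "$1"; }
cert_issuer() { openssl x509 -noout -issuer -in "$1"; }

# What a client checks: does this cert chain to our CA? Exit 0 on success.
verify_against_ca() { openssl verify -CAfile "$CADIR/ca.crt" "$1" >/dev/null; }

make_ca
for host in idrac1.example.com idrac2.example.com; do
    make_csr "$host"
    issue_cert "$host"
    echo "$host: $(cert_serial "$CADIR/$host.crt") $(cert_issuer "$CADIR/$host.crt")"
done
```

To trust these certs, the client (browser, or the machine talking to the iDRAC) needs ca.crt in its trust store; ca.key stays in that separate folder and is only ever read by issue_cert.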

Networking OSPF / CISCO ++

On a router (and perhaps a switch?) - to see console messages (syslog) on a telnet or SSH session:    terminal monitor

As they say in the cisco world - the Light is Not Off


*nix Tips and Tricks

Fixing ^M in files to the correct format (with only newline)

From Bill Gates systems, use vi:   :%s/^M//g

To get the ^M in there hit CTRL+V then Enter (vi then inserts the literal carriage return)

From Macintosh and fruity crap (old Mac files use a bare CR as the line ending):

cat badfile | tr '\015' '\012' > newfile

CVS diff of all changes between tagged revisions:  cvs diff -N -c -r START-TAG -r END-TAG


Quickly create a empty file

A lot of instructions will tell you to use dd, which works, but it is slow - the advantage of course is that every block really gets written (zeroed) - but if you just need a large file as a disk image for a VM or something, use fallocate (the space is reserved and reads back as zeros without being written):

  fallocate -l 15G mydisk.img


Disk and Partition Images

If backing up a physical machine with the hope of quickly throwing the image onto a VM or another physical device, ALWAYS back up the entire disk as well as the individual partitions. If the disk has errors add conv=noerror (commonly paired with sync, as conv=noerror,sync, so unreadable blocks are padded rather than dropped and later partition offsets stay correct).
dd if=/dev/sda of=/some/place/disk.img
dd if=/dev/sda1 of=/some/place/part1.img

To loop mount a partition in an image, first get the offset and bytes-per-sector info:
fdisk -lu disk.img
Your offset will be bytes per sector times the start sector, e.g. for a partition starting at sector 38 with 512-byte sectors:
echo $((512*38))
mount -o loop,offset=19456 disk.img targetdir
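Turning the offset calculation into something reusable, as an added example that is not from the original notes: part_offset is a hypothetical helper that reads fdisk -lu output and prints the byte offset for any partition number, taking the optional Boot column into account (the usual cause of a wrong offset when copying the Start value by eye). The fdisk output embedded below is a constructed sample; its first partition starts at sector 38 and reproduces the 19456 above. It assumes only sh and awk.

```shell
#!/bin/sh
# Added example, not from the original notes. part_offset is a hypothetical
# helper; FDISK_SAMPLE is constructed to look like "fdisk -lu disk.img".
set -eu

FDISK_SAMPLE=$(cat <<'EOF'
Disk disk.img: 16 GiB, 17179869184 bytes, 33554432 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1234abcd

Device     Boot   Start      End  Sectors  Size Id Type
disk.img1  *         38   999423   999386  488M 83 Linux
disk.img2        999424 33554431 32555008 15.5G 8e Linux LVM
EOF
)

# part_offset N  reads fdisk -lu output on stdin and prints the byte offset of
# partition N (logical sector size * start sector). The "*" in the Boot column
# shifts the Start field one to the right, so it is handled explicitly.
# Exits 1 if the partition or the sector size cannot be found.
part_offset() {
    awk -v n="$1" '
        /^Sector size/ { sector = $4 }
        /^Device/      { in_table = 1; next }
        in_table && $1 ~ ("[^0-9]" n "$") {
            start = ($2 == "*") ? $3 : $2
        }
        END {
            if (sector == "" || start == "") exit 1
            printf "%d\n", sector * start
        }'
}

# Demo on the constructed sample; for a real image use: fdisk -lu disk.img | part_offset 2
off1=$(printf '%s\n' "$FDISK_SAMPLE" | part_offset 1)
off2=$(printf '%s\n' "$FDISK_SAMPLE" | part_offset 2)
echo "mount -o loop,offset=$off1 disk.img targetdir   # partition 1"
echo "mount -o loop,offset=$off2 disk.img targetdir   # partition 2"
```

Because the sector size is read from the "Sector size (logical/physical)" line, the same helper gives correct offsets for 4096-byte-sector images; fdisk reports Start in logical sectors, which is what the mount offset needs.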

Match All Files Except (apache htaccess)

I spent some time looking for this and others did too; since there is no "negative string match" in regex it's tricky, but I did eventually find a trick: it's about limiting access to all files except some or one.


# in practice use an absolute path here: a relative AuthUserFile is resolved
# against ServerRoot, not against this directory
AuthUserFile .htpasswd
AuthGroupFile /dev/null
AuthName "Staff"
AuthType Basic

# everything requires a login...
<Files "*">
require valid-user
</Files>
# ...except this one file: "Allow from all" plus "Satisfy any" lets it through
# without credentials (Apache 2.2 syntax; on 2.4 this is "Require all granted")
<Files "filename">
Allow from all
Satisfy any
</Files>

Towing Beer cans behind a boat or canoe

As I was preparing myself mentally for this year's yagottaregatta I was also working on a way to safely string beer cans to keep cool in the water behind the canoe. Searching for this revealed little to nothing, so I figured I would improvise and figure out a method. Unfortunately I did not take pictures of my work, but it turned out pretty well; use the constrictor knot around each can, and a 3 inch piece of duct tape, not over the knot but on the other side just to prevent slipping... you can find tons of web pages showing how the constrictor knot is done, it holds up really well and is easy to tie even if you are hooking it on without the ends.... good luck! :)

Older Stuff probably not very useful anymore (Original Stuff to Remember)

 personal link http://jts.fyi


Copyleft