Author Archives: jonas - Page 5

How to disable dnsmasq on Ubuntu-based distributions

dnsmasq is a lightweight DNS, TFTP, PXE, router advertisement and DHCP server. It is intended to provide coupled DNS and DHCP service to a LAN.
From time to time dnsmasq decided to resolve some hosts over a VPN tunnel to their external IP address instead of the internal one. This was quite annoying... After digging a little bit I found that the root cause of all my VPN heartache was the dnsmasq daemon controlling my DNS and, related to it, NetworkManager. Ok, so how can we disable dnsmasq?!

[codesyntax lang="bash"]

vim /etc/NetworkManager/NetworkManager.conf
:%s/dns=dnsmasq/#dns=dnsmasq/g
:wq

[/codesyntax]

Ta-da! No more problems! We're all set!

How to list loaded Linux module parameter values

Well, at some point you might need this. So, how do you do this?

[codesyntax lang="bash"]

# For every loaded module, print each parameter found under
# /sys/module/<module>/parameters together with its current value
while read -r module _; do
  echo "Module: $module"
  if [ -d "/sys/module/$module/parameters" ]; then
    ls "/sys/module/$module/parameters/" | while read -r parameter; do
      echo -n "Parameter: $parameter --> "
      cat "/sys/module/$module/parameters/$parameter"
    done
  fi
  echo
done < /proc/modules

[/codesyntax]

Wasn't that hard, right?!

VMware modules, Ubuntu 14.04 & kernel 3.13

After many years of using Debian, I decided to give Ubuntu 14.04 a shot... One of the many problems I encountered was the installation of VMware. Well, everything went fine except for the kernel modules... Ok, long story short, here's the patch:

[codesyntax lang="bash"]

vim ~/vmnet313.patch

[/codesyntax]

205a206
> #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 13, 0)
206a208,210
> #else
> VNetFilterHookFn(const struct nf_hook_ops *ops,        // IN:
> #endif
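
Review bot: hunk 206a208,210 shows only the first line of the 3.13 prototype ("VNetFilterHookFn(const struct nf_hook_ops *ops,        // IN:"), so the diff alone does not let a reviewer confirm that the remaining parameters close out the declaration in step with the pre-3.13 one kept on the original line 206. Both "a" hunks also carry no old text, so patch has nothing to match against and will insert them at lines 205 and 206 even if VMware ships a filter.c whose lines have shifted; regenerating this as a unified diff (diff -u) with context lines addresses both points.
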
255c259,263
<    transmit = (hooknum == VMW_NF_INET_POST_ROUTING);
---
>    #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 13, 0)
>       transmit = (hooknum == VMW_NF_INET_POST_ROUTING);
>    #else
>       transmit = (ops->hooknum == VMW_NF_INET_POST_ROUTING);
>    #endif

[codesyntax lang="bash"]

:wq

[/codesyntax]

[codesyntax lang="bash"]

# Change directory into the vmware module source directory
cd /usr/lib/vmware/modules/source
# untar the vmnet modules
tar -xvf vmnet.tar
# apply the patch you saved earlier
patch vmnet-only/filter.c < ~/vmnet313.patch
# re-tar the modules
tar -uvf vmnet.tar vmnet-only
# delete the previous working directory
rm -r vmnet-only
# just run the GUI app
vmware

[/codesyntax]

There you go!

Editing calendar permissions in Office 365 with PowerShell

After adding a new user to Office 365, the user has to be allowed to read/write some shared calendars within the organization.

First of all, you will need to connect to Office 365.

Add permission to the calendar

[codesyntax lang="powershell"]

Add-MailboxFolderPermission calendar@company.com:\Calendar -User dude@company.com -AccessRights Author

[/codesyntax]

Note: AccessRights can be: Owner, PublishingEditor, Editor, PublishingAuthor, Author, NonEditingAuthor, Reviewer, Contributor, AvailabilityOnly, LimitedDetails

Get permissions for a specific user

[codesyntax lang="powershell"]

Get-MailboxFolderPermission -Identity calendar@company.com:\Calendar -User dude@company.com

[/codesyntax]

To remove permissions for a specific user:

[codesyntax lang="powershell"]

Remove-MailboxFolderPermission -Identity calendar@company.com:\Calendar -User dude@company.com

[/codesyntax]

UPDATE:

What if you need to change the calendar permissions for all users within your organization?!

[codesyntax lang="powershell"]

$allmailbox = Get-Mailbox -ResultSize Unlimited

foreach ($Mailbox in $allmailbox)
{
    # The calendar folder name is localized, so look it up by folder type instead of assuming "Calendar"
    $calendar = Get-MailboxFolderStatistics $Mailbox.Alias | Where-Object { $_.FolderType -eq "Calendar" } | Select-Object -First 1
    $path = $Mailbox.Alias + ":\" + $calendar.Name
    Set-MailboxFolderPermission -Identity $path -User Default -AccessRights AvailabilityOnly
}

[/codesyntax]

How to add an Out of Office message in Office 365 using PowerShell

I know it's a simple task to do from OWA, but if you want to add an Out of Office message for another user, you would have to reset their password, log in to OWA and set up the message there. I didn't want to reset the user's password. So, after connecting to Office 365, use the following commands:

[codesyntax lang="powershell"]

Set-MailboxAutoReplyConfiguration -Identity user@example.com -AutoReplyState Enabled -ExternalMessage "message with whatever autoreply" -InternalMessage "internal something autoreply"

[/codesyntax]

How do I disable this?

[codesyntax lang="powershell"]

Set-MailboxAutoReplyConfiguration -Identity user@example.com -AutoReplyState Disabled

[/codesyntax]

How to deal with "RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)" problem

If you see "[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)" in your Apache error.log, it means the certificate you are serving as your SSL certificate was created as a CA certificate, i.e. one intended to sign other certificates. Whether that happens depends on how you created the certificate.

But how can we solve this problem?!

1. Generate private key and certificate signing request

[codesyntax lang="bash"]

openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
openssl rsa -passin pass:x -in server.pass.key -out server.key
rm server.pass.key
openssl req -new -key server.key -out server.csr

[/codesyntax]

Note: when the openssl req command asks for a “challenge password”, just press return, leaving the password empty.

2. Generate SSL certificate

[codesyntax lang="bash"]

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

[/codesyntax]
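
As an added check, not from the original post: the script below reproduces both ways of making a self-signed certificate and inspects each result for the CA:TRUE basic constraint that triggers the Apache warning. It assumes only the openssl CLI; the config stanza and the names www.example.test, ca_style.* and server.* are constructed for the example.

```bash
#!/bin/sh
# Added example (not from the original post): tell a CA-flavoured certificate apart
# from a plain server certificate, reproducing both ways of creating one.
set -eu

# Returns 0 when the certificate carries "basicConstraints CA:TRUE", which is
# exactly what Apache complains about; 1 otherwise.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# The mistake: a one-step "openssl req -x509" picks up the v3_ca extensions that the
# stock openssl.cnf attaches to self-signed requests. The config below is a
# constructed minimal copy of that stanza so the result does not depend on the
# system's openssl.cnf.
make_ca_style_cert() {
    cat > "$1/ca_style.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = www.example.test
[ v3_ca ]
basicConstraints = critical,CA:true
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca_style.cnf" \
        -keyout "$1/ca_style.key" -out "$1/ca_style.crt" 2>/dev/null
}

# The fix from the post: key and CSR first, then "x509 -req -signkey", which adds
# no CA extension.
make_server_cert() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -subj '/CN=www.example.test' \
        -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/server.csr" -signkey "$1/server.key" \
        -out "$1/server.crt" 2>/dev/null
}

# Demo: build both certificates in a scratch directory and report on each.
work=$(mktemp -d)
make_ca_style_cert "$work"
make_server_cert "$work"
for name in ca_style server; do
    if is_ca_cert "$work/$name.crt"; then
        echo "$name.crt: BasicConstraints CA:TRUE, Apache will warn"
    else
        echo "$name.crt: no CA flag, usable as the server certificate"
    fi
done
rm -rf "$work"
```

Run is_ca_cert against the certificate Apache actually loads (the SSLCertificateFile path) to confirm the fix took before restarting the server.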

Set up port knocking with knockd and iptables

This document describes a stealth method to externally open ports that, by default, are kept closed by the firewall.

Server side

1. Install knockd

[codesyntax lang="bash"]

apt-get install knockd

[/codesyntax]

2. Configure knockd

[codesyntax lang="bash"]

vim /etc/knockd.conf

[options]
        UseSyslog

[OpenClosePort]
        sequence    = 2123:udp,3543:tcp,6454:udp
        seq_timeout = 5
        Start_Command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport PORT -j ACCEPT
        tcpflags    = syn
        Cmd_timeout = 3600
        Stop_Command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport PORT -j ACCEPT

:wq

[/codesyntax]

Notes:

  • sequence - the knock sequence required to open the desired port
  • seq_timeout - time to wait for a sequence to complete
  • Start_Command - command executed when a client sends the correct knock sequence
  • Stop_Command - command executed once Cmd_timeout seconds have passed since Start_Command ran
  • Cmd_timeout - time to wait between Start_Command and Stop_Command, in seconds
  • PORT - placeholder for the port to be opened; replace it with the real port number
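
A defender-side companion, added here and not part of the original post: once UseSyslog is on, knockd writes one syslog line per correct knock ("<ip>: <section>: Stage N"), one when a sequence completes ("<ip>: <section>: OPEN SESAME") and one for each command it runs, so a client that keeps reaching Stage 1 without ever opening the door is sweeping your ports. The sample lines below are constructed (with PORT set to 22), the log format is knockd's as I know it and should be checked against your own syslog, and the section name matches the OpenClosePort stanza above.

```bash
#!/bin/sh
# Added example (not from the original post): summarise knockd's syslog output so
# that port sweeps stand out from legitimate knocks.
# Assumed log format (verify against your syslog): with UseSyslog knockd writes
#   "<ip>: <section>: Stage N"        one per correct knock in the sequence
#   "<ip>: <section>: OPEN SESAME"    when the whole sequence arrived in time
#   "<section>: running command: ..." for Start_Command / Stop_Command

# Constructed sample syslog excerpt for the OpenClosePort section, PORT = 22.
# 203.0.113.7 completes the sequence; 198.51.100.9 only ever hits the first port.
SAMPLE_LOG='Mar  3 10:00:01 vpn knockd: 203.0.113.7: OpenClosePort: Stage 1
Mar  3 10:00:01 vpn knockd: 203.0.113.7: OpenClosePort: Stage 2
Mar  3 10:00:02 vpn knockd: 203.0.113.7: OpenClosePort: Stage 3
Mar  3 10:00:02 vpn knockd: 203.0.113.7: OpenClosePort: OPEN SESAME
Mar  3 10:00:02 vpn knockd: OpenClosePort: running command: /sbin/iptables -I INPUT -s 203.0.113.7 -p tcp --dport 22 -j ACCEPT
Mar  3 10:05:13 vpn knockd: 198.51.100.9: OpenClosePort: Stage 1
Mar  3 10:05:19 vpn knockd: 198.51.100.9: OpenClosePort: Stage 1
Mar  3 10:07:44 vpn knockd: 198.51.100.9: OpenClosePort: Stage 1
Mar  3 11:00:02 vpn knockd: OpenClosePort: running command: /sbin/iptables -D INPUT -s 203.0.113.7 -p tcp --dport 22 -j ACCEPT'

# One line per client: "<ip> <completed sequences> <first-stage knocks>".
knock_summary() {
    printf '%s\n' "$1" | awk '
        / knockd: [0-9.]+: / {
            ip = $6; sub(/:$/, "", ip)
            if ($0 ~ /OPEN SESAME$/)   opens[ip]++
            else if ($0 ~ /Stage 1$/)  stage1[ip]++
            seen[ip] = 1
        }
        END { for (ip in seen) printf "%s %d %d\n", ip, opens[ip] + 0, stage1[ip] + 0 }
    ' | sort
}

# Clients that started the sequence at least $2 times and never completed it.
suspicious_knockers() {
    knock_summary "$1" | awk -v min="$2" '$2 == 0 && $3 >= min { print $1 }'
}

# Demo run on the constructed sample.
knock_summary "$SAMPLE_LOG"
echo "probing without ever opening the port (>= 3 tries):"
suspicious_knockers "$SAMPLE_LOG" 3
```

On a real host feed it the knockd lines from /var/log/syslog, e.g. knock_summary "$(grep ' knockd: ' /var/log/syslog)".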

3. Enable knockd

[codesyntax lang="bash"]

vim /etc/default/knockd

:%s/START_KNOCKD=0/START_KNOCKD=1/g
:%s/#KNOCKD_OPTS="-i eth1"/KNOCKD_OPTS="-i eth0"/g
:wq

[/codesyntax]

4. Start knockd

[codesyntax lang="bash"]

/etc/init.d/knockd restart

[/codesyntax]

Client side

1. Knock the port

[codesyntax lang="bash"]

nmap -Pn --host_timeout 201 --max-retries 0 -sU -p 2123 host
nmap -Pn --host_timeout 201 --max-retries 0 -p 3543 host
nmap -Pn --host_timeout 201 --max-retries 0 -sU -p 6454 host

[/codesyntax]

2. Check if the port is open

[codesyntax lang="bash"]

telnet host PORT

[/codesyntax]

How to enable syntax highlighting in less

I wanted syntax highlighting for a PHP file I was debugging. Source-highlight, given a source file, produces a document with syntax highlighting.

These are the output formats already supported:

  • HTML
  • XHTML
  • LATEX
  • MediaWiki (new)
  • ODF (new)
  • TEXINFO
  • ANSI color escape sequences (you can use this feature with less)
  • DocBook

These are the input languages (or input formats) already supported (in alphabetical order):

  • Ada
  • Asm
  • Applescript
  • Awk
  • Autoconf files
  • Bat
  • Bib
  • Bison
  • C/C++
  • C#
  • CakePhp templates
  • Clipper
  • Cobol
  • Configuration files (generic)
  • Caml
  • Changelog
  • Css
  • D
  • Diff
  • Emacs Lisp
  • Erlang
  • errors (compiler output)
  • Flex
  • Fortran
  • GLSL
  • Haskell
  • Haskell literate programming
  • Haxe
  • Html
  • ini files
  • IsLisp (new)
  • Java
  • Javalog
  • Javascript
  • KDE desktop files
  • Latex
  • Ldap files
  • Lilypond (new)
  • Lisp
  • Logtalk
  • Log files
  • lsm files (Linux Software Map)
  • Lua
  • Makefile
  • Manifest
  • M4
  • ML
  • Opa
  • Oz
  • Pascal
  • Perl
  • pkg-config files
  • PHP
  • Po
  • Postscript
  • Prolog
  • Properties files
  • Protobuf (Google's Protocol Buffers)
  • Python
  • R statistics programming language (new)
  • RPM Spec files
  • Ruby
  • Scala
  • Scheme
  • Shell
  • S-Lang
  • Sql
  • T/Foswiki TML markup
  • Tcl
  • Texinfo
  • UPC (unified parallel C)
  • Vala
  • VBscript
  • XML
  • XOrg conf files

Exactly what I needed!

[codesyntax lang="bash"]

apt-get install source-highlight
echo "" >> ~/.bashrc
echo "export LESSOPEN=\"| /usr/share/source-highlight/src-hilite-lesspipe.sh %s\"" >> ~/.bashrc
echo "export LESS=' -R '" >> ~/.bashrc

[/codesyntax]

Note: Be sure this line isn't present in your .bashrc because it will interfere with source-highlight:

[codesyntax lang="bash"]

 [ -x /usr/bin/lesspipe ] && eval "$(lesspipe)"

[/codesyntax]

How to install an OpenVPN system based on user/password authentication with MySQL & day control (libpam-mysql)

This document describes how to install an OpenVPN server with user/password authentication against MySQL and day control using libpam-mysql. This will be a brief but very practical document.

  • Install mysql server

[codesyntax lang="bash"]

apt-get install mysql-server

[/codesyntax]

  • Create a mysql user and a database to be used later

[codesyntax lang="bash"]

mysql -u root -p

[/codesyntax]

CREATE DATABASE openvpn;
USE openvpn;

CREATE USER 'openvpn'@'localhost' IDENTIFIED BY 'lNPg5TAIy82zFpEn';
GRANT ALL PRIVILEGES ON `openvpn`.* TO 'openvpn'@'localhost';
FLUSH PRIVILEGES;

CREATE TABLE IF NOT EXISTS `user` (
    `user_id` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
    `user_pass` varchar(32) COLLATE utf8_unicode_ci NOT NULL DEFAULT '1234',
    `user_mail` varchar(64) COLLATE utf8_unicode_ci DEFAULT NULL,
    `user_phone` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
    `user_start_date` date NOT NULL,
    `user_end_date` date NOT NULL,
    `user_online` enum('yes','no') NOT NULL DEFAULT 'no',
    `user_enable` enum('yes','no') NOT NULL DEFAULT 'yes',
PRIMARY KEY (`user_id`),
KEY `user_pass` (`user_pass`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

CREATE TABLE IF NOT EXISTS `log` (
    `log_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
    `user_id` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
    `log_trusted_ip` varchar(32) COLLATE utf8_unicode_ci DEFAULT NULL,
    `log_trusted_port` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
    `log_remote_ip` varchar(32) COLLATE utf8_unicode_ci DEFAULT NULL,
    `log_remote_port` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
    `log_start_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
    `log_end_time` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
    `log_received` float NOT NULL DEFAULT '0',
    `log_send` float NOT NULL DEFAULT '0',
PRIMARY KEY (`log_id`),
KEY `user_id` (`user_id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

\q

  • Install OpenVPN

[codesyntax lang="bash"]

apt-get install openvpn

[/codesyntax]

  • Generate keys

[codesyntax lang="bash"]

apt-get install openssl

cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/.
cd /etc/openvpn/easy-rsa/2.0/
sed -i -e 's/--interact //g' build-key

# search and replace the following values in /etc/openvpn/easy-rsa/2.0/vars
vim vars

[/codesyntax]

export KEY_SIZE=2048

export KEY_COUNTRY="SE"
export KEY_PROVINCE="SE"
export KEY_CITY="STOCKHOLM"
export KEY_ORG="Company Name"
export KEY_EMAIL="email@example.org"
export KEY_CN=vpn.example.org
export KEY_NAME=operations
export KEY_OU=operations
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234

[codesyntax lang="bash"]

:wq

sed -i -e 's/unique_subject = yes/unique_subject = no/g' /etc/openvpn/easy-rsa/2.0/keys/index.txt.attr

source ./vars
./clean-all
./build-ca
./build-key-server vpn.example.org
./build-dh
cp -a keys /etc/openvpn/.

[/codesyntax]

  • Install libpam-mysql and setup pam authentication based on it

[codesyntax lang="bash"]

apt-get install libpam-mysql
vim /etc/pam.d/openvpn

[/codesyntax]

auth sufficient pam_mysql.so user=openvpn passwd=lNPg5TAIy82zFpEn host=localhost db=openvpn [table=user] usercolumn=user.user_id passwdcolumn=user.user_pass [where=user.user_enable=1 AND user.user_start_date!=user.user_end_date AND TO_DAYS(now()) >= TO_DAYS(user.user_start_date) AND (TO_DAYS(now()) <= TO_DAYS(user.user_end_date) OR user.user_end_date='0000-00-00')] sqllog=0 crypt=0

account required pam_mysql.so user=openvpn passwd=lNPg5TAIy82zFpEn host=localhost db=openvpn [table=user] usercolumn=user.user_id passwdcolumn=user.user_pass [where=user.user_enable=1 AND user.user_start_date!=user.user_end_date AND TO_DAYS(now()) >= TO_DAYS(user.user_start_date) AND (TO_DAYS(now()) <= TO_DAYS(user.user_end_date) OR user.user_end_date='0000-00-00')] sqllog=0 crypt=0

[codesyntax lang="bash"]

:wq

[/codesyntax]

  • Create scripts to log OpenVPN access activity

[codesyntax lang="bash"]

mkdir /etc/openvpn/scripts/ && cd $_

vim /etc/openvpn/scripts/config.sh

[/codesyntax]

#!/bin/bash
##Database server
HOST='127.0.0.1'
#Default port = 3306
PORT='3306'
#Username
USER='openvpn'
#Password
PASS='lNPg5TAIy82zFpEn'
#database name
DB='openvpn'

[codesyntax lang="bash"]

:wq

[/codesyntax]

[codesyntax lang="bash"]

vim /etc/openvpn/scripts/connect.sh

[/codesyntax]

#!/bin/bash
. /etc/openvpn/scripts/config.sh
##insert data connection to table log
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "INSERT INTO log (log_id,user_id,log_trusted_ip,log_trusted_port,log_remote_ip,log_remote_port,log_start_time,log_end_time,log_received,log_send) VALUES(NULL,'$common_name','$trusted_ip','$trusted_port','$ifconfig_pool_remote_ip','$remote_port_1',now(),'0000-00-00 00:00:00','$bytes_received','$bytes_sent')"
##set status online to user connected
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online='yes' WHERE user_id='$common_name'"

[codesyntax lang="bash"]

:wq

[/codesyntax]

[codesyntax lang="bash"]

vim /etc/openvpn/scripts/disconnect.sh

[/codesyntax]

#!/bin/bash
. /etc/openvpn/scripts/config.sh
##set status offline to user disconnected
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online='no' WHERE user_id='$common_name'"
##insert data disconnected to table log
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE log SET log_end_time=now(),log_received='$bytes_received',log_send='$bytes_sent' WHERE log_trusted_ip='$trusted_ip' AND log_trusted_port='$trusted_port' AND user_id='$common_name' AND log_end_time='0000-00-00 00:00:00'"

[codesyntax lang="bash"]

:wq

[/codesyntax]

[codesyntax lang="bash"]

chmod 755 /etc/openvpn/scripts/*.sh

[/codesyntax]
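
An added, hardened variant of connect.sh, not the original post's script: with username-as-common-name, $common_name is whatever the client typed at the login prompt, so splicing it straight into VALUES('$common_name', ...) as above lets an unauthenticated client inject SQL into the log table. The version below validates every field before it touches the statement and makes OpenVPN reject the session when validation fails; it assumes the post's log/user tables and /etc/openvpn/scripts/config.sh.

```bash
#!/bin/sh
# Added example (not from the original post): a client-connect script that validates
# the OpenVPN environment before it ever reaches the SQL string.
# With "username-as-common-name", $common_name is whatever the client typed at the
# login prompt, so VALUES('$common_name', ...) as in the post's connect.sh lets any
# unauthenticated client inject SQL. Assumes the post's log table and config.sh.

# Accept only characters a PAM/MySQL user name legitimately needs.
valid_common_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Dotted-quad IPv4 only, which is what OpenVPN exports in trusted_ip and
# ifconfig_pool_remote_ip for this udp/tun setup.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -le 65535 ] ;;
    esac
}

# Print the INSERT for the log table, or print nothing and fail if any field is
# not well-formed, so the caller can refuse the session.
build_connect_sql() {
    cn=$1 tip=$2 tport=$3 rip=$4 rport=$5
    valid_common_name "$cn" && valid_ipv4 "$tip" && valid_port "$tport" \
        && valid_ipv4 "$rip" && valid_port "$rport" || return 1
    printf "INSERT INTO log (user_id,log_trusted_ip,log_trusted_port,log_remote_ip,log_remote_port,log_start_time) VALUES('%s','%s','%s','%s','%s',now())\n" \
        "$cn" "$tip" "$tport" "$rip" "$rport"
}

# Entry point when OpenVPN runs this script: a non-zero exit from client-connect
# makes the server reject the client, so a bad field never reaches MySQL.
if [ -n "${common_name:-}" ]; then
    . /etc/openvpn/scripts/config.sh
    sql=$(build_connect_sql "$common_name" "$trusted_ip" "$trusted_port" \
        "$ifconfig_pool_remote_ip" "${remote_port_1:-0}") || exit 1
    # MYSQL_PWD keeps the password out of the process list that -p$PASS exposes.
    MYSQL_PWD="$PASS" mysql -h"$HOST" -P"$PORT" -u"$USER" "$DB" -e "$sql" || exit 1
    MYSQL_PWD="$PASS" mysql -h"$HOST" -P"$PORT" -u"$USER" "$DB" \
        -e "UPDATE user SET user_online='yes' WHERE user_id='$common_name'" || exit 1
fi
```

disconnect.sh needs the same treatment, since it interpolates the same variables into its UPDATE statements.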

  • Create the password file for accessing the OpenVPN management interface via telnet

[codesyntax lang="bash"]

echo "wYYoFlaQa8nGQoO8" > /etc/openvpn/pw-management-file
chmod 600 /etc/openvpn/pw-management-file

[/codesyntax]

  • Configure OpenVPN

[codesyntax lang="bash"]

vim /etc/openvpn/vpn.example.org.conf

[/codesyntax]

##general settings
port 1194
proto udp
dev tun

##keys
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn.example.org.crt
key /etc/openvpn/keys/vpn.example.org.key
dh /etc/openvpn/keys/dh2048.pem

##FIXME: ip for the clients
server 10.0.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
##FIXME: routes pushed to the client
push "route 172.16.1.0 255.255.255.0"
push "route 10.0.0.0 255.0.0.0"
push "route 195.248.229.19 255.255.255.255"

##Auth
comp-lzo
user nobody
#group nogroup
client-to-client
#client-cert-not-required
username-as-common-name

##user/pass auth from mysql
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

##script connect-disconnect
script-security 3 system
client-connect /etc/openvpn/scripts/connect.sh
client-disconnect /etc/openvpn/scripts/disconnect.sh

##management
management localhost 1194 pw-management-file

keepalive 10 120
persist-key
persist-tun
status status.log
verb 3

[codesyntax lang="bash"]

:wq

[/codesyntax]

  • Start OpenVPN

[codesyntax lang="bash"]

/etc/init.d/openvpn start

[/codesyntax]

Note: I also created a script to manage OpenVPN users. If you would like to have it, please post a comment.
Note 2: feel free to use my user management script! I am pretty sure it has a lot of bugs and things to improve!!! Use it at your own risk!

Segmented file transfer over ssh

Many people would ask: why don't you use rsync? rsync is indeed a wonderful little tool with a lot of features, but it doesn't support segmented file transfer. There are plenty of applications that handle segmented transfers over FTP or HTTP; one of them is prozilla. But, like rsync, prozilla doesn't support SFTP. So, how can we handle this? The answer has four letters: lftp. Quote from the lftp man page:

Gets the specified file using several connections. This can speed up transfer, but loads the net and server heavily impacting other users. Use only if you really have to transfer the file ASAP.

[codesyntax lang="bash"]

lftp sftp://user[:password]@host.ro[:port] -e "mirror -c --parallel=5 --use-pget-n=5 \"/path/to/folder/\""

[/codesyntax]

Very simple and effective, right?

(Very) Later edit:

[codesyntax lang="bash"]

echo 'set sftp:connect-program "ssh -a -x -i /full/path/to/the/ssh/private/key"' | tee ~/.lftprc
lftp -u user,xxx sftp://host.ro:6646 -e "mirror -c --parallel=10 --use-pget-n=10 \"/path/to/folder/\"; quit"

[/codesyntax]

Where:

  • user is your username on the system you connect to
  • xxx is just a junk password