Subscribe: Machine Room Cacophony
http://secsup.net/index.php/shaded_grey/rss_atom/
Machine Room Cacophony



Loud rambling noise



Modified: 2014-02-17T07:49:33-05:00

Copyright: Copyright (c) 2014, chris
 



Installing nmsg on ubuntu 12.04

2014-02-17T07:49:33-05:00

# git clone the repository
git clone https://github.com/farsightsec/nmsg

# install required dependent packages.
sudo apt-get install libpcap0.8-dev
sudo apt-get install libprotobuf-c0-dev protobuf-c-compiler
sudo apt-get install zlib1g-dev
sudo apt-get install pkg-config

# Add quantal universe packages to /etc/apt/sources.list.d/quantal_universe.list
# Set the default os version to precise:
echo 'APT::Default-Release "precise";' > /etc/apt/apt.conf.d/00release

# run an update to pull down the package files.
apt-get update

# install libxs-dev
sudo apt-get install libxs-dev

# get libwdns
git clone https://github.com/farsightsec/wdns
cd wdns
sh ./autogen.sh
./configure
make
sudo make install

# Configure/make nmsg
# run autogen.sh:
cd ../nmsg
sh ./autogen.sh
./configure
make
sudo make install

# git clone the pynmsg repository
cd ..
git clone https://github.com/farsightsec/pynmsg
cd pynmsg

# install cython from apt: (and python-dev)
sudo apt-get install cython python-dev

# Now, install the nmsg python bindings.
sudo ./setup.py install

# git clone the sie-nmsg modules for install
cd ..
git clone https://github.com/farsightsec/sie-nmsg
cd sie-nmsg
sh ./autogen.sh
./configure
# Replace @PROTOC_C@ in Makefile with /usr/bin/protoc-c

# Finally, mess around with LD_LIBRARY_PATH.. why? :(
# TODO(morrowc): Fix ld-library-path problems in a way that's not /etc/profile.
echo "export LD_LIBRARY_PATH=/usr/lib:/lib:/usr/local/lib" | sudo tee -a /etc/profile

NOTE: This is probably not the best option for install, apparently you could also go the PPA route with:
https://archive.farsightsecurity.com/SIE_Software_Installation_Debian/

# Cripple the ID reported in nmsg, due to:
###################################################
## START python error message #####################
File "/usr/local/scripts/nmsg_fifo.py", line 165, in run
email_nmsg.source = SPAMMER_ID
File "nmsg_message.pyx", line 9, in _nmsg.message.source.__set__ (_nmsg.c:5729)
OverflowError: Python int too large to convert to C long

## END python error message #######################
###################################################




Tivo, which I like, and email validation on websites... which I dislike

2014-02-13T03:11:49-05:00

Copied from a tivo support filed tonight… (id: 140212-018933)

-------------------------------------------------------------------------------------------------

While trying to reset my account password tonight I notice that the page:
https://my.tivo.com/cyril-app-ui/desktop/#/resetpwd

attempts to validate the input email address, for example mine:
morrowc@ops-netman.net

This validation fails, the regular expression match your site attempts is:
^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9]+\.)+[A-Za-z]{2,4}$

for the input field:

This regular expression does not take into account the fact (at least) that ‘-’ is a valid character for domain names on the internet. here’s an example of attempting to validate using your regular expression with python’s regular expression library:
>>> import re
>>> re.match('^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9]+\.)+[A-Za-z]{2,4}$', 'morrowc@ops-netman.net')
>>>

note that the email address above is valid, but your regex fails to see this fact. Now, remove the ‘-’ from the domain and:
>>> re.match('^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9]+\.)+[A-Za-z]{2,4}$', 'morrowc@opsnetman.net')
<_sre.SRE_Match object at 0x10e4168>

see, a match is found. The right regular expression is likely:
>>> re.match('^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,4}$', 'morrowc@ops-netman.net')
<_sre.SRE_Match object at 0x10e41d0>
>>> re.match('^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,4}$', 'morrowc@opsnetman.net')
<_sre.SRE_Match object at 0x10e4168>
>>>

Note that my regex change permits the ‘-’ and works for both versions of my domain name. I hope you’ll fix this so other customers won’t be befuddled and have to take time with customer support on the phone.

---------------------------------------------------------

Note that I had to spend a significant amount of time on the phone with tivo ‘technical support’ for the support individual to tell me:
1) he has to reset so many customer’s passwords by hand because the website doesn’t work right
2) that he clearly didn’t understand the actual problem
3) make me sad…

email validation is ‘hard’... only it REALLY ISN’T!
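
The two patterns from the ticket, run side by side over a few addresses, as an added example that is not part of the original post. It goes beyond the post's single case: `ldh_valid` is a hypothetical stricter check (hostname labels of 1-63 letters, digits or hyphens, not starting or ending with a hyphen), and every address except the first two is constructed.

```python
import re

# Pattern quoted in the post as the site's validator (domain labels lack '-').
SITE_RE = re.compile(r'^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9]+\.)+[A-Za-z]{2,4}$')
# Pattern proposed in the post ('-' added to the domain label class).
POST_RE = re.compile(r'^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,4}$')

# Hostname label under the LDH rule (RFC 1035 / RFC 1123): 1-63 letters,
# digits or hyphens, never starting or ending with a hyphen.
LABEL_RE = re.compile(r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?')
LOCAL_RE = re.compile(r'[A-Za-z0-9._%+-]+')  # same local-part class as the post


def ldh_valid(address):
    """Hypothetical stricter check: split at the last '@', validate each label."""
    local, sep, domain = address.rpartition('@')
    if not sep or not LOCAL_RE.fullmatch(local) or len(domain) > 253:
        return False
    labels = domain.split('.')
    return len(labels) >= 2 and all(LABEL_RE.fullmatch(l) for l in labels)


def compare(addresses):
    """Return {address: (site, post, ldh)} with each verdict as a boolean."""
    return {a: (bool(SITE_RE.match(a)), bool(POST_RE.match(a)), ldh_valid(a))
            for a in addresses}


# Sample inputs: the first two come from the post, the rest are constructed.
SAMPLES = [
    'morrowc@ops-netman.net',   # hyphenated domain from the post
    'morrowc@opsnetman.net',    # same domain without the hyphen
    'user@-example.net',        # label starts with '-': not a valid hostname
    'user@example.museum',      # valid, but the TLD is longer than {2,4}
    'user@example',             # no dot in the domain
]

if __name__ == '__main__':
    for addr, verdict in compare(SAMPLES).items():
        print('%-26s site=%-5s post=%-5s ldh=%s' % ((addr,) + verdict))
```

The proposed pattern still accepts `user@-example.net`, and both patterns reject TLDs longer than four letters.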




Comcast Consumer - IPv6 configuration (Raspberry-pi as bridge/base-station)

2013-12-19T18:37:38-05:00

Because I didn’t want to do this the easy way, apparently and I went through:
* Cisco E1200 (no ipv6 support)
* dlink 615 - broken ipv6 support or dd-wrt ‘no useful ipv6 support’
* netgear-disaster thing (no working ipv6)

I happened to have a raspberry-pi around + tp-link usb->wifi dongle…

Props to some extent should go to: http://www.ipcalypse.ca/?p=204
Oh! and props to adafruit industries as well! (http://learn.adafruit.com/setting-up-a-raspberry-pi-as-a-wifi-access-point/overview)

I installed Raspbian on an sd-card and booted up the pi.
I apt-get installed:
* wide-dhcpv6
* radvd

I reset two sysctl toggles:
* net.ipv6.conf.all.forwarding = 1 (forward ipv6 traffic from interface to interface)
* net.ipv6.conf.eth0.accept_ra=2 (keep listening to Router-Advertisement from the upstream device)

I configured wide-dhcpv6 thusly:

pi@pi ~ $ cat /etc/wide-dhcpv6/dhcp6c.conf
# Default dhpc6c configuration: it assumes the address is autoconfigured using
# router advertisements.

interface eth0 {
    send ia-pd 0;
    send ia-na 0;
    script "/etc/wide-dhcpv6/dhcp6c-script";
};

id-assoc pd 0 {
    prefix-interface wlan0 { # Internal interface
        sla-id 1;
        ifid 1;
        sla-len 0;
    };
};
id-assoc na 0 {
};

and the radvd daemon is configured like:


pi@pi ~ $ cat /etc/radvd.conf
interface wlan0 # LAN interface
{
    # AdvManagedFlag off; # no DHCPv6 server here.
    # AdvOtherConfigFlag off; # not even for options.
    AdvSendAdvert on;
    # AdvDefaultPreference high;
    # AdvLinkMTU 1280;
    prefix ::/64 #pick one non-link-local prefix assigned to the interface and start advertising it
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};

Hostapd’s configuration is simple, and personal but for completeness sake:


$ more /etc/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
ssid=YOURSSIDHERE
hw_mode=g
channel=11
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=YOURKEYHERE
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
$

Configuration of the NAT for the ipv6 wlan0 -> eth0 traffic is left as an exercise to the reader:

$ sudo iptables -t nat -L
...
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

$ sudo iptables -L
...
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

As well as the configuration of the WLAN0 interface in /etc/network/interfaces:


$ cat /etc/network/interfaces
...
auto wlan0
...
allow-hotplug wlan0
iface wlan0 inet static
address 100.64.64.1
netmask 255.255.255.0

Link appropriate startup scripts for proper bootstrapping:


sudo ln -s /etc/init.d/networking /etc/rc2.d/S00networking
sudo ln -s /etc/init.d/hostapd /etc/rc2.d/S02hostapd
sudo ln -s /etc/init.d/isc-dhcp-server /etc/rc2.d/S02isc-dhcp-server
sudo ln -s /etc/init.d/wide-dhcpv6-client /etc/rc2.d/S02wide-dhcpv6-client

After this a reboot and things are working well enough.




go-read clone

2013-07-23T19:53:36-05:00

I didn’t want to pay, so.... go-read clone at rarcreader_appsport.com.

git pull the current src:
github.com/mjibson/goread/goapp

set the gopath:
export GOPATH=PLACE/scripts/git/go_app

update the running app:
./appcfg.py update -e EMAILADDR --oauth2 -A rarcreader ./src/github.com/mjibson/goread/app.yaml




Making a bootable USB stick dos image

2013-07-16T22:08:12-05:00

Take the LSI firmware crapola from (LSI Firmware Download (9650SE)) and make a bootable USB stick.

o Download the firmware zip file.
o Download a dos boot image Pioneer boot image iso
o make a simple dos filesystem in a file

mkdosfs -C -v new.img `expr 120 \* 1024`

o mount the src/dst images and copy crap-from-pioneer + lsi-foo onto the new dos image

$ mkdir src dst
$ mount -o loop win.img src
$ mount -o loop new.img dst
$ cp src/* dst
$ cp lsi-foo/* dst
$ umount src
$ umount dst
$ rmdir src dst

o Copy in the bootblock data from the pioneer image to the new dos file image


# count=3 would suffice to get the jump instructions, 11 is for additional 8 byte OEM string
dd if=win.img of=new.img bs=1 count=11 conv=notrunc
# the boot code proper
dd if=win.img of=new.img bs=1 skip=62 seek=62 count=448 conv=notrunc

o dd new image onto usbstick


$ dd if=new.img of=/dev/sdb1

boot with joy?




Some GE ColorEffects/Cheerlights links

2012-01-08T19:27:57-05:00

There are a few sets of links I’ll hold here until I can review them later.

Code for python control of Cheerlights/GEColorEffects - These claim a max refresh rate of 23fps ... which seems super cool.

Good teardown of the coloreffects lights, including some data on the electronics.

Original IOBridge GITHub - and links to the external code library for G35 libraries.




iDrac setup and use

2011-10-05T03:21:21-05:00

For a r4xx version Dell server with an iDrac6 Express controller installed.
o configure the ip interface
o configure the admin user
o test a serial console connection

To enable the ipmitool on the host server:


modprobe ipmi_msghandler
modprobe ipmi_devintf
modprobe ipmi_si

Then configure the ip info for the iDrac:


ipmitool lan set 1 netmask 255.255.255.0
ipmitool lan set 1 defgw ipaddr 192.168.1.1
ipmitool lan set 1 bakgw ipaddr 192.168.1.2

Then configure a basic user on the system:


sudo ipmitool user list 1
sudo ipmitool user set password 2

SSH should be accessible now on the iDrac, ssh in and start a console on serial1:


ssh root@ip.address
/admin1-> console com2

Escape from the console with ^\

be sure to also configure the getty on the host server too.




Ubuntu, Cyrus SASL auth and Postfix

2011-07-15T06:33:50-05:00

I have no idea why, but postfix + ubuntu + sasl (cyrus-type) are stupidly unhappy… and honestly I’m tired of it.

Install cyrus sasl2 (from apt)
Download the latest source for postfix
compile postfix with the right flags (wietse could do far better with this conglomeration!!)


make makefiles CCARGS="-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl" AUXLIBS="-lssl -lcrypto -lsasl2"

install this postfix. Yes, you should really use the .deb from Ubuntu but for 3 major versions (from 7 through 10) they’ve not been able to offer a postfix package, a sasl2 package and a saslauthd that all play nice together.

Configure the minimal postfix bits (follow the postfix tutorial)
configure sasl handoff from postfix to saslauthd:


# cat /etc/postfix/sasl2/smtpd.conf
log_level: 4
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Make saslauthd validate against shadow passwds and listen in a socket in /var/run/saslauthd.

Add postfix to the saslauthd group

restart saslauthd
restart postfix

test a client connection:


openssl s_client -host mailsystem -port 465
ehlo me
AUTH PLAIN bW9ycm9adsasd3Ywdjasdasdasd=

Create the string of base64 with:


perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password")'

If you get back an ‘Authentication Succeeded!’ everything’s looking good!
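
How the `AUTH PLAIN` argument is put together and taken apart again, as an added example that is not from the original post; the function names are hypothetical and the credentials are the post's placeholder strings. Because the token decodes straight back to the password, the mechanism is only suitable inside the TLS session that `openssl s_client` sets up above.

```python
import base64


def encode_plain(authcid, password, authzid=''):
    """Build the AUTH PLAIN argument: base64(authzid NUL authcid NUL password)."""
    for field in (authzid, authcid, password):
        if '\0' in field:
            raise ValueError('NUL is the field separator and cannot appear in a field')
    raw = '\0'.join((authzid, authcid, password)).encode('utf-8')
    return base64.b64encode(raw).decode('ascii')


def decode_plain(token):
    """Reverse encode_plain(); returns (authzid, authcid, password)."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b'\0')
    # Exactly two separators; authzid may be empty, the other two may not.
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError('expected authzid NUL authcid NUL password')
    return tuple(p.decode('utf-8') for p in parts)


# Constructed credentials in the post's "username\0username\0password" layout.
TOKEN = encode_plain('username', 'password', authzid='username')

if __name__ == '__main__':
    print('AUTH PLAIN ' + TOKEN)
    print(decode_plain(TOKEN))
```

Postfix's `smtpd_tls_auth_only = yes` keeps the server from offering AUTH on sessions that have not negotiated TLS.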




Making sure kvm serial consoles work (Ubuntu Lucid)

2011-07-14T05:17:35-05:00

There are two parts to the serial-console-game:
1) vm base config (guest hardware config)
2) vm software config

For the guest hardware config, you can either hand-edit all vms as they are built (sucky) or simply edit the template used. Templates are stored in /etc/vmbuilder/libvirt, I added a devices/serial section like:






inside the section. This creates a serial interface on the guest hardware.

For the vm software config, simply have the first-boot script install /etc/init/tty0.conf for you!




Cleaned up KVM creation process

2011-07-12T04:49:56-05:00

Shortened steps that work, creating a KVM instance on an Ubuntu Lucid host server.

Install these packages:
o kvm
o python-vm-builder

apt-get update && apt-get install kvm python-vm-builder

Create the destination directory for the VM to be installed into:

mkdir /data/vm/vm-name

Download the first-boot.sh script (you should have this already)

Run the vmbuilder creation command


vmbuilder kvm ubuntu --suite=lucid --flavour=virtual --arch=amd64 \
--mirror=http://apt-squid.rarc.net/apt-cacher/us.archive.ubuntu.com/ubuntu -o \
--libvirt=qemu:///system --dest /data/vm/test-vm1 \
--ip=192.168.122.101 --gw=192.168.122.1 \
--rootsize=100000 \
--user=USERNAME --name='COMMENT' --pass=PASSWD \
--addpkg=vim-nox --addpkg=unattended-upgrades \
--addpkg=openssh-server --firstboot=/home/morrowc/first-boot.sh \
--mem=4096 --hostname=test-vm1 --bridge=virbr0 \
--domain=ops-netman.net --cpus=2

Use virsh to test whether the instance is finished/available for startup


# virsh list --all
Id Name State
----------------------------------
- test-vm1 shut off

Start the instance with virsh

virsh start test-vm1