other Archives - Safematix IT-Security

Vagrant 1.8.5 – public key problem

29. August 2016 by Robert Ressl

If you like to create with kitchen a new Vagrant instance with the Vagrant version 1.8.5 you get the following problem:

           default: Vagrant insecure key detected. Vagrant will automatically replace
           default: this with a newly generated keypair for better security.
           default:
           default: Inserting generated public key within guest...
           default: Removing insecure key from the guest if it's present...
           default: Key inserted! Disconnecting and reconnecting using new SSH key...
           default: Warning: Authentication failure. Retrying...
           default: Warning: Authentication failure. Retrying...
           default: Warning: Authentication failure. Retrying...
           default: Warning: Authentication failure. Retrying...
           default: Warning: Authentication failure. Retrying...
           default: Warning: Authentication failure. Retrying...
           default: Warning: Authentication failure. Retrying...
           default: Warning: Authentication failure. Retrying...

To fix this, you should create this file:

vi .vagrant.d/Vagrantfile

With the content:

Vagrant.configure("2") do |config|
  config.ssh.insert_key = false
end

rsync status with lsof

25. April 201718. August 2016 by Robert Ressl

To see the status from rsync, you can use lsof:

lsof -ad3-999 -c rsync

Output:

COMMAND  PID USER   FD   TYPE             DEVICE SIZE/OFF       NODE NAME
rsync   8097 root    3r   REG             252,17   404832 7559983121 /srv/data/safematix
rsync   8097 root    4u  unix 0xffff8806f4447080      0t0      85225 type=STREAM
rsync   8097 root    5u  unix 0xffff8806f4444ec0      0t0      85226 type=STREAM
rsync   8098 root    3u  unix 0xffff880738502580      0t0      77431 type=STREAM
rsync   8099 root    4u  unix 0xffff880738500b40      0t0      77432 type=STREAM

Raspberry Pi ntp server gps

2. May 201712. December 2015 by Robert Ressl

raspberry pi ntp server gps

You need:

stty -F /dev/ttyAMA0 raw 9600 cs8 clocal -cstopb

test gps

cat /dev/ttyAMA0

gpsmon

(eg, remove console=ttyAMA0,115200 and if there, kgdboc=ttyAMA0,115200) /boot/cmdline.txt

dwc_otg.lpm_enable=0 console=tty1 root=/dev/mmcblk0p2 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait

Install ntp package

apt-get install ntp gpsd

/etc/default/gpsd

# Default settings for the gpsd init script and the hotplug wrapper.

# Start the gpsd daemon automatically at boot time
START_DAEMON="true"

# Use USB hotplugging to add new USB devices automatically to the daemon
USBAUTO="false"

# Devices gpsd should collect to at boot time.
# They need to be read/writeable, either by user gpsd or the group dialout.
DEVICES="/dev/ttyAMA0"

# Other options you want to pass to gpsd
GPSD_OPTIONS="-b -n"

/lib/systemd/system/gpsd.service

#ExecStart=/usr/sbin/gpsd -N $GPSD_OPTIONS $DEVICES
ExecStart=/usr/sbin/gpsd -N -b -n /dev/ttyAMA0

/usr/local/bin/leap-seconds.sh

#!/bin/sh
cd /etc/ntp
wget https://www.ietf.org/timezones/data/leap-seconds.list &> /dev/null
service ntp restart &> /dev/null

/etc/cron.d/ntp

0 0 31 6,12 * root /usr/local/bin/leap-seconds.sh

mkdir /etc/ntp

download the leap-seconds.list the first time

/usr/local/bin/leap-seconds.sh

/etc/ntp.conf

driftfile /var/lib/ntp/ntp.drift
leapfile /etc/ntp/leap-seconds.list

# Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# pool
server 0.ch.pool.ntp.org iburst
server 1.ch.pool.ntp.org iburst
server 2.ch.pool.ntp.org iburst
server 3.ch.pool.ntp.org iburst


# HW GPS
server 127.127.28.0 iburst
fudge 127.127.28.0 flag1 1 flag2 0 time2 0.600 refid GPS

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page 
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 172.23.0.0 mask 255.255.0.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

Tricks:

query and synchronize against a pool

ntpdate -q 0.ch.pool.ntp.org 1.ch.pool.ntp.org

/etc/udev/rules.d/99-com.rules
KERNEL==”ttyAMA0″, SYMLINK+=”gps0″
KERNEL==”pps0″, SYMLINK+=”gpspps0″

The NTP status codes that ntpq is showing you are on this list, yours is showing an “*” which means you aren’t using the PPS, just the serial output of the GPS chip. You might want to look into that as the PPS is probably going to give you better time accuracy.

o = pps peer
* = sys peer
# = too distant
+ = selected
x = false ticker
– = discarded

[![MIT license](http://img.shields.io/badge/license-MIT-brightgreen.svg)](http://opensource.org/licenses/MIT)

curl HTTP-header only

2. May 20178. November 2015 by Robert Ressl

curl HTTP-header only

-I, --head
              (HTTP/FTP/FILE) Fetch the HTTP-header only! HTTP-servers feature the command HEAD which this uses to get nothing but the header of a document. When used on an FTP or FILE file, curl displays the file size and last modification time only.

root@vh01 ~ # curl -I https://git.safematix.com 
HTTP/1.1 302 Found
Server: nginx
Date: Sun, 08 Nov 2015 15:51:31 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Status: 302 Found
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Location: https://git.safematix.com/users/sign_in
Cache-Control: no-cache
Set-Cookie: _gitlab_session=08f48dd9e9a254b8ef0531f16e58963c; path=/; expires=Sun, 15 Nov 2015 15:51:31 -0000; secure; HttpOnly
Set-Cookie: request_method=HEAD; path=/
X-Request-Id: 20f8f32e-79ca-4bdd-97c0-092e70e39abc
X-Runtime: 0.007302
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Public-Key-Pins: pin-sha256="tqbNSQH3NzwHzRVt1iYPI4cncKFhKQRCDrt8nt4mqhE="; pin-sha256="5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU="; max-age=5184000; includeSubDomains

Google Chrome DNS cache clear / flush

2. November 2015 by Robert Ressl

Google Chrome DNS cache clear / flush

To clear the DNS cache open the following URL in Chrome:

Click on “Clear host cache”

chrome://net-internals/#dns

Click on “Flush socket pools”

chrome://net-internals/#sockets

ownCloud occ

2. May 201721. October 2015 by Robert Ressl

ownCloud occ

Go to the ownCloud directory /var/www/owncloud and run occ

sudo -u www-data php occ 
ownCloud version 8.2.0

Usage:
 [options] command [arguments]

Options:
 --help (-h)           Display this help message
 --quiet (-q)          Do not output any message
 --verbose (-v|vv|vvv) Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug
 --version (-V)        Display this application version
 --ansi                Force ANSI output
 --no-ansi             Disable ANSI output
 --no-interaction (-n) Do not ask any interactive question

Available commands:
 check                                check dependencies of the server environment
 help                                 Displays help for a command
 list                                 Lists commands
 status                               show some status information
 upgrade                              run upgrade routines after installation of a new release. The release has to be installed before.
app
 app:check-code                       check code to be compliant
 app:disable                          disable an app
 app:enable                           enable an app
 app:list                             List all available apps
background
 background:ajax                      Use ajax to run background jobs
 background:cron                      Use cron to run background jobs
 background:webcron                   Use webcron to run background jobs
config
 config:app:delete                    Delete an app config value
 config:app:get                       Get an app config value
 config:app:set                       Set an app config value
 config:import                        Import a list of configs
 config:list                          List all configs
 config:system:delete                 Delete a system config value
 config:system:get                    Get a system config value
 config:system:set                    Set a system config value
db
 db:convert-type                      Convert the ownCloud database to the newly configured one
 db:generate-change-script            generates the change script from the current connected db to db_structure.xml
encryption
 encryption:change-key-storage-root   Change key storage root
 encryption:decrypt-all               Disable server-side encryption and decrypt all files
 encryption:disable                   Disable encryption
 encryption:enable                    Enable encryption
 encryption:encrypt-all               Encrypt all files for all users
 encryption:list-modules              List all available encryption modules
 encryption:set-default-module        Set the encryption default module
 encryption:show-key-storage-root     Show current key storage root
 encryption:status                    Lists the current status of encryption
files
 files:cleanup                        cleanup filecache
 files:scan                           rescan filesystem
l10n
 l10n:createjs                        Create javascript translation files for a given app
log
 log:manage                           manage logging configuration
 log:owncloud                         manipulate ownCloud logging backend
maintenance
 maintenance:mimetype:update-db       Update database mimetypes and update filecache
 maintenance:mimetype:update-js       Update mimetypelist.js
 maintenance:mode                     set maintenance mode
 maintenance:repair                   repair this installation
 maintenance:singleuser               set single user mode
trashbin
 trashbin:cleanup                     Remove deleted files
user
 user:add                             adds a user
 user:delete                          deletes the specified user
 user:lastseen                        shows when the user was logged it last time
 user:report                          shows how many users have access
 user:resetpassword                   Resets the password of the named user
versions
 versions:cleanup                     Delete versions

Enable ownCloud maintenance mode

sudo -u www-data php occ maintenance:mode --on

Disable ownCloud maintenance mode

sudo -u www-data php occ maintenance:mode --off

Upgrade ownCloud

sudo -u www-data php occ upgrade
ownCloud or one of the apps require upgrade - only a limited number of commands are available
Set log level to debug - current level: 'Warning'
Checked database schema update
Checked database schema update for apps
Updated database
Disabled 3rd-party app: documents
Disabled 3rd-party app: search_lucene
Updating  ...
Updated  to 2.0
Updating  ...
Updated  to 14.2.0
Updating  ...
Updated  to 1.2.0
Updating  ...
Updated  to 2.1.3
Updating  ...
Updated  to 0.7.0
Updating  ...
Updated  to 0.7.0
Updating  ...
Updated  to 1.1.0
Updating  ...
Updated  to 0.3.0
Update successful
Maintenance mode is kept active
Reset log level to 'Warning'

Status from ownCloud

sudo -u www-data php occ status
  - installed: true
  - version: 8.2.0.12
  - versionstring: 8.2.0
  - edition:

ntpd and OpenNTPD status

21. September 2015 by Robert Ressl

ntpd and OpenNTPD status

ntpd

ntpq -p

ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ts1.safematix.com 192.168.0.1    2 u   19   64  377    0.572   -0.064   0.173
+ts2.safematix.com 192.168.0.2    3 u   28   64  377    0.406    0.021   0.298

OpenNTPD

Since OpenBSD 5.5, you have the tool ntpctl

ntpctl -s all

ntpctl -s all
4/4 peers valid, clock unsynced

peer
   wt tl st  next  poll          offset       delay      jitter
82.197.188.130 from pool ch.pool.ntp.org 
    1 10  2   29s   32s         0.268ms     8.530ms     1.015ms
212.51.144.44 from pool ch.pool.ntp.org 
    1 10  1   31s   33s         0.075ms     9.118ms     0.575ms
91.235.212.22 from pool ch.pool.ntp.org 
    1 10  2    1s   32s        -0.835ms     9.015ms     0.791ms
91.240.0.5 from pool ch.pool.ntp.org 
    1 10  3    5s   32s         0.459ms     9.860ms     1.492ms

rsync not older

2. May 20178. September 2015 by Robert Ressl

rsync not older

Copy all data are not older than 23 days.

Version 01 – from file path

find /var/log/nginx -mtime -23 -printf %P\\0 | rsync -av --files-from=- --from0 /var/log/nginx/ safematix@172.23.0.23:/srv/safematix/

Version 02 – full path

find /var/log/nginx -mtime -23 -print0 | rsync -av --files-from=- --from0 / safematix@172.23.0.23:/srv/safematix/

openssl self signed certificate one liner

2. May 20172. September 2015 by Robert Ressl

openssl self signed certificate one liner

openssl req -new -newkey rsa:4096 -sha256 -days 3650 -nodes -x509 -keyout www.safematix.com.key -out www.safematix.com.crt -subj /C=CH/ST=Zurich/L=Zurich/O=Safematix/CN=www.safematix.com

wget test website

2. May 201719. August 2015 by Robert Ressl

wget test website

wget --proxy=off --spider www.safematix.com