Archive for the ‘Linux’ Category
Posted by jpluimers on 2022/10/25
With the rise of *nix tools and infrastructure on Windows (including, but certainly not limited to, Visual Studio Code and Windows Subsystem for Linux), I need to get acquainted with the new ways these interface to the Windows Console.
Windows Console dates from the (now obsolete) UCS-2 days, so it is not even fully Unicode aware and has trouble with UTF-8 and UTF-16.
So here are some links for my reading list:
–jeroen
Posted by jpluimers on 2022/05/11
I wanted to know which pattern provides [WayBack] etckeeper, which is in the [WayBack] openSUSE Software package etckeeper.
It seems no built-in search query can do that, so I built one myself.
Since the result takes quite a while to produce, the output is a patterns.txt that you can manually search.
This is the command:
zypper search -t pattern | grep "|" | tail -n +2 | perl -pe 's/^.*? \| //' | perl -pe 's/ *\| .*$//' | xargs -I {} sh -c "zypper info -t pattern {}" > patterns.txt
The content is like this (the 2017 date shows I wrote this a long time ago):
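Added example, not part of the original post: a small shell function that answers the original question by scanning a patterns.txt produced by the command above for the pattern(s) whose Contents table lists a given package. The sample text is constructed to mimic the `zypper info -t pattern` layout (an assumption about the format), so the function can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the original post: find which zypper pattern(s)
# list a given package, by scanning the concatenated `zypper info -t pattern`
# output that the command above writes to patterns.txt.
# The sample below is CONSTRUCTED to mimic zypper's layout (an assumption
# about the format), so the function can be exercised offline.
SAMPLE_PATTERNS='Information for pattern base:
-----------------------------
Repository     : Main Repository
Name           : base
Summary        : Minimal Base System
Contents       :
  S | Name      | Type    | Dependency
  --+-----------+---------+-----------
  i | aaa_base  | package | Required
  i | zypper    | package | Required

Information for pattern devel_basis:
------------------------------------
Repository     : Main Repository
Name           : devel_basis
Summary        : Basis Development
Contents       :
  S | Name      | Type    | Dependency
  --+-----------+---------+-----------
  i | gcc       | package | Required
    | etckeeper | package | Recommended
'

# pattern_for_package PACKAGE [FILE]: prints the name of every pattern whose
# Contents table lists PACKAGE, one per line. Reads FILE, or stdin when no
# FILE is given, so `pattern_for_package etckeeper patterns.txt` works too.
pattern_for_package() {
  pkg="$1"; shift
  awk -v pkg="$pkg" '
    /^Name +: /          { name = $3 }     # "Name : <pattern>" header line
    /^ *[a-zA-Z]? *[|] / {                 # a row of the Contents table
      split($0, f, "|")
      gsub(/^ +| +$/, "", f[2])            # trim the Name column
      if (f[2] == pkg && name != "") { print name; name = "" }
    }' "$@"
}
```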
Posted by jpluimers on 2022/02/24
IoT devices still often use the ‘Basic’ HTTP Authentication Scheme for authentication, see [Wayback] RFC7617: The ‘Basic’ HTTP Authentication Scheme (RFC ) and [Wayback] RFC2617: HTTP Authentication: Basic and Digest Access Authentication (RFC ).
Often this authentication is used even over http instead of over https, for instance the Egardia/Woonveilig alarm devices I wrote about yesterday at Egardia/Woonveilig: some notes about logging on a local gateway to see more detailed information on the security system. This is contrary to guidance in:
- RFC7617:
This scheme is not considered to be a secure method of user
authentication unless used in conjunction with some external secure
system such as TLS (Transport Layer Security, [RFC5246]), as the
user-id and password are passed over the network as cleartext.
- RFC2617:
"HTTP/1.0", includes the specification for a Basic Access
Authentication scheme. This scheme is not considered to be a secure
method of user authentication (unless used in conjunction with some
external secure system such as SSL [5]), as the user name and
password are passed over the network as cleartext.
Fiddling with those alarm devices, I wrote these two little bash functions (with a few notes) that work both on MacOS and in Linux:
# `base64 --decode` is platform neutral (as MacOS uses `-D` and Linux uses `-d`)
# `$1` is the encoded username:password (quoted, so a value with `=` padding or spaces survives)
function decode_http_Basic_Authorization(){
  echo "$1" | base64 --decode
  echo
}
# `base64` without parameters encodes
# `echo -n` does not output a new-line (otherwise the new-line ends up inside the encoded credentials and the header is wrong)
# `tr -d '\n'` removes the line wrapping GNU `base64` adds for long input; MacOS `base64` does not wrap
# `$1` is the username; `$2` is the password
function encode_http_Basic_Authorization(){
  echo -n "$1:$2" | base64 | tr -d '\n'
  echo
}
The first decodes the <credentials> from an Authorization: Basic <credentials> header into username:password cleartext followed by a newline.
The second one encodes a username and password pair (the two parameters) into such a <credentials> string.
They are based on these initial posts that were not cross platform or explanatory:
- [Wayback] Decode HTTP Basic Access Authentication – Stack Pointer
- [Wayback] Create Authorization Basic Header | MJ’s Web Log
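As an added example (my own, not from the two posts above): the decoding function extended to take a complete captured Authorization header line, reject anything that is not a Basic credential, and split it at the first colon as RFC 7617 requires (the user-id may not contain a colon, the password may). The function names, the sample header and its admin account are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: decode a complete
# "Authorization: Basic <credentials>" header line, as seen in a plain http
# request to such a device, into its user-id and password. Per RFC 7617 the
# user-id cannot contain a colon, so the split is at the FIRST colon and the
# rest (colons included) is the password. `base64 --decode` works on both
# GNU and BSD/macOS base64. All names here are constructed for the example.

# basic_auth_decode HEADER_LINE -> prints "user-id:password"; returns 1 when
# the line is not a Basic credential or the base64 payload is invalid.
basic_auth_decode() {
  creds=$(printf '%s' "$1" |
    sed -n 's#^[Aa]uthorization: *[Bb]asic *\([A-Za-z0-9+/=]*\) *$#\1#p')
  [ -n "$creds" ] || return 1
  printf '%s' "$creds" | base64 --decode 2>/dev/null || return 1
}

# basic_auth_userid HEADER_LINE -> prints the user-id (text before the first colon)
basic_auth_userid() {
  basic_auth_decode "$1" | cut -d: -f1
}

# basic_auth_password HEADER_LINE -> prints the password (may itself contain ':')
basic_auth_password() {
  basic_auth_decode "$1" | cut -d: -f2-
}

# Constructed sample: the header a client sends for the (made-up) account
# "admin" with password "s3cret:with:colons".
SAMPLE_HEADER="Authorization: Basic $(printf '%s' 'admin:s3cret:with:colons' | base64 | tr -d '\n')"
```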
–jeroen
Posted by jpluimers on 2022/02/24
Two command-lines I use to view my Postfix logs:
journalctl --unit postfix --since "2 days ago"
journalctl --unit postfix --pager-end
Note that neither of these work well with the --follow (or equivalent -f) option, as this will effectively disable the pager (which by default is less).
The second is via [Wayback] systemd – How to see the latest x lines from systemctl service log – Unix & Linux Stack Exchange (which got the --pagerend bit wrong, as it misses a dash and should be --pager-end, but still thanks [Wayback] Daniel Kmak):
Just:
journalctl -u SERVICE_NAME -e
Parameter -e stands for:
-e –pagerend
…
That’s the one! Other answers will go through the whole log to get to its end, which can be veeeeery long for large syslogs.
The last bit (by [Wayback] Léo Germond, thanks!) is why I like it most.
Similarly, specifying --since in the first example will not go through the whole log.
Some background information:
Posted by jpluimers on 2022/02/17
I wrote about Creating a bootable USB installer for ESXi and used it to create a bootable ESXi installation.
Just in case I ever need to do this on a non-Windows system, some links:
–jeroen
Posted by jpluimers on 2022/02/09
As promised mid last year in “fixing” ESXi “rsync error: error allocating core memory buffers (code 22) at util2.c(106) [sender=3.1.2]”, I would follow up on building a static rsync for ESXi one day.
So below are a few links on how to do this, roughly in the order I found them (most via [Wayback] vmware rsync “3.1.2” static – Google Search):
Especially the last link has a great set of steps on how to build manually.
Boy, I forgot how long ago CentOS 3.9 was: [Wayback] [CentOS-announce] CentOS 3.9 is released for i386 and x86_64
Posted by jpluimers on 2022/01/27
Based on [Wayback] domain name system – Overriding some DNS entries in BIND for internal networks – Server Fault and some further reading, there seem to be two ways used in these scenarios:
I wonder how that would interact best with Pi-Hole based solutions. Would it be best to have your local network use the Pi-Hole server, then have the Pi-Hole server obtain the DNS information it cannot resolve through one of the above solutions? Or would other solutions work better?
So here are a few links:
- [Wayback] domain name system – Overriding some DNS entries in BIND for internal networks – Server Fault; A lot of information in the answers to this question; important takeaway is that BIND named does support RPZ, but the support is not as fine grained as what Unbound DNS Server supports.
- [Wayback] bind – Is it possible to split a domain using dns Bind9 – Server Fault
- [Wayback] domain name system – Redirecting time.windows.com to internal server – Server Fault: poor man’s approach for a single host.
- [Wayback] Chapter 4 DNS Configuration Types (Bind)
- [Wayback] Split horizon DNS master/slave with Bind | Jensd’s I/O buffer having a full set of steps for master and slave, explaining the how and why of each step
- [Wayback] DNS Response Policy Zones (RPZ) / [Wayback] draft-vixie-dnsop-dns-rpz-00: DNS Response Policy Zones (RPZ) (Internet-Draft, 2018):
This document describes a method for expressing DNS response policy inside a specially constructed DNS zone, and for recursive name servers to use such policy to return modified results to DNS clients. The modified DNS results can stop access to selected HTTP servers, redirect users to “walled gardens”, block objectionable email, and otherwise defend against attack. These “DNS Firewalls” are widely used in fighting Internet crime and abuse.
- [Wayback] Overriding DNS for fun and profit (with bind)
- [Wayback] Chapter 7 – Response Policy Zone (Bind)
- [Wayback] configuration – Large zone file for bind9 : ad-blocking – Unix & Linux Stack Exchange
- [Wayback] HOWTO – Configure a DNS firewall with RPZ (with examples)
- [Wayback] Jan-Piet Mens :: RPZ revisited (Bind, with very clear examples no order of processing)
- [Wayback] domain name system – Alternative ways to get past 32 rpz zone limit in BIND? …without running BIND a thousand times – Server Fault (yes, as zones can be in views)
- [Wayback] Build a Privacy-respecting and Threat-blocking DNS Server
Learn how you can install your own DNS server to protect your devices from phishing, malware and ransomware
- [Wayback] Glen Pitt-Pladdy :: Blog – DNS Firewall (blackhole malicious, like Pi-hole) with bind9
- [Wayback] DNSRPZ performance and scaleability when using multiple RPZ zones (Bind)
- [Wayback] debian – DNS server for blacklisting tons of domains and also some TLDs – Unix & Linux Stack Exchange (Bind)
- [Wayback] NLnet Labs – Unbound – About
Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. Late 2019, Unbound has been rigorously audited, which means that the code base is more resilient than ever. To help increase online privacy, Unbound supports DNS-over-TLS …
- [Wayback] NLnet Labs – News – Unbound 1.10.0 released: rpz support and serve-stale conformance
The 1.10.0 release has RPZ support and serve stale functionality according to draft draft-ietf-dnsop-serve-stale-10. And a number of other, smaller, features, and bug fixes.
- [Wayback] jimh.dev: Unbound Pi-hole without scripts
- [Wayback] Blocking Ads using unbound(8) on OpenBSD – TuM’Fatig:
The Internet is full of Ads and Trackers. Some of them are useful to monetize free content. Some are used in a non-ethical manner. Savvy users will configure Ad-Blocker on their Web browser. Others won’t. Most Appliance and IoT modules won’t allow third-party blocking addons. Here’s how to add an extra layer of privacy using …
The public blocklists used by Pi-Hole are the following:
I wrote a [Wayback] script that will fetch the blocklists content, parse it and create a local zone file for unbound(8). That file will contain all the blocked domains and use the redirect answer to resolve those as invalid.
- [Wayback] geoghegan.ca: unbound-adblock, The Ultimate DNS Firewall! with [Wayback] script version 0.5p4
Pi-Hole seems not to be interested in RPZ: [Wayback] Implement Response Zone Policies (NXDOMAIN) for end-user performance increase – Feature Requests / Implemented – Pi-hole Userspace
Pi-Hole’s default blacklist is mentioned in [Wayback/Archive.is] pi-hole/basic-install.sh at master · pi-hole/pi-hole (look for adlistFile, which defaults to [Wayback/Archive.is] StevenBlack/hosts: 🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.).
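As an added example (my own, not the script the TuM’Fatig post links to and not Pi-hole’s code): the conversion step those posts describe, for the hosts-file layout of the StevenBlack list that Pi-hole defaults to. Each blocked name becomes an unbound(8) local-zone of type redirect whose local-data answers 0.0.0.0; the sample blocklist, the function names and the choice of 0.0.0.0 as the answer address are constructed/assumed here.

```shell
#!/bin/sh
# Added example (not the linked script): turn a hosts-format blocklist
# ("0.0.0.0 domain", the StevenBlack/hosts layout Pi-hole uses by default)
# into unbound(8) local-zone/local-data statements that answer every blocked
# name with 0.0.0.0 via the "redirect" zone type. Comments, blank lines, the
# localhost bookkeeping entries and duplicates are dropped.
# The blocklist text below is CONSTRUCTED for the example, not a real list.
SAMPLE_HOSTS='# Title: constructed sample blocklist
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.net   # comment after an entry
0.0.0.0 tracker.example.org
0.0.0.0 ads.example.net
0.0.0.0 telemetry.example.com extra.example.com
'

# hosts_to_unbound [FILE]: reads hosts lines from FILE (or stdin) and prints
# the unbound configuration fragment to include from unbound.conf.
hosts_to_unbound() {
  awk '
    { sub(/#.*/, "") }                                  # strip comments
    NF < 2 { next }                                     # need "address name..."
    $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }       # ignore ::1 etc.
    {
      for (i = 2; i <= NF; i++) {                       # a line may list several names
        h = tolower($i)
        if (h == "localhost" || h == "0.0.0.0" || h ~ /^localhost\./) continue
        if (h !~ /^[a-z0-9._-]+$/ || h !~ /\./) continue # reject junk / bare names
        if (seen[h]++) continue                          # de-duplicate
        printf "local-zone: \"%s\" redirect\n", h
        printf "local-data: \"%s A 0.0.0.0\"\n", h
      }
    }' "$@"
}

# blocked_count [FILE]: number of distinct names the fragment would block.
blocked_count() {
  hosts_to_unbound "$@" | grep -c '^local-zone:'
}
```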
Since I need this for ESXi: [Wayback/Archive.is] Let’s Encrypt SSL for ESXi
–jeroen
Posted by jpluimers on 2021/11/17
[Wayback] How do I restart sshd on my Unix system | StarNet Knowledge Database – PC X, X Windows, X 11 & More – StarNet
RedHat and Fedora Core Linux
/sbin/service sshd restart
Suse linux
/etc/rc.d/sshd restart
Debian/Ubuntu
/etc/init.d/sshd restart
Solaris 9 and below
/etc/init.d/sshd stop
/etc/init.d/sshd start
Solaris 10
svcadm disable ssh
svcadm enable ssh
AIX
stopsrc -s sshd
startsrc -s sshd
HP-UX
/sbin/init.d/secsh stop
/sbin/init.d/secsh start
Note that on openSUSE, by now you need this to restart sshd:
/usr/sbin/rcsshd restart
Edit 20211118: some tweets in reaction to this post
–jeroen