The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Archive for the ‘*nix-tools’ Category

AlessandroZ/LaZagne: Credentials recovery project

Posted by jpluimers on 2019/04/15

Just when I thought I had made a note of a password I hardly ever use, I hadn’t. Luckily, this open source tool understands how to recover many kinds of passwords: AlessandroZ/LaZagne: Credentials recovery project.

–jeroen

Posted in *nix, *nix-tools, Chrome, Development, DVCS - Distributed Version Control, Firefox, git, Internet Explorer, Office, Opera, Outlook, Power User, Python, Scripting, Skype, Software Development, Source Code Management, Web Browsers, WiFi, Windows

Default OpenSuSE Postfix main.cf forgets to configure SASL for cyrus…

Posted by jpluimers on 2019/04/15

If you see the below in your Postfix log when trying to test your config, then the SASL configuration is empty. Oddly that seems the default on OpenSuSE for a while now, despite it providing cyrus SASL out of the box.

Sep 15 14:30:07 katrien postfix/smtpd[12719]: fatal: bad string length 0 < 1: smtpd_sasl_path =
Sep 15 14:30:08 katrien postfix/master[12400]: warning: process /usr/lib/postfix/smtpd pid 12719 exit status 1
Sep 15 14:30:08 katrien postfix/master[12400]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling

Prior OpenSuSE versions had this in /etc/postfix/main.cf:

# SASL stuff
############################################################
smtp_sasl_auth_enable = no
smtp_sasl_security_options =
smtp_sasl_password_maps =
smtpd_sasl_auth_enable = no
#smtpd_sasl_path = private/auth
#smtpd_sasl_type = dovecot

Newer OpenSuSE versions have this:

# SASL stuff
############################################################
smtp_sasl_auth_enable = no
smtp_sasl_security_options =
smtp_sasl_password_maps =
smtpd_sasl_auth_enable = no
# cyrus : smtpd_sasl_type = cyrus, smtpd_sasl_path = smtpd
# dovecot : smtpd_sasl_type = dovecot, smtpd_sasl_path = private/auth
smtpd_sasl_path =
smtpd_sasl_type = 

Despite the newer having these installed:

# rpm -qa | grep cyrus
cyrus-sasl-crammd5-2.1.26-14.2.aarch64
cyrus-sasl-2.1.26-14.2.aarch64
cyrus-sasl-plain-2.1.26-14.2.aarch64
cyrus-sasl-digestmd5-2.1.26-14.2.aarch64
cyrus-sasl-gssapi-2.1.26-14.2.aarch64

Solution:

smtpd_sasl_path = smtpd
smtpd_sasl_type = cyrus

Since the values for both lines are default, you could even comment them out; see the documentation:

–jeroen

Via: [WayBack] postfix IRC logs [July 26 – 2007]

Posted in *nix, *nix-tools, Linux, openSuSE, postfix, Power User, SuSE Linux, Tumbleweed

When your triple/quad-play provider refuses to give you your VoIP SIP credentials, but allows access to your modem: use Wireshark on the WAN side

Posted by jpluimers on 2019/04/12

Every now and then I hear about providers that refuse to hand over the VoIP SIP credentials.

If you do have access to your modem, you can Wireshark the WAN side, then reset the modem and capture traffic until it has obtained the VoIP information:

[WayBack] Telfort SIP (getest met Glasvezel) | Het leven van Teus & Simone:

Many people on the Telfort forum wonder whether they can get the SIP details for telephony, so that they do not have to use the ExperiaBox. Given that Telfort Support … these details…

–jeroen

Posted in *nix, *nix-tools, Internet, Power User, Wireshark

crontab.guru – the cron schedule expression editor

Posted by jpluimers on 2019/04/12

Confused by crontab expressions? Me too, so I was happy to find: “At minute 3 past every 12th hour” – crontab.guru – the cron schedule expression editor.

It has a [WayBack] truckload of common crontab expressions, but more importantly allows you to live edit one, then explains in human terms what it means and when the schedule runs next.

If you like a step-by-step cron configurator, then you can try [WayBack] Cron Job Generator by GenerateIt.net, but note that it cannot interpret a cron expression.

–jeroen

Posted in *nix, *nix-tools, cron, Linux, Power User

{Updated} Linux server security checklist. #sysadmin 

Posted by jpluimers on 2019/03/11

Most tips are OK, but:

  1. for password related policies, please read these:
  2. If you do DNS, implement DNSSEC
  3. I think IPv6 is OK, but like IPv4 it needs to be firewalled
  4. Be really careful with fail2ban and similar tools: they are easy ways to lock yourself out as well, for instance by someone doing a nice (D)DoS on you.

Tips: [WayBack] 40 Linux Server Hardening Security Tips [2017 edition] – nixCraft

–jeroen

Posted in *nix, *nix-tools, Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security

sudo command doesn’t source /root/.bashrc – Unix & Linux Stack Exchange

Posted by jpluimers on 2019/03/08

TL;DR:

  • sudo -i is not an interactive logon to root
  • sudo -i bash is interactive and *does* execute /root/.bashrc

Source: [WayBack] sudo command doesn’t source /root/.bashrc – Unix & Linux Stack Exchange

–jeroen

Posted in *nix, *nix-tools, bash, Power User

sed in a bash script: backslash escape anything that looks suspicious

Posted by jpluimers on 2019/02/26

Did I ever tell you I dislike regular expressions and old-skool shells?

They’re not good for anything but basic commands, so if you try any scripts in them, you’re basically lost.

If you disagree, please read [WayBack] Don’t write Shell scripts. I would recommend Python, but I tried “pip search mysql”…. – Kristian Köhntopp – Google+ and [WayBack] How did this shit ever work? by the same author.

On the other hand: on many systems, the baseline isn’t much more than a shell and a very limited tool set.

With *nix like systems that usually comes down to sed and a shell like bash.

Since I wanted to modify an OpenSSH hardening script, which was using sed in a bash script, to cover more permutations, I did not have much choice but to bite the bullet.

TL;DR:

When you use any of the below characters, prepend them with a backslash as they have a bash meaning in addition to a sed meaning.

  • ? becomes \?
  • ( becomes \(
  • ) becomes \)
  • | becomes \|

The script

Hopefully by now it’s [Archive.is] been merged into https://github.com/comotion/gone/blob/github/modules/ssh. If not, it’s at https://github.com/jpluimers/gone/blob/jpluimers-ssh-hardening-patch/modules/ssh.

The diff: [Archive.is] https://github.com/jpluimers/gone/commit/329bf12a320704080e68eee90f4c099e92d8388d?diff=unified

The relevant portion (which also uses backslashes as line continuation to wrap a command over multiple lines [WayBack]):

sed -i \
-e 's/#\?MaxAuthTries *[0-9]*.*/MaxAuthTries 2/' \
-e 's/#\?PermitRootLogin *\(yes\|no\).*/PermitRootLogin no/' \
-e 's/#\?UsePrivilegeSeparation *\(yes\|no\|sandbox\).*/UsePrivilegeSeparation sandbox/' \
-e 's/#\?StrictModes *\(yes\|no\).*/StrictModes yes/' \
-e 's/#\?IgnoreRhosts *\(yes\|no\).*/IgnoreRhosts yes/' \
-e 's/#\?PermitEmptyPasswords *\(yes\|no\).*/PermitEmptyPasswords no/' \
-e 's/#\?ChallengeResponseAuthentication *\(yes\|no\).*/ChallengeResponseAuthentication yes/' \
-e 's/#\?KerberosAuthentication *\(yes\|no\).*/KerberosAuthentication no/' \
-e 's/#\?GSSAPIAuthentication *\(yes\|no\).*/GSSAPIAuthentication no/' \
-e 's/#\?GatewayPorts *\(yes\|no\).*/GatewayPorts no/' \
-e 's/#\?X11Forwarding *\(yes\|no\).*/X11Forwarding no/' \
-e 's/#\?PrintMotd *\(yes\|no\).*/PrintMotd no/' \
-e 's/#\?PrintLastLog *\(yes\|no\).*/PrintLastLog yes/' \
-e 's/#\?TCPKeepAlive *\(yes\|no\).*/TCPKeepAlive no/' \
-e 's/#\?PermitUserEnvironment *\(yes\|no\).*/PermitUserEnvironment no/' \
-e 's/^\(HostKey .*ssh_host_dsa_key\)/#\1/' \
sshd_config
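
An added example (not part of the gone script) of why the backslashes matter: inside single quotes bash passes these characters through unchanged, and it is sed's default basic regular expression syntax that treats ?, (, ) and | as operators only when they are escaped, so the unescaped spelling silently changes nothing. The sample config and function names are constructed, GNU sed is assumed, and the functions write to stdout instead of using -i.

```shell
#!/usr/bin/env bash
# Added example. GNU sed assumed: \? and \| are GNU extensions to basic regexes.

# Constructed sshd_config fragment used as input.
sample_config() {
  cat <<'EOF'
#PermitRootLogin yes
X11Forwarding yes
#MaxAuthTries 6
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
EOF
}

# Basic regex (sed default), spelled as in the script above.
harden_bre() {
  sed \
    -e 's/#\?MaxAuthTries *[0-9]*.*/MaxAuthTries 2/' \
    -e 's/#\?PermitRootLogin *\(yes\|no\).*/PermitRootLogin no/' \
    -e 's/#\?X11Forwarding *\(yes\|no\).*/X11Forwarding no/' \
    -e 's/^\(HostKey .*ssh_host_dsa_key\)/#\1/'
}

# Backslashes dropped, still basic regex: ? ( ) | are now literal characters,
# nothing matches, and sed exits 0 without any warning.
harden_unescaped() {
  sed \
    -e 's/#?PermitRootLogin *(yes|no).*/PermitRootLogin no/' \
    -e 's/#?X11Forwarding *(yes|no).*/X11Forwarding no/'
}

# Extended regex (-E): here the unescaped spelling is the operator form.
harden_ere() {
  sed -E \
    -e 's/#?MaxAuthTries *[0-9]*.*/MaxAuthTries 2/' \
    -e 's/#?PermitRootLogin *(yes|no).*/PermitRootLogin no/' \
    -e 's/#?X11Forwarding *(yes|no).*/X11Forwarding no/' \
    -e 's/^(HostKey .*ssh_host_dsa_key)/#\1/'
}

# Post-check: print every wanted directive that is NOT present as an exact,
# active line in the config read from stdin. Empty output means all are set.
missing_directives() {
  cfg=$(cat)
  for want in "$@"; do
    printf '%s\n' "$cfg" | grep -q -F -x -- "$want" || printf '%s\n' "$want"
  done
}

# A substitution can only rewrite a line that exists: PermitEmptyPasswords is
# absent from the sample, so the post-check reports it as still missing.
sample_config | harden_bre | missing_directives \
  'PermitRootLogin no' 'X11Forwarding no' 'MaxAuthTries 2' 'PermitEmptyPasswords no'
```

Running a check like missing_directives after the sed step catches both failure modes: a pattern that never matched and a directive that was never in the file.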

More on sshd hardening

In case I have to revisit the script again, here are some more links on ssh and hardening from my blog posts:

–jeroen

Posted in *nix, *nix-tools, bash, Development, Power User, Scripting, sed, sed script, Software Development

Follow up on “btrfs free space. It’s complicated. Still.”

Posted by jpluimers on 2019/02/14

In the meantime I’ve made a bit of progress on btrfs free space. It’s complicated. Still.

Let me start with an example system that has details further below.

  • total of quotas is slightly more than 1.1 Gibibyte
    • Sometimes this helps making the quota list better:
      btrfs quota rescan /
  • the disk partition itself is 10 Gibibyte
  • btrfs indicates there is 6.6 Gibibyte used
  • df indicates there is 11 Gigabyte total, 6.9 Gigabyte used and 2.6 Gigabyte available.

In short: the used 6.6 Gibibyte (which matches 6.9 Gigabyte) does not match the 11 Gibibyte. A situation very similar to [WayBack] Disk usage is more than double the snapshots exclusive data — Linux BTRFS.

Reminder to self: try bedup that is supposed to deduplicate btrfs data: [WayBack] Re: Disk usage is more than double the snapshots exclusive data — Linux BTRFS

I need to check out de-duplication (as I know this particular machine has quite a bit of duplicate data).

But first let’s get the size down a bit with this series of commands:

sftp-host:~ # btrfs balance start -dusage=0 -musage=0 /
Done, had to relocate 0 out of 18 chunks
sftp-host:~ # btrfs balance start -dusage=10 -musage=10 /
Done, had to relocate 1 out of 18 chunks
sftp-host:~ # btrfs balance start -dusage=20 -musage=20 /
Done, had to relocate 1 out of 18 chunks
sftp-host:~ # btrfs balance start -dusage=30 -musage=30 /
Done, had to relocate 2 out of 18 chunks
sftp-host:~ # btrfs balance start -dusage=40 -musage=40 /
Done, had to relocate 1 out of 17 chunks
sftp-host:~ # btrfs balance start -dusage=50 -musage=40 /
Done, had to relocate 2 out of 17 chunks
sftp-host:~ # btrfs balance start -dusage=60 -musage=40 /
Done, had to relocate 2 out of 17 chunks
sftp-host:~ # btrfs balance start -dusage=60 -musage=60 /
sftp-host:~ # btrfs filesystem show
Label: none  uuid: 6492a1c6-5fbc-4938-bf11-57d6194e6b8f
    Total devices 1 FS bytes used 6.61GiB
    devid    1 size 10.00GiB used 8.88GiB path /dev/sda2

sftp-host:~ # btrfs filesystem df /
Data, single: total=7.82GiB, used=6.35GiB
System, DUP: total=32.00MiB, used=16.00KiB
Metadata, DUP: total=512.00MiB, used=263.47MiB
GlobalReserve, single: total=22.67MiB, used=0.00B

Compare this to the initial situation:

sftp-host:~ # btrfs filesystem show
Label: none  uuid: 6492a1c6-5fbc-4938-bf11-57d6194e6b8f
    Total devices 1 FS bytes used 6.61GiB
    devid    1 size 10.00GiB used 10.00GiB path /dev/sda2

sftp-host:~ # btrfs filesystem df /
Data, single: total=8.94GiB, used=6.35GiB
System, DUP: total=32.00MiB, used=16.00KiB
Metadata, DUP: total=512.00MiB, used=264.27MiB
GlobalReserve, single: total=23.48MiB, used=0.00B

Now you see that:

  • far less of the partition is actually used by the filesystem (was 10 Gibibyte, now 8.88 Gibibyte)
  • far less storage is needed for the data (was 8.94 Gibibyte, now 7.82 Gibibyte to store 6.35 Gibibyte)

If the above succeeds

Continue with steps closer to 99 (which is a percentage) and if that succeeds try this:

btrfs balance start --full-balance /

In my experience it needs at least 60% free disk space (as reported by df -h) to run to completion. If it fails, it’s no problem: it merges the final almost full blocks. But those blocks will be split soon anyway because of file system write activity.

Nicer overview

You can even get a nicer view by executing btrfs filesystem usage -T / (which I did after continuing up to 99):

Overall:
    Device size:          10.00GiB
    Device allocated:          8.22GiB
    Device unallocated:        1.78GiB
    Device missing:          0.00B
    Used:              7.00GiB
    Free (estimated):          2.72GiB  (min: 1.83GiB)
    Data ratio:               1.00
    Metadata ratio:           2.00
    Global reserve:       24.55MiB  (used: 48.00KiB)

             Data    Metadata  System              
Id Path      single  DUP       DUP      Unallocated
-- --------- ------- --------- -------- -----------
 1 /dev/sda2 7.41GiB 768.00MiB 64.00MiB     1.78GiB
-- --------- ------- --------- -------- -----------
   Total     7.41GiB 384.00MiB 32.00MiB     1.78GiB
   Used      6.47GiB 269.88MiB 16.00KiB

 

If the above fails

Three things to try now:

  1. Try to start with lower values of -dusage and -musage.
  2. Split -dusage and -musage into separate btrfs balance start commands.
  3. Try to remove any snapper snapshots that you do not need. (you can delete ranges using snapper, see [Wayback/Archive] How to delete disk snapshots in SUSE)

Log:

sftp-host:~ # df -h
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        176M     0  176M   0% /dev
tmpfs           182M     0  182M   0% /dev/shm
tmpfs           182M  868K  181M   1% /run
tmpfs           182M     0  182M   0% /sys/fs/cgroup
/dev/sda2        11G  6.9G  2.6G  73% /
/dev/sda2        11G  6.9G  2.6G  73% /var/spool
/dev/sda2        11G  6.9G  2.6G  73% /tmp
/dev/sda2        11G  6.9G  2.6G  73% /boot/grub2/i386-pc
/dev/sda2        11G  6.9G  2.6G  73% /boot/grub2/x86_64-efi
/dev/sda2        11G  6.9G  2.6G  73% /var/crash
/dev/sda2        11G  6.9G  2.6G  73% /var/lib/named
/dev/sda2        11G  6.9G  2.6G  73% /var/opt
/dev/sda2        11G  6.9G  2.6G  73% /var/lib/mailman
/dev/sda2        11G  6.9G  2.6G  73% /var/tmp
/dev/sda2        11G  6.9G  2.6G  73% /var/log
/dev/sda2        11G  6.9G  2.6G  73% /var/lib/pgsql
/dev/sda2        11G  6.9G  2.6G  73% /var/lib/machines
/dev/sda2        11G  6.9G  2.6G  73% /srv
/dev/sda2        11G  6.9G  2.6G  73% /usr/local
/dev/sda2        11G  6.9G  2.6G  73% /opt
/dev/sda2        11G  6.9G  2.6G  73% /.snapshots
/dev/sda3       5.5G   36M  5.5G   1% /home
tmpfs            37M     0   37M   0% /run/user/1000
sftp-host:~ # btrfs filesystem show
Label: none  uuid: 6492a1c6-5fbc-4938-bf11-57d6194e6b8f
    Total devices 1 FS bytes used 6.61GiB
    devid    1 size 10.00GiB used 10.00GiB path /dev/sda2

sftp-host:~ # btrfs filesystem df /
Data, single: total=8.94GiB, used=6.35GiB
System, DUP: total=32.00MiB, used=16.00KiB
Metadata, DUP: total=512.00MiB, used=264.27MiB
GlobalReserve, single: total=23.48MiB, used=0.00B
sftp-host:~ # btrfs qgroup show /
qgroupid         rfer         excl 
--------         ----         ---- 
0/5          16.00KiB     16.00KiB 
0/257         1.05MiB      1.05MiB 
0/258         2.55GiB     51.11MiB 
0/259         2.36MiB      2.36MiB 
0/260        16.00KiB     16.00KiB 
0/261        16.00KiB     16.00KiB 
0/262        16.00KiB     16.00KiB 
0/263        36.00KiB     36.00KiB 
0/264        16.00KiB     16.00KiB 
0/265        16.00KiB     16.00KiB 
0/266        16.00KiB     16.00KiB 
0/267        16.00KiB     16.00KiB 
0/268        16.00KiB     16.00KiB 
0/269       533.83MiB    533.83MiB 
0/270        16.00KiB     16.00KiB 
0/271        48.00KiB     48.00KiB 
0/272        16.00KiB     16.00KiB 
0/289        16.00KiB     16.00KiB 
0/401         2.80GiB    396.91MiB 
0/402         2.55GiB      9.57MiB 
0/403         2.55GiB     12.91MiB 
0/404         2.54GiB    676.00KiB 
0/405         2.54GiB    660.00KiB 
0/406         2.81GiB     60.34MiB 
0/407         2.55GiB      8.66MiB 
0/408         2.55GiB      4.57MiB 
0/409         2.56GiB     24.31MiB 
0/410         2.55GiB      7.28MiB 
0/411         2.57GiB     20.55MiB 
255/289      16.00KiB     16.00KiB 
sftp-host:~ # !~
~/Versioned/btrfs-size/btrfs-size.sh 
===============================================================================================
Snapshot / Subvolume                                               ID   Total    Exclusive Data
===============================================================================================
257 gen 505741 top level 5 path .snapshots                         257  1.05MB   1.05MB   
258 gen 505796 top level 257 path .snapshots/1/snapshot            258  2.55GB   51.11MB  
259 gen 505736 top level 5 path boot/grub2/i386-pc                 259  2.36MB   2.36MB   
260 gen 452028 top level 5 path boot/grub2/x86_64-efi              260  16.00KB  16.00KB  
261 gen 452028 top level 5 path opt                                261  16.00KB  16.00KB  
262 gen 505720 top level 5 path srv                                262  16.00KB  16.00KB  
263 gen 505791 top level 5 path tmp                                263  36.00KB  36.00KB  
264 gen 505717 top level 5 path usr/local                          264  16.00KB  16.00KB  
265 gen 452028 top level 5 path var/crash                          265  16.00KB  16.00KB  
266 gen 452028 top level 5 path var/lib/mailman                    266  16.00KB  16.00KB  
267 gen 452028 top level 5 path var/lib/named                      267  16.00KB  16.00KB  
268 gen 452028 top level 5 path var/lib/pgsql                      268  16.00KB  16.00KB  
269 gen 505795 top level 5 path var/log                            269  533.83MB 533.83MB 
270 gen 452028 top level 5 path var/opt                            270  16.00KB  16.00KB  
271 gen 505796 top level 5 path var/spool                          271  48.00KB  48.00KB  
272 gen 505771 top level 5 path var/tmp                            272  16.00KB  16.00KB  
289 gen 452028 top level 5 path var/lib/machines                   289  16.00KB  16.00KB  
401 gen 451786 top level 257 path .snapshots/92/snapshot           401  2.81GB   396.91MB 
402 gen 465358 top level 257 path .snapshots/93/snapshot           402  2.55GB   9.57MB   
403 gen 465363 top level 257 path .snapshots/94/snapshot           403  2.55GB   12.91MB  
404 gen 471598 top level 257 path .snapshots/95/snapshot           404  2.54GB   676.00KB 
405 gen 471603 top level 257 path .snapshots/96/snapshot           405  2.54GB   660.00KB 
406 gen 471658 top level 257 path .snapshots/97/snapshot           406  2.81GB   60.34MB  
407 gen 487231 top level 257 path .snapshots/98/snapshot           407  2.55GB   8.66MB   
408 gen 490073 top level 257 path .snapshots/99/snapshot           408  2.55GB   4.57MB   
409 gen 490081 top level 257 path .snapshots/100/snapshot          409  2.56GB   24.31MB  
410 gen 505715 top level 257 path .snapshots/101/snapshot          410  2.55GB   7.28MB   
411 gen 505739 top level 257 path .snapshots/102/snapshot          411  2.57GB   20.55MB  
===============================================================================================
                                                                Exclusive Total: 1.11GB    
sftp-host:~ # 

–jeroen

Posted in *nix, *nix-tools, btrfs, File-Systems, Power User

Ancient Unix based keyboard shortcuts

Posted by jpluimers on 2019/02/14

Somehow I’ve been doing Unix like work off and on for most of my life. So I know many ancient shell shortcuts (like Ctrl-E for end-of-line and Ctrl-A for start-of-line) by heart.

Many don’t, or even list shortcuts as if they are for the shell, but in fact aren’t.

So here are some links that distinguish between various kinds of keyboard shortcuts and give some insight in the history of these shortcuts (that go back into the 1970s, yes I’m that old).

–jeroen

Posted in *nix, *nix-tools, Development, Power User, Software Development

Some Postfix configuration guidelines

Posted by jpluimers on 2019/02/08

The first two guidelines apply to more than just Postfix:

  • Change one thing at a time
  • Save known working configurations

For the latter, I’m using etckeeper pushing to an external git repository hoster.

The others are specific to Postfix and come from [WayBack] Postfix Configuration Guidelines.

One tip that’s missing, but has saved my life numerous times:

In /etc/postfix/main.cf do not use this line ever:

inet_interfaces = $myhostname

If resolving $myhostname (through DNS or the hosts file) fails for any reason in the future, then Postfix will not start at all, but instead emits a fatal error like this:

/usr/sbin/postconf: fatal: parameter inet_interfaces: no local interface found for 127.0.0.2

Specify exact interfaces instead, like any of these:

inet_interfaces = all

inet_interfaces = localhost

inet_interfaces = 192.168.24.68
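
An added example (not part of Postfix, and not the author's code) that lints a main.cf for the two startup pitfalls on this page: the empty smtpd_sasl_path / smtpd_sasl_type values from the openSUSE SASL post above, and an inet_interfaces value that depends on $myhostname. It follows the main.cf rules that a line starting with whitespace continues the previous one and that the last assignment of a parameter wins; the function names and sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example. Reads a main.cf on stdin and prints one line per finding;
# no output means neither pitfall is present.
lint_main_cf() {
  awk '
    # Store the finished logical line as name -> value. A later assignment
    # overwrites an earlier one, which is how Postfix treats duplicates.
    function flush(   eq, name, value) {
      eq = index(logical, "=")
      if (eq > 1) {
        name  = substr(logical, 1, eq - 1)
        value = substr(logical, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", value)
        param[name] = value
      }
      logical = ""
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comment or blank line
    /^[ \t]/ { logical = logical " " $0; next }       # continuation line
    { flush(); logical = $0 }                         # start of a logical line
    END {
      flush()
      if (("smtpd_sasl_path" in param) && param["smtpd_sasl_path"] == "") {
        print "smtpd_sasl_path is set to an empty value"
      }
      if (("smtpd_sasl_type" in param) && param["smtpd_sasl_type"] == "") {
        print "smtpd_sasl_type is set to an empty value"
      }
      # Postfix accepts $name, ${name} and $(name) as references.
      if (param["inet_interfaces"] ~ /\$[({]?myhostname/) {
        print "inet_interfaces depends on resolving $myhostname"
      }
    }
  '
}

# Constructed input: the newer openSUSE SASL lines plus the inet_interfaces
# line this tip warns about.
broken_main_cf() {
  cat <<'EOF'
smtpd_sasl_auth_enable = no
# cyrus : smtpd_sasl_type = cyrus, smtpd_sasl_path = smtpd
smtpd_sasl_path =
smtpd_sasl_type = 
inet_interfaces = $myhostname
EOF
}

# The same file with the fixes appended; the last assignment wins, and the
# inet_interfaces value sits on a continuation line.
fixed_main_cf() {
  broken_main_cf
  printf '%s\n' 'smtpd_sasl_path = smtpd' 'smtpd_sasl_type = cyrus' \
    'inet_interfaces =' '    localhost'
}

broken_main_cf | lint_main_cf
```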

–jeroen

Posted in *nix, *nix-tools, etckeeper, Linux, postfix, Power User