The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘*nix-tools’ Category

Dear #lazyweb, can anyone point me to a modern email server setup (just emai…

Posted by jpluimers on 2019/02/01

Summary from [WayBack] Dear #lazyweb, can anyone point me to a modern email server setup (just email) with letsencrypt, some spam filter, multi domain preferably on RHEL/Cent… – Jan Wildeboer – Google+

  • many SMTP servers on the interwebs do not have proper TLS setups, so do not require remote SMTP servers to deliver email with a proper certificate
  • delivering mail via SMTP using STARTTLS with a proper certificate yourself is a good step forward
  • postfix
  • dovecot
  • greylisting (although in practice it does not make much of a difference any more)
  • fail2ban
  • dnsbl (often called rbl)
  • spamassassin
  • rspamd (supports SPF, DKIM and many others)
  • letsencrypt automation can be tough, so here is a small wrapper: [WayBack] GitHub – DrGlitchMX/update-letsencrypt: Tiny script for updating “Let’s Encrypt!” certificates from cron
  • it helps to have letsencrypt and the mail server on one machine:
    • multidomain let’s encrypt cert that has my webserver name and the mailserver in the Subject Alternative Names field. As both are on the same machine certbot can automatically update it and I just point Postfix and Dovecot to the LE files.
  • Hans-Martin Mosner: SMTP as-is is just not suitable for the kind of decentralized mail that you would prefer. You need some mechanism to determine which mail senders to trust and which not. Cryptography is suitable at the MUA level and should be used much more, but at the MTA level, TLS for privacy and SPF (bleh) or DKIM (meh) for sender domain authentication are basically your only weapons – much too weak. The PGP web of trust must be considered a failed experiment – who of your mail contacts uses PGP properly or at all? Ironically the only secure messaging solutions for the masses are centralized.

Things to do:

  • find a proper multi-MX fallback setup guide for postfix

–jeroen


Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, postfix, Power User, SMTP

linux – Test if a port on a remote system is reachable (without telnet) – Super User

Posted by jpluimers on 2019/01/29

Just learned that bash can do TCP and UDP itself:

Bash has been able to access TCP and UDP ports for a while. From the man page:

/dev/tcp/host/port
    If host is a valid hostname or Internet address, and port is an integer port number
    or service name, bash attempts to open a TCP connection to the corresponding socket.
/dev/udp/host/port
    If host is a valid hostname or Internet address, and port is an integer port number
    or service name, bash attempts to open a UDP connection to the corresponding socket.

So you could use something like this:

xenon-lornix:~> cat < /dev/tcp/127.0.0.1/22
SSH-2.0-OpenSSH_6.2p2 Debian-6
^C pressed here

Taa Daa!

This is for systems that do not have telnet installed (Windows stopped including it a long time ago, and many Linux distributions followed suit) and where you cannot use nc (also known as netcat).

–jeroen: [WayBack] linux – Test if a port on a remote system is reachable (without telnet) – Super User

Posted in *nix, *nix-tools, bash, Development, Power User, Scripting, Software Development

My 10 UNIX Command Line Mistakes – nixCraft

Posted by jpluimers on 2019/01/28

An interesting series of mistakes that anyone can make followed by a long thread of discussion with various people making mistakes on many operating systems:

My top 10 biggest UNIX / Linux command-line mistakes that cause some sort of down time. Try to avoid them.

[WayBack] My 10 UNIX Command Line Mistakes – nixCraft

Conclusion

All men make mistakes, but only wise men learn from their mistakes — Winston Churchill.
From all those mistakes I have learned that:

  1. You must keep a good set of backups. Test your backups regularly too.
  2. The clear choice for preserving all data of UNIX file systems is dump, which is the only tool that guarantees recovery under all conditions. (see Torture-testing Backup and Archive Programs paper).
  3. Never use rsync with a single backup directory. Create snapshots using rsync or rsnapshot.
  4. Use CVS/git to store configuration files.
  5. Wait and read the command line twice before hitting the damn [Enter] key.
  6. Use your well tested perl / shell scripts and open source configuration management software such as puppet, Ansible, Cfengine or Chef to configure all servers. This also applies to day-to-day jobs such as creating users and more.

Mistakes are inevitable, so have you made any mistakes that have caused some sort of downtime? Please add them into the comments section below.

I didn’t know about rsnapshot, so I need to put some research into it; hence the links below.

Note that the rsnapshot documentation is a bit behind the source code, so if you look for the HOWTO, you’ll get a 404. The old HOWTO is in a link below.

–jeroen

Via: [WayBack] Joe C. Hecht – Google+: Here are a few mistakes that I made while working at UNIX/Linux prompt.

Posted in *nix, *nix-tools, Power User

ScanSnap ix100 open ports

Posted by jpluimers on 2019/01/25

For my archive: the open ports on the ix100 WiFi connection:

# sudo nmap -O -v -A -p- -Pn 192.168.0.1
Password:

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-01 17:40 CEST
NSE: Loaded 144 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:40
Completed NSE at 17:40, 0.00s elapsed
Initiating NSE at 17:40
Completed NSE at 17:40, 0.00s elapsed
Initiating ARP Ping Scan at 17:40
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 17:40, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:40
Completed Parallel DNS resolution of 1 host. at 17:40, 0.03s elapsed
Initiating SYN Stealth Scan at 17:40
Scanning 192.168.0.1 [65535 ports]
Discovered open port 53218/tcp on 192.168.0.1
Discovered open port 53219/tcp on 192.168.0.1
Completed SYN Stealth Scan at 17:40, 51.05s elapsed (65535 total ports)
Initiating Service scan at 17:40
Scanning 2 services on 192.168.0.1
Service scan Timing: About 50.00% done; ETC: 17:41 (0:00:32 remaining)
Completed Service scan at 17:41, 31.85s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.1
NSE: Script scanning 192.168.0.1.
Initiating NSE at 17:41
Completed NSE at 17:41, 0.04s elapsed
Initiating NSE at 17:41
Completed NSE at 17:41, 0.02s elapsed
Nmap scan report for 192.168.0.1
Host is up (0.0037s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
53218/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequest, DNSVersionBindReq, GenericLines, LPDString, NULL, WMSRequest, afp, oracle-tns: 
|_    VENS
53219/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequest, DNSVersionBindReq, GenericLines, LPDString, NULL, WMSRequest, afp, oracle-tns: 
|_    VENS
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 84:25:3F:25:7F:21 (silex technology)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Uptime guess: 248.550 days (since Sat Nov 26 03:30:04 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=199 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT     ADDRESS
1   3.66 ms 192.168.0.1

NSE: Script Post-scanning.
Initiating NSE at 17:41
Completed NSE at 17:41, 0.00s elapsed
Initiating NSE at 17:41
Completed NSE at 17:41, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.09 seconds
           Raw packets sent: 65856 (2.898MB) | Rcvd: 65608 (2.625MB)

The nmap command line above is aliased as nmap-fingerprint_host_all-ports-even-if-ping-fails.

–jeroen

Posted in *nix, *nix-tools, Fujitsu ScanSnap, ix100, nmap, Power User, Scanners

Passwordless SSH

Posted by jpluimers on 2019/01/22

Note: if the system you SSH from is ever compromised, then assume the passwordless targets are also compromised!

–jeroen

Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Linux, openSuSE, Power User, SSH, SuSE Linux, TCP, Tumbleweed

Testing SMTP from the console on Linux, BSD and Mac OS: swaks and smtp-cli Perl script clients

Posted by jpluimers on 2019/01/03

Testing SMTP using telnet is tedious as you have to remember the commands and responses in the SMTP protocol. It gets even harder when doing SMTP AUTH, as then you have to base64 encode a bunch of strings: [WayBack] How to Test SMTP AUTH using Telnet [Wiki] | NDCHost

Luckily there is a Perl script, swaks: [WayBack] Swaks – Swiss Army Knife for SMTP, which does ESMTP and LMTP as well as TLS.

The funny thing is that the repository at jetmore/swaks: Swaks – Swiss Army Knife for SMTP only has the readme, but not the script, which you can get from [WayBack] swaks.pl.

Despite that, most Linux distributions have an installation package.

[WayBack] swaks for openSUSE is in the [WayBack] network repository, so for Tumbleweed (actually: Factory) on Raspberry Pi you need to perform this:

zypper addrepo http://download.opensuse.org/repositories/network/openSUSE_Factory_ARM/network.repo
zypper refresh
zypper install swaks

On Mac OS X it is even easier: if you have the homebrew package manager installed, you just install the [WayBack] swaks formula using the [WayBack] swaks.rb script:

brew install swaks

Note there is also the smtp-cli Perl script, which I mentioned before at Fake/Mock SMTP servers and services for use during development; it also does TLS, but few environments have ready-built packages for it. If you still want to try it out:

For SMTP AUTH:

swaks -tls --to jeroen.wiert.me@pluimers.com --from jeroen.wiert.me@pluimers.com --server smtp.xs4all.nl --auth-user username

Which prompts for the password, then outputs like this:

=== Trying smtp.xs4all.nl:25...
=== Connected to smtp.xs4all.nl.
<- 220 smtp-cloud3.xs4all.net ESMTP ESMTP server ready
 -> EHLO rmbpro1tbjwp
<-  250-smtp-cloud3.xs4all.net hello [188.206.68.219], pleased to meet you
<-  250-HELP
<-  250-AUTH LOGIN PLAIN
<-  250-SIZE 157286400
<-  250-8BITMIME
<-  250-STARTTLS
<- 250 OK
 -> STARTTLS
<- 220 Ready to start TLS
=== TLS started with cipher TLSv1:DHE-RSA-AES256-SHA:256
=== TLS no local certificate set
=== TLS peer DN="/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.xs4all.nl"
 ~> EHLO rmbpro1tbjwp
<~  250-smtp-cloud3.xs4all.net hello [188.206.68.219], pleased to meet you
<~  250-HELP
<~  250-AUTH LOGIN PLAIN
<~  250-SIZE 157286400
<~  250-8BITMIME
<~ 250 OK
 ~> AUTH LOGIN
<~ 334 ############
 ~> anA=
<~ 334 ############
 ~> ############################
<~ 235 ... authentication succeeded
 ~> MAIL FROM:<jeroen.wiert.me@pluimers.com>
<~  250 <jeroen.wiert.me@pluimers.com> sender ok
 ~> RCPT TO:<jeroen.wiert.me@pluimers.com>
<~  250 <jeroen.wiert.me@pluimers.com> recipient ok
 ~> DATA
<~ 354 enter mail, end with "." on a line by itself
 ~> Date: Wed, 19 Jul 2017 09:09:57 +0200
 ~> To: jeroen.wiert.me@pluimers.com
 ~> From: jeroen.wiert.me@pluimers.com
 ~> Subject: test Wed, 19 Jul 2017 09:09:57 +0200
 ~> Message-Id: <20170719090957.052207@rmbpro1tbjwp>
 ~> X-Mailer: swaks v20170101.0 jetmore.org/john/code/swaks/
 ~> 
 ~> This is a test mailing
 ~> 
 ~> .
<~ 250 smtp-cloud3.xs4all.net accepted mail mXA71v00C4jr6ac01XA9Bo for delivery
 ~> QUIT
<~  221 smtp-cloud3.xs4all.net ESMTP closing connection
=== Connection closed with remote host.
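An added example, not from the post or from swaks, that audits a saved transcript like the one above: swaks marks cleartext lines with -> / <- and TLS-protected lines with ~> / <~, so a script can confirm that the AUTH LOGIN exchange only went out after STARTTLS. The sample transcript inside it is constructed from the one above with the secrets masked; the function names are mine.

```shell
# Added example, not part of the post or of swaks: audit a saved swaks
# transcript for the one thing that matters when testing SMTP AUTH on port 25.
# swaks prefixes cleartext traffic with "<-" / "->" and TLS-protected traffic
# with "<~" / "~>", so the prefixes show whether the AUTH LOGIN exchange (base64,
# i.e. effectively plaintext credentials) went out before or after STARTTLS.
# Reads the transcript on stdin, prints a summary, exits 1 if AUTH went in clear.
audit_swaks_transcript() {
    awk '
        /^=== TLS started with cipher / { cipher = substr($0, 29) }
        /^=== TLS peer DN=/            { peer = substr($0, 17) }
        /^<- *250-AUTH /               { offered_clear = 1 }  # server offers AUTH pre-TLS
        /^ ?-> AUTH /                  { sent_clear = 1 }     # client sent AUTH pre-TLS
        END {
            printf "tls_cipher=%s\n", (cipher == "" ? "none" : cipher)
            printf "tls_peer_dn=%s\n", (peer == "" ? "none" : peer)
            printf "auth_offered_before_tls=%s\n", (offered_clear ? "yes" : "no")
            printf "auth_sent_in_clear=%s\n", (sent_clear ? "yes" : "no")
            exit (sent_clear ? 1 : 0)
        }'
}

# Constructed sample modelled on the transcript in the post (secrets masked).
SAMPLE_TRANSCRIPT='<-  220 smtp-cloud3.xs4all.net ESMTP ESMTP server ready
 -> EHLO rmbpro1tbjwp
<-  250-AUTH LOGIN PLAIN
<-  250-STARTTLS
<-  250 OK
 -> STARTTLS
<-  220 Ready to start TLS
=== TLS started with cipher TLSv1:DHE-RSA-AES256-SHA:256
=== TLS peer DN="/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.xs4all.nl"
 ~> EHLO rmbpro1tbjwp
<~  250-AUTH LOGIN PLAIN
<~  250 OK
 ~> AUTH LOGIN
<~  334 ############
 ~> ############################
<~  235 ... authentication succeeded'

# Run the audit over the constructed sample (or pipe a real transcript instead).
audit_sample() { printf '%s\n' "$SAMPLE_TRANSCRIPT" | audit_swaks_transcript; }
```

The cipher line is the other thing worth checking: TLSv1 with DHE-RSA-AES256-SHA, as negotiated in the 2017 transcript above, is TLS 1.0, which has since been deprecated.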

–jeroen

Posted in *nix, *nix-tools, Communications Development, Development, Hardware Development, Internet protocol suite, Linux, openSuSE, Power User, Raspberry Pi, SMTP, SuSE Linux, Tumbleweed

Easy Running of Scripts at Boot and Shutdown – SUSE Blog | SUSE Communities

Posted by jpluimers on 2019/01/01

Cool:

/etc/init.d/after.local

–jeroen

Posted in *nix, *nix-tools, bash, Development, Linux, openSuSE, Power User, Scripting, Software Development, SuSE Linux, Tumbleweed

How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)

Posted by jpluimers on 2018/12/24

If you want to set up an account on your system that will be used only to transfer files (and not to ssh into the system), you should set up an SFTP chroot jail.

This explains how: [WayBack] How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)

Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Power User, SFTP, SSH, TCP

Reptyr – Forgot to “screen” your ssh session first, and now that long running…

Posted by jpluimers on 2018/12/24

From a while back, but still so cool! It allows you to “recover” the terminal (stdin/stdout/stderr) of a process that was attached to a terminal or ssh session.

Reptyr – Forgot to “screen” your ssh session first, and now that long running thing is stuck?

»reptyr PID will grab the process with id PID and attach it to your current terminal.«

server:~ # zypper install reptyr
...
Retrieving: reptyr-0.3dev_git20120325-7.1.2.x86_64.rpm ...................[done]
(1/1) Installing: reptyr-0.3dev_git20120325-7.1.2 ........................[done]
server:~ # rpm -qi reptyr
...
Summary     : A tool for "re-ptying" programs
Description :
reptyr is a utility for taking an existing running program and
attaching it to a new terminal. Started a long-running process over
ssh, but have to leave and don't want to interrupt it? Just start a
screen, use reptyr to grab it, and then kill the ssh session and head
on home.
Distribution: openSUSE 13.1

Source: [WayBack] Reptyr – Forgot to “screen” your ssh session first, and now that long running thing is stuck?… – Kristian Köhntopp – Google+

It works with tmux too and is supported on many Linux distributions, see for instance [WayBack] Reptyr – Move A Running Process From One Terminal To Another Without Closing It – OSTechNix.

You can even redirect a pty for gdb usage: [WayBack] reptyr(1): new terminal – Linux man page

StackExchange thread: [WayBack] How to recover a shell after a disconnection with these entries:

Originally from 2011 ([WayBack] reptyr: Attach a running process to a new terminal – Made of Bugs), it is still maintained:

GitHub repository: [WayBack] nelhage/reptyr: Reparent a running program to a new terminal

–jeroen

Posted in *nix, *nix-tools, Linux, openSuSE, Power User, screen, SuSE Linux, tmux

linux – Keeping the fancy sudo warning forever – Super User

Posted by jpluimers on 2018/12/21

Be careful what you do: blindly following Super User can make sudo unavailable: [WayBack] linux – Keeping the fancy sudo warning forever – Super User.

Following the answer archived in the WayBack machine gets you into this situation:

sudo -i
>>> /etc/sudoers.d/privacy: syntax error near line 1 <<<
sudo: parse error in /etc/sudoers.d/privacy near line 1
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

The cause:

I forgot to put a line terminator at the end of the line in the privacy file.

With the line terminator in place it works fine: add this line, INCLUDING A LINE TERMINATOR, to /etc/sudoers.d/privacy (any file in that directory will do):

Defaults lecture=always
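An added example, not from the post or the Super User answer, for getting that fragment into /etc/sudoers.d without repeating the lock-out: it checks for the missing line terminator, runs visudo's check mode when visudo is available, and only then installs the file. The path /etc/sudoers.d/privacy is the one from the post; the function names are mine.

```shell
# Added example, not from the post or the Super User answer: check a sudoers
# fragment before it goes into /etc/sudoers.d, so a mistake cannot take sudo
# down the way the missing line terminator in the post did. The first check is
# that exact failure (no final newline); the second, when visudo is present, is
# a full syntax check of the candidate file with `visudo -c -f FILE`.
check_sudoers_fragment() {                # 0 = ok, 1 = empty or no final newline
    f=$1
    [ -s "$f" ] || return 1               # empty file: nothing to install
    # $(tail -c1) drops a trailing newline, so a newline-terminated file
    # yields an empty string and an unterminated one yields its last character
    [ -z "$(tail -c1 "$f")" ]
}

validate_with_visudo() {                  # 0 = accepted or visudo absent, 2 = rejected
    command -v visudo >/dev/null 2>&1 || return 0
    visudo -c -f "$1" >/dev/null 2>&1 || return 2
}

# Write the line from the post with printf (which always emits the "\n" an
# editor can omit), run both checks, then install with the 0440 mode sudo
# requires. The final step needs root; the checks do not.
install_lecture_fragment() {
    tmp=$(mktemp) || return 1
    printf 'Defaults lecture=always\n' > "$tmp"
    rc=0
    check_sudoers_fragment "$tmp" && validate_with_visudo "$tmp" \
        && install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/privacy || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```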


–jeroen

Posted in *nix, *nix-tools, Power User