simple AP with hostapd

Notes on configuring transient WiFi APs with linux and hostapd



hostapd config
node9:~# cat /etc/hostapd/hostapd.wlan0.conf |grep -v "#"
interface=wlan0
driver=nl80211
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=4
ctrl_interface=/var/run/hostapd.wlan0
ctrl_interface_group=0
channel=6
hw_mode=g
macaddr_acl=0
auth_algs=3
eapol_key_index_workaround=0
eap_server=0
wpa=3
ssid=node9
wpa_passphrase=incellll
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP



To enable 802.11n add to the hostapd.conf
ieee80211n=1
wmm_enabled=1
and do not change
hw_mode=g


go
node9:~# hostapd /etc/hostapd/hostapd.wlan0.conf 
or run the hostapd deamon in the background
node9# hostapd -B /etc/hostapd/hostapd.wlan0.conf


Connect to node9
node7:~# wpa_supplicant -i wlan1 -c <(wpa_passphrase node9 incellll)
or put wpa_supplicant in the background
node7:~# wpa_supplicant -B -i wlan1 -c <(wpa_passphrase node9 incellll)


Check the client's wireless interface
node7:~# iwconfig wlan1
wlan1     IEEE 802.11abgn  ESSID:"node9"  
          Mode:Managed  Frequency:2.437 GHz  Access Point: 30:14:4A:15:B7:94   
          Bit Rate=54 Mb/s   Tx-Power=27 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=64/70  Signal level=-46 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:20   Missed beacon:0



List the AP client(s)
node9:~# iw dev wlan0 station dump 
Station 30:14:4a:15:bb:72 (on wlan0)
 inactive time: 2893 ms
 rx bytes: 871
 rx packets: 22
 tx bytes: 537
 tx packets: 3
 tx retries: 0
 tx failed: 0
 signal:   -42 dBm
 signal avg: -46 dBm
 tx bitrate: 1.0 MBit/s
 authorized: yes
 authenticated: yes
 preamble: short
 WMM/WME: no
 MFP:  no
 TDLS peer:  no



Network
node9:~# ifconfig wlan0 192.168.10.9/24
node7:~# ifconfig wlan1 192.168.10.7/24
node7:~# ping -c 1 192.168.10.9
PING 192.168.10.9 (192.168.10.9) 56(84) bytes of data.
64 bytes from 192.168.10.9: icmp_req=1 ttl=64 time=1.66 ms

--- 192.168.10.9 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.668/1.668/1.668/0.000 ms







kismet server and drones



Kismet Drone(s) Setup -- Voyage Linux

Install prerequisites
# apt-get update
# apt-get install libpcap-dev
# apt-get install libnl-dev
# apt-get install pkg-config


Get kismet
# wget http://www.kismetwireless.net/code/kismet-2013-03-R1b.tar.xz


Create the kismet user
# mkdir /var/log/kismet
# adduser kismet --home /var/log/kismet


Compile kismet
# tar xf kismet-2013-03-R1b.tar.xz 
# cd kismet-2013-03-R1b/
# ./configure --disable-client
# make dep
# make


Install kismet and kismet_drone
# make suidinstall
# usermod -a -G kismet kismet


Configure kismet_drone (the Kismet Server is at 10.0.0.225/24)
# grep \#g0 kismet_drone.conf |sed -e s/\#g0//
servername=drone4
dronelisten=tcp://0.0.0.0:2502 
allowedhosts=127.0.0.1,10.0.0.0/255.255.255.0 
gps=false 
ncsource=wlan0 
This is what I changed in the default kismet_drone.conf file.

Drone Test Run

# su - kismet -c "/root/kismet-2013-03-R1b/kismet_drone -f /root/kismet-2013-03-R1b/conf/kismet_drone.conf"
or
# /root/kismet-2013-03-R1b/kismet_drone --daemonize -f /root/kismet-2013-03-R1b/conf/kismet_drone.conf


Kismet Server --Collector and Client --Debian
# apt-get install kismet


To add drones to the Kismet sources in /etc/kismet/kismet.conf you may use the following syntax
 ncsource=drone:host=10.0.0.3,port=2502,name=dr0ne3
 ncsource=drone:host=10.0.0.4,port=2502,name=dr0ne4



Kismet collector,server and client test run
# kismet




tankos code







Remember tankos?



I wrote Tankos in C and I used the ATMEL Studio to put it together,
the code is on github ...





Hardware:
  • one ATmega328 Arduino ( UNO ) board
  • one SR04 ultrasonic range detector
  • tamiya tracks ( got them from a bulldozer toy )
  • one tamiya twin-motor gearbox that I geared to go slow with a lot of torque
  • one small tower pro servo
  • fuses, buttons , switches , breadboard cables , a tiny breadbord, 4 18650s, a twin 18650 case that connects them in series, two single 18650 cases , dc jacks , H bridges , plywood , screws , random pieces of clear plastic, etc




if you want to recreate tankos and you need help in choosing hardware or find your way around the code please contact me .







tankos code



upgrade to debian 8

Upgrade wheezy ( debian 7 ) to jessie ( debian 8 )

adjust /etc/apt/sources.list to something like this
deb http://ftp.gr.debian.org/debian/ jessie main non-free contrib
deb-src http://ftp.gr.debian.org/debian/ jessie main non-free contrib

deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free

# jessie-updates, previously known as 'volatile'
deb http://ftp.gr.debian.org/debian/ jessie-updates main contrib non-free
deb-src http://ftp.gr.debian.org/debian/ jessie-updates main contrib non-free

Most likely, NTUA 's debian mirror in athens is not your closest mirror.
You may want to use another debian mirror.

upon adjusting /etc/apt/sources.list update apt index
# apt-get update


and upgrade all the packages and the base system
# apt-get upgrade

or
# apt-get dist-upgrade


You will have to quit a few informative pagers and answer a few questions, but everything works out fine.





upgrade to debian 8



Just the Privacy and Security part

from ipduh privacy and the https search fix

Many computer users think that by installing and using some browser plugin they will magically protect their privacy --which is false.

Every time you install a browser-plugin you run yet more brilliant xor stupid and good xor evil code that expands the attack surface on your system and your privacy and adds features or bugs or backdoors.

Actually, privacy-wise disabling javascript is OK, installing random plugins that run tones of "obfuscated" javascript or compiled closed code that you have no clue of what it really does in your browser is usually not. Plugins like flash, java, quicktime, itunes, silverlight, adobe reader, windows media player may be more dangerous for your privacy or your security than javascript plugins.

In addition, every time that you do not look like an average human using an average system you stick out and many of your plugins are visible if you are running javascript.

In most modern web browsers you do not need special browser plugins in order to disable cookies or javascript. Try it out. You will soon realize that most of the web is broken without javascript even though ipduh is not very broken.

When it comes to modern web browsers I consider Chrome and Mozilla based browsers put together by companies or groups I "trust" (Google, Mozilla, Debian) more secure than Microsoft Internet Explorer and Opera and IE and Opera more secure than the rest ...
don't ask me for a formal proof ... it is an opinion ...

However, Chromium and Mozilla based browsers ( Chrome , Firefox , Seamonkey , Iceweasel etc ) , Safari , Internet Explorer , Opera and the rest of the modern web browsers are ridiculously complex pieces of software used by millions if not billions of humans. There you have both opportunity and motivation for profit, control and power. Hence, all modern browsers are insecure. Put together or read thoroughly the source of a basic text HTTP(s) client if you are really paranoid.

Certain three letter agencies may have exploits or backdoors that compromise your browser and your privacy ( accessing your system ,even gaining administrator privileges, and certainly seeing 'your' first public IP address ) even if you do not run javascript or plugins. And they may be able to do that without even having you visiting a website they (p)own. Connecting to the Internet and firing up your web browser may be enough.

Up untill recently I had a little 'java applet' that would reveal your private and your first public IP address in the anonymity checker. If an one man weekend software shop can do this, imagine what larger software shops, the software shops that put together your web browser or government agencies can do.

Unfortunately many incompetent or devious folks are in the business of talking privacy or selling privacy. If you are concerned about your privacy you should take the matter in your hands and not leave it to me or anyone else. Use a common up-to-date browser put together by someone you 'trust' that does not stick out and use a combination of privacy tools like Tor or some sort of VPN which is used by many users and not just you.

A VPN, a proxy or an intermediate 'dark net' like Tor or I2P may harm your system or compromise even more your privacy if it is misused by you or purposely configured by its operators to do so.

Combine and alternate privacy tools and test settings and tools in many ways. An easy privacy test is the ipduh anonymity checker.























Just the Privacy and Security part



















added the MAC address to vendor tool to apropos



A while ago I put together a little tool
that maps EUI-48 and EUI-64 Media Access Control ( MAC ) addresses to Vendors
eg 00:00:0C:DE:FE:DC



I just added it to apropos
and it works with : and - delimiters
eg 00:00:08:02:11:B0 or 00:00:08:02:11:a0



MAC to Vendor from apropos

ipduh privacy and the https search fix





If apropos gets a query not related to inter-networking technology stuff like ip , dns , etc
sends it to a custom google

The ipduh custom google search is using google APIs and javascript pulled from google.
By mistake the google javascript URI was using always HTTP even when someone was using ipduh over HTTPS --my bad. I am sorry.

Due to my mistake, javascript run by your browser and some ipduh queries were traveling the internets in plaintext even when you were visiting ipduh over HTTPS. My mistake is fixed now and the google javascript is being always downloaded from a TLS encrypted URL.

If you are concerned about your privacy you should at least visit ipduh over HTTPS.
It is safe to trust and install the ipduh Certificate Authority if you trust me. I am certainly less evil and more skilled than many managers of CAs installed in your browser or your OS by default.

However,there is not an established trust path to ipduh and someone in between you and an ipduh server may serve you another ipduh server cerificate or CA certificate the very first time.

If you want to be sure that you installed the original ipduh CA certificate verify the certificate's fingerprint at https://github.com/ipduh/ipduhca.
My github CA repository provides only a way to verify the certificate fingerprint through an established trust path and has nothing to do with my TLS.

Provided that you trust me and that you installed the original ipduh server certificate or CA certificate in your browser, the authentication of ipduh and the encryption between ipduh and you is the same with the authentication and encryption provided by keys signed by Certificate Authorities like Comodo, Thawte etc.
Authenticating the ipduh servers is just a little tougher the very first time.

Many computer users think that by installing and using this or the other browser plugin they will protect their privacy --which is false.
Every time you install a browser-plugin you run yet more brilliant xor stupid and good xor evil code that expands the attack surface on your system and your privacy and adds features or bugs or backdoors.
Actually, privacy-wise disabling javascript is OK, installing random plugins that run tones of "obfuscated" javascript or compiled closed code that you have no clue of what it really does in your browser is usually not.
Also, every time that you do not look like an average human using an average system you stick out and many of your plugins are visible if you are running javascript.

You may disable cookies and even javascript for ipduh. This way you will evade some of the ipduh analytics and the google ads and still get a somewhat usable site. ( ipduh analytics have absolutely nothing to do with google analytics )
I do my best to provide a service that does not depend on javascript and I tried from the beginning to accommodate scripts and automated tools provided they do not abuse my service.

At least in Mozilla based browsers you do not need special browser plugins in order to disable cookies or javascript. Try it out. You will soon realize that most of the web is broken.

Plugins like flash, java, quicktime, itunes, silverlight, adobe reader, windows media player may be more dangerous than javascript plugins.

When it comes to modern web browsers I consider Chrome and Mozilla based browsers put together by companies or groups I "trust" (Google,Mozilla,Debian) much more secure than Opera, Microsoft Internet Explorer and the rest. However, Chrome and Mozilla based browsers ( Firefox , Seamonkey , Iceweasel etc ) are ridiculously complex pieces of software used by millions if not billions of humans. There you have both opportunity and motivation for profit, control, power. Hence, all modern browsers are insecure. Put together a basic text HTTP(s) client if you are really paranoid.

Certain three letter agencies may have exploits or backdoors that compromise your browser and your privacy ( accessing your system ,even gaining administrator privileges, and certainly seeing 'your' first public IP address ) even if you do not run javascript or plugins.

Back to logging at ipduh.
Most ipduh usage analytics are based on connection logs from layer 3 up to HTTP(S). I am not using google analytics or any other third party web analytics service.
( I am using google analytics at alog though :) )
At ipduh I am the only one who looks at logs and only when something bad happens.

Many incompetent or devious folks are in the business of talking privacy or selling privacy. If you are concerned about your privacy you should take the matter in your hands and not leave to me or anyone else. Use a common up-to-date browser put together by someone you 'trust' that does not stick out and use a combination of privacy tools like Tor or some sort of VPN which is used by many users and not just you.

A VPN, a proxy or an intermediate 'dark net' like Tor or I2P may harm your system or compromise even more your privacy if it is misused by you or purposely configured by its operators to do so.

Combine and alternate privacy tools and test settings and tools in many ways. An easy privacy test is the ipduh anonymity checker.







ipduh https search fix and privacy stuff ...







Greek ISPs Caching DNS









A list with DNS servers provided by the Greek Internet Service Providers.

sl.ipduh.com/gr-isp-dns

gr-isp-dns (the actual ipduh-list URI)



Most caching name servers operated by Greek ISPs answer only to DNS queries coming from their own networks. You will need to use Public DNS Caches or your own recursive-resolver if you need caching DNS that works everywhere.











Nameservers-DNS for Greek ISPs

samba ... mount windows shares from windows

mount windows shares on windows
net use \\192.168.1.2\share password /USER:sambauser







simple git backup server

Simple git Backup Server Notes

Server

Install git on the server
# apt-get install git-core


Create a 'bare' repository on the storage server
$ cd ~
$ mkdir test
$ git init --bare test
Bare are repositories without a working directory, suitable for storage.

Workstation

Generate public and private key pair and copy the public key to the server
$ ssh-keygen -t rsa
$ ssh-copy-id user@server


Create a local repository and push it to the storage server
$ mkdir test
$ cd test
$ echo hi > test.txt
$ git init
$ git add test.txt
$ git commit -m 'first-commit-message'
$ git remote add origin ssh://user@server:/home/user/test
$ git push origin master








Simple git backup Server



bif

bif is a basic iptables firewall setter script



Installation
# git clone https://github.com/ipduh/bif.git
# cd bif/ && chmod 755 install.sh && ./install.sh


Configuration
Edit /etc/bif
Most likely, you will have to adjust WHITE_LIST, BAD_IP_URL and OPEN_INBOUND_TCP

Initialization
# /etc/bif














bif



winbox debian 64b jessie

Install winbox on a
# uname -a
Linux some-desktop 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24) x86_64 GNU/Linux
# cat /etc/debian_version 
8.1


Uninstall wine and remove it's configuration directory
# apt-get remove wine --purge
# rm -r ~/.wine


Install wine32
# apt-get install wine32


Run winbox
$ wine winbox.exe




Install winbox on debian jessie

debian add printer

Add an IP printer in debian

Install the Common UNIX Printing System --PPD/driver support, web interface, and the client programs
# apt-get install cups cups-client


Use a web-browser to go to http://localhost:631/
and then,
Adding Printers and Classes -> Add Printer
--you may use the root account credentials or add a user to lpadmin.

There is a good chance that you will not see the appropriate PDD there.

For HP printers you may use hplip, go to http://hplipopensource.com/hplip-web/supported_devices/index.html and select the printer model e.g. http://hplipopensource.com/hplip-web/models/officejet/hp_officejet_pro_8610.html for office jet pro 8610.



Download hplip and run it, the automatic installation worked for me in debian jessie



debian add printer



wpa debian

Notes on connecting to an 802.11X/WPA AP with wpa_cli

enable interface
# ifconfig wlan0 up


scan
# iwlist wlan0 scan
or

# iwlist wlan0 scan |egrep -i "ssid|signal|frequency|authenti"
to see just ESSID , Signal Strength , Quality, Frequency and Authentication suites for each cell

Interactive configuration of wpa_supplicant with wpa_cli
# echo "ctrl_interface=/run/wpa_supplicant" >> /etc/wpa_supplicant/t.conf
# echo "update_config=1" >> /etc/wpa_supplicant/t.conf
# wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/t.conf


Associate/Authenticate with the "thESSID" ssid
# wpa_cli
>scan
> scan_results
> add_network
0
> set_network 0 ssid "thESSID"
OK
> set_network 0 psk "thePASSWD"
OK
> enable network 0
OK
> save_config
OK
> quit


and then request an IP address from the DHCP server or set one manually
# ifconfig wlan0 192.168.168.13/24




wpa_cli debian

unmount all samba filesystems

Unmount all cifs ( samba ) shares.
# umount -a -t cifs -l






unount samba shares



GLBer

GLBer Notes



GLBer Creates the RouterOS configuration commands and a RouterOS script for the g0 Load BalanER aka GLBer. Then the Mikrotik RouterOS Router with the multiple point-to-point or point-to-multipoint uplinks balances the traffic among all uplinks without using source based policy routing.



You need to copy the configuration commands and the RouterOS script that GLBer produces from a host that has bash to the RouterOS router e.g. from a bash shell in a Terminal to a winbox terminal in the RouterOS.



RouterOS flushes the routing table every 10 minutes and then there is a good chance to reset the masqueraded connections. The RouterOS script created by GLBer runs every 10 minutes and resets the equal cost multipath route raising more the chance for the masqueraded connections to reset in a 10 minutes period.



Install GLBer
# wget https://raw.githubusercontent.com/ipduh/glber/master/glber -O /usr/bin/glber && chmod 755 /usr/bin/glber




Create the RouterOS GLBer Configuration For 3 point-to-point uplinks
$ glber 

GLBer, g0 2014
Quick How-To: http://sl.ipduh.com/glber

Enter gateways: alfa beta gama
Enter interfaces: 

If all the uplink interfaces are point-to-point just enter their names when asked for gateways and just hit enter when glber asks you for interfaces.



Create the RouterOS GLBer configuration for 4 point-to-point uplinks and an uplink available in the LAN through the router's eth5 interface.
$ glber 

GLBer, g0 2014
Quick How-To: http://sl.ipduh.com/glber

Enter gateways: 10.21.241.101 alfa beta gama delta
Enter interfaces: eth5 alfa beta gama delta





GLBer logs all runs in ~/glber/UTC-UNIX-EPOCH.log

To Clean a RouterOS from the GLBer configuration find the UTC-UNIX-EPOCH in the RouterOS created by GLBer e.g. for the epoch 1420624338 you would run
$ glber file ~/glber/1420624338.log
and run the GLBer RouterOS commands under
###RouterOS commands to remove the GLBer configuration###
in the RouterOS terminal.











old glber



glber

Virtualbox or VMware vmdk to KVM qcow2

Migrate Virtualbox or VMware guest (on vmdk) to KVM




See disk image information.
# qemu-img info lwa-flat.vmdk 
image: lwa-flat.vmdk
file format: raw
virtual size: 50G (53687091200 bytes)
disk size: 50G




Convert the vmdk image to a qcow2 image.
# qemu-img convert -O qcow2 lwa-flat.vmdk lwa-flat.qcow2




Create a guest definition and start guest.
# virt-install --connect qemu:///system --import -n lwa \
--vcpus=1 --ram=2048 \
--disk path=/home/vm/fromvbox/lwa-flat.qcow2,device=disk,format=qcow2 \
--vnc --noautoconsole --os-type linux --description lwa \
--network=bridge:b0 --hvm




Migrate VMware or Virtualbox vmdk to KVM qcow2



wpa_passphrase linux

Associate with 802.11X/WPA cell with wpa_passphrase in linux

# wpa_passphrase 
usage: wpa_passphrase  [passphrase]

If passphrase is left out, it will be read from stdin


# wpa_passphrase thESSID passphrase
network={
 ssid="thESSID"
 #psk="passphrase"
 psk=a104b1103fd32169a27080273828e77120234f9e113a5f15ff37e17729a0c266
}


to asscociate with the thESSID
# wpa_supplicant -B -i wlan0 -c <(wpa_passphrase thESSID passphrase)
or
# echo "update_config=1" > /etc/wpa_supplicant/thESSID.conf
# echo "fast_reauth=1" >> /etc/wpa_supplicant/thESSID.conf
# echo "ap_scan=1" >> /etc/wpa_supplicant/thESSID.conf
# wpa_passphrase thESSID passphrase > /etc/wpa_supplicant/thESSID.conf
# wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/thESSID.conf




wpa_passphrase debian voyage

convert qcow2 ( kvm ) images to vdi ( virtual box )

Convert qcow2 ( kvm ) images to vdi ( virtual box )

You will need at least qemu-utils
# apt-get install qemu-utils


Check the qcow2 image
# qemu-img info apollo.qcow2 
image: apollo.qcow2
file format: raw
virtual size: 50G (53687091200 bytes)
disk size: 50G


Convert the qcow2 image to vdi
# qemu-img convert -O vdi apollo.qcow2 apollo.vdi








convert qcow2 kvm images to vdi virtualbox images

ipduh v3

Finally! done "upgrading" ipduh to v3 ...


Some of the most noticeable changes-improvements are:










ipduh v3



dovecot imap over ssl in debian notes

IMAP over SSL with dovecot in debian

Install the Dovecot IMAP deamon
# apt-get install dovecot-imapd


For a quick (& perhaps sloppy) debian setup just append the following to /etc/dovecot/dovecot.conf
listen = 192.0.2.1
syslog_facility = mail
mail_location = maildir:~/Maildir
ssl = yes
ssl_cert = </etc/ssl/certs/imap.signed.crt
ssl_key = </etc/ssl/private/imap.private.pem
ssl_verify_client_cert = no
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
}
auth_mechanisms = plain login


The IMAP daemon listens at 192.0.2.1
and Maildir mailboxes are used by the Mail system.
The imap_client_workarounds definition is used to work around Thunderbird peculiarities and the auth_mechanisms definition to add login --work around Outlook pecularities.

For a cleaner configuration file you may do the following.
# cd /etc/dovecot
# stor dovecot.conf
# doveconf -n > dovecot.conf


Restart the imap daemon
# /etc/init.d/dovecot restart


However, it seems like it speaks up to SSLv3 and not TLS at all.



dovecot SSL IMAP



Trust the ipduh CA certificate in debian





Trust the ipduh CA certificate in debian.
# wget https://raw.githubusercontent.com/ipduh/ipduhca/master/ipduhca.crt -O /usr/local/share/ca-certificates/ipduhca.crt
# update-ca-certificates




Trust the ipduh CA