ipduh v3

Finally! done "upgrading" ipduh to v3 ...


Some of the most noticeable changes and improvements are:

dovecot imap over ssl in debian notes

IMAP over SSL with dovecot in debian

Install the Dovecot IMAP daemon
# apt-get install dovecot-imapd


For a quick (& perhaps sloppy) debian setup just append the following to /etc/dovecot/dovecot.conf
listen = 192.0.2.1
syslog_facility = mail
mail_location = maildir:~/Maildir
ssl = yes
ssl_cert = </etc/ssl/certs/imap.signed.crt
ssl_key = </etc/ssl/private/imap.private.pem
ssl_verify_client_cert = no
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
}
auth_mechanisms = plain login


The IMAP daemon listens at 192.0.2.1 and Maildir mailboxes are used by the mail system.
The imap_client_workarounds setting works around Thunderbird peculiarities, and adding login to auth_mechanisms works around Outlook peculiarities.

For a cleaner configuration file you may do the following.
# cd /etc/dovecot
# stor dovecot.conf
# doveconf -n > dovecot.conf


Restart the imap daemon
# /etc/init.d/dovecot restart


However, it seems like it speaks up to SSLv3 and not TLS at all.
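A small audit of the fragment appended above, added here and not part of the original notes: it parses Dovecot's `key = value` lines and flags the TLS-related gaps, including the missing protocol pinning that explains the SSLv3 observation. It assumes the Dovecot 2.1/2.2 setting name `ssl_protocols` (or `ssl_min_protocol` on 2.3+); the sample text is the fragment from the notes.

```python
"""Audit a Dovecot config fragment for its TLS-related settings.
Added example, not from the original notes."""

# Constructed sample: the fragment appended to dovecot.conf above.
SAMPLE = """\
listen = 192.0.2.1
syslog_facility = mail
mail_location = maildir:~/Maildir
ssl = yes
ssl_cert = </etc/ssl/certs/imap.signed.crt
ssl_key = </etc/ssl/private/imap.private.pem
ssl_verify_client_cert = no
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
}
auth_mechanisms = plain login
"""


def parse_dovecot(text):
    """Return {key: value} for top-level 'key = value' lines; lines inside
    { } blocks are skipped (the block above carries no TLS settings)."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def sslv3_allowed(settings):
    """True unless the config rules SSLv3 out. ssl_min_protocol (2.3+) wins;
    ssl_protocols (2.1/2.2) is either an allow list or a list of !exclusions;
    an unset value leaves the choice to the build's default."""
    if "ssl_min_protocol" in settings:
        return settings["ssl_min_protocol"] == "SSLv3"
    entries = settings.get("ssl_protocols", "").split()
    allowed = [e for e in entries if not e.startswith("!")]
    if allowed:
        return "SSLv3" in allowed
    return "!SSLv3" not in entries


def audit(settings):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    if settings.get("ssl", "no") not in ("yes", "required"):
        findings.append("ssl is not enabled")
    for key in ("ssl_cert", "ssl_key"):
        if not settings.get(key, "").startswith("<"):
            findings.append(f"{key} missing or not a file reference (<path)")
    # Dovecot's default disable_plaintext_auth=yes confines PLAIN/LOGIN to TLS
    # (or localhost); only an explicit 'no' without ssl=required is a problem.
    mechs = set(settings.get("auth_mechanisms", "").split())
    if (mechs & {"plain", "login"} and settings.get("ssl") != "required"
            and settings.get("disable_plaintext_auth", "yes") == "no"):
        findings.append("PLAIN/LOGIN allowed without TLS (disable_plaintext_auth = no)")
    if sslv3_allowed(settings):
        findings.append("SSLv3 not ruled out: set ssl_protocols = !SSLv2 !SSLv3 "
                        "(Dovecot 2.1/2.2) or ssl_min_protocol (2.3+)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dovecot(SAMPLE)):
        print("WARN:", finding)
```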

Trust the ipduh CA certificate in debian

Trust the ipduh CA certificate in debian.
# wget https://raw.githubusercontent.com/ipduh/ipduhca/master/ipduhca.crt -O /usr/local/share/ca-certificates/ipduhca.crt
# update-ca-certificates

clone a KVM guest

"Clone" a KVM debian guest notes.

Shut down or suspend the guest (democritos) before cloning it.

Create a clone of the host democritos.
# virt-clone -o democritos -n thales -f /home/vm/thales.qcow2 -d
...
Clone 'thales' created successfully.
...
The clone disk is at /home/vm/thales.qcow2

This is good enough if we just need a clone with a different MAC Address and a different UUID. However, if we need a host that can work simultaneously with the original host we (most likely) need a bit more variation.

Log in to the clone or mount its image to change the hostname, IP address(es), etc.

Change Hostname.
# cd /etc
# grep -ril `hostname -f` |tee hostname.file.list
apache2/sites-available/000.dup.ipduh.awmn.conf
postfix/main.cf
hostname
hosts
mailname
ssh/ssh_host_ecdsa_key.pub
ssh/ssh_host_rsa_key.pub
ssh/ssh_host_dsa_key.pub
aliases.db
# perl -i.0 -p -e 's/demokritos/thales/g;' `cat hostname.file.list`

Change IP address.
# grep -ril '192.0.2.61' /etc |tee ip.file.list
/etc/network/interfaces
/etc/hosts
# perl -i.old_ip -p -e 's/192.0.2.61/192.0.2.62/g;' `cat ip.file.list`

Reboot the clone.
# shutdown -r now

Log in to thales (the cloned system).

Create a new RSA SSH host key.
# ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
Generating public/private rsa key pair.
/etc/ssh/ssh_host_rsa_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
a6:fc:76:OF:F1:33:7C:04:77:07:ce:5a:cf:23:48:3a root@thales
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|             .   |
|            . .  |
|        S  . ----|
|     . o   .=  o.|
|      +   o..o..=|
|       ..E....o++|
|       ....  o=++|
+-----------------+

Overwrite the DSA SSH key with a new one.
# ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa

Overwrite the ECDSA SSH key with a new one, using the largest key size allowed.
# ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa -b 521

In a debian based system you may use dpkg-reconfigure to replace the SSH host keys; note that the openssh-server postinst only generates keys that are missing, so delete the old ones first.
# dpkg-reconfigure openssh-server

move kvm guest notes

Move (not live migration) a KVM VM from a host B to a host C.

Assuming that the guest VM is bridged and that both KVM hosts are in the same ethernet segment.

Shut down the guest VM.

Copy guest VM image from host B to host C.
b# scp /vm/vm2.qcow2 root@c:/vm


Dump XML definition and copy it to the destination host.
b# virsh dumpxml vm2 > vm2.xml
b# scp vm2.xml root@c:/etc/libvirt/qemu


On host C (the destination host) define the guest from the XML definition.
c# virsh define /etc/libvirt/qemu/vm2.xml
Domain vm2 defined from /etc/libvirt/qemu/vm2.xml


Start VM guest on the destination system.
c# virsh start vm2
Domain vm2 started


Disable autostart for the VM guest in B (the original host).
b# virsh autostart vm2 --disable
Domain vm2 unmarked as autostarted


Enable autostart for the moved VM guest in C (the destination host).
c# virsh autostart vm2
Domain vm2 marked as autostarted


install debian-packaged awstats

Notes on installing and using debian-packaged AWStats to analyze Apache logs.

Install debian packaged awstats (now v7.0).
# apt-get install awstats

I would use the following setup in apache2 installations with site(s) or virtual host(s) that belong to the same person or organization, and I would NOT use it in a shared hosting environment.

Get the apache configuration file.
# wget https://raw.githubusercontent.com/ipduh/apache2_awstats_conf/master/awstats.conf -O /etc/apache2/conf.d/awstats.conf


Restart Apache.
# /etc/init.d/apache2 restart

Enable ipduh_intel awstats plugin and disable PTR lookups.
# wget https://raw.githubusercontent.com/ipduh/apache2_awstats_conf/master/awstats.conf.local -O /etc/awstats/awstats.conf.local
IP addresses carry much more information than PTR names, and PTR names can be (and commonly are) manipulated.

Install the ipduh_intel awstats plugin.
# wget https://raw.githubusercontent.com/ipduh/awstats_plugins/master/ipduh_intel.pm -O /usr/share/awstats/plugins/ipduh_intel.pm

Create the apache password file and add the user 'user' with password 'userpass'. With -b the password is given on the command line, so it ends up in the shell history and is briefly visible in the process list; leave out -b to be prompted for it instead.
# htpasswd -cb /etc/awstats/A2Passwords user userpass
Add the user 'user2' with password 'user2pass' to the apache password file.
# htpasswd -b /etc/awstats/A2Passwords user2 user2pass

Create an awstats configuration file for each (virtual) host in /etc/awstats. The configuration files have the form awstats.host.conf, e.g. for a host named example.com the configuration file would be awstats.example.com.conf and could look like the following.
Include "/etc/awstats/awstats.conf"
SiteDomain="example.com"
HostAliases="www.example.com"
DirData="/logs/sites/example.com/awstats"
LogFile="/logs/sites/example.com/access_all"

Analyze the access logs of one host for the first time.
# cat /logs/sites/example.com/access/* >> /logs/sites/example.com/access_all
# /usr/lib/cgi-bin/awstats.pl --configdir=/etc/awstats/ -config=example.com

View the awstats analysis with a web browser at http://example.com/awstats/awstats.pl?config=example.com

Get rid of the debian package's cron job.
# rm /etc/cron.d/awstats

kismet server and drones

Kismet Drone(s) Setup -- Voyage Linux

Install prerequisites
# apt-get update
# apt-get install libpcap-dev
# apt-get install libnl-dev
# apt-get install pkg-config


Get kismet
# wget http://www.kismetwireless.net/code/kismet-2013-03-R1b.tar.xz


Create the kismet user
# mkdir /var/log/kismet
# adduser kismet --home /var/log/kismet


Compile kismet
# tar xf kismet-2013-03-R1b.tar.xz 
# cd kismet-2013-03-R1b/
# ./configure --disable-client
# make dep
# make


Install kismet and kismet_drone
# make suidinstall
# usermod -a -G kismet kismet


Configure kismet_drone (the Kismet Server is at 10.0.0.225/24)
# grep \#g0 kismet_drone.conf |sed -e s/\#g0//
servername=drone4
dronelisten=tcp://0.0.0.0:2502 
allowedhosts=127.0.0.1,10.0.0.0/255.255.255.0 
gps=false 
ncsource=wlan0 
This is what I changed in the default kismet_drone.conf file.

Drone Test Run

# su - kismet -c "/root/kismet-2013-03-R1b/kismet_drone -f /root/kismet-2013-03-R1b/conf/kismet_drone.conf"
or
# /root/kismet-2013-03-R1b/kismet_drone --daemonize -f /root/kismet-2013-03-R1b/conf/kismet_drone.conf


Kismet Server --Collector and Client --Debian
# apt-get install kismet


To add drones to the Kismet sources in /etc/kismet/kismet.conf you may use the following syntax
 ncsource=drone:host=10.0.0.3,port=2502,name=dr0ne3
 ncsource=drone:host=10.0.0.4,port=2502,name=dr0ne4



Kismet collector,server and client test run
# kismet

BGP as IGP with next-hop-self RR vs Fully Connected Mesh

A comparison of BGP as iGP with next-hop-self in a fully connected mesh vs BGP as iGP with next-hop-self with two Route Reflectors.

This is an effort to figure out the better of the two setups in terms of configuration and maintenance cost; it was inspired by a quest in the AWMN mailing list to find the best setup for AWMN nodes with many routers.

(AWMN is a wireless BGP internet where each wireless node has an Autonomous System Number and 1 to 15 routers with wireless interfaces. The routing within each node is done with static routes, some iGP --usually OSPF-- or iBGP with next-hop-self.)

I assume that:

The maintenance cost is equal to the number of iBGP sessions --the number of connections in the mesh.

The total configuration cost is equal to the number of (neighbor) configuration stanzas for all iBGP connections.

The cost of adding a router is equal to the number of (neighbor) iBGP configuration stanzas needed in all the nodes in the mesh.

Get a little program that prints tables of maintenance and configuration costs for both setups.
$ wget https://raw.githubusercontent.com/ipduh/fmvsrr/master/fmvsrr.pl && chmod 755 fmvsrr.pl


Print costs for 2 to 27 routers.
$ ./fmvsrr.pl 27
N    = Number of routers
Πfm  = Maintenance Cost in a Fully Connected Mesh
Πrr  = Maintenance Cost in a Two Route Reflectors Setup
Kfm  = Total Configuration Cost in a Fully Connected Mesh
Krr  = Total Configuration Cost in a Two Route Reflectors Setup
Nfm  = Cost of adding one router in a Fully Connected Mesh
Nrr  = Cost of adding one router in a Two Route Reflectors Setup

N=2   Πfm=2    Πrr=2+   Kfm=2    Krr=2+   Nfm=2    Nrr=2+
N=3   Πfm=3    Πrr=3+   Kfm=6    Krr=3+   Nfm=6    Nrr=3
N=4   Πfm=6    Πrr=6    Kfm=12   Krr=9    Nfm=6    Nrr=3
N=5   Πfm=10   Πrr=7    Kfm=20   Krr=11   Nfm=8    Nrr=3
N=6   Πfm=15   Πrr=8    Kfm=30   Krr=13   Nfm=10   Nrr=3
N=7   Πfm=21   Πrr=9    Kfm=42   Krr=15   Nfm=12   Nrr=3
N=8   Πfm=28   Πrr=10   Kfm=56   Krr=17   Nfm=14   Nrr=3
N=9   Πfm=36   Πrr=11   Kfm=72   Krr=19   Nfm=16   Nrr=3
N=10  Πfm=45   Πrr=12   Kfm=90   Krr=21   Nfm=18   Nrr=3
N=11  Πfm=55   Πrr=13   Kfm=110  Krr=23   Nfm=20   Nrr=3
N=12  Πfm=66   Πrr=14   Kfm=132  Krr=25   Nfm=22   Nrr=3
N=13  Πfm=78   Πrr=15   Kfm=156  Krr=27   Nfm=24   Nrr=3
N=14  Πfm=91   Πrr=16   Kfm=182  Krr=29   Nfm=26   Nrr=3
N=15  Πfm=105  Πrr=17   Kfm=210  Krr=31   Nfm=28   Nrr=3
N=16  Πfm=120  Πrr=18   Kfm=240  Krr=33   Nfm=30   Nrr=3
N=17  Πfm=136  Πrr=19   Kfm=272  Krr=35   Nfm=32   Nrr=3
N=18  Πfm=153  Πrr=20   Kfm=306  Krr=37   Nfm=34   Nrr=3
N=19  Πfm=171  Πrr=21   Kfm=342  Krr=39   Nfm=36   Nrr=3
N=20  Πfm=190  Πrr=22   Kfm=380  Krr=41   Nfm=38   Nrr=3
N=21  Πfm=210  Πrr=23   Kfm=420  Krr=43   Nfm=40   Nrr=3
N=22  Πfm=231  Πrr=24   Kfm=462  Krr=45   Nfm=42   Nrr=3
N=23  Πfm=253  Πrr=25   Kfm=506  Krr=47   Nfm=44   Nrr=3
N=24  Πfm=276  Πrr=26   Kfm=552  Krr=49   Nfm=46   Nrr=3
N=25  Πfm=300  Πrr=27   Kfm=600  Krr=51   Nfm=48   Nrr=3
N=26  Πfm=325  Πrr=28   Kfm=650  Krr=53   Nfm=50   Nrr=3
N=27  Πfm=351  Πrr=29   Kfm=702  Krr=55   Nfm=52   Nrr=3

When the full mesh topology is used in a node with 10 routers, the configuration and maintenance cost is ~4.5 times larger than in a two-route-reflectors setup, and the 11th router would cost me ~20 configuration stanzas and logging in to 11 routers, instead of ~3 stanzas in three routers ...

TSIG authenticated zone transfers in Bind

Notes on setting up secret key authenticated TSIG zone transfers in Bind 9.8.

Create a 128-bit HMAC-SHA256 key of type HOST to use as the shared secret.
# dnssec-keygen -a hmac-sha256 -b 128 -n HOST gemlocgem
Kgemlocgem.+163+12752


The previous command creates two files.
# ls Kgemlo*
Kgemlocgem.+163+12752.key  Kgemlocgem.+163+12752.private


The base64-encoded 128-bit secret we need is in both files.
# cat Kgemlocgem.+163+12752.key
gemlocgem. IN KEY 512 3 163 Wh47ever64iPdUhb9nd8hg==


Create a named.conf.keys file.
# cat named.conf.keys

key gemlocgem. {
  algorithm hmac-sha256;
  secret  "Wh47ever64iPdUhb9nd8hg==";
};

Make the key files and named.conf.keys unreadable by other users on this system.
# chmod 640 Kgemlocgem.+163+12752.*
# chmod 640 named.conf.keys
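A helper, added here and not part of the notes, that turns the .key line above into the named.conf.keys stanza and raises the two points a reviewer would check: the secret length against the HMAC hash output size (RFC 2104 recommends at least that much), and whether the file is world-readable. The sample KEY line is the placeholder one shown above.

```python
"""Build a named.conf.keys stanza from a dnssec-keygen .key line and
sanity-check it. Added example, not part of the original notes."""
import base64
import os
import stat

# KEY/DNSKEY algorithm numbers that dnssec-keygen uses for HMAC (TSIG) keys.
HMAC_ALGORITHMS = {157: "hmac-md5", 161: "hmac-sha1", 162: "hmac-sha224",
                   163: "hmac-sha256", 164: "hmac-sha384", 165: "hmac-sha512"}
# Hash output size in bits; RFC 2104 recommends a key at least this long.
HASH_BITS = {"hmac-md5": 128, "hmac-sha1": 160, "hmac-sha224": 224,
             "hmac-sha256": 256, "hmac-sha384": 384, "hmac-sha512": 512}

# The line shown above (its secret is a placeholder, not a real key).
SAMPLE_KEY_LINE = "gemlocgem. IN KEY 512 3 163 Wh47ever64iPdUhb9nd8hg=="


def parse_key_line(line):
    """Parse '<name> IN KEY <flags> <proto> <alg> <base64...>' from a .key file."""
    fields = line.split()
    if len(fields) < 7 or fields[1:3] != ["IN", "KEY"]:
        raise ValueError("not a KEY record: " + line)
    alg = int(fields[5])
    if alg not in HMAC_ALGORITHMS:
        raise ValueError(f"algorithm {alg} is not an HMAC algorithm")
    secret = "".join(fields[6:])            # base64 may be split by spaces
    raw = base64.b64decode(secret, validate=True)
    return {"name": fields[0], "algorithm": HMAC_ALGORITHMS[alg],
            "secret": secret, "bits": len(raw) * 8}


def key_stanza(key):
    """Render the stanza in the form used in named.conf.keys above."""
    return (f"key {key['name']} {{\n"
            f"  algorithm {key['algorithm']};\n"
            f"  secret \"{key['secret']}\";\n"
            "};\n")


def review_findings(key, path=None):
    """Findings a reviewer would raise: short secret, world-readable file."""
    out = []
    want = HASH_BITS[key["algorithm"]]
    if key["bits"] < want:
        out.append(f"secret is {key['bits']} bits, below the {want}-bit "
                   f"{key['algorithm']} output (dnssec-keygen -b {want})")
    if path is not None and os.stat(path).st_mode & stat.S_IROTH:
        out.append(f"{path} is world-readable; chmod 640 it as above")
    return out


if __name__ == "__main__":
    key = parse_key_line(SAMPLE_KEY_LINE)
    print(key_stanza(key))
    for finding in review_findings(key):
        print("WARN:", finding)
```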


Send named.conf.keys to the slave.
# toprod named.conf.keys


Include named.conf.keys and add a server-key stanza to the named.conf of the server at 192.0.2.111 (the stanza names its peer at 192.0.2.222).
# cat named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.external";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.keys";

server 192.0.2.222 {
  transfer-format many-answers;
  keys { gemlocgem.; };
};

One of the name servers ( e.g. the slave) is at 192.0.2.222 and the other name server at 192.0.2.111

The named.conf file in the other server.
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.external";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.keys";

server 192.0.2.111 {
  transfer-format many-answers;
  keys { gemlocgem.; };
};


Adjust the allow-transfer and allow-update directives in the options of both servers to require the TSIG key, e.g.
  allow-transfer { key gemlocgem. ; };
  allow-update { key gemlocgem. ; };
You may also use other allow-transfer directives that specify IP addresses.

The systems used.
# named -v
BIND 9.8.4-rpz2+rl005.12-P1
# cat /etc/issue /etc/debian_version 
Debian GNU/Linux 7 \n \l

7.7

Change hostname in debian

A better way to change the hostname in debian systems.

# hostname -f
geminus


Sanity-check the list of /etc/* files in which the hostname appears.
# cd /etc
# grep -ril `hostname -f` /etc |tee hostname.files.list
/etc/mailname
/etc/hostname
/etc/exim4/update-exim4.conf.conf
/etc/hosts
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_ecdsa_key.pub
The above list looks fine, but imagine what would happen if the hostname were eth or work: grep would match every file containing those strings.

Save each file that contains the hostname to file.0 and replace geminus (old hostname) with gem (new hostname).
# perl -i.0 -p -e 's/geminus/gem/g;' `cat ./hostname.files.list`
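The grep/perl pair above, and the same pair in the KVM clone notes, matches substrings, which is the eth/work problem the text warns about. Added example, not from the notes: a whole-word rename that keeps the .0 backups, leaves binary files such as aliases.db alone and reports what it touched, run over a constructed file tree mimicking /etc (the .pub keys still get regenerated as described in the clone notes).

```python
"""Whole-word hostname rename with .0 backups. Added example, not from
the notes; the file tree below is constructed to mimic /etc."""
import os
import re
import shutil
import tempfile


def rename_host(root, old, new, dry_run=False):
    """Rewrite whole-word occurrences of old with new in every text file
    under root. Returns {relative_path: substitutions}; unless dry_run,
    each changed file is first copied to <file>.0, as perl -i.0 does."""
    # \b stops 'eth' matching eth0 or ethernet but still matches eth.example.com
    pattern = re.compile(r"\b" + re.escape(old) + r"\b")
    changed = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".0"):           # earlier backups: never edit
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue                      # binary (aliases.db) or unreadable
            new_text, count = pattern.subn(new, text)
            if not count:
                continue
            changed[os.path.relpath(path, root)] = count
            if not dry_run:
                shutil.copy2(path, path + ".0")
                with open(path, "w", encoding="utf-8") as fh:
                    fh.write(new_text)
    return changed


def demo():
    """Constructed tree: hostname 'eth' next to interface names eth0."""
    root = tempfile.mkdtemp()
    samples = {
        "hostname": "eth\n",
        "hosts": "127.0.0.1 localhost\n192.0.2.61 eth.example.com eth\n",
        "network/interfaces": "auto eth0\niface eth0 inet static\n",
        "ssh/ssh_host_rsa_key.pub": "ssh-rsa AAAA root@eth\n",
        "aliases.db": b"\x00\xff\xfeeth\x00",   # not valid UTF-8: skipped
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body if isinstance(body, bytes) else body.encode())
    try:
        result = rename_host(root, "eth", "gem")
        with open(os.path.join(root, "hosts")) as fh:
            hosts = fh.read()
        with open(os.path.join(root, "network/interfaces")) as fh:
            interfaces = fh.read()
    finally:
        shutil.rmtree(root)
    return result, hosts, interfaces


if __name__ == "__main__":
    print(demo())
```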


Restart services (ssh and exim in this case) or better reboot the system if you can afford it.
# reboot

LXC container start at boot

Start a Linux Container at boot time

See the containers' status.
# lxc-list
RUNNING

FROZEN

STOPPED
  squeezie

Link the container's config file to /etc/lxc/auto so it starts at boot time.
# ln -s /var/lib/lxc/squeezie/config /etc/lxc/auto/squeezie
squeezie is the name of the container.

Test if you can afford to reboot the host.
# reboot


...

# lxc-list 
RUNNING
  squeezie (auto)

FROZEN

STOPPED

change container root password from the host

Change a container's root password (that you forgot) from the host.

I think that the easiest way is to run passwd chrooted to the container's root.

e.g. for the squeezie container created by the squeeze template
# chroot /var/lib/lxc/squeezie/rootfs/ passwd
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

debian - gnome - disable log out lock screen etc

Disable automatic log-out / screen lock on debian gnome desktops ...

A bad idea for your workstation and an even worse one for your laptop, but a friend desperately wants it and could not figure it out.

Check which keys are set to true in the relevant section of the 'registry'.
$ dconf list /org/gnome/desktop/lockdown

Set disable-lock-screen and disable-log-out to true
$ dconf-editor
and check /org/gnome/desktop/lockdown/disable-lock-screen and /org/gnome/desktop/lockdown/disable-log-out

( dconf write /org/gnome/desktop/lockdown/x false|0|... does not work the way I expected it to work )

> System Settings > Brightness And Lock > Lock > OFF

virtualbox debian guest with tiny screen

To 'fix' display issues of a virtualbox debian(6) guest with a tiny, unusable screen
...
ssh into the guest and
# apt-get install virtualbox-ose-dkms
# reboot

mp3 tags - id3v2

Install id3v2 --A command line id3v2 tag editor
# apt-get install id3v2


$ id3v2 -l Thievery\ Corporation\ 2hr\ mix.mp3
id3v2 tag info for Thievery Corporation 2hr mix.mp3:
COMM (Comments): (simpleyoutubeconverter.com)[eng]: Downloaded from simpleyoutubeconverter.comn
TIT2 (Title/songname/content description): Thievery Corporation 2hr mix
Thievery Corporation 2hr mix.mp3: No ID3v1 tag


$ id3v2 -d Thievery\ Corporation\ 2hr\ mix.mp3
Stripping id3 tag in "Thievery Corporation 2hr mix.mp3"...id3v2 stripped.


$ id3v2 -s Thievery\ Corporation\ 2hr\ mix.mp3
Stripping id3 tag in "Thievery Corporation 2hr mix.mp3"...id3v1 stripped.


$ id3v2 -l Thievery\ Corporation\ 2hr\ mix.mp3
Thievery Corporation 2hr mix.mp3: No ID3 tag


$ id3v2 -a "Thievery Corporation" Thievery\ Corporation\ 2hr\ mix.mp3
$ id3v2 -c "two hour mix" Thievery\ Corporation\ 2hr\ mix.mp3
$ id3v2 -g "(27)" Thievery\ Corporation\ 2hr\ mix.mp3
$ id3v2 -l Thievery\ Corporation\ 2hr\ mix.mp3
id3v1 tag info for Thievery Corporation 2hr mix.mp3:
Title  :                                 Artist: Thievery Corporation
Album  :                                 Year:     , Genre: Trip-Hop (27)
Comment: two hour mix                    Track: 0
id3v2 tag info for Thievery Corporation 2hr mix.mp3:
TPE1 (Lead performer(s)/Soloist(s)): Thievery Corporation
COMM (Comments): ()[]: two hour mix
COMM (Comments): (ID3v1 Comment)[XXX]: two hour mix
TCON (Content type): Trip-Hop (27)


ID3v1 Genre List
  0. Blues
  1. Classic Rock
  2. Country
  3. Dance
  4. Disco
  5. Funk
  6. Grunge
  7. Hip-Hop
  8. Jazz
  9. Metal
 10. New Age
 11. Oldies
 12. Other
 13. Pop
 14. R&B
 15. Rap
 16. Reggae
 17. Rock
 18. Techno
 19. Industrial
 20. Alternative
 21. Ska
 22. Death Metal
 23. Pranks
 24. Soundtrack
 25. Euro-Techno
 26. Ambient
 27. Trip-Hop
 28. Vocal
 29. Jazz+Funk
 30. Fusion
 31. Trance
 32. Classical
 33. Instrumental
 34. Acid
 35. House
 36. Game
 37. Sound Clip
 38. Gospel
 39. Noise
 40. AlternRock
 41. Bass
 42. Soul
 43. Punk
 44. Space
 45. Meditative
 46. Instrumental Pop
 47. Instrumental Rock
 48. Ethnic
 49. Gothic
 50. Darkwave
 51. Techno-Industrial
 52. Electronic
 53. Pop-Folk
 54. Eurodance
 55. Dream
 56. Southern Rock
 57. Comedy
 58. Cult
 59. Gangsta
 60. Top 40
 61. Christian Rap
 62. Pop/Funk
 63. Jungle
 64. Native American
 65. Cabaret
 66. New Wave
 67. Psychadelic
 68. Rave
 69. Showtunes
 70. Trailer
 71. Lo-Fi
 72. Tribal
 73. Acid Punk
 74. Acid Jazz
 75. Polka
 76. Retro
 77. Musical
 78. Rock & Roll
 79. Hard Rock
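An ID3v1/ID3v1.1 reader, added here and not part of the notes, for the 128-byte footer whose contents id3v2 -l prints above: it shows where the ID3v1.1 track number hides inside the comment field, checks the length before touching anything, and maps the genre byte (27 above) through a subset of the table instead of indexing a fixed array with an unchecked byte. The tag bytes are constructed to match the sample output.

```python
"""Parse the trailing ID3v1 / ID3v1.1 tag of an MP3 file.
Added example, not from the notes; the sample bytes are constructed."""
import struct

# Subset of the ID3v1 genre table listed above (the full table has 80 entries).
GENRES = {0: "Blues", 7: "Hip-Hop", 17: "Rock", 27: "Trip-Hop", 79: "Hard Rock"}


def _field(raw):
    """Fixed-width field: NUL-padded, Latin-1, trailing spaces stripped."""
    return raw.split(b"\x00", 1)[0].decode("latin-1").strip()


def parse_id3v1(data):
    """Return a dict for the last 128 bytes if they are an ID3v1 tag, else None."""
    if len(data) < 128 or data[-128:-125] != b"TAG":
        return None
    title, artist, album, year, comment, genre = struct.unpack(
        "3x30s30s30s4s30sB", data[-128:])
    track = 0
    # ID3v1.1: comment is 28 bytes, then a NUL, then the track number.
    if comment[28] == 0 and comment[29] != 0:
        track, comment = comment[29], comment[:28]
    return {"title": _field(title), "artist": _field(artist),
            "album": _field(album), "year": _field(year),
            "comment": _field(comment), "track": track, "genre_id": genre,
            # a byte past the table (e.g. 255 = none) must not raise
            "genre": GENRES.get(genre, f"Unknown ({genre})")}


def build_id3v1(title="", artist="", album="", year="", comment="",
                track=0, genre=255):
    """Constructed tag bytes for the sample (fields truncated, not validated)."""
    def pad(text, n):
        return text.encode("latin-1")[:n].ljust(n, b"\x00")
    tail = pad(comment, 28) + bytes([0, track]) if track else pad(comment, 30)
    return (b"TAG" + pad(title, 30) + pad(artist, 30) + pad(album, 30)
            + pad(year, 4) + tail + bytes([genre]))


# Constructed stand-in for the file above: a few fake frame headers plus the tag.
SAMPLE_MP3 = b"\xff\xfb\x90\x00" * 8 + build_id3v1(
    artist="Thievery Corporation", comment="two hour mix", genre=27)

if __name__ == "__main__":
    print(parse_id3v1(SAMPLE_MP3))
```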

rs232 to terminal emulator debian

Find out whether your RS232 adapter is detected and which serial port it is attached to.
$ lsusb |grep 23
Bus 003 Device 007: ID 067b:2303 Prolific Technology, Inc. PL2303 Serial Port
$ dmesg |grep tty |grep pl
[ 3881.178720] usb 3-1: pl2303 converter now attached to ttyUSB0


(Install) Start minicom
$ su
# apt-get install minicom
# minicom -s
a) to set Serial Device and so forth
...
and then Exit to apply configuration and start the terminal emulator
