Squoggle
Mac's tech blog
IPTables
Posted by on May 4, 2020
These are my notes on IP tables. Maybe at some point I may do a complete tutorial or How To but don’t hold your breath.
Chains:
There are typically 3 chains in a standard setup. They are:
INPUT FORWARD OUTPUT
Input is things coming into the server.
Forward are things that are forwarded by the server.
Output are things that are leaving the server.
Policies:
There is a default policy (rule) set up for each chain. CentOS somes standard with the default policy of ACCEPT for each of these chains. The command line to set the policy is like this:
# iptables -P INPUT ACCEPT
Pretty simple really. The -P is the flag to set the policy.
Flush:
The command that flushes the iptables is -F. This deletes the rules in the table.
# iptables -F
If changing rules from a remote host, the tutorial says to first put the INPUT policy to ACCEPT especially if you are going to flush the table. The flush command flushes everything except the default policy so if you have set it to ACCEPT then you won’t lock yourself out. Be sure to undo the ACCEPT on the INPUT policy or it will basically be wide open unless you have some other rule locking it down.
So the first two commands, accept on the input policy and flush on the table leave you with a pretty much blank rule set.
Saving:
It’s important to understand that the commands take effect immediately so if you do a wrong command you can lock yourself out. However they are not permanently stored until you save them with this:
# service iptables save
If you did lock yourself out then theoretically you could reboot the server before saving and it would revert back to whatever it was on the last save. I have not tested this yet but that is what I understand.
Showing:
You need to be able to see the results of your commands so you can show your tables like this:
iptables -L
This leaves a bit to be desired as it shows everything and may be too much information. This will show all Chains. If you just want to list one of the Chains you can do it like this:
# iptables -L [CHAIN]
For example:
# iptables -L INPUT
Even more useful is to list with Line Numbers. This is helpful if you want to insert a rule after a certain existing rule. That command looks like this:
# iptables -L --line-numbers
or
# iptables -L INPUT --line-numbers
Even better is using the -v or the verbose flag. That’s probably the best.
# iptables -L INPUT -v --line-numbers
Adding Rules:
Rules are added or deleted to the table by the -A or -D flag. The -A appends a rule and the -D deletes a rule. For example:
# iptables -A INPUT -i lo -j ACCEPT
This will allow everything to reach the lo interface. This is a good idea as programs running on the server interact with the lo interface.
By the way, the -i flag specifies an interface. The -j flag is the jump flag. In the above example if something comes in (INPUT) on the lo interface, then jump to ACCEPT.
It is also important to note that rules are put into the table in the order they are typed in using the -A (append) command. You need to be sure you do not give permissions to something and then take it away later. It is also a good idea to set the policies for INPUT and FORWARD to drop then specifically set up the exceptions to this with the rules.
Deleting Rules:
The -D flag can be used with line numbers and is useful to delete specific lines in your IPTables config. The Delete command is done like this:
# iptables -D INPUT 4
In other words, deleting from the INPUT chain rule number 4.
Inserting Rules:
Rules need to be in certain orders or you could cause problems. You can insert a rule to the table with this:
# iptables -I INPUT 3 -p tcp --dport 23 -j ACCEPT
This inserts at line 3 the rule to accept telnet in the INPUT chain.
IP Addresses:
You can also specify IP addresses in a rule. For example if I wanted to specify that I wanted to accept connections coming from a certain source IP address I would use something like this:
# iptables -A INPUT -s 192.168.0.4 -j ACCEPT
The -s means source IP.
You can also specify entire networks like this:
# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
Comments:
Comments can also be added. This is useful if you are putting the lines into a script or something. Everything after the “#” is ignored.
# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT # using standard slash notation
Mac Addresses:
You can also filter by mac addresses in a rule. Something like this:
# iptables -A INPUT -m mac --mac-source 00:26:B9:D1:D9:6B -j ACCEPT
Anything from the specified source mac address will be accepted by the above rule.
You can also add an IP address as well as a mac address for further filtering:
# iptables -A INPUT -s 192.168.0.4 -m mac --mac-source 00:50:8D:FD:E6:32 -j ACCEPT
The above will append the rule to the end of the chain. It is probably better to insert it somewhere like this:
# iptables -I INPUT 75 -s 192.168.0.4 -m mac --mac-source 00:50:8D:FD:E6:32 -j ACCEPT
Protocols & Ports:
To further refine you really need protocols and ports defined in a lot of the rules. Going back to this example:
# iptables -I INPUT 3 -p tcp --dport 23 -j ACCEPT
The -p means protocol, in this case TCP and the --dport means destination port, in this case port 23 or telnet.
To get more granular on the rules you will want to put them together. For ecample I want to accept on the INPUT chain connections coming from 192.168.0.0/24 and port 23 or telnet. The rule would look like this:
# -A INPUT -s 192.168.0.0/24 -p tcp --dport 23 -j ACCEPT
Drop & Reject:
The default configuration of IP Tables for CentOS is to have the INPUT, FORWARD & OUTPUT policies set to ACCEPT. This is probably not a good idea. Depending on your security posture it might be OK for your OUTPUT policy, unless you want to limit what goes out of your system. The way you solve this issue is to add some REJECT rules to the end of your configs. A REJECT rule looks something like this:
# iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited # iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
A REJECT will send a TCP Reject whereas a DROP simply drops the connection. Depending on your security posture a DROP might be a better decision.
States:
The State Match
The most useful match criterion is supplied by the `state’ extension, which interprets the connection-tracking analysis of the `ip_conntrack’ module. This is highly recommended.
Specifying `-m state’ allows an additional `–state’ option, which is a comma-separated list of states to match (the `!’ flag indicates not to match those states). These states are:
NEW: A packet which creates a new connection.
ESTABLISHED: A packet which belongs to an existing connection (i.e., a reply packet, or outgoing packet on a connection which has seen replies).
RELATED: A packet which is related to, but not part of, an existing connection, such as an ICMP error, or (with the FTP module inserted), a packet establishing an ftp data connection.
INVALID: A packet which could not be identified for some reason: this includes running out of memory and ICMP errors which don’t correspond to any known connection. Generally these packets should be dropped.
An example of this powerful match extension would be:
# iptables -A FORWARD -i ppp0 -m state ! --state NEW -j DROP
The default iptables configuration has the ESTABLISHED and RELATED states set to ACCEPT on the INPUT chain like this:
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Probably a good idea to keep that and put it first in the list. This will keep any connections going that have already been established. For example if you have an ssh connection going and you change the iptables for SSH and lock yourself out the connection will remain until you close the connection. This has saved me at least once but you could potentially keep bad connections going as well so use with care.
I have also seen that it is a good idea to use states with regular rules like this:
# iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
I don’t completely understand it myself. Things should work without it. I’ve just seen posts about it and think it is useful to mention here.
Another good thing to use might be the INVALID state. INVALID means a packet that could not be identified somehow. Just drop them:
# iptables -A INPUT -m state --state INVALID -j DROP # iptables -A FORWARD -m state --state INVALID -j DROP # iptables -A OUTPUT -m state --state INVALID -j DROP
Script:
Here’s a little script that sets up pretty much what I talked about on this page:
#!/bin/bash # iptables example configuration script # Flush all current rules from iptables iptables -F # Set default policies for INPUT, FORWARD and OUTPUT chains iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT # Drop invalid packets iptables -A INPUT -m state --state INVALID -j DROP iptables -A FORWARD -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state INVALID -j DROP # Accept packets belonging to established and related connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow private lan to ping iptables -A INPUT -s 192.168.0.0/24 -p icmp -j ACCEPT # Set access for localhost iptables -A INPUT -i lo -j ACCEPT # Allow private lan to ssh iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT # Save settings /sbin/service iptables save # List rules iptables -L -v --line-numbers
Validate a Certificate’s Chain
Posted by on April 30, 2020
You can validate a Certificate’s chain by extracting the Authority Key Identifier from the cert like this:
$ openssl x509 -text -in [cert-name].crt | grep -A 1 "Authority Key Identifier"
You should get a result similar to this:
X509v3 Authority Key Identifier: keyid:FC:8A:50:BA:9E:B9:25:5A:7B:55:85:4F:95:00:63:8F:E9:58:6B:43
This is the Key Identifier from the Intermediate Cert. This should match up with the “Subject Key Identifier” of the Intermediate Cert.
Get the “Subject Key Identifier” of the Intermediate Cert:
$ openssl x509 -text -in [intermediate-cert-name].crt | grep -A 1 "Subject Key Identifier"
You should get a result similar to this:
X509v3 Subject Key Identifier: FC:8A:50:BA:9E:B9:25:5A:7B:55:85:4F:95:00:63:8F:E9:58:6B:43
If the two identifiers match then you have the correct Intermediate Cert for the Cert.
You can now repeat the process with the Intermediate Cert and the root Cert and validate that the root cert you have is the one for the Intermediate.
The tr command
Posted by on April 1, 2020
The tr command:
It’s short for “translate” but might be easier to remember thinking of it as “truncate”. The man page has this to say about it:
DESCRIPTION
Translate, squeeze, and/or delete characters from standard input, writing to standard output.
There are probably books written on what tr can do. I’m just going to leave some notes here on how I typically use it.
The tr program reads from standard input and writes to standard output.
Convert multiple lines of text into a single line of text:
Consider a file named file containing the following data:
abcde fghij klmno pqrst uvwxy
You want to convert the multiple lines into a single line of text. You can do that using tr with something like this:
$ cat file | tr -d '\n'
The result of the command is written to standard output as:
abcdefghijklmnopqrstuvwxy
The -d option deletes. In this case we’re deleting the newline character.
Replace comma with newline:
Sometimes you need to convert a single delimited line to multiple lines. Consider the following file named file containing the following data:
abcde,fghij,klmno,pqrst,uvwxy
We can translate the comma in the file into a new line character with the following command:
$ cat file | tr ',' '\n'
The results look like this:
abcde fghij klmno pqrst uvwxy
Convert PEM certificate to PFX or P12
Posted by on February 14, 2020
How to convert a PEM certificate to PFX or P12 format.
The PFX or PKCS12 format is a binary format that stores a server certificate, any intermediate certificates, along with the private key into a single encrypted file. PFX files typically have the .pfx and .p12 extensions. PFX files are typically used on Windows machines and macOS machines to import and export certificates and private keys. Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores. The JKS format is Java’s standard “Java KeyStore” format, and is the format created by the keytool command-line utility. The PKCS12 format is an internet standard, and can be created with OpenSSL.
What you’ll need:
- You will need the private key that was used to create the public key and certificate.
- You will need the certificate in PEM format, typically with file extension of .crt, .pem or .cer.
- You will need Openssl.
Lets take a look at the Openssl command you would use to convert the PEM cert to PFX:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile chain.crt
Lets break down the different parts of the command to see what they do:
openssl – This starts the openssl software.
pkcs12 – This tells openssl to use PKCS#12 Data Management.
-export -out certificate.pfx – This tells openssl to export out a PFX file named certificate.pfx.
-inkey privateKey.key – This tells openssl to import the private key from a file named privateKey.key.
-in certificate.crt – This tells openssl to import the certificate from a file named certificate.crt.
-certfile chain.crt – This tells openssl to include any additional certificates contained in chain.crt you want to include in the PFX file. Typically this would be any Intermediate Certs that chain your cert to a root cert.
After you enter this command you will be prompted for a password that protects the PFX file. Without the password the PFX file is useless so do not forget it.
The end result of this command will be that you have a new file named certificate.pfx which contains your Private Key, the Certificate and any Intermediate certs you added as well, all wrapped into a binary format and protected by a password.
Mount OneDrive from Linux Mint
Posted by on December 5, 2019
How to Mount OneDrive from Linux Mint
Don’t install Rclone from the standard repository. That version is too old.
Install Rclone:
cd ~/Downloads wget https://downloads.rclone.org/rclone-current-linux-amd64.deb sudo apt install ./rclone-current-linux-amd64.deb
Run the Rclone wizard:
rclone config
Select n to create a new remote:
$ rclone config 2019/12/04 20:47:41 NOTICE: Config file "/home/mac/.config/rclone/rclone.conf" not found - using defaults No remotes found - make a new one n) New remote r) Rename remote c) Copy remote s) Set configuration password q) Quit config n/r/c/s/q>
Name is something meaningful like ‘onedrive’:
name> onedrive
Select 22 for Microsoft OneDrive:
22 / Microsoft OneDrive \ "onedrive"
You will be asked for a Microsoft App Client Id. Just hit Enter to accept the default and leave blank.
You will be asked for a Microsoft App Client Secret. Hit Enter to accept the default and leave blank.
You will be asked to edit advanced config. Type N
You will be asked to use auto config. Type y :
Use auto config? * Say Y if not sure * Say N if you are working on a remote or headless machine y) Yes n) No y/n> y
Your browser should open now and ask you to sign into OneDrive. Put in your email address. Hit next then your password and check the box to keep signed in then the sign in button.
At this point I seem to be locked out of OneDrive as my sign in did not work on this computer.
I tried again and instead of doing auto config I did N to not do auto config.
Use auto config? * Say Y if not sure * Say N if you are working on a remote or headless machine y) Yes n) No y/n> n For this to work, you will need rclone available on a machine that has a web browser available. Execute the following on your machine: rclone authorize "onedrive" Then paste the result below: result>
I did the above and got a very long “token” that I was able to copy and paste into this machine.
It then asked me to choose a number from below. I selected 1 for OneDrive
Then it said it found 2 drives. Not sure why. I selected drive 0
Then I was able to exit Rclone by typing q:
Current remotes: Name Type ==== ==== onedrive onedrive e) Edit existing remote n) New remote d) Delete remote r) Rename remote c) Copy remote s) Set configuration password q) Quit config e/n/d/r/c/s/q> q
Now create a new directory:
mkdir ~/OneDrive
Now mount OneDrive:
rclone --vfs-cache-mode writes mount onedrive: ~/OneDrive
This will appear to hang your session but you can stop it by doing CTRL C
Now to start at boot up you can open Startup Applications, and in Startup Applications click Add.
After clicking Add, use the following:
Name: Mount OneDrive Command: sh -c "rclone --vfs-cache-mode writes mount onedrive: ~/OneDrive"
Citrix Client on Linux Mint
Posted by on November 19, 2019
This is my document for attempting to install the Citrix Workspace App on Linux Mint.
Version of Mint is 18.3 Cinnamon 64-bit
Go to Citrix download site:
https://www.citrix.com/downloads/workspace-app/linux/workspace-app-for-linux-latest.html
Near the bottom of the page you will be presented with 3 versions:
- Full Packages (Self-Service Report)
- Web Packages (Web Workspace App Only)
- USB Support Packages
For this I’m going to get the Full Packages. I found the package for my version of Linux. (amd64.deb)
Download that to a directory on your PC then right click on the package and open with the GDebi Package Installer.
Install the package.
Open the URL of your Citrix Implementation and put in your credentials
Firefox DNS over HTTPS
Posted by on November 12, 2019
You can have all of your DNS queries that originate from Firefox go over HTTPS instead of a plain text query as would happen in a normal DNS query.
This only applies to Firefox. This is typically called DoH which stands for DNS over HTTPS.
Enable DoH:
Click the Menu button and then click Preferences
Click General on the left side of the screen then scroll down to the bottom of the screen and find Network Settings and click the Settings button.
Check the Enable DNS over HTTPS checkbox
Use the default provider Cloudflare. Then click OK
Your DNS queries that Firefox does will now be redirected to Cloudflare DNS servers and not your local or ISP DNS servers.
Exceptions:
There are certain web applications that don’t seem to work using DoH. They are somehow smart enough to know you are using DoH and don’t want you to. You can add exceptions to the rules to get around this. Make sure that the exceptions to the rules do not negate your reasons to do DoH in the first place.
To add exceptions:
Type about:config into the address bar of Firefox.
In the search bar type network.trr.excluded-domains to find the setting where you can add exclusions.
Double click the setting. You can now add comma separated domains to this list that will be excluded from doing DoH.
Make sure you remember that you have exceptions or you could get in some trouble.
Linux Mint 19.x
Posted by on November 1, 2019
Linux Mint 19.x
These are my notes on Linux Mint 19.x. If you find this and think it is useful, leave a comment and say what you like or don’t like. Keep in mind these are my own notes and are not intended to be a HowTo for the general public.
Install the OS from the USB Flash Drive. I chose to simply overwrite the existing version of Mint (19.1) that had already been installed on my laptop. I also chose to encrypt my home directory.
My first order of business is to make the native monitor and external monitor both set to the same resolution of 1920×1080 (16:9). The native laptop monitor supports a higher resolution of 2560×1440 but the screen is so small that it is very hard to see at that resolution so I’m standardizing both monitors at 1920×1080.
Get up and Running:
Here’s what I did to get up and running and customized the way I like it:
Update Everything:
-
- The first thing to do is open the Update Manager and update everything. The Update Manager is the little shield icon in the task bar down in the right hand corner. Open that up and click OK to dismiss the initial startup screen.
- You will be presented with a prompt to take a System Snapshot. I’m going to put this off until I have updated everything.
- You will see a message that a new version of Update Manager is available. Click the ‘Apply the Update’ button to install it.
- Once that is installed you will be presented with a list of updates that can be applied.
- Apply all the updates. It is a good idea to reboot after all the updates.
Video Drivers:
After I rebooted I got a pop up box that said to “Check your video drivers”. I launched the Driver Manager and entered my password. My software cache was updated. Then an NVIDIA Driver Manager opened up. It showed that the nouveau driver was installed, but the recommended driver was nvidia-driver-435 which I checked then “Apply Changes”. You will need to reboot after this.
System Reports:
Down in the bottom right corner of the desktop you may see a little triangular warning icon. This is the ‘System Reports’ application. Go ahead an open this up. You should see a list of detected problems that need to be addressed. Go ahead and resolve the issues. The last item in ‘System Reports’ is to configure the System Snapshot tool Timeshift. See the next section for this.
System Snapshot:
You will be asked to choose between RSYNC and BTRFS. Typically this is going to be RSYNC.
A blurb about BTRFS.
- First you have to have had installed the base OS with BTRFS file system for this to even be an option. In my case I did not want to use the BTRFS file system.
- Second the snapshot can only be installed on the same disk from which they are created. If your drive goes bad you’re screwed. Choose RSYNC.
A blurb about RSYNC:
- RSYNC snapshots are created by creating copies of system files using rsync and hard-linking unchanged files from previous versions.
- All files are copied when the first snapshot is created. Subsequent snapshots are incremental.
- Snapshots can be saved to any disk formatted with a Linux File system which means the snapshot can be external. In my case an attached USB memory stick.
I’m using a USB 3.0 Flash Stick.
When you run the setup wizard you will be asked to select your snapshot levels. I checked off Monthly, Weekly, Daily, Hourly & Boot and kept the default keep levels on each one.
I also included root and my user’s home directories and selected “Include All”.
Sudoers:
Edit the /etc/sudoers file so you don’t have to put your password in each time:
$ sudo visudo
There’s a line that looks like this:
%sudo ALL=(ALL:ALL) ALL
Comment out that line and replace it with a line that looks like this:
%sudo ALL=(ALL) NOPASSWD: ALL
Install openssh server:
Install SSH Server so you can ssh to the host:
$ sudo apt install openssh-server -y
Test ssh to the new host. You may during this process encounter an error regarding an “Offending ECDSA key in ~/.ssh/known_hosts”. This is easily resolved by deleting the referenced line in ~/.ssh/known_hosts.
SSH Keys:
Now that you can ssh to your new host you will want to be able to ssh using your ssh key instead of password. From the remote host do this:
$ ssh-copy-id -i ~/.ssh/id_rsa.pub [newhostname]
The above assumes the user name on the new host is the same as the user on the remote host. If not you can do the command like this:
$ ssh-copy-id -i ~/.ssh/id_rsa.pub [user]@[newhostname]
You will be prompted to enter the password for the New Host. It will copy over your public ssh key from ~/.ssh/id_rsa.pub. This assumes your public ssh key is indeed ~/.ssh/id_rsa.pub.
You should be able to ssh to the new host now without entering your password.
(Optional) Now copy all the ~/.ssh directory contents from your remote host into this host so you have the keys, the known hosts and authorized keys files from your user on the old remote host and now have them on your new host.
From the remote host:
$ cd ~/.ssh
$ scp -r * [new-host-name]:~/.ssh
Copy /etc/hosts to new host:
Now copy the /etc/hosts file from old host to new host. From the old host:
$ sudo scp /etc/hosts [new-host-name]:~
On the new host edit the file and change the local host name on line 2 to the name of your new host.
Now copy the file into place:
$ sudo mv hosts /etc/hosts
Check it like this:
$ cat /etc/hosts
Install Dropbox:
Install Dropbox:
sudo apt install dropbox
Then go to start menu and find Dropbox and run it.
You will get a message that says in order to use Dropbox you must download the proprietary daemon. Click OK
A Web Page will pop up where you enter your credentials. Do so.
Install Insync:
Don’t use this. It does not work and sync of files does not happen. Tired of using it.
I want to sync my Google Drive locally. To do that I’m using Insync.
First, add Insync’s public GPG key to allow apt to authenticate the Insync repository:
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ACCAF35C
You should see something like this that shows that it was successful:
gpg: key A684470CACCAF35C: public key "Insynchq Inc <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
If the previous command did not work, use this instead:
$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys ACCAF35C
Now create a file /etc/apt/sources.list.d/insync.list with the following content:
deb http://apt.insync.io/mint [CODENAME] non-free contrib
Replace [CODENAME] with the Linux Mint distro codename.
To get the codename of your distro you can find it in the /etc/apt/sources.list.d/official-package-repositories.list file. You can view it like this:
$ grep mint /etc/apt/sources.list.d/official-package-repositories.list | awk '{print $3}'
This is what I see when I run the above command:
tricia
So ‘tricia’ is the codename of this version of Linux Mint. That means the line I need to insert into /etc/apt/sources.list.d/insync.list would be:
deb http://apt.insync.io/mint tricia non-free contrib
Update the apt repository:
$ sudo apt-get update
Install Insync:
$ sudo apt-get install insync
You should see a pop up that says Insync installation has finished and if you want to start it. Go ahead and start it. A wizard will pop up to walk you through setting up Insync to sync your Google Drive to a directory on your host.
Install KeePassXC:
Install KeePassXC:
$ sudo apt install keepassxc -y
Install Chrome:
You’ll need Chrome for certain things.
Go to https://www.google.com/chrome/
Click the Download Chrome button. Mine automatically downloaded into ~/Downloads. The 64 bit version was automatically selected.
Install it like this:
$ cd ~/Downloads
$ sudo gdebi google-chrome-stable_current_amd64.deb
This will automatically install a repository as well for future updates.
Install Brave
Brave is a browser that automatically blocks trackers and Spam Ads. It is very buggy. I’d probably pass on this but if you insist…
$ sudo apt install apt-transport-https curl $ curl -s https://brave-browser-apt-release.s3.brave.com/brave-core.asc | sudo apt-key --keyring /etc/apt/trusted.gpg.d/brave-browser-release.gpg add - $ echo "deb [arch=amd64] https://brave-browser-apt-release.s3.brave.com/ stable main" | sudo tee /etc/apt/sources.list.d/brave-browser-release.list $ sudo apt update $ sudo apt install brave-browser
Install Signal:
Go to https://signal.org/en/download/
Click on Download for Linux and follow the instructions that pop up.
Additional Software:
There are other software packages I need. I’ll do them one at a time because I don’t want to confuse error message between one package or another:
$ sudo apt install kwrite -y
$ sudo apt install kate -y
$ sudo apt install terminator -y
$ sudo apt install sshuttle -y
$ sudo apt install vim -y
$ sudo apt install sshpass -y
$ sudo apt install whatsapp-desktop -y
$ sudo apt install nfs-common -y
$ sudo apt install rofi -y
$ sudo apt install gparted -y
$ sudo apt install imagemagick -y
$ sudo apt install whois -y
For Mint 20:
$ sudo apt install warpinator -y
Spoof Mac Address:
Mac Address:
Set your custom mac address to get the IP address you want.
Go to start, search for ‘Network Connections’
Click on Wired connection 1
Click Edit
Put your custom mac address in the ‘Cloned MAC address’ box.
##:##:##:FF:FF:FE
Click Save. You should now get the IP address you are expecting.
You may need to reboot. You should get your IP address.
Mount NFS share:
Create a mount point:
$ cd ~
$ mkdir -p mnt/[nfs-server-host-name]
Edit /etc/fstab and add these lines:
# External Mounts
[nfs-server-host-name]:[path-to-nfs-export] /home/[your-user]/mnt/[nfs-server-host-name] nfs rw,soft,noauto 0 0
Edit /etc/hosts and add the IP address of Serenity
Then mount the NFS share:
$ sudo mount [nfs-server-host-name]:[path-to-nfs-export]
You will need to modify the firewall rule on the NFS server to allow connections from your new host before this will work.
https://squoggle.wordpress.com/2020/05/04/iptables/
Install Slack:
Go to https://slack.com/downloads/linux
Download the .deb 64 bit package into your ~/Downloads directory.
Then install it:
$ cd ~/Downloads
$ sudo gdebi slack-desktop*.deb
I found a packagecloud.io repo but I have no way of knowing if it is secure. I’ll try to figure out how to create my own local repo for this.
Install Synergy:
Linux Mint 19.2 is based off of Ubuntu 18.04 LTS.
Go to https://symless.com/account and sign in. Go to the download page and get the package for Synergy 2 Beta for Ubuntu 16.04 LTS and save in ~/Downloads
Install it:
$ cd ~/Downloads
$ sudo gdebi synergy_2.*.deb
This is literally the best software in the world.
There’s a gotcha if you’re trying to install this on Mint 20. Mint 20 is based on Ubuntu 20.04. Ubuntu 20.04 has updated libssl from version 1.0.0 to version 1.1.
If you attempt to install with the above instructions you will get an error regarding a failed dependency. I was able fix the dependency issue by editing the deb package using these instructions:
cd ~/tmp
cp ~/Downloads/synergy_2.0.12.beta_b1705+e5daaeda_amd64.deb .
ar x synergy_2.0.12.beta_b1705+e5daaeda_amd64.deb
tar xzf control.tar.gz
Edit the control file and replace libssl1.0.0 with libssl1.1 and save the file.
Now repackage the tar file and the deb package:
tar --ignore-failed-read -cvzf control.tar.gz postinst postrm prerm md5sums control
ar rcs synergy_2.0.12.beta_b1705+patched_amd64.deb debian-binary control.tar.gz data.tar.xz
You should now have a “patched” version of synergy 2.0.12.beta. Save that in your software store so you don’t have to do this part again.
Now you can install it with the gdebi command listed above.
The package installed fine it just does not work. I get a “There was a problem connecting to the background service.” Error.
Look at this page:
https://members.symless.com/forums/topic/6465-ubuntu-2004-support/
Near the end of the post. There might be some stuff there that helps
Fix your Profile:
Edit ~/.bashrc and change
alias ll='ls -alF'
to
alias ll='ls -lF'
Directories:
Delete extra directories you don’t like
$ cd ~
$ rm -rf Videos Templates Public
Create a symlink for mount
$ ln -s /home/mac/mnt/Serenity/ mac
Fix up your bin dir:
Set up your ~/bin directory:
$ cd ~
$ mkdir bin
Copy your scripts over from your other system.
Set your $PATH to include ~/bin
Edit ~/.bashrc and change. Add this to the bottom of the file:
# Set your path to inclue $HOME/bin
PATH="$HOME/bin:$PATH"
Date & Time:
Click on the Date in the bottom right corner.
Turn off 24 hour clock
Turn on the date
Hot Keys:
Go to System Settings > Keyboard > Shortcuts
Set up your custom hot keys:
Launchers:
Launch Terminal = Super+T
Launch Nemo = Super+E
Close Window = Super+Shift+C
Log out = Super+Shift+Q
rofi -show run = Super+R
rofi -show window = Super+Tab
Other resources:
Sed
Posted by on October 29, 2019
Down & Dirty Notes on SED
Replace a word with another word:
To replace all instances of a certain word in a file with another word:
$ sed 's/[oldword]/[newword]/' file
This will not modify the original file but output to the screen
Strip the last letter of a list of words:
If you have a file with a bunch of words that all end in the same letter, something like this:
austin1a denver1a dallas1a phoenix1a
and you want to strip the last letter off of each word you can do it with something like this:
$ sed 's/\(.*\)./\1/' file
Output is to screen.
Add a letter to the end of a list of words:
Lets say you want to add a letter to that list of words. You can do that like this:
$ sed 's/$/b/'file
This will add a letter b to the end of each word in the list.
Replace the last letter of word:
You can combine the above two commands and if you want to change all the of the a to letter b then you can do that like this:
$ sed 's/\(.*\)./\1/' file | sed 's/$/b/'
The first part of this command strips the last letter of each word. Then the second part of the command adds the letter b to the end of each word.
Add a trailing \
Many times you want to run a script against a list of servers or something. You can create a list with a space slash \ after each word in the file:
$ sed 's/$/ \\/' file
The results will look something like this:
austin1a \ denver1a \ dallas1a \ phoenix1a \
Insert text at the beginning of a word:
If you want to insert the word router at the beginning of each word you could do something like this:
$ sed 's/^/router/' file
Insert text at the end of a word:
Same as above but at the end of the word:
$ sed 's/$/router/' file
Convert commas to newline:
Lets say you have CSV list in a file that looks something like this:
austin1a,denver1a,dallas1a,phoenix1a
and you want to convert those commas into newline. You can do something like this:
$ sed -e $'s/,/\\\n/g' file
Sometimes that list will have a space after the comma like this:
austin1a, denver1a, dallas1a, phoenix1a
You can modify the command slightly like this:
$ sed -e $'s/, /\\\n/g' file
Convert TABs (White space) to Commas:
Lets say you have a TAB separated file and you want to convert it to a CSV file. An example would be something like this:
austin1a.example.com. 300 IN A 10.10.20.10 denver1a.example.com. 300 IN A 10.10.30.10 dallas1a.example.com. 300 IN A 10.10.40.10 phoenix1a.example.com. 300 IN A 10.10.50.10
This command will convert any white space to a comma:
$ sed 's/[[:space:]]\+/,/g' file
Convert multiple spaces to single space:
Or if you simply want to convert multiple spaces to a single space you can do like this:
$ sed 's/[[:space:]]\+/ /g' file
More to come…
GPG HowTo
Posted by on October 18, 2019
Here’s my notes on GPG
Here’s a nice GPG Cheat Sheet:
http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/gpg-cs.html
Directory:
GPG will automatically store your configs in ~/.gnupg
List Keys:
To list the keys in your public key ring. These will be public keys that you have imported already:
$ gpg --list-keys
List Private Keys:
To list the keys in your secret key ring (your private keys):
$ gpg --list-secret-keys
Typically you will only have one Private Key, your own.
List Signatures:
To list the keys and signatures:
$ gpg --list-sigs
Check Keys:
To check the keys and signatures:
$ gpg --check-sigs
I’m not exactly sure what this does. It seems to be the same as ‘List Signatures’ from my perspective.
Delete Private Key:
To delete keys in your secret key ring. This is typically going to be your private key:
$ gpg --delete-secret-keys "Jimmy McKlosky"
Delete Public Key:
To delete keys in your public key ring (your public key):
Delete Secret Key First, then:
$ gpg --delete-keys "Jimmy McKlosky"
This is how you would delete other people’s public keys from your store as well.
Help:
To get help:
$ gpg --help
Generate a new key pair:
Generate your public and private keys:
$ gpg --gen-key
You should see:
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection?
Hit [ENTER] for the default or type in another number:
RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048)
2048 should be fine. Hit [ENTER] to accept.
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0)
The default is to never expire. This should be fine.
Hit [ENTER] to select no expiration date.
Key does not expire at all Is this correct? (y/N) y Hit 'y' to confirm no expiration date.
GnuPG needs to construct a user ID to identify your key. Real name: Jimmy McKlosky
Enter your real name.
Email address: [email protected]
Add your email address.
Comment: Jimmy's Bar & Grill
I put my org in the comment section.
You selected this USER-ID: "Jimmy McKlosky (Jimmy's Bar & Grill) <[email protected]>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
Select ‘O’ to confirm this is OK.
You need a Passphrase to protect your secret key.
A dialog box may open, or you may get a text prompt to enter your private key password. Check your database for this.
A message appears about generating random data.
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
If you are logged into the host remotely, see the gotcha below about generating entropy.
gpg: key E3541042 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 2048R/E3541042 2017-02-10 Key fingerprint = 8367 6BB4 9178 6D45 DF58 C2C4 2D6F 813A E354 1042 uid Jimmy McKlosky (Jimmy's Bar & Grill) <[email protected]> sub 2048R/997E61F3 2017-02-10
This completes the GPG Key Generation Process.
Gotcha: On Virtual Machines there is not a way of generating entropy via keyboard and mouse as there are no physical keyboard or mouse. The way I got around this is to generate entropy on the drive. Open another session to the server, then kick off the Key Gen as above. When it says it needs to generate entropy, go to the other session and enter this command:
$ find / -type f | xargs grep blahblahblha
In a few seconds you should have enough entropy and the Key Gen completes!
Export Keys:
List the keys to get the Key IDs:
$ gpg --list-keys /x/home/jimmy/.gnupg/pubring.gpg ------------------------------------- pub 1024D/F1ADF609 2013-05-15 Jimmy McKlosky (Trusted Master for BFD User Key Signing) <[email protected]> sub 1024g/835CFDE8 2013-05-15 [expires: 2015-05-15]
List the secret keys to make sure they exist and match:
$ gpg --list-secret-keys /x/home/jimmy/.gnupg/secring.gpg ------------------------------------- sec 1024D/F1ADF609 2013-05-15 Jimmy McKlosky (Trusted Master for BFD User Key Signing) <[email protected]> ssb 1024g/835CFDE8 2013-05-15
In this case you are simply ensuring that you are working with both your public and private keys and they match. It is possible to have more than on set of keys so this step is simply to ensure you are working with the correct set.
Export your Public Key:
$ gpg --export -a "Jimmy McKlosky" > public.key
This will result in a single file named public.key that contains your public key. The -a means –armor.
Export all the Public Keys in your public keyring:
$ gpg --export -a > public.keys
This is useful if you want to export all the public keys you have imported and move them to a new machine. This command results in a file named public.keys and contains all of the public keys you have previously imported.
Export your Private Key:
$ gpg --export-secret-key -a "Jimmy McKlosky" > private.key
The only reason you would have to export your private key would be to install it on another computer. You probably don’t want to have a private key for every computer you use. Since this is a private key, care should be taken to safeguard it like you would any other private key.
Export your Public and Private Keys using the numeric key ID:
If you have multiple keys identified by your name then the above is not a good way to do this as it will just take the first one. A better way of doing that is by using the numeric key ID. The numeric key ID is unique and is the same for both the Public and Private key. It is the number behind the “/” in this case “F1ADF609” prepended with “0x” to look like this: “0xF1ADF609”. The command to export your keys via Key ID looks like this:
$ gpg --export -a 0xF1ADF609 > public.key $ gpg --export-secret-key -a 0xF1ADF609 > private.key
You can now send your public key to someone who needs to send you some encrypted data. They can encrypt the data with your public key and when you get it you can decrypt it with your private key and read it.
Decrypt an encrypted file:
How to decrypt a file that was encrypted with your public key:
$ gpg --decrypt [file-name]
You will be prompted to enter your passphrase to decrypt it.
Encrypt a file:
$ gpg -e -u "Sender-Name" -r "Receiver-Name" [file-name]
Make the output file look nice and pretty:
$ gpg -e -u "Sender-Name" -r "Receiver-Name" --armor [file-name]
This should probably be your standard as it makes it much easier to read.
Import a public key:
Put the public key you received from someone into a file named public.key and import it like this:
$ gpg --import public.key
This adds the public key in the file public.key to your public key ring.
Import multiple public keys:
In the case where you may have exported multiple public keys, you can import them all. Put them all in a file and import like this:
$ gpg --import public.keys
Import a private key:
Typically this will only be your own private key from a different computer.
$ gpg --allow-secret-key-import --import private.key
I’ve also been able to do it simply like this:
$ gpg --import private.key
This adds the private key in the file private.key to your private key ring.
I’ve had to do it like this to actually import the secret key:
gpg --edit-key 818E4A41
Then choose trust and choose the level of trust. Then quit.
List key fingerprints:
This will show the fingerprints for keys in your key ring. This may be useful for some ways of authenticating those keys.
$ gpg --fingerprint
A fingerprint is a way you can verify with a person that they key you have for them is valid. For example you could call them and they could tell you the key fingerprint and you could validate it with this command.
Sign Public Keys:
Once you have validated the public key you can sign it so it will no longer bark at you when you attempt to encrypt data for a certain user.
Do it like this:
$ gpg --sign-key "User-Name"
Squoggle 
Recent Comments