Dec 062015
 
 December 6, 2015  Posted by at 10:36 pm android, backup, documentation, security Tagged with: , , ,  2 Responses »

For those unfamiliar: SMSSecure (now called Silence) is a text messaging application that supports encryption. It has exceptional integration on your phone and will handle your non-encrypted friends acquaintances texts as well.
https://smssecure.org
I recommend using fdroid to install it. F-droid is a Free Software repository for Android.
https://f-droid.org

When moving to a new phone you can export a plain text copy of all your sms texts for import on the new phone. This is fine but has many drawbacks. The export feature of smssecure does not export a users encryption keys. Here are instructions on doing this yourself. Its really not as bad as it might seem and is worth doing to avoid re-keying with every friend you text with. You can also avoid exporting sensitive txt’s to plain-text.

PREREQ’s:
Install SMSSecure on the new phone.
You will need adb access to both phones.

Enable developer options by going into Settings -> About phone -> then press “Build number” 7 times.

Enable adb access under Settings -> Developer options -> Android debugging.

Allow adb root access from “developer options -> Root access” “Apps and ADB”. Otherwise you will get a permission error like so:

shell@ville:/ $ su -
Permission denied

Also, be sure your computer can see the phone:
[jason@local ~] $ adb devices
List of devices attached
393520931D5B00EC device

    If usb is broken you can use ADB over the network. Enable it under Developer options -> Android debugging -> ADB over network. Connect to your local wireless first and take out your sim card before enabling. Otherwise your phone will be fully reachable over the cell network/public internet.

    Now connect to the phone over the network:
    [jason@local ~] $ adb connect 192.168.123.12:5555

    You can continue as if it was plugged in directly…
    To disconnect from the phone use this:
    [jason@local ~] $ adb disconnect 192.168.123.12:5555

STEPS:
I wasn’t able to directly copy the smssecure directory to my computer. It errors with zero files transferred:

[jason@local ~] $ adb pull /data/data/org.smssecure.smssecure/ org.smssecure.smssecure-balz
pull: building file list...
0 files pulled. 0 files skipped.

First I copy it to the sdcard of the old phone:

[jason@local ~] $ adb shell
shell@crespo:/ $ su -
root@crespo:/ # cp -rv /data/data/org.smssecure.smssecure/ /sdcard/

Copy the smssecure data from your old phone /sdcard/ to your local computer:

[jason@local ~] $ adb pull /sdcard/org.smssecure.smssecure/ org.smssecure.smssecure

Now plugin the new phone

Next, we will copy the org.smssecure.smssecure directory to the new phone:
Note: I attempted to copy directly to the new phone at /data/data but there was a permission denied:

[jason@local ~] $ adb push org.smssecure.smssecure/ /data/data/
push: org.smssecure.smssecure/databases/messages.db-journal -> /data/data/databases/messages.db-journal
failed to copy 'org.smssecure.smssecure/databases/messages.db-journal' to '/data/data/databases/messages.db-journal': Permission denied

Instead copy it to the /sdcard/ of the new phone, first:

[jason@local ~] $ adb push org.smssecure.smssecure/ /sdcard/org.smssecure.smssecure

Before we proceed lets check what permissions the org.smssecure.smssecure directory is currently set to (from the phones shell). In this case its chown u0_a63.u0_a63 and chmod 755:

root@crespo:/ # ls -ld /data/data/org.smssecure.smssecure/
drwxr-xr-x u0_a63   u0_a63            2015-12-06 21:35

Keep note of this for later.

Using the new phone’s root shell you will delete the existing (un-used) directory and copy your smssecure directory (with all your text’s) from sdcard to /data/data:

[jason@local ~] $ adb shell
shell@crespo:/ $ su -
root@crespo:/ # 
root@crespo:/ # rm -fr /data/data/org.smssecure.smssecure/
root@crespo:/ # cp -rv /sdcard/org.smssecure.smssecure  /data/data/

Note: If you try using move (mv) instead of copy (cp) and your sdcard is on a separate partition you will get this error:
root@maguro:/ # mv /sdcard/org.smssecure.smssecure/ /data/data/
failed on '/sdcard/org.smssecure.smssecure/' - Cross-device link
255|

Back to permissions:
After the data is copied to the new phone the directory and file permissions will be wrong (owned by root):

root@crespo:/ # ls -l /data/data/org.smssecure.smssecure/       
drwxrwx--- root     root              2015-12-06 21:35 app_parts
drwxrwx--- root     root              2015-12-06 21:35 databases
drwxrwx--- root     root              2015-12-06 21:35 files
lrwxrwxrwx install  install           2015-12-06 15:07 lib -> /data/app-lib/org.smssecure.smssecure-1
drwxrwx--- root     root              2015-12-06 21:35 shared_prefs

We need to change ownership to user and group. In my case I need to change it to u0_a63. Android’s chown doesn’t work as expected:

root@crespo:/ # chown -R u0_a63.u0_a63 /data/data/org.smssecure.smssecure/
No such user '-R'

Unfortunately, android sucks and chown is broken so we must get creative. Like any puzzle, its simple once you know the answer :-)

root@crespo:/ # find /data/data/org.smssecure.smssecure/ -exec chown u0_a63.u0_a63 {} \;

Luckily, chmod works ok:

chmod -R 755 /data/data/org.smssecure.smssecure/

Be sure to reboot your phone.
Note: My SMSSecure disappeared and I needed to re-install. Everything was there after I re-installed and it survived subsequent reboots.

done;

Feb 052014
 
 February 5, 2014  Posted by at 2:20 pm documentation, networking, security, vpn Tagged with: , , ,  21 Responses »

OpenVPN Client/Server Implemenation

==== key signing ====
You can host the certificate authority on the vyos device itself. This is obviously not as secure as hosting it on a separate system. If someone was to get into the vyos they would have access to all your keys and would be able to sign new keys against the CA. Nonetheless, it is convenient and secure-enough for many sites. This is how it can be done.
From the VyOS, copy the easy-rsa directory into /config, where it won’t get lost on an upgrade.

cp -rv /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /config/easy-rsa2
vi /config/easy-rsa2/vars

edit the options at the bottom of /config/easy-rsa2/vars to personalize them. Increasing KEY_SIZE to 2048 is recommended. Also, you can increase the certificate authority and key expiration. These are the defaults:

 ...
# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

now load the variables

$ cd /config/easy-rsa2/
$ source ./vars

start fresh in case there is something old lingering around in there. This will delete all keys, etc.

$ ./clean-all

Build the certificate authority files

$ ./build-ca

Build the diffie-hellman key exchange

$ ./build-dh

Build the key for the server

$ ./build-key-server js-server

Copy the certs and keys into /config/auth

sudo cp /config/easy-rsa2/keys/ca.crt /config/auth/
sudo cp /config/easy-rsa2/keys/dh1024.pem /config/auth/
sudo cp /config/easy-rsa2/keys/js-server.key /config/auth/
sudo cp /config/easy-rsa2/keys/js-server.crt /config/auth/

Now you can build the key for the client and distribute to them
use ./build-key to generate a certificate that will connect to the vpn without a pass-phrase and ./build-key-pass if you want the user to enter a pass-phrase before connecting. ./build-key-pass is more secure in case someone steals your certificate and key they will still need to enter a password to connect.

$ ./build-key jimmy

answer all questions accordingly and be sure to answer yes to “Sign the certificate?” the “1 out of 1 certificate requests certified, commit?”
Now copy the keys and certs and create a config for Jimmy to remote in with. This is how I do it.
first make a directory for the client in /config/easy-rsa2/keys

cd /config/easy-rsa2/keys
mkdir jimmy
cp jimmy* jimmy/
cp ca.crt jimmy/

create a client config with your favorite text editor,

vi jimmy/jsvpnserver.ovpn

and add the following

client
proto udp
remote-cert-tls server
verb 2
dev tun0
cert jimmy.crt
key jimmy.key
ca ca.crt
remote [vpn-server host or ip] 1194

From your local computer download the config directory (jimmy) from the vpn server

$ scp -r vyos@10.101.101.1:/config/easy-rsa2/keys/jimmy .

this copies the jimmy directory into the current directory on your computer (the period designates current directory). If your on MS Windows you will need to use cygwin or putty-scp to do this. Also, if using MS Windows you will need to run unix2dos on those files
from your computer where you downloaded the jimmy folder to.

unix2dos jimmy/*

I wrote a script to do all this for you -> http://jasonschaefer.com/stuff/easyrsa-user-setup-vyos.sh.txt
 

Setting up the OpenVPN Server

The server subnet needs to be a different subnet from your LAN. Set it to something unique that will be unlikely on any remote networks your clients will be on.
The “–push route 10.101.101.0 255.255.255.0” needs to be changed to the subnet on the LAN of the router. The one you will VPN in to reach.

set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 10.206.109.0/24
set interfaces openvpn vtun0 server name-server 10.101.101.1
set interfaces openvpn vtun0 server domain-name jasonschaefer.com
set interfaces openvpn vtun0 server push-route 10.101.101.0/24
set service dns forwarding listen-on vtun0
set interfaces openvpn vtun0 tls cert-file /config/auth/js-server.crt
set interfaces openvpn vtun0 tls key-file /config/auth/js-server.key
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/dh1024.pem

#Set the firewall to allow openvpn through

set firewall name wan-local rule 40 action accept
set firewall name wan-local rule 40 destination port openvpn
set firewall name wan-local rule 40 protocol udp
commit
save

 

Thats it! Your done!

SITE TO SITE VPN

basic instructions:

generate the passive key for head office from inside the easyrsa folder

source ./vars
./build-key-server site2site_server-passive
scp keys/site2site_server-passive.* user@vpn-server-passive-host:/config/auth/

#active key for branch office, this side initiates the vpn handshakes

./build-key site2site_active
scp keys/site2site_active.* user@vpn-server-active-host:/config/auth/

active site files in /config/auth/
ca.crt,
site2site_active.key,
site2site_active.crt

passive site files in /config/auth/
ca.crt,
site2site_server-passive.key,
site2site_server-passive.crt,
dh1024.pem

==================

#site to site openvpn

set interfaces openvpn vtun9
set interfaces openvpn vtun9 local-address 172.16.9.[1 | 2]
set interfaces openvpn vtun9 remote-address 172.16.9.[1 | 2]
set interfaces openvpn vtun9 remote-host [remote-vpn-host]

#standard openvpn port is 1194, best used for client/server mode. prevents ovpn config from needing port setting

set interfaces openvpn vtun9 local-port 1195
set interfaces openvpn vtun9 remote-port 1195
set interfaces openvpn vtun9 mode site-to-site
set interfaces openvpn vtun9 tls ca-cert-file /root/ca.crt
#the passive site cert/key needs to be signed as a server!
set interfaces openvpn vtun9 tls key-file /root/[passive.key | active.key ]
set interfaces openvpn vtun9 tls cert-file /root/[passive.crt | active.crt]
set interfaces openvpn vtun9 tls role [active | passive]
#dh1024.pem is required on passive host only!
set interfaces openvpn vtun9 tls dh-file /root/dh1024.pem
commit;save

#open firewall for openvpn

set firewall name wan-local rule 20 action accept
set firewall name wan-local rule 20 destination port 1195
set firewall name wan-local rule 20 protocol tcp_udp

#set static routes to networks on other side of vpn, if any

set protocols static route 192.168.7.0/24 next-hop 172.16.9.[1 | 2]
set protocols static route 192.168.8.0/24 next-hop 172.16.9.[1 | 2]
commit;save

 

DYNAMIC DNS

How to reach your vpn server and avoid using a static ip. We will be using afraid.org to automatically update a hostname’s A record with the public ip of your Vyos VPN server.

You will need to register for an account at https://freedns.afraid.org. Then create a subdomain, for this example it will be myvpnserver.mooo.com. Go to the “Dynamic DNS” section and copy the “Direct URL”.

Create a script under /config/scripts on your Vyos.
vi /config/scripts/myvpnserver.mooo.com.sh

#!/bin/bash
/usr/bin/curl -k [paste your direct url here]

Make it executable
chmod 755 /config/scripts/myvpnserver.mooo.com.sh

Now tell Vyos to run this with cron.
set system task-scheduler task dynamicDNS executable path /config/scripts/myvpnserver.mooo.com.sh
set system task-scheduler task dynamicDNS interval 15m

 

REVOKE KEYS ON VYOS

vyos@router:~$ cd /config/easy-rsa2/

vyos@router:/config/easy-rsa2$ ./revoke-full jimmy

Using configuration from /config/easy-rsa2/openssl.cnf
Revoking Certificate 0E.
Data Base Updated
Using configuration from /config/easy-rsa2/openssl.cnf
jimmy.crt: /C=US/ST=NM/L=SantaFe/O=Blah/CN=jimmy/emailAddress=jimmy@localhost.local
error 23 at 0 depth lookup:certificate revoked

The error 23 at 0 … is normal and expected.

Now copy the updated CRL (certificate revocation list) to /config/auth
vyos@router:/config/easy-rsa2$ cp keys/crl.pem /config/auth/

If this is the first revocation you need to add it to the config as well:

vyos@router:~$ configure
vyos@router# set interfaces openvpn vtun0 tls crl-file /config/auth/crl.pem
vyos@router# save; commit; exit
Saving configuration to ‘/config/config.boot’…
Done
No configuration changes to commit
exit

 

VERIFY REVOKED CERTIFICATES

You can verify the revoked keys with the openssl command
vyos@router:~$ openssl crl -in /config/auth/crl.pem -text

Revoked Certificates:
    Serial Number: 08
        Revocation Date: Jan 30 00:19:24 2016 GMT
    Serial Number: 0E
        Revocation Date: Jul 13 22:51:50 2016 GMT

In the above example keys 08 and 0E have been revoked
vyos@router:~$ cat /config/easy-rsa2/keys/index.txt

V	230804225528Z		        02	unknown	/C=US/ST=NM/L=SantaFe/O=SITC/CN=jason/emailAddress=jason@local
R	230806213443Z	160130001924Z	08	unknown	/C=US/ST=NM/L=SantaFe/O=Blah/CN=john/emailAddress=john@localhost
R	260711225142Z	160713225150Z	0E	unknown	/C=US/ST=NM/L=SantaFe/O=Blah/CN=jimmy/emailAddress=jimmy@localhost.local

From this file index.txt, you can ascertain which serial numbers belong to which users!

Oct 032013
 
 October 3, 2013  Posted by at 4:15 pm documentation, vpn Tagged with: , , ,  No Responses »

This outlines a typical VPN implementation with server, clients and routing. Using Attitude Adjustment 12.09

Set a password in LuCI web interface to enable ssh access. Then ssh to device and do the following.


opkg update
opkg install openvpn-openssl openvpn-easy-rsa

It is recommended to create the certificate authority on another computer, even one that is not connected to any network! Although, that requires more work than I usually care to do.

Because I have done an upgrade accidentally and overwritten my easy-rsa directory, and thus all keys/certs along with it, I now move this directory into /etc/config/openvpn-config.

mkdir /etc/config/openvpn-config
mv /etc/easy-rsa/ /etc/config/openvpn-config/
cd /etc
ln -s config/openvpn-config/easy-rsa

(this creates a relative symlink)

== CERTIFICATE AUTHORITY FOR OPENVPN ==
edit the following or don’t if you want to enter it manually on certificate creation.
At the end of the /etc/easy-rsa/vars file:

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US" <-*edit*
export KEY_PROVINCE="CA" <-*edit*
export KEY_CITY="SanFrancisco" <-*edit*
export KEY_ORG="Fort-Funston" <-*edit*
export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL=mail@host.domain
export KEY_CN=changeme <-*edit - servers hostname*
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234


clean-all
(run this to ensure your starting with a clean slate)
build-ca
build-dh
build-key-server servername_server
(don’t set a challenge password, Answer yes to sign the certificate and yes to commit.)

Instead of using UCI syntax (that I struck out below) we can break this out to be more openvpn standard and troubleshooting friendly. Also, I have added the ability to set static ip’s for the openvpn clients.

== OPENVPN SERVER CONFIG ==
Overwrite /etc/config/openvpn with the following config

config openvpn server_openvpn
option enabled 1
option config /etc/config/openvpn-config/server.conf

config openvpn lan
option enable 1
option port 1194
option proto udp
option dev tun
option ca /etc/easy-rsa/keys/ca.crt
option cert /etc/easy-rsa/keys/servername_server.crt
option key /etc/easy-rsa/keys/servername_server.key
option dh /etc/easy-rsa/keys/dh1024.pem
option ifconfig_pool_persist /tmp/ipp.txt
option keepalive "10 120"
option comp_lzo yes
option persist_key 1
option persist_tun 1
option status /var/log/openvpn-status.log
#option log /tmp/openvpn.log
option verb 3
option server "10.128.241.0 255.255.255.0"
option topology subnet
option client_to_client 1
list push "dhcp-option DOMAIN lan"
list push "dhcp-option DNS 192.168.233.1"
list push "route 192.168.233.0 255.255.255.0"

The following is the openvpn server config (that is called by /etc/config/openvpn) in /etc/config/openvpn-config/server.conf

float
port 1194
proto udp
dev tun
comp-lzo yes
ifconfig-pool-persist /tmp/ipp.txt
status /var/log/openvpn-status.log
mute 5
log /tmp/openvpn.log
keepalive 10 120
persist-key
persist-tun

dh   /etc/config/openvpn-config/easy-rsa/keys/dh2048.pem
ca   /etc/config/openvpn-config/easy-rsa/keys/ca.crt
key  /etc/config/openvpn-config/easy-rsa/keys/server.key
cert /etc/config/openvpn-config/easy-rsa/keys/server.crt

mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 10.128.241.0 255.255.255.0
route-gateway 10.128.241.1
push "route-gateway 10.128.241.1"
ifconfig-pool 10.128.241.20 10.128.241.254 255.255.255.0
push "route 192.168.233.0 255.255.255.0"
push "dhcp-option DNS 192.168.233.1"
client-to-client

#client-config-dir /etc/config/openvpn-config/clients

If you want to enable the static client ip assignments be sure to uncomment the client-config-dir above and make a directory as such.
mkdir /etc/config/openvpn-config/clients
write a file inside the clients directory with the same name as the common name of the openvpn client certificate.
For example, in a file /etc/config/openvpn-config/clients/jason
ifconfig-push 10.168.84.2 255.255.255.0

/etc/init.d/openvpn enable
/etc/init.d/openvpn restart

cd /etc/config/openvpn-config/
openvpn --config server.config

check for errors
cat /tmp/openvpn.log

Check for errors in the openvpn config syntax using uci show
uci show openvpn
The following will be displayed if there are no syntax issues. Use of the quotes are common mistakes.
openvpn.lan=openvpn
openvpn.lan.enable=1
openvpn.lan.port=1194
openvpn.lan.proto=udp
openvpn.lan.dev=tun
openvpn.lan.ca=/etc/easy-rsa/keys/ca.crt
openvpn.lan.cert=/etc/easy-rsa/keys/servername_server.crt
openvpn.lan.key=/etc/easy-rsa/keys/servername_server.key
openvpn.lan.dh=/etc/easy-rsa/keys/dh1024.pem
openvpn.lan.ifconfig_pool_persist=/tmp/ipp.txt
openvpn.lan.keepalive=10 120
openvpn.lan.comp_lzo=1
openvpn.lan.persist_key=1
openvpn.lan.persist_tun=1
openvpn.lan.status=/var/log/openvpn-status.log
openvpn.lan.verb=3
openvpn.lan.server=10.128.241.0 255.255.255.0
openvpn.lan.topology=subnet
openvpn.lan.client_to_client=1
openvpn.lan.push=dhcp-option DOMAIN lan dhcp-option DNS 192.168.233.1 route 192.168.233.0 255.255.255.0

== NETWORK ==

Now lets setup the tun interface so that we can add zones
networ-interface-vpn0
in /etc/config/network or in LuCI.

config interface 'vpn0'
	option proto 'none'
	option ifname 'tun0'

 

 

== FIREWALL ZONE ==

Create a zone called openvpn_zone with vpn0 network.
openvpn_zone

in /etc/config/firewall

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'openvpn_zone'
	option network 'vpn0'
	option forward 'REJECT'

 

We now explicitly declare the forwards like this.
openvpn_zone to lan zone allow

config forwarding
	option dest 'lan'
	option src 'openvpn_zone'

openvpn_zone to wan allow, if you want openvpn clients to use the wan for example if using redirect-gateway

config forwarding
	option dest 'wan'
	option src 'openvpn_zone'

openvpn_zone to lan allow

config forwarding
	option dest 'openvpn_zone'
	option src 'lan'

 

== FIREWALL TRAFFIC RULE ==

Allow the openvpn server to accept connections from clients out in the world.
openvpn2device

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
	option name 'openvpn2device'
	option enabled '0'

An overview of traffic rules

openvpn_traffic_rules

 

 

 

 

 

 
** NOTE: Occasionally, I have had to reboot for the above zone’s to work **

== Optional firewall rules to use, instead of using the zones. Not recommended ==
in /etc/firewall.user

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Allow all traffic in and out of the tun interface.
iptables -A input_rule      -i tun+ -j ACCEPT
iptables -A output_rule     -o tun+ -j ACCEPT
# This rule will allow traffic towards internet from tun
iptables -A forwarding_rule -i tun+ -j ACCEPT
iptables -A forwarding_rule -o tun+ -j ACCEPT

 

== USER CONFIGURATION ==
build-key jason
or you can run build-key-pass to issue a key that asks the user to enter the password before it is used (more secure).
Once you have completed the build-key, being sure to answer yes to signing the certificate and commit.

Now you need to get the keys for jimmy and the ca.crt (not ca.key!). Each client needs these files to connect.
scp /etc/easy-rsa/keys/jason.* jason@192.168.1.78:jason-vpn
scp /etc/easy-rsa/keys/ca.crt jason@192.168.1.78:jason-vpn

Then create the client config in the same directory as the crt’s and keys. If your installing this on a windows box then you should run unix2dos on all the files.
Create a file called jason.ovpn in jason-vpn directory as such

nobind
comp-lzo
dev tun
remote hostname-to-server 1194 udp
client
tls-exit
ca ca.crt
cert jason.crt
key jason.key
remote-cert-tls server
mute 5
resolv-retry infinite
explicit-exit-notify
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
#redirect-gateway def1

I have a script to help with client config http://jasonschaefer.com/stuff/easyrsa-user-setup-openwrt.sh.txt

Test the server by connecting from off-site.
cd into your local config directory where your certs, keys and .ovpn config are.
sudo openvpn jason.ovpn
enter your sudo password

You should see something like this at the end of the openvpn output:

Fri Feb 28 22:19:01 2014 /sbin/ifconfig tun0 10.128.241.4 netmask 255.255.255.0 mtu 1500 broadcast 10.128.241.255
Fri Feb 28 22:19:01 2014 /sbin/route add -net 192.168.233.0 netmask 255.255.255.0 gw 10.128.241.1
Fri Feb 28 22:19:01 2014 Initialization Sequence Completed

and you will see a tun interface

# ip a
38: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 10.128.241.4/24 brd 10.128.241.255 scope global tun0
valid_lft forever preferred_lft forever

and the correct route has been pushed to you

# ip r
192.168.233.0/24 via 10.128.241.1 dev tun0

== REVOKING A USERS KEY ==

add the following line to /etc/config/openvpn:
option crl_verify /etc/easy-rsa/keys/crl.pem

run “revoke-full” with users key as argument:

revoke-full [key-to-revoke]

restart openvpn:

/etc/init.d/openvpn restart

Jul 112012
 
 July 11, 2012  Posted by at 4:48 pm documentation, scripts Tagged with: , , , ,  No Responses »

I have a Dreamhost VPS account and have been running out of memory and experiencing the dreaded forced reboots dh impose. I found it difficult to identify the offending sites that take up all that memory on my server. Every time I login and run top it was too late or I would find a website being crawled by a search bot. How to find a trend over time, without getting too complicated? My solution was to track the memory usage with ps and write that to individual files, then sort all those files and derive the top offenders in one list. Which is web accessible (or not) for easy viewing later. If my VPS reboots, I can go back to the individual files before the forced reboot and get details of whats causing the problem.

#!/bin/bash

#no trailing slash. Be sure this dir exists.
path=/home/jason/jasonschaefer.com/memusages

logfile=index.txt

#how many days to keep files, remove after..
removeafter=5

# ps -[e]everything, [o]format
# rss is resident set size in kilobytes
# user:20 username with 20 char space so it won't revert to uid on usernames longer than 8 chars
# cmd:40 running command with 40 char column, stime=start time of cmd
# [h]hide headers, --sort=rss sorts on rss column
/bin/ps -eo rss,user:20,cmd:40,stime,pid h --sort=rss > $path/mem`date +"%F_%k-%M"`.txt

# sort unique, numeric on column 5 the pid, so we don't show duplicate processes.
# then sort numeric, reverse on column 1 the memory usage, write the top 200 lines to our logfile.
/usr/bin/sort -u -n -k 5 $path/mem*.txt | /usr/bin/sort -n -r -k 1 | head -n 200 > $path/$logfile

#find files older than $removeafter days and remove them
/usr/bin/find $path -mtime $removeafter -exec rm -fr {} \;

Don’t forget to make it executable
chmod 755 /home/jason/memusages.sh

Then setup to run in cron, to run every ten minutes of every hour, every day, every month and every day of week. Change as needed.. I have it running every minute right now. Depending on your setup you may need to run this as root to see all system processes.
crontab -e
*/10 * * * * /home/jason/memusages.sh

Mar 042011
 
 March 4, 2011  Posted by at 1:33 pm documentation, Tutorial Tagged with: , , , , , , , , , , ,  No Responses »

Here are some random notes that I find useful. I also tend to forget and use as reference.

== LINKS ==
iproute2 cheat sheet by dmbaturin http://baturin.org/docs/iproute2/

Speedtest site that doesn’t require crap software. It only uses html5 SpeedOf.Me or bandwidthplace.com

data transfer calculator
http://techinternets.com/copy_calc

[] Vim reference

:e filename (open filename)
:q! (quit, don’t save)
:w (write/save)
:wq (write and quit)
:x (write if changed, otherwise exit)
a (insert after)
A (insert after line)
h j k l (left, down, up, right)
$ (move to end of line)
^ or 0 (move to beginning of line)
G (move to end of file)
gg (move to top of file)
:n (move to “n” line, n=number)
x (delete to the right)
X (delete to the left)
D (delete to the end of line)
dd (delete current line)
yy (yank/copy current line)
V (begin highlight, up and down to select “y” to yank selection)
vn (yank “n” lines below cursor, n=number)
p (put/paste)
u (undo)
/string (search for “string”)
n (search for next string match)
:s/yellow/green/gc (replace yellow with green on current line, g is for global, each match is replaced in a line, instead of the first match in a line. c is for confirm/ask)
:%s/yellow/green/g (replaces yellow with green on the entire page)
:%s:/usr/local/bin:/opt/users/bin:g (use something other than / as delineation so you don’t have to escape “/”. Like this nasty example: :s/\/usr\/local\/bin/\/usr\/loca\/bin)
:%s#http://jasonschaefer.com#https://jasonschaefer.com#g (Switch the delimiter to # for strings with : and / to avoid annoying escapes!)

[] bash tricks
stop bash history:
unset HISTFILE

[] find command
find . -name "name" -exec [command goes here] {} \;
find . -type d -exec chmod 750 {} \;
recursively changes type directories to user=rwx, group=r-x, other=—
find . -type f -exec chmod 664 {} \;
recursively changes type file user=rw-, group=rw-, other=r– (so that files are not executable)
find /home/BACKUP -mtime +14 -exec rm -fr {} \;
-mtime options:
n exactly n days
+n more than n days
-n less than n days

to convert all backslash \ to forward slash /
find . -type f -iname *.xml -exec sed -i 's:\\:/:g' {} \;

find hard links (directories have multiple links so use type file and not with 1 link)
find /path -type f ! -links 1

[] Image Conversions and Resizing in batch groups
This will resize all jpg’s in the current directory “.” to 1024×768 and put them in the directory small
find . -iname "*.jpg" | xargs -l -i convert -resize 1024x768 {} small/{}
You can replace the “convert -resize” with convert -quality 85% to compress the images instead.
convert is a part of imagemagick

[] Edit EXIF data on images
Using exiftool to shift wrong date caused by a camera with the wrong time. man Image::ExifTool::Shift.pl for a manual.
example:
exiftool "-AllDates+=1:0:21 0:0:0" *.JPG
This adds (+=) 1 year, 0 months and 21 days, 0 hrs, 0 min, 0 sec to all files ending in .JPG

[] tar
tar with various exclude examples
tar zcfv backup-website.tar.gz --exclude=stuff --exclude=path/to/stuff --exclude="more stuff with spaces in the name" --exclude=*.wild /home/website

[] chmod tricks
chmod can be used in a way where it preserves executable permissions, if they are already present. using upper X
chmod -R u=rwX,g=rwX,o=rX /path/to/
This recursively (-R) sets user and group to rw- dirs and files that don’t already have executable permissions (the X is similar to x but preserves executable perms if they were preexisting). If the dir or file has any executable permissions then it sets user and group to rwx. This can be handy if you want to change lots of files and dirs at once but not make files executable. For instance, chmod -R u=rwx,g=rwx would blanket files and dirs making them all executable. Of course, using find with type and exec can more explicitly set permissions. But it will reset any executable files as well. Thus the benefit of chmod and X.
To see what files are executable, if any, do
find /path/ -executable -type f

[] How to recursively force a group permission + umask per user on gnu/linux.
First you can recursively set the desired owner and group. Recursive is optional, only needed if you have sub dirs.
chown -R root.users /path/to/dir
Then force all files and directories created under /path/to/dir to be owned by the creator and the group will be set to “users” group. Notice the chmod g+rwxs is adding the (s)etGID bit for the group.
find /path/to/dir -type d -exec chmod g+rwxs {} \;
You will notice that when a user now creates files or directories under /path/to/dir they come out as (on a typical system)
-rw-r--r-- 1 jason users 0 Aug 29 16:49 this is a file
drwxr-sr-x 2 jason users 6 Aug 29 16:49 this is a directory

You will need to change your umask. You can find it under your home directory in ~/.profile
Uncomment or add umask 002 so that the group “users” will be able to read your files and execute your directories.

[] changing default new file or directory permissions, umask on debian wordaround for http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646692
change /etc/login.defs
UMASK 022 (equivalent to 644/rw-r–r– files and 755/rwxr-xr-x directories)
to
UMASK 002 (equivalent to 664/rw-rw–r– files and 775/rwxrwxr-x directories)

If that doesn’t work. Enable the pam_umask module like this.
echo "session optional pam_umask.so usergroups" >> /etc/pam.d/common-session
[] Rename multiple files

remove space from all files ending in .mp3
rename 's/ //'g *.mp3
rename all files ending in .ZIP to .zip
rename 's:\.ZIP:\.zip:' *.ZIP

[] search and replace text within a group of files

find /etc/NetworkManager/system-connections/ -exec sed -i "s/mac-address=0:1e:4c:27:40:00/mac-address=EC:55:F9:0F:5D:00/g" {} \;
use -name, -type to refine the match if you need.

jedit is a gui program that can do this.

[] SSH stuffs

copy your ssh public key to remote hosts ~/user/.ssh/authorized_keys file
ssh-copy-id user@host

Use ‘ssh-add’ to add your private key to the ssh-agent, so you don’t need to type your passphrase each time you ssh someplace.

create a listen socket on your local computer, that redirects port to a host on remote network (10.9.8.2)
ssh -L localhost:3389:10.9.8.2:3389 user@host
-L [bind_address:]port:host:hostport
(now you can rdesktop to localhost and it will connect to the remote 10.9.8.2)
rdesktop -g90% localhost

create a remote socket that forwards port 2222 on localhost of server to port 22 on initiating host.
Useful for remote support sessions.
ssh -R localhost:2222:localhost:22 user@hostname
-R [bind_address:]port:host:hostport
(now you can ‘ssh -p2222 localhost’ from the server and reach the host)

create a socks4/5 proxy over ssh
ssh -D8080 user@hostname
(now you can configure your browser to use socks5 proxy at localhost:8080 and you can reach the remote networks web servers, or just use it to securely proxy your web traffic through the remote hosts internet connection)

[] Sending mail with telnet:
telnet hostname 25
helo me
mail from:myaddress@mydom.com
rcpt to:youraddress@yourdom.com
data
This is a test
.

(thats a newline [enter] – period – and another newline [enter])

[] Fix MBR for windows
http://ms-sys-free.sourceforge.net/

from gnulinux:
ms-sys -m /dev/hda

from msdos or nt recovery console:
fdisk /mbr

[] Batch and snippets (yuck)
http://www.allenware.com/icsw/icswidx.htm

echo Cleanup .bak files older than 7 days
forfiles /p d:\backup /m *.bak /d -7 /c "cmd /c del /q @path"

echo Set variable date as yyyymmdd
set date=%date:~-4,4%%date:~4,2%%date:~-7,2%
echo %date%

[] Filesystem stuff

make clone image of sda
dd if=/dev/sda of=/dev/sdb bs=4096 conv=notrunc,noerror

notrunc or ‘do not truncate’ maintains data integrity by instructing dd not to truncate any data.
noerror instructs dd to continue operation, ignoring all input errors. Default behavior for dd is to halt at any error. Useful when imaging damaged drives.
bs=4096 sets the block size to 4k, an optimal size for hard disk read/write efficiency and therefore, cloning speed.

backup mbr
dd if=/dev/sda of=mbr.backup bs=512 count=1

check status of dd transfer (use pgrep to find process id, kill to send user define signal 1, dd progress will be displayed on terminal where dd was run)

kill -USR1 $(pgrep ^dd)

mount image
losetup /dev/loop0 sda.img
mount /dev/loop0 /mnt

xfs filesystem and xfsprogs
Determine the amount of fragmentation on sda2
xfs_db -c frag -r /dev/sda2

Filesystem re-organizer, by default, with no arguments. It re-organizes files in mounted partitions for 2 hours. Use -t to change the time.)
xfs_fsr
These tools reside in the xfsdump package

[] Recover Files
testdisk (recover lost partitions)

photorec (part of the testdisk suite)

foremost sda.img
-t (type doc,jpg,exe etc. all is default)
-a (no error detection, recovers partial files)
-d (indirect block, use for nix filesystems)
-o (output dir)
-T (timestamp output dir)

extundelete /dev/sda1 –restore-directory /home/jason

https://help.ubuntu.com/community/DataRecovery
https://wiki.archlinux.org/index.php/File_Recovery#Working_with_Raw_Disk_Images

[] KVM Virtualization

Interface config for bridging to virtualized client /etc/network/interfaces
wireless interfaces rarely ever support bridging.

# The primary network interface
iface eth0 inet manual
auto br0
  iface br0 inet dhcp
  bridge_ports eth0
  bridge_stp off
  bridge_waitport 0
  bridge_fd 0

Resize/Add storage to kvm image:
dd if=/dev/zero of=myvirtualhost.img bs=1M count=78k oflag=append conv=notrunc
notrunc MUST be used or else append will overwrite beginning of image.

Alternately, creates a sparse file which suffers from fragmentation and possible corruption if host system doesn’t provide proper space for the sparse image to fill into. So its not recommended.
truncate -s +10G image.raw
Alternate method sparse:
qemu-img create -f raw addon.img 10G
be sure to make a backup of original.img
now you can append addon.img to original.img
cat addon.img >> original.img

Now, boot the .img vm and use cfdisk to partition the new space. Reboot, and build a filesystem OR boot the instance with a live distro that has gparted and merge/resize the new partition with the old.

Convert a qcow2 image to raw image and remove the sparsity (-S 0 is non-sparse).
qemu-img convert -p -O raw -S 0 win7pro.qcow2 win7pro.img

Also, fallocate is a great way to allocate non-sparse file images. “preallocation is done quickly by allocating blocks and marking them as uninitialized, requiring no IO to the data blocks. This is much faster than creating a file by filling it with zeroes”
fallocate -l 128GiB virtualhost.img

[] KVM with Windows

The best way to get virtio is on install. Download the block driver floppy image and attach it, I use virt-manager. Set your hard drive to type virtio and start your windows install. It will will prompt you to press f6 to install third party drivers. Then press S (you have a disk from a third party manufacturer, your floppy image)

If you already have a disk type IDE and want it to be virtio (better). Then do this:
1. Create a temporary image
kvm-img create -f qcow2 temp-virtio.img 1G
2. Shutdown your virtual machine and attach temp-virtio.img as a hard drive, as type virtio.
3. Attach the virtio-win-x.x.x.vfd (i used the one from fedoraproject.org, see below) to you virtual machine
4. Boot up and install the drivers
5. Shutdown, remove the old hard drive image and re-add it as type virtio
6. Boot up and since you already installed the drivers it will boot. Otherwise, you get BSOD..
(You can remove the temp-virtio.img and floppy image).. All done.

For network drivers.. Shutdown, set the “device model” to virtio. Attach the NETKVM-xxxx.iso as a cdrom. Bootup and install drivers. yay!

virtio network drivers, quamranet
http://sourceforge.net/projects/kvm/files/kvm-driver-disc/

virtio block device drivers (aka, hard drive)
http://alt.fedoraproject.org/pub/alt/virtio-win/latest/images/bin/ or
http://sourceforge.net/projects/kvm/files/kvm-guest-drivers-windows/

[] Windows Policy

run gpedit.msc to edit policy

to backup or move to new host, copy the following
%systemroot%\system32\GroupPolicy\Machine and User dirs

to apply changed policy’s
gpupdate /force

[] RDP tricks

plain old vnc is no more, not to say its not useful but xrdp is a super combo rambo pack. when it comes to ease of use, autostart scripts in debian, built in encryption, performance and cross platform the xrdp project rules the roost. Follow these simple steps.
on server: apt-get install xrdp
done;
on client: rdesktop -g95% [server name or ip]
-g is for geometry, look it up in man rdesktop
done; wow!
obviously, you will need rdesktop or some other remote desktop protocol installed on the client.
If you have issues with the arrow up and down keys minimizing and maximizing your X terminal do the following:
In gnome, use gnome-control-center -> Go to keyboard ‘Shortcuts’ tab, ‘Windows’ on the left pane -> select super+up and super+down shortcuts -> press backspace to disable these shortcuts on these actions.

SeamlessRDP http://www.cendio.com/seamlessrdp/
rdesktop -A -s "c:\seamlessrdp\seamlessrdpshell.exe c:\program files\internet explorer\iexplore.exe" -u username -p password hostname
uhhh, for the record I have NEVER gotten this to work properly. Please contact me if you have!

[] Self Signed certificate on debian, the easiest way possible
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/hostcert.crt
This script will ask for a domain and write the certificate. to /etc/ssl/private/hostcert.crt

https://www.ssllabs.com/ssltest/analyze.html

[] OpenVPN reference
analyze a certificate
openssl x509 -text -in jason.crt
openssl x509 -noout -in jason.crt -subject
recommended ovpn:

remote [host] 1194 udp
float
client
dev tun
mute 5
nobind
comp-lzo
tls-exit
remote-cert-tls server
resolv-retry infinite
explicit-exit-notify
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
#redirect-gateway def1
ca ca.crt
cert [user].crt
key [user].key

[] tshark and tcpdump packet capture

To run tshark remotely and pipe results back to wireshark locally. Can be tcpdump instead of tshark. Needs root access..

ssh root@server 'tshark  -w -' | wireshark -k -i -

Examples of filter
also check the man page for pcap-filter
man pcap-filter
Common uses —
tshark -i eth0 host 10.0.1.10
tshark -i eth0 net 10.0.1.0/24
tshark -i eth0 port 80
tshark -i eth0 port 80 and host 10.0.1.10 and not port 22
tshark -i eth0 tcp port 80 or tcp port 443 -V -R “http.request || http.response”

 
[] OpenWRT Notes

OpenWRT failsafe recovery mode
http://wiki.openwrt.org/doc/howto/generic.failsafe

flashing with atftp (follow the instuctions for particular device at http://wiki.openwrt.org/toh/start)
curl -T openwrt-xxxx-xxxxx-squashfs-factory-xxxx.img tftp://192.168.1.1
or the more complicated annoying way
atftp --trace --tftp-timeout=1 --put --local-file openwrt-xxxxx-xxxxx.img 192.168.1.1

Setup SSL/TLS (https) for Luci web interface and disable insecure plaintext (http)
opkg install luci-ssl
be sure the following is commented out in /etc/config/uhttpd
# HTTP listen addresses, multiple allowed
# list listen_http 0.0.0.0:80
# list listen_http [::]:80

Also change the cert px5g options to be more unique and add more days to the self signed certificate.
/etc/init.d/uhttpd restart


Disable/Enable Wireless on a schedule, automatically

The first line will use bridge control to remove the wireless interface (wlan0-1) from the lan bridge (br-lan) at 22:30. The next cron will add the interface back at 6:00. Redirect (>) all output to dev null. Substitute wlan0-1 for whichever interface you need to. Add this to crontab:
30 22 * * * brctl delif br-lan wlan0-1 >/dev/null 2>&1
0 6 * * * brctl addif br-lan wlan0-1 >/dev/null 2>&1

use “brctl show” to see which interfaces are in the bridge:

root@OpenWRT:~# brctl show
bridge name	bridge id		STP enabled	interfaces
br-lan		7fff.c6031578e51d	no		eth0.1
							wlan0
							wlan0-1

[] Cron and wget with Afraid free DNS
Its best to use curl. Install curl with opkg update and then opkg install curl or apt or yum, etc.
*/10 * * * * /usr/bin/curl -k https://freedns.afraid.org/dynamic/update.php?[random string]

wget is overly complicated… but if its all you got, then its great.
*/10 * * * * /usr/bin/wget --no-check-certificate -O - https://freedns.afraid.org/dynamic/update.php?[random string] > /dev/null 2>&1

add to /etc/rc.local so that it updates immediately on bootup. This doesn’t always work if the wan interface isn’t operational at time of execution.

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
/usr/bin/curl -k https://freedns.afraid.org/dynamic/update.php?[random string]
exit 0

 

[] MYSQL

mysql> create database newdb;

mysql> CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';
mysql> GRANT ALL PRIVILEGES ON newdb . * TO 'newuser'@'localhost';

(GRANT ALL PRIVILEGES ON [database name].[table name] TO ‘[username]’@’localhost’;)

mysql> SET PASSWORD FOR 'newuser'@'localhost' = PASSWORD('newpassword');

mysql> DROP USER 'newuser'@'localhost';

update table g2_PluginMap and set column g_active to 0 where column g_pluginID is captcha. This disables the captcha plugin in gallery2
UPDATE g2_PluginMap SET g_active = '0' WHERE g_pluginId = captcha;
DELETE FROM g2_FactoryMap WHERE g_implModuleId='captcha';

(unrelated to mysql, you will need to clear the cache to fully disabled this plugin -> http://your-domain.tld/gallery/lib/support/index.php

[] RSYNC
rsync highlights:
typical use —
rsync -av --delete --stats --exclude media/* /home/ /mnt/usb/rsync-home-mirror
copy [a]rchive, [v]verbosely, –delete any files on the destination that don’t exist in source (mirror), show transfer [stat]istics, [exclude] any files inside directory media, copy contents of /home/ into /mnt/rsync-home-mirror

advanced use — useful for copying entire OS
rsync -aAHXi --super --numeric-ids /source/ /destination
-a archive, -A copy ACL, -H copy hard links, -X copy extended attributes, -i show changes, –numeric-ids preserves uid and gid numerically instead of by name.

Use -n to do a dry run! Especially valuable when using –delete switch.

You can think of a trailing / on a source as meaning “copy the contents of this directory” as opposed to “copy the directory by name”

rsync over ssh
rsync -aiz /source/path username@192.168.1.10:/remote/destination/path
rsync -aiz user@host:/remote/source /local/destination

[] fstrim
fstrim one-liner for cron. every sunday at 12:30 timestamp the log and include two partitions, / and /home.
30 12 * * 0 /bin/date +\%c > /tmp/fstrim.log && /sbin/fstrim -v / >> /tmp/fstrim.log 2>&1 && /sbin/fstrim -v /home >> /tmp/fstrim.log 2>&1

[] wget

for range in {1..7};do wget http://URL/Episode$range.mp3 ; done
for range in {{1..3},{5..7}};do wget http://URL/Episode$range.mp3 ; done
Mirror entire site with wget
wget --mirror -p --convert-links http://URL
or
wget --recursive --no-clobber --page-requisites --html-extension --convert-links --no-parent --domains website.org http://website.org
[] ffmpeg

convert video to webm
ffmpeg -i be-hose.mp4 -acodec libvorbis -aq 5 -ac 2 -qmax 25 -threads 2 be-hose.webm

[] encrypted partitions
#to open
cryptsetup luksOpen /dev/sdd1 [devmappername]
#to close
cryptseup luksClose [devmappername]
#dump hd encrypted headers (if drive fs is damaged, you can restore from this dump)
cryptsetup luksHeaderBackup /dev/sdd1 > file.bk
#to restore header
cryptsetup luksRestore /dev/sdd1 –header-backup-file file.bk

Oct 282010
 
 October 28, 2010  Posted by at 12:20 pm documentation, Tutorial, vpn Tagged with: , ,  No Responses »

These are the manual instructions for installing and configuring OpenVPN client.

After having many problems over the years with openvpn gui breaking, I have devised a reliable work around. Create the following batch script, name it something like ovpnConnect.bat, and right click to “Run as Administrator”. This does require the openvpn gui from openvpn.net to be installed. It calls the openvpn.exe. You can also add multiple vpn client connections!

@echo off

net session >nul 2>&1
if %errorLevel% == 0 (
    echo Success: Administrative permissions confirmed.
) else (
    echo Failure: Please right click and "Run as administrator"
pause
exit 0
 )

cd "c:\Program Files\OpenVPN\config\" && "c:\Program Files\OpenVPN\bin\openvpn.exe" [userconfig].ovpn

Download openvpn gui at http://openvpn.net/index.php/open-source/downloads.html#latest-stable

Run installer

Leave the components section as default.

Accept the TAP driver install

Right click on OpenVPN GUI and select properties

Go to Compatibility tab and select “run this program as administrator”
(It requires admin priviledges because it needs to write routes for the new VPN tunnel. Without, it will connect but won’t know how to reach the other network.)

Get your OpenVPN configuration files from the system administrator. Copy and paste them into C:\Program Files\OpenVPN\config


ca.crt (certificate authority)
jason.crt (client certificate)
jason.key (client secret key)
jason.ovpn (client configuration). Here are the contents of jason.ovpn:

client
dev tun0
cert jason.crt
key jason.key
ca ca.crt
remote vpn.server 1194

Now you can launch OpenVPN GUI by double clicking the icon on the desktop (the one we just set to run as admin). This will launch the OpenVPN GUI into the system tray.

Click on system tray, right click on OpenVPN GUI, left click “Connect”.

If all goes well, you will successfully connect. The OpenVPN GUI systray icon turns green. Now you are on the Virtual Private Network!

Mar 122010
 
 March 12, 2010  Posted by at 1:52 am documentation, hardware Tagged with: , , , , , ,  No Responses »

The wonderful world of motherboard BIOS updates, is still old fashioned. Updates are often still built for Microsoft Windows environments. Often requiring MS DOS. Those of us who don’t have DOS, a floppy drive, an install of Windows 98 to create a bootable floppy, cheesy Pâté, or MS Windows for that matter ….. Here is a way one can flash that BIOS of your mobo using, our favorite free software licensed, operating systems and tools.

DISCLAIMER: Don’t attempt this unless you know what you are doing. I have never had problems doing this, BUT many things can go wrong and you CAN easily “brick” your hardware. Proceed at your own risk!!

We will be using FreeDOS, a wonderfully free and royalty exempt Microsoft DOS compatible operating system. Licensed under the General Public License (GPL).
Note: As usual, my posts require some knowledge of the command line.

wget http://www.fdos.org/bootdisks/autogen/FDOEM.144.gz
gunzip FDOEM.144.gz
mkdir floppy
sudo mount -o loop FDOEM.144 floppy/
ls floppy

you should see these files:
AUTOEXEC.BAT COMMAND.COM CONFIG.SYS KERNEL.SYS README sys.com

Download your BIOS update file from the manufacturer or vendor.
Note: Sometimes, the update will be distributed as a .exe (Windows Executable) file. Most likely it will actually be a compressed zip archive. You can use unzip to extract the .exe file.

Download the update using wget, then unzip the resulting image file “FDOEM.144” into the mounted folder: “floppy/”

wget http://path-to-your-bios-update/BIOS_UPDATE.zip
sudo unzip BIOS_UPDATE.zip -d floppy/

In this case, the following files are extracted from the BIOS_UPDATE.zip file:
inflating: BIOS.WPH
inflating: OEMPHL.EXE
inflating: OPTIONS.BAT
inflating: PHLASH16.EXE
inflating: releasenotes.txt
inflating: 1.BAT

now, move to the previous directory (cd ..), and un-mount the FDOEM.144 image:

cd ..
sudo umount floppy/

generate an el torito bootable iso image:

genisoimage -o flashboot.iso -b FDOEM.144 FDOEM.144

Now burn flashboot.iso to CD using wodim:

wodim flashboot.iso

Now you can boot from that cd and run your flash utility!! Read the BIOS update instructions on how to do this..

Feb 182010
 
 February 18, 2010  Posted by at 11:44 pm documentation, hardware Tagged with: , , , , , , , ,  1 Response »

Recently, I was installing debian on a new server and grub2 would not install gave me this error:

“This GPT partition label has no BIOS Boot Partition; embedding won’t be possible! grub-setup: error: Embedding is not possible, but this is required when the root device is on a RAID array or LVM volume.”

Of course, it being grub2, I jumped to the conclusion that grub2 was the problem. I installed legacy grub and got nowhere.
Doing the usual
grub> root (hd0,0)
grub> setup (hd0)
produces this error:
“file /boot/grub/stage1 not read correctly”

No matter what I did, it would not install. So, I went back to the original message and gave grub2 its due process. Turns out this Dell T410 uses GPT (GUID Partition Table) which is an extension of EFI. The “BIOS Boot Partition” is an actual partition on the hard drive. Grub2 embeds the core.img (multiboot boot kernel) into this BIOS boot partition instead of the MBR.
Here are two great resources on this subject:
http://www.rodsbooks.com/gdisk/index.html and
http://grub.enbug.org/BIOS_Boot_Partition

So, the solution:
I had to re-install Debian with a small partition. Apparently it can be under a few hundred KiB. Space is cheap and I didn’t want to have more problems, so I made mine 5MB and put it at the beginning of the disk. In the Debian partitioner, set the partition under “use as:” to “Reserved BIOS boot area“. Then continue with the rest of your partitions and install. Grub2 installed with no problems this time!

If using an older version of Debian, lenny (v5) or older. The “use as:” does not have an option for Reserved BIOS boot area. So, I booted into expert install mode, when you get to “Load installed components from CD” select parted. This will install parted in the install environment. Before you get to detect disks, do ctrl+alt+f2. On the command line you can manually create a bios boot area.

The following parted commands.

parted -a optimal /dev/sda mkpart 1 1 6

The above command creates the first (1) partition from 1MB of the drive to 6MB. -a optimal sets the block alignment for best performance. If you start the partition at 0 the alignment is wrong and parted will Warn: “The resulting partition is not properly aligned for best performance. Ignore/Cancel?”

parted /dev/sda set 1 bios_grub on

This sets /dev/sda1 as GPT grub bios partition. This partition will be found and used by grub on install.

Now, ctrl+alt+f1, and continue the install. Select manual partitioning and be sure not to delete the primary partition (gpt, grub bios) when creating your new partitions.

Do this to all drives in a raid!

After you boot into the fresh install, you can manually install to the other disks.

grub-install /dev/sdb

Now its installed on sda and sdb. In case sda fails, it should be able to boot from sdb.

 

Dec 192009
 
 December 19, 2009  Posted by at 4:50 pm documentation Tagged with: , , , , , ,  No Responses »

.
Automatic email setup add-on: Gmail IMAP Account Setup THUNDERBIRD VERSION 3 HAS NATIVE SUPPORT FOR GMAIL.

Manual email instructions: Setup Thunderbird according to gmail’s imap instructions

At the bottom of gmail’s instructions you will see “recommended settings“. Don’t follow the first recommendation, regarding deleting. Instead of actually (permanently) deleting email we can have it moved to the Trash folder, as if you were using the gmail web interface. Gmail has strange folders structure in imap. Here are a few steps to work with gmail folders (Of course, they call them labels :-)

Under Account settings -> Copies and Folders
1. un-check “place a copy in… sent”
2. change  “drafts and templates” to Other -> [your gmail address] -> [Gmail] -> Drafts
Note: Sent and Drafts will automatically show up in their respective folders, as long as you send mail through smtp.gmail.com.
3. Go to Options/Preferences (under tools or edit menu). Go to Advanced -> Config Editor. In the Filter box, type “mail.server.server” and look for the gmail address. Whichever number is in the X place of mail.server.serverX, is what you want to use for the new value.
Right click New -> String “enter mail.server.serverX.trash_folder_name” (X is the number that correlates to your gmail account, from above). Next enter “[Gmail]/Trash”. Restart Thunderbird. Delete something, if it does not go into the [Gmail]/Trash folder restart again. It should work after that. Now you can delete the Trash folder (represented as [Imap]/Trash in gmail)

Contact syncing: A few options.
A very popular and stable add-on Zindus Its great but does not support the address field syncing. (Enter your user/pass under Tools -> Zindus)
gContactSync has support for the address field but is very early in development. If any contacts have an empty email field it adds a @nowhere.invalid email address in Tbird. Thankfully this is not synced to your gmail account!
Also, This looks promising but does not work with Tbird3 Google Contacts.
BACKUP CONTACTS BEFORE SYNCING!

Calendar Sharing: Use the add-on Lightning (aka sunbird as a Tbird add on).  Lightning 1.0b1 does not integrate with Thunderbird 3 toolbar layout very well. It messed up the “file” “edit” and “view” menus. Although, they aren’t really missed by anyone and are sort of accessible if you really need them. Try it for yourself, its not too bad.
For native support follow the Google sunbird instructions for CalDav (recommended)
There is also another plugin called Provider for Google Calendar that can be used..

Oct 132009
 
 October 13, 2009  Posted by at 2:25 pm documentation, networking, wireless Tagged with: , , , , , , ,  No Responses »

start -> run -> regedit
make a backup, if you want.
goto:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}

look through the list of subkeys (0000, 0001, etc)
DriverDesc keyword will tell you which network adapter. For example, “NVIDIA nForce Networking Controller”
when you find it, right click and add -> new -> string value

new keyword:

Value Name: = NetworkAddress
Value Data: = your new MAC, with no space or : For example, 0019DB71C830

then type:

ipconfig /release
ipconfig /renew
ipconfig /all   (to verify the new mac took)

Now your a l33t Winblows H4|<3r! If you want to go back to your hardware MAC, remove the NetworkAddress key and restart the interface. FYI, in gnu/linux follow these simple steps to change your MAC address

ifconfig eth0 hw ether 00:19:DB:71:C8:30

if you get this error

SIOCSIFHWADDR: Device or resource busy - you may need to down the interface

do this

ifconfig eth0 down

and try to change the MAC again.

Oct 112009
 
 October 11, 2009  Posted by at 2:48 pm documentation, music Tagged with: , , , , , , , , ,  No Responses »

I wanted to share some notes on patching the Linux Libre kernel with realtime capabilities. The Linux-Libre project pulls out all the un-free bits from standard Linux. Contrary to popular belief, Linux has many non-free parts, small binary or obfuscated pieces of code for various hardware. I have a Lenovo T61 laptop. I removed the Intel wireless pci express card and put in a Atheros AR5008 wifi card using ath9k completely free wireless driver. Now my system (as far as I can tell:-) is completely free.

I make music and the realtime patch makes the latency of my system and soundcard very low. This is a unique advantage that the gnu/linux operating system gives its users. I highly recommend a realtime patch for anyone working with audio and video on gnu/linux.

Start by getting the rt patch http://www.kernel.org/pub/linux/kernel/projects/rt/ for the kernel version you want to compile.
Then get the corresponding Linux-Libre version http://www.linux-libre.fsfla.org/pub/linux-libre/releases/

tar xfvj linux-2.6.29.6-libre1.tar.bz2
cd linux-2.6.29.6
bzcat ../patch-2.6.29.6-rt23.bz2 | patch -p1

Now Linux is patched with realtime
now its time for

make menuconfig

from the RT How to:
* enable CONFIG_PREEMPT_RT
* activated the High-Resolution-Timer Option (Attention, the amount of supported platforms by the HR timer is still very limited. Right now the option is only supported on x86 systems, PowerPC and ARM Support are however in queue.)
* disabled all Power Management Options like ACPI or APM (not all ACPI functions are “bad”, but you will have to check very carefully to find out which function will affect your real time system. Thus it’s better to simply disable them all if you don’t need them. APM, however, is a no-go.) NOTE: Since rt patch 2.6.18-rt6 you will probably have to activate ACPI option to activate high resolution timer. Since the TSC timer on PC platforms, as used in the previous versions, are now marked as unsuitable for hrt mode due to many lacks of functionalities and reliabilties, you will need i.E. pm_timer as provided by ACPI to use as clock source. To activate the pm_timer, you can just activate the ACPI_SUPPORT in menuconfig and deactivate all other sub modules like “fan”, “processor” or “button”. If you have an old pc, which lacks ACPI support, you migh have problems using the high resolution timer.

I personally have not removed my power management options, as I use a laptop and want these features. I don’t notice any problems but have not tried it without them to know what I’m missing.

then compile the kernel, the debian way

fakeroot make-kpkg kernel_image
sudo dpkg -i linux-image-2.6.29.6-libre1-lapkah_2.6.29.6-libre1-lapkah-10.00.Custom_i386.deb

Here is my latest config and the debian package for libre realtime for lenovo t61

~ May your kernel build and your modules have your back ~