Dec 282014
 
 December 28, 2014  Posted by at 12:19 am hardware, Tutorial, wireless Tagged with: , , ,  No Responses »

I have many open-mesh OM1P units laying around from failed wireless projects. Needless to say I’m not a big fan of open-mesh and have some other projects in mind for this hardware. It was a painful process but well worth it. Now I have nice little OpenWRT units for any hacking pleasure.

I have made a concise synopsis of the openwrt wiki page for flashing proper firmware on the OM1p/Fon/Fonera/Accton/etc. Please visit http://wiki.openwrt.org/toh/fon/fonera#openwrt for more detail.

Begin with serial access
serial-ttl-om1p
You will need a TTL serial to usb or similar like this https://www.adafruit.com/products/284

Consult the openwrt wiki for pinout of om1p

Use minicom or screen to access it.

We need a tftp server (don’t worry its super easy if your using Debian :-).
I tried with http (apache) and it doesn’t work.

apt-get install atftpd

cd /srv/tftp/
wget http://downloads.openwrt.org/backfire/10.03.1/atheros/openwrt-atheros-vmlinux.lzma
wget http://downloads.openwrt.org/backfire/10.03.1/atheros/openwrt-atheros-root.squashfs

(don’t install anything newer than 10.03.1, this little thing is old)

stop network manager so we can assign static ip:
/etc/init.d/network-manager stop
assign static ip:
ip address add 192.168.0.2/24 dev eth0

connect to the usb serial:
screen /dev/ttyUSB0 9600

a few seconds into the boot you will see the following:

Board: ap51 
RAM: 0x80000000-0x82000000, [0x8003f640-0x80fe1000] available
FLASH: 0xa8000000 - 0xa87f0000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 3.000 seconds - enter ^C to abort

You have 3 seconds to press ctrl+c to interrupt the boot process and enter into redboot boot loader

On the om1p, in RedBoot, run the following commands.

Set the ip of redboot and the tftp server:
(Don’t forget to connect them with ethernet cable.)

RedBoot> ip_address -h 192.168.0.2 -l 192.168.0.1/24

IP: 192.168.0.1/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.0.2

download linux onto the om1p:
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma

Using default protocol (TFTP)
Raw file loaded 0x8003f800-0x8011f7ff, assumed entry at 0x8003f800

initialize the current flash partition, this will erase openmesh firmware, yay!:
RedBoot> fis init

About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

Now flash the kernel image to memory:
RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7

... Erase from 0xa8030000-0xa8110000: ..............
... Program from 0x8003f800-0x8011f800 at 0xa8030000: ..............
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

Now load the rootfs:
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs

Using default protocol (TFTP)
Raw file loaded 0x8003f800-0x8021f7ff, assumed entry at 0x8003f800

And then flash the rootfs:
RedBoot> fis create rootfs

... Erase from 0xa8110000-0xa82f0000: ..............................
... Program from 0x8003f800-0x8021f800 at 0xa8110000: ..............................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

Reboot the om1p:
RedBoot> reset

You will see OpenWRT booting and creating filesystems and such.

...
jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
jffs2_build_filesystem(): unlocking the mtd device... done.
jffs2_build_filesystem(): erasing all blocks after the end marker... done.
mini_fo: using base directory: /
mini_fo: using storage directory: /overlay
BusyBox v1.15.3 (2011-11-24 02:38:24 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 Backfire (10.03.1, r29592) ------------------------
  * 1/3 shot Kahlua    In a shot glass, layer Kahlua 
  * 1/3 shot Bailey's  on the bottom, then Bailey's, 
  * 1/3 shot Vodka     then Vodka.
 ---------------------------------------------------
root@OpenWrt:/#

Now we need to set a heartbeat for the hardware watchdog otherwise the om1p reboots every 5 minutes.

vi /etc/config/om1pwatchdog

#!/bin/sh
gpioctl dirout 3 ; gpioctl clear 3
sleep 1
gpioctl set 3

Make it executable:
chmod 755 /etc/config/om1pwatchdog

Run every 2 minutes:
crontab -e
add the following and save
*/2 * * * * /etc/config/om1pwatchdog

Start NM again, you will now get an ip from the om1p openwrt dhcp server.
/etc/init.d/network-manager start

connect with firefox at http://192.168.1.1

yay, no more crap open-mesh!

Oct 032013
 
 October 3, 2013  Posted by at 4:15 pm documentation, vpn Tagged with: , , ,  No Responses »

This outlines a typical VPN implementation with server, clients and routing. Using Attitude Adjustment 12.09

Set a password in LuCI web interface to enable ssh access. Then ssh to device and do the following.


opkg update
opkg install openvpn-openssl openvpn-easy-rsa

It is recommended to create the certificate authority on another computer, even one that is not connected to any network! Although, that requires more work than I usually care to do.

Because I have done an upgrade accidentally and overwritten my easy-rsa directory, and thus all keys/certs along with it, I now move this directory into /etc/config/openvpn-config.

mkdir /etc/config/openvpn-config
mv /etc/easy-rsa/ /etc/config/openvpn-config/
cd /etc
ln -s config/openvpn-config/easy-rsa

(this creates a relative symlink)

== CERTIFICATE AUTHORITY FOR OPENVPN ==
edit the following or don’t if you want to enter it manually on certificate creation.
At the end of the /etc/easy-rsa/vars file:

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US" <-*edit*
export KEY_PROVINCE="CA" <-*edit*
export KEY_CITY="SanFrancisco" <-*edit*
export KEY_ORG="Fort-Funston" <-*edit*
export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL=mail@host.domain
export KEY_CN=changeme <-*edit - servers hostname*
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234


clean-all
(run this to ensure your starting with a clean slate)
build-ca
build-dh
build-key-server servername_server
(don’t set a challenge password, Answer yes to sign the certificate and yes to commit.)

Instead of using UCI syntax (that I struck out below) we can break this out to be more openvpn standard and troubleshooting friendly. Also, I have added the ability to set static ip’s for the openvpn clients.

== OPENVPN SERVER CONFIG ==
Overwrite /etc/config/openvpn with the following config

config openvpn server_openvpn
option enabled 1
option config /etc/config/openvpn-config/server.conf

config openvpn lan
option enable 1
option port 1194
option proto udp
option dev tun
option ca /etc/easy-rsa/keys/ca.crt
option cert /etc/easy-rsa/keys/servername_server.crt
option key /etc/easy-rsa/keys/servername_server.key
option dh /etc/easy-rsa/keys/dh1024.pem
option ifconfig_pool_persist /tmp/ipp.txt
option keepalive "10 120"
option comp_lzo yes
option persist_key 1
option persist_tun 1
option status /var/log/openvpn-status.log
#option log /tmp/openvpn.log
option verb 3
option server "10.128.241.0 255.255.255.0"
option topology subnet
option client_to_client 1
list push "dhcp-option DOMAIN lan"
list push "dhcp-option DNS 192.168.233.1"
list push "route 192.168.233.0 255.255.255.0"

The following is the openvpn server config (that is called by /etc/config/openvpn) in /etc/config/openvpn-config/server.conf

float
port 1194
proto udp
dev tun
comp-lzo yes
ifconfig-pool-persist /tmp/ipp.txt
status /var/log/openvpn-status.log
mute 5
log /tmp/openvpn.log
keepalive 10 120
persist-key
persist-tun

dh   /etc/config/openvpn-config/easy-rsa/keys/dh2048.pem
ca   /etc/config/openvpn-config/easy-rsa/keys/ca.crt
key  /etc/config/openvpn-config/easy-rsa/keys/server.key
cert /etc/config/openvpn-config/easy-rsa/keys/server.crt

mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 10.128.241.0 255.255.255.0
route-gateway 10.128.241.1
push "route-gateway 10.128.241.1"
ifconfig-pool 10.128.241.20 10.128.241.254 255.255.255.0
push "route 192.168.233.0 255.255.255.0"
push "dhcp-option DNS 192.168.233.1"
client-to-client

#client-config-dir /etc/config/openvpn-config/clients

If you want to enable the static client ip assignments be sure to uncomment the client-config-dir above and make a directory as such.
mkdir /etc/config/openvpn-config/clients
write a file inside the clients directory with the same name as the common name of the openvpn client certificate.
For example, in a file /etc/config/openvpn-config/clients/jason
ifconfig-push 10.168.84.2 255.255.255.0

/etc/init.d/openvpn enable
/etc/init.d/openvpn restart

cd /etc/config/openvpn-config/
openvpn --config server.config

check for errors
cat /tmp/openvpn.log

Check for errors in the openvpn config syntax using uci show
uci show openvpn
The following will be displayed if there are no syntax issues. Use of the quotes are common mistakes.
openvpn.lan=openvpn
openvpn.lan.enable=1
openvpn.lan.port=1194
openvpn.lan.proto=udp
openvpn.lan.dev=tun
openvpn.lan.ca=/etc/easy-rsa/keys/ca.crt
openvpn.lan.cert=/etc/easy-rsa/keys/servername_server.crt
openvpn.lan.key=/etc/easy-rsa/keys/servername_server.key
openvpn.lan.dh=/etc/easy-rsa/keys/dh1024.pem
openvpn.lan.ifconfig_pool_persist=/tmp/ipp.txt
openvpn.lan.keepalive=10 120
openvpn.lan.comp_lzo=1
openvpn.lan.persist_key=1
openvpn.lan.persist_tun=1
openvpn.lan.status=/var/log/openvpn-status.log
openvpn.lan.verb=3
openvpn.lan.server=10.128.241.0 255.255.255.0
openvpn.lan.topology=subnet
openvpn.lan.client_to_client=1
openvpn.lan.push=dhcp-option DOMAIN lan dhcp-option DNS 192.168.233.1 route 192.168.233.0 255.255.255.0

== NETWORK ==

Now lets setup the tun interface so that we can add zones
networ-interface-vpn0
in /etc/config/network or in LuCI.

config interface 'vpn0'
	option proto 'none'
	option ifname 'tun0'

 

 

== FIREWALL ZONE ==

Create a zone called openvpn_zone with vpn0 network.
openvpn_zone

in /etc/config/firewall

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'openvpn_zone'
	option network 'vpn0'
	option forward 'REJECT'

 

We now explicitly declare the forwards like this.
openvpn_zone to lan zone allow

config forwarding
	option dest 'lan'
	option src 'openvpn_zone'

openvpn_zone to wan allow, if you want openvpn clients to use the wan for example if using redirect-gateway

config forwarding
	option dest 'wan'
	option src 'openvpn_zone'

openvpn_zone to lan allow

config forwarding
	option dest 'openvpn_zone'
	option src 'lan'

 

== FIREWALL TRAFFIC RULE ==

Allow the openvpn server to accept connections from clients out in the world.
openvpn2device

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
	option name 'openvpn2device'
	option enabled '0'

An overview of traffic rules

openvpn_traffic_rules

 

 

 

 

 

 
** NOTE: Occasionally, I have had to reboot for the above zone’s to work **

== Optional firewall rules to use, instead of using the zones. Not recommended ==
in /etc/firewall.user

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Allow all traffic in and out of the tun interface.
iptables -A input_rule      -i tun+ -j ACCEPT
iptables -A output_rule     -o tun+ -j ACCEPT
# This rule will allow traffic towards internet from tun
iptables -A forwarding_rule -i tun+ -j ACCEPT
iptables -A forwarding_rule -o tun+ -j ACCEPT

 

== USER CONFIGURATION ==
build-key jason
or you can run build-key-pass to issue a key that asks the user to enter the password before it is used (more secure).
Once you have completed the build-key, being sure to answer yes to signing the certificate and commit.

Now you need to get the keys for jimmy and the ca.crt (not ca.key!). Each client needs these files to connect.
scp /etc/easy-rsa/keys/jason.* jason@192.168.1.78:jason-vpn
scp /etc/easy-rsa/keys/ca.crt jason@192.168.1.78:jason-vpn

Then create the client config in the same directory as the crt’s and keys. If your installing this on a windows box then you should run unix2dos on all the files.
Create a file called jason.ovpn in jason-vpn directory as such

nobind
comp-lzo
dev tun
remote hostname-to-server 1194 udp
client
tls-exit
ca ca.crt
cert jason.crt
key jason.key
remote-cert-tls server
mute 5
resolv-retry infinite
explicit-exit-notify
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
#redirect-gateway def1

I have a script to help with client config http://jasonschaefer.com/stuff/easyrsa-user-setup-openwrt.sh.txt

Test the server by connecting from off-site.
cd into your local config directory where your certs, keys and .ovpn config are.
sudo openvpn jason.ovpn
enter your sudo password

You should see something like this at the end of the openvpn output:

Fri Feb 28 22:19:01 2014 /sbin/ifconfig tun0 10.128.241.4 netmask 255.255.255.0 mtu 1500 broadcast 10.128.241.255
Fri Feb 28 22:19:01 2014 /sbin/route add -net 192.168.233.0 netmask 255.255.255.0 gw 10.128.241.1
Fri Feb 28 22:19:01 2014 Initialization Sequence Completed

and you will see a tun interface

# ip a
38: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 10.128.241.4/24 brd 10.128.241.255 scope global tun0
valid_lft forever preferred_lft forever

and the correct route has been pushed to you

# ip r
192.168.233.0/24 via 10.128.241.1 dev tun0

== REVOKING A USERS KEY ==

add the following line to /etc/config/openvpn:
option crl_verify /etc/easy-rsa/keys/crl.pem

run “revoke-full” with users key as argument:

revoke-full [key-to-revoke]

restart openvpn:

/etc/init.d/openvpn restart

Jul 072013
 
 July 7, 2013  Posted by at 12:54 pm firewall, networking, Tutorial, wireless Tagged with: , ,  10 Responses »

In this scenario we will be implementing a openWRT as a wireless access point only. One wireless essid will be LAN accessible and the other will be segregated from the LAN but able to access the WAN. The openWRT in this example will not be the gateway to the network. Another device is the gateway and there is an existing dhcp server.

                            PUBLIC wifi
                         172.16.134.0/24
                                  |
                     public gateway and dhcp server
                            172.16.134.1
                                  \
                   Source NAT to 10.101.101.10
                                              \
ISP <-Gateway-> LAN wired 10.101.101.0/24 <-openWRT-> 
                                              /
                           LAN wifi (wpa2+aes)
                           10.101.101.0/24

1. Add a new wireless access point

wifinogw.1.add-wireless-essid

2. Settings for the new wireless access point. Create a new network interface of “public”. Don’t use any encryption, as this is for general public use.

wifinogw.2.wifi-settings

3. Edit network interface for the public network

wifinogw.3.public-interface-edit

4. Edit PUBLIC interface settings. Set to static address and enable DHCP server for this new network.

wifinogw.4.pub-int-settings

5. Edit the LAN interface. Set the lan interface to an un-used ip of the existing network. Don’t set to “dhcp client” as you will lose connectivity and need to perform a recovery on your openwrt device. Be sure to disabled the DHCP server as the existing network already has one.

wifinogw.5.lan-settings

6. Add a new zone and call it “public_zone”. Masquarade it and put it in the public network. Allow forwarding to and from “lan” zone. We will limit this later with specific firewall rules.

fw_public_zone

7. This is what the general firewall zones should look like

wifinogw.7.fw-general-overview

8. Under the Firewall -> Traffic Rules section add a new Source NAT Rule. Call it “pub2lan“. Set the “Source zone” to “public_zone” and the “Destination zone” to “lan” and set the drop down option “To source IP” to br-lan interface, in this example its 10.101.101.10. Leave “To source port” blank. This SNAT rule will translate all traffic on the public wireless network of 172.16.134.0/24 into the IP of 10.101.101.10. This is the redirect rule from /etc/config/firewall
wifinogw.8.fw-tr-snat

config redirect
option target 'SNAT'
option src 'public_zone'
option dest 'lan'
option proto 'all'
option name 'pub2lan'
option src_dip '10.101.101.10'
option enabled '1'

9. Setup a “New forward rule:” Set name to allow2gw or similar. Source zone to “public_zone” Destination zone to “lan” Click “Add and edit…” Protocols should be “Any”, Destination address is the gateway of the network. In this case 10.101.101.1. The following is the /etc/config/firewall rule for reference. This will allow traffic from the public_zone to reach the gateway of the network.

wifinogw.9.fw-tr-forward-allow2gw

config rule
option target 'ACCEPT'
option proto 'all'
option name 'allow2gw'
option src 'public_zone'
option dest 'lan'
option dest_ip '10.101.101.1'

10. Setup a “New forward rule”. Set the name to drop2lan or similar. Set the Source zone to “public_zone” and Destination zone to “lan”. Click “Add and edit…” Set Protocol to “Any”, Destination address to custom and enter the subnet of the LAN. In this case its 10.101.101.0/24, set “Action” to “drop”. You can add more rules like this one to limit access to other networks or hosts as needed.

drop2lan

config rule
option name 'drop2lan'
option src 'public_zone'
option proto 'all'
option target 'DROP'
option dest 'lan'
option dest_ip '10.101.101.0/24'

 

11. Firewall Traffic Rule overview. There is an error on this view. The following rules have “option proto ‘all'” set and the luci web interface shows “Any TCP+UDP”. This is simply a bug in the luci interface and can be ignored. The order of these rules is very important. In this case you can see we added the “Allow to 10.101.101.1” before the “Drop to 10.101.101.0/24”. If reversed, the lan including the gateway would not be accessible from the public wireless AP. Therefore, you would not be able to reach the Internet.

wifinogw.11.fw-tr-overview

May 232013
 
 May 23, 2013  Posted by at 10:59 am firewall, networking, wireless Tagged with: , ,  No Responses »

In this post I will outline how to use zones to create public firewalled networks. A device that can bring up multiple interfaces per radio is very attractive here. One essid for private wireless and another for open public wireless. The Atheros ath9k chipsets are very well supported in this regard because they are free software.
This post is different than my older post where we have a private LAN behind our WAN interface that we need to protect… In this scenario we have our ISP connected directly to the openWRT WAN port and we need to bring up a public wireless that is segregated from the LAN. Like so:

                                         "public wifi"
                                                 /
ISP <-openWRT fw-> LAN 192.168.1.0/24 <-public_zone-> PUBLIC 172.16.134.0/24
                        \ 
                 "private LAN wifi"

Obviously the zone can be utilized however you like. Another common option would be to firewall a open wireless network from the LAN. And forgo the insecure nature of a “secured” wireless altogether. The OpenWRT could be running openvpn, that you connect to over the “insecure” wireless, now thats secure!

The following steps are done via the web interface (luci).

1. Start by adding a new wireless interface. In this case to the 5ghz radio. You can do this again for the 2.4ghz radio. wireless 1. add

2. Set the essid and network name “public”. This will allow us to use firewall zones to segregate the networks, rather than excluding individual rfc1918 subnets like in the first example.wireless 2. new wifi settings

 

3. Edit the interface “PUBLIC” so that we can set it as a static ip.wireless 3. edit interface

4. Change the protocol to “static address” set a ip for it and a subnet. DO NOT set a gateway. This will write a new default gateway to the routing table and cause the internet to break occasionally. Setup a dhcp server for this network.wireless 4. public interface

5. In the firewall section. Setup a zone called something like “public_zone” and assign it to the “public” network. And allow it to forward to “WAN” zone.wireless 5. firewall zone

6. This is what the general firewall zone’s should look like now.wireless 6. general firewall zone

Be sure to test it. Connect to the public and try and nmap a known host on the private and vice versa. A few times I have needed to reboot the router for everything to start working properly. It could be because I tinkered too much and caused a hickup. Just something to keep in mind..

 

Apr 262013
 
 April 26, 2013  Posted by at 12:45 pm Tutorial, vpn Tagged with: , , ,  4 Responses »

DON”T USE PPTP ITS INSECURE!! USE OPENVPN INSTEAD. HERE IS A TUTORIAL -> http://jasonschaefer.com/openvpn-on-the-openwrt

That said, if you want to setup pptp on the openwrt here is a guide.
The router is Backfire 10.03.1 at address 192.168.11.1/24. This configuration will setup the PPtP VPN server and it should be pointed out that its not a very secure VPN. Basically, it requires that someone capture the authentication handshake of a pptp connection. Then extract the keys and crack the hashes or bruteforce. There is a service that was released last year that will crack these keys and produce the authentication hash, that can auth as the password. This was done to encourage people to stop using this lame technology. Here is a great write up that will answer all questions https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

With the above insecurity disclaimer and a note that this really shouldn’t be used for anything requiring real security. I proceed..

opkg install pptpd kmod-mppe

== /etc/pptpd.conf ==

#debug
option /etc/ppp/options.pptpd
speed 115200
stimeout 10
localip 192.168.11.1
remoteip 192.168.11.40-49

== /etc/ppp/options.pptpd ==

debug
logfile /tmp/pptp-server.log
192.168.11.1:
auth
name "pptp-server"
lcp-echo-failure 3
lcp-echo-interval 60
default-asyncmap
mtu 1482
mru 1482
nobsdcomp
nodeflate
proxyarp #required to be able to connect to the lan subnet without being directly connected.
#noproxyarp
#nomppc
mppe required,no40,no56,stateless
require-mschap-v2
refuse-chap
refuse-mschap
refuse-eap
refuse-pap
ms-dns 192.168.11.1

== /etc/ppp/chap-secrets ==

#USERNAME PROVIDER PASSWORD IPADDRESS
jason * testypass *

== /etc/firewall.user ==

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Allow all traffic in and out of the ppp interface. No reason to specify nets.
iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT
# This rule will allow traffic towards internet
iptables -A forwarding_rule -i ppp+ -j ACCEPT

== /etc/config/firewall ==

config 'rule'
option 'target' 'ACCEPT'
option '_name' 'pptpd'
option 'src' 'wan'
option 'proto' 'tcpudp'
option 'dest_port' '1723'
Mar 042011
 
 March 4, 2011  Posted by at 1:33 pm documentation, Tutorial Tagged with: , , , , , , , , , , , , , , ,  No Responses »

Here are some random notes that I find useful. I also tend to forget and use as reference.

== LINKS ==
iproute2 cheat sheet by dmbaturin http://baturin.org/docs/iproute2/

Speedtest site that doesn’t require crap software. It only uses html5 SpeedOf.Me or bandwidthplace.com

data transfer calculator
http://techinternets.com/copy_calc

[] Vim reference

:e filename (open filename)
:q! (quit, don’t save)
:w (write/save)
:wq (write and quit)
:x (write if changed, otherwise exit)
a (insert after)
A (insert after line)
h j k l (left, down, up, right)
$ (move to end of line)
^ or 0 (move to beginning of line)
G (move to end of file)
gg (move to top of file)
:n (move to “n” line, n=number)
x (delete to the right)
X (delete to the left)
D (delete to the end of line)
dd (delete current line)
yy (yank/copy current line)
V (begin highlight, up and down to select “y” to yank selection)
vn (yank “n” lines below cursor, n=number)
p (put/paste)
u (undo)
/string (search for “string”)
n (search for next string match)
:s/yellow/green/gc (replace yellow with green on current line, g is for global, each match is replaced in a line, instead of the first match in a line. c is for confirm/ask)
:%s/yellow/green/g (replaces yellow with green on the entire page)
:%s:/usr/local/bin:/opt/users/bin:g (use something other than / as delineation so you don’t have to escape “/”. Like this nasty example: :s/\/usr\/local\/bin/\/usr\/loca\/bin)
:%s#http://jasonschaefer.com#https://jasonschaefer.com#g (Switch the delimiter to # for strings with : and / to avoid annoying escapes!)

[] bash tricks
stop bash history:
unset HISTFILE

[] find command
find . -name "name" -exec [command goes here] {} \;
find . -type d -exec chmod 750 {} \;
recursively changes type directories to user=rwx, group=r-x, other=—
find . -type f -exec chmod 664 {} \;
recursively changes type file user=rw-, group=rw-, other=r– (so that files are not executable)
find /home/BACKUP -mtime +14 -exec rm -fr {} \;
-mtime options:
n exactly n days
+n more than n days
-n less than n days

to convert all backslash \ to forward slash /
find . -type f -iname *.xml -exec sed -i 's:\\:/:g' {} \;

find hard links (directories have multiple links so use type file and not with 1 link)
find /path -type f ! -links 1

[] Image Conversions and Resizing in batch groups
This will resize all jpg’s in the current directory “.” to 1024×768 and put them in the directory small
find . -iname "*.jpg" | xargs -l -i convert -resize 1024x768 {} small/{}
You can replace the “convert -resize” with convert -quality 85% to compress the images instead.
convert is a part of imagemagick

[] Edit EXIF data on images
Using exiftool to shift wrong date caused by a camera with the wrong time. man Image::ExifTool::Shift.pl for a manual.
example:
exiftool "-AllDates+=1:0:21 0:0:0" *.JPG
This adds (+=) 1 year, 0 months and 21 days, 0 hrs, 0 min, 0 sec to all files ending in .JPG

[] tar
tar with various exclude examples
tar zcfv backup-website.tar.gz --exclude=stuff --exclude=path/to/stuff --exclude="more stuff with spaces in the name" --exclude=*.wild /home/website

[] chmod tricks
chmod can be used in a way where it preserves executable permissions, if they are already present. using upper X
chmod -R u=rwX,g=rwX,o=rX /path/to/
This recursively (-R) sets user and group to rw- dirs and files that don’t already have executable permissions (the X is similar to x but preserves executable perms if they were preexisting). If the dir or file has any executable permissions then it sets user and group to rwx. This can be handy if you want to change lots of files and dirs at once but not make files executable. For instance, chmod -R u=rwx,g=rwx would blanket files and dirs making them all executable. Of course, using find with type and exec can more explicitly set permissions. But it will reset any executable files as well. Thus the benefit of chmod and X.
To see what files are executable, if any, do
find /path/ -executable -type f

[] How to recursively force a group permission + umask per user on gnu/linux.
First you can recursively set the desired owner and group. Recursive is optional, only needed if you have sub dirs.
chown -R root.users /path/to/dir
Then force all files and directories created under /path/to/dir to be owned by the creator and the group will be set to “users” group. Notice the chmod g+rwxs is adding the (s)etGID bit for the group.
find /path/to/dir -type d -exec chmod g+rwxs {} \;
You will notice that when a user now creates files or directories under /path/to/dir they come out as (on a typical system)
-rw-r--r-- 1 jason users 0 Aug 29 16:49 this is a file
drwxr-sr-x 2 jason users 6 Aug 29 16:49 this is a directory

You will need to change your umask. You can find it under your home directory in ~/.profile
Uncomment or add umask 002 so that the group “users” will be able to read your files and execute your directories.

[] changing default new file or directory permissions, umask on debian wordaround for http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646692
change /etc/login.defs
UMASK 022 (equivalent to 644/rw-r–r– files and 755/rwxr-xr-x directories)
to
UMASK 002 (equivalent to 664/rw-rw–r– files and 775/rwxrwxr-x directories)

If that doesn’t work. Enable the pam_umask module like this.
echo "session optional pam_umask.so usergroups" >> /etc/pam.d/common-session
[] Rename multiple files

remove space from all files ending in .mp3
rename 's/ //'g *.mp3
rename all files ending in .ZIP to .zip
rename 's:\.ZIP:\.zip:' *.ZIP

[] search and replace text within a group of files

find /etc/NetworkManager/system-connections/ -exec sed -i "s/mac-address=0:1e:4c:27:40:00/mac-address=EC:55:F9:0F:5D:00/g" {} \;
use -name, -type to refine the match if you need.

jedit is a gui program that can do this.

[] SSH stuffs

copy your ssh public key to remote hosts ~/user/.ssh/authorized_keys file
ssh-copy-id user@host

Use ‘ssh-add’ to add your private key to the ssh-agent, so you don’t need to type your passphrase each time you ssh someplace.

create a listen socket on your local computer, that redirects port to a host on remote network (10.9.8.2)
ssh -L localhost:3389:10.9.8.2:3389 user@host
-L [bind_address:]port:host:hostport
(now you can rdesktop to localhost and it will connect to the remote 10.9.8.2)
rdesktop -g90% localhost

create a remote socket that forwards port 2222 on localhost of server to port 22 on initiating host.
Useful for remote support sessions.
ssh -R localhost:2222:localhost:22 user@hostname
-R [bind_address:]port:host:hostport
(now you can ‘ssh -p2222 localhost’ from the server and reach the host)

create a socks4/5 proxy over ssh
ssh -D8080 user@hostname
(now you can configure your browser to use socks5 proxy at localhost:8080 and you can reach the remote networks web servers, or just use it to securely proxy your web traffic through the remote hosts internet connection)

[] Sending mail with telnet:
telnet hostname 25
helo me
mail from:myaddress@mydom.com
rcpt to:youraddress@yourdom.com
data
This is a test
.

(thats a newline [enter] – period – and another newline [enter])

[] Fix MBR for windows
http://ms-sys-free.sourceforge.net/

from gnulinux:
ms-sys -m /dev/hda

from msdos or nt recovery console:
fdisk /mbr

[] Batch and snippets (yuck)
http://www.allenware.com/icsw/icswidx.htm

echo Cleanup .bak files older than 7 days
forfiles /p d:\backup /m *.bak /d -7 /c "cmd /c del /q @path"

echo Set variable date as yyyymmdd
set date=%date:~-4,4%%date:~4,2%%date:~-7,2%
echo %date%

[] Filesystem stuff

make clone image of sda
dd if=/dev/sda of=/dev/sdb bs=4096 conv=notrunc,noerror

notrunc or ‘do not truncate’ maintains data integrity by instructing dd not to truncate any data.
noerror instructs dd to continue operation, ignoring all input errors. Default behavior for dd is to halt at any error. Useful when imaging damaged drives.
bs=4096 sets the block size to 4k, an optimal size for hard disk read/write efficiency and therefore, cloning speed.

backup mbr
dd if=/dev/sda of=mbr.backup bs=512 count=1

check status of dd transfer (use pgrep to find process id, kill to send user define signal 1, dd progress will be displayed on terminal where dd was run)

kill -USR1 $(pgrep ^dd)

mount image
losetup /dev/loop0 sda.img
mount /dev/loop0 /mnt

xfs filesystem and xfsprogs
Determine the amount of fragmentation on sda2
xfs_db -c frag -r /dev/sda2

Filesystem re-organizer, by default, with no arguments. It re-organizes files in mounted partitions for 2 hours. Use -t to change the time.)
xfs_fsr
These tools reside in the xfsdump package

[] Recover Files
testdisk (recover lost partitions)

photorec (part of the testdisk suite)

foremost sda.img
-t (type doc,jpg,exe etc. all is default)
-a (no error detection, recovers partial files)
-d (indirect block, use for nix filesystems)
-o (output dir)
-T (timestamp output dir)

extundelete /dev/sda1 –restore-directory /home/jason

https://help.ubuntu.com/community/DataRecovery
https://wiki.archlinux.org/index.php/File_Recovery#Working_with_Raw_Disk_Images

[] KVM Virtualization

Interface config for bridging to virtualized client /etc/network/interfaces
wireless interfaces rarely ever support bridging.

# The primary network interface
iface eth0 inet manual
auto br0
  iface br0 inet dhcp
  bridge_ports eth0
  bridge_stp off
  bridge_waitport 0
  bridge_fd 0

Resize/Add storage to kvm image:
dd if=/dev/zero of=myvirtualhost.img bs=1M count=78k oflag=append conv=notrunc
notrunc MUST be used or else append will overwrite beginning of image.

Alternately, creates a sparse file which suffers from fragmentation and possible corruption if host system doesn’t provide proper space for the sparse image to fill into. So its not recommended.
truncate -s +10G image.raw
Alternate method sparse:
qemu-img create -f raw addon.img 10G
be sure to make a backup of original.img
now you can append addon.img to original.img
cat addon.img >> original.img

Now, boot the .img vm and use cfdisk to partition the new space. Reboot, and build a filesystem OR boot the instance with a live distro that has gparted and merge/resize the new partition with the old.

Convert a qcow2 image to raw image and remove the sparsity (-S 0 is non-sparse).
qemu-img convert -p -O raw -S 0 win7pro.qcow2 win7pro.img

Also, fallocate is a great way to allocate non-sparse file images. “preallocation is done quickly by allocating blocks and marking them as uninitialized, requiring no IO to the data blocks. This is much faster than creating a file by filling it with zeroes”
fallocate -l 128GiB virtualhost.img

Backup virtual images into a sparse file to save space
cp --sparse=always winblows7.img SNAPSHOTS/winblows7.img_oct06-2017
Be sure to unsparsify the file if you need to restore it!
cp --sparse=never SNAPSHOTS/winblows7.img_oct06-2017 winblows7.img

[] KVM with Windows

The best way to get virtio is on install. Download the block driver floppy image and attach it, I use virt-manager. Set your hard drive to type virtio and start your windows install. It will will prompt you to press f6 to install third party drivers. Then press S (you have a disk from a third party manufacturer, your floppy image)

If you already have a disk type IDE and want it to be virtio (better). Then do this:
1. Create a temporary image
kvm-img create -f qcow2 temp-virtio.img 1G
2. Shutdown your virtual machine and attach temp-virtio.img as a hard drive, as type virtio.
3. Attach the virtio-win-x.x.x.vfd (i used the one from fedoraproject.org, see below) to you virtual machine
4. Boot up and install the drivers
5. Shutdown, remove the old hard drive image and re-add it as type virtio
6. Boot up and since you already installed the drivers it will boot. Otherwise, you get BSOD..
(You can remove the temp-virtio.img and floppy image).. All done.

For network drivers.. Shutdown, set the “device model” to virtio. Attach the NETKVM-xxxx.iso as a cdrom. Bootup and install drivers. yay!

virtio network drivers, quamranet
http://sourceforge.net/projects/kvm/files/kvm-driver-disc/

virtio block device drivers (aka, hard drive)
http://alt.fedoraproject.org/pub/alt/virtio-win/latest/images/bin/ or
http://sourceforge.net/projects/kvm/files/kvm-guest-drivers-windows/

[] Windows Policy

run gpedit.msc to edit policy

to backup or move to new host, copy the following
%systemroot%\system32\GroupPolicy\Machine and User dirs

to apply changed policy’s
gpupdate /force

[] RDP tricks

plain old vnc is no more, not to say its not useful but xrdp is a super combo rambo pack. when it comes to ease of use, autostart scripts in debian, built in encryption, performance and cross platform the xrdp project rules the roost. Follow these simple steps.
on server: apt-get install xrdp
done;
on client: rdesktop -g95% [server name or ip]
-g is for geometry, look it up in man rdesktop
done; wow!
obviously, you will need rdesktop or some other remote desktop protocol installed on the client.
If you have issues with the arrow up and down keys minimizing and maximizing your X terminal do the following:
In gnome, use gnome-control-center -> Go to keyboard ‘Shortcuts’ tab, ‘Windows’ on the left pane -> select super+up and super+down shortcuts -> press backspace to disable these shortcuts on these actions.

SeamlessRDP http://www.cendio.com/seamlessrdp/
rdesktop -A -s "c:\seamlessrdp\seamlessrdpshell.exe c:\program files\internet explorer\iexplore.exe" -u username -p password hostname
uhhh, for the record I have NEVER gotten this to work properly. Please contact me if you have!

[] Self Signed certificate on debian, the easiest way possible
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/hostcert.crt
This script will ask for a domain and write the certificate. to /etc/ssl/private/hostcert.crt

https://www.ssllabs.com/ssltest/analyze.html

[] OpenVPN reference
analyze a certificate
openssl x509 -text -in jason.crt
openssl x509 -noout -in jason.crt -subject
recommended ovpn:

remote [host] 1194 udp
float
client
dev tun
mute 5
nobind
comp-lzo
tls-exit
remote-cert-tls server
resolv-retry infinite
explicit-exit-notify
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
#redirect-gateway def1
ca ca.crt
cert [user].crt
key [user].key

[] tshark and tcpdump packet capture

To run tshark remotely and pipe results back to wireshark locally. Can be tcpdump instead of tshark. Needs root access..

ssh root@server 'tshark  -w -' | wireshark -k -i -

Examples of filter
also check the man page for pcap-filter
man pcap-filter
Common uses —
tshark -i eth0 host 10.0.1.10
tshark -i eth0 net 10.0.1.0/24
tshark -i eth0 port 80
tshark -i eth0 port 80 and host 10.0.1.10 and not port 22
tshark -i eth0 tcp port 80 or tcp port 443 -V -R “http.request || http.response”

 
[] OpenWRT Notes

OpenWRT failsafe recovery mode
http://wiki.openwrt.org/doc/howto/generic.failsafe

flashing with atftp (follow the instuctions for particular device at http://wiki.openwrt.org/toh/start)
curl -T openwrt-xxxx-xxxxx-squashfs-factory-xxxx.img tftp://192.168.1.1
or the more complicated annoying way
atftp --trace --tftp-timeout=1 --put --local-file openwrt-xxxxx-xxxxx.img 192.168.1.1

Setup SSL/TLS (https) for Luci web interface and disable insecure plaintext (http)
opkg install luci-ssl
be sure the following is commented out in /etc/config/uhttpd
# HTTP listen addresses, multiple allowed
# list listen_http 0.0.0.0:80
# list listen_http [::]:80

Also change the cert px5g options to be more unique and add more days to the self signed certificate.
/etc/init.d/uhttpd restart


Disable/Enable Wireless on a schedule, automatically

The first line will use bridge control to remove the wireless interface (wlan0-1) from the lan bridge (br-lan) at 22:30. The next cron will add the interface back at 6:00. Redirect (>) all output to dev null. Substitute wlan0-1 for whichever interface you need to. Add this to crontab:
30 22 * * * brctl delif br-lan wlan0-1 >/dev/null 2>&1
0 6 * * * brctl addif br-lan wlan0-1 >/dev/null 2>&1

use “brctl show” to see which interfaces are in the bridge:

root@OpenWRT:~# brctl show
bridge name	bridge id		STP enabled	interfaces
br-lan		7fff.c6031578e51d	no		eth0.1
							wlan0
							wlan0-1

[] Cron and wget with Afraid free DNS
Its best to use curl. Install curl with opkg update and then opkg install curl or apt or yum, etc.
*/10 * * * * /usr/bin/curl -k https://freedns.afraid.org/dynamic/update.php?[random string]

wget is overly complicated… but if its all you got, then its great.
*/10 * * * * /usr/bin/wget --no-check-certificate -O - https://freedns.afraid.org/dynamic/update.php?[random string] > /dev/null 2>&1

add to /etc/rc.local so that it updates immediately on bootup. This doesn’t always work if the wan interface isn’t operational at time of execution.

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
/usr/bin/curl -k https://freedns.afraid.org/dynamic/update.php?[random string]
exit 0

 

[] MYSQL

mysql> create database newdb;

mysql> CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';
mysql> GRANT ALL PRIVILEGES ON newdb . * TO 'newuser'@'localhost';

(GRANT ALL PRIVILEGES ON [database name].[table name] TO ‘[username]’@’localhost’;)

mysql> SET PASSWORD FOR 'newuser'@'localhost' = PASSWORD('newpassword');

mysql> DROP USER 'newuser'@'localhost';

update table g2_PluginMap and set column g_active to 0 where column g_pluginID is captcha. This disables the captcha plugin in gallery2
UPDATE g2_PluginMap SET g_active = '0' WHERE g_pluginId = captcha;
DELETE FROM g2_FactoryMap WHERE g_implModuleId='captcha';

(unrelated to mysql, you will need to clear the cache to fully disabled this plugin -> http://your-domain.tld/gallery/lib/support/index.php

[] RSYNC
rsync highlights:
typical use —
rsync -av --delete --stats --exclude media/* /home/ /mnt/usb/rsync-home-mirror
copy [a]rchive, [v]verbosely, –delete any files on the destination that don’t exist in source (mirror), show transfer [stat]istics, [exclude] any files inside directory media, copy contents of /home/ into /mnt/rsync-home-mirror

advanced use — useful for copying entire OS
rsync -aAHXi --super --numeric-ids /source/ /destination
-a archive, -A copy ACL, -H copy hard links, -X copy extended attributes, -i show changes, –numeric-ids preserves uid and gid numerically instead of by name.

Use -n to do a dry run! Especially valuable when using –delete switch.

You can think of a trailing / on a source as meaning “copy the contents of this directory” as opposed to “copy the directory by name”

rsync over ssh
rsync -aiz /source/path username@192.168.1.10:/remote/destination/path
rsync -aiz user@host:/remote/source /local/destination

[] fstrim
fstrim one-liner for cron. every sunday at 12:30 timestamp the log and include two partitions, / and /home.
30 12 * * 0 /bin/date +\%c > /tmp/fstrim.log && /sbin/fstrim -v / >> /tmp/fstrim.log 2>&1 && /sbin/fstrim -v /home >> /tmp/fstrim.log 2>&1

[] wget

for range in {1..7};do wget http://URL/Episode$range.mp3 ; done
for range in {{1..3},{5..7}};do wget http://URL/Episode$range.mp3 ; done
Mirror entire site with wget
wget --mirror -p --convert-links http://URL
or
wget --recursive --no-clobber --page-requisites --html-extension --convert-links --no-parent --domains website.org http://website.org
[] ffmpeg

convert video to webm
ffmpeg -i be-hose.mp4 -acodec libvorbis -aq 5 -ac 2 -qmax 25 -threads 2 be-hose.webm

[] encrypted partitions
#to open
cryptsetup luksOpen /dev/sdd1 [devmappername]
#to close
cryptseup luksClose [devmappername]
#dump hd encrypted headers (if drive fs is damaged, you can restore from this dump)
cryptsetup luksHeaderBackup /dev/sdd1 > file.bk
#to restore header
cryptsetup luksRestore /dev/sdd1 –header-backup-file file.bk

Oct 072009
 
 October 7, 2009  Posted by at 7:14 pm firewall, wireless Tagged with: , , ,  No Responses »

The updated and more flexible way to do this is outlined here. It also requires updated hardware. The wrt54gl only supports openwrt v10 (backfire). I would like to add that despite the wrt54gl literally being ancient, its still a rock solid device today. Of course, only if openwrt is installed!

A while ago Second Street Brewery asked for a good stable public wireless internet connection. Of course, the solution was obvious, openwrt! In this case a linksys wrt54gl. The office, point of sale and public networks all share the same gateway. The problem was segregating the public wireless network from the private office lan. Sam (http://thepromisedlan.org) and I set out to setup a firewall to protect them. This is what we came up with:

         "secured office wifi"
                /
ISP <-fw-> office LAN 10.1.10.0/24 <-fw-> (linksys) "open public wifi" 
(clients on public wifi cannot reach 10.1.10.0/24 or any other private subnet)

check if the following is in /etc/config/firewall otherwise, add it

config include
option path /etc/firewall.user

and in /etc/firewall.user we put:

#Insert this into the chain, so 10.1.10.0/24 (office) can connect to public 192.168.10.0/24.
#This rule gets repeated by the setup script /etc/init.d/firewall.
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

#block all traffic to any possible private network address (10.*.*.*, 172.16-32.*.*, 192.168.*.*)
iptables -I FORWARD 2 -d 192.168.0.0/16 -j DROP
iptables -I FORWARD 2 -d 172.16.0.0/12 -j DROP
iptables -I FORWARD 2 -d 10.0.0.0/8 -j DROP

If you would like to have remote administration on the openwrt so you can access the luci web interface and ssh from the wan side of the router, you can change /etc/config/firewall wan zone to allow it. !!WARNING!! If you are directly connected to the internet, this will expose your open ports to the world. You should take precautions to secure them before changing this firewall rule.

config 'zone'
  option 'name' 'wan'
  option 'input' 'REJECT' #

or if you just want to allow remote ssh access

config rule
  option target 'ACCEPT'
  option src 'wan'
  option proto 'tcp'
  option dest_port '22'
  option name 'ssh'