Monday, March 04, 2019

Ubnt unifi lost password

Some commands I used to find the admin user and to "add" one when needed.

Very important: find your backup first; you may need it even after you reset the password.
/var/lib/unifi/backup/autobackup/*.unf

mkpasswd -m sha-512
Password:
$6$9Ter1EZ9$lSt6/tkoPguHqsDK0mXmUsZ1WE2qCM4m9AQ.x9/eVNJxws.hAxt2Pe8oA9TFB7LPBgzaHBcAfKFoLpRQlpBiX1


The hash above is for the word "password"; write it into the admin's x_shadow field:
mongo --port 27117 ace --eval 'db.admin.update( { "name" : "admin" }, { $set : { "x_shadow" : "$6$9Ter1EZ9$lSt6/tkoPguHqsDK0mXmUsZ1WE2qCM4m9AQ.x9/eVNJxws.hAxt2Pe8oA9TFB7LPBgzaHBcAfKFoLpRQlpBiX1" } } )'


https://community.ubnt.com/t5/UniFi-Wireless/Controller-not-letting-me-change-admin-password/td-p/1560207/page/2

d = { "name" : "ubnt", "lang" : "en_US", "x_password" : "ubnt" , "time_created" : "", "last_site_name" : "default"}
db.admin.insert ( d )

Execute 'mongod --dbpath /usr/lib/unifi/data/db --repair' (this broke my install)


List admin users:

mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"

Run windows programs and apps on Linux with Wine

https://wiki.winehq.org/Debian

Debian...

Wine enables Linux, Mac, FreeBSD, and Solaris users to run Windows applications without a copy of Microsoft Windows. Wine is free software under constant development. Other platforms may benefit as well.

Debian Sources List Generator

https://debgen.simplylinux.ch/


This generates the lines for the apt repository file:

/etc/apt/sources.list

Saturday, March 02, 2019

Tuesday, February 26, 2019

Archlinux my install procedure

https://wiki.archlinux.org/index.php/installation_guide
timedatectl set-ntp true
fdisk -l ...


#OR https://wiki.archlinux.org/index.php/RAID
mdadm --create /dev/md0 --level=6 --raid-devices=4 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1
mdadm --create /dev/md1 --level=6 --raid-devices=4 /dev/sdb2 /dev/sdc2 /dev/sdd2 /dev/sde2
mkfs.ext4 /dev/md1
mkswap /dev/md0
swapon /dev/md0
mount /dev/md1 /mnt
pacstrap /mnt base
genfstab -U /mnt >> /mnt/etc/fstab
mdadm --detail --scan >> /mnt/etc/mdadm.conf

arch-chroot /mnt
---
passwd
ln -sf /usr/share/zoneinfo/America/Sao_Paulo /etc/localtime
hwclock --systohc
locale-gen
vi /etc/hostname
vi /etc/hosts
pacman -S grub
cat /etc/mdadm.conf
vi /etc/mkinitcpio.conf
BINARIES=(mdmon)
HOOKS=(base udev autodetect modconf block mdadm lvm2 mdadm_udev filesystems keyboard fsck)
mkinitcpio -p linux
vi /etc/default/grub
GRUB_PRELOAD_MODULES="... mdraid09 mdraid1x"
cd /boot/
grub-install /dev/vda
grub-mkconfig -o /boot/grub/grub.cfg
cp /etc/netctl/examples/ethernet-static /etc/netctl/ens3
(edit file as needed...) https://www.ostechnix.com/configure-static-dynamic-ip-address-arch-linux/
netctl start ens3
netctl enable ens3
netctl list # (check interfaces)

Saturday, February 23, 2019

archlinux with RAID install error Failed to connect to lvmetad. Falling back to device scanning.

To install GRUB on a RAID root you need to adjust a few files before rebooting.

If you are on an Intel platform, follow the guide as it says.

Edit /etc/mkinitcpio.conf and change:
BINARIES=(mdmon)
then add mdadm to the hooks:
HOOKS=(base udev block mdadm filesystems)

Save the file and run:

$ mkinitcpio -p linux
Make sure the mdadm hook was really added; while the image is generated you should see it listed in the output.

Then run grub-mkconfig -o /boot/grub/grub.cfg (this is the command that gives the error above).

If you get the warning "failed to connect to lvmetad. falling back to device scanning", leave the chroot (exit back to the live system) and bind-mount the host's LVM runtime directory into /mnt:

$ mkdir /mnt/hostlvm
$ mount --bind /run/lvm /mnt/hostlvm
$ arch-chroot /mnt
$ ln -s /hostlvm /run/lvm

-- alternative --
mkdir /mnt/hostrun
mount --bind /run /mnt/hostrun

Then, we chroot into the guest, and mount our host's /run/lvm in the guest's /run

arch-chroot /mnt
mkdir /run/lvm
mount --bind /hostrun/lvm /run/lvm


Rerun grub-mkconfig -o /boot/grub/grub.cfg (the command that gave the error above).


Wednesday, February 20, 2019

PXE Boot setup custom menu default

https://www.syslinux.org/wiki/index.php?title=PXELINUX#Custom_Menu_Example_with_sub-menus



Custom Menu Example with sub-menus

Many advanced options are used here; read the full Syslinux documentation to understand them all.
The menu is password protected against modification during PXE boot, which is very useful to prevent tampering.
Note: this example uses the legacy way to generate submenus, which is compatible with older Syslinux versions. Syslinux 3.62 supports a slightly different syntax, which is faster and somewhat more flexible.
Directory Structure:
    /tftpboot/
    /tftpboot/memdisk
    /tftpboot/pxelinux.0
    /tftpboot/menu.c32
    
    /tftpboot/pxelinux.cfg/
    /tftpboot/pxelinux.cfg/default
    /tftpboot/pxelinux.cfg/graphics.conf
    /tftpboot/pxelinux.cfg/fixes.menu
    /tftpboot/pxelinux.cfg/setup.menu
    
    /tftpboot/TRK/
    /tftpboot/TRK/chkdsk.trk
    /tftpboot/TRK/initrd.trk
    /tftpboot/TRK/kernel.trk
    
    /tftpboot/Memtest/memtest.x86
    
    /tftpboot/Suse/
    /tftpboot/Suse/initrd92
    /tftpboot/Suse/linux92
    
    /tftpboot/Floppy/
    /tftpboot/Floppy/kbfloppy.img
/tftpboot/pxelinux.cfg/default:
 DEFAULT menu.c32
 PROMPT 0
 
 MENU TITLE PXE Special Boot Menu
 MENU INCLUDE pxelinux.cfg/graphics.conf
 MENU AUTOBOOT Starting Local System in # seconds
 
 LABEL bootlocal
   MENU LABEL ^Boot Point of Sale
   MENU DEFAULT
   LOCALBOOT 0
 TIMEOUT 80
 TOTALTIMEOUT 9000
 
 LABEL FixesMenu
   MENU LABEL ^Fixes Menu
   KERNEL menu.c32
   APPEND pxelinux.cfg/graphics.conf pxelinux.cfg/fixes.menu
 
 LABEL SetupMenu
   MENU LABEL ^Setup Menu
   KERNEL menu.c32
   APPEND pxelinux.cfg/graphics.conf pxelinux.cfg/setup.menu
/tftpboot/pxelinux.cfg/graphics.conf:
 MENU COLOR TABMSG    37;40  #80ffffff #00000000
 MENU COLOR HOTSEL    30;47  #40000000 #20ffffff
 MENU COLOR SEL       30;47  #40000000 #20ffffff
 MENU COLOR SCROLLBAR 30;47  #40000000 #20ffffff
 MENU MASTER PASSWD yourpassword
 MENU WIDTH 80
 MENU MARGIN 22
 MENU PASSWORDMARGIN 26
 MENU ROWS 6
 MENU TABMSGROW 15
 MENU CMDLINEROW 15
 MENU ENDROW 24
 MENU PASSWORDROW 12
 MENU TIMEOUTROW 13
 MENU VSHIFT 6
 MENU PASSPROMPT Enter Password:
 NOESCAPE 1
 ALLOWOPTIONS 0
Change ALLOWOPTIONS to 1 (one) so as to be able to edit any of the entries from the menu system while booted with PXE, for testing purposes. Also change NOESCAPE to 0 (zero) for the same reason.
/tftpboot/pxelinux.cfg/fixes.menu:
 MENU TITLE Fixes Menu
 
 LABEL MainMenu
   MENU LABEL ^Return to Main Menu
   KERNEL menu.c32
   APPEND pxelinux.cfg/default
 
 LABEL fsck
   MENU LABEL ^File system check
   KERNEL TRK/kernel.trk
   APPEND initrd=TRK/chkdsk.trk ramdisk_size=32768 root=/dev/ram0 vga=0
 
 LABEL memtest
   MENU LABEL ^Memory Test: Memtest86+ v1.65
   KERNEL Memtest/memtest.x86
 
 LABEL trk3
   MENU LABEL ^Trinity Rescue Kit
   KERNEL TRK/kernel.trk
   APPEND initrd=TRK/initrd.trk ramdisk_size=32768 root=/dev/ram0 vga=0 trknfs=IPADDR:/trk ip=::::::dhcp splash=verbose
/tftpboot/pxelinux.cfg/setup.menu:
 MENU TITLE Setup Menu
 
 LABEL MainMenu
   MENU LABEL ^Return to Main Menu
   KERNEL menu.c32
   APPEND pxelinux.cfg/default
 
 LABEL setupkb
   MENU LABEL ^Any floppy disk image
   KERNEL memdisk
   APPEND initrd=Floppy/kbfloppy.img
 
 LABEL linux
   MENU PASSWD yourpassword
   MENU LABEL Install - ^Classic
   KERNEL Suse/linux92
   APPEND initrd=Suse/initrd92 ramdisk_size=65536 vga=0 textmode=1 install=http://IPADDR serverdir=/9.2/install autoyast=http://IPADDR/9.2/scripts/ay92.xml
 
 LABEL trkclone
   MENU PASSWD yourpassword
   MENU LABEL Install - ^Faster
   KERNEL TRK/kernel.trk
   APPEND initrd=TRK/initrd.trk ramdisk_size=65536 root=/dev/ram0 vga=0 install=Y trknfs=IPADDR:/trk ip=::::::dhcp splash=verbose
 
 LABEL linuxfull
   MENU PASSWD yourpassword
   MENU LABEL Install - ^Developer
   KERNEL Suse/linux92
   APPEND initrd=Suse/initrd92 ramdisk_size=65536 vga=0 textmode=1 install=http://IPADDR serverdir=/9.2/install autoyast=http://IPADDR/9.2/scripts/develdesktop.xml




--------
https://forums.fogproject.org/topic/8488/how-to-pxe-boot-cent-os-7/61
:MENU
menu
item --gap -- ---------------- iPXE boot menu ----------------
item mac Macrium Reflect
item clonezilla Clonezilla 2015
item ubuntu6_64 Ubuntu 16:04.1 x64
item ubuntu6_32 Ubuntu 16:04.1 x32
item ubuntu_64 Ubuntu 15:10 x64
item ubuntu_32 Ubuntu 15:10 x32
item kubuntu6_64 Kubuntu 16:04.1 x64
item kubuntu6_32 Kubuntu 16:04.1 x32
item kubuntu_64 Kubuntu 15:10 x64
item kubuntu_32 Kubuntu 15:10 x32
item mint18_32 Linux Mint 18 "Sarah" - MATE (32-bit)
item mint18_64 Linux Mint 18 "Sarah" - MATE (64-bit)
item mint_32 Linux Mint 17.2 "Rafaela" - MATE (32-bit)
item mint_64 Linux Mint 17.2 "Rafaela" - MATE (64-bit)
item mintc_32 Linux Mint 17.2 "Rafaela" - Cinnamon (32-bit)
item mintc_64 Linux Mint 17.2 "Rafaela" - Cinnamon (64-bit)
item BOOTCD Hirens 15.2 BOOTCD
item pgon Paragon Harddisk Manager 12
item ubd Ultimate Boot Disk
item ez  EZ Gig IV Cloning Software
item centos Centos
item centos2 Centos Live
item hostinfo details about this computer
item shell ipxe shell
item return return to previous menu
choose --default return --timeout 5000 target && goto ${target}
:mac
initrd http://${fog-ip}/fog/service/ipxe/mac/mac.iso
chain memdisk iso raw ||
goto MENU

:clonezilla
kernel http://${fog-ip}/bootimgs/clonezilla/vmlinuz
initrd http://${fog-ip}/bootimgs/clonezilla/initrd.img
imgargs vmlinuz boot=live username=user fetch=http://${fog-ip}/bootimgs/clonezilla/filesystem.squashfs locale=en_US.UTF-8 keyboard-layouts=NONE
boot || echo failed to boot
prompt
goto MENU

:ubuntu6_64
kernel http://${fog-ip}/bootimgs/16.04.1_64/casper/vmlinuz.efi
initrd http://${fog-ip}/bootimgs/16.04.1_64/casper/initrd.lz
imgargs vmlinuz.efi root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/16.04.1_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto MENU

:ubuntu6_32
kernel http://${fog-ip}/bootimgs/16.04.1_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/16.04.1_32/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/16.04.1_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto MENU

:ubuntu_64
kernel http://${fog-ip}/bootimgs/15.10_64/casper/vmlinuz.efi
initrd http://${fog-ip}/bootimgs/15.10_64/casper/initrd.lz
imgargs vmlinuz.efi root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/15.10_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto MENU

:ubuntu_32
kernel http://${fog-ip}/bootimgs/15.10_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/15.10_32/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/15.10_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto MENU

:kubuntu6_64
kernel http://${fog-ip}/bootimgs/kubuntu6_64/casper/vmlinuz.efi
initrd http://${fog-ip}/bootimgs/kubuntu6_64/casper/initrd.lz
imgargs vmlinuz.efi root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/kubuntu6_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto MENU

:kubuntu6_32
kernel http://${fog-ip}/bootimgs/kubuntu6_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/kubuntu6_32/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/kubuntu6_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto MENU

:kubuntu_64
kernel http://${fog-ip}/bootimgs/kubuntu5_64/casper/vmlinuz.efi
initrd http://${fog-ip}/bootimgs/kubuntu5_64/casper/initrd.lz
imgargs vmlinuz.efi root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/kubuntu5_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto MENU

:kubuntu_32
kernel http://${fog-ip}/bootimgs/kubuntu5_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/kubuntu5_32/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/kubuntu5_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto MENU

:mint18_32
kernel http://${fog-ip}/bootimgs/lm18_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/lm18_32/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lm18_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto MENU

:mint18_64
kernel http://${fog-ip}/bootimgs/lm18_64/casper/vmlinuz.efi
initrd http://${fog-ip}/bootimgs/lm18_64/casper/initrd.lz
imgargs vmlinuz.efi root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lm18_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto MENU

:mint_32
kernel http://${fog-ip}/bootimgs/lm_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/lm_32/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lm_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto MENU

:mint_64
kernel http://${fog-ip}/bootimgs/lm_64/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/lm_64/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lm_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto MENU

:mintc_32
kernel http://${fog-ip}/bootimgs/lmc_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/lmc_32/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lmc_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto MENU

:mintc_64
kernel http://${fog-ip}/bootimgs/lmc_64/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/lmc_64/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lmc_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto MENU

:centos
initrd http://${fog-ip}/bootimgs/centos/images/pxeboot/initrd.img
chain http://${fog-ip}/bootimgs/centos/images/pxeboot/vmlinuz initrd=initrd.img method=http://${fog-ip}/bootimgs/centos/ devfs=nomount ip=dhcp
boot || goto MENU

:centos2
initrd http://${fog-ip}/bootimgs/centos/images/pxeboot/initrd.img
chain http://${fog-ip}/bootimgs/centos/images/pxeboot/vmlinuz initrd=initrd.img root=live:http://${fog-ip}/bootimgs/centos/LiveOS/squashfs.img ip=dhcp rootflags="loop" rootfstype=auto ro rd.live.image quiet rhgb rd.luks=0 rd.md=0 rd.dm=0
boot || goto MENU

:BOOTCD
initrd http://${fog-ip}/bootimgs/bootcd/hirensboot.iso ||
chain memdisk iso raw ||
boot ||
goto MENU

:pgon
initrd http://${fog-ip}/bootimgs/pgon/phdman12.iso ||
chain memdisk iso raw ||
boot ||
goto MENU

:ubd
initrd http://${fog-ip}/bootimgs/ubcd/ubcd535.iso ||
chain memdisk iso raw ||
boot ||
goto MENU

:ez
initrd http://${fog-ip}/bootimgs/ez/EZGIG438.iso ||
chain memdisk iso raw ||
boot ||
goto MENU

:hostinfo
echo This computer : ||
echo MAC address....${net0/mac} ||
echo IP address.....${ip} ||
echo Netmask........${netmask} ||
echo Serial.........${serial} ||
echo Asset number...${asset} ||
echo Manufacturer...${manufacturer} ||
echo Product........${product} ||
echo BIOS platform..${platform} ||
echo ||
echo press any key to return to Menu ||
prompt
goto MENU

:shell
shell ||
goto MENU

:failed
echo Boot failed, press any key to return to the menu ||
prompt
goto MENU

:return
chain http://${fog-ip}/${fog-webroot}/bootimgs/boot.php?mac=${net0/mac} ||
prompt
goto MENU
Autoboot
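An added check, not part of this post or of the FOG thread it quotes: a small shell/awk linter for iPXE menu scripts. A long hand-written menu like the one above makes it easy to define the same label twice (goto only ever reaches the first ":label", so the second entry silently boots the wrong image) or to jump to a label that was never defined (iPXE aborts the script when goto fails). Both menus inside the script are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post or the FOG forum thread):
# lint an iPXE menu script for duplicate labels and dangling targets.
# BROKEN_MENU is a constructed sample with one of each mistake,
# FIXED_MENU is the corrected version of it.

BROKEN_MENU=':MENU
menu
item --gap -- ---- test menu ----
item ubuntu Ubuntu x64
item ubuntu Ubuntu x32
item shell iPXE shell
choose --default shell --timeout 5000 target && goto ${target}
:ubuntu
kernel http://${fog-ip}/x64/vmlinuz
boot || goto failed
goto MENU
:ubuntu
kernel http://${fog-ip}/x32/vmlinuz
boot || goto failed
goto MENU
:shell
shell ||
goto MENU'

FIXED_MENU=':MENU
menu
item ubuntu64 Ubuntu x64
item ubuntu32 Ubuntu x32
item shell iPXE shell
choose --default shell --timeout 5000 target && goto ${target}
:ubuntu64
kernel http://${fog-ip}/x64/vmlinuz
boot || goto failed
goto MENU
:ubuntu32
kernel http://${fog-ip}/x32/vmlinuz
boot || goto failed
goto MENU
:shell
shell ||
goto MENU
:failed
echo Boot failed, returning to the menu
prompt
goto MENU'

# ipxe_lint MENU_TEXT
#   prints one diagnostic per problem (nothing when the menu is clean):
#   - a ":label" defined more than once
#   - an "item" or "goto" target that has no ":label" (targets that are
#     variables such as ${target} cannot be checked statically; skipped)
ipxe_lint() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*:[A-Za-z0-9_]/ {                 # ":name" defines a label
            lbl = $1; sub(/^:/, "", lbl)
            if (lbl in def)
                printf "line %d: label \"%s\" already defined at line %d (goto always jumps to the first)\n", NR, lbl, def[lbl]
            else
                def[lbl] = NR
            next
        }
        $1 == "item" {                           # "item [--key k] [--default] name text"
            i = 2
            while (i <= NF && $i ~ /^--/) {
                if ($i == "--gap") next          # separator entry, no target
                i += ($i == "--key") ? 2 : 1
            }
            if (i <= NF && !($i in ref)) ref[$i] = NR
        }
        {                                        # any "goto target" on the line
            for (i = 1; i < NF; i++)
                if ($i == "goto" && $(i + 1) !~ /^\$/ && !($(i + 1) in ref))
                    ref[$(i + 1)] = NR
        }
        END {
            for (t in ref)
                if (!(t in def))
                    printf "target \"%s\" (first used at line %d) has no \":%s\" label\n", t, ref[t], t
        }'
}

ipxe_lint "$BROKEN_MENU"
```

Run it against the real menu with `ipxe_lint "$(cat /tftpboot/default.ipxe)"`, or pipe any menu file through the awk program directly.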

Tuesday, February 19, 2019

GParted Live on PXE Server

https://gparted.org/livepxe.php

Besides GParted Live CD and Live USB, we can put the GParted Live image on a PXE server so that a client can boot via the network to use GParted. The steps to do this are as follows:
  1. Set up a PXE server. You might refer to documentation, such as setting up a server for PXE network booting, or DRBL (Diskless Remote Boot in Linux) to assist you.
    In these steps we assume the pxelinux config file is /tftpboot/nbi_img/pxelinux.cfg/default, and the image files are in /tftpboot/nbi_img/.
  2. Set up an http service on the PXE server.
  3. Download GParted live zip file. You have to use 0.3.7-2 or later because network drivers are only included after that.
  4. Unzip all the files in a temp dir /tmp/gparted/. You can do this with a command such as:
        mkdir -p /tmp/gparted; unzip gparted-live-*.zip -d /tmp/gparted/
        
    NOTE: Replace gparted-live-*.zip with the file name you just downloaded.
  5. Copy the necessary boot files (vmlinuz and initrd.img) to /tftpboot/nbi_img/. For example:
        cp /tmp/gparted/live/{vmlinuz,initrd.img} /tftpboot/nbi_img/
        
  6. Copy /tmp/gparted/live/filesystem.squashfs to your http server. For example:
        cp /tmp/gparted/live/filesystem.squashfs /var/www/
        
  7. Edit your PXE config file /tftpboot/nbi_img/pxelinux.cfg/default, and append the following:
        label GParted Live
                MENU LABEL GParted Live
                kernel vmlinuz
                append initrd=initrd.img boot=live config components union=overlay username=user noswap noeject ip= vga=788 fetch=http://$webserverIP/filesystem.squashfs
        
    If the GParted live version you are using is <= 0.22.0-1, then the config file is like:
        label GParted Live
                MENU LABEL GParted Live
                kernel vmlinuz
                append initrd=initrd.img boot=live config union=aufs noswap noprompt vga=788 fetch=http://$webserverIP/filesystem.squashfs
        
    NOTE1: Replace $webserverIP with the IP address of your http server.
    NOTE2: Remember to check the boot parameters in syslinux/syslinux.cfg from the zip file. You should replace the above listed parameters with these more recent ones because these newer boot parameters might be different. For example the vmlinuz path might be different.
    NOTE3: Do not use the parameter "ip=frommedia" in your PXE config file.
For more information about pxelinux, refer to the following article on PXELinux.

Change linux password error asking Current Kerberos password:

The error is:
# passwd user1
Current Kerberos password:


This user1 is a local user, not an AD or remote user, so why does this happen?


Run:
# pam-auth-update



Check whether Kerberos authentication is enabled; if it is, disable it.

This is done on Linux Debian 8.6

Now the password can be changed from the shell with passwd.

Friday, February 15, 2019

firebird 3.0 error Statement failed, SQLSTATE = 08004 connection rejected by remote interface

https://stackoverflow.com/questions/30390465/connection-rejected-by-remote-interface-connecting-to-firebird-3-with-pdo

Setting to change in firebird.conf:

Find firebird.conf, uncomment (if using fbclient 2.x) and change the following parameters to disable WireCrypt and give legacy authentication higher priority:
WireCrypt = Disabled
AuthServer = Legacy_Auth, Srp, Win_Sspi
AuthClient = Legacy_Auth, Srp, Win_Sspi
Note that this trades security for compatibility: Legacy_Auth is the weak pre-3.0 password scheme and WireCrypt = Disabled turns off encryption of the wire protocol, so revert both once the client can be upgraded to a 3.0 fbclient.

Saturday, February 02, 2019

Stopping DNS leakage with pfSense - avoid dns leak on pfsense

Stopping DNS leakage with pfSense - ZenCoffee Blog

I’ve recently changed my core router over from OpenWRT to pfSense.  I was pretty happy with OpenWRT, but I wanted something more powerful since it was running in a VM anyway.
A few days ago, CloudFlare announced their new 1.1.1.1 service.  This is a public DNS service very much like Google’s 8.8.8.8 DNS service, with a notable difference.  It supports TLS.
Why should you care?  Because DNS requests are normally not encrypted, and therefore visible to your ISP to record, use for research / marketing purposes, or even (in the case of some nefarious actors) manipulate or change.  Running DNS over TLS prevents that, by encrypting your DNS traffic so that it can’t be manipulated or collected.
In this post, we’ll be configuring pfSense to do three things – provide a local standard unencrypted port 53 DNS resolver which uses CloudFlare’s 1.1.1.1 encrypted service on the WAN end, and then set up a NAT redirect so any attempts on the internal network to use port 53 DNS servers outside the network instead are intercepted and resolved by the internal resolver.  Lastly, it will also make sure that it blocks any outbound requests to port 53 just to be sure.
NOTE:  There’s one piece here I haven’t figured out yet.  How to pin a cert for the DNS endpoints listed here, so it’s not perfect.  When I figure that out, I’ll edit this post.
Let’s get started.

Configuring the pfSense Local Resolver

In pfSense, go to Services -> DNS Resolver, then put the following block into Custom Options:
server:
ssl-upstream: yes
do-tcp: yes
forward-zone:
    name: "." 
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    forward-addr: 2606:4700:4700::1111@853
    forward-addr: 2606:4700:4700::1001@853
You will also need to make sure that the DNS Query Forwarding option is NOT selected, otherwise the above settings will conflict.  It’s OK to set the resolver to listen on all interfaces, since the firewall rules on the WAN will prevent Internet hosts from using your resolver anyway.  Follow the prompts, then test it with something like;
dig www.google.com @yourrouter.local
You should see a resolve against your router’s local DNS resolver that works.  If you really want, use Diagnostics -> Packet Capture, and capture port 853 to verify that requests are being triggered.

Redirect all DNS requests to outside DNS servers to pfSense

Follow the article you can find here.  You will need to do this once for each of your interfaces (in my case, LAN, DMZ, and VPN).  Obviously don’t configure this for the WAN interface.  This then causes any requests to addresses that are not on your internal network to be resolved through the local pfSense resolver (which goes out to port 853 anyway).
To test this, try and dig something against an IP that you know is not internal and is not a DNS server.  It should work, since the request will be NATted.  Something like;
dig www.google.com @1.2.3.4
Assuming that’s all fine, you should now be able to configure a broad block rule to bar all outbound port 53.

Block all outbound non-encrypted DNS

This shouldn’t really be required if the NAT rule is working, but we’ll do it anyway to be sure we’re stopping any DNS leaks.
In pfSense, go to Firewall -> Rules, and for the WAN interface, define a new rule at the top of the list.  This rule should use these settings;
Action: Block
Interface: WAN
Address Family: IPv4+IPv6
Protocol: TCP/UDP
Source: any
Destination: any
Destination Port: DNS (53)
Description: Block outbound insecure DNS
After doing this, verify that you can still resolve against the local resolver (your router’s IP), and that you can still resolve against what seems to be external resolvers (eg, 8.8.8.8).  You should also check that when you do so that nothing passes on the WAN interface on port 53.
If that all passes, you’re done.   It’s up to you if you use the ‘Block’ target or the ‘Reject’ target.  Block causes a simple timeout if something hits 53 (which shouldn’t happen anyway), Reject causes an immediate fail.
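An added check, not part of the ZenCoffee post, that automates its last verification step: feed it the text output of a WAN capture (pfSense's Diagnostics -> Packet Capture, or tcpdump -ni on the WAN interface) and it reports any plaintext port 53 packet as a leak and any DNS-over-TLS session to a host other than the four Cloudflare resolvers configured above. The capture lines inside it are constructed.

```shell
#!/bin/sh
# Added example, not from the ZenCoffee post: audit a tcpdump-style WAN
# capture after the NAT redirect and the block rule are in place. No
# port 53 packet should appear on WAN at all, and every port 853
# connection should go to one of the four configured resolvers.
# SAMPLE_CAPTURE is a constructed capture with one leak and one DoT
# session to a resolver that was never configured.

SAMPLE_CAPTURE='10:15:01.000001 IP 203.0.113.5.40001 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
10:15:01.000200 IP 1.1.1.1.853 > 203.0.113.5.40001: Flags [S.], seq 2, ack 2, win 65535, length 0
10:15:02.000001 IP 203.0.113.5.40002 > 8.8.8.8.53: 12345+ A? www.google.com. (32)
10:15:03.000001 IP6 2001:db8::5.40003 > 2606:4700:4700::1111.853: Flags [S], seq 3, win 64240, length 0
10:15:04.000001 IP 203.0.113.5.40004 > 9.9.9.9.853: Flags [S], seq 4, win 64240, length 0'

# wan_dns_audit CAPTURE_TEXT
#   prints "LEAK: <line>" for every packet with port 53 on either side,
#   "UNEXPECTED DoT peer: <line>" for port 853 traffic to a host outside
#   the configured resolver set, then "leaks=N dot_packets=N unexpected=N".
wan_dns_audit() {
    printf '%s\n' "$1" | awk '
        # tcpdump prints endpoints as host.port; IPv6 hosts contain colons,
        # so the port is always the text after the last dot, and the
        # destination endpoint carries a trailing colon.
        function port(hp) { sub(/:$/, "", hp); n = split(hp, a, "."); return a[n] }
        function host(hp) { sub(/:$/, "", hp); sub(/\.[0-9]+$/, "", hp); return hp }
        BEGIN {
            # the forward-addr entries from the Unbound custom options
            ok["1.1.1.1"] = 1; ok["1.0.0.1"] = 1
            ok["2606:4700:4700::1111"] = 1; ok["2606:4700:4700::1001"] = 1
        }
        NF < 5 { next }
        port($3) == "53" || port($5) == "53" { leaks++; print "LEAK: " $0 }
        port($3) == "853" || port($5) == "853" { dot++ }
        port($5) == "853" {
            peer = host($5)
            if (!(peer in ok)) { bad++; print "UNEXPECTED DoT peer: " $0 }
        }
        END { printf "leaks=%d dot_packets=%d unexpected=%d\n", leaks, dot, bad }'
}

wan_dns_audit "$SAMPLE_CAPTURE"
```

On the router itself: `wan_dns_audit "$(tcpdump -ni vmx0 -c 200 port 53 or port 853 2>/dev/null)"`, substituting your WAN interface name.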

Tuesday, January 29, 2019

JAVA JVM APPLICATIONS AS A SERVICE WITH SYSTEMD

Let’s say you have written a Java application that exposes an HTTP service, for example by using Spring Boot or Spark. During development you can probably start your application by running some main class. But when you finally deploy it to a server (and are not using containers like Docker) you need some way to run the application automatically.
On Linux servers you can either create an init.d script or use systemd. In this post we will take a look at the latter. I know there’s a lot of debate about which system is superior. I can’t really comment on that.

Using systemd With Spring Boot’s Embedded Script

For some time now it has been possible to build a Spring Boot app with an embedded shell script to start it. It basically puts a shell script at the start of the JAR file, and most shells have no problem running this even though all the binary JAR content follows it. Java itself also has no problem starting it with java -jar even if there is an ASCII script at the start of the file.

Enabling the Embedded Script With Spring Boot

To enable this script you can use the Spring Boot plugin for either Maven or Gradle. It’s just a matter of adding some configuration.
apply plugin: 'spring-boot'
springBoot {
executable = true
}
.. or for Maven.
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<executable>true</executable>
</configuration>
</plugin>
</plugins>
</build>
Now after a gradle build or mvn package you can start the application in a shell (like bash) by just running ./my-app.jar.
The embedded script can be used as an init.d service. This section of the Spring Boot documentation describes how to do that.

Creating a systemd Unit

The next section of the documentation also shows how to use the JAR with the embedded script with systemd. I want to extend this documentation a little bit and also show how to use systemd without the embedded script later.
Let’s take a look at a longer example. This file is /etc/systemd/system/myapp.service.
[Unit]
Description=MyApplication web interface
After=syslog.target

[Service]
SyslogIdentifier=MyApplication
ExecStart=/home/myapp/application/my-app.jar
User=myapp
Type=simple

[Install]
WantedBy=multi-user.target
Let’s go over it.
Line 3: We define that our unit must run after syslog is available. Since all stdout and stderr output will be saved in syslog this is important.
Line 6: If you look at logs from your application in syslog (e.g. with journalctl) this will be the visible name of the application.
Line 7: Since no further arguments are added this will start the run target of the script. This means the script does not take care of pid and log files which makes sense when using systemd.
Line 8: It is good practice to let applications run with their own user, so we tell systemd to use our app user (of course it has to be created before).
Line 9: The type simple tells systemd that our executable from ExecStart is the main process (e.g. it doesn’t use fork()). This is also the default value.
Line 12: multi-user.target defines that this service will only be started when the system boots up to this target (a non-graphical multi-user environment).
Setting WorkingDirectory in the Service section has no effect since the embedded script will change the directory anyway (see this line). The working directory will always be the one of the JAR file.
After the file is created, the service needs to be enabled with systemctl enable myapp.service and then can be started with systemctl start myapp.service. It will also be started when the machine reboots.

Looking at the Logs With journalctl

If you want to use the systemd logging facilities to log, your application needs a console appender. If you didn’t change the logging configuration in your Spring Boot app it will log to the console by default, otherwise configure your logging system (log4j, logback, …) to do so.
The output of journalctl is quite large. Luckily you can filter it easily! Just use journalctl -u myapp.service and only entries from your app will be shown. If you want to follow new entries as they come in, use the -f flag, like so: journalctl -f -u myapp.service.

Using systemd Without the Embedded Script

If you don’t want to embed the script from Spring Boot or don’t use Spring Boot at all it is still very easy to use systemd. Since the embedded script doesn’t add much when only the run target is called I actually would recommend not using it when you use systemd.
For this section I will assume a Spark application. Our blog post shows an example on how to create a JAR file for a Spark application.
Now we modify the systemd unit a little.
[Unit]
Description=MyApplication web interface
After=syslog.target

[Service]
WorkingDirectory=/home/myapp/application
SyslogIdentifier=MyApplication
ExecStart=/bin/bash -c "java -jar /home/myapp/application/my-spark-app.jar"
User=myapp
Type=simple

[Install]
WantedBy=multi-user.target
It is now possible to override the working directory (see line 6). The part ExecStart now calls Java directly. In this case it is not really necessary to use a shell, but if you might want environment variable substitution somewhere this is the way to go.

Conclusion

Using systemd to register a JVM application as a service is really easy. Personally, without having too many stakes in the init.d vs. systemd debate I prefer it. The scripts in /etc/init.d always seemed a bit clunky to me. While they might allow a little bit easier debugging I like the declarative approach of systemd.