SSH key-based authentication

First, generate a key without password:

root@example:~# ssh-keygen -f ~/.ssh/id_rsa -q -P ""

You will see id_rsa and id_rsa.pub

root@example:~# ls -la .ssh
total 20
drwx------ 2 root root 4096 Nov 18 15:19 .
drwx------ 7 root root 4096 Apr 14  2018 ..
-rw------- 1 root root 1679 Nov 18 15:19 id_rsa
-rw-r--r-- 1 root root  401 Nov 18 15:19 id_rsa.pub
-rw-r--r-- 1 root root  444 Sep 22  2017 known_hosts

Read more “SSH key-based authentication”

acgrep.sh

https://github.com/xdth/misc/blob/master/acgrep.sh


#!/bin/bash

######################### acgrep.sh v0.1 ###############################
# This script will grep a given set of strings from a text file (syslog)
# and output the result, excluding lines containing another set of
# strings, to a specified location, with a dated file name.
#
# The script will then delete all files in the destination folder older
# than X days and change the ownership of the resulting files to the
# web server.
#
# It can be used, for example, to generate logs from AssaultCube or
# UrbanTerror servers, one log per server.
#
# author: dth@dthlabs.com
#
# To run daily, add to your cron:
# 0 */1 * * * /root/aclogs/acgrep.sh

# #######################################################################
# ## Parameters

# The file to grep
acgrep_filePath="/var/log/syslog"

# Location where the files will be generated. Keep the trailing slash.
acgrep_destinationPath="/root/aclogs/"

# grep this string
acgrep_string="AssaultCube"

# The AC servers' ports
acgrep_substrings="28763 8000 9000 10000 16000"

# Delete generate files after this amount of days
acgrep_keep_days=7

# Regex to skip lines containing these strings
acgrep_skipline="/xskip\|pwd/d"

# #######################################################################
# ## Functions

function acgrep_init {
# feed $YESTERDAY with the syslog format "Jan 31"
YESTERDAY=$(date -d "yesterday 06:00" '+%b %d')
# feed $YESTERDAY2 with yesterday's date in the format 2018-01-31
YESTERDAY2=$(date -d "yesterday 06:00" '+%Y-%m-%d')
}

function acgrep_finish {
# Make destination folder readable to the web server
chown www-data:www-data -R "$acgrep_destinationPath"

# Delete file older than x days
/usr/bin/find "$acgrep_destinationPath" -mtime +$acgrep_keep_days -type f -delete
}

function acgrep_main {
# initialize date variables
acgrep_init

# main loop
for i in $acgrep_substrings
do
# cat /var/log/syslog | grep "AssaultCube" | grep "$YESTERDAY" | grep 8000 > /home/dth/8000_2018-01-31.txt
sed $acgrep_skipline $acgrep_filePath | grep $acgrep_string | grep "$YESTERDAY" | grep $i > "$acgrep_destinationPath"$i"_"$YESTERDAY2.txt
done

# clean up and finish
acgrep_finish
}

# Execute
acgrep_main

qFirewall (qfw) – a quick iptables firewall script

This is my new basic firewall script. For updates, check my github: https://github.com/xdth

Screenshot

Code

#! /bin/bash

# ######################### qFirewall (qfw) 0.1 ########################
#
# This is a basic iptables firewall script.
#
# Usage:
# ./qfw {start|stop}
#
# Notes:
# 1. Comment or uncomment the firewall rules below according to your
#    needs.
# 2. For convenience, add this script to your /usr/bin or alike with
#    chmod +x permissions.
# 2. License: MIT
# 3. Author: dth at dthlabs dot com
#    Site:   https://dthlabs.com
#    github: https://github.com/xdth
#
# Brussels, Jan 23, 2018
# note: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
# #######################################################################


# #######################################################################
# ## Rules function -- edit this according to your needs

function qfw_rules {
  # Block everything
  iptables -t filter -P INPUT DROP
  iptables -t filter -P FORWARD DROP
  iptables -t filter -P OUTPUT DROP
  echo "     > Block everything"

  # Don't break established connections
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  echo "     > Don't break established connections"

  # Authorize loopback (127.0.0.1)
  iptables -t filter -A INPUT -i lo -j ACCEPT
  iptables -t filter -A OUTPUT -o lo -j ACCEPT
  echo "     > Authorize Loopback"

  # ICMP (ping)
  iptables -t filter -A INPUT -p icmp -j ACCEPT
  iptables -t filter -A OUTPUT -p icmp -j ACCEPT
  echo "     > Authorize ICMP (ping)"

  # SSH in/out
  iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 9000 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 9000 -j ACCEPT
  echo "     > Authorize SSH"

  # DNS in/out
  iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
  iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
  iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
  echo "     > Authorize DNS"

  # NTP Out
  iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
  echo "     > Authorize NTP outbound"

  # HTTP + HTTPS Out
  iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
  # iptables -t filter -A OUTPUT -p tcp --dport 8080 -j ACCEPT

  # HTTP + HTTPS In
  iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT
  echo "     > Authorize http and https"

  # FTP Out
  iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT

  # FTP In
  iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
  iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo "     > Authorize FTP"

  # Mail SMTP
  iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT

  # Mail POP3:110
  iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

  # Mail IMAP:143
  iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

  # Mail POP3S:995
  iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
  echo "     > Authorize mail"

  # OpenVZ Web Pannel
  # iptables -t filter -A OUTPUT -p tcp --dport 3000 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 3000 -j ACCEPT
  # echo "     > Authorize OpenVZ panel"

  # Allow WMs
  # iptables -P FORWARD ACCEPT
  # iptables -F FORWARD
  # echo "WMs ok"
  # echo "     > Authorize WMs"

  # Saltstack
  # iptables -t filter -A OUTPUT -p tcp --dport 4505 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 4505 -j ACCEPT
  # iptables -t filter -A OUTPUT -p tcp --dport 4506 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 4506 -j ACCEPT
  # echo "     > Authorize Saltstack"

  # Block UDP attack
  # iptables -A INPUT -m state --state INVALID -j DROP
  # echo "     > Block UDP attack"

}


# #######################################################################
# ## Other functions

function qfw_help {
  echo "qFirewall usage: ./qfw {start|stop}"
  exit 1
}

function qfw_seeya {
  echo "     > Thanks for using qFirewall (qfw) v1. Have a good day."
  echo ""
  echo ""
}

function qfw_separator {
  echo ""
  echo ""
  echo "===================== qFirewall (qfw) v0.1 ====================="
  echo ""
}

function qfw_reset {
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  iptables -t mangle -F
  iptables -t mangle -X
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -t filter -F
  iptables -t filter -X
}

function qfw_start {
  qfw_separator
  echo "     > Starting qFirewall..."
  qfw_clean
  echo "     > Loading the rules..."
  qfw_rules
  echo "     > Rules loaded"
  echo "     > qFirewall started"
}

function qfw_clean {
  echo "     > Cleaning rules..."
  qfw_reset
  echo "     > Rules cleaned"
}

function qfw_stop {
  qfw_separator
  echo "     > Stopping qFirewall..."
  qfw_clean
  echo "     > qFirewall stopped"
}


# #######################################################################
# ## Main

case "$1" in
  start)
  qfw_start
  ;;
  stop)
  qfw_stop
  ;;
  *)
  qfw_help
  exit 1
  ;;
esac

qfw_seeya

exit 0

Symfony and Doctrine ORM – Many to many bidirectional relation

The classes below illustrate a many to many bidirectional relation with Doctrine ORM, Symfony3 and FOSUserBundle.

Entity User

<?php
// src/AppBundle/Entity/User.php

namespace AppBundle\Entity;

use FOS\UserBundle\Model\User as BaseUser;
use Doctrine\ORM\Mapping as ORM;
use Doctrine\Common\Collections\ArrayCollection;

/**
 * @ORM\Entity
 * @ORM\Table(name="fos_user")
 */
class User extends BaseUser
{
    /**
     * @ORM\Id
     * @ORM\Column(type="integer")
     * @ORM\GeneratedValue(strategy="AUTO")
     */
    protected $id;

    /**
     * @ORM\ManyToMany(targetEntity="UserGroup", inversedBy="users")
     * @ORM\JoinColumn(name="usergroup_id", referencedColumnName="id")
     */
    private $usergroups;

    public function __construct()
    {
        parent::__construct();
        $this->usergroups = new ArrayCollection();
    }
}

Read more “Symfony and Doctrine ORM – Many to many bidirectional relation”

Intel NUC D34010WYK – Accessing and updating the BIOS

For some reason my USB3 external HD wasn’t being recognized by my NUC. I had a very old BIOS version, so I tried updating it, which solved the problem. Here’s how:

Search for the latest bios:
https://downloadcenter.intel.com/search?keyword=D34010WYK

In my case, it was this one. Download and save the .bio file in an USB key.
https://downloadcenter.intel.com/download/26632/NUCs-BIOS-Update-WYLPT10H-86A-

Open your NUC and look for the BIOS security jumper:


Read more “Intel NUC D34010WYK – Accessing and updating the BIOS”

dthUSART – C library for AVR microcontrollers (beta) and example code

I decided to create a simple C library for USART and AVR microcontrollers for the purpose of studying the USART serial interface.

This library is likely to be often updated. Open source code on my github:
https://github.com/xdth/AVR_dthUSART

Below is an example application. It will echo back strings received via serial at 9600 bit rate (defined in dthUSART.h), using the internal oscillator at 1 Mhz.
Read more “dthUSART – C library for AVR microcontrollers (beta) and example code”

Interfacing attiny2313 AVR with HD44780 LCD

We will use an attiny2313 AVR microcontroller to display strings on an HD44780 LCD (4-bit mode).

482 bytes of flash written. Using internal oscillator.

## Connections

+-----------------------------------+----------------+
|            HD44780 LCD            | attiny2313 MCU |
+-----------------------------------+----------------+
| PIN 1 (GND)                       |                |
| PIN 2 (+5V)                       |                |
| PIN 3 (contrast/GND)              |                |
| PIN 4 (reg select)                | PIN 2 (PD0)    |
| PIN 5 (R/W)                       | PIN 3 (PD1)    |
| PIN 6 (Enable)                    | PIN 6 (PD2)    |
| PIN 7                             |                |
| PIN 8                             |                |
| PIN 9                             |                |
| PIN 10                            |                |
| PIN 11                            | PIN 12 (PB0)   |
| PIN 12                            | PIN 13 (PB1)   |
| PIN 13                            | PIN 14 (PB2)   |
| PIN 14                            | PIN 15 (PB3)   |
| PIN 15 (220 Omhs resistor to +5V) |                |
| PIN 16 (GND)                      |                |
+-----------------------------------+----------------+

Read more “Interfacing attiny2313 AVR with HD44780 LCD”

Linux LAN domain – BIND9 and Debian

Disclaimer :: the information in this post was altered in order to avoid disclosing the real details of our internal network.

I wanted to change my LAN domain to srv.dth. All devices connected to my network must resolve this domain automatically and certain devices will have their own FQDN, like: printer.srv.dth.


domain:  srv.dth
network: 10.0.0.0
host:    hs.srv.dth       // "home server", machine where the DNS server will run
host IP: 10.0.0.10

devices:
router.srv.dth            // ISP router
router1.srv.dth           // Home network
router2.srv.dth           // Lab 
hs.srv.dth                // DNS server
printer.srv.dth           // Printer
cam0.srv.dth              // Security cameras
cam1.srv.dth
cam2.srv.dth

Read more “Linux LAN domain – BIND9 and Debian”