Classic content dump!

This commit is contained in:
Sivert V. Sæther 2022-08-18 13:39:55 +00:00
parent a32e0736c4
commit 753ac6ca40
9 changed files with 399 additions and 31 deletions


@ -1,4 +1,11 @@
<VirtualHost yowpdomain.example.com:443> <VirtualHost yowpdomain.example.com:443>
AddType text/html .php
DirectoryIndex index.php
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php-fpm/www.sock"
</FilesMatch>
# Dotfiles # Dotfiles
<FilesMatch "^\."> <FilesMatch "^\.">
Deny from all Deny from all
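Review bot: the `<FilesMatch \.php$>` / `SetHandler "proxy:unix:/run/php-fpm/www.sock"` pair sends every file ending in .php anywhere under this vhost to PHP-FPM, including anything dropped into a web-writable directory; for a hardened WordPress host the writable trees (uploads, cache) need their own `<Directory>` block that denies `.php` files or resets the handler, since nothing in this hunk limits execution to the application's own code. Quote the pattern as `<FilesMatch "\.php$">` for consistency with the dotfile block below it. The unchanged `Deny from all` is 2.2-era mod_access_compat syntax; on Apache 2.4 the equivalent is `Require all denied`.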

assets/img/HolyC_Logo.svg Normal file

@ -0,0 +1,31 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="0.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
width="306px" height="344.35px" viewBox="0 0 306 344.35" enable-background="new 0 0 306 344.35" xml:space="preserve">
<path fill="#C37C2E" d="M302.107,258.262c2.401-4.159,3.893-8.845,3.893-13.053V99.14c0-4.208-1.49-8.893-3.892-13.052L153,172.175
L302.107,258.262z"/>
<path fill="#AB5921" d="M166.25,341.193l126.5-73.034c3.644-2.104,6.956-5.737,9.357-9.897L153,172.175L3.893,258.263
c2.401,4.159,5.714,7.793,9.357,9.896l126.5,73.034C147.037,345.401,158.963,345.401,166.25,341.193z"/>
<path fill="#D6AF46" d="M302.108,86.087c-2.402-4.16-5.715-7.793-9.358-9.897L166.25,3.156c-7.287-4.208-19.213-4.208-26.5,0
L13.25,76.19C5.962,80.397,0,90.725,0,99.14v146.069c0,4.208,1.491,8.894,3.893,13.053L153,172.175L302.108,86.087z"/>
<g>
<path fill="#FFFFFF" d="M153,274.175c-56.243,0-102-45.757-102-102s45.757-102,102-102c36.292,0,70.139,19.53,88.331,50.968
l-44.143,25.544c-9.105-15.736-26.038-25.512-44.188-25.512c-28.122,0-51,22.878-51,51c0,28.121,22.878,51,51,51
c18.152,0,35.085-9.776,44.191-25.515l44.143,25.543C223.142,254.644,189.294,274.175,153,274.175z"/>
</g>
<g>
<polygon fill="#FFFFFF" points="
255,156.508
243.666,156.508
243.666,145.175
232.334,145.175
232.334,156.508
221,156.508
221,167.841
232.334,167.841
232.334,199.175
243.666,199.175
243.666,167.841
255,167.841 "/>
</g>
</svg>
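Review bot: `version="0.1"` on the `<svg>` element is not a valid SVG version while the DOCTYPE on the line above declares SVG 1.1; set `version="1.1"` or drop both the attribute and the DOCTYPE, which browsers do not need. `enable-background` is a deprecated attribute and can be removed as well.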



@ -10,9 +10,16 @@ title: IT Apprentice
description: This part of my blog is a collection of things I've learned as an apprentice working in IT. description: This part of my blog is a collection of things I've learned as an apprentice working in IT.
--- ---
This section of my blog serves as an index of technologies I've learned or became better at as an apprentice working in IT. :grinning: This page on my blog serves as an index of technologies I've learned or became better at while working as an apprentice in IT. :grinning:
It also serves the purpose of the required documentation apprentices in Norway are supposed to do. :flushed: It also serves the purpose of the required documentation apprentices in Norway are supposed to do. :cowboy: :flushed:
It's mostly in relation to stuff learned at [SkyLabs AS](https://skylabs.no) where we run a captive portal service.
But there is also some stuff from [Sircon AS](https://sircon.no).
Those guys run hosting services, with a focus on cPanel/WordPress shared hosting.
That would be "The WHM saga".
Although when it comes to programming there would be some overlap, but don't dwell on that.
Because at Sircon, I feel like they didn't want me working with code, but rather support only...
Here are lists of stuff I'll be writing about here; Here are lists of stuff I'll be writing about here;
:x: marks not started :construction: marks work in progress :white_check_mark: marks complete! :x: marks not started :construction: marks work in progress :white_check_mark: marks complete!
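Review bot: "Here are lists of stuff I'll be writing about here;" introduces the legend and lists that follow, so it should end with a colon rather than a semicolon, and the second "here" is redundant. The added Sircon paragraph ends on an ellipsis and a trailing complaint; closing it with the pointer to "The WHM saga" section would make the hand-off to that list clearer.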
@ -21,28 +28,32 @@ Here are lists of stuff I'll be writing about here;
### Python ### Python
- :x: Flask :baby_bottle: - :x: Flask :baby_bottle:
- :x: SQLAlchemy :sake: - :x: SQLAlchemy :sake:
- :construction: MSAL (Microsoft Authentication Library) :banjo: - [:construction: MSAL (Microsoft Authentication Library) :banjo:](./msal)
### Browser JavaScript ### Browser JavaScript
- :x: jQuery :calling: - :x: jQuery :calling:
- :construction: Handlebars.js :wavy_dash: - [:construction: Handlebars.js :wavy_dash:](./handlebars)
## Programs / Tools ## Programs / Tools
- :construction: Fail2ban :hammer: - [:construction: Fail2ban :hammer:](./fail2ban)
- :construction: Docker :smiling_face_with_hearts: - [:construction: Docker :smiling_face_with_hearts:](./docker)
- :x: FreeRADIUS :crystal_ball: - :x: FreeRADIUS :crystal_ball:
- :x: Postgres :floppy_disk: - :x: Postgres :floppy_disk:
- :construction: Ansible :gun: - [:construction: Ansible :gun:](./ansible)
- [:white_check_mark: tzsp2pcap :chains:](./tzsp2pcap)
## OS / Networking ## OS / Networking
- :x: Debian :dolls: - [:construction: Debian :dolls:](./debian)
- :construction: Mikrotik :package: - [:white_check_mark: Mikrotik :package:](./mikrotik)
- :x: Cisco Meraki :cloud: - [:white_check_mark: Cisco Meraki :cloud:](./meraki)
## Azure ## Azure
- :white_check_mark: App Registration :rocket: - [:white_check_mark: App Registration :rocket:](./azure-app-registration)
- :x: Active Directory :dizzy: - :x: Active Directory :dizzy:
## Etc
- [:white_check_mark: Linux desktop password reset :mage_man:](./linux-password-reset)
## The WHM saga (shortie) ## The WHM saga (shortie)
- :white_check_mark: Wordpress :eyes: - [:white_check_mark: Wordpress :eyes:](./wordpress)
- :white_check_mark: cPanel :shit: - [:construction: cPanel :shit:](./cpanel)
- :white_check_mark: WHM :ok_hand: - [:construction: WHM :ok_hand:](./whm)
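Review bot: the status markers disagree with the linked pages' front matter: Debian is marked :construction: and tzsp2pcap :white_check_mark:, both now linked, but both pages keep `draft: true` in their hunks below, so a production Hugo build will not render them and these links will 404 unless the site is built with `--buildDrafts`. cPanel and WHM also move from :white_check_mark: back to :construction:; if that is intended, fine, otherwise the legend above says :white_check_mark: means complete.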


@ -2,12 +2,88 @@
date: 2022-06-20T14:10:48Z date: 2022-06-20T14:10:48Z
draft: true draft: true
aliases: [] aliases: []
categories: ['various'] categories: ['documentation']
series: [] series: ['apprentice']
tags: ['various'] tags: ['linux', 'os']
chroma: false chroma: false
toc: true toc: true
title: Debian title: Debian
description: Systems administration stuff relevant to Debian spesifically description: All about ye ol' relaiable Debian Linux distribution!
docs:
- url: https://debian-handbook.info/browse/stable/
name: Debian Administrator's Handbook
--- ---
Debian is a classic free and open source Linux distribution.
It's one of the oldest Linux OSes and the basis of many other distros.
Most notably Ubuntu.
Debian has three foundational documents.
The [Debian Social Contract](https://www.debian.org/social_contract)/[OG Version](https://lists.debian.org/debian-announce/1997/msg00017.html),
the [Debian Constitution](https://www.debian.org/devel/constitution) and
the [Debian Free Software Guidelines](https://wiki.debian.org/DebianFreeSoftwareGuidelines).
Debian version code-names are famously named after characters from the [Toy Story](https://en.wikipedia.org/wiki/Toy_Story_(franchise)) films.
It's unstable rolling release branch is named Sid, who in the Toy Stories regularly destroys his toys.
## Early History
The first ever Debian release was on September 15th, 1993.
It was an internal release of version 0.01.
The first public release, version 0.90, included the "[Debian Linux Manifesto](https://www.debian.org/doc/manuals/project-history/manifesto.en.html)".
That document outlining, the Debian founder, Ian Murdock's view for the Debian OS.
Calling for Debian to become an openly maintained distribution, in the spirit of GNU/Linux.
During 1994 and 1995 Debian released 0.9x versions and was sponsored by the [Free Software Foundation](https://fsf.org).
During this time Ian Murdock would delegate the base system and core package management to Bruce Perens, while Murdock focused on the management of the growing project.
In 1996 dpkg was already an essential part of Debian and Bruce Perens got the project leadership.
He was a controversial leader and drafted the Debian Social Contract.
During this time the Free Software Foundation would pull their sponsorship for the project.
And Perens would go on to create the organization "[Software in the Public Interest](https://spi-inc.org)".
He also wrote BusyBox to make it possible to have a Debian installer on a single floppy drive.
From 1999, the project leader was elected yearly.
The number of applicants was overwhelming, and the project established the new member process.
After this Debian slowly evolved into what it is today.
## Packages, Branches and Branding
Package management on Debian is done mainly through APT, the "Advanced Packaging Tool".
Although there are loads of alternative methods and apt GUI frontends.
APT uses dpkg under the hood, and this dpkg is the program responsible for managing all installed packages.
As long as snap, flatpak, (home)brew or any other alternative package manager isn't installed beside it.
Those examples however are often installed in conjunction with whatever package manager your distro of choice is.
Because they install either in their own segregated environment.
Or with all dependencies bundled and binaries that are statically linked.
The official Debian repos have several "areas" and only the free one is enabled by default.
The DFSG/Debian Free Software Guidelines define what is and isn't free software in this context.
But it's pretty trivial to add the *non-free* and *contrib* areas for installing official packages that may not be entirely free and open source.
The non-free contains packages that doesn't comply with the DFSG.
And contrib contains packages that do comply, but fail other requirements, like depending on non-free packages.
The Debian "swirl" logo is said to represent [magic smoke](https://en.wikipedia.org/wiki/Magic_smoke).
## Development and Features
Debian is available in 75 languages with widely varying support.
The installer itself is available in 76 languages.
As of 2022 anyway.
## Derivative works
As of writing, Aug. 18th 2022, [DistroWatch](https://distrowatch.com) lists 118 active Debian based distros.
And 404 also counting discontinued Debian based distros.
Debian GNU/kFreeBSD only had one official stable port with the release of Debian 7.0 (Wheezy).
That would of course be Debian with GNU user land utilities using the FreeBSD kernel.
And Debian GNU/Hurd using the GNU Hurd microkernel.
It has been developed since 1998, but has never had an official Debian release.
Still it's maintained and developed as an unofficial port.
In my opinion [Devuan](https://devuan.org) is the best Debian fork, but that may just be the systemd hate speaking.
It has been mirroring Debian since 2017, but with systemd removed and sysvinit, runit or openrc as supported init system alternatives.
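Review bot: the new description introduces a typo, "relaiable" should be "reliable" (the old line had "spesifically"). Grammar in the body: "It's unstable rolling release branch" should be "Its"; "That document outlining, the Debian founder, Ian Murdock's view for the Debian OS." is a fragment, e.g. "That document outlines Debian founder Ian Murdock's vision for the Debian OS."; "The non-free contains packages that doesn't comply" should be "don't comply"; "Most notably Ubuntu." should join the preceding sentence. The derivative-works claim that Debian GNU/kFreeBSD "only had one official stable port with the release of Debian 7.0" should cite a source, as the page cites sources for every other historical claim.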


@ -0,0 +1,66 @@
---
date: 2022-08-18T03:10:27Z
draft: false
aliases: []
categories: ['documentation', 'various']
series: ['apprentice']
tags: ['various', 'useful']
chroma: true
toc: true
title: Linux Desktop Password Reset
description: Simple guide to reset the password on Linux machines to which you have physical access to the disk.
---
Hacking stuff is usually pretty trivial.
As long as you've got physical access that is.
And here I'll instruct you on how to reset passwords on a Linux installation.
Either by booting a live ISO.
Or by plugging the drive with the installation you'd like to reset some password(s) on into another Linux machine.
Realistically, repairing a broken installation is pretty similar.
Although be aware that setting up the chroot may require additional steps.
And actually fixing it would be harder than just running passwd in chroot on the installation.
## Setup
For passwd we don't need any fancy setup, we just need the rootfs mounted, chroot into it and run passwd.
Run "lsblk" to identify the disk you'll need to mount.
Then mount it to /mnt.
Some distros have software that can mount drives automatically to some media folder.
This is fine for passwd, but for system repair operations you'd want to unmount that if it happens and do the whole setup manually.
For a system repair chroot setup use these additional mounts to make sure tools interacting with the system work.
Assuming you mounted the rootfs and potentially the boot/EFI partition to /boot or /boot/efi.
{{< highlight sh >}}mount -R /sys /mnt/sys
mount -R /dev /mnt/dev
mount -B /run /mnt/run
mount --make-rslave /mnt/sys
mount --make-rslave /mnt/dev
mount --make-slave /mnt/run
mount --types proc /proc /mnt/proc
{{< /highlight >}}
The options -R and -B for mount are short hands for \-\-rbind and \-\-bind.
## Fixing
For doing the password reset or other operations on the installation other than simple file edits, you just chroot into the installation.
{{< highlight sh >}}chroot /mnt /bin/bash{{< /highlight >}}
You may also specify a new shell or one command with options to run in the new root after the path of the root.
Also \-\-groups with group names and \-\-userspec with names or IDs of the main user and group to use during the chroot.
Usually you'd want to just chroot using the root user.
And to all the stuff you need to.
Like the password reset!
{{< highlight sh >}}passwd{{< /highlight >}}
And then exit the chroot shell and proceed with the cleanup before rebooting into the fixed installation.
{{< highlight sh >}}exit{{< /highlight >}}
## Cleanup
Run "umount \-\-recursive" on the rootfs mount point as root.
{{< highlight sh >}}umount -R /mnt{{< /highlight >}}
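Review bot: the procedure only works on an unencrypted root filesystem, and since the page opens with "Hacking stuff is usually pretty trivial. As long as you've got physical access", the Setup section should say explicitly that full-disk encryption (LUKS) is what defeats it, and that an encrypted root has to be opened with cryptsetup before the mount step and closed again after `umount -R /mnt`. The Setup section also tells the reader to "mount it to /mnt" without showing the command, while the repair mounts that follow assume it is there; a `mount /dev/sdXn /mnt` line with a placeholder device would complete the steps. `mount --types proc /proc /mnt/proc` works, but `mount -t proc proc /mnt/proc` is the usual form, the source argument being ignored for proc. In the Fixing section, "And to all the stuff you need to." should be "And do all the stuff you need to."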


@ -1,12 +1,59 @@
--- ---
date: 2022-06-07T07:14:28Z date: 2022-06-07T07:14:28Z
draft: true draft: false
aliases: [] aliases: []
categories: ['various'] categories: ['documentation', 'networking']
series: [] series: ['apprentice']
tags: ['various'] tags: ['net', 'os']
toc: true toc: true
title: Meraki title: Meraki
description: Cisco Meraki basics and captive portal setup description: Cisco Meraki basics and captive portal setup
--- ---
Meraki is Cisco's cloud managed networking solution.
It has everything and more than what most people would need.
But of course me being me, I don't like my infrastructure being managed by cloud services.
I did however work a little with Meraki at SkyLabs, and was pleasantly surprised.
After having a couple very bad experiences with our Mikrotik setup script.
Setting up a Meraki access point with our captive portal service was super easy!
## Captive portal setup
As mentioned the captive portal setup on Meraki is relatively simple.
And with a little luck the only 100% necessary configuration options would be just a "splash page URL" and RADIUS.
And if the captive portal ain't responsible for authenticating people you could probably get away with just the splash page URL.
But RADIUS is needed for actual captive portal authentication.
### Access control
Even having a captive portal setup makes it incompatible with certain other options.
And I think Meraki is a bit excessive with the limitations here.
##### Network access
For the "Network access" you'd likely want it to be "Open", but if not.
PSK, aka normal password is your only option for adding additional auth requirements.
##### Splash page
Set security to; Sign-on with "my RADIUS server".
###### Advanced splash
In here there are a few options you may want to change that changes the behavior of the captive portal hot-spot.
Such as limiting users to being logged in with one device only.
If users are allowed through if the box/access point can't connect to Meraki Cloud.
The "Captive portal strength", this lets you allow non-HTTP traffic before captive portal login.
And last, but definitely not least.
The Walled garden, walled garden lets you have a list of allowed IPs that may be connected to before authorization.
##### RADIUS
For RADIUS you'll need the IP and RADIUS secret for the server.
Default RADIUS ports are 1812 for authentication and 1813 for RADIUS accounting.
### Other options
There is also a separate Meraki dashboard page specific for "Splash page" options.
In there you'd put your "Custom splash URL", although you may also manage a Meraki provided captive portal there.
## Caveats
One thing that's kinda annoying about Meraki however is its RADIUS client.
Meraki uses cloud based RADIUS clients, so from our side, we can only differentiate between them by the data that's sent.
This has caused us to add some extra limitations on Meraki setups using our captive portals.
Ain't too bad, but for RADIUS accounting to work it kinda gets ugly.
And we would need RADIUS accounting for our paid SMS login.
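Review bot: heading levels skip from `### Access control` to `##### Network access` and `###### Advanced splash`; use `####` for Network access, Splash page and RADIUS and `#####` for Advanced splash so the toc (`toc: true`) nests correctly. "Set security to; Sign-on with "my RADIUS server"." should read "Set security to "Sign-on with my RADIUS server"." The Caveats section says Meraki's cloud RADIUS clients can only be told apart by the data they send; stating which attribute you key on (e.g. NAS-Identifier or Called-Station-Id) would document the extra limitations you mention and make clear whether one shared secret ends up covering every Meraki network.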


@ -1,16 +1,104 @@
--- ---
date: 2022-06-08T10:34:42Z date: 2022-06-08T10:34:42Z
draft: true draft: false
aliases: [] aliases: []
categories: ['various'] categories: ['documentation', 'networking']
series: [] series: ['apprentice']
tags: ['various'] tags: ['net', 'os']
chroma: false
toc: true toc: true
title: Mikrotik title: Mikrotik
description: Mikrotik routers has a lot of wierd stuff builtin, here is some of that description: Mikrotik routers has a lot of wired stuff builtin, here is some of that
--- ---
# Full disk problem Mikrotik produces networking equipment and software.
In 2021, they were the 3rd largest and first private company to reach a value above 1B EUR in their home country Latvia.
While their RouterOS has a terrible track record of getting hacked.
It has a load of cool and useful features built right in.
And all those ROS devices that constantly get hacked do so because of known vulnerabilities that would have been patched if only the devices where being updated on a regular basis.
## SkyLabs Mikrotik misadventures
Since Mikrotiks are the most used and best supported equipment for our services.
I got to work a lot with them when I wasn't programming or managing servers.
So here is a collection of some problems I encountered along the way working with SkyLabs Mikrotik boxes.
### Status script
The one story of me messing up big time as an apprentice is related to this piece of :poop: Mikrotik script.
It works quite simple, it's supposed to run every 5 minutes, although I've seed boxes that used to run it every single minute until I came and updated the things.
For each time it runs it collects all sorts of information about the box that runs it and then reports it to our API.
The thing that went wrong tho is a perfect example of how unpredictable simple changes can be.
It was upgrading nginx from 1.18 to 1.22.
That caused requests not properly URL encoded to get a 400 response.
As you'd expect, right?
But, as it turned out these status scripts on all the boxes didn't do so...
And when all our servers run fail2ban it meant those boxes got IP banned.
Causing the whole captive portal to stop working on those affected.
Interestingly a whole partners setup was fine, and the reason was a slight difference in the script.
The way those boxes got their RouterOS version, it got just the number.
While the standard version of the script also got the "branch", stable/long-term/beta.
I had two drafts of solution scripts so that we could upgrade nginx.
The first one had an inline for loop that would URL encode the string for the URL path with all the parameters the script sends to the API.
The other one just passed all the parameters in the HTTP body instead of the HTTP head of the request.
Completely bypassing the need for URL encoding.
Of course the second option there is the best for several reasons.
But the biggest one for us would have to be the fact that hotspot name is passed.
And that would be user input.
Never trust it.
### Full disk problem
The built-in drive on the boxes may get filled up by hidden files... The built-in drive on the boxes may get filled up by hidden files...
There exists an official [fix_space](https://www.mikrotik.com/download/share/fix_space.npk) package, but finding that was a little adventure in itself reading through old forum threads from 2018... There exists an official [fix_space.npk](https://www.mikrotik.com/download/share/fix_space.npk) package, but finding that was a little adventure in itself reading through old forum threads from 2018...
I also managed to mess up a SkyLabs box using that package.
Probably just because we did it remote.
It's kinda funny, actually.
That "fix_spacke.npk", if you look at it in a hex editor.
You'll see that it's got a crazy amount of null bytes, and the most interesting.
A bash script.
This whole problem actually happened to several SkyLabs managed Mikrotiks over the summer of 2022 as we needed to upgrade the SSL certificates on them.
But with the disk full the new certificate would either not even get onto the disk of the boxes or corrupted as the whole certificated could not be written to the disk.
In hindsight, I wonder how the guy updating the certs did it.
As I've updated the status script on all boxes without issue.
## Sniff-sniff!
The first Mikrotik "/tool/sniffer" pcap file I ever inspected was named "sniffsniff".
I found it on a SkyLabs box, it's likely ancient and only had DHCP data if I remember correct.
But that's neither here nor there.
You see I got this interesting task after one of our customers wanted logging and blacklisting.
This was after it was discovered on their end that somebody was using their guest network for hacking attempts.
Specifically SQL injection against a bunch of servers, supposedly mostly Oracle and Amazon ones.
### Skrrting our efforts
So for this I got to see for myself how powerful the Mikrotik sniffer tool actually is.
The plan would be to use the built-in sniffer, find the mac of whoever is doing the naughty stuff.
And then just blacklist by MAC.
Any hacker should be able to just use bogus macs tho.
And if they're extra clever they might even impersonate legitimate users.
That would for sure mess up our blocking efforts big time.
If you ask me the only solution then would be to require captive portal authentication with SMS code.
Or some other one where you have to put in some personal info.
### Implementation
Mikrotik routers or anything running RouterOS have that built-in /tool/sniffer thing.
It can directly output pcap files to a disk, but it also has a streaming option.
But that stream would be using a protocol called [TZSP](https://en.wikipedia.org/wiki/TZSP) or TaZmen Sniffer Protocol.
So I found a neat open source tool written in C called "[tzsp2pcap](https://github.com/thefloweringash/tzsp2pcap)".
It does exactly as the name would imply.
You may read my little guide on it [here](../tzsp2pcap).
So for the capture setup I used this streaming option, so we could store a bunch more packets than directly on the box.
After fiddling around with the filtering options of the /tool/sniffer I ran the tzsp2pcap with screen on our production VPN server with options to write to a new file whenever the current file would reach 1 GB.
Then I just manually moved them to my work computer and the backup server.
If this were going to continue, I'd make some script to automagically move stuff and run that with a cron job once or twice a week.
### Conclusion
I ran the thing over a weekend and then some, but it was all useless.
As the customer in question wanted to resign our services the Monday after we started sniffing...
Was still a fun learning experience tho.
And I got to use Wireshark during work! :grin:
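Review bot: the description change replaces "wierd" with "wired", but the intended word is "weird". In the status-script story, "Completely bypassing the need for URL encoding" holds only if the body is sent as a raw or JSON payload; an application/x-www-form-urlencoded body needs the same percent-encoding as a query string, so say which content type the script uses, and since the hotspot name is user input, as the text itself notes, it should be validated on the API side regardless of where in the request it travels. Other typos: "I've seed boxes" should be "seen", "a whole partners setup" should be "partner's", "the devices where being updated" should be "were", "fix_spacke.npk" should be "fix_space.npk", "if I remember correct" should be "correctly", and "the whole certificated" should be "certificate".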


@ -0,0 +1,42 @@
---
date: 2022-08-18T09:57:34Z
draft: true
aliases: []
categories: ['documentation', 'networking']
series: ['apprentice']
tags: ['net', 'os']
chroma: true
toc: true
title: Tzsp2pcap
description: TaZmen Sniffer Protocol to Packet CAPture utility program.
---
This is a very useful tool when working with Mikrotiks.
As their built-in sniffer tool has support for TZSP (TaZmen Sniffer Protocol) streaming.
This will send all packets that match the filtering options to some destination over TZSP/UDP.
This destination may be some machine running this tzsp2pcap.
Allowing you to get a pcap remotely from a Mikrtoik without touching the Mikrotiks disk.
This is super useful if the box has traffic as the Mikrotik routers usually has a disk with a size in megabytes.
## Using tzsp2pcap
The program has all the options it should.
Allowing you to specify listening port, output file, receive buffer size, output file rotation and some more.
{{< highlight sh >}}# tzsp2pcap -h
tzsp2pcap: receive tazmen sniffer protocol over udp and
produce pcap formatted output
Usage tzsp2pcap [-h] [-v] [-f] [-p PORT] [-o FILENAME] [-s SIZE] [-G SECONDS] [-C SIZE] [-z CMD]
-h Display this message
-v Verbose (repeat to increase up to -vv)
-f Flush output after every packet
-p PORT Specify port to listen on (defaults to 37008)
-o FILENAME Write output to FILENAME (defaults to stdout)
-s SIZE Receive buffer size (defaults to 65535)
-G SECONDS Rotate file every n seconds
-C FILESIZE Rotate file when FILESIZE is reached
-z CMD Post-rotate command to execute
{{< /highlight >}}
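Review bot: the guide shows only the help text; the Mikrotik page says the capture ran on the production VPN server with rotation at 1 GB, so an example invocation using `-p`, `-o` and `-C`, plus the RouterOS side of enabling sniffer streaming toward the listener, would make it usable. Add the caveat that TZSP is plain UDP with no authentication or encryption: the listener accepts datagrams from any source, so the port (37008 by default, per the help output) should be firewalled to the router's address, otherwise the capture can be polluted by anyone who can reach it, and the mirrored traffic crosses the network in the clear unless it rides the VPN. Typos in the intro: "Mikrtoik" should be "Mikrotik", "the Mikrotiks disk" should be "the Mikrotik's disk", and "the Mikrotik routers usually has a disk" should be "have".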


@ -49,5 +49,5 @@ Then it's up to the hosting provider to configure the web server and potentially
Nginx site for hardened WordPress; Nginx site for hardened WordPress;
{{< highlight nginx >}}{{% asset "apprentice/wordpress/nginx.conf" %}}{{< /highlight >}} {{< highlight nginx >}}{{% asset "apprentice/wordpress/nginx.conf" %}}{{< /highlight >}}
Apache virtual host directives for a simillar setup; Apache/LiteSpeed virtual host directives for a simillar setup;
{{< highlight aconf >}}{{% asset "apprentice/wordpress/apache.conf" %}}{{< /highlight >}} {{< highlight aconf >}}{{% asset "apprentice/wordpress/apache.conf" %}}{{< /highlight >}}
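Review bot: "simillar" should be "similar"; it survives in the changed line. "Apache/LiteSpeed" implies the included asset works unchanged on both; since the `aconf` snippet itself is not in this hunk, a short note on which of the two it was actually tested on would help readers copying it.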