Tuesday 16 December 2014

Comparing Traffic Policing and Traffic Shaping for Bandwidth Limiting - Cisco

Comparing Traffic Policing and Traffic Shaping for Bandwidth Limiting - Cisco:



'via Blog this'

Monday 24 November 2014

Friday 21 November 2014

Tor project key expired in BackBox

I use BackBox Linux quite a lot to check for issues in local systems that I look after.
Went to update it today, after not using it for a while, to find that the signing GPG key for the Tor project had expired and I couldn't download updates for that part.

Found the answer here:
https://trac.torproject.org/projects/tor/ticket/12994

These commands fixed it for me:
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Saturday 15 November 2014

Chrome no longer the quickest browser?

Did some totally unscientific web browser speed testing using Peacekeeper:



I got the following results (best to worst):

  • 4632 Firefox Nightly v36.0a1(2014-11-14)
  • 4379 Firefox Nightly v36.0a1(2014-11-14)
  • 3920 Chrome v39.0.2171.62 
  • 3709 Maxthon v4.4.1.5000
  • 3319 Firefox v33.1 **
  • 3306 Firefox v33.1.1 **
  • 3194 SeaMonkey v2.30
  • 2276 Internet Explorer v11.0.14 *

Totally unscientific means there was no control over that which was running in the background, the tests were only done once with no averaging and some of the browsers are beta or dev versions rather than all being stable versions.

Firefox and Firefox Nightly were tested twice as there were updates waiting, so I carried out one test before the update and one test after.

I was surprised IE11 was last, but it noticeably struggled in the Canvas tests in particular.

The following problems were encountered:

  • * Internet Explorer 11 does not support Theora or WebM videos
  • ** Firefox stopped and issued a script warning on Dcom Tree page and the scripts had to be stopped for the test to continue

Test machine was an HP ProBook 4740s running Windows 8.1 with all current patches.


Thursday 13 November 2014

How to downgrade your Z10 back to the carrier supplied OS

Re: BB10/Z10 OS downgrade - BlackBerry Support Community Forums:



How to downgrade your Z10 back to the carrier supplied OS.



'via Blog this'

Saturday 25 October 2014

How to install Numix GTK Theme and Icons on Ubuntu 14.10 | Ubuntu Tutorial and How To

How to install Numix GTK Theme and Icons on Ubuntu 14.10 | Ubuntu Tutorial and How To:



'via Blog this'

13.10 - Chrome won't start from the launcher - Ask Ubuntu

13.10 - Chrome won't start from the launcher - Ask Ubuntu:

For me in 14.10 using 39.0.2171.36 beta (64-bit), a Chrome extension, Google Mail Checker Plus Classic, had created a google-chrome.desktop entry in ~/.local/share/applications.

I renamed this to google-chrome.mailchecker.desktop, logged out and then in, and my launcher worked again.
'via Blog this'

Ubuntu 14.10 Install VirtualBox Guest Additions

I've had reasonable results with Ubuntu running under VirtualBox by using the repository VirtualBox Guest utilities.

Install Synaptic from a terminal using:
$ sudo apt-get install synaptic
Once installed, run synaptic using:
$ sudo synaptic
Search for the package virtualbox-guest-utils and select it for installation. It will a few other packages for installation, and after a reboot it will be fine.

You can get some more up to date utils by installing from the ISO image, but this requires installing some pre-requisites first.

You can find that info here:
http://virtualboxes.org/doc/installing-guest-additions-on-ubuntu/
I haven't tested this for a while, but you need the following pre-requisite packages:
  • build-essential
  • module-assistant
You also need to prepare the system to build modules using:
sudo m-a prepare
You can also avoid rebuilding modules manually by installing dkms.

Ubuntu 14.10 Fast TSC Calibration Failed

This seems to be a fairly cosmetic issue, and I found a partial answer here:
https://stackoverflow.com/questions/18055593/fast-tsc-calibration-failed

For me, the timer output type was acpi_pm:

$ cat /sys/devices/system/clocksource/clocksource0/available_clocksource
acpi_pm
I edited /etc/default/grub using:
$ sudo vi /etc/default/grub
I changed:
GRUB_CMDLINE_LINUX=""
To:
GRUB_CMDLINE_LINUX="clocksource=acpi_pm" 
I then regenerated the grub.cfg using:
$ sudo grub-mkconfig -o /boot/grub/grub.cfg
After a reboot all was good.

Ubuntu 14.10 Desktop Released

Get it here:
http://www.ubuntu.com/download/alternative-downloads

Release notes:
https://wiki.ubuntu.com/UtopicUnicorn/ReleaseNotes

LibreOffice 4.3.2 Released

Get it here:
https://www.libreoffice.org/download/libreoffice-fresh/?type=win-x86&version=&lang=en-GB

Release notes:
https://www.libreoffice.org/download/release-notes/

LibreOffice 4.3.2 (2014-09-25) - Fresh Branch


This is the third release from the 4.3 branch of LibreOffice which contains new features and program enhancements. As such, the version is stable and is suitable for all users. This version may contain a few annoying bugs which will be fixed in the next bugfix versions to come.

General notes on features and enhancements are contained in this release. For a detailed list, please check our complete release notes here.

The following notes apply:
  • This release is bit-identical to 4.3.2 Release Candidate 2 — you don't need to download or reinstall if you have that version already.
  • This version still contains a few annoying bugs, as listed here.
  • quickstarter on windows has been removed.

General notes/notes from the 4.3 line:
  • Mac version doesn't bundle the MediaWiki extension.
  • The distribution for Windows is an international build, so you can choose the user interface language that you prefer.
  • Help content is available via an online service, or alternatively as a separate install.
  • Our Windows binaries are digitally signed by The Document Foundation.
  • For Windows users that have Apache OpenOffice installed, we advise uninstalling that beforehand. The two programs register the same file type associations and will conflict when the Quickstart feature is installed and enabled.
  • If you run Linux, the GCJ Java variant has known issues with LibreOffice; we advise to use OpenJDK instead.
  • Some menu entries have changed or been added. If something appears to be missing, that may be due to the use of customized menu settings from your previous LibreOffice installation.

Saturday 12 July 2014

Install CentOS 7 Into VirtualBox

1. Create VM
  • 16GB Dynamic Drive
  • 2 vCPU
  • 2GB RAM
  • PAE
  • 128MB Video
  • 3D Acceleration

2. Install OS
  • Attach DVD Image
  • Start VM
  • Right-Ctrl is the default host key (to free mouse and keyboard)
  • Test Media (Optional) or Install
  • Choose Language 
  • Software Selection - Development and Creative Workstation
  • Installation Destination - Select disk and automatic partitioning
  • Network and Hostname - Enable and configure required NIC and Hostname
  • Begin Installation
  • Set root password
  • Create your non-root user (make user administrator)
  • Wait :)
  • Reboot
  • Accept license
  • Finish configuration
  • Configure Kdump
  • Logon

3a. Patch (GUI)
  • You only need to do 3a. or 3b. not both as for all the following (a) and (b) sections.
  • Need to update before compiling Guest Additions else newly downloaded software will not match existing versions
  • Applications > System Tools > Software Update
  • Install Updates
  • Reboot

3b. Patch (CLI)
  • sudo yum update
  • Reboot
Sections 4 and 5 are optional - There are no RHEL\CentOS7 DKMS modules available yet, but I have left these sections in for reference.

4a. Add RPMForge repo (GUI)

4b. Add RPMForge repo (CLI)

5. Install DKMS
  • sudo yum install dkms

6. Install development tools
  • sudo yum groupinstall “Development Tools”
  • sudo yum install kernel-devel

7. Install Guest Additions
  • There appears to be a bug with building the additions from the addition CD
  • Details here: https://www.virtualbox.org/ticket/12638
  • Matthew Casperson has kindly made a patched version in his blog 
  • Download
  • Extract using bunzip2
  • Extract using tar
  • Install using sudo ./install.sh

Friday 13 June 2014

LVM2 file systems on Linux

1. Create a partition to hold the LVM2 file system. You can use the whole disk, but this is not recommended. You can use fdisk on disks smaller than 2TB, but will need to use parted on larger disks.
Make sure you use partition type 0x8e for LVM.

2. Create the physical volume:
sudo pvcreate /dev/sdb1
sudo pvscan 

3. Create the volume group:
sudo vgcreate volume_group_name /dev/sdb1
sudo vgdisplay volume_group_name

5. Create a 500 MB volume:
sudo lvcreate -L500 -nvolume_name volume_group_name
sudo lvdisplay volume_group_name

6. Make a file system:
sudo mkfs -t ext4 /dev/mapper/volume_group_name-volume_name

7. Create a mount point:
sudo mkdir /path_to_mount

8. Mount file system:
sudo mount /dev/mapper/volume_group_name-volume_name /path_to_mount

Tuesday 10 June 2014

Post Heartbleed security advisory

https://www.openssl.org/news/secadv_20140605.txt



6 New Vulnerabilities:



OpenSSL Security Advisory [05 Jun 2014]
========================================

SSL/TLS MITM vulnerability (CVE-2014-0224)
===========================================

An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and 
modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
researching this issue.  This issue was reported to OpenSSL on 1st May
2014 via JPCERT/CC.

The fix was developed by Stephen Henson of the OpenSSL core team partly based
on an original patch from KIKUCHI Masashi.

DTLS recursion flaw (CVE-2014-0221)
====================================

By sending an invalid DTLS handshake to an OpenSSL DTLS client the code
can be made to recurse eventually crashing in a DoS attack.

Only applications using OpenSSL as a DTLS client are affected.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.  This
issue was reported to OpenSSL on 9th May 2014.

The fix was developed by Stephen Henson of the OpenSSL core team.

DTLS invalid fragment vulnerability (CVE-2014-0195)
====================================================

A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Only applications using OpenSSL as a DTLS client or server affected.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

Thanks to Jüri Aedla for reporting this issue.  This issue was
reported to OpenSSL on 23rd April 2014 via HP ZDI.

The fix was developed by Stephen Henson of the OpenSSL core team.

SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
=================================================================

A flaw in the do_ssl3_write function can allow remote attackers to
cause a denial of service via a NULL pointer dereference.  This flaw
only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is
enabled, which is not the default and not common.

OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public.  The fix was developed by
Matt Caswell of the OpenSSL development team.

SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
===============================================================================
 
A race condition in the ssl3_read_bytes function can allow remote
attackers to inject data across sessions or cause a denial of service.
This flaw only affects multithreaded applications using OpenSSL 1.0.0
and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the
default and not common.

OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public.  

Anonymous ECDH denial of service (CVE-2014-3470)
================================================

OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
denial of service attack.

OpenSSL 0.9.8 users should upgrade to 0.9.8za
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

Thanks to Felix Gröbert and Ivan Fratrić at Google for discovering this
issue.  This issue was reported to OpenSSL on 28th May 2014.

The fix was developed by Stephen Henson of the OpenSSL core team.

Other issues
============

OpenSSL 1.0.0m and OpenSSL 0.9.8za also contain a fix for
CVE-2014-0076: Fix for the attack described in the paper "Recovering
OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
Reported by Yuval Yarom and Naomi Benger.  This issue was previously
fixed in OpenSSL 1.0.1g.


References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20140605.txt

Note: the online version of the advisory may be updated with additional
details over time.
'via Blog this'

Saturday 7 June 2014

How to install CentOS into VirtualBox (Including Guest Additions)

1. Create VM
  • 16GB Dynamic Drive
  • 2 vCPU
  • 2GB RAM
  • PAE
  • 128MB Video
  • 3D Acceleration


2. Install OS
  • Attach DVD Image
  • Start
  • Test Media (Optional)
  • Right-Ctrl is the default host key (to free mouse and keyboard)
  • Basic storage devices
  • Use All Space
  • Desktop Install
  • Create your non-root user
  • Put this user in wheel group so they can use sudo
  • Use su - and then visudo to uncomment wheel group in sudoers


3. Configure network
  • Network cards are unconnected by default
  • Connect using network manager (right-click icon at top of screen and edit connection)
  • If you need to clone VM, remove or edit network card entry in /etc/udev/rules.d/70-persistent-net.rules and remove card in Network Manager


4a. Patch (GUI)
  • You only need to do 4a. or 4b. not both!
  • Need to update before compiling Guest Additions else newly downloaded software will not match existing versions
  • System > Administration > Software Update
  • First update to update the updater
  • Second update to update the OS
  • Reboot


4b. Patch (CLI)
  • sudo yum update
  • Reboot


5a. Add RPMForge repo (GUI)


5b. Add RPMForge repo (CLI)


6a. Install DKMS (GUI)
  • System > Administration > Add/Remove Software
  • Search for dkms
  • Install accepting dependencies


6b. Install DKMS (CLI)
  • sudo yum install dkms


7a. Install development tools (GUI)
  • System > Administration > Add/Remove Software
  • Expand Development and then expand Development tools
  • Select all packages and then apply


7b. Install development tools (CLI)
  • sudo yum groupinstall “Development Tools”


8a. Install Guest Additions (GUI)
  • Insert Guest Additions CD image (Devices > Insert Guest Additions CD Image…)
  • Click Open Autorun Prompt > OK > Run
  • Eject CD
  • Reboot


8b. Install Guest Additions (CLI)


  • Insert Guest Additions CD image (Devices > Insert Guest Additions CD Image…)
  • Cancel pop-up
  • cd /media/VBOXADDITIONS_4.x.xx_xxxxx/
  • sudo ./VBOXLinuxAdditions.run
  • cd /
  • Eject CD

  • Reboot

Fun with file systems

I've identified a need to replicate some file system information in Linux for a number of reasons:

  1. Primary to secondary site for DR purposes
  2. As above but with file locking for limited live-live operation
  3. As above but with record locking for full live-live operation (thinking SAMBA shares here)
I've identified a number of file system features that will let me do this, so I'm going to have a geeky day looking at them:
  1. B-tree file system (BTRFS)
  2. Logical volume manager (LVM)
  3. A. N. Other cluster file system
I think BTRFS is going to be to slow for virtual machines, and LVM has the advantage of running different file systems inside the container sysyem. The might be other options such as rsync but I would really like the solution to be as independent of the applications being replicated as possible (don't want to run rsync in a virtual machine for example).

Any suggestions greatly received, but I'm off to get CentOS in Oracle VM VirtualBox installed for a starting point.

Saturday 10 May 2014

Maxthon Labs Private Beta

I've been test Maxthon browser for quite some time and I find it feature rich with some good Desktop to Mobile synchronisation capabilities. Apparently they are working on a new product in prvate beta. Want a chance to try it? http://lnc.hr/x6WaV

Sunday 13 April 2014

0000430: OpenVAS GreenBone Security Assistant (webUI) - MantisBT

0000430: OpenVAS GreenBone Security Assistant (webUI) - MantisBT: "texlive-latex-extra"

Had problems getting Greenbone Security Assistant OpenVAS in BackLinux v3.13 producing reports in PDF format.

Found a Kali Linux bug indicating that the package texlive-latex-extra had to be installed in order to produce PDF reports.

It's an extra 650MB+ of stuff to install but it did fix the PDF report issue.

'via Blog this'

How to change the port and IP for Greenbone OpenVAS on BackLinux

By default, Greenbone OpenVAS on BackLinux v3.13 listens on port 9293 on the loopback address (127.0.0.1).

To change this, edit the /etc/default/greenbone-security-assistant and change the GSA_ADDRESS and GSA_PORT lines.

Changing these to 0.0.0.0 and 443 respectively, will make the GUI available on the standard HTTPS port. You'll only be able to do this as long as your have nothing else listening on that port.

You can confirm what ports are in use by using netstat -ant.

Wednesday 9 April 2014

BASH script to wrap around Heartbleed scanner

The following script wraps around the Heartbleed scanner talked about in the previous post to scan all IP addresses within a file and output the results to a log.
I know it's basic, but it works - I'd be very happy if someone could come up with a script that would accept a subnet in CIDR format and scan all IP's with that subnet. Something like "hbscan 172.16.1.0/24"

Step-by-step:

  1. Create a ~/heartbleed
  2. Copy the Heartbleed binary into the folder created at (1)
  3. Copy the script below into the ~/heartbleed direcotry and call it something like hbscan
  4. Make hbscan runnable (chmod 755 hbscan)
  5. Copy file(s) containing the IP addresses you wish to scan into ~/heartbleed
  6. Create a ~/heartbleed/scans directory
  7. Scan the networks using './hbscan filewithips'
Here's the script I used:

#!/bin/bash
E_BADARGS=65
logs=~/heartbleed/scans
today=`date +%F`
if [ -z "$1" ]; then
  echo " Usage: `basename $0` list"
  exit $E_BADARGS
fi
if [ ! -d $logs/$today ]; then
  echo "[*] Creating $logs/$today"
  mkdir $logs/$today
fi
hosts=$1
touch $logs/$today/$hosts
while read -r host
do
  echo "[*] Scanning $host..."
  ~/heartbleed/Heartbleed $host 2>> $logs/$today/$hosts
done < $hosts
echo "[*] Scans completed."


That script was frankenstiened from:
http://www.commondork.com/2013/07/06/bash-script-to-scan-subnets-with-nmap/

Heartbleed scanner on Ubuntu

This works for Ubuntu.

1.Install Bazaar and Go v1.0 (required for godeb):
sudo apt-get install bzr
sudo apt-get install golang

2. Install godeb (required for Go 1.2):
mkdir ~/gopath
GOPATH=~/gopath
export GOPATH
cd $GOPATH
go get launchpad.net/godeb
sudo apt-get remove golang
sudo apt-get autoremove

3. Install godeb (required forGo 1.2)
sudo bin/godeb install

3. Get and compile Heartbleed:
go get github.com/FiloSottile/Heartbleed
go install github.com/FiloSottile/Heartbleed

4. Run it:
bin/Heartbleed serverip[:port]

Here is a BASH script you can use to scan a list of IP addresses instead of a single one:
http://blog.thefoleyhouse.co.uk/2014/04/bash-script-to-wrap-around-heartbleed.html

Thursday 20 March 2014

Upgrade Bitcoin to v0.9.0

Bitcoin v0.9.0 is out, now with an x64 version for Windows. You should probably upgrade if you don't want to lose your billions in Bitcoins?
https://github.com/bitcoin/bitcoin/blob/master/doc/release-notes/release-notes-0.9.0.md

Monday 24 February 2014

Brightness control from Linux using grub parameter

Brightness on my HP Probook 4740s requires a Grub parameter to work properly.
Edit /etc/defaults/grub to add "acpi_backlight=vendor acpi_osi=Linux" to the GRUB_CMDLINE_LINUX_DEFAULT line.
Then run "grub-update".
Thanks:
http://forums.opensuse.org/showthread.php/485869-OpenSUSE-brightness-control-problem-on-HP-ProBook-4740s

Thursday 6 February 2014

Securing SQL Server connections with a certificate

I had an issue trying to get a SQL server to use a certificate to secure a connection with SSL.
The certificate was selected in SQL configuration manager but when the SQL service was restarted, it would fail with an EventID 26104 indicating it couldn't read find the certificate.

After a bit of googling, I found this:
http://nickstips.wordpress.com/2010/09/08/sql-ssl-and-sql-server-2008-service-doesnt-start-error-code-2146885628/

Turns out, if you run your SQL server under a non-privileged account as per best practice, the account can't read the private key of the certificate.

Altering the certificate permissions to allow your SQL server to read the certificate private key allows the SQL server to start.

Sunday 26 January 2014

Citrix Receiver 13 on Linux

Seems to be quite broken on any form of Ubuntu, but I have managed to install on Fedora 20 i686 (Mate) with some success:
sudo yum install libpng12 xerces-c
sudo rpm -Uvh ICAClient-13-0.0.256735-0.i386.rpm ctxusb-2.4.256735-1.i386.rpm
cd /opt/Citrix/ICAClient
./selfservice

Saturday 25 January 2014

Backup or move your Google data

https://www.google.com/takeout allows you to backup or move your Google data. Visit the site, sign-in and then choose what to archive and in what format.

I was surprised to learn that I've got 8GB, but that is all my emails, attachments, videos etc.

The data will be available as a downloadable archive, but you can visit the site again in the future as required.

Java 7 update 51 blocks Citrix receiver for Java

Reports of users being unable to use the Java client for Citrix from Citrix Access Gateway (CAG) are caused by a security update Oracle have applied to Java.

Information available from the Citrix forums here:
http://discussions.citrix.com/topic/346128-java-7-update-51-due-for-release-in-january-2014-will-block-receiver-for-java-101/

Citrix have release a patched version (v10.1.007) which is available here:
http://www.citrix.com/downloads/citrix-receiver/other-platforms/receiver-for-java-101.html