Mar 21

Linux: Mounting file as a partition

Reading time: < 1 minute When we have a file with a 'dd' of a full disk and we want to mount a partition of that disk, we have to use an offset for jumping to the beginning of the partition that we want to mount. Using 'fdisk' command we can find the partitions of that disk copied inside a file.
fdisk -l FILE_WITH_DISK_INSIDE

Once partition table is shown there is a column called ‘Start’ using the corresponding number in this column for the partition that we want we can obtain the offset required for our mounting point. Reasoning behind that is multiply start sector per number of bytes per sector.

# OFFSET = START * 512
mount -o ro,loop,offset=OFFSET FILE_WITH_DISK_INSIDE /mnt

I hope thanks to this technical note next time that I forget how to get the offset I find it fastly.

Jan 24

ngrok – service which solve services behind NAT issues

Reading time: < 1 minute This is another short entry, in this case for recommending a service which we solve typical problem solved using a DNAT. Once we have a service on our laptop, or on a private server and we have to expose that service on the internet for some time or permanently usually we have to go the firewall, or router and create a NAT rule forwarding a port. This is a simple and powerful service which is going to solve that for you. There is a free account for understanding and testing the service, other plans are available and especially affordable for professional requirements.

ngrock.com

I was frogetting to say it’s compatible with Linux, Windows and Mac.

May 05

Spark Post: Mail relay host for mailings

Reading time: 1 – 2 minutes

This is going to be a very short post entry, I just want to refer a very interesting mail relay (smart host) which define itself like:

Email delivery services built for developers, by developers
Combined with your language of choice, using the power of our robust cloud API couldn’t be easier.

Open a SparkPost account today and send up to 100.000 emails per month for free. The best is you can do using SMTP or using a REST API; really nice easy to use an powerful control dashboard simplify externally keys management, statistics, templates for mailings, and many more features.

Personally I love the service because is extremely useful to be configured on SSMTP service of Linux as a default relay host, for personal and professional use. Another use could be to check end-to-end mail services.

Personally I love the service, and if you want to send really big mailings theirs costs are very competitive. 

Apr 28

Upgrading Redmine in a nutshell

Reading time: 1 – 2 minutes

I use Redmine to track my personal projects, and every time that I have to update I have to re-read the full upgrading page which is long and full of exceptions. So I decided to write my own reduced cookbook to solve that. FYI I’m using Ubuntu 16.04, Apache2, MySQL and Passenger for running Redmine. 

Being root user run:

  • backup MySQL database
  • download new redmine package and unpack in /var/www
  • change ‘redmine’ soft link to new folder
  • copy old files and directories overwriting the new ones:
    config/database.yml
    config/configuration.yml
    files/
    plugins/
  • locating work directory on new redmine folder, run:
    bundle install --without development test
    bundle exec rake generate_secret_token
    bundle exec rake db:migrate RAILS_ENV=production
    bundle exec rake redmine:plugins:migrate RAILS_ENV=production
    bundle exec rake tmp:cache:clear tmp:sessions:clear RAILS_ENV=production
  • restart apache server
Apr 25

ncdu: Analyze disk usage in Linux

Reading time: < 1 minute Some time ago I found a ncurses based tool very small easy and useful to get a very fast and easy way to analyze disk usage in linux. This entry is just to remember the name of that tool because I always forget its name.

Ncdu is a disk usage analyzer with an ncurses interface. It is designed to find space hogs on a remote server where you don’t have an entire graphical setup available, but it is a useful tool even on regular desktop systems. Ncdu aims to be fast, simple and easy to use, and should be able to run in any minimal POSIX-like environment with ncurses installed.

A screenshot is always useful:

Aug 29

Internet fail over connection with Mikrotik

Reading time: 2 – 4 minutes

Based on my home configuration I’m going to describe how to set up a Mikrotik to manage fail over Internet connection. Next schema describes a Mikrotik gateway with two internet connections (GUIFI and SS). Assuming GUIFI as a default Internet connection periodic checks on Google DNSes (8.8.8.8 and 8.8.4.4) will allow to know when it’s good to change the default route.
internet-failover

 

If you have some Linux routing background it will be easier to understand the configuration. Main idea is use policy routing tables and mark packets to use one table or other. In my case I have two routing tables GUIFI and SS, and of course, the default gateway of each of those tables is the gateway indicated in the schema.

First step is take care about the routes for hosts to monitor; using GUIFI connection will be checking connectivity to 8.8.8.8 and using SS the monitored host will be 8.8.4.4.

/ip route
add dst-address=8.8.8.8 gateway=172.29.2.1 scope=10
add dst-address=8.8.4.4 gateway=172.29.1.1 scope=10

Second step is configure two routing tables, those routes will check Internet hosts availability. Routes are resolved recursively (more info), and will be active only if any host is pingable.

# routing table for GUIFI
/ip route
add distance=1 gateway=8.8.8.8 routing-mark=GUIFI check-gateway=ping
add distance=2 gateway=8.8.4.4 routing-mark=GUIFI check-gateway=ping
# routing table for SS
/ip route
add distance=1 gateway=8.8.4.4 routing-mark=SS check-gateway=ping
add distance=2 gateway=8.8.8.8 routing-mark=SS check-gateway=ping

Routing table looks like that:

routing-table

Next step will be create marking rules in the firewall:

# next rule mark all LAN traffic (10.2.0.0/26) before routing
# it'll be processed by routing table GUIFI
# it makes GUIFI the default Internet connection 
/ip firewall mangle
add action=mark-routing chain=prerouting comment="All LAN traffic" dst-address=\
    !10.0.0.0/8 new-routing-mark=GUIFI passthrough=no src-address=10.2.0.0/26

If any specific host, service or whatever want to use specific routing table, then you can create new rules with proper mark to redirect the traffic to that Internet connection. But if that path fails other Internet connection will be used.

In my case I have a more complicated scenario, internal VoIP server uses a IP Telephony service only available through GUIFI connection. The way to force that is forbidding traffic to SS connection. A simple firewall rule will help to do that:

# X.X.X.X = IP address of the IP telephony provider
/ip firewall filter
add action=reject chain=forward dst-address=X.X.X.X in-interface=\
    bridge-lan out-interface=SS-eth2

I hope previous simple notes are useful for you, they are inspired by Advanced Routing Failover without Scripting.

Aug 01

Extracting private and public keys from a p12 file

Reading time: 1 – 2 minutes

PKCS#12 is a container for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust. This is a fast and simple summary about how to extract your keys from those kind of files:

#Private key:
openssl pkcs12 -in file_name.p12 -nocerts -out private.key
#Certificates:
openssl pkcs12 -in file_name.p12 -clcerts -nokeys -out public.crt

Recurrently I have to access to a usuful guide about those kind of openssl parameters, let me refer that guide:

The Most Common OpenSSL Commands (local copy)

Update 2016/09/19
Usefull links for SSL:

Jun 06

Remove old kernels when there is no space in /boot

Reading time: 1 – 2 minutes

The first step is get some space in the partition “/boot” because without that it’s impossible to do anything.

So go to /boot and remove some “initrd” files as they are the biggest ones. A few of them will be enough.

After that a good point is to ensure there is no partial installation pending to finish:

apt-get -f install

Now it’s a good idea to purge all kernels except the running one:

dpkg -l 'linux-*' | sed '/^ii/!d;/'"$(uname -r | sed "s/\(.*\)-\([^0-9]\+\)/\1/")"'/d;s/^[^ ]* [^ ]* \([^ ]*\).*/\1/;/[0-9]/!d' | xargs sudo apt-get -y purge

To avoid that in future before filling the partition, it’s a good idea to install and run periodically: purge-old-kernels. Installation and example of use are:

# installation
apt-get install bikeshed
# keep three old kernels:
purge-old-kernels --keep 3
# if you want to put that in the crontab use that command
purge-old-kernels --keep 3 -qy

If you’re a Grub user don’t forget to run:

update-grub2

Personally I have a nightmare with that problem and Ubuntu, especially with version 12.04 which is installed in a lot of servers that I manage. I repeated the previous process a lot of times and in the end, I decided to document it because I always have to go to Google and find the proper steps to solve that problem.

Apr 12

Sniffing traffic in a Linux box and streaming in real-time to Wireshark on Windows

Reading time: 1 – 2 minutes

Sniffing and inspect complex protocols on “tcpdump” is usually painful. Of course, “tcpflow” is a very useful tool but is not always enough to sniff in a console. Wireshark is always a better option when it’s time to debug and troubleshooting communication problems.

But it’s not always easy to plug a Network TAP where you want to sniff. If at that point we have a Linux box with “ssh” and “tcpdump”. An interesting option is stream sniffed traffic to another box with Wireshark and dissect packet octets in their layers, fields, etc.

When Wireshark box is based on Windows you need “plink.exe“, and you can do thinks like that:

plink.exe -ssh -pw LINUX_BOX_PASSWORD root@LINUX_BOX_IP "tcpdump -n -i INTERFACE_TO_SNIFF -s 0 -w - not port 22" | "%PATH_TO_WIRESHARK\Wireshark.exe" -k -i -

Next you have a screenshot with a real life example of that:

tcpdump_streams_to_wireshark_secure