Nov 16

Get the IP addresses of local Docker containers

Reading time: < 1 minute

We have docker running and the containers have their own private network, thanks to this command we’re going to get the private IP address of all of them:

$ sudo docker inspect $(docker ps -q ) \
--format='{{ printf "%-50s" .Name}} {{range .NetworkSettings.Networks}}{{.IPAddress}} {{end}}'
/zerotier
/ntp                                               10.3.10.8
/nodered                                           10.3.10.11
/n8n                                               10.3.10.4
/ssh                                               10.3.10.9
/code                                              10.3.10.7
/semaphore                                         10.3.10.6
/rproxy                                            10.3.10.2
/homer                                             10.3.2.10.10
/pihole                                            10.3.10.27
/pihole_googledns                                  10.3.10.24
/pihole_opendns                                    10.3.10.23

Oct 25

OpenSSH public key fingerprint

Reading time: < 1 minute

Quick and easy, how to get the fingerprint of your SSH RSA key.

# syntax:
openssl pkey -in PATH/PRIVATE_RSA_KEY -pubout -outform DER | openssl md5 -c

# example:
$ openssl pkey -in ~/.ssh/id_rsa -pubout -outform DER | openssl md5 -c
MD5(stdin)= a6:26:23:d9:c1:d3:d5:e5:c0:38:ab:3c:c1:6a:3f:ea

Oct 17

Mikrotik passwordless SSH with public key

Reading time: 2 – 4 minutes

Following the instructions described in the official documentation:

https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(public/private_key_login)

The process is as always as easy as:

# upload the id_rsa.pub file
# then import the public key file for the user used for connecting via SSH
user ssh-keys import public-key-file=id_rsa.pub user=admin-ssh
# and it's done.

Everything was OK with my WSL Ubuntu 20.04. (I added WSL at the beginning of the versions because it runs in Windows Subsystem Linux).

But, with the newest WSL Ubuntu 22.04 I was unsuccessful.

Being precise, the SSH versions are:

# WSL Ubuntu 20.04
$ ssh -V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f  31 Mar 2020

# WSL Ubuntu 22.04
$ ssh -V
OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022

After connecting with verbose details, I found this message, that was the key for solving the problem:

debug1: Offering public key: /home/my_user/.ssh/id_rsa RSA SHA256:2******************************Y agent
debug1: send_pubkey_test: no mutual signature algorithm

Then, I discovered that newest SSH versions aren’t compatible with Mikrotik SSH version. It seems that version isn’t enough newest and are incompatible with how public keys are negotiated at the beginning of the connection.

Finally, the solution was to use an extra parameter for establishing the connection:

ssh -o 'PubkeyAcceptedAlgorithms +ssh-rsa' THE_USER@THE_HOST

Of course, an alternative is using ~/.ssh/config file or the system file: /etc/ssh/ssh_config and add this parameter for everything, or specific hosts. For instance, like this:

Host JUST_A_NAME_OF_THE_CONNECTION
  Hostname THE_IP_ADDRESS_OR_HOSTNAME_OF_THE_TARGET_HOST
  user THE_USER
  PubkeyAcceptedAlgorithms +ssh-rsa

Aug 25

socat: publish a port only available in localhost

Reading time: 1 – 2 minutes

Assume that we have a service only available in localhost (127.0.0.1/8) and we want to expose this port temporarily. Of course, you can use iptables for redirecting the port. But take care, this is not a simple DNAT because packets will not be evaluated by PREROUTING (-t nat) rules.

Another option is using an old-powerful Swiss knife tool: socat (github).

# binds public port to any local interface
socat TCP-LISTEN:<public_port>,fork TCP:127.0.0.1:<internal_port>
# binds only to an IP address
SOCAT_SOCKADDR=<interface_IP> socat TCP-LISTEN:<public_port>,fork TCP:127.0.0.1:<internal_port>

# examples:

# binds to all interfaces:
socat TCP-LISTEN:1880,fork TCP:127.0.0.1:1880
# just for an IP address of one interface:
SOCAT_SOCKADDR=10.2.0.110 socat TCP-LISTEN:1880,fork TCP:127.0.0.1:1880

Aug 24

WSL2: upgrade from Ubuntu 18.04 to 20.04

Reading time: 2 – 4 minutes

I was afraid for missing my files, configurations and much other staff that I had in Linux filesystem of WSL2 (Windows 10). But I had to upgrade because of compatibility with an application that I need. So, finally, I decided to upgrade the Ubuntu 18.04 that I installed in WSL2 to a newer version 20.04. Yes, I know that there is 22.04 available nowadays, but I wasn’t comfortable jumping to many versions.

I followed simple steps that I found at:

How To Upgrade Existing WSL/WSL2 Ubuntu 18.04 to 20.04

The steps in a nutshell were:

sudo apt update
sudo apt upgrade -y
sudo apt --purge autoremove
sudo apt install update-manager-core
sudo do-release-upgrade

When I answered all the questions and after stopping the WSL2 VM with:

# command that I ran from 'cmd.exe' (Windows console)
wsl --shutdown 

I had and issue rebooting, WSL2 didn’t boot and it gave this message:

wsl/usr/sbin/enter-systemd-namespace: line 10: /usr/sbin/daemonize: No such file or directory

I resolved the problem, shutting down the WSL and running the command:

wsl -u root -e bash --noprofile --norc

It gave me a root console where I could modify the file:

/usr/sbin/enter-systemd-namespace

specifically, in line 10, I changed:

/usr/sbin/daemonize
to
/usr/bin/daemonize

And when I accessed to WSL2 everything worked perfectly. I used to access WSL2 from Windows Terminal which uses the command:

C:\WINDOWS\system32\wsl.exe -d Ubuntu-18.04

But it has small issues with bybou, finally I changed this command to:

C:\WINDOWS\system32\bash.exe ~ -login

I love to use a console with byobu enabled when access the shell, but with my former command, the command ‘byobu-enable’ was ignored. I didn’t find why, in the end the solution was to change the command that I use for accessing Linux console (WSL2).

Likewise, I hope these notes can help someone.

Jul 12

Windows 10: Internal Virtual Switch with NAT

Reading time: 2 – 4 minutes

When you are playing with Windows Hyper-V and you want to create a completely virtual internal network with private virtual machines inside your Windows 10 machine virtual switch are mandatory.

Then it’s the time to connect that virtual switch with the host machine using a virtual network interface. All those steps can be done using Hyper-V manager user interface, but you cannot control 100% of parameters like enable, or not, the NAT of the virtual internal network.

Using PowerShell the steps are:

New-VMSwitch -SwitchName NATSwitch -SwitchType Internal
New-NetIPAddress -IPAddress 10.46.1.1 -PrefixLength 24 -InterfaceAlias "vEthernet (NATSwitch)"
New-NetNAT -Name NATNetwork -InternalIPInterfaceAddressPrefix 10.46.1.0/24

Of course, change “NATSwitch” for your switch name and “10.46.1.1” for the IP address of the host virtual network card. Finally “NATNetwork” is another arbitrary name for referring to the NAT rule, and “10.46.1.0/24” is the network address of the virtual internal host network.

Running the commands looks like:

For removing what you did:

Remove-VMSwitch -Name "NATSwitch"
Remove-NetIPAddress -InterfaceAlias "vEthernet (NATSwitch)"
Remove-NetNAT -Name NATNetwork

In Windows 10 IP forwarding is not enabled and packets between interfaces are not routed. According to the Microsoft forums, you can enable IP forwarding (routing) using the following steps:

Go to Start and search on cmd or command. Right click on either cmd or command then select Run as administrator. At the command prompt type regedit. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\Tcpip\Parameters\IPEnableRouter setting, right click and select Modify. Change 0 to 1 and exit the editor.

When your back at the command prompt type services.msc and navigate to the Routing and Remote Access service. Right click and select Properties. Change to Automatic and click on Start to start the service.

I had to research a long time until I found all this information, but in my case leverage my proofs of concepts to another level.

Jul 07

rp_filter Linux kernel feature

Reading time: 1 – 2 minutes

It’s just an IP spoofing protection which is by default enabled on Linux kernels. When it’s value is ‘1’ means that all IP address which are not directly routable and received form a network interface they are directly discarded.

So, if you want to scan a range of IP address in your LAN which not belong to that interface address space when packets from IP addresses are received they are going to be discarded by the kernel. So, take that into account when you have those “unusual” requirements.

It can be enable/disabled by all interfaces or just one:

root@mini9:/proc/sys/net/ipv4# cat ./conf/all/rp_filter
1
root@mini9:/proc/sys/net/ipv4# cat ./conf/ztly5q4n37/rp_filter
1

Jul 05

Zerotier peers monitored on Windows PowerShell

Reading time: < 1 minute

No words just a simple an powerful .ps1 script:

while (1) { Start-Process -NoNewWindow -FilePath 'C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe' -ArgumentList "-q","peers"; sleep 5; cls }

Or just a command, even equally useful.

May 27

DRY DHCP Client: request and IP address to the DHCP server without a DHCP Client

Reading time: < 1 minute

When you want to discover LAN metadata without being part of that network. So, when you want to discover network address range, gateway, DNS IPs, DHCP server IPs, etc. this simple nmap parameter will help you so much.

# nmap --script broadcast-dhcp-discover

Starting Nmap 7.60 ( https://nmap.org ) at 2021-05-19 15:07 CEST
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.1.127
|     DHCP Message Type: DHCPOFFER
|     Subnet Mask: 255.255.255.0
|     Renewal Time Value: 4d00h00m00s
|     Rebinding Time Value: 7d00h00m00s
|     IP Address Lease Time: 8d00h00m00s
|     Server Identifier: 192.168.1.1
|     Router: 192.168.1.1
|_    Domain Name Server: 8.8.8.8, 8.8.4.4
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.43 seconds