Posts from 2014-07

Apache, mod_proxy, tomcat, two ip's on Debian
posted on 2014-07-31 13:45:12

This guide explains the steps necessary to get one Apache serving several IPs and sites at once, all on port 80, while also handing requests through to Tomcat.

networking

First, set up a second ip for proper networking:

/etc/network/interfaces:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

#allow-hotplug eth0
auto eth0 
iface eth0 inet static
        address 10.0.0.21
        netmask 255.255.255.0
        network 10.0.0.0
        broadcast 10.0.0.255
        gateway 10.0.0.1

auto eth0:1
iface eth0:1 inet static
        address 10.0.0.22
        netmask 255.255.255.0

For security reasons, the actual subnet used was replaced with 10.0.0.x here. Use your own. :)

IP 1 is 10.0.0.21, IP 2 is 10.0.0.22 here.

Do not forget to bring the interface up again afterwards:

$ ifdown eth0
$ ifup eth0

Also do not use service networking restart, it is a deprecated command.
Do not use ip l set eth0 down and ip l set eth0 up for this either. That will bring the link back up, but you won't have any IP addresses assigned. The iproute2 tool suite is really mighty, but using it for this needs some more in-depth knowledge.

Then

$ ip a

should show you something like this:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:25:90:ea:45:ac brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.21/24 brd 10.0.0.255 scope global eth0
    inet 10.0.0.22/24 brd 10.0.0.255 scope global secondary eth0:1

Then eth0 has state UP (not DOWN) and you see both IPs properly assigned. If you do not use a syntax like eth0:1 for the second IP in /etc/network/interfaces, the deprecated ifconfig command will only ever show you one IP!

tomcat

Tomcat's settings are best left untouched, so it keeps listening on localhost, port 8080.

/etc/tomcat7/server.xml:

...

   <Connector port="8080" protocol="HTTP/1.1"
              connectionTimeout="20000"
              URIEncoding="UTF-8"
              redirectPort="8443" 
              address="localhost"/>

...

If apache's mod_proxy were not used, address could be set to the second IP (10.0.0.22) here, and port to 80. However, you'd need a privileged linux system account for tomcat if you want to use a port below 1024. If you do not want this, you have to use either mod_proxy, mod_proxy_ajp or mod_jk. The latter is the fastest and has the most settings, but is also more complex. mod_proxy_ajp sits in between, speed-wise. mod_proxy, however, works with any backend, not just tomcat or other servlet containers.

apache

ports.conf

/etc/apache2/ports.conf

Listen 80
Listen 443
NameVirtualHost 10.0.0.21:80
NameVirtualHost 10.0.0.21:443

Note that you may need to drop the 443 lines if you do not use https. The NameVirtualHost directive tells apache to enable name-based virtual host support. This is needed since our apache serves several domains. If the directive were omitted, apache would only ever serve the first domain it finds in its loading process. (Which can be shown via apache2ctl -S.)

Since only one site is served through Tomcat, no name-based virtual hosting is needed for it, so it gets no NameVirtualHost entry.

virtualhost configs

From here on it is assumed that you already have two existing vhost files for your domains, which are properly structured, enabled and working. The sites are named firstsite.de, secondsite.de and tomcatsite.org and already reside in /etc/apache2/sites-available.

First IP: 10.0.0.21

/etc/apache2/sites-available/000-firstsite.de

<VirtualHost 10.0.0.21:80>
    ServerName firstsite.de
    ServerAlias www.firstsite.de
    ...

/etc/apache2/sites-available/001-secondsite.de

<VirtualHost 10.0.0.21:80>
    ServerName secondsite.de
    ServerAlias www.secondsite.de
    ...

Second IP: 10.0.0.22

/etc/apache2/sites-available/002-proxy-for-tomcat

<VirtualHost 10.0.0.22:80>
    ServerName tomcatsite.org
    ServerAlias www.tomcatsite.org
    ...

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    ...

The 000-, 001- and 002- prefixes only fix the order in which the sites are loaded.

mod_proxy

Enable the apache proxy module.

$ a2enmod proxy
$ a2enmod proxy_http

finish

Enable the vhost configs and restart the web server.

$ a2ensite 000-firstsite.de
$ a2ensite 001-secondsite.de
$ a2ensite 002-proxy-for-tomcat
$ service apache2 restart
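
As an added example, not code from the original post, here is a small Python lint for the layout described above: it parses a Tomcat server.xml and the proxy vhost file and checks that Tomcat's HTTP connector is bound to localhost and that ProxyPass forwards to that local listener only, so Tomcat is never reachable except through Apache. The server.xml and vhost contents are constructed inline from the snippets in this post; the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs for the example, following the snippets in the post.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443"
               address="localhost"/>
  </Service>
</Server>
"""

VHOST_CONF = """<VirtualHost 10.0.0.22:80>
    ServerName tomcatsite.org
    ServerAlias www.tomcatsite.org

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
"""

# Addresses that only the local machine itself can reach.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def tomcat_http_connectors(server_xml):
    """Return (address, port) for every HTTP Connector in a server.xml.

    A Connector without an address attribute binds to all interfaces,
    which is reported here as 0.0.0.0."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").startswith("HTTP"):
            found.append((conn.get("address", "0.0.0.0"), int(conn.get("port"))))
    return found


def proxy_backends(vhost_conf):
    """Return (vhost address, backend host, backend port) per ProxyPass line."""
    vhost = re.search(r"<VirtualHost\s+([^>]+)>", vhost_conf).group(1).strip()
    out = []
    # The \s+ right after ProxyPass keeps ProxyPassReverse lines from matching.
    for m in re.finditer(r"^\s*ProxyPass\s+\S+\s+(\S+)", vhost_conf, re.M):
        url = re.match(r"(https?)://([^/:]+)(?::(\d+))?", m.group(1))
        if not url:
            continue  # e.g. "!" exclusions or non-HTTP backends; not handled here
        port = int(url.group(3)) if url.group(3) else (443 if url.group(1) == "https" else 80)
        out.append((vhost, url.group(2), port))
    return out


def lint(server_xml, vhost_conf):
    """Return findings as strings; an empty list means the setup is as intended."""
    findings = []
    connectors = tomcat_http_connectors(server_xml)
    for addr, port in connectors:
        if addr not in LOCAL_HOSTS:
            findings.append("tomcat connector %s:%d is not bound to localhost" % (addr, port))
    listening = {port for _, port in connectors}
    for vhost, host, port in proxy_backends(vhost_conf):
        if host not in LOCAL_HOSTS:
            findings.append("%s proxies to non-local backend %s:%d" % (vhost, host, port))
        elif port not in listening:
            findings.append("%s proxies to %s:%d but no tomcat connector listens there"
                            % (vhost, host, port))
    return findings


if __name__ == "__main__":
    print(lint(SERVER_XML, VHOST_CONF) or ["ok: tomcat only reachable through apache"])
    # The variant the post advises against once mod_proxy is in front:
    exposed = SERVER_XML.replace('address="localhost"', 'address="10.0.0.22"')
    print(lint(exposed, VHOST_CONF))
```

To run it on a real box, read /etc/tomcat7/server.xml and the vhost file into the two strings. A finding such as "tomcat connector 0.0.0.0:8080 is not bound to localhost" means the second IP (and anything that can route to it) can talk to Tomcat directly, bypassing whatever Apache does in front.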

ssh tricks links
posted on 2014-07-31 11:30:59

Really nice articles and comments:

  1. https://news.ycombinator.com/item?id=1624010
  2. http://www.symkat.com/ssh-tips-and-tricks-you-need
  3. https://news.ycombinator.com/item?id=1536126
  4. https://pthree.org/2011/07/22/openssh-best-practice/

git remote tag handling
posted on 2014-07-30 17:59:50

Using git tag is easy and good clean fun.

Except when you realize tags have to be handled extra when working with them remotely.

After having created tags locally, to push them to the server:

## all tags
$ git push --tags 

## just the <mytag> tag
$ git push origin <mytag>

To delete tags:

## only locally, git fetch/pull will get them again!
## a single tag
$ git tag -d <tagname>

## all local tags
## getting all tags again is just a simple push.
## useful if you've tagged a lot and want a clean slate again
$ git tag -l | cut -d' ' -f1 | xargs git tag -d

## remotely
$ git push --delete origin <tagname>

## delete ALL remote tags, BEWARE!
$ git fetch && git tag -l | cut -d' ' -f1 | xargs -n 1 git push --delete origin

This behaviour of tags isn't overly useful when thinking in terms of subversion. But this way devs can create all the tags they want without polluting the main repo.

git ping / git ls-remote
posted on 2014-07-30 17:58:24

To check whether a remote git repository exists, use:

git ls-remote <user>@<server>:<repository>

Proxmox - No snapshots?
posted on 2014-07-30 11:38:20

Proxmox can create snapshots.

At least in theory.

Because:

  • only .qcow2 works as the file format for creating them
  • .raw will not work
  • .vmdk will not work
  • images converted to .qcow2 will not work either

...

Autonegotiation and Parallel Detection
posted on 2014-07-28 14:57:51

Autonegotiation is the process of determining the duplex mode and speed of a connection between two network devices.

Possible values are:

Speed: 10Mbps, 100Mbps, 1000Mbps/1Gbps, 10Gbps
Duplex: Half-Duplex, Full-Duplex

Half duplex mode means, data can only flow in one direction at a given time.
Full duplex mode tells, data can be sent and received at the same time.

The process usually goes like this:

  • If the NIC is not explicitly set to a speed and transfer mode (e.g. 100Mbps Full-Duplex), autonegotiation is tried.
  • If the other network device is set to autonegotiation too, autonegotiation is tried and will succeed.
  • If the other side is not running in autonegotiation mode, autonegotiation will fail.
  • Then parallel detection is tried. The problem here is that it only determines the link speed, not the duplex mode.
  • So if both sides are not running the same detection mode, the speed will be determined and the duplex mode will be set to the default one for that connection speed.

For 10Mbps and 100Mbps, that default is half-duplex.

Most 10Base-T Ethernet devices only support half-duplex mode, so be careful when using 'full'. Most 100Base-T hardware supports full-duplex, but the default is also only half-duplex.

In other words, when troubleshooting 'slow' networks, double check that the settings on both sides are the same for speed and duplex mode. Even when autonegotiation seems to work, it may actually be parallel detection kicking in and setting a slower speed/connection than would be possible.

SSH multiplexing
posted on 2014-07-27 11:59:57

SSH creates a new connection for each new session you try to establish. Every time, the SSH handshake has to be repeated.

Wait, what?

Ok again: If you want to connect to another server with four terminals simultaneously, you will establish four SSH connections. Why not reuse the connection for all sessions, so the handshake becomes obsolete?

SSH provides this:
A control master connection is created, which will in turn be used by the other session initiations. (The latter are not control masters, of course.)

Easy, add this to your ~/.ssh/config:

Host *
    ControlMaster auto
    ControlPath ~/.ssh/conn-%u-%r@%h:%p
    ControlPersist 600

And it will be enabled for all the connections you make (Host *). Also there is no need to specify the session/connection type by hand (auto).

The path to the control socket can be freely specified via the ControlPath directive, too.

%u = local user
%r = remote user
%h = remote host
%p = port

600 means 600 seconds, the timespan for which the master connection stays open without any session using it.

To spot the difference:

[sjas@beckett ~/.ssh]% time ssh sjas@sjas.de date
Sun Jul 27 01:02:01 CEST 2014
ssh sjas@sjas.de date  0.16s user 0.03s system 14% cpu 1.282 total
[sjas@beckett ~/.ssh]% time ssh sjas@sjas.de date
Sun Jul 27 01:02:05 CEST 2014
ssh sjas@sjas.de date  0.02s user 0.01s system 14% cpu 0.204 total
[sjas@beckett ~/.ssh]% time ssh sjas@sjas.de date
Sun Jul 27 01:02:06 CEST 2014
ssh sjas@sjas.de date  0.01s user 0.02s system 14% cpu 0.217 total
[sjas@beckett ~/.ssh]%

See how the time to run the complete command (date on the remote machine via ssh, measured by time) decreases?

From 0.16s to 0.01s/0.02s, and it will stay like that (as long as the socket is kept open). It just feels so much nicer.
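
As an added example, not part of the original post, the following Python expands the ControlPath tokens listed above for a given connection and checks the directory the socket would live in. ssh_config(5) recommends that a shared ControlPath contain at least %h, %p and %r (or %C) and sit in a directory not writable by other users, because whoever can reach the socket can reuse the already authenticated master connection. The template is the one from the post; the user name and host are taken from the timing transcript above; the temporary directories are constructed for the demo and the function names are my own.

```python
import os
import shutil
import stat
import tempfile

# Token meanings as listed in the post; %% yields a literal percent sign.
TOKENS = {"u": "local user", "r": "remote user", "h": "remote host", "p": "port"}


def expand_control_path(template, local_user, remote_user, host, port):
    """Expand the %u %r %h %p tokens of a ControlPath the way ssh does.

    A real ssh also expands ~ and a few more tokens; this covers the ones
    the post uses and rejects anything else instead of guessing."""
    values = {"u": local_user, "r": remote_user, "h": host, "p": str(port), "%": "%"}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%":
            if i + 1 >= len(template) or template[i + 1] not in values:
                raise ValueError("unsupported token at offset %d in %r" % (i, template))
            out.append(values[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def missing_tokens(template):
    """Tokens ssh_config(5) recommends in a shared ControlPath but missing here.

    %C (a hash of local host, remote host, port and user) covers all of them."""
    if "%C" in template:
        return []
    return [t for t in ("%r", "%h", "%p") if t not in template]


def socket_dir_is_private(socket_path):
    """True if the directory the socket lives in is not group/world writable.

    Anyone who can access the socket can reuse the authenticated master
    connection, so the directory must belong to the user alone."""
    try:
        mode = os.stat(os.path.dirname(socket_path)).st_mode
    except FileNotFoundError:
        return False
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo_socket_dirs():
    """Constructed check: a 0700 directory passes, a 0777 one does not."""
    base = tempfile.mkdtemp()
    try:
        private, shared = os.path.join(base, "priv"), os.path.join(base, "shared")
        os.mkdir(private)
        os.chmod(private, 0o700)
        os.mkdir(shared)
        os.chmod(shared, 0o777)
        return (socket_dir_is_private(os.path.join(private, "sock")),
                socket_dir_is_private(os.path.join(shared, "sock")))
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    template = "~/.ssh/conn-%u-%r@%h:%p"
    print(expand_control_path(template, "sjas", "sjas", "sjas.de", 22))
    print("missing recommended tokens:", missing_tokens("~/.ssh/master-%h"))
    print("(private dir ok, shared dir ok):", demo_socket_dirs())
```

A ControlPath like ~/.ssh/master-%h would make all remote users on the same host share one socket; the missing_tokens() check flags exactly that.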

FTP vs. FTPS vs. SFTP vs. FTPs, and FXP
posted on 2014-07-26 18:59:26

For file transfers, there exist three protocols that are usually used. All of these have in common that an FTP daemon (ProFTPd, vsftpd, ServU, ...), or in the case of SFTP an SSH daemon (e.g. OpenSSH), has to run on the server. (For FTPs you'd even need both of them.) The user can then connect to that daemon/service with an FTP client (e.g. Filezilla) running on his machine.

First some comments on authentication, because this topic often causes confusion. Although this is mostly due to users misunderstanding SSH, having no idea what their firewall is doing, and wildly trying all the options they can find in their client. ;)

Authentication methods

There exist several 'logon modes' that can be used:

For FTP/FTPs:
- anonymous FTP: The server provides an anonymous account, with which the connection can be established. No authentication is done.
- password: user credentials in terms of a username and password have to be supplied

For SFTP:
- password: here also user credentials in terms of username:password have to be supplied
- public-key: having exchanged public key halves out-of-band before, these can be used for encryption later

Technically, SFTP can be set up to provide an anonymous account, too. How useful this idea is, having no user access control but securing the data transmission channel, is left as a thought exercise to the reader. But if id Software can use FTPS for its anonymous account, why should you not use SFTP for your own server? :)

For anonymous SFTP make sure to use rssh (a restricted secure shell), to prevent shell access while still providing sftp access to the user. Then just creating a user named 'anonymous' without a password will do the trick. rssh is usually available through the package manager of your linux distribution.

In Filezilla (the most-used FTP client AFAIK), these options are available:

anonymous:          no user credentials are submitted, to be used for anonymous logins
normal:             user:pw credential combination
ask for password:   just the user is provided, the pw will be asked for once
interactive:        just the user is provided, the pw will be asked for every time
account:            if the server uses the ACCounT command, it can be passed here

FTP

Standard protocol, but no encryption is used. All data is sent unencrypted over the network. This includes user credentials as well as the data being sent.

First a visual representation I stole from RFC 959:

                                        -------------
                                        |/---------\|
                                        ||   User  ||    --------
                                        ||Interface|<--->| User |
                                        |\----^----/|    --------
              ----------                |     |     |
              |/------\|  FTP Commands  |/----V----\|
              ||Server|<---------------->|   User  ||
              ||  PI  ||   FTP Replies  ||    PI   ||
              |\--^---/|                |\----^----/|
              |   |    |                |     |     |
  --------    |/--V---\|      Data      |/----V----\|    --------
  | File |<--->|Server|<---------------->|  User   |<--->| File |
  |System|    || DTP  ||   Connection   ||   DTP   ||    |System|
  --------    |\------/|                |\---------/|    --------
              ----------                -------------

              Server-FTP                   USER-FTP

Channels

Two kinds of connections are opened. One is the command, one the data channel. The data channel is solely used for payload transfers, and is opened when needed and closed when transfers are completed. Whereas the command channel stays open all the time, and handles things like authentication, starting transfers, closing the connection. FTP uses the TELNET protocol for exchanging control messages.

Ports

The command channel is an established TCP connection between a random port on the client (port N, where N is an available port number) and, by default, port 21 on the server. "Random" usually means a port above 1023.

The data channel is established from port 20 on the server to port N+1 on the client side, as soon as one is needed for data exchange. Once the transfer is done, the channel is closed. It will be reopened in case it is needed again.

ACTIVE vs. PASSIVE mode

This is just a matter of direction. Since usually ingress connections are filtered by the firewall but egress traffic is not, passive mode can be used to work your way around restrictive firewalls on the client's side.

In short: (standard ports are used in this example.)

  • ACTIVE: client to server control connection to port 21, server to client data connection from port 20 to the port the client told the server to connect to. Connections change direction.
  • PASSIVE: client to server control connection to port 21, client to server data connection to a port from the passive port range the server told the client. Connections always go from client to server.

The connections are built up in a different order; control channels (---) and data channels (===) are shown below:
(Ports above 1024 are arbitrary ones, depending on settings and current OS state.)

ACTIVE
======
client (1027) connects to server (21), establishing control channel
- client sends PORT command with its ip and opened port 1028 through control channel
- other commands may follow
SERVER (20) connects to CLIENT (1028), establishing data channel.


        CLIENT                                SERVER

port  1028  1027                            21     20
        |     |                              |      |
        |     |------ 1: PORT 1028     ----->|      |
        |     |                              |      |
        |     |<----- 2: ACK           ------|      |
        |     |                              |      |
        |     |                              |      |
        |     |                              |      |
        |<=========== 3: data transfer =============|
        |     |                              |      |
        |     |                              |      |
        |============ 4: ACK           ============>|
        |     |                              |      |
        |     |                              |      |


PASSIVE
=======
client (1027) connects to server (21), establishing control channel
- client sends PASV command through control channel
- server answers through the control channel which port it has available for the data channel
- other commands may follow
CLIENT (1028) connects to SERVER (2033), establishing data channel.


        CLIENT                                SERVER

port  1028  1027                            21     20     2033
        |     |                              |      |      |
        |     |------ 1: PASV          ----->|      |      |
        |     |                              |      |      |
        |     |<----- 2: PORT 2033     ------|      |      |
        |     |                              |      |      |
        |     |                              |      |      |
        |     |                              |      |      |
        |============ 3: data transfer ===================>|
        |     |                              |      |      |
        |     |                              |      |      |
        |<=========== 4: ACK           ====================|
        |     |                              |      |      |
        |     |                              |      |      |

Numbers in parentheses denote ports, of course.

So while in passive mode the server admin has to open the high ports in his firewall, in active mode the client admin has to do so in his. Pretty simple stuff, one might guess. The real world tells: 'not so much'.

Further problems can arise when FTPS/FTPES is used. These are also firewall-related, see the end of the FTPS section.
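
As an added example, not part of the original post, here are the two control-channel messages that decide the direction of the data connection in the diagrams above, in the form they actually take on the wire. RFC 959 encodes an address and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2, both in the client's PORT command and in the server's "227 Entering Passive Mode (...)" reply; the diagrams above write "PORT 1028" as shorthand for that. Ports 1028, 21, 20 and 2033 are the post's; the IP addresses, the firewall helper and the function names are my own constructions.

```python
import re


def encode_hostport(ip, port):
    """'10.0.0.5', 1028 -> '10,0,0,5,4,4': the h1,h2,h3,h4,p1,p2 form used
    by the PORT command and the 227 reply, with port = p1*256 + p2."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return "%s,%d,%d" % (",".join(octets), port // 256, port % 256)


def decode_hostport(text):
    """Find an h1,h2,h3,h4,p1,p2 tuple in a PORT command or 227 reply -> (ip, port)."""
    m = re.search(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError("value above 255 in %r" % text)
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def port_command(client_ip, client_port):
    """What the client sends on the control channel in active mode."""
    return "PORT " + encode_hostport(client_ip, client_port)


def pasv_reply(server_ip, server_port):
    """What the server answers to PASV on the control channel in passive mode."""
    return "227 Entering Passive Mode (%s)." % encode_hostport(server_ip, server_port)


def data_connection(mode, client_ip, server_ip, client_port=1028, server_pasv_port=2033):
    """Model the two exchanges from the diagrams above.

    Returns the control-channel message that carries the address, plus
    ((from_ip, from_port), (to_ip, to_port)) for the data connection that
    follows, i.e. who has to accept an inbound connection on which port."""
    if mode == "active":
        msg = port_command(client_ip, client_port)
        ip, port = decode_hostport(msg)              # the server parses this
        return msg, ((server_ip, 20), (ip, port))    # server connects to the client
    if mode == "passive":
        msg = pasv_reply(server_ip, server_pasv_port)
        ip, port = decode_hostport(msg)              # the client parses this
        return msg, ((client_ip, None), (ip, port))  # client connects, ephemeral source port
    raise ValueError("mode must be 'active' or 'passive'")


def inbound_side(mode, client_ip, server_ip):
    """Which side's firewall must accept the data connection: its target."""
    _, (_, (to_ip, _)) = data_connection(mode, client_ip, server_ip)
    return "client" if to_ip == client_ip else "server"


if __name__ == "__main__":
    for mode in ("active", "passive"):
        msg, (src, dst) = data_connection(mode, "10.0.0.5", "192.168.1.2")
        print("%-7s %-45s data: %s -> %s (inbound on %s side)"
              % (mode, msg, src, dst, inbound_side(mode, "10.0.0.5", "192.168.1.2")))
```

The 'intelligent' firewalls mentioned in the FTPS section further down read exactly these PORT and 227 lines off the control channel to learn which data port to open; once the control channel is encrypted there is nothing for them to parse, which is why the data connection then stalls.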

Commands, specification vs. actual implementation

Available commands are, according to RFC 959:
Note that not all of these are implemented in all FTP clients/servers. Still, all of them are listed, to get a better grasp on FTP and what happens beside what you see during its usage.

USER <username>             pass username to server
PASS <password>             pass password to server
ACCT <account-information>  pass account information to the server
CWD  <pathname>             change working directory
CDUP                        change working directory to parent
SMNT <pathname>             Structure MouNT, allow mounting of a different file system
QUIT                        quit connection
REIN                        REINitialize connection to state immediately after opening control channel, prior to USER
PORT <host-port>            data port on host, can be several, comma-delimited
PASV                        enable passive mode
TYPE <type-code>            ascii or ebcdic plaintext, image (bytestream), local proprietary format for data during network transfer
STRU <structure-code>       set file, record, page for file structure
MODE <mode-code>            choose transfer mode (stream, block, compressed)
RETR <pathname>             download data
STOR <pathname>             STORe / upload data
STOU                        STORe Unique, save data under unique filename in CWD
APPE <pathname>             upload and APPEnd data
ALLO <decimal-integer> [<SP> R <SP> <decimal-integer>]
                            sometimes needed to ALLOcate space on server prior to upload
REST <marker>               restart, only works for block and compressed modes
RNFR <pathname>             old name to be renamed
RNTO <pathname>             new name, old name to be renamed to
ABOR                        abort currently running operation and associated data channels
DELE <pathname>             delete file on server
RMD  <pathname>             delete directory
MKD  <pathname>             create directory
PWD                         show current directory
LIST [<pathname>]           transfer filename list or file information from server
NLST [<pathname>]           Name LiST, transfer filename list
SITE <string>               send specific commands to remote server
SYST                        return system type of server
STAT [<pathname>]           show ftp status
HELP [<string>]             show help

Often you will also find custom ones that are not listed here. That all depends on the actual implementation of the client you use:

After all, RFCs are just specifications. They describe how software/systems should look.

Specifications are not documentation, which describes how systems are actually shaped in reality. (In case the documentation is up to date...)

So you very likely will encounter these:

BYE                         same as QUIT
LS                          same as LIST
DIR                         same as LIST

Another command actually is the !. It runs local commands, see:

[sjas@beckett ~]% ftp
ftp> help !
!           escape to the shell
ftp>

There are also other commands specified (there exists more than one RFC for FTP stuff) that take on encryption or other functionality. In case you really are curious, see:

RFC 697 - CWD Command of FTP
RFC 959 - File Transfer Protocol (FTP)
RFC 1639 - FTP Operation Over Big Address Records (FOOBAR)
RFC 2026 - UTF-8 Option for FTP (Draft 2002) [1] - draft-ietf-ftpext-utf-8-option-00.txt
RFC 2228 - FTP Security Extensions
RFC 2389 - Feature negotiation mechanism for the File Transfer Protocol
RFC 2428 - FTP Extensions for IPv6 and NATs
RFC 2640 - Internationalization of the File Transfer Protocol
RFC 3659 - Extensions to FTP
RFC 5797 - FTP Command and Extension Registry

A list on all its return codes (200, ...) can be found here.

FTPS / FTPES (FTP over SSL, implicit or explicit)

Here the transfers are encrypted using certificates within a public key infrastructure (PKI), see X.509 certificates.

Implicit and explicit modes are possible:

Implicit: forces TLS, or quits the connection.
Explicit: uses TLS if possible, but works unencrypted in case encryption is not possible.

Implicit forces encryption for all commands/data being transferred.
Explicit lets the client choose, what he wants to have encrypted. (data channel? control channel? both? none?)

Usually implicit is not used anymore, if I am not mistaken.

Besides having SSL/TLS encryption, FTPS/FTPES is standard FTP.

FTPS firewall problems

There are occasions where FTPS will fail between two computers, whereas FTP works. This is usually due to 'intelligent' firewalls watching out for FTP control messages. Upon finding these (the PORT command!), they know which of their ports they have to open up for the data exchange.

If however the connection is encrypted, this packet analysis no longer works. So the ports needed for the data channel stay closed, causing FTPS to fail.

SFTP (Secure FTP, uses SSH)

Since SSHv2, SFTP is available. (SSHv1 implementations only provided 'secure copy'.)

Not much is left to explain (except maybe SSH in depth, which is of no use here), so it will be cut short:

FTP/FTPs is an entirely different protocol from SFTP.
Where FTP needs two connections (1x command, 1x data channel), SFTP only needs one: from a random port on the client side to port 22, the SSH port, on the server side. All data exchange is done through ssh-specific commands. These may be similar to the ones specified above, but besides the similarities they have nothing in common; they don't stem from the same specification.

On a sidenote, scp uses sftp internally.

FTPs (FTP over SSH)

This one is a rare occurrence and seldom used. (Except by those notorious people that will do things just because they can.)

Comparisons for easier understanding, spot the differences:

=======================================================
FTP
=======================================================

                     |  plain        |  encrypted
---------------------+---------------+-------------
   control channel   |  FTP          |
   data channel      |  FTP          |

=======================================================
FTPs, FTP-over-SSH
=======================================================

                     |  plain        |  encrypted
---------------------+---------------+--------------
   control channel   |               |  FTP-over-SSH
   data channel      |  FTP-over-SSH |

=======================================================
FTPS / FTPES, FTP-over-SSL
=======================================================

                     |  plain        |  encrypted
---------------------+---------------+--------------
   control channel   |               |  FTP-over-SSL
   data channel      |               |  FTP-over-SSL

=======================================================
SFTP, Secure FTP (only one channel!)
=======================================================

                     |  plain        |  encrypted
---------------------+---------------+--------------
control+data channel |               |  SFTP

Instead of using regular FTP (the 'plaintext' version, if I may say so), where both control and data channel are unencrypted, an SSH tunnel is established prior to FTP usage and its encryption is used for the control channel. The data is transmitted without encryption.

So USER and PASS commands cannot be read in plain text anymore, which makes FTPs better than regular FTP.
Since the initial overhead of creating the SSH tunnel is too complicated, people stick to FTP/FTPS/SFTP instead of FTPs. Also, as noted at the beginning, you'd need both an ftp server and an ssh server running, and a tunnel previously and properly set up.

But why bother, and not just either go the easy way with FTP or the secure way with SFTP or FTPS?

FXP (File Exchange Protocol)

This one has nothing at all to do with encryption, at least per se. It is also only possible with the FTP variants, not with SFTP.

Scenario: Say you have a client, and two servers. (Instead of regular FTP where you just have a client and a single server.)

With regular FTP, to get files from server1 to server2 the transfer would have to go through the client (and its possibly bad connection). No direct connection is possible from server1 to server2 over the 'good'/fast network.

With an FXP client, direct transfers are possible, if the FTP servers support this functionality. It is achieved by passing the IP and port of server1 to server2 via the client machine.

Basically, the client connects to both servers at once. It negotiates a connection with server1 in passive mode, to learn which port server1 has open for data exchange. It tells server2 and calls for the data transmission. server1 will be contacted by server2, the data channel is established, and the files flow directly.

The first server here was contacted in passive mode. The second was passed the first server's IP and port.

Of course this should also work with active/passive switched, but then the client has to know the second server's open ports beforehand, without being told by the server, which complicates things. Without this information, passing the first server the IP of the second server and a wrong port in the first step makes just no sense.

Lastly, two sidenotes:
Usually when customers are unable to use SFTP/FTPS it's due to them forgetting to adjust the protocol in their FTP client (e.g. Filezilla). Or they miss the proper port. Or they changed encodings/transfer modes/passive mode while trying to get things to run...

Bash dollar sign shell variables
posted on 2014-07-25 11:51:54

Cheatsheet shamelessly stolen from here.

VARIABLE    MEANING
$0          Filename of script
$1          Positional parameter #1
$2 - $9     Positional parameters #2 - #9
${10}       Positional parameter #10
$#          Number of positional parameters
"$*"        All the positional parameters (as a single word) ***
"$@"        All the positional parameters (as separate strings)
${#*}       Number of positional parameters
${#@}       Number of positional parameters
$?          Return value
$$          Process ID (PID) of script
$-          Flags passed to script (using set)
$_          Last argument of previous command
$!          Process ID (PID) of last job run in background

*** Must be quoted, otherwise it defaults to $@.

Proxmox remove subscription message
posted on 2014-07-23 12:23:45

Nowadays proxmox will nag you with an annoying popup message window, since they want to sell subscriptions. (The one telling you 'You do not have a valid subscription for this server. Please visit www.proxmox.com to get a list of available options.'...) See here, in case you ponder buying something.

For all the others like us, connect to your proxmox instance (i.e. ssh), and do this:

$ cd /usr/share/pve-manager/ext4/
$ cp pvemanagerlib.js pvemanagerlib.js.bu   ## creating backups is good style

Then open pvemanagerlib.js in an editor of your choice, and edit line 519 (currently that's where the change has to be made, as of 7/2014):

The code in question looks like this:

 1      checked_command: function(orig_cmd) {
 2          PVE.Utils.API2Request({
 3              url: '/nodes/localhost/subscription',
 4              method: 'GET',
 5              //waitMsgTarget: me,
 6              failure: function(response, opts) {
 7                  Ext.Msg.alert(gettext('Error'), response.htmlStatus);
 8              },
 9              success: function(response, opts) {
10                  var data = response.result.data;
11  
12                  if (data.status !== 'Active') {
13                      Ext.Msg.show({
14                          title: gettext('No valid subscription'),
15                          icon: Ext.Msg.WARNING,
16                          msg: PVE.Utils.noSubKeyHtml,
17                          buttons: Ext.Msg.OK,
18                          callback: function(btn) {
19                              if (btn !== 'ok') {
20                                  return;
21                              }
22                              orig_cmd();
23                          }
24                      });
25                  } else {
26                      orig_cmd();
27                  }
28              }
29          });
30      },

Change line 12 in the above example:

if (data.status !== 'Active') {

to

if (false) {

and things are fixed.

useradd cheatsheet
posted on 2014-07-23 11:38:55

This topic is already covered in more depth in an earlier post here, but now I figured a cheatsheet would help.

SYSTEM USER
    system user privileges? (UID below 1000)
    -r

HOME FOLDER
    create home folder in /home/<username>?
    -m
    no home folder creation:
    -M
    add existing folder as home:
    -d <folder>

    add contents to created home?
    -k <'skeleton' folder containing data>

GROUPING
    create new user group?
    -U
    add to existing group?
    -g <id or groupname>
    add several groups?
    -G <groups separated by comma's>
    don't create group? (user will usually be added to the group with id 100, see manpage)
    -N 

SHELL
    shell access? (use appropriate shell, /bin/sh for system users if login is needed)
    -s /bin/bash
    no shell access?
    -s /bin/false
    no shell access, with notification?
    -s /sbin/nologin

COMMENT
    -c 'comment explaining user usage'

linux: cat to clipboard
posted on 2014-07-21 11:13:46

To put the contents of a file directly into the clipboard, there exist several different ways. One possibility is to mark it and press CTRL-C or SHIFT-DEL, or whatever is used in your application for copying.

Applications like Klipper, besides providing the functionality of having a memory, also enable the system to copy every selection you make (with your mouse) into the clipboard.

All this is helpful, but once you have content that spans several screen pages, this gets old pretty fast.

Solution on debian: xclip

$ sudo apt-get install xclip

Usage:

$ echo test | xclip     ## clipboard contains now string 'test'
$ cat file.txt | xclip  ## clipboard contains content of file 'file.txt'
Plesk Hacker Plesk reference
posted on 2014-07-11 14:13:30

The best Plesk 11 reference you can find is here.

URL encoding
posted on 2014-07-11 11:29:42

URL encoding (or 'percent encoding') describes the encoding of special characters in Uniform Resource Identifiers (URI's). As to why it is called URL encoding although it is used for URI's in general, well... just accept it. Or read here.

Most likely you just want to know this:

!   #   $    &   '   (   )   *   +   ,   /   :   ;   =   ?   @   [   ]
%21 %23 %24 %26 %27 %28 %29 %2A %2B %2C %2F %3A %3B %3D %3F %40 %5B %5D

or this:

        newline        space     "   %   -   .   <   >   \   ^   _   `   {   |   }   ~
%0A or %0D or %0D%0A    %20     %22 %25 %2D %2E %3C %3E %5C %5E %5F %60 %7B %7C %7D %7E
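
The two tables above list the characters one usually needs; as an added example (not part of the original post), here are POSIX sh functions that percent-encode and decode arbitrary strings byte by byte, treating only the RFC 3986 unreserved characters (letters, digits, - . _ ~) as safe. Function names are mine.

```shell
#!/bin/sh
# Added example (not from the post): percent-encoding and decoding in plain sh.
# Every byte outside the unreserved set becomes %XX (uppercase hex); multi-byte
# UTF-8 is handled per byte, newline becomes %0A as in the table above.

# urlencode STRING -> encoded string on stdout (no trailing newline)
urlencode() {
    # od prints each input byte as two lowercase hex digits; tr puts one per line.
    printf '%s' "$1" | od -An -v -tx1 | tr -s ' ' '\n' | while IFS= read -r hex; do
        [ -n "$hex" ] || continue
        case "$hex" in
            # 0-9, A-Z, a-z, '-', '.', '_', '~' are unreserved: emit the byte itself
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
                printf "\\$(printf '%o' "0x$hex")" ;;   # octal escape, e.g. \141 -> a
            *)
                printf '%%%s' "$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
        esac
    done
}

# urldecode STRING -> decoded string on stdout. %XX becomes byte XX; a '%' that is
# not followed by two hex digits is passed through unchanged instead of failing.
urldecode() {
    rest="$1"
    while [ -n "$rest" ]; do
        case "$rest" in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex="${rest#%}"
                hex="${hex%"${hex#??}"}"          # the two hex digits
                printf "\\$(printf '%o' "0x$hex")"
                rest="${rest#%??}" ;;
            *)
                printf '%s' "${rest%"${rest#?}"}" # first character, verbatim
                rest="${rest#?}" ;;
        esac
    done
}

# Demo: encode a query value containing reserved characters and decode it again.
if [ "${1:-}" = "demo" ]; then
    enc=$(urlencode 'a b&c=d/e?f')
    printf 'encoded: %s\n' "$enc"
    printf 'decoded: %s\n' "$(urldecode "$enc")"
fi
```
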
Certificates, OpenSSL in depth and GnuTLS
posted on 2014-07-10 14:37:52

This post should give an overview on the most used OpenSSL commands, and how SSL/TLS/X.509 in general works.

EDIT:
Since this post was written a long time ago, it might get revisited in the future. But this will be a major overhaul, so this will not happen in the near future either.

But there will come some ascii art on a schematic PKI in general, the section about the filenames will get cleaned up as well as the openssl section.

post vocabulary and some notes

The most used terms are abbreviated in the following.

PK = Private Key
C = Certificate
CSR = Certificate Signing Request
CA = Certificate Authority

Usually this seems way harder than it is in reality, once you get the hang of it. The hardest part is understanding which file, belonging to which server, is needed for the current step.

Certificates...

Some more abbreviations first:

SSL : Secure Sockets Layer
TLS : Transport Layer Security
X.509 : Public Key Infrastructure (PKI) and Privilege Management Infrastructure (PMI) standard by the "International Telecommunication Union Telecommunication Standardization Sector" (ITU-T).

SSL and its successor TLS are protocols for encrypting internet communication. The C infrastructure setup is defined in the X.509 standard. That is why these acronyms pop up in any discussion of this topic.

On a sidenote, a more general equation:

HTTPS = HTTP + SSL/TLS + TCP

Since this post is focused on usability, the techniques in question that are used in a PKI or PMI are of no concern here.

The C chain usually looks like this (intermediates can, but need not, exist):

  1. Root C
  2. Intermediate C
  3. C

The last C is the one issued by the CA where you submitted your CSR.

Only if all C's are present and used correctly will SSL checking tools (see here or here) report that your C's are set up properly.

File types

There are a bunch of file types you have to be able to tell apart.

file types

.key : private key file (PK), but that's just a convention
.csr : certificate signing request (CSR)
.crt : certificate (C)
.cer : certificate (C), Microsoft used this naming scheme earlier

For .pem and .der files, see next section.

PK.key, CSR.csr, C.crt are kind of placeholders for your actual filenames in the following sections. A good naming scheme would be subdomain_domain_tld-year, without dots. Dots happen to either not work or cause other problems. Appending the year your C was issued helps with distinguishing in case you renew a certain certificate.

containers and encodings

Containers are used for grouping C's (and optionally the PK) together into a single file.

.pem: ascii / base64 encoded container
.der: container in binary format

The extension hints at the encoding being used, for the container. A container usually consists of the set of all C's (the entire trust chain), and can optionally also contain the PK.

All the files from the section before can be in PEM or DER format, IIRC!

For more information on the Distinguished Encoding Rules (DER) or the Privacy-enhanced Electronic Mail (PEM), just click these links.

OPENSSL

PK / CSR generation

For usage with Certificate Authorities (CA's)

Generate a PK and a CSR:

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout PK.key

If you already have an existing PK and just need a CSR:

openssl req -out CSR.csr -key PK.key -new

Create a new CSR for an existing C:

openssl x509 -x509toreq -in C.crt -out CSR.csr -signkey PK.key

Complete self-signed certificate

Generation of a self-signed (ss) C based on a newly generated PK, with a validity of one year (365 days):

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout PK.key -out C.crt

ss-C's for https are still better than traffic over plain http, but for private websites for example, StartSSL Certificates provide C's for free. Free as in 'no money needed'.

convert PEM to DER

openssl x509 -in C.crt -outform der -out C.der

convert DER to PEM

openssl x509 -in C.crt -inform der -outform pem -out C.pem

viewing PEM encoded files containing a C

For debugging reasons, this might actually be the most used command.

openssl x509 -in C.pem -text -noout
openssl x509 -in C.crt -text -noout
openssl x509 -in C.cer -text -noout

This will not work on a single PK file.
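
Added example, not from the original post: a shell script that uses the commands above to build a throwaway root CA and a server certificate signed by it, then runs the three checks worth doing before deploying such files: does C.crt chain to the CA, does PK.key belong to C.crt, and does a PEM to DER to PEM round trip leave the certificate unchanged. Filenames follow the post's placeholders; the subjects and function names are constructed.

```shell
#!/bin/sh
# Added example (not from the post): a two-level test PKI built with the openssl
# commands from this post, plus the checks one runs before using the files.
# Needs the openssl binary; everything is written to a directory you pass in.

# make_test_pki DIR -> CA_PK.key, CA_C.crt, PK.key, CSR.csr, C.crt inside DIR
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Root CA: new PK and self-signed C in one step (openssl req -x509 ...)
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/CA_PK.key" -out "$dir/CA_C.crt" \
        -subj '/CN=Example Test Root CA' 2>/dev/null
    # Server: new PK and a CSR for it
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$dir/PK.key" -out "$dir/CSR.csr" \
        -subj '/CN=www.example.test' 2>/dev/null
    # The CA signs the CSR, which yields the server C
    openssl x509 -req -days 365 -in "$dir/CSR.csr" \
        -CA "$dir/CA_C.crt" -CAkey "$dir/CA_PK.key" -CAcreateserial \
        -out "$dir/C.crt" 2>/dev/null
}

# verify_chain CAFILE CERT -> 0 if CERT chains to a trust anchor in CAFILE
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT -> 0 if the public key in CERT belongs to KEY.
# Both commands emit the public key as PEM, so a string compare suffices.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# pem_der_roundtrip_ok CERT -> 0 if PEM -> DER -> PEM yields the same certificate
# (compared by SHA-256 fingerprint; only the encoding changes, not the C).
pem_der_roundtrip_ok() {
    crt="$1"
    openssl x509 -in "$crt" -outform der -out "$crt.der" 2>/dev/null
    openssl x509 -in "$crt.der" -inform der -outform pem -out "$crt.back.pem" 2>/dev/null
    a=$(openssl x509 -in "$crt" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$crt.back.pem" -noout -fingerprint -sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# describe CERT -> subject and issuer, to see which file belongs to which step
describe() {
    openssl x509 -in "$1" -noout -subject -issuer
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_test_pki "$d"
    describe "$d/CA_C.crt"
    describe "$d/C.crt"
    verify_chain "$d/CA_C.crt" "$d/C.crt" && echo "chain OK"
    verify_chain "$d/C.crt" "$d/C.crt" || echo "leaf without its CA does NOT verify"
    key_matches_cert "$d/PK.key" "$d/C.crt" && echo "PK.key matches C.crt"
    pem_der_roundtrip_ok "$d/C.crt" && echo "PEM/DER round trip OK"
    rm -rf "$d"
fi
```
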

GNUTLS

Get it:

apt-get install gnutls-bin -y

Use:

certtool

Unlike the openssl tool suite, this one is actually self-explanatory.

Examples

In the following, key files carry the .key extension, but that is just a naming convention. In reality they are .pem files, too; the different extension simply makes the files easier to tell apart.

generate PK's (private keys)

certtool --generate-privkey --outfile PK.key --rsa

Use --dsa or --ecc flags if you want to change the used cryptosystem.

generate CSR's (certificate signing requests)

certtool --generate-request --load-privkey PK.key --outfile CSR.pem

generate C (certificate) from CSR (certificate signing request)

Usually the signing certificate is a CA_C.pem, a CA certificate.

certtool --generate-certificate --load-ca-privkey CA_PK.key --load-ca-certificate CA_C.pem --load-request CSR.pem --outfile C.pem

generate C (certificate) from PK (private key), lacking a CSR

certtool --generate-certificate --load-ca-privkey CA_PK.key --load-ca-certificate CA_C.pem --load-privkey PK.key --outfile C.pem

generate a self-signed C (certificate), the fast way

certtool --generate-privkey --outfile CA_PK.key --rsa
certtool --generate-self-signed --load-privkey CA_PK.key --outfile CA_C.pem

Here's a one-liner to copy-paste:

certtool --generate-privkey --outfile CA_PK.key --rsa && certtool --generate-self-signed --load-privkey CA_PK.key --outfile CA_C.pem

create a .p12 / pkcs #12 container file

A .p12 file includes all three parts usually needed on the server side:

  • CA certificate
  • server PK
  • server C

certtool --to-p12 --load-ca-certificate CA_C.pem --load-privkey PK.key --load-certificate C.pem --outfile CONTAINER.p12 --outder

show certificate information

certtool --certificate-info --infile C.pem

Downgrading packages in Debian / Ubuntu
posted on 2014-07-09 16:50:55

Downgrading packages can become important once an apt-get update && apt-get upgrade breaks something.

Most of the following must be done as root. Since you need to be for

Logs on what got upgraded

To find out the packages in question, look here:

/var/log/apt/term.log
/var/log/dpkg.log
/var/log/apt/history.log

Beware of log rotation, in case you do not find anything. Use zgrep, zless, zcat on the rotated, compressed (.gz) files.

A handy script to gather all information into one single place:

cd /var/log/apt && cat history.log > ~/apthistory.log && zcat history.log*gz >> ~/apthistory.log

That way all your logs get aggregated into apthistory.log in your home folder.

If you are using synaptic, you can check the logs through it, too.

Find out which version to use

apt-cache showpkg <package>

<package> is the name you would usually use with apt-get.

In the last section, you may find info on the version to use. It doesn't help that the manpage tells you to look at apt's source code for more information. (Yes, it does that for real...)

If you can't help but feeling lost, that's normal.

The other approaches are skimming through the aforementioned logs with grep and more grep. Or using google, which is harder than one might imagine.

Actual downgrading

apt-get install <packagename>=<version number>

Beware you might need the :amd64 or :i386 extension for the package name, too.
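
As an added example (not from the post), a small sh/awk script that does the log reading and version lookup of the last three sections in one go: it reads plain and gzip-rotated history.log files, prints one "date package old new" line per upgraded package, and derives the apt-get install <package>=<version> lines from that. The log excerpt embedded in it is constructed, not a real log, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the post): list what apt upgraded, with old and new
# version, straight from history.log files (rotated *.gz included), and print the
# apt-get line that would restore each old version. Nothing is installed here.

# Constructed history.log excerpt in apt's format (sample input, not a real log).
SAMPLE_HISTORY='Start-Date: 2014-07-09  10:12:33
Commandline: apt-get upgrade
Upgrade: libssl1.0.0:amd64 (1.0.1e-2+deb7u10, 1.0.1e-2+deb7u11), openssl:amd64 (1.0.1e-2+deb7u10, 1.0.1e-2+deb7u11)
End-Date: 2014-07-09  10:12:40

Start-Date: 2014-07-10  08:01:02
Commandline: apt-get install vim
Install: vim:amd64 (2:7.3.547-7), vim-runtime:amd64 (2:7.3.547-7, automatic)
End-Date: 2014-07-10  08:01:10'

# read_logs FILE... -> concatenated contents, decompressing *.gz on the fly
read_logs() {
    for f in "$@"; do
        case "$f" in
            *.gz) zcat "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# apt_upgrades FILE... -> one line per upgraded package: "date pkg:arch old new"
apt_upgrades() {
    read_logs "$@" | awk '
        /^Start-Date:/ { date = $2 }
        /^Upgrade: / {
            sub(/^Upgrade: /, "")
            # line is "pkg:arch (old, new), pkg2:arch (old, new)" -> split on "), "
            n = split($0, items, "\\), ")
            for (i = 1; i <= n; i++) {
                sub(/\)$/, "", items[i])        # last item still ends in ")"
                split(items[i], p, " \\(")      # p[1] = pkg:arch, p[2] = "old, new"
                split(p[2], v, ", ")            # v[1] = old version, v[2] = new
                printf "%s %s %s %s\n", date, p[1], v[1], v[2]
            }
        }'
}

# downgrade_commands FILE... -> the apt-get lines that would restore the old versions.
# Printed for review, not executed; the version string is the one apt-get expects.
downgrade_commands() {
    apt_upgrades "$@" | awk '{ printf "apt-get install %s=%s\n", $2, $3 }'
}

if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_HISTORY" > "$f"
    apt_upgrades "$f"
    downgrade_commands "$f"
    rm -f "$f"
fi
```

On a real system call it as apt_upgrades /var/log/apt/history.log /var/log/apt/history.log.*.gz.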

Preventing future upgrades from killing your changes

echo '<packagename> hold' | dpkg --set-selections

To undo this:

echo '<packagename> install' | dpkg --set-selections

To show what currently gets upgraded or not:

dpkg --get-selections | grep 'install'
dpkg --get-selections | grep 'hold'

Keep in mind that things might break in a later update & upgrade, if you do not fix the cause of your problem. The package you downgraded might be needed in a newer version by a lot of other packages, it's just a question of time.

Plesk mail spam fixes
posted on 2014-07-09 13:46:10

mail notifying

When receiving a mail like this:

 1  Hi Abuse Team,
 2  
 3  This is an RBL nomination for the following lists of IP addresses that
 4  are in the process of being listed to the RBL as a spam source
 5  and/or is an originating spam source in progress.
 6  
 7  -- IPs listed to the RBL --
 8  here.is.your.ip
 9  -- End of IPs listed to the RBL --
10  
11  Please refer to below information for representative spam samples.
12  Additional samples are available upon request from an authoritative
13  requestor.
14  
15  Filename: CTR-NET.zip
16  Password: novirus
17  
18  -- Example of spam mail --
19  Spam Sample #1 - [here.is.your.ip]
20  
21  Received: from [here.is.your.ip] by <removed> via sendmail with smtp;
22  for 1 recipient; Fri, 04 Jul 2014 07:24:14 -0000
23  Received: by <removed> (Postfix, from userid 10335)
24  id 8D55D7E2640; Fri,  4 Jul 2014 09:24:15 +0200 (CEST)
25  To: <removed>
26  Subject: [20140704] Dear Customer! We received your July 1st payment of $2579 which brings
27  your balance to $0.
28  X-PHP-Originating-Script: 10335:yysfgfo.php
29  Message-Id: <removed>
30  Date: Fri,  4 Jul 2014 09:24:15 +0200 (CEST)
31  From: <removed>
32  
33  -- End of Example of spam mail --
34  
35  -- Network Information --
36 
37 ...

The important information is in line 28.

Do:

$ grep 10335 /etc/passwd

which will give you the user in question.

Then remove the yysfgfo.php file from that account and the spam issue is fixed. (find <dir_of_webspace> -iname yysfgfo.php will show you where it lies.)

The UID and filename may differ, these are just examples.

Of course the site was hacked, and you/the customer still have to fix and secure it, so future compromises are prevented.

Usually setting a new password for the user's FTP account (so new malicious scripts cannot be uploaded again) is enough. In case you use Plesk, you might consider setting a new password for the login to the website panel, too.

spamming just started

If you have not yet received a blacklist mail or another form of notification and the spamming is taking place right now, use these:

# first have a look at the current mail queue
mailq

You are then shown the queue file id (the first character sequence at the beginning of each line), sender and other information. Have a look at some of the suspicious looking emails, using the queue id and postcat:

# show mail header and body
postcat -q 252977E27B0

There, look for headers like X-PHP-Originating-Script, as described at the beginning of the post.

brute force in case nothing helps

If the mailheader does not provide an X-...-Originating-Script entry, try this:

for i in $(find /var/www/vhosts -type f -name access_log); do
    COUNT=$(fgrep -c POST "$i")
    if [ "$COUNT" -gt 0 ]; then
        echo "$i"
        echo "$COUNT"
    fi
done

This approach works because most attackers trigger the spam dispatch with HTTP POST requests.

The commands scan the apache httpd access logs of all webhostings and count the POST requests sent to each hosting. You should then have a look at the recently changed files in the folder with the most hits. Keep in mind that, due to the I/O load this puts on the system, it might take a while until this command sequence finishes.

To have a look on the I/O load, use top:

top - 10:20:37 up 27 days,  3:09,  2 users,  load average: 0.00, 0.01, 0.00
Tasks: 130 total,   1 running, 129 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.3%us,  0.0%sy,  0.0%ni, 99.3%id,  0.0%wa,  0.0%hi,  0.3%si,  0.0%st

...

The wa percentage given above is the average of all CPU wait times for the I/O subsystem. 0.0% is no wait; if it is 40 percent or higher, the command will take ages to finish.

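Added example, not part of the post: the lookups from this post as shell functions run over constructed sample data: extracting UID and script name from the X-PHP-Originating-Script header, resolving the UID by matching the third passwd field exactly (a plain grep for the number also matches it inside GIDs or home paths), and ranking access logs by POST count. The header, passwd and log lines embedded in the script are made up for the demonstration, as are the function names.

```shell
#!/bin/sh
# Added example (not from the post): header -> UID/script, UID -> account,
# and POST counts per access log, all on constructed sample data.

# Constructed header block modelled on the notification in the post.
SAMPLE_HEADERS='Received: by mail.example.test (Postfix, from userid 10335)
    id 8D55D7E2640; Fri,  4 Jul 2014 09:24:15 +0200 (CEST)
To: victim@example.test
X-PHP-Originating-Script: 10335:yysfgfo.php
Message-Id: <constructed@example.test>'

# Constructed /etc/passwd excerpt. UID 10336 carries "10335" in its home path,
# so "grep 10335 /etc/passwd" returns two lines; matching field 3 does not.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
shop:x:10335:2522::/var/www/vhosts/shop.example.test:/bin/false
blog:x:10336:2522::/var/www/vhosts/blog10335.example.test:/bin/false'

# Constructed access_log lines (combined log format) for two hostings.
SAMPLE_LOG_SHOP='192.0.2.10 - - [04/Jul/2014:09:24:10 +0200] "POST /wp-content/uploads/yysfgfo.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Jul/2014:09:24:11 +0200] "POST /wp-content/uploads/yysfgfo.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Jul/2014:09:24:12 +0200] "POST /wp-content/uploads/yysfgfo.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jul/2014:09:30:00 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
SAMPLE_LOG_BLOG='198.51.100.7 - - [04/Jul/2014:09:31:00 +0200] "GET /POST-mortem.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.8 - - [04/Jul/2014:09:32:00 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# originating_script < MESSAGE -> "uid script" from the X-PHP-Originating-Script header
originating_script() {
    sed -n 's/^X-PHP-Originating-Script: *\([0-9]*\):\(.*\)$/\1 \2/p' | head -n 1
}

# uid_to_user UID PASSWD_FILE -> login name whose third field equals UID exactly
uid_to_user() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "$2"
}

# post_counts LOGFILE... -> "count path" per log, most POSTs first.
# The pattern anchors on the opening quote of the request field, so the word
# POST inside a URL or user agent is not counted.
post_counts() {
    for f in "$@"; do
        n=$(grep -c '"POST ' "$f") || true       # grep -c exits 1 when the count is 0
        [ "$n" -gt 0 ] && printf '%s %s\n' "$n" "$f"
    done | sort -rn
}

if [ "${1:-}" = "demo" ]; then
    p=$(mktemp); a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$p"
    printf '%s\n' "$SAMPLE_LOG_SHOP" > "$a"
    printf '%s\n' "$SAMPLE_LOG_BLOG" > "$b"
    set -- $(printf '%s\n' "$SAMPLE_HEADERS" | originating_script)
    echo "uid $1 wrote $2, account: $(uid_to_user "$1" "$p")"
    echo "grep would have matched $(grep -c "$1" "$p") passwd lines"
    post_counts "$a" "$b"
    rm -f "$p" "$a" "$b"
fi
```

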
Python via Apache
posted on 2014-07-07 11:39:12

Use mod_wsgi instead of mod_python.

An example can be found here.

Certificate content viewed with OpenSSL
posted on 2014-07-07 11:27:04

To show the contents of an SSL/TLS certificate with openssl, do:

openssl x509 -in C.crt -text -noout

where C.crt is the name of your actual certificate. Should work for .pem, .cer and .key files as well.

Cygwin sshd
posted on 2014-07-06 18:31:27

To set up ssh access on a windows box via cygwin, do yourself a favor and read the oracle docs:

http://docs.oracle.com/cd/E24628_01/install.121/e22624/preinstall_req_cygwin_ssh.htm

Fix Cygwin nodosfilewarning
posted on 2014-07-05 19:53:08

Edit your Cygwin.bat file (located in your Cygwin install folder) to look like this:

@echo off

C:
chdir C:\cygwin\bin
set CYGWIN=binmode ntsec nodosfilewarning
bash --login -i

After a clean install, the file should already contain all lines except the one containing the 'nodosfilewarning' part.

VirtualBox SSH access
posted on 2014-07-05 19:08:08

When using virtual machines with VirtualBox, it can be helpful to have proper SSH access configured.

Theory up front

Virtualbox networking modes and Host Adapters

Since most people have trouble figuring this out on their own, some basics first, in case you do not just use 'NAT Mode'.

'Bridge Mode' of VirtualBox maps the physical NIC (network interface card) of your host OS (operating system) to the VNIC / virtual network interface card / virtual adapter of your VM (virtual machine). That way all traffic is passed from outside to the VM directly, transparently to the host OS, which does not have to fiddle with any packets flowing between the VM and the internet.

'Host-only Mode' works on an IF (interface) of the host OS, similarly to the loopback device which Linux uses when you have network-based (i.e. TCP/IP based) applications running locally, on localhost. The loopback interface sports the famous 127.0.0.1 address, but it can have any address from the 127.0.0.0/8 subnet, which actually spans up to 127.255.255.254. You can also have several loopback interfaces, in case you want to run several webservers locally, all on port 80. (I just made that example up from the top of my head to make the explanation more concrete, but I digress.) The VirtualBox host-only adapter works similarly, in that VirtualBox uses this virtual adapter to transfer all traffic among the VMs.

There can be quite a bit more said, but just head over to the VirtualBox Manual and do the reading yourself; I am getting lazy as this post grows quite a bit longer than I ever intended.

Virtual NIC's of the VM

These are the actual network cards present in your virtual system.

To have internet access as well as communication between host and guest (or among guests), you have to set up two NICs. To have two NICs, you have to enable them in the settings of your VM; that is what the 'Adapter 1' to 'Adapter 4' tabs in the Network settings of the VM in question are for.

Short answer: if you do not have a NIC, you cannot assign IPs to it.

Of course, in the real world you can set several IP addresses on one NIC. Although I have not tried this, I doubt it works here, since the VNICs that VirtualBox provides differ from each other depending on the mode they are set to, I bet.

Actual IP configuration of the guest

Once the VNIC is enabled for your VM (which is as if you had just built a physical NIC into your desktop), you can configure it so Linux knows about it.

So first you have to create a new entry in the networking config, followed by the IP configuration you choose.

This should have you covered on the basics (so you have at least a small idea of what you are actually doing next); hopefully it will serve you well.

Without further ado, the easiest way to set up SSH is this:

Setup VirtualBox

  1. Open the settings page of the VM in question from within virtualbox.
  2. Menupoint Network >> Tab Adapter 2.
  3. Checkbox Enable Network Adapter to create a new virtual Network Interface Card (NIC).
  4. Set 'Attached to:' to Host-only Adapter. The name of the adapter is not of interest, there just has to exist a vbox specific one already. If this is not the case, go to your virtualbox preferences (the ones of the hypervisor, not the ones of the individual vm's), choose "Network" in the left frame and then the tab "Host-only Networks". Add a network and edit the newly created adapter if you need a specific ip network or DHCP.
  5. Start the VM, and open a shell.
  6. $ ip addr and hit enter.
  7. Maybe you already have an ip then, otherwise you will have to set up networking with the ip network that is used in the vbox adapter in step 4. The 192.168.56.0 one is a likely network, in case you did not change the default settings in step 4.
  8. Depending on if you have a RHEL-based distro in use (RHEL, CentOS, Fedora, ...), or Debian-based (Ubuntu, Debian), this step varies.

Setup guest VM, possibility one: static networking (recommended)

RHEL

Open /etc/sysconfig/network-scripts/ifcfg-eth1 (Or whatever IF you looked up in step 6.) with root privileges and add the following code:

DEVICE=eth1
BOOTPROTO=static
IPADDR=192.168.56.101
NETMASK=255.255.255.0
ONBOOT=yes

Fix IPADDR and DEVICE to the values in step 6.

Debian

Open /etc/network/interfaces as root and change/add this:

allow-hotplug eth1
iface eth1 inet static
address 192.168.56.101
netmask 255.255.255.0

As with the RHEL part, fix IF and IP accordingly, if these differ in step 6.

Setup guest VM, possibility two: dynamic networking (not recommended)

After you have set up the additional NIC in your guest OS as described below, run ifup eth1 to activate the new interface and run dhclient eth1 afterwards to get an IP address from the DHCP server.

RHEL

Open /etc/sysconfig/network-scripts/ifcfg-eth1 (Or whatever IF you looked up in step 6.) with root privileges and add the following code:

DEVICE=eth1
BOOTPROTO=dhcp
ONBOOT=yes

Debian

Open /etc/network/interfaces as root and change/add this:

allow-hotplug eth1
iface eth1 inet dhcp

Usage

For easiest usage, add a shorthand on your host OS into your ssh config. (/home/<username>/.ssh/config) If the file does not exist, create it.

Add this:

Host vbox
    # change this to the user as which you want to log in
    # (ssh_config does not allow comments at the end of a value line)
    User root
    Hostname 192.168.56.101
    StrictHostKeyChecking no

Which will make it possible to connect like this from your host OS:

$ ssh vbox

The strict hostkey check was turned off since you certainly know the machine you are connecting to and do not care when you use another vm with the same setting. (Which has very likely a different hostname.)

Of course, this step is of little use if you just use DHCP IPs. Static network addresses are preferred, as they will stay the same and you will not have to fix the config if you use several hosts and IPs get mixed up.

bash emacs shell shortcuts
posted on 2014-07-04 13:19:19

Linux usually comes with the bash shell. By default bash lets you enable vi or emacs shortcuts. (Google set -o emacs vs. set -o vi for more info.)

Since vi mode is a bit strange to use (no possibility to see which mode you are in; maybe with zsh this could be changed?), I stick to emacs bindings.

Most useful are:

# CHOOSING
CTRL - P    previous command (previous line)
CTRL - N    next command (next line)

# SEARCHING
CTRL - R    incremental search in command history

# MOVING
CTRL - A    beginning of line
CTRL - E    end of line
ALT - B     backward one word
ALT - F     forward one word
CTRL - B    backward one character
CTRL - F    forward one character
ALT - A beginning of sentence
ALT - E end of sentence

# DELETING / CUTTING / "KILLING"
CTRL - D    next char
CTRL - H    previous char
ALT - D     next word
ALT - BSPC previous word
CTRL - W    previous word (not preferred, as it won't work in emacs with evil-mode enabled :o))
CTRL - K    from cursor to end of line
CTRL - U    from cursor to beginning of line

# INSERTING / "YANKING"
CTRL - Y    put paste buffer contents back at cursor location

# UPPERCASE
ALT - U     uppercase next word
ALT - L     lowercase next word

# TRANSPOSE
CTRL - T    last two characters
ALT - T     last two words

# AUTOCOMPLETION
ALT - *     insert all possible completions
ALT - ?     show all possible completions

Wireshark and tcpdump cheatsheet
posted on 2014-07-03 22:14:34

Wireshark and tcpdump are essential tools when analyzing network traffic. These may help:

Wireshark

tcpdump

More tcpdump info here.

Tcpdump is helpful to know, even if you use just wireshark, since capture filters use tcpdump syntax, not the one wireshark uses for its display filters. See here or here.

Plesk turn php error display off
posted on 2014-07-03 13:11:21

To turn php error display off in Plesk 11, do this:

  1. Login to the panel.
  2. Open the domain in question.
  3. Tab Websites and Domains.
  4. Show 'extended options'.
  5. Open 'website-scripting and security'.
  6. Tab 'PHP settings'.
  7. Set 'display_errors' to 'off'.

This might be needed when clients do not update their web presence, having used an old PHP version for development. When the PHP install on the server gets an update, a lot of functions in their code are flagged as deprecated at once. To have a properly viewable site, this option helps. Still, the code has to be updated, in case deprecated functions are sooner or later removed from the PHP language. TBH I have no idea if such things happen in the PHP landscape, but it happens in other programming languages.

PFSense IPsec VPN problems
posted on 2014-07-03 10:37:51

When running a PFSense as Firewall and VPN Gateway, trouble might arise. (See here.)

From personal experience, using version 2.1.4 and running like a dozen different tunnels, random connection breaks occurred.

It did not matter which interface was used, which hardware the other tunnel endpoint/gateway was on.

Only helpful solution so far was this:

System >> Advanced >> Tab Miscellaneous >> Section IP Security >> Checkbox Prefer older IPsec SAs

VirtualBox shared folders
posted on 2014-07-01 23:18:08

When using VirtualBox for toying around with VMs, you usually need a way to exchange files. This can happen through version control or shared folders; Dropbox and similar file hosters would be another option.

Here the shared folder approach will be described, in Ubuntu 14.04:

  1. Create a folder to be used on your host OS.
  2. Include the folder you just created in VirtualBox. Choose the VM, Settings >> Shared Folders and add the new one. 'Transient' is just temporary, which you will very likely not want; choose a persistent approach, auto-mount and persistent, plus the folder you just created on your host OS. The 'label' (what you choose as 'Folder Name') you will need as the mount target at the end.
  3. Check your vbox version, Help >> About VirtualBox... will show it.
  4. Get the 'Guest Additions' ISO from here, the one fitting your vbox version.
  5. As root you have to prepare some things. In particular: apt-get update, apt-get upgrade, apt-get install dkms -y. This will make the changes to the kernel modules persistent across updates. The 'upgrade' part can maybe be skipped, IIRC.
  6. Mount the GuestAdditions ISO: Choose VM, Settings >> Storage >> choose IDE controller >> click on the CD icon on the right (not the one in the tree overview!).
  7. Either your VM will tell you to auto-run the ISO (easy).

Or you will have to use the supplied installer script (a little harder):

$ mkdir /mnt/iso
$ sudo mount /dev/cdrom /mnt/iso

Open the mounted ISO (cd to there), and do as root:

$ sh ./VBoxLinuxAdditions.run

If the mount fails due to 'bad superblock' or such, do cd /media && cd /cdrom && eject and reload the iso in the VirtualBox Manager. If the 'bad superblock' error still persists, this may be related to 14.04 or just me being dumb. Once all this is done, the folder chosen in VirtualBox needs to be mounted in the guest OS. sudo mkdir /mnt/share and sudo mount -t vboxsf <label-you-chose-in-step-2.> /mnt/share

So basically, there are several steps:

  • You need to have the Guest Additions installed in your guest OS.
  • In VirtualBox there has to be a linked folder to your host OS.
  • The folder linked in VirtualBox has to be mounted by its label into your guest OS.

Should be easy, but every time I have to do it, it takes me ages. Or at least it feels like it.

PFSense CLI commands
posted on 2014-07-01 15:34:00

CLI command                     Description
===========================================

pfctl -d                        Deactivate firewall completely
pfctl -e                        Activate firewall rules again
pfctl -sn                       Show current NAT rules
pfctl -sr -vv (or pfctl -vvsr)  Show current filter rules with rule numbers
pfctl -ss                       Show the current state table
pfctl -sa                       Show everything it can show
viconfig                        Edit the actual config file, /conf/config.xml.
                                When editing is finished, the /tmp/config.cache file is deleted,
                                so the changes are activated in the firewall after you leave the editor.
/etc/rc.reload_all              Reload the firewall with the complete configuration.
                                Restarts sshd (keeping the current ssh session) and the webgui.
                                It seems rc.reload_all also keeps the sessions up and running.
rm /tmp/config.cache            Remove the running config and reuse /cf/config.xml
                                (the firewall reloads /cf/config.xml after the delete).

There are also php scripts that can be used...

#!/usr/local/bin/php -q
<?php
// Manual restart of the OpenVPN processes.
// (Comments must sit inside the PHP block: text before <?php is printed verbatim.)
require_once('openvpn.inc');

openvpn_resync_all();
?>


#!/usr/local/bin/php -q
<?php
// Manual restart of the IPsec VPN tunnels.
require_once('vpn.inc');
require_once('util.inc');

vpn_ipsec_force_reload();
?>



Unless otherwise credited all material Creative Commons License by sjas