encrypted backups with secure mysqldump

It’s convenient and often suggested to cron something like:

/usr/bin/mysqldump -u root -pPASSWORD --all-databases > /path/to/flatfile.sql

That is a bad idea for several reasons: every user on the machine can read your password from the process list with ps, and you have to write the plaintext root password into your shell script or crontab.

ps axw | grep mysql

The MySQL documentation has its own guidelines for password security:
store your password in an option file in your home directory instead of pasting it into shell scripts and commands.

Replace root with a single-purpose Linux user

So let’s create a separate Linux user that is used only for mysqldump.

root@mysql:~# useradd mysqldump -d /home/mysqldump/ -s /bin/bash
root@mysql:~# mkdir /home/mysqldump
root@mysql:~# chown mysqldump:mysqldump /home/mysqldump
root@mysql:~# passwd mysqldump
root@mysql:~# su mysqldump
mysqldump@mysql:/root$ cd
mysqldump@mysql:/home/mysqldump$ 
mysqldump@mysql:/home/mysqldump$ mkdir .ssh
mysqldump@mysql:/home/mysqldump$ chmod 0700 .ssh
mysqldump@mysql:/home/mysqldump$ vi .ssh/authorized_keys

Place your SSH key id_rsa.pub into ~/.ssh/authorized_keys to get password-less public-key authentication for ssh, rsync and scp. This way you can run rsync from your remote backup host at any time without entering a password.

Read-Only MySQL User for mysqldump

The next improvement is to create a read-only MySQL User for mysqldump. It’s never a good idea to use root for dumping databases.

mysql> GRANT SELECT, LOCK TABLES ON *.* TO dump@localhost IDENTIFIED BY 'trustno1';

As always, limit the user to localhost and choose a strong password.

Option File for Password Storage

Now place the option file .my.cnf in your mysqldump home directory.

[client]
password=trustno1

Set strict permissions on the file:

mysqldump@mysql:~$ chmod 0400 .my.cnf 
mysqldump@mysql:~$ ls -la | grep .my.cnf
-r-------- 1 mysqldump mysqldump   39 Feb 27 20:21 .my.cnf

And test your mysqldump user

mysqldump@mysql:~$ mysql -u dump
Welcome to the MySQL monitor.

Now your mysqldump user is set up in a good way to prevent some OOOooops!

Encrypted MySQL Dumps

We do not want unencrypted SQL dumps lying around on the hard disk, as they may contain passwords. It is also always a good idea to have the files encrypted before they leave the server, because the backup storage may not have full disk encryption, or may just be a single USB stick or an external SATA drive used as cold storage.
For this reason we are going to use asymmetric encryption, also known as public/private key encryption, so we do not have to take care of a symmetric key and its transport between the MySQL server and the backup system.

Create the key pair on your backup system. Do not transport your private key to any other system. And of course, keep a good copy of your key available: if you lose the private key, all your backups become worthless in less than a second.

cave@backup:~/mysqlkey$ openssl req -x509 -sha256 -nodes -newkey rsa:4096 -keyout mysqldump.priv.pem -out mysqldump.pub.pem

And copy the public key to your mysql server.

cave@backup:~/mysqlkey$ scp mysqldump.pub.pem mysqldump@mysql.domain.tld:/home/mysqldump/key/

Verify that the key pair works as expected: encrypt a plaintext file on your MySQL host, scp it to your backup host, and decrypt it there.

mysqldump@mysql:~$ echo "encrypt all the things" > plain.txt
mysqldump@mysql:~$ openssl smime -encrypt -binary -text -aes256 -in plain.txt -out crypted.txt.enc -outform DER /home/mysqldump/key/mysqldump.pub.pem
mysqldump@mysql:~$ ls *.txt*
crypted.txt.enc  plain.txt

Now copy it to your Backup Host and try to decrypt it.

cave@backup:~/mysqlkey$ scp mysqldump@mysql.domain.tld:/home/mysqldump/crypted.txt.enc .
crypted.txt.enc                                                                                                       100%  730     0.7KB/s   00:00    
cave@backup:~/mysqlkey$ ls
crypted.txt.enc  mysqldump.priv.pem
cave@backup:~/mysqlkey$ openssl smime -decrypt -in crypted.txt.enc -binary -inform DER -inkey mysqldump.priv.pem -out decrypted.txt
cave@backup:~/mysqlkey$ ls
crypted.txt.enc  decrypted.txt  mysqldump.priv.pem
cave@backup:~/mysqlkey$ cat decrypted.txt 
encrypt all the things

If your plain.txt from your mysql host contains the same message as the decrypted.txt on your backup host, all went fine.

This is also the way to decrypt your backups if you ever need them. Keep your private key safe, and do not lose it!

Why smime was chosen over rsautl

OpenSSL S/MIME can handle large file encryption, where rsautl is limited to smaller files. Some well explained basics about the usage of “openssl smime” can be found at http://stackoverflow.com/a/12233688.

Automate encrypted dumps with bash/crontab

This little script lists all available databases, excludes some, and runs mysqldump for each remaining db. All dumps are encrypted and tar’ed into a single file containing the date (YYYYMMDD) in the filename.

#!/bin/bash
# Dump every database except the excluded ones, encrypt each dump with the
# backup host's public key, and pack the encrypted dumps into one dated archive.
set -eu

BACKUP_DIR="/home/mysqldump/backup"
MYSQL_USER="dump"                       # read-only user; the password comes from ~/.my.cnf
MYSQL=/usr/bin/mysql
MYSQLDUMP=/usr/bin/mysqldump
PUBKEY=/home/mysqldump/key/mysqldump.pub.pem
DAY=$(date +"%Y%m%d")

mkdir -p "$BACKUP_DIR"

# List the databases, dropping the header line and the system schemas.
databases=$("$MYSQL" --user="$MYSQL_USER" -e "SHOW DATABASES;" | grep -Ev "(Database|information_schema|performance_schema)")

for db in $databases; do
  # The plaintext dump only ever exists in the pipe, never on disk.
  "$MYSQLDUMP" --force --opt --user="$MYSQL_USER" --databases "$db" | \
  openssl smime -encrypt -binary -text -aes256 -out "$BACKUP_DIR/$db$DAY.sql.enc" -outform DER "$PUBKEY"
done

cd "$BACKUP_DIR"
# Only pack the fresh .sql.enc files, so earlier archives are not swallowed and removed.
tar czf "mysqldb$DAY.sql.enc.tgz" --remove-files ./*.sql.enc
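The restore side is the part the post only hints at (“This is also the way to decrypt your backups”). The following script is an added example, not the blog’s own code: it unpacks a mysqldb<DAY>.sql.enc.tgz on the backup host and decrypts every per-database dump with the private key, using the same openssl options as above; the function names, the throwaway demo key and the constructed dump are assumptions.

```shell
#!/bin/bash
# Restore side of the encrypted-dump pipeline above. Added example, not the blog's own
# script: unpacks mysqldb<DAY>.sql.enc.tgz on the backup host and decrypts every
# per-database dump with the private key, using the same openssl options as the page.
# Function names, the demo key and the constructed dump are assumptions.
set -eu

# decrypt_dumps ARCHIVE PRIVKEY OUTDIR
# Extracts ARCHIVE and turns each <db><DAY>.sql.enc into OUTDIR/<db><DAY>.sql.
decrypt_dumps() {
    local archive="$1" privkey="$2" outdir="$3" work enc base
    work=$(mktemp -d)
    mkdir -p "$outdir"
    tar xzf "$archive" -C "$work"
    for enc in "$work"/*.sql.enc; do
        [ -e "$enc" ] || { echo "no .sql.enc files in $archive" >&2; return 1; }
        base=$(basename "$enc" .enc)
        # Mirror of the page's decrypt command: DER input, binary output, no -text,
        # because -binary at encryption time means no MIME header was added.
        openssl smime -decrypt -binary -inform DER \
            -in "$enc" -inkey "$privkey" -out "$outdir/$base"
    done
    rm -rf "$work"
}

# roundtrip_check: throwaway key pair plus a constructed dump, encrypted and tarred
# exactly like the cron script does it, then restored with decrypt_dumps.
# Prints "ok" when the restored SQL matches.
roundtrip_check() {
    local tmp day=20160227   # constructed date in the script's %Y%m%d layout
    tmp=$(mktemp -d)
    openssl req -x509 -sha256 -nodes -newkey rsa:2048 -subj /CN=mysqldump-demo \
        -keyout "$tmp/mysqldump.priv.pem" -out "$tmp/mysqldump.pub.pem" 2>/dev/null
    mkdir "$tmp/backup"
    printf 'CREATE DATABASE wordpress;\n-- constructed dump, not real data\n' |
        openssl smime -encrypt -binary -text -aes256 -outform DER \
            -out "$tmp/backup/wordpress$day.sql.enc" "$tmp/mysqldump.pub.pem"
    tar czf "$tmp/mysqldb$day.sql.enc.tgz" -C "$tmp/backup" .
    decrypt_dumps "$tmp/mysqldb$day.sql.enc.tgz" "$tmp/mysqldump.priv.pem" "$tmp/restore"
    if grep -q 'CREATE DATABASE wordpress' "$tmp/restore/wordpress$day.sql"; then
        echo ok
    fi
    rm -rf "$tmp"
}
```

On a real recovery host, pipe each restored .sql into mysql afterwards; the private key never needs to leave the backup system.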

POwr, Broccoli and Kopimi

/join #kopimi

In the shadow of the culture industry’s final crisis of the 20th-century, grows a larger portrait of the POwr, broccoli and Kopimi. The culture industry’s complete failure is followed by the uncanny success of the diffused structure of an Internet elite, spread the world over. The book you’re about to read has no author, no designer, no typesetter, no distribution channel. Nevertheless, you have it in front of you. How did that happen?

Read the frightening instructions of a loosely coherent core of IT specialists grafted into an unsuspecting generation of youths, and how the group stole the eggs, dollars and jpegs in front of the powerless establishment and strong financial interests. Learn how servers, seeders, trackers, e-mail, company formation, foreign investors, Ikko’s weekly allowance, scandalous advertisements, links and search services, infiltrated and destroyed an entire world that had nowhere to run, no one to consult, and no one to trust...

The machine, which operates under the radar frequency is unhindered from the Cambodian jungle to the gay neighborhoods of San Francisco, via the empty beaches of Tel-Aviv, and into the Internet of plain folks in Jönköping suburbs and Gothenburg harbor. It leaves no one unmoved and mangles everything in its path. Technically superior and physically independent it’s constantly transforming, mutating and reappearing in new guises and under new codenames. With a stranglehold on its opponents it’s completely untouched and even more – incomprehensible.

It has rightly been said that this is the first time Kopimi has freed the world and we can be sure that it’s not the last.

(Releasenotes: Download, share, translate, remix, bend, modify, copy, trash, bash, move, publish, burn, hide, remake, plz KOPIMI!)

skaggetorp

100 roads to #g-d:
001. Obtain the Internet.
002. Start using IRC.
003. Group and birth a site.
004. Experiment with research chemicals.
005. Design a three-step program.
006. Take a powerful stance for something positive and essential.
007. Regulate nothing.
008. Say that you have to move in two weeks, but stay for seven months. Come back a year later and do it all over again.
009. ROTFLOL.
010. Relax, you’re already halfway there.
011. Just kidding.
012. Don’t think outside the box.  Build a box.
013. Support support.
014. Organize and go to parties and fairs.
015. Start 3040 blogs about the same things.
016. Drain the private sector of coders, graphic artists and literati.
017. Create a prize that is awarded.
018. Express yourself often in the media, vaguely.
019. Spread all rumors.
020. Seek out and try carding, and travel by expensive trains. Don’t order sushi.
021. Start a radio station.
022. Everything you use, you can copy and give an arbitrary name, whether it’s a news portal, search engine or public service.
023. Buy a bus.
024. Install a MegaHAL.
025. Make sure that you are really good friends with people who can use Photoshop, HTML, databases, and the like.
026. Read a shitload of philosophy.
027. Give yourself cult status, and act accordingly.
028. Never aim.
029. Pick on everyone.
030. Invent or misuse Kopimi.
031. Do things together as a composition, not as a collective.
032. Make your advertising confusingly similar to that of established ventures.
033. Always act with intent.
034. Assert, in any context, that the establishment is lagging.
035. When criticized, blame others and refer to the cluster formation’s non-linear time-creating swarm hierarchy.
036. Send everything to all media, regardless of niche.
037. Start an anonymous confession venture.
038. Make babies and blog their upbringing.
039. Be sure to closely study and keep abreast with substances.
040. Participate in lively Internet discussions that don’t interest you.
041. Start at least three to four IRC channels about every proje
042. Fight and make up often.
043. Share files with anyone who wants them.
044. Deal often with humor sites.
045. Hang out with the Left, the Right, and the Libertarians.
046. See “23” in everything.
047. Flirt with money.
048. Be AFK very little.
049. Threaten large American culture corporations.
050. Broadcast radio from Skäggetorp.
051. Make a “100 list” for successful projects.
052. Be unsure what the list should be named.
053. Take upon yourself a lot of projects.
054. Make sure to be connected to technical, aesthetical, and philosophical people of world class competence.
055. Sleep over at each others houses regularly.
056. Publish a book about Kopimi.
057. At a trial, deny everything.
058. Cultivate unfounded myths and react to them.
059. Hack sites, e-mail accounts, and more.
060. Continuously mock and ridicule all aspects of copyright.
061. Create an Internet site where people can buy and sell votes in democratic elections.
062. Claim to be true, fair and satisfied.
063. Collect money for fraux’s trip to Iceland.
064. Confidently claim that all disconnected computers are broken.
065. Do NOT go to Kurdistan.
066. Make sure to thoroughly establish the claim that all hardware is overpriced.
067. Affirm all words and signs.
068. Mindfuck each other to appropriate extent.
069. Take care of small animals.
070. Create and spiritualize the concept of “Snel hest.”
071. Start and own a think-tank.
072. Deny magnetism.
073. Start a business school. Drop out.
074. Write press releases often.
075. Use IRC while in your underwear, and eat pizza.
076. Juggle with other people’s balls.
077. Ensure that there is no conclusive evidence of Ikko giving monki advertising money by means of volada’s helicopter.
078. Cause inflation and a global financial crisis.
079. Express yourself vaguely if anyone asks you, “How much is a bandwidth?”
080. Use “dynamic” to mean “completely out of control”.
081. Never mention Hotmail, MSN, or Windows.
082. Have all project meetings on IRC.
083. Claim to receive around 1256 e-mails a day.
084. Force a prosecutor to draw up several thousand pages of drivel.
085. Above all abstract everything.
086. Have a liberal vision of hell.
087. Consider yourself overly qualified for top positions in American film and music industries.
088. Create the world’s largest file-sharing service in a twinkling.
089. Attract international attention by accident.
090. Control the portal and opinion makers in all mediums.
091. Standardize and explain your way of doing things at all levels.
092. Have 3576 anonymous confessions on your hard drive. Including the authors’ IP addresses and personal information.
093. Preserve the Internet.
094. Mention the Internet as a source in serious discussions.
095. Rarely mention reasons for your IT elitism.
096. Dismiss expressions like “from farm to table” as superstition.
097. Follow the yellow fellow.
098. Skip the last points of your 100 point list.
099. Establish social services as a parody of antisocial services.
100. Start from scratch.
100. Be careful of burning kittens.
100. Write a book, but start with the back cover.
100. Use parables in abundance, preferably about “butter” and “snow”.
100. Stop using IRL. Use AFK instead.
100. Cultivate contacts within the powers of state intelligence services.
100. Always define “flat organization” arbitrarily, subjectively, and without common sense.
100. Upload.
100. Take over #g-d.
100. PROFIT.

WE-ARE-KOPIMI

/clear

According to Kopimi all truths can be summarized in one sentence: “The Internet is right.”

Though seeded in prehistory, Kopimi is rooted in the future, and holds together a constantly vibrating avalanche of knowledge that forms the foundation for a discussion indifferent to the rippling changes of time and space. A tumult where no one has the permission to keep silent, and where we must speak to everyone and everything.

In attractive flocks, passionate swarms and boisterous schools, we sow ourselves into new contexts and eras. This book is a spontaneously organizing, clustering community project with a single purpose – Kopimi shall be deepening, propagating, and all-consuming. We want to reach further into ourselves and into Kopimi. We want to penetrate further into you, and into the future.

Our words shall, simultaneously, sound as foolishness upon deaf ears and lovely caresses to those who see and hear, but above all: They should bite firmly into you – and your mom. This is a book for those of you who find yourselves in the moment, but are looking for your way forward through the ages.

powr.broccoli-kopimi.pdf

powr.broccoli-kopimi.tar.gz

https://thepiratebay.se/torrent/4741944/powr.broccoli-kopimi

MySQL Master -> Slave Replication

This tutorial is about master-slave replication for MySQL databases; it should work for MariaDB as well. Replication is useful if you want a live backup system, or to scale out and use the slave as a read-only DB. It’s also useful when your database is too big to run mysqldump directly on the master, which locks the DB for the duration of the dump.

Doing backups on the master is still useful, because the master can silently drift out of sync with the slave. Better to have a backup than to feel sorry. The other approach is to run checksums between master and slave regularly, but that is not part of this tutorial.

This tutorial has been made using two Debian Jessie 8.3 systems with MySQL Ver 14.14 Distrib 5.5.47, for debian-linux-gnu (x86_64).

The replication traffic is unencrypted and should be protected with SSH tunneling, OpenVPN or MySQL over SSL. In my case I am using routed OpenVPN because it is already running on the server; otherwise setting up MySQL SSL encryption would be the way to go.
I want to replicate the databases tinytinyrss, baikal and wordpress to my slave.

OpenVPN IPv4 Master: 10.8.0.1
OpenVPN IPv4 Slave: 10.8.0.17

Master Setup

Each node participating in replication needs a different server-id. If server-id is left at the default 0, the server cannot take part in replication as master or slave.
The binary log must be enabled on the master: it records all your transactions in binary format, and this log is what gets replicated to the slave.
So edit the MySQL config file /etc/mysql/my.cnf:

server-id               = 1
log_bin                 = /var/log/mysql/mysql-bin.log
#binlog_do_db           = include_database_name
#binlog_ignore_db       = include_database_name

Limit the Bin Log to specific DB’s which should be logged or ignored.

These are my settings, as I do not want phpmyadmin or the system databases to be replicated. If you use binlog_do_db instead, you need to restart your MySQL master every time you want to add or remove a database from your replication pool.

binlog_ignore_db        = information_schema
binlog_ignore_db        = mysql
binlog_ignore_db        = performance_schema
binlog_ignore_db        = phpmyadmin

For the greatest possible durability and consistency in a replication setup using InnoDB with transactions, you should use the following settings in the master’s my.cnf:

innodb_flush_log_at_trx_commit=1
sync_binlog=1

By default MySQL only listens on localhost/127.0.0.1; to be reachable via the VPN or from outside it has to listen on 0.0.0.0 instead. (Binding to the VPN address alone, 10.8.0.1 in this setup, would keep port 3306 off the public interface; whichever you choose, make sure the firewall only admits the slave.)

bind_address = 127.0.0.1

netstat shows the local address where it is listening and the port.

root@master:~# netstat -tulpn | grep mysqld
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      739/mysqld

The setting needs to be changed to this:

bind_address = 0.0.0.0

After that, we need to restart mysql.

root@master:~# service mysql restart

And now we can see the change in netstat

root@master:~# netstat -tulpn | grep mysqld 
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      20791/mysqld

Please do a quick check on your database if your users are limited to localhost or if there are users allowed for “%”.

root@master:~# mysql -u root -p
Enter password: 

mysql> SELECT user, host FROM mysql.user;
+------------------+-----------+
| user             | host      |
+------------------+-----------+
| root             | 127.0.0.1 |
| root             | ::1       |
| baikal           | localhost |
| debian-sys-maint | localhost |
| phpmyadmin       | localhost |
| root             | localhost |
| tinytinyrss      | localhost |
| wordpress        | localhost |
+------------------+-----------+
11 rows in set (0.00 sec)

The last step of the master setup is to create a user for the slave, which will be used for the replication. Use the IPv4 address of your slave as the host part, so that logins with this account are limited to just your slave. Choose a secure long password with up to 35 characters.

mysql> GRANT REPLICATION SLAVE ON *.* TO 'replicator'@'10.8.0.17' IDENTIFIED BY 'trustno1';

Good, now the master Setup is done.

Slave Setup

The first step is to install mysql-server:

root@slave:~# apt-get install mysql-server

Then let’s edit /etc/mysql/my.cnf.
Each slave that you want to connect to the master needs its own unique server ID, like every other node in the replication pool:

server-id               = 2
read_only               = 1

When the read_only system variable is enabled, the server permits no client updates except from users who have the SUPER privilege. This variable is disabled by default.

Even with read_only enabled, the server permits updates performed by slave threads, if the server is a replication slave. In replication setups, it can be useful to enable read_only on slave servers to ensure that slaves accept updates only from the master server and not from clients.

System variables that apply to slave replication servers:

;replicate-do-db
;replicate-ignore-db

My settings are as follows:

replicate-do-db = baikal
replicate-do-db = tinytinyrss
replicate-do-db = wordpress

replicate-ignore-db        = information_schema
replicate-ignore-db        = mysql
replicate-ignore-db        = performance_schema
replicate-ignore-db        = phpmyadmin

After that, we need to restart mysql.

root@slave:~# service mysql restart

Check if you can login to your master from your slave with the user you have prepared on your master.

root@slave:~# mysql -u replicator -h 10.8.0.1 -p
Enter password: 
Welcome to the MySQL monitor.

Slave setup is also finished.

Data Migration

The databases which are already available on master need to be transferred to the slave and replication needs to be enabled with the exact Master Log File and Master Log Position.
To achieve this, we make the Master Read-Only and write down the log file and position of the Bin Log while we dump the databases we want to replicate.

Let’s lock the master:

mysql> FLUSH TABLES WITH READ LOCK;
mysql> SET GLOBAL read_only = ON;

Get the log file and binlog position from the master while it is locked.

mysql> SHOW MASTER STATUS;
+------------------+----------+--------------+--------------------------------------------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB                                       |
+------------------+----------+--------------+--------------------------------------------------------+
| mysql-bin.000001 |    19766 |              | information_schema,mysql,performance_schema,phpmyadmin |
+------------------+----------+--------------+--------------------------------------------------------+
1 row in set (0.00 sec)

The important information is mysql-bin.000001 and 19766; note both down.

Dump the databases

mysqldump -u root -p --databases baikal tinytinyrss wordpress  > /root/replicated.sql

To be safe, check the master status again. It should be the same as before the dump; otherwise something went wrong.

Unlock the master

mysql> SET GLOBAL read_only = OFF;
mysql> UNLOCK TABLES;

If you check the Master Status now, it doesn’t matter anymore if it changes.

Now tar and scp the SQL file to your slave:

root@master:~# tar -czf replicated.sql.tgz replicated.sql
root@master:~# scp replicated.sql.tgz root@slave:/root/

Log on to your slave, then untar and import the databases into MySQL:

root@slave:~# tar xzf replicated.sql.tgz  
root@slave:~# cat replicated.sql | mysql -u root -p

Designate the Slave

mysql> CHANGE MASTER TO MASTER_HOST='10.8.0.1', MASTER_USER='replicator',
MASTER_PASSWORD='trustno1', MASTER_LOG_FILE='mysql-bin.000001', MASTER_LOG_POS=19766;

This makes the current server a slave of the master at 10.8.0.1, provides the login credentials, and tells the slave where in the binary log to start replicating from. The master log file and log position are the values written down previously.

Start Replication on the Slave Server

mysql> START SLAVE;

Check the status of the replication process:

mysql> SHOW SLAVE STATUS\G
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 10.8.0.1
                  Master_User: replicator
                  Master_Port: 3306
                Connect_Retry: 60
              Master_Log_File: mysql-bin.000001
          Read_Master_Log_Pos: 1252259
                          ...: ...

If the state is “Waiting for master to send event” all is fine.

You can now check if the Master_Log_File and Read_Master_Log_Pos are in Sync with the Master Status.
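The comparison just described (slave Master_Log_File/Read_Master_Log_Pos against the master’s SHOW MASTER STATUS), as an added example that is not part of the original post: a small shell check that also flags stopped replication threads, which is the case the “silent drift” remark above warns about. The parser, the function names and the constructed sample outputs are assumptions.

```shell
#!/bin/bash
# Sync check for the master/slave pair set up above. Added example, not the blog's own
# script: it compares the slave's read position in the master's binlog with the
# master's SHOW MASTER STATUS and flags stopped replication threads. The parser,
# the function names and the constructed sample outputs below are assumptions.
set -eu

# field NAME: reads "SHOW ... STATUS\G" output on stdin and prints the value of NAME.
field() { sed -n "s/^ *$1: //p"; }

# check_sync MASTER_OUT SLAVE_OUT
#   MASTER_OUT: file with "SHOW MASTER STATUS\G" output captured on the master
#   SLAVE_OUT:  file with "SHOW SLAVE STATUS\G" output captured on the slave
# Exit 0 when in sync, 1 when the slave lags, 2 when a replication thread is down.
check_sync() {
    local mfile mpos sfile spos io sql behind
    mfile=$(field File < "$1")
    mpos=$(field Position < "$1")
    sfile=$(field Master_Log_File < "$2")
    spos=$(field Read_Master_Log_Pos < "$2")
    io=$(field Slave_IO_Running < "$2")
    sql=$(field Slave_SQL_Running < "$2")
    behind=$(field Seconds_Behind_Master < "$2")
    if [ "$io" != Yes ] || [ "$sql" != Yes ]; then
        echo "broken: Slave_IO_Running=$io Slave_SQL_Running=$sql"
        return 2
    fi
    if [ "$mfile" = "$sfile" ] && [ "$mpos" = "$spos" ]; then
        echo "in-sync: $sfile:$spos (Seconds_Behind_Master=$behind)"
        return 0
    fi
    echo "lagging: slave at $sfile:$spos, master at $mfile:$mpos"
    return 1
}

# Constructed sample outputs using the values from this tutorial.
sample_master() {
    cat <<'EOF'
*************************** 1. row ***************************
            File: mysql-bin.000001
        Position: 19766
Binlog_Ignore_DB: information_schema,mysql,performance_schema,phpmyadmin
EOF
}
sample_slave_ok() {
    cat <<'EOF'
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 10.8.0.1
                  Master_User: replicator
                  Master_Port: 3306
              Master_Log_File: mysql-bin.000001
          Read_Master_Log_Pos: 19766
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 0
EOF
}
sample_slave_broken() {
    cat <<'EOF'
*************************** 1. row ***************************
                  Master_Host: 10.8.0.1
              Master_Log_File: mysql-bin.000001
          Read_Master_Log_Pos: 19766
             Slave_IO_Running: No
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: NULL
EOF
}

# Live usage on the slave. SHOW MASTER STATUS needs the REPLICATION CLIENT privilege,
# which the replicator account above (REPLICATION SLAVE only) does not have, so use
# an account that holds it for the master side:
#   mysql -h 10.8.0.1 -u <user with REPLICATION CLIENT> -p -e 'SHOW MASTER STATUS\G' > /tmp/master.txt
#   mysql -e 'SHOW SLAVE STATUS\G' > /tmp/slave.txt
#   check_sync /tmp/master.txt /tmp/slave.txt
```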

In the next tutorial I will cover how to add new databases to the slave replication process without stopping and locking the master.

unrar * files from directory

unrar all *.rar from directory

find . -name "*.rar" -exec unrar x -o+ {} \;

unzip all *.zip files from directory

unzip \*.zip

unzip into directory named like the zip file

for f in *.zip; do unzip -d "${f%.zip}" "$f"; done

unrar all files from splitted rar archives

find . -type f -name "*.part01.rar" -exec unrar e -pPASSWORD {} \;

How to create TUN/TAP devices for LXC in ProxmoxVE 4.1

LXC Container

First stop your container via the web interface or the CLI. Replace $CTID with your container ID wherever I write it.

root@proxmox:~# pct shutdown $CTID

and create a file autodev in the config directory of your LXC container, /var/lib/lxc/$CTID:

root@proxmox:/var/lib/lxc/$CTID# cat autodev
#!/bin/bash
# LXC autodev hook: runs against the container's rootfs before it starts and
# creates /dev/net/tun (character device 10:200) inside the container.
set -e
cd "${LXC_ROOTFS_MOUNT}/dev"
mkdir -p net
[ -e net/tun ] || mknod net/tun c 10 200
chmod 0666 net/tun

root@proxmox:/var/lib/lxc/$CTID# ls
autodev  config  rootfs

Append two lines to /etc/pve/lxc/$CTID.conf:

lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: /var/lib/lxc/$CTID/autodev

Make sure the autodev hook is executable; that should be enough.

Start your container via the CLI or the web interface:

root@proxmox:~# pct start $CTID

When you start your OpenVPN you should see your tun device in ifconfig:

root@container:~# ifconfig | grep tun
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

This was tested with Proxmox VE 4.1 – pve-manager/4.1-13/cfb599fb

polite as usual

Anakata

To Whom It May Concern:
 >
 > This letter is being written to you on behalf of our
 > client, DreamWorks SKG (hereinafter “DreamWorks”).
 > DreamWorks is the exclusive owner of all copyright,
 > trademark and other intellectual property rights in
 > and to the “Shrek 2” motion picture. No one is
 > authorized to copy, reproduce, distribute, or
 > otherwise use the “Shrek 2” motion picture without
 > the express written permission of DreamWorks.
 […] > As you may be aware, Internet Service Providers can
 > be held liable if they do not respond to claims of
 > infringement pursuant to the requirements of the
 > Digital Millennium Copyright Act (DMCA). In
 > accordance with the DMCA, we request your assistance
 > in the removal of infringements of the “Shrek 2”
 > motion picture from this web site and any other sites
 > for which you act as an Internet Service Provider.
 > We further declare under penalty of perjury that we
 > are authorized to act on behalf of DreamWorks and
 > that the information in this letter is accurate.
 > Please contact me immediately to discuss this matter
 > further.

To which, The Pirate Bay responded:

As you may or may not be aware, Sweden is not a state in the United States of America. Sweden is a country in northern Europe. Unless you figured it out by now, US law does not apply here. For your information, no Swedish law is being violated.
Please be assured that any further contact with us, regardless of medium, will result in

 a) a suit being filed for harassment
 b) a formal complaint lodged with the bar of your legal counsel, for sending frivolous legal threats.

It is the opinion of us and our lawyers that you are ……. morons, and that you should please go sodomize yourself with retractable batons.

Please also note that your e-mail and letter will be published in full on http://www.thepiratebay.org.
Go fuck yourself.

Polite as usual,
 anakata

 

The Pirate Bay – Away From Keyboard

https://thepiratebay.se/torrent/8118457/TPB.AFK.2013.1080p.h264-SimonKlose

(NFO logo art omitted)

TPB.AFK.2013.1080p.h264-SimonKlose

Dear Internets!

My name is Simon and I am the director/producer of the film TPB AFK: The Pirate Bay Away From Keyboard. After 5 years of hard work, it's a great pleasure to finally upload a torrent about this great website onto the site itself. In a way, I guess TPB AFK has finally come home. This is not just a film about the founders of TPB, but also a film about all of you who use the site. Please convert this film into all possible formats and share it as much as you can!

English subtitles are embedded into the movie. I've also made two folders with .srt and .sub subtitles. Feel free to translate them into whatever language you know! Will there be a hindi, japanese, swahili or a 1337 sp33k subtitle?

Thank you!

your peer,
Simon Klose

Check out our site for more info and extra material:

http://www.tpbafk.tv

restricted user for ssh reverse port forward

Forwarding a service foo from my home server to a public server with a poor man's VPN was already described here. This is the follow-up: restricting the user that the tunnel uses on the server which runs the subdomains and the publishing web server.

Create User on the VPS

root@vps:~# useradd foo -d /home/foo/ -s /bin/bash
root@vps:~# mkdir /home/foo
root@vps:~# chown foo:foo /home/foo
root@vps:~# su foo
foo@vps:/root$ cd
foo@vps:~$ mkdir .ssh
foo@vps:~$ chmod 0700 .ssh
foo@vps:~$ cd .ssh
foo@vps:~/.ssh$ ssh-keygen -t rsa -b 4096
foo@vps:~/.ssh$ exit
root@vps:~# usermod -s /usr/sbin/nologin foo
root@vps:~# passwd -d foo

The key pair serves the tunnel client only: its public half belongs in /home/foo/.ssh/authorized_keys on the VPS, the private half on the home server that opens the tunnel. The shell is switched to /usr/sbin/nologin so that foo can never get an interactive session, and passwd -d removes the password altogether; with PasswordAuthentication no in sshd (and PermitEmptyPasswords at its default of no) the account can only be reached with the key, and only for the tunnel.

openssh

Enable public-key authentication and disable passwords, as explained in my previous post. The two sshd_config(5) keywords involved:

AuthorizedKeysFile
    Specifies the file that contains the public keys that can be used for user authentication. AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup. The following tokens are defined: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory. The default is ".ssh/authorized_keys".
PasswordAuthentication
    Specifies whether password authentication is allowed. The default is "yes".

Applying the restrictions

The server configuration file is /etc/ssh/sshd_config. User-specific settings go into a Match block at the end of the file: every line after a Match line belongs to that block until the next Match line or the end of the file, so Match blocks must come last.

Match User foo
  AllowTcpForwarding yes
  X11Forwarding no
  PermitTunnel no
  GatewayPorts no
  AllowAgentForwarding no
  PermitOpen localhost:62222
  ForceCommand echo 'This account can only be used for the reverse tunnel'

Two things to check before relying on this. First, PermitOpen only limits the destinations of forwards the client opens through the server (ssh -L); it does not limit which port the client may bind on the server with ssh -R, which is what a reverse tunnel uses. GatewayPorts no at least keeps whatever gets bound on the loopback address. OpenSSH 7.8 and later add PermitListen (for example PermitListen 127.0.0.1:62222) to pin the -R listener to one port, and since OpenSSH 6.2 AllowTcpForwarding accepts the value remote, which forbids -L forwards altogether. Second, ForceCommand is executed through the user's login shell, which is now /usr/sbin/nologin, so the echo never runs: a client that asks for a session just gets nologin's refusal, which is the intended outcome, and the tunnel client should connect with ssh -N so that it requests no session at all. The effective settings for the account can be printed with sshd -T -C user=foo,host=vps,addr=203.0.113.10 (host and address are placeholders; they only matter if a Match line tests them).

The sshd_config(5) entries for the keywords used above:

AllowTcpForwarding
    Specifies whether TCP forwarding is permitted. The default is "yes". Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
X11Forwarding
    Specifies whether X11 forwarding is permitted. The argument must be "yes" or "no". The default is "no".
PermitTunnel
    Specifies whether tun(4) device forwarding is allowed. The argument must be "yes", "point-to-point" (layer 3), "ethernet" (layer 2), or "no". Specifying "yes" permits both "point-to-point" and "ethernet". The default is "no".
GatewayPorts
    Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be "no" to force remote port forwardings to be available to the local host only, "yes" to force remote port forwardings to bind to the wildcard address, or "clientspecified" to allow the client to select the address to which the forwarding is bound. The default is "no".
AllowAgentForwarding
    Specifies whether ssh-agent(1) forwarding is permitted. The default is "yes". Note that disabling agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
PermitOpen
    Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms:
        PermitOpen host:port
        PermitOpen IPv4_addr:port
        PermitOpen [IPv6_addr]:port
    Multiple forwards may be specified by separating them with whitespace. An argument of "any" can be used to remove all restrictions and permit any forwarding requests. By default all port forwarding requests are permitted.
ForceCommand
    Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of "internal-sftp" will force the use of an in-process sftp server that requires no support files when used with ChrootDirectory.

How to create a second location for an existing user account

If you want to use your RetroShare user account across different devices, for example on your PC, laptop, NAS, Raspberry Pi, ..., it is not necessary to create a separate account for each device. The same user can have several locations, which your friends automatically recognise as belonging to your user. This avoids a further key exchange with all your friends every time you use RetroShare on a new device. Each location can connect to the friends who already have your user account in their friend list.

Creating a new location for the same user is easy, if you know how.

Let's start with a small example between Bunny, Alice and the RedQueen.

Bunny owns his first location "hole" and is connected with Alice/Wonderland and RedQueen/Hive. On Bunny's new PC he creates a new RetroShare node and imports his contacts from the first node. Bunny's friends do not need to do anything to add the new location; it is simply listed among Bunny's nodes in their contact list.

If you want to do the same as Bunny, here it is as a step-by-step guide.

On your first node, go to Settings -> Submenu Mode -> tab Certificate -> Create New Node.

Select the identity to export in the Profile Manager, export it and save it with the .asc file ending.

This file contains the private GPG key belonging to your RetroShare user ID, and with it we can create new nodes belonging to the same user. Treat it like any other private key: copy it only over a channel you trust and delete it from the new system once the node exists.

Switch to your second system, where you want to create the new node.

Copy the .asc file to your new system and start RetroShare.

Open "Manage profiles and nodes..." and generate the new node.

Now you are done; your new node is basically working, though its contact list is empty.

The next step is moving your contacts from your first node to your second node.

Export your contact list from your first node into a .xml file.

Copy the file to your new node and import it there.

Your friends from your first location are now available on your second location. Your first node and your second node are also friended with each other.

Alice and RedQueen are now able to see the new location of Bunny.

Thanks to sehraf for implementing the Export/Import Tool.

The Principles Of Datalove

Love data
Data is essential
Data must flow
Data must be used
Data is neither good nor bad
There is no illegal data
Data is free
Data can not be owned
No man, machine or system shall interrupt the flow of data
Locking data is a crime against datanity
Love data

monitoring local lan server on main munin server

I want to monitor my hostname.cavebeat.lan servers from my main server on the internet, so that I can reach the monitoring from everywhere. My internet connection at home has a dynamic IP, so opening a port there is not a good solution, and DynDNS is neither the best nor a stable option.

I searched the net for an easy setup without the need for OpenVPN or other tunnel software.

SSH reverse tunnel

One of the best tutorials out there is http://www.vdomck.org/2005/11/reversing-ssh-connection.html

and a more advanced one with autossh: http://www.vdomck.org/2009/11/ssh-all-time.html

#!/bin/sh
# ------------------------------
# autossh reverse tunnel on boot
# ------------------------------

# This is the username on your local server who has public key authentication set up at the middleman
USER_TO_SSH_IN_AS=username

# This is the username and hostname/IP address for the middleman (internet accessible server).
# Prefer a dedicated, key-only account on the middleman over root (see the restricted user post above).
MIDDLEMAN_SERVER_AND_USERNAME=root@domain.tld

# The following two numbers can be whatever you want, but need to be unique if you have multiple reverse ssh tunnels
# Port on the middleman's loopback interface that will lead to munin-node (4949) on this host
PORT_MIDDLEMAN_WILL_LISTEN_ON=20005

# Connection monitoring port for autossh, don't need to know this one
AUTOSSH_PORT=27554

# Ensures that autossh keeps trying to connect
AUTOSSH_GATETIME=0

export AUTOSSH_PORT AUTOSSH_GATETIME

# -N: no remote command, tunnel only.  The -R listener is bound to the middleman's loopback
# address, which is all the munin master (address 127.0.0.1) needs; with GatewayPorts no on
# the middleman it would end up there anyway.  Host key checking stays on: put the middleman's
# key into the user's known_hosts once (ssh-keyscan, or one interactive login) instead of
# switching it off, otherwise anyone who can intercept the connection can impersonate the
# middleman.  ExitOnForwardFailure makes ssh quit (and autossh retry) if the port is taken.
su -c "autossh -f -N \
    -R 127.0.0.1:${PORT_MIDDLEMAN_WILL_LISTEN_ON}:localhost:4949 \
    -p 22 \
    -o LogLevel=error \
    -o ExitOnForwardFailure=yes \
    -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
    ${MIDDLEMAN_SERVER_AND_USERNAME}" "$USER_TO_SSH_IN_AS"

When I start this script, the server domain.tld can reach port 4949 on my local-LAN munin node through 127.0.0.1:20005, so the node is added to munin.conf on domain.tld as:

[hostname.cavebeat.lan]
    address 127.0.0.1
    use_node_name yes
    port 20005

easy as that
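Once the tunnel is up, the munin master on domain.tld only ever sees 127.0.0.1:20005, so a quick way to confirm that munin-node is really on the other end is to speak the munin-node protocol to that port. The following Python client is an added example, not part of this post or of munin: it connects, reads the node's banner, runs list, fetches every listed plugin and returns the values. The stand-in node it starts when run without arguments, the node name hostname.cavebeat.lan and the plugin values are constructed so that the example can be tried offline; against a real tunnel, run it with the host and port of the -R listener.

```python
"""Probe a munin-node through the reverse tunnel (added example, not from the post).

munin-node protocol as used here: the node greets with '# munin node at HOST',
'list' answers with one line of plugin names, 'fetch PLUGIN' answers with
'field.value N' lines terminated by a line holding a single '.', and 'quit'
ends the session.  FakeMuninNode is a constructed stand-in for offline runs.
"""
import socket
import socketserver
import threading


def _readline(f):
    line = f.readline()
    if not line:
        raise ConnectionError("munin-node closed the connection")
    return line.rstrip("\r\n")


def probe_munin_node(host="127.0.0.1", port=20005, timeout=5.0):
    """Return (node_name, {plugin: {field: value}}) for every plugin the node lists."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="ascii", newline="\n")
        banner = _readline(f)
        if not banner.startswith("# munin node at "):
            raise ValueError(f"unexpected banner: {banner!r}")   # not a munin-node on this port
        node_name = banner[len("# munin node at "):]
        f.write("list\n")
        f.flush()
        plugins = _readline(f).split()
        results = {}
        for plugin in plugins:
            f.write(f"fetch {plugin}\n")
            f.flush()
            fields = {}
            while True:                      # fetch output ends with a lone "."
                line = _readline(f)
                if line == ".":
                    break
                key, _, value = line.partition(" ")
                if key.endswith(".value"):
                    fields[key[:-len(".value")]] = value
            results[plugin] = fields
        f.write("quit\n")
        f.flush()
    return node_name, results


class FakeMuninNode(socketserver.StreamRequestHandler):
    """Minimal munin-node stand-in (constructed for this example, not real munin)."""
    node_name = "hostname.cavebeat.lan"
    plugins = {"load": {"load": "0.42"}, "uptime": {"uptime": "12.5"}}

    def handle(self):
        self.wfile.write(f"# munin node at {self.node_name}\n".encode())
        while True:
            line = self.rfile.readline().decode().strip()
            if not line or line == "quit":
                return
            cmd, _, arg = line.partition(" ")
            if cmd == "list":
                self.wfile.write((" ".join(self.plugins) + "\n").encode())
            elif cmd == "fetch" and arg in self.plugins:
                for field, value in self.plugins[arg].items():
                    self.wfile.write(f"{field}.value {value}\n".encode())
                self.wfile.write(b".\n")
            else:
                self.wfile.write(b"# Unknown command. Try list, fetch or quit\n")


def start_fake_node(host="127.0.0.1", port=0):
    """Serve the stand-in node on a daemon thread; returns (server, bound_port)."""
    server = socketserver.ThreadingTCPServer((host, port), FakeMuninNode)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                 # python3 probe_munin.py 127.0.0.1 20005
        host, port = sys.argv[1], int(sys.argv[2])
    else:                                  # offline: talk to the stand-in instead
        _, port = start_fake_node()
        host = "127.0.0.1"
    name, data = probe_munin_node(host, port)
    print(f"node {name} via {host}:{port}")
    for plugin, fields in data.items():
        print(f"  {plugin}: {fields}")
```

If the banner check fails, something other than munin-node answered on the port, typically because an older tunnel still holds it or the -R forward pointed at the wrong local port; a ConnectionError means nothing is listening, that is, the tunnel is down.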