Boldcore's wiki - New pages [en]

Tyt th258 programming software

2020-07-10T09:05:57Z

Admin: /* TYT TH-258 Programming Software Download link */

= TYT TH-258 Programming Software =
It is very hard to obtain official programming software for that cute little radio.

Programming software for TYT TH-258 is available for download here: https://git.boldcore.eu/jhenzely/pub/raw/branch/master/TYT-TH258_programming.zip

Lvm fsck in rescue mode

2018-05-15T12:39:31Z

Admin:

In rescue mode on RedHat/CentOS LVs are in "INACTIVE" mode. 
To "activate" them enter the following commands:

<pre>
## Scan for LVs
lvm vgscan -v

## Make them "active":
lvm vgchange -a y
</pre>

Allow app in selinux

2018-05-09T22:32:09Z

Admin:

Usually, we just disable SELinux, instead of configuring it --lazy way :D 

I think, that enabling application using the following commands is a bit better approach.

<pre>
ausearch -c "your_application_name" | audit2alllow -M enable-app
semodule -i enable-app.pp
</pre>

Then restart the service and it should work with no issues.

Vapormemo

2018-04-26T10:25:43Z

Admin:

Me was trying to explain to my colleague what is vaporwave.

==Have fun !==

<pre>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8;
format=flowed
Content-Transfer-Encoding: 8bit
Date: Sat, 06 Jan 2018 00:06:23 +0100
From: Jaroslav Henzely <jaroslav.henzely@boldcore.eu>
To:
Subject: Vaporwave [Fiji bottled water]
Message-ID: <6b45a3196340ac1b81fb75dc961c765e@boldcore.eu>
X-Sender: jaroslav.henzely@boldcore.eu
User-Agent: Roundcube Webmail

Ahoj, tu je celkom pekne napisane, resp. je to mala napoveda k
pochopeniu tej Fiji vody. (pisal som posledny odsek som pre slovensku
wikipediu)

https://sk.wikipedia.org/wiki/Vaporwave

Odoslal si posledny fax a opustas kancelariu. Cestou z prace si pozicias
kazetu, platis kartou. Pri zadavani PINu si vsimnes, ze predavacka je na
nohach uz minimalne 12 hodin. Tak ako ty.
Prides domov, zapnes klimu, vypnes pager, kabel z telefonu si pripojil
do modemu.
Otvoris Cherry Colu a plechovku s ananasom. Zapalis si cigaretu. Byvas
sam vo velkom apartmane na Fifth avenue. V pondelok Ti pride z AT&T
vysoky ucet, pretoze si mal v PC dialer.
Si velmi zaneprazdneny a to neustale pipanie modemu si si pomylil s
kuchynskym radiom. Uvedomis si, ze v konecnom dosledku nemas o nic lepsi
zivot ako ta predavacka zo vcera :D
uups, teda z piatku. Aaaa vikend v pici zas cely tyzden do roboty :D :D

V pondelok rano vidis ako nad Manhattanom stupa husty dym. Mal si tam
kancel.
Cely akciovy trh sa prepadol, prisiel si o vsetko a tak zacinas pracovat
vo videopozicovni.

Ozenis sa s tou predavackou. Pracujes tam. S nastupom Netflixu vsak
videopozicovna skrachuje.
</pre>

Windows install telnet client

2018-04-19T07:56:28Z

Admin: Created page with "Whoooa ! Yes, it is possible. Telnet protocol is now obsolete (or lets say forbidden) because it does not provide any level of security. Data are simply transfered..."

Whoooa ! 
Yes, it is possible. 

Telnet protocol is now obsolete (or lets say forbidden) because it does not provide any level of security. Data are simply transfered in plaintext. Too bad if you want to keep your password safe. 

We are using SSH for UNIX and GNU/Linux and WinRM for Windozes. So, why telnet-client on Windows ? 
It is the way how to check if service is accessible from client side.

=== TL;DR ===

<pre>
Add-WindowsFeature telnet-client
</pre>

That's it. Don't forget to run Powershell with Admin privileges.

Openvswitch vxlan hello world example

2018-04-13T11:33:39Z

Admin:

== Openvswitch VXLAN Hello World example ==
This is very cool. You can create simple and efficient L2 ethernet tunnel between two hosts with L3 (IP) connection. 
Later you can add physical interface to the ovs bridge, connect dumb physical L2 switch and interconnect two sites.

=== Open port on ffiewall ===
L2 Ethernet frames are encapsulated in L4 UDP datagrams. Port is 4789.
<pre>
firewall-cmd --add-port=4789/udp --zone=public --permanent
</pre>

=== Create virtual switch and VXLANs ===
<pre>
ovs-vsctl add-br br0
ovs-vsctl add-port br0 vxlan0 -- set interface vxlan0 type=vxlan options:remote_ip=192.168.80.30
ovs-vsctl add-port br0 vxlan0 -- set interface vxlan0 type=vxlan options:remote_ip=192.168.80.20
</pre>

br0 is the virtual switch (bridge) where you can "plug" virtual and physical interfaces
remote_ip is your server's public IP (private in this case, just for testing in LAB)

=== Create and connect internal virtual interface to vitual switch ===
<pre>
ovs-vsctl add-port br0 vi0 -- set Interface vi0 type=internal
ip addr add 192.168.120.10/24 dev vi0
ifconfig vi0 up
</pre>

<pre>
ovs-vsctl add-port br0 vi0 -- set Interface vi0 type=internal
ip addr add 192.168.120.20/24 dev vi0
ifconfig vi0 up
</pre>

=== Tesing ===
Try to ping each other's IP address of vi0. (192.168.120.10 and 192.168.120.20)

Dns spf record

2018-03-15T11:46:16Z

Admin: Created page with "This one is working so far so good... <pre> v=spf1 a mx ip4:87.236.196.25 ip6:2a01:5f0:c001:106:59:0:2:3 -all </pre>"

This one is working so far so good...

<pre>
v=spf1 a mx ip4:87.236.196.25 ip6:2a01:5f0:c001:106:59:0:2:3 -all
</pre>

Compile git with ssl https support

2018-03-02T13:05:05Z

Admin:

=Compile git with https support=

After installing git from source code, I encountered with the following error when trying to clone (or whatever) repository from https.
<pre>fatal: Unable to find remote helper for 'https'</pre>
Root cause of this issue is, that by default git is not compiled with openssl support.

''Of course, first You need to have gcc, openssl-devel, autoconf, etc...'' But let's get to the point.

==Command==
I found the solution here: 
http://kamituel.tumblr.com/post/40678251617/fix-for-git-error-fatal-unable-to-find-remote 
https://gist.github.com/kamituel/4542056

<pre>
yum install expat expat-devel openssl openssl-devel gcc autoconf
yum remove git

wget https://github.com/git/git/archive/v2.16.2.tar.gz (check for the latest version first !!)
tar xvf v2.16.2.tar.gz
cd v2.16.2
./configure --with-expat --with-openssl --prefix=/usr/local
make
make install
</pre>

Zello android vox

2017-12-31T15:08:46Z

Admin:

=DEPRECATION Warning=
Zello VOX functionality is now supported by default. 
No workaround is required. 

https://support.zellowork.com/hc/en-us/articles/360006287053-Using-VOX-mode-on-Android

Thank You Zello !! 

=Zello Android VOX Support=

==Intro==
Zello is frequently used to link two-way radios with mobile phones or computers via the Internet.
TX and RX is usually controlled using VOX, which is NOT ideal, but very simple to implement. (You just need a passive cable)

Of course, VOX must be supported and configured on both sides; Zello and two-way radio transceiver.

===VOX feature in Zello===
Is only available in desktop PC app, which makes the whole system very complicated, vulnerable and a little more expensive.

For PC setup You need:
* PC w/ Windows
* License for Windows
* UMTS/LTE modem
* Router w/ USB modem support
* Audio Cable
* Two-way transceiver
* Low-noise power supply

Luckily, Zello is available for Android. Unfortunately, VOX feature is NOT available.

For Android phone setup You need:
* Android phone
* Audio Cable
* Two-way transceiver
* Low-noise power supply
* My naughty workaround to enable VOX feature

==TLDR --->> Enable VOX for Zello Android app <<--- ==
Step-by-step:

* Open Android Market and download application "Automate"
* Tap on menu icon (three gray vertical squares), tap "Import"
* [http://subory.boldcore.eu/prod_VOX.flo Import this workflow (click to download)]
* Tap on workflow called VOX, tap start
* Open Zello app, open contact where You want to broadcast. (screen with large MIC button)
* Test it like me on Youtube
* If it works don't touch it. Get away, leave it alone. OR Send me a message, try to fix it ;))

Final setup:
https://www.youtube.com/watch?v=n8xn8kWucDk

==Troubleshooting==
Check these:

* Automatic screen locking
* Insufficient permissions for Zello and Automate
* Automate sleeps in background

==How I managed to make this work ?==

Here is some official documentation:

https://support.zellowork.com/hc/en-us/articles/207385198-Zello-PTT-Button-Partner-Technical-Integration

© Jaroslav Henzely 2017

Pysnmp otheroids

2017-05-31T09:03:04Z

Admin:

==PySNMP do not dive to other OIDs==
I am new to this topic, but lets say, that I want from PySNMP only one OID "tree".
By default, it will jump to another and print all remaining OIDs.

==Here's the magic:==

<pre>lexicographicMode=False</pre>

<pre>
for (errorIndication, errorStatus, errorIndex, varBinds) in nextCmd(SnmpEngine(),
UsmUserData(user, authpass, cryptpass,
authProtocol=RetizekProkotol,
privProtocol=NSACrypt1),
Udp6TransportTarget(('2a02:cafe:c001:face:bad:f00d', 161)),
ContextData(),
ObjectType(ObjectIdentity('1.3.6.bla.bla.oid')),
lexicographicMode=False):
</pre>

Then You can print the varBinds, in the way You prefer.

Linux proxy variables

2017-04-26T11:40:00Z

Admin:

==Linux Proxy variables==

If You are connecting to the Internet thru proxy.

<pre>
export http_proxy=http://8.8.8.8:8080/
export https_proxy=https://8.8.8.8:8080/
export ftp_proxy=http://8.8.8.8:8080/

# Start new Shell with new variables defined.
bash

export http_proxy=http://IP:Port/

(Optional)
Add the variables to /etc/environment to make the settings persistent.

</pre>

Fail2ban unban ip

2017-04-26T11:28:17Z

Admin:

==fail2ban unban IP address==

Well, sometimes it happens 

<pre>
fail2ban-client set sshd unbanip 8.8.8.8
fail2ban-client set FILTER_NAME unbanip 8.8.8.8
</pre>

Instead of FILTER_NAME there could be: 
- apache 
- apache-badbots 
- sshd-ddos 
- ... (other FILTERS) 

*Please note, that f2b still does not support IPv6.

Windows putty ssh tunnel

2017-04-25T13:37:24Z

Admin:

==Windows putty ssh tunnel==
This is so far the most POWERFUL feature of SSH.

/etc/ssh/sshd_config

<pre>
AllowTcpForwarding yes
GatewayPorts clientspecified
PermitTunnel yes
</pre>
[[File:Example.jpg]]

Esxi mac error

2017-04-25T12:55:57Z

Admin:

==Intro==
In vmware ESXI You can get some auto-generated address when creating new VM NIC.

==The weird issue==
This works just fine, unless You want to import the VM on different host.
Then, an error message will appear, saying that the MAC address is reserved.

==Solution==

Navigate to .vmx file of the VM.
Add this to the end of file:

<pre>
ethernet0.checkMACAddress = "FALSE"
ethernet1.checkMACAddress = "FALSE"

ethernetX.checkMACAddress = "FALSE"

*WHere X is the eth number.
</pre>

Explicitly set the MAC:

<pre>
ethernet0.address = "00:0c:29:00:00:00"
ethernetX.address = "00:00:00:00:00:00"
</pre>

Update vib
<pre>
esxcli software vib update -v /vmfs/volumes/volume-uuid/Folder/esxui-signed.vib
</pre>

Update or install vibs manually and selectively, and only if there is strong justification or serious reason to do it.

I have experience with installation of vib provided by "certified vendor" which destroyed the whole ESXi host !

Apache https www

2017-03-24T13:32:21Z

Admin:

==Intro==
This is very usefull, I meand, very important for all web servers.

===www to non-www===

Strange convention suggests to use www prefix before all domains.
www.domain.com
www.boldcore.eu

This is purely obsolete, resource, keypress, data and time wasting manner.
Stop that !

===http to https===
Our friends from Google wants to protect our privacy, therefore, https-enabled websites have slightly higher Page-rank.

===The code===
<pre>
<VirtualHost www.boldcore.eu:80>
ServerName www.boldcore.eu
ServerAlias www.boldcore.eu

RewriteEngine On
#RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

</VirtualHost>

<VirtualHost www.boldcore.eu:443>
ServerName www.boldcore.eu
ServerAlias www.boldcore.eu

RewriteEngine On
#RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

</VirtualHost>

<VirtualHost boldcore.eu:80>
ServerName boldcore.eu
ServerAlias boldcore.eu
DocumentRoot /<whatever>

RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

</VirtualHost>

</pre>

Mongodb

2017-03-15T14:54:07Z

Admin:

=MongoDB=

==Nothing useful==
Raised on MySQL, I am new to mongo, and I need to get more familiar with the syntax.
Mongo's NoSQL is very attractive to me.
Just a random pastes from cmdline.

<pre>
/* Insert shit */
> db.pers.insert({"name":"Peter","age":"7","colour":"red"})

/* Retrieve shit */

> db.pers.find({"name":"Peter"}).pretty()
{
"_id" : ObjectId("58c950e7fe9fddf65dd0e8d5"),
"name" : "Peter",
"age" : "7",
"colour" : "red"
}
>

db.createCollection("tabulka")

</pre>

Squid proxy

2017-03-13T15:14:03Z

Admin: Created page with "Another config. This one just for fun ! <pre> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal..."

Another config.

This one just for fun !

<pre>
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 10-65535 # unregistered ports
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname proxy.boldcore.eu
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/.htpasswd
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 9999 days
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
</pre>

Wordpress obvious workaround

2017-03-08T09:44:32Z

Admin:

= Wordpress obvious workaround =

== Intro ==
By default, I don't know why on the f****** world, Wordpress wants to use FTP to write content. 
Don't worry, this stupid behaviour can be easily overriden. 

== The code ==
* Add this in to wp-config.php 
<pre>
define('FS_METHOD','direct');
</pre>

Change apache umask for modified files

2017-03-08T08:34:33Z

Admin:

= Change umask (privileges) for files modified by Apache =

== Intro ==
By default, umask is set to 022, which means 755 for folders and 644 for non-executable files. 
In this case, only owner can change the contents of the file. 

So let's imagine, that You've uploaded some stuff. By default, only You will be able to change the content, and apache will be shooting error messages. 

== Solution ==
* Create special user for web content management (for example admin) 
* Change his umask 
<pre>
echo "umask 002" >> /home/admin/.bashrc
echo "umask 002" >> /home/admin/.bash_profile
</pre>
Here comes systemd part :)) 

* vim /usr/lib/systemd/system/httpd.service
* Paste UMask=0002 in to [Service] section 
* <ESC>, : , write <ENTER> , quit <ENTER> :)) 
* systemctl daemon-reload
* systemctl restart httpd.service
* Test !
<pre>
[Unit]
...
[Service]
UMask=0002
...
[Install]
...
</pre>

== Test of solution ==
* Create php file 
<pre>
<?php
$file = fopen("testfile.text", "w") or die("ERROR !");
$text = "Check privileges now !\n";
fwrite($file, $text);
fclose($file);
sleep(1); // Simple DDoS protection
?> 
</pre>
*2. Check if privileges of testfile.text are correct 
<pre>-rw-rw-r-- 1 apache apache 23 Mar 8 08:41 testfile.text</pre>

Firewalld rich rule

2017-03-07T10:31:46Z

Admin:

= Firewalld rich rule example=

Allow connection to IP address and specific port only from specified source IP.

<pre style="white-space: pre-wrap;">
firewall-cmd --add-rich-rule='rule family="ipv6" source NOT address="2a01:5f0:c001:106:59:0:2:6" destination address="2a01:5f0:c001:106:59:0:2:30" port port="443" protocol="tcp" reject' --permanent --zone="public"
</pre>

NOTE: This rule is actually used here in Boldcore for communication between Web server and reverse proxy.
So, only reverse proxy can access the web server.

Where: 
Address 2a01:5f0:c001:106:59:0:2:6 is source address (reverse proxy) 
Address 2a01:5f0:c001:106:59:0:2:30 is destination address (web server)

Add this to Your vimrc

2017-02-17T09:33:16Z

Admin:

= My favorite addition to vimrc =

1. Line numbering 
2. Smaller Tab size 
3. Syntax 
4. Clear search leftovers

<pre>
set softtabstop=4 shiftwidth=4 expandtab
set number
syntax on
nohlsearch
</pre>

I like 3 spaces more, but because of Python, use four (according to PEP).

VirtualHost reverse proxy

2017-02-17T09:18:27Z

Admin:

= Working VirtualHost config for reverse proxy =

...working on my servers.

== Frequent mistakes ==

=== Hosts file ===
Include all vhost addresses in /etc/hosts

=== VHosts on reverse proxy server ===
Virtual hosts where the webs are actually located must be IP based. 
Each on different IP with different domain name (optional) 
With IPv6, this is easy ;))

<pre>
<VirtualHost address.tld:443>
ServerName address.tld
ServerAlias address.tld
ProxyPass / https://web.server.address/
ProxyPassReverse / https://web.server.address/

ProxyRequests Off
ProxyPreserveHost On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

## For letsencrypt
Include /etc/letsencrypt/options-ssl-apache.conf ## For letsencrypt
SSLCertificateFile /etc/letsencrypt/live/address.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/address.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/address.tld/chain.pem
SSLProxyEngine On

</VirtualHost>
</pre>

Main Page

2017-02-17T08:27:50Z

Admin:

= Welcome to Boldcore's wiki ! =

I am using this wiki on my server to store useful information. 
When I was poor, young ang nice (now I am 24), without server in DC, simple paper notebook was sufficient,
by the time, the amount of information and knowledge increased. 

Group of hard drives connected in RAID is just better storage device than a human brain :))

Maybe You found information stated here useful. 
Have fun !

Contacts: 
Jaroslav Henzely 
jaroslav.henzely@boldcore.eu 
Slovakia (Europe) 
My CV: [https://boldcore.eu/ boldcore.eu]