opie keys: One-time Passwords In Everything
OPIE is the initialism of "One-time Passwords In Everything". It is a mature login and password package for Unix-like systems, installed on both the server and the client, that makes logging in over untrusted networks safer against password-sniffing tools such as dSniff and takes most of the value out of shoulder surfing: every password is valid for a single login, so a password captured on the wire or read over your shoulder is useless afterwards and the classic replay ("capture now, log in later") attack fails. OPIE implements a one-time password (OTP) scheme based on S/Key. The client takes a secret passphrase (not echoed) together with the server's challenge (a sequence number and a seed) and computes the password for the current session, or prints a list of upcoming passwords you can carry on your person. Note that OPIE only protects the authentication step: the session that follows (telnet, for example) is still cleartext, and the passphrase itself should only ever be typed into a local copy of opiekey, never across the network.
Each password is derived by hashing the seed and passphrase with MD4 or MD5 and re-hashing the result the required number of times; MD4 is kept for compatibility with the original S/Key. The server stores only the sequence number and the last accepted hash (in /etc/opiekeys), never the passphrase, so stealing that file does not yield the next password.
OPIE can also restrict, by source IP address, where ordinary (non-OTP) passwords are still accepted: /etc/opieaccess lists the trusted networks. It ships its own replacements for the passwd and login programs (opiepasswd and opielogin), and a PAM module (pam_opie) is available on Linux.
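To make the hash-chain mechanism concrete, here is an added example (not OPIE's own code) of the S/Key-style scheme OPIE implements: a chain of MD5 hashes folded to 64 bits, a server that stores only the last accepted value, and a client that derives the next password from the passphrase. The dictionary-word encoding, the opiekey command line and the exact byte layout of real OPIE are omitted, and the passphrase and seed are made up.

```python
import hashlib
import hmac


def fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing its two halves (S/Key, RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_hash(data: bytes) -> bytes:
    """One step of the chain: 64-bit folded MD5."""
    return fold(hashlib.md5(data).digest())


def otp_chain(passphrase: str, seed: str, n: int) -> bytes:
    """Password for sequence number n: otp_hash applied n times to otp_hash(seed || passphrase).

    The seed is case-insensitive in S/Key, so it is lowercased before use.
    """
    value = otp_hash((seed.lower() + passphrase).encode())
    for _ in range(n):
        value = otp_hash(value)
    return value


class OtpServer:
    """Server side: keeps only (sequence number, hash), never the passphrase."""

    def __init__(self, seq: int, stored: bytes):
        self.seq = seq
        self.stored = stored

    @classmethod
    def enroll(cls, passphrase: str, seed: str, n: int) -> "OtpServer":
        # Done once, locally (what opiepasswd does); the passphrase never leaves the client.
        return cls(n, otp_chain(passphrase, seed, n))

    def challenge(self) -> int:
        """Sequence number the client must answer with: one below what is stored."""
        return self.seq - 1

    def verify(self, candidate: bytes) -> bool:
        """Accept iff hashing the candidate once gives the stored value, then roll forward."""
        if self.seq <= 0 or len(candidate) != 8:
            return False  # chain exhausted (re-enrol) or malformed input
        if not hmac.compare_digest(otp_hash(candidate), self.stored):
            return False
        self.stored, self.seq = candidate, self.seq - 1
        return True


def demo_login() -> dict:
    """Walk through one login, a replay of the sniffed password, and the next login."""
    passphrase, seed, n = "correct horse battery staple", "ab1234", 5  # made-up values
    server = OtpServer.enroll(passphrase, seed, n)
    sniffed = otp_chain(passphrase, seed, server.challenge())  # what a sniffer would capture
    first = server.verify(sniffed)
    replay = server.verify(sniffed)  # the same password a second time: rejected
    nxt = server.verify(otp_chain(passphrase, seed, server.challenge()))
    return {"first_login": first, "replay": replay, "next_login": nxt,
            "remaining": server.seq, "password_hex": sniffed.hex()}


if __name__ == "__main__":
    print(demo_login())
```

The point of the chain is that the server holds hash^n while the user presents hash^(n-1); going from a sniffed value to the next one needed would require inverting the hash, whereas the server only ever hashes forward. Once the sequence number reaches zero the user has to re-enrol with a new seed.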
ipsec: Authentication Header (AH) and Encapsulating Security Payload (ESP)
The IPsec suite is a framework of open standards. IPsec uses the following protocols to perform various functions:
- Internet key exchange (IKE and IKEv2) to set up a security association (SA) by handling negotiation of protocols and algorithms and to generate the encryption and authentication keys to be used by IPsec.
- Authentication Header (AH) to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replay attacks.
- Encapsulating Security Payload (ESP) to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality.
The IPsec headers (AH and ESP) can be used in transport mode or tunnel mode. In transport mode the original IP header is kept and is followed directly by the AH or ESP header, so only the upper-layer payload (e.g., TCP, UDP, IGMP) is protected; with ESP the IP header itself is not encrypted. In tunnel mode the whole original IP packet is encapsulated behind a new outer IP header, which is what site-to-site VPNs use. Two practical notes: AH authenticates the IP header (except its mutable fields), so it breaks across NAT, whereas ESP does not cover the outer header and can cross NAT with UDP encapsulation (NAT-T, RFC 3948); and ESP with encryption but without integrity protection is insecure, so always configure an integrity algorithm or an AEAD cipher on the SA.
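As an added example (not from the page or any IPsec implementation), the following Python builds a constructed IPv4 packet carrying ESP in transport mode, parses the outer header plus the ESP SPI and sequence number, and runs the sequence numbers through the 64-entry anti-replay window described in RFC 4303. The addresses, SPI and payload bytes are made up and the payload is opaque filler rather than real ciphertext; in a real receiver the window is only updated after the ICV has verified.

```python
import struct

ESP_PROTOCOL = 50  # IANA protocol number for ESP (AH is 51)


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over the IPv4 header; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_transport_esp(src: str, dst: str, spi: int, seq: int, body: bytes) -> bytes:
    """IPv4 header (protocol 50) followed directly by the ESP header: the transport-mode layout."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    total_len = 20 + 8 + len(body)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, ESP_PROTOCOL, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + struct.pack("!II", spi, seq) + body


def parse_transport_esp(pkt: bytes) -> dict:
    """Pull out addresses, SPI and sequence number; everything after is ciphertext plus ICV (opaque here)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if pkt[9] != ESP_PROTOCOL:
        raise ValueError("not ESP (protocol %d)" % pkt[9])
    if len(pkt) < ihl + 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "spi": spi, "seq": seq, "body": pkt[ihl + 8:]}


class ReplayWindow:
    """RFC 4303 anti-replay window: a bitmap of the last `size` sequence numbers of one SA."""

    def __init__(self, size: int = 64):
        self.size = size
        self.last = 0    # highest sequence number accepted so far (0: nothing yet)
        self.bitmap = 0  # bit i set => sequence number (last - i) has been received

    def accept(self, seq: int) -> bool:
        """Return True and slide/mark the window if seq is new and not too old."""
        if seq == 0:
            return False  # the first packet on an SA carries sequence number 1
        if seq > self.last:
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False  # behind the window: drop
        if (self.bitmap >> diff) & 1:
            return False  # already seen: replay
        self.bitmap |= 1 << diff
        return True


def filter_replays(packets) -> list:
    """Parse each packet and run its sequence number through the window of its SA (keyed by SPI)."""
    windows = {}
    verdicts = []
    for pkt in packets:
        esp = parse_transport_esp(pkt)
        window = windows.setdefault(esp["spi"], ReplayWindow())
        verdicts.append(window.accept(esp["seq"]))
    return verdicts


def demo_replay() -> list:
    body = b"\x00" * 24  # stand-in for encrypted payload + ICV (constructed, not real ciphertext)
    seqs = [1, 2, 3, 3, 70, 5, 7, 7]  # a duplicate, a jump past the window, a too-old packet
    pkts = [build_transport_esp("192.0.2.1", "198.51.100.2", 0x1000, s, body) for s in seqs]
    return filter_replays(pkts)


if __name__ == "__main__":
    print(demo_replay())
```

The window check is what gives ESP its "partial sequence integrity": a packet is dropped if its sequence number is older than the window or has already been marked, while anything newer than the highest number seen slides the window forward. The sequence number is never encrypted, which is why the check is cheap and can run before decryption.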
Additional Reading:
http://www.networksorcery.com/enp/protocol/esp.htm
http://www.networksorcery.com/enp/protocol/ah.htm
Virtual Private Dialup Network (VPDN)
A VPDN is a network that extends remote access to a private network using a shared infrastructure. VPDNs use Layer 2 tunnel technologies (L2F, L2TP, and PPTP) to extend the Layer 2 and higher parts of the network connection from a remote user across an ISP network to a private network. VPDNs are a cost-effective method of establishing a long-distance, point-to-point connection between remote dial users and a private network. Of the three tunnel technologies, PPTP should be avoided today: its MS-CHAPv2 authentication and MPPE encryption are broken, so use L2TP/IPsec or a modern VPN instead.
Reading:
http://www.cisco.com/en/US/tech/tk801/tk703/tsd_technology_support_protocol_home.html
l2tp: layer 2 tunneling protocol
In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy.[1] In practice that means running L2TP inside IPsec ESP (L2TP/IPsec, RFC 3193), which also authenticates the tunnel endpoints; bare L2TP across the internet protects nothing.
Although L2TP acts like a Data Link Layer protocol in the OSI model, L2TP is in fact a Session Layer protocol,[2] and uses the registered UDP port 1701. (see List of TCP and UDP port numbers).
(shamelessly copied from wikipedia)
Additional Reading:
http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/l2tpT.html
http://www.cisco.com/en/US/tech/tk801/tk703/technologies_tech_note09186a0080094c4f.shtml
Iptables : Remove an entry
Sorry it's been a while.
You can delete a rule either by its position in the chain or by restating it exactly.

iptables -D INPUT 3

removes the 3rd rule in the INPUT chain (counting from 1). List the numbers first so you delete the right one:

iptables -L INPUT -n --line-numbers

Alternatively,

iptables -D INPUT -s 65.75.152.40 -j DROP

removes the matching rule wherever it sits. The specification must match the existing rule exactly (same matches, same target, same table) or you'll get a "Bad rule" error. Two caveats: the remaining rules renumber after each deletion, so when removing several by number work from the highest number down; and -D only changes the running ruleset, so re-run iptables-save (or your distribution's equivalent) if the change should survive a reboot.

http://www.plug.org/pipermail/plug/2004-November/010606.html
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-iptables-options.html
http://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html
xargs and find
xargs is a command on Unix and most Unix-like operating systems. It is useful when one wants to pass a large number of arguments to a command. Until Linux kernel 2.6.23, arbitrarily long lists of parameters could not be passed to a command [1], so xargs breaks the list of arguments into sublists small enough to be acceptable. By default xargs splits its input on whitespace and interprets quotes, so filenames containing spaces, quotes or newlines get mangled; pair find -print0 with xargs -0 so the names are delimited by NUL bytes instead (find ... -exec cmd {} + does the same batching without xargs).
Additional Reading:
http://en.wikipedia.org/wiki/Xargs
tail -f multiple files
Pass more than one filename to tail -f and it will follow each file, printing a ==> name <== header whenever the output switches from one file to another. For log files that get rotated, use tail -F instead: -f follows the open file descriptor and goes quiet after logrotate renames the file, while -F re-opens the name when it changes.
daniel@mycomputer:~$ tail -f /var/log/dmesg /var/log/kern.log
==> /var/log/dmesg <==
[ 14.951256] type=1505 audit(1256945274.318:9): operation="profile_load" name="/usr/sbin/tcpdump" name2="default" pid=2001
[ 16.052417] e1000e 0000:00:19.0: irq 2300 for MSI/MSI-X
[ 16.108300] e1000e 0000:00:19.0: irq 2300 for MSI/MSI-X
[ 16.108533] ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 17.572692] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[ 17.572694] Bluetooth: BNEP filters: protocol multicast
[ 17.578508] Bridge firewalling registered
[ 18.272754] 0000:00:19.0: eth0: Link is Up 100 Mbps Full Duplex, Flow Control: None
[ 18.272757] 0000:00:19.0: eth0: 10/100 speed: disabling TSO
[ 18.272906] ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
==> /var/log/kern.log <==
Nov 2 09:39:21 mycomputer kernel: [231116.479553] [drm] Resetting GPU
Nov 2 09:39:21 mycomputer kernel: [231116.479608] [drm] writeback test succeeded in 1 usecs
Nov 2 09:39:25 mycomputer kernel: [231120.406627] CPU0 attaching NULL sched-domain.
Nov 2 09:39:25 mycomputer kernel: [231120.406630] CPU1 attaching NULL sched-domain.
Nov 2 09:39:25 mycomputer kernel: [231120.407377] CPU0 attaching sched-domain:
Bash Numeric Comparison
Do not use > or < when comparing numbers in bash. Inside [ ] an unquoted > is parsed as an output redirection, so [ $a > $b ] silently runs [ $a ] (true for any non-empty value) and creates a file named after $b. Quoting or escaping it (\>) does reach test, but then it is a string comparison, so "10" sorts before "9". Use -gt, -lt, -ge, -le, -eq and -ne, or bash arithmetic ((( a > b ))), for numeric comparison.
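To show the difference rather than describe it, here is an added example (not from the page) that runs the three forms through a shell from Python so the exit statuses and the side effect can be captured: the unquoted > is parsed as a redirection, the escaped \> is a string comparison, and only -gt/-lt compare numerically. It uses bash if available, otherwise /bin/sh, inside a temporary directory so the stray file it demonstrates is cleaned up.

```python
import os
import shutil
import subprocess
import tempfile

SHELL = shutil.which("bash") or "/bin/sh"


def sh_test(expr: str, cwd: str) -> int:
    """Run `[ <expr> ]` in a subshell and return its exit status (0 means the test was true)."""
    return subprocess.run([SHELL, "-c", "[ %s ]" % expr], cwd=cwd,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode


def compare_forms(a: str = "2", b: str = "10") -> dict:
    """Compare a and b (2 and 10 by default) with the broken and the correct test operators."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # `[ 2 > 10 ]` is really `[ 2 ] > 10`: test one non-empty string, redirect stdout to a file "10"
        results["unquoted_gt"] = sh_test("%s > %s" % (a, b), d)
        results["file_created"] = os.path.exists(os.path.join(d, b))
        # `[ 2 \> 10 ]` reaches test, but compares as strings: "2" sorts after "10"
        results["escaped_gt"] = sh_test("%s \\> %s" % (a, b), d)
        # the numeric operators are the correct form
        results["numeric_gt"] = sh_test("%s -gt %s" % (a, b), d)
        results["numeric_lt"] = sh_test("%s -lt %s" % (a, b), d)
    return results


if __name__ == "__main__":
    for name, value in compare_forms().items():
        print("%-13s %s" % (name, value))
```

Both wrong forms are dangerous precisely because they do not fail: the redirection form always reports "true" and leaves a file behind, and the string form is right often enough (single digits) to survive testing. In bash, [[ $a > $b ]] is also a string comparison; only the -gt family and (( )) treat the operands as integers.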
policy based routing
When a router receives a packet it normally decides where to forward it based on the destination address in the packet, which is used to look up an entry in a routing table. In some cases, however, there may be a need to forward the packet based on other criteria. For example, a network administrator might want to forward a packet based on its source address, not its destination address. On Linux this is done with ip rule (the selectors) and additional routing tables populated with ip route, for instance to send traffic from one source network out through a different upstream.
Additional Reading:
http://en.wikipedia.org/wiki/Policy-based_routing
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009481d.shtml
http://www.policyrouting.org/PolicyRoutingBook/ONLINE/TOC.html
multilink ppp or mlppp
Additional Reading:
http://www.tcpipguide.com/free/t_PPPMultilinkProtocolMPMLPMLPPPPPPMP-2.htm
Output to Screen and Append to a File
There are a few occasions when you might want to display the output of a command on screen and capture it to a file at the same time. tee does this: it copies its standard input to standard output and to every file named, and with -a it appends instead of overwriting. Here is an example below.
File capture_file is created by the redirect and then appended to by the tee command.
# date > capture_file; ls -l /etc | tee -a capture_file
Here is another example of output going to the screen and being appended to a file. One caveat: the exit status of a pipeline is that of its last command (tee), so a failure of the first command goes unnoticed unless you run with set -o pipefail in bash.
# echo " " >> capture_file
# echo " " >> capture_file
# cat myfile1 | tee -a capture_file
# cat myfile2 | tee -a capture_file
linux iptables port forwarding (PAT)
# Forward an external port to a different internal port on a NAT'd IP
# 1.2.3.4 is the Linux WAN IP
# 10029 is the opened WAN port on the Linux Router
# 192.168.0.12:22 is the private IP and port number to forward port 10029 traffic to
#
iptables -I PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 10029 -j DNAT --to 192.168.0.12:22
iptables -I POSTROUTING -t nat -p tcp -s 192.168.0.12 --sport 22 -j SNAT --to 1.2.3.4:10029
iptables -I OUTPUT -t nat -p tcp -d 1.2.3.4 --dport 10029 -j DNAT --to 192.168.0.12:22
iptables -I INPUT -p tcp -d 192.168.0.12 --dport 22 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.0.12 --dport 22 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.0.12 --sport 22 -j ACCEPT

Notes: the router must have forwarding enabled (sysctl -w net.ipv4.ip_forward=1) or the FORWARD rules never see the packets. The nat table is consulted only for the first packet of a connection; once the PREROUTING DNAT has matched, connection tracking rewrites the replies back to 1.2.3.4:10029 on its own, so the DNAT rule plus the two FORWARD ACCEPT rules are what make the forward work, and the OUTPUT nat rule covers connections the router itself opens to its own WAN address. -I inserts at the top of the chain, so these rules take precedence over anything already there. Finally, this exposes the internal SSH server to every address on the internet; add -s <allowed network> to the PREROUTING and FORWARD rules if the clients are known.
pam_tally lockout
PAM can lock a user account after too many failed logins (the pam_tally module). You will need to log in with superuser privileges to reset the counter:

pam_tally --user username --reset=0

It prints the current count before resetting it, e.g.

User username (32222) had 12

On newer systems the module is pam_tally2 (pam_tally2 --user username --reset) or pam_faillock (faillock --user username --reset); check which one the files in /etc/pam.d reference before trying to reset.
wpa encryption and bridge-utils
As far as I can tell, my wireless NICs do not allow bridging to happen alongside WPA encryption. Something about how frames leaving the radio have to have spoofed MACs when they come from the bridge does not work with wpa_supplicant.
I just want a wireless bridge with WPA. I tried this:
<get wlan0 associated w/ encryption>
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 wlan0
<association via wpa_supplicant immediately drops and fails to re-auth>
xbmc video plugins
Plugins are a special type of source powered by a Python script that XBMC runs automatically in the background. A plugin source is typically used to present the online content of a website as a hierarchical file system, but it can also present content that is not online, such as the files in a third-party media manager's database (iTunes, for example).
Plugins are an easy way for ordinary XBMC users to add new content sources themselves, using the easy-to-learn Python language instead of the more complex C/C++.
XBMC currently supports four types of plugin sources; video, music, pictures, and programs. In Linux, they go in your home folder inside the hidden directory .xbmc.
- ~/.xbmc/plugins/music/
- ~/.xbmc/plugins/pictures/
- ~/.xbmc/plugins/programs/
- ~/.xbmc/plugins/video/
There are many ways to grab a column
There are lots of utilities available when writing scripts to parse data, and several of them can do the same job. Here we will look at awk, colrm, and cut, and at how each can grab a column of data. I'll use 'ps aux' as the data source. A few things to keep in mind: awk splits on runs of whitespace, so $1, $2, ... are the real fields; cut -d" " treats every single space as a separator, so it works for the first column here only because that column starts at position 1, and for later columns the padding spaces turn into empty fields (squeeze them first with tr -s ' ', or use awk); colrm works on character positions, so it breaks as soon as a value is wider than the column you assumed. Also, grep finds itself in the process list (the last line below); grep '[a]pache' or pgrep -a apache avoids that.
daniel@twilight:~$ ps aux|grep apache
root 5504 0.0 1.0 28092 11372 ? Ss Oct11 0:04 /usr/sbin/apache2 -k start
www-data 14227 0.0 2.4 44076 25736 ? S Oct14 1:33 /usr/sbin/apache2 -k start
www-data 14695 0.0 2.2 41644 23448 ? S Oct14 1:14 /usr/sbin/apache2 -k start
www-data 15563 0.0 2.5 44864 26572 ? S Oct14 1:16 /usr/sbin/apache2 -k start
www-data 18452 0.0 2.3 42780 24524 ? S Oct15 1:12 /usr/sbin/apache2 -k start
www-data 18770 0.0 2.1 41036 22456 ? S Oct15 0:46 /usr/sbin/apache2 -k start
www-data 18836 0.0 1.9 38520 20176 ? S Oct15 0:46 /usr/sbin/apache2 -k start
www-data 19174 0.0 1.8 37712 19080 ? S Oct15 0:47 /usr/sbin/apache2 -k start
www-data 20953 0.0 2.2 41152 22868 ? S 05:45 0:16 /usr/sbin/apache2 -k start
www-data 21882 0.1 1.4 34580 14612 ? S 11:42 0:00 /usr/sbin/apache2 -k start
www-data 21887 0.1 1.1 32112 12200 ? S 11:43 0:00 /usr/sbin/apache2 -k start
daniel 21929 0.0 0.0 3008 756 pts/0 R+ 11:47 0:00 grep apache
daniel@twilight:~$ ps aux | grep apache | awk '{print $1}'
root
www-data
www-data
www-data
www-data
www-data
www-data
www-data
www-data
www-data
www-data
daniel
daniel@twilight:~$ ps aux | grep apache | colrm 10
root
www-data
www-data
www-data
www-data
www-data
www-data
www-data
www-data
www-data
www-data
daniel
daniel@twilight:~$ ps aux | grep apache | cut -d" " -f1
root
www-data
www-data
www-data
www-data
www-data
www-data
www-data
www-data
www-data
www-data
daniel
Additional Reading:
http://www.shell-fu.org/lister.php?tag=colrm
http://linux.die.net/man/1/colrm
http://www.grymoire.com/Unix/Awk.html
http://sparky.rice.edu/awk.html