
Friday, July 1, 2022

Devuan / Debian renaming ethernet interfaces

Create /etc/udev/rules.d/70-netinterfaces.rules file. Put this inside it:

SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="d4:f5:ef:4c:d2:64", NAME="eth0lan"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="d4:f5:ef:4c:d2:65", NAME="eth1wlan"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="d4:f5:ef:4c:d2:66", NAME="eth2"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="d4:f5:ef:4c:d2:67", NAME="eth3inet"

Based on the MAC address you can give each network interface the name you want.

The udev rules now need to be included in your initrd image. To do that, run:

root@son:~# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.10.0-15-amd64
root@son:~#

Reboot and you should see your new network names.
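As an added check, not part of the original post: before rebuilding the initramfs and rebooting, validate the rules file, since a duplicated NAME, a duplicated MAC or a malformed address leaves you with an interface that does not come up under the expected name. The file path is assumed to be the one created above.

```sh
#!/bin/sh
# check_net_rules FILE: validate a udev interface-renaming rules file such as
# /etc/udev/rules.d/70-netinterfaces.rules. Reports and exits 1 on a malformed
# MAC address, a MAC or NAME used twice (conflicting rules at boot), or a NAME
# longer than the kernel's 15-character interface-name limit.
check_net_rules() {
  awk '
    /^[ \t]*(#|$)/ { next }                         # skip comments, blank lines
    {
      mac = ""; name = ""
      if (match($0, /ATTR.address.=="[^"]*"/)) {   # ATTR{address}=="..."
        mac = substr($0, RSTART + 16, RLENGTH - 17)
      }
      if (match($0, /NAME="[^"]*"/)) {
        name = substr($0, RSTART + 6, RLENGTH - 7)
      }
      if (mac == "" || name == "") {
        printf "line %d: rule has no MAC address or no NAME\n", NR; bad = 1; next
      }
      # six colon-separated lowercase hex pairs, the form udev reports
      n = split(mac, p, ":"); ok = (n == 6)
      for (i = 1; i <= n; i++) { if (p[i] !~ /^[0-9a-f][0-9a-f]$/) ok = 0 }
      if (!ok) { printf "line %d: malformed MAC %s\n", NR, mac; bad = 1 }
      if (mac in seen_mac) {
        printf "line %d: MAC %s already used on line %d\n", NR, mac, seen_mac[mac]; bad = 1
      }
      if (name in seen_name) {
        printf "line %d: NAME %s already used on line %d\n", NR, name, seen_name[name]; bad = 1
      }
      if (length(name) > 15) { printf "line %d: NAME %s exceeds 15 chars\n", NR, name; bad = 1 }
      seen_mac[mac] = NR; seen_name[name] = NR
    }
    END { exit bad }' "$1"
}

check_net_rules /etc/udev/rules.d/70-netinterfaces.rules
```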

Tuesday, June 28, 2022

Fake DNS with dnsmasq for testing purposes on Debian/Devuan

Install dnsmasq:

apt install dnsmasq

Add the following to /etc/resolv.conf:

nameserver 192.168.0.1

Edit /etc/dnsmasq.conf and add the following at the end of the file:

address=/real-domain-that-we-want-to-fake-for-testing.com/192.168.0.14
address=/horizon9.org/192.168.0.2
address=/google.com/192.168.0.14

A DNS request is first answered by dnsmasq: if the domain is configured there (for instance google.com above) it returns the configured address, 192.168.0.14. If the domain is not found in the dnsmasq configuration, the request is forwarded to the real DNS servers listed in /etc/resolv.conf.

Now you can test your web server by pointing clients at 192.168.0.1 for DNS queries.

If you query the dnsmasq server from a different network you will get REFUSED answers to your DNS queries. To fix that, edit /etc/dnsmasq.conf and find the commented-out line starting with 'interface=':

#interface=

and make it like this:

interface=eth0

Replace eth0 with the interface you actually want, then restart dnsmasq.
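An added illustration of the lookup behaviour described above (not part of the original post): an address=/domain/ip entry answers for the domain itself and for every name under it, and when several entries match, dnsmasq uses the longest one; anything without an entry goes upstream. The function below reproduces that decision for the three lines from the post so you can see which names your test clients will have redirected.

```sh
#!/bin/sh
# The address= lines from the post, embedded as a constructed config fragment.
DNSMASQ_CONF='address=/real-domain-that-we-want-to-fake-for-testing.com/192.168.0.14
address=/horizon9.org/192.168.0.2
address=/google.com/192.168.0.14'

# fake_dns_lookup NAME: print the address dnsmasq answers for NAME from the
# address= entries, or FORWARD when no entry matches and the query is passed
# to the upstream servers. An entry matches the domain itself and all of its
# subdomains; the longest matching domain wins.
fake_dns_lookup() {
  printf '%s\n' "$DNSMASQ_CONF" | awk -v q="$1" -F/ '
    /^address=/ {
      d = $2; ip = $3
      # exact match, or q ends in ".d" (so notgoogle.com does not match google.com)
      if (q == d || substr(q, length(q) - length(d)) == "." d) {
        if (length(d) > best) { best = length(d); ans = ip }
      }
    }
    END { print (ans == "" ? "FORWARD" : ans) }'
}

for name in horizon9.org mail.horizon9.org www.google.com notgoogle.com debian.org; do
  printf '%-20s -> %s\n' "$name" "$(fake_dns_lookup "$name")"
done
```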

Wednesday, May 13, 2020

DHCP server listen on alias interface (eth0:1)

Linux server with more than one IP address on the same interface.

eth0 - 192.168.0.1/24
eth0:1 - 10.1.42.1/24

We want the DHCP server (ISC dhcpd) to hand out addresses only from 10.1.42.0/24. If the config file contains just this:

subnet 10.1.42.0 netmask 255.255.255.0 {
        range 10.1.42.30 10.1.42.90;
        option broadcast-address 10.1.42.255;
        option routers 10.1.42.1;
}

it will fail to start and produce the following error:

dhcpd: No subnet declaration for eth0 (192.168.0.1).

The correct configuration is a shared-network declaration containing all the subnets of the physical interface. The 192.168.0.0/24 subnet is declared without a range, so dhcpd knows about the interface's primary address but never hands out addresses from that network.

shared-network horizon9net {
        subnet 192.168.0.0 netmask 255.255.255.0 {
        }

        subnet 10.1.42.0 netmask 255.255.255.0 {
                range 10.1.42.30 10.1.42.90;
                option broadcast-address 10.1.42.255;
                option routers 10.1.42.1;
        }
}

Friday, January 4, 2019

xorg.conf ModeLine for VGA connected ViewSonic monitors

Even with the latest Linux distributions you can run into Xorg not detecting your monitor's modes.

My monitor is a ViewSonic VG2030wm. It is capable of 1680x1050, but Xorg can't detect that and the highest resolution I can use is 1024x768.

You need to add a ModeLine so that Xorg can use the mode. Here is my Monitor section from xorg.conf:

Section "Monitor"
        Identifier   "ViewSonic"
        VendorName   "ViewSonic"
        ModelName    "VG2030wm"
        HorizSync    24.0 - 92.0
        VertRefresh  50.0 - 85.0
        Option       "DPMS"
        ModeLine "1680x1050" 170.00 1680 1784 1960 2240 1050 1053 1059 1089 +hsync +vsync
EndSection

You will probably need just the ModeLine row, but I am publishing the whole Monitor section.

You can find more ModeLines for specific monitors here: https://www.mythtv.org/wiki/Modeline_Database
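Before pasting a ModeLine taken from a database, it is worth checking that its sync rates fall inside the HorizSync and VertRefresh ranges declared in the Monitor section, otherwise Xorg discards the mode (or the monitor shows "out of range"). The script below, an added example rather than anything from the post, does the arithmetic for the ModeLine above: horizontal sync = clock / htotal, vertical refresh = clock / (htotal * vtotal).

```sh
#!/bin/sh
# ModeLine "name" clock(MHz) hdisp hsyncstart hsyncend htotal vdisp vsyncstart vsyncend vtotal [flags]
# Horizontal sync (kHz) = clock*1000/htotal; vertical refresh (Hz) = clock*1e6/(htotal*vtotal).
MODELINE='ModeLine "1680x1050" 170.00 1680 1784 1960 2240 1050 1053 1059 1089 +hsync +vsync'

# modeline_rates MODELINE: print "hsync_kHz vrefresh_Hz" with two decimals
modeline_rates() {
  printf '%s\n' "$1" | awk '{
    clock = $3; htotal = $7; vtotal = $11
    printf "%.2f %.2f\n", clock * 1000 / htotal, clock * 1000000 / (htotal * vtotal)
  }'
}

# modeline_in_range MODELINE HMIN HMAX VMIN VMAX: exit 0 when both rates sit
# inside the HorizSync (kHz) and VertRefresh (Hz) ranges of the Monitor section
modeline_in_range() {
  modeline_rates "$1" | awk -v hmin="$2" -v hmax="$3" -v vmin="$4" -v vmax="$5" '{
    ok = ($1 >= hmin && $1 <= hmax && $2 >= vmin && $2 <= vmax)
    printf "hsync %s kHz, refresh %s Hz: %s\n", $1, $2, (ok ? "within monitor range" : "OUT OF RANGE")
    exit !ok
  }'
}

# check the post's ModeLine against its HorizSync 24-92 kHz / VertRefresh 50-85 Hz
modeline_in_range "$MODELINE" 24.0 92.0 50.0 85.0
```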

Tuesday, February 13, 2018

How to filter 99.99% of ssh brute force attacks

Recently I've decided to experiment with SSH ciphers / key exchange algorithms to raise the security of my servers. These are the relevant lines of my /etc/ssh/sshd_config:

HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org

If you don't have a HostKey for Ed25519, generate it at the path sshd_config points to (without -f, ssh-keygen would create a user key in ~/.ssh instead):

# ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

You need a recent version of OpenSSH / PuTTY to be able to log in to this server.
It seems that allowing only this cipher/KEX filters out all brute force scanners, probably because they do not support it. I see only this kind of message:

Feb 13 14:41:39 horizon9 sshd[22849]: SSH: Server;Ltype: Version;Remote: xxx.x.xx.xxx-53810;Protocol: 2.0;Client: libssh2_1.7.0
Feb 13 14:41:39 horizon9 sshd[22849]: fatal: ssh_dispatch_run_fatal: no matching cipher found [preauth]

For more information about the ciphers/algorithms, read here:

https://cr.yp.to/ecdh.html#curve25519-paper
https://en.wikipedia.org/wiki/Salsa20
https://en.wikipedia.org/wiki/Poly1305
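To see which client software is being turned away at the negotiation stage, the two log lines above can be joined on the sshd PID: the "Client:" banner line and the "no matching cipher found" line belong to the same process. The script is an added example, not from the post; the log lines are constructed (documentation addresses) in the format shown above, plus one accepted login and one key-exchange failure for contrast.

```sh
#!/bin/sh
# Constructed sshd log sample in the format the post shows. In practice feed
# /var/log/auth.log (or journalctl -u ssh) into rejected_clients instead.
SAMPLE_LOG='Feb 13 14:41:39 horizon9 sshd[22849]: SSH: Server;Ltype: Version;Remote: 192.0.2.10-53810;Protocol: 2.0;Client: libssh2_1.7.0
Feb 13 14:41:39 horizon9 sshd[22849]: fatal: ssh_dispatch_run_fatal: no matching cipher found [preauth]
Feb 13 14:42:01 horizon9 sshd[22850]: SSH: Server;Ltype: Version;Remote: 192.0.2.11-40122;Protocol: 2.0;Client: OpenSSH_7.4
Feb 13 14:42:02 horizon9 sshd[22850]: Accepted publickey for admin from 192.0.2.11 port 40122 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Feb 13 14:42:05 horizon9 sshd[22851]: SSH: Server;Ltype: Version;Remote: 192.0.2.12-51000;Protocol: 2.0;Client: libssh2_1.7.0
Feb 13 14:42:05 horizon9 sshd[22851]: fatal: ssh_dispatch_run_fatal: no matching cipher found [preauth]
Feb 13 14:42:09 horizon9 sshd[22852]: SSH: Server;Ltype: Version;Remote: 192.0.2.13-50022;Protocol: 2.0;Client: Go
Feb 13 14:42:09 horizon9 sshd[22852]: fatal: Unable to negotiate with 192.0.2.13 port 50022: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1 [preauth]'

# rejected_clients: print "count<TAB>client banner" for every connection that
# died in cipher or key-exchange negotiation, most frequent first. Lines are
# joined on the sshd[PID] so the banner can be attributed to the failure.
rejected_clients() {
  printf '%s\n' "$SAMPLE_LOG" | awk '
    match($0, /sshd\[[0-9]+\]/) { pid = substr($0, RSTART + 5, RLENGTH - 6) }
    /SSH: Server;Ltype: Version;/ {
      if (match($0, /Client: .*$/)) client[pid] = substr($0, RSTART + 8)
      next
    }
    /no matching (cipher|key exchange method) found/ {
      c = (pid in client) ? client[pid] : "unknown"
      rejected[c]++
    }
    END { for (c in rejected) printf "%d\t%s\n", rejected[c], c }' | sort -rn
}

rejected_clients
```

Clients that do support the restricted cipher and KEX never show up here, so this only measures what the restriction filters, not what it lets through.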


Thursday, October 5, 2017

Mounting bootable image file under linux with offset

Use fdisk to see the partitions of the image file and their offsets:

# fdisk -l router-devuan-jessie-diskless-2017.img
Disk router-devuan-jessie-diskless-2017.img: 3.7 GiB, 3980394496 bytes, 7774208 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7b19da02

Device                                                 Boot Start     End Sectors  Size Id Type
router-devuan-jessie-diskless-2017.img    *     2048 7772159 7770112  3.7G 83 Linux
According to fdisk each sector of the image is 512 bytes. We need that to calculate the right byte offset when mounting it.

The image has one Linux partition starting at sector 2048, so the byte offset is 2048*512.

Here is how to mount it:

# mount -o loop,offset=$((2048*512)) router-devuan-jessie-diskless-2017.img /mnt/
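An added example (not from the post) that derives the offset from the fdisk output instead of multiplying by hand, reading the sector size from the "Units:" line so images with a 4K sector size come out right too, and coping with the "*" in the Boot column that shifts the fields. The fdisk output from the post is embedded as a constructed string.

```sh
#!/bin/sh
# The post's `fdisk -l` output, embedded so the function runs without the image.
FDISK_OUT='Disk router-devuan-jessie-diskless-2017.img: 3.7 GiB, 3980394496 bytes, 7774208 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7b19da02

Device                                                 Boot Start     End Sectors  Size Id Type
router-devuan-jessie-diskless-2017.img    *     2048 7772159 7770112  3.7G 83 Linux'

# partition_offset FDISK_OUTPUT IMAGE N: print "offset_bytes size_bytes" of the
# Nth partition of IMAGE, or nothing if there is no such partition.
partition_offset() {
  printf '%s\n' "$1" | awk -v img="$2" -v want="$3" '
    /^Units:/ { sector = $(NF - 1) }            # "... = 512 bytes"
    /^Device/ { in_table = 1; next }             # partition table header
    in_table && index($1, img) == 1 {            # rows: image or image<N>
      n++
      if (n == want) {
        # a bootable partition has "*" in the Boot column, shifting the fields
        start = ($2 == "*") ? $3 : $2
        sectors = ($2 == "*") ? $5 : $4
        printf "%.0f %.0f\n", start * sector, sectors * sector
      }
    }'
}

set -- $(partition_offset "$FDISK_OUT" router-devuan-jessie-diskless-2017.img 1)
echo "mount -o loop,offset=$1,sizelimit=$2 router-devuan-jessie-diskless-2017.img /mnt/"
```

sizelimit= keeps the loop device from extending past the partition's end, which matters for images with more than one partition.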

Thursday, July 20, 2017

Build netqmail-1.06 with TLS support Devuan / Debian package

Before you start you need the libssl-dev and qmail-uids-gids packages installed (or you can create the qmail users/groups manually according to the qmail README).

Make the debian package:

$ git clone https://github.com/devane/netqmail-1.06-tls
$ cd netqmail-1.06-tls
$ dpkg-buildpackage -uc

The source contains the extracted source of the Debian Testing netqmail-1.06 package + the Debian patches + the TLS patch (from http://inoa.net/qmail-tls/).

Install the package:

# dpkg -i ../qmail_1.06-6_amd64.deb

Put the package on 'hold' so it won't be replaced by the next qmail update:

# echo "qmail hold" |dpkg --set-selections

To generate the certificate for TLS, change to the netqmail-1.06-tls directory and run:

$ make cert

Answer the questions and then copy the generated .pem file to /var/qmail/control/servercert.pem. clientcert.pem is the same file, so make a link:

# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem

If there are no certificates in the control directory, the server's EHLO response will not advertise TLS:

$ telnet mail.domain.com 25
Trying mail.domain.com...
Connected to mail.domain.com.
Escape character is '^]'.

220 mail.domain.com blah-blah ready SMTP
ehlo
250-mail.domain.com blah-blah ready SMTP
250-PIPELINING
250 8BITMIME

If there is a correct .pem file in the control dir, EHLO will advertise STARTTLS:

$ telnet mail.domain.com 25
Trying mail.domain.com...
Connected to mail.domain.com.
Escape character is '^]'.

220 mail.domain.com blah-blah ready SMTP
ehlo
250-mail.domain.com blah-blah ready SMTP
250-STARTTLS
250-PIPELINING
250 8BITMIME

When a 2048 bit RSA key is provided in /var/qmail/control/rsa2048.pem this key will be used instead of (slow) on-the-fly generation by qmail-smtpd.

Generate the RSA key file:

# openssl genrsa -out /var/qmail/control/rsa2048.pem

That is all. qmail is now ready for STARTTLS connections. In the message source of every mail you should see something like this:

Received: from unknown (HELO mail.superhosting.bg) (195.191.148.117) by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 18 Jul 2017 13:34:05 -0000

You can test whether an SMTP server supports STARTTLS with the openssl command line (the example is for the google.bg MX):

$ openssl s_client -connect google.com.s9a2.psmtp.com:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = mx.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4598 bytes and written 294 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 9C4C99B3836290C5DF1F7375390EE4D827601E06A0E05B7BCBA863610722895E
    Session-ID-ctx:
    Master-Key: 92BFA180AE310D72FF0A94F1D56DAF802FB37FB78EAC9EB91D7909949AE53E943A593DCDC314FFB01F923B9EC1906D6B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:

    Start Time: 1500646890
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
250 SMTPUTF8

Teach apt-get not to use IPv6 addresses

Create a file in /etc/apt/apt.conf.d/ whose name starts with 90 or higher, for example /etc/apt/apt.conf.d/90ipv6only, and put the following inside:

Acquire::ForceIPv4 "true";

Then run apt-get update.

This works on Debian Jessie/Devuan Jessie.

Tuesday, July 11, 2017

Running JBOSS with Daemontools / Runit

JBoss is installed in /usr/local/jboss.
A jboss user is created for that purpose, with home directory /usr/local/jboss.

daemontools/runit run script for the JBoss server:

#!/bin/sh

# clean the working dirs
/bin/rm -fr /usr/local/jboss/server/app1/work
/bin/rm -fr /usr/local/jboss/server/app1/tmp

JBOSS_HOST="10.10.0.25"

# the next lines fix Cyrillic letters inserted into the database
# with AMERICAN_AMERICA.WE8ISO8859P1
NLS_LANG="AMERICAN_AMERICA.WE8ISO8859P1"
export NLS_LANG
LANG="bg_BG"
export LANG

# chpst -u drops to the jboss user and group before the JVM starts, so the
# application server never runs as root; -U exports matching UID/GID variables.
# MaxPermSize needs its m suffix, otherwise the JVM reads 512 as bytes.
exec /usr/bin/chpst -u jboss:jboss -U jboss:jboss /usr/lib/jvm/java-1.7.0-openjdk-i386/bin/java -Xms512m -Xmx1536m -XX:PermSize=256m -XX:MaxPermSize=512m -XX:+CMSClassUnloadingEnabled -XX:StackShadowPages=20 -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=30 -Djava.net.preferIPv4Stack=true -Djava.endorsed.dirs=/usr/local/jboss/lib/endorsed -classpath /usr/local/jboss/bin/run.jar:/usr/lib/jvm/java-1.7.0-openjdk-i386/lib/tools.jar org.jboss.Main -c app1 -b $JBOSS_HOST

daemontools/runit script for logging:

#!/bin/sh
# rotation settings (s511048576, n35) go in /var/log/jboss-app1/config, one per
# line; on the command line svlogd would take them for extra log directory names
exec setuidgid jboss /usr/bin/svlogd -tt /var/log/jboss-app1