Category Archives: Work (Computers, Networks)

Hostapd with TP-Link TN822N

Hostapd with TN822N (RTL8192cu chipset)

http://forum.odroid.com/viewtopic.php?f=17&t=3028&start=20#p41229
https://github.com/pvaret/rtl8192cu-fixes/blob/master/README.md
http://askubuntu.com/questions/401045/wifi-problems-with-tp-link-wn822n-ubuntu-13-10

Do the following (from the github/pvaret link):

sudo apt-get install linux-headers-generic build-essential dkms
git clone https://github.com/pvaret/rtl8192cu-fixes.git
sudo dkms add ./rtl8192cu-fixes
sudo depmod -a
sudo cp ./rtl8192cu-fixes/blacklist-native-rtl8192.conf /etc/modprobe.d/

Then fix / replace the hostapd binary:
1. Download this -> http://www.realtek.com.tw/downloads/downloadsView.aspx?Langid=1&PNid=48&PFid=48&Level=5&Conn=4&DownTypeID=3&GetDown=false&Downloads=true#RTL8192CU (the file is called RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip)
2. Make sure you are running the latest kernel.
3. Unzip the zip file you downloaded.
Go to: RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911/wpa_supplicant_hostapd
4. Unpack the hostapd tarball:
tar -zxvf wpa_supplicant_hostapd-0.8_rtw_r7475.20130812.tar.gz
Go to this folder: wpa_supplicant_hostapd-0.8_rtw_r7475.20130812/hostapd
5. Run: make -j5
Install it: cp hostapd /usr/sbin/hostapd_realtek
Modify /etc/init.d/hostapd:
DAEMON_SBIN=/usr/sbin/hostapd_realtek

/etc/hostapd.conf:
# Define interface
interface=wlan1
bridge=br0
# Select driver
#wlan1 realtek
#driver=r8169
#wlan0 asus/atheros
#driver=ath9k
#driver=nl80211
driver=rtl871xdrv
# Set access point name
#ssid=hp48sx
ssid=test-ssid
#ignore_broadcast_ssid=1
# Set access point hardware mode to 802.11g
hw_mode=g
ieee80211n=1
wmm_enabled=1
# Set WIFI channel (can be easily changed)
channel=5
country_code=US
# Enable WPA2 only (1 for WPA, 2 for WPA2, 3 for WPA + WPA2)
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
#wpa_pairwise=TKIP
wpa_pairwise=TKIP CCMP
wpa_passphrase=my-passwd
auth_algs=3
macaddr_acl=0
max_num_sta=5
#dtim_period=1
fragm_threshold=2346
rts_threshold=2347
logger_stdout=-1
logger_stdout_level=2
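
The configuration above mixes a WPA2-only setting with TKIP and Shared Key options, so it is worth checking which of them actually take effect. The script below is an added example, not part of the original post or of hostapd: the function names audit_hostapd_conf and page_conf are made up here, and it relies on the defaults documented for hostapd (wpa_pairwise defaults to TKIP, rsn_pairwise defaults to the wpa_pairwise value).

```sh
#!/bin/sh
# Added example: audit a hostapd.conf for weak authentication/cipher settings.
# audit_hostapd_conf FILE prints one finding per line ("-" reads stdin).
audit_hostapd_conf() {
    awk '
    /^[ \t]*#/ || !/=/ { next }                     # skip comments and blanks
    {
        key = substr($0, 1, index($0, "=") - 1)
        conf[key] = substr($0, index($0, "=") + 1)  # a later line overrides here
    }
    END {
        wpa = ("wpa" in conf) ? conf["wpa"] + 0 : 0
        v1 = wpa % 2                 # bit 0: WPA (v1)
        v2 = int(wpa / 2) % 2        # bit 1: WPA2 (RSN)
        # Documented defaults: wpa_pairwise=TKIP, rsn_pairwise=wpa_pairwise
        wpa_pw = ("wpa_pairwise" in conf) ? conf["wpa_pairwise"] : "TKIP"
        rsn_pw = ("rsn_pairwise" in conf) ? conf["rsn_pairwise"] : wpa_pw

        if (wpa == 0)
            print "wpa: WPA is disabled (open or WEP network)"
        if (v1)
            print "wpa=" wpa ": WPA (v1) is enabled with ciphers [" wpa_pw "]; use wpa=2"
        if (v2 && rsn_pw ~ /TKIP/)
            print "rsn_pairwise: WPA2 clients are offered TKIP; set rsn_pairwise=CCMP"
        if (!v1 && v2 && rsn_pw !~ /TKIP/ && conf["wpa_pairwise"] ~ /TKIP/)
            print "wpa_pairwise=" conf["wpa_pairwise"] ": unused with wpa=2; remove it"
        if (int(conf["auth_algs"] / 2) % 2)          # bit 1: Shared Key
            print "auth_algs=" conf["auth_algs"] ": Shared Key (WEP) authentication allowed; use auth_algs=1"
        if ("wpa_passphrase" in conf) {
            n = length(conf["wpa_passphrase"])
            if (n < 8 || n > 63)
                print "wpa_passphrase: length " n " is outside 8..63 characters"
        }
    }' "$1"
}

# Security-relevant lines copied from the hostapd.conf on this page.
page_conf() {
    printf '%s\n' 'auth_algs=3' 'rsn_pairwise=CCMP' 'wpa=2' \
        'wpa_key_mgmt=WPA-PSK' '#wpa_pairwise=TKIP' \
        'wpa_pairwise=TKIP CCMP' 'wpa_passphrase=my-passwd'
}

# Usage: page_conf | audit_hostapd_conf -    or    audit_hostapd_conf /etc/hostapd.conf
```

For the configuration on this page it reports two findings: the wpa_pairwise line has no effect because wpa=2 and rsn_pairwise=CCMP are set, and auth_algs=3 also allows Shared Key authentication.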

 

Linux AD authentication with transitive trusts…

My big accomplishment for the day was getting Linux authentication working through an Active Directory one-way transitive trust with winbind and kerberos…
Yeah, nobody at work had any idea what I was talking about either. They just heard my maniacal laugh as I ran out of the building…

Browser Test Page for Poodle Vulnerability

https://www.poodletest.com/

 

Reference for configuring xorg-edgers ppa for NVIDIA drivers on Ubuntu

http://www.binarytides.com/install-nvidia-drivers-ubuntu-14-04/

Possible fix for Chrome/Pepperflash/Shockwave crashes on Linux

Found at https://code.google.com/p/chromium/issues/detail?id=410805

## download stable to /tmp/chrome
mkdir -p /tmp/chrome
cd /tmp/chrome
wget http://mirror.pcbeta.com/google/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_37.0.2062.94-1_amd64.deb

## split out the archive
ar vx google-chrome-stable_37.0.2062.94-1_amd64.deb

## extract data
tar --lzma -xvf data.tar.lzma

## copy libpepflashplayer.so & manifest.json to /opt/google/chrome/PepperFlash
cp opt/google/chrome/PepperFlash/* /opt/google/chrome/PepperFlash/

# open chrome and test...

You may want to keep a copy of libpepflashplayer.so & manifest.json around to replace upgraded versions with until this is fixed. Be sure that you enable click-to-play to help prevent malicious Flash content from running.

XWindows on EC2

Launch Xming server on local desktop (Windows)
Turn on X11 forwarding in PuTTY.
(I did not have to set any local DISPLAY environment variables)

sudo yum install xorg-x11-xauth.x86_64 xorg-x11-server-utils.x86_64 xterm

I think I logged out and then ssh’d back in at this point (with X11 forwarding on).

Then I just did an “xterm”. That should open a new terminal window. From that you should be able to run commands that need to open new windows without having to set additional environment variables. The window took a bit to open. If it doesn’t pop up, look at your task bar to make sure it didn’t start minimized. I think that may be an Xming thing…

For a really slow browsing experience (or to run an installer that needs a web browser):

sudo yum install firefox

Then run firefox from the xterm….

Bash Vulnerability Discussion

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

AWS Linux EC2 Instance Creation Checklist

This is intended to be an ongoing checklist of tasks (with implementation notes) to perform when creating new Linux instances on AWS.

  1. Choose OS (I am trying to use Ubuntu for instances that don’t specifically require RHEL )
  2. Create the instance with desired root volume size.  RHEL seems to create a volume with the specified size, but then allocates a 6GB root partition.
  3. Choose appropriate VPC, subnet (considerations: public, private, AZ, what RDS or other instances need to communicate with it)
  4. Select the appropriate Key (will create additional accounts and assign keys as needed)
  5. Select or Configure Initial security rules
  6. Start instance
  7. Resize root partition if necessary (currently only necessary for RHEL 7 instances)
    1. Stop the instance
    2. If you have done any configuration already, take a snapshot of the volume to protect your work (only if restoring the snapshot would be worthwhile should something go wrong)
    3. Note the mount point and volume name of the root volume
    4. detach the volume and attach it to another instance (preferably running the same OS – spin a temporary one up if needed).  You do not need (nor want) to mount it.
    5. See: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/storage_expand_partition.html#prepare-linux-root-part  (read this to verify the next steps still hold – and to see example output)
    6. make sure that the filesystem is OK BEFORE you resize it.  (the URL above skips this step):   xfs_repair /dev/xvdf1  (for xfs used by RHEL 7) OR for ext4: sudo e2fsck -f /dev/xvdf1  (or whatever device you attached the volume as)
    7. parted /dev/xvdf (or whatever device you attached it as)
    8. (parted) unit s
    9. (parted) print
    10. (parted) rm 1
    11. (parted) mkpart primary 2048s 100% OR (for gpt partitions) (parted) mkpart Linux 4096s 100%
    12. (parted) print
    13. (parted) set 1 boot on
    14. (parted) quit
    15. xfs_repair /dev/xvdf1  (for xfs used by RHEL 7) OR for ext4: e2fsck -f /dev/xvdf1  (or whatever device you attached the volume as)
    16. detach the volume and reattach it in the proper place on the new instance
    17. start the instance
  8. Allocate desired swap space as a swap file
    1. This example will assume an 8 GB swap file (/var/swap.1)
    2. sudo  /bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=8000
    3. sudo chmod 600 /var/swap.1
    4. sudo /sbin/mkswap /var/swap.1
    5. sudo /sbin/swapon /var/swap.1
    6. To enable it by default after reboot, add this line to /etc/fstab: /var/swap.1 swap swap defaults 0 0
  9. Configure hostname
    1. hostnamectl set-hostname <hostname.FQDN>
    2. add hostname and FQDN to /etc/hosts
    3. modify /etc/cloud/cloud.cfg and comment out the set_hostname, update-hostname, and update_etc_hosts lines
  10. Set timezone
    1. (RHEL 7)  timedatectl set-timezone America/Chicago
    2. ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime    (verify that timedatectl did this for RHEL 7 – if not, do it!)
  11. Create additional accounts
    1. groups ubuntu (or ec2-user)
    2. useradd -s /bin/bash -m -d /home/newuser -G adm,cdrom,floppy,sudo,audio,dip,video,plugdev,netdev newuser
    3. edit /etc/sudoers:
      newuser ALL=(ALL) NOPASSWD:ALL OR change: %sudo ALL=(ALL:ALL) NOPASSWD:ALL  (put NOPASSWD: into the existing line – for some reason this works for ubuntu but not for the second user without spec’ing this)
    4. mkdir ~newuser/.ssh
    5. vi ~newuser/.ssh/authorized_keys
    6. add in the contents of the newuser.pub file from my repository
    7. chmod 700 ~newuser/.ssh
    8. chmod 600 ~newuser/.ssh/authorized_keys
    9. chown -R newuser:newuser ~newuser/.ssh
    10. test logging into the account from another machine and verify that “sudo bash” works.
  12. Allow passwords for SSH (ONLY if required/desired)
    1. edit /etc/ssh/sshd_config and set PasswordAuthentication yes
    2. restart sshd
  13. Create and mount additional volumes
  14. Configure automatic backups
    1. set the Autosnapshot tag to True for all volumes that you want backed up automatically
  15. Install additional software
  16. Do initial software update
    1. apt-get update && apt-get dist-upgrade
    2. yum update
  17. Configure automatic updates
    1. RHEL: yum install yum-cron
      1. for RHEL < 7, edit /etc/sysconfig/yum-cron
      2. /etc/init.d/yum-cron start
      3. chkconfig yum-cron on
      4. For RHEL >= 7, edit /etc/yum/yum-cron.conf
      5. if you only want security updates => update_cmd = security
      6. apply_updates = yes (also download_updates)
    2. Ubuntu:
      1. apt-get install unattended-upgrades
      2. dpkg-reconfigure -plow unattended-upgrades
      3. verify /etc/apt/apt.conf.d/20auto-upgrades
      4. verify /etc/apt/apt.conf.d/50unattended-upgrades (verify reboot time and that automatic reboot is true)
  18. Tag volumes for automatic backup
    1. set the Autosnap tag to True
  19. Configure and test additional security rules
  20. Create a restore AMI!  (Since this creates a snapshot, I don’t <think> this will take up a lot of extra space for instances that we plan to back up anyway.)  This is a REALLY good idea since restoring a snapshot relies on you to first create a new instance based off the same AMI as the original and then replace or attach the volume on that instance.  We can’t guarantee that the original instance will still be available.
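
To verify sub-steps 4 to 9 of step 11 and the setting from step 12 before the login test, the script below reports wrong modes on the new account's .ssh directory and authorized_keys file and prints the effective PasswordAuthentication value. It is an added example, not part of the original checklist: the function names are made up here, and it assumes an sshd_config with whitespace-separated keywords and no Match blocks or Include files.

```sh
#!/bin/sh
# Added example: check the result of checklist steps 11 and 12.

# Print the 10-character mode string of a path, e.g. drwx------
mode_of() { ls -ld "$1" | cut -c1-10; }

# check_ssh_dir HOME_DIR: print one finding per line; no output means OK.
# sshd (StrictModes) can refuse keys when these modes are too permissive.
check_ssh_dir() {
    dir="$1/.ssh"
    keys="$dir/authorized_keys"
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 0
    fi
    [ "$(mode_of "$dir")" = "drwx------" ] ||
        echo "mode: $dir is $(mode_of "$dir"), expected drwx------ (chmod 700)"
    if [ ! -f "$keys" ]; then
        echo "missing: $keys"
        return 0
    fi
    [ "$(mode_of "$keys")" = "-rw-------" ] ||
        echo "mode: $keys is $(mode_of "$keys"), expected -rw------- (chmod 600)"
    [ -s "$keys" ] || echo "empty: $keys"
}

# password_auth SSHD_CONFIG: print the effective PasswordAuthentication value.
# sshd uses the first occurrence of a keyword; the built-in default is "yes".
password_auth() {
    awk 'tolower($1) == "passwordauthentication" {
             print tolower($2); found = 1; exit
         }
         END { if (!found) print "yes" }' "$1"
}

# Usage: check_ssh_dir /home/newuser; password_auth /etc/ssh/sshd_config
```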

Test bash vulnerability for new remote exploit

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

This should give an error if the system is patched.  Otherwise, it will echo "vulnerable" followed by "this is a test" on the next line.

Virt-Manager and Autostart

virsh autostart instancename
virsh autostart instancename --disable