License

Creative Commons License

Unless otherwise expressly stated, all original material of whatever nature created by and included in this weblog is licensed under a Creative Commons License.

25.12.2014

Christmas Run

Run #9 around Centennial Park. Two rounds again, this time during noon with some nice sun and a whopping 30°C :-)

Centennial Midday Run 2x

12:16 | Misc | Permalink

22.12.2014

Advent Run #8

Run #8 around Centennial Park. Two rounds again, and with some rain :-(

Centennial Morning Run 2x

23:35 | Misc | Permalink

19.12.2014

Advent Run #7

Run #7 around Centennial Park. Only one round, but the fastest one so far.

Centennial Morning Run

23:21 | Misc | Permalink

16.12.2014

Advent Run #6

Run #6 around Centennial Park. Two rounds this time, with a slower pace though.

Centennial Morning Run 2x

23:31 | Misc | Permalink

12.12.2014

Advent Run #5

Run #5 around Centennial Park. Didn't have the patience to wait for the GPS to lock onto the signal, thus the late start.

Centennial Morning Run

22:51 | Misc | Permalink

10.12.2014

Advent Run #4

Run #4 around Centennial Park, this time a bit later and thus with more sun:

Centennial Morning Run

23:14 | Misc | Permalink

09.12.2014

Advent Run #3

Another run around Centennial Park, this time counterclockwise:

Centennial Morning Run

22:53 | Misc | Permalink

03.12.2014

Advent Run #2

Next run around the beautiful Centennial Park:

Centennial Morning Run

22:43 | Misc | Permalink

01.12.2014

Advent Run #1

The nice thing about being in Sydney during December is that you can go running at Christmas time and it is 22°C :-)

Centennial Morning Run

21:34 | Misc | Permalink

30.11.2014

Regex Crossword

The End | Regex Crossword

Regex Crossword (via)

21:55 | Coding | Permalink

24.11.2014

The UNIX System

The UNIX System: Making Computers More Productive, 1982, Bell Laboratories

23:26 | Linux | Permalink

02.11.2014

SixSpotting

IPv6 - IS FOR REALZ NOWZ, SRUSLY

SixSpotting, a funny little game where you collect points by logging in from as many IPv6 enabled providers as possible.

08:43 | Networking | Permalink

18.10.2014

Show Shellshock the door

Lately the requests trying to exploit the Shellshock vulnerability are getting annoying. Of course my hosts are patched — even before the first such request arrived — and they are using Dash as /bin/sh anyway.
But this does not stop attackers from sending those requests. Some even seem to have programmed a loop which sends request after request even though their exploit is not working.

Since most of the requests are for valid URLs, the webserver just replies with a 200 status code and serves the content. As this gives no indication to the attacker whether his exploit worked or not, he has no reason to remove the host from his target-list and thus continues to send requests.

To break this pattern and signal that the host is not vulnerable to Shellshock, I came up with the nginx config snippet below. It recognizes Shellshock patterns in a request and replies with a '403 Forbidden' status code, thus indicating to an attacker that his request was blocked.

if ( $http_referer ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}
if ( $http_user_agent ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}
if ( $http_cookie ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}
if ( $http_host ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}
if ( $args ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}
if ( $content_type ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}
if ( $remote_user ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}
if ( $request ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}
if ( $request_body ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}

18:45 | Networking | Permalink

17.10.2014

Inspect CSR with OpenSSL

Before sending a CSR off to your CA, it is worth checking that all parameters are correct.
In particular, you should make sure that the requested signature algorithm is SHA256 and not the deprecated SHA1.

This can be done with the following OpenSSL command:

openssl req -noout -text -in <your_CSR_file>

10:45 | Linux | Permalink

13.10.2014

Blueprint of IKEA

Spot-on representation of every IKEA store's layout:

Blueprint of IKEA

06:38 | Misc | Permalink

05.10.2014

NORWAY - A Time-Lapse Adventure

NORWAY - A Time-Lapse Adventure from Rustad Media on Vimeo. (via)

08:38 | Misc | Permalink

How to enable SNMP on a Cisco SLM2008 Smart Switch

The Cisco SMB SLM2008 Smart Switch does not normally support SNMP, and there is also no setting in the configuration interface that would enable it.

Nevertheless, the firmware does actually contain an SNMP daemon. So it is not surprising that a smart guy on the Cisco support forum found out how to manipulate the proprietary config file so that it enables the SNMP daemon:

  1. Configure your switch with everything you need
  2. Download enable_snmp.pl
  3. Run # perl enable_snmp.pl <IP of your switch>
  4. Enjoy the SNMP export from the SLM2008 :-)

As this is a non-official hack, there are some limitations:

  • The embedded SNMP daemon only supports read access and no SNMP traps.
  • Changing a setting on the 'System' configuration tab disables the SNMP daemon again (thus the script will need to be run again).

00:31 | Networking | Permalink

01.10.2014

The Cyborgs

The Cyborgs is a two man 'elektrock' boogie band.
Thank you Sat Rocks for showing me their music :-)

00:10 | Music | Permalink

28.09.2014

CVS and SVN repositories moved to Git

Today I did some cleanup of my legacy infrastructure. The repositories formerly located at cvs.x-way.org and svn.x-way.org have been converted to Git and are now available at git.x-way.org.

git.x-way.org is also no longer served by the old gitweb.cgi but by the fantastic GitBucket (a lightweight, self-contained GitHub clone written in Scala).

20:01 | Misc | Permalink

23.09.2014

Netflix in Switzerland via IPv6

Since last week Netflix is also available in Switzerland. The future has arrived, one could say.
Not only does this give easy access to TV shows and movies, but this access is also provided via IPv6.

As you can see on the graph below, this brings IPv6 out of slumber and into primetime :-)
Swiss providers are probably seeing quite an increase in IPv6 traffic this month.

Netflix IPv6 traffic

18:32 | Networking | Permalink

18.09.2014

Octave Minds

Octave Minds (via)

11:42 | Music | Permalink

12.09.2014

Fancy blog statistics

The about page now features some fancy blog statistics, check it out :-)

The statistics are created with the help of Cal-Heatmap, which makes it easy to create calendar heatmaps similar to GitHub's activity heatmap.

Update: couldn't stop playing around and thus added another chart, this time with the help of C3.js (a D3.js based reusable chart library).

14:48 | Webdesign | Permalink

04.09.2014

Sipura/Linksys/Cisco SPA901 SPA3102 reboot phone

SPA901 and SPA3102 phones can be rebooted by calling the following URL (which triggers an automatic config resync after the reboot):

http://<PHONEIP>/admin/reboot

10:42 | Networking | Permalink

30.08.2014

Sipura/Linksys/Cisco SPA901 SPA3102 download current configuration

The current configuration of an SPA901 phone can be downloaded like this:

http://<PHONEIP>/admin/spacfg.xml

For SPA3102 devices the URL is different:

http://<PHONEIP>/admin/config.xml

22:16 | Networking | Permalink

25.07.2014

Native IPv6

Yesterday I switched our DSL link to green.ch. Now we not only have higher bandwidth (thanks to VDSL) but also native IPv6 connectivity!
Especially nice is that it all works out of the box. After plugging in the pre-configured FritzBox, it automatically gets an IPv6 prefix via Prefix Delegation and announces it to the clients in the LAN.

08:05 [ aj @ actuarius : ~ ] % mtr -rc5 www.open.ch
Start: Fri Jul 25 08:06:42 2014
HOST: actuarius.fritz.box         Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- fritz.box                  0.0%     5    0.8   0.8   0.7   0.8   0.0
  2.|-- 2a01:2a8::121              0.0%     5    8.6   8.7   8.5   9.2   0.0
  3.|-- 2a01:2a8:0:5a::1           0.0%     5    8.4   8.2   8.0   8.4   0.0
  4.|-- 2a01:2a8:1:7::4            0.0%     5    8.1   8.6   8.1   9.6   0.0
  5.|-- 2a00:db0:9:a06::5          0.0%     5    8.8   8.6   8.3   8.8   0.0
  6.|-- www.open.ch                0.0%     5    8.9   8.7   8.6   8.9   0.0

08:08 | Networking | Permalink

03.06.2014

12 Years

12 years ago I started this weblog with a link to www.2advanced.com.
It's now 555 posts later, and I think what is most unexpected (besides the fact that this weblog still exists 12 years later) is that the first link from my first post is still valid (and still pointing to some Flash-only website...).

So far this weblog has survived 2 different domains, 3 different servers, multiple versions of a self-made blogging-engine, about 6 different layout designs, a database-crash, recovery via archive.org and a migration to Jekyll.

No guarantee that it will last another 12 years, but for the meantime: Cheers, and enjoy the ride!

12 years, Cheers!

08:50 | Misc | Permalink

28.05.2014

It's alive!

Wandtelefon Modell 50 with SIP ATA

Wandtelefon Modell 50 from January 1970 now talks SIP (and it only took two converters, a bit of cable-fiddling and some luck :-)

23:19 | Networking | Permalink

22.05.2014

Stop BÜPF!

Stop BÜPF!

19:55 | Networking | Permalink

18.04.2014

Load PKCS#8 SSH key files in Mac OS X 10.9

There is currently a bug in Mac OS X 10.9 which causes ssh-add to no longer be able to read SSH key files in PKCS#8 format.

Fortunately ssh-add still reads PKCS#8 keys when they are provided through STDIN, and openssl is able to decrypt PKCS#8 keys.

Thus the following workaround so that PKCS#8 SSH keys can be loaded again:

openssl pkcs8 -in ~/.ssh/id_rsa | ssh-add -

14:36 | Networking | Permalink

23.03.2014

Facebook: The Road To IPv6

Great presentation by Paul Saab about the IPv6 introduction at Facebook: The Road To IPv6

(via)

15:09 | Networking | Permalink

13.02.2014

Moving a KVM guest to another machine

  1. Properly shutdown the guest:
    guest# poweroff
  2. Create an LVM volume of the same size on the new machine:
    newmachine# lvcreate -L 120G -n myguest myvolgroup
  3. Copy the disk from the old machine over to the new one:
    oldmachine# dd if=/dev/vg_foo/lv_bar | ssh newmachine dd of=/dev/volgroup/myguest
  4. Wait for the transfer to complete (on a 100Mbit/s connection it took about 3.5 hours to transfer the 120GB).
  5. Copy /etc/libvirt/qemu/myguest.xml from the old machine over to the new machine and adapt the LVM path for the disk.
  6. Reload the libvirt configuration:
    newmachine# /etc/init.d/libvirt-bin reload
  7. Start up the guest on the new machine:
    newmachine# virsh start myguest

20:02 | Linux | Permalink

Shrinking a LVM root partition

  1. Boot from a helper system and get a root shell (I used the rescue mode of the Debian installer)
  2. Check the filesystem of the partition to resize:
    e2fsck -f /dev/vg_foo/lv_bar
  3. Resize the filesystem (make it a bit smaller than the target size, to have a safety margin when resizing the logical volume):
    resize2fs /dev/vg_foo/lv_bar 180G
  4. Reduce size of the logical volume:
    lvreduce -L 190G /dev/vg_foo/lv_bar
  5. Grow the filesystem to the new size of the logical volume:
    resize2fs /dev/vg_foo/lv_bar
  6. For good measure run another filesystem check:
    e2fsck -f /dev/vg_foo/lv_bar

19:02 | Linux | Permalink

19.01.2014

Verify that an SSL certificate matches the private key

When renewing certificates it is a good idea to verify that the newly installed SSL certificate matches the newly installed private key (e.g. to make sure no mix-up between the new and old files occurred).
This can be done by comparing the modulus of the two files:

openssl x509 -in <certificatefile> -noout -modulus|sha1sum
openssl rsa -in <privatekeyfile> -noout -modulus|sha1sum

13:32 | Networking | Permalink

12.01.2014

Sipura/Linksys/Cisco SPA901 Provisioning and Upgrade

Loading the configuration from http://config.server/configfile.xml (provisioning has to be enabled on the phone):

http://<PHONEIP>/admin/resync?http://config.server/configfile.xml

Upgrading the firmware with the image from http://upgrade.server/firmware.bin:

http://<PHONEIP>/upgrade?http://upgrade.server/firmware.bin

21:02 | Networking | Permalink

01.01.2014

Publish GPG Keys in DNS

Create the PKA DNS record:

# localpart=andreas domain=jaggi.info url=http://andreas-jaggi.ch/1C6AC951.asc
# LANG=C gpg --fingerprint ${localpart}@${domain}|awk -v local=$localpart -v domain=$domain -v url=$url \
'/fingerprint/{printf("%s._pka.%s. TXT \"v=pka1;fpr=%s;uri=%s\"\n",local,domain,$4$5$6$7$8$9$10$11$12$13,url)}'
andreas._pka.jaggi.info. TXT "v=pka1;fpr=1073501542F38352FC85788207A32EAB1C6AC951;uri=http://andreas-jaggi.ch/1C6AC951.asc"

Test DNS resolution:

# dig +short -t txt andreas._pka.jaggi.info.
"v=pka1\;fpr=1388580990F38352FC85788207A32EAB1C6AC951\;uri=http://andreas-jaggi.ch/1C6AC951.asc"

Test with GPG:

# gpg --auto-key-locate pka -ea -r ${localpart}@${domain}
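An added Python example (not from the post) that builds the PKA record from a gpg fingerprint line, parses the TXT answer the way dig prints it, and checks that the published fingerprint is the local key's; the gpg output line is constructed in the older format the awk one-liner above expects.

```python
import re

# Constructed sample of an older-style `gpg --fingerprint` line, the format the
# awk one-liner above expects; the fingerprint value is the one shown in the post.
FINGERPRINT_LINE = "      Key fingerprint = 1073 5015 42F3 8352 FC85  7882 07A3 2EAB 1C6A C951"

def fingerprint_from_gpg(line):
    """Extract the 40 hex digit fingerprint from a `gpg --fingerprint` line."""
    m = re.search(r"fingerprint\s*=\s*([0-9A-Fa-f ]+)\s*$", line)
    if not m:
        raise ValueError("no fingerprint in line")
    fpr = m.group(1).replace(" ", "").upper()
    if len(fpr) != 40:
        raise ValueError("unexpected fingerprint length %d" % len(fpr))
    return fpr

def pka_record(localpart, domain, url, fingerprint_line):
    """Build the PKA TXT record, as the awk one-liner in the post does."""
    fpr = fingerprint_from_gpg(fingerprint_line)
    return '%s._pka.%s. TXT "v=pka1;fpr=%s;uri=%s"' % (localpart, domain, fpr, url)

def parse_pka_txt(answer):
    """Parse a TXT answer as printed by dig, where ';' is escaped as '\\;'."""
    value = answer.strip().strip('"').replace("\\;", ";")
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            fields[key] = val
    if fields.get("v") != "pka1":
        raise ValueError("not a pka1 record")
    return fields

def record_matches_key(answer, fingerprint_line):
    """Check that the published record carries the local key's fingerprint."""
    fields = parse_pka_txt(answer)
    return fields.get("fpr", "").upper() == fingerprint_from_gpg(fingerprint_line)
```

Running record_matches_key against the dig output after publishing catches a record that was generated from the wrong key or mangled on the way into the zone.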

Detailed explanation of the different DNS publication mechanisms for PGP Keys:
Publishing PGP Keys in DNS

(via)

13:52 | Networking | Permalink