Recipe¶

OpenConnect for OpenWRT¶

Here: https://github.com/openwrt/packages/tree/master/net/openconnect:

The openconnect client expects to be configured using the uci interface.

To setup a VPN connection, add the following to /etc/config/network:

config interface 'MYVPN'
    option proto 'openconnect'
    option interface 'wan'
    option uri 'https://vpn.example.com:4443'
    option username 'test'
    option password 'secret'
    option serverhash 'AE7FF6A0426F0A0CD0A02EB9EC3C5066FAEB0B25'
    option defaultroute '0'
    # option proxy 'http://proxy.example.com:8080'
    option authgroup 'DEFAULT'
    # usergroup option, if required by some servers
    # option usergroup 'USERGROUP'

    # Reconnect after a temporary network down time (in seconds)
    #option reconnect_timeout '30'

    # For second factor auth:

    # when a fixed 2FA password can be used
    #option password2 'my-fixed-2fa-password'

    # RSA tokens, must be built with stoken support
    #option token_mode 'rsa'
    #option token_secret 'secret'

    # HOTP/TOTP tokens
    #option token_mode 'hotp'
    #option token_secret '00'

    # tokens from script
    #option token_mode 'script'
    #option token_script '/lib/custom/getocpass.sh'

    # For non-anyconnect vpn protocols
    # Cisco AnyConnect (default)
    #option vpn_protocol 'anyconnect'
    # Juniper Network Connect
    #option vpn_protocol 'nc'
    # Palo Alto Networks GlobalProtect
    #option vpn_protocol 'gp'
    # Pulse Connect Secure
    #option vpn_protocol 'pulse'

    # Authentication form responses
    #list form_entry FORM:OPT=VAL

The additional files are also used:

/etc/openconnect/user-cert-vpn-MYVPN.pem: The user certificate
/etc/openconnect/user-key-vpn-MYVPN.pem: The user private key
/etc/openconnect/ca-vpn-MYVPN.pem: The CA certificate (instead of serverhash)

After these are setup you can initiate the VPN using ifup MYVPN, and deinitialize it using ifdown. You may also use the luci web interface (Network ⇒ Interfaces ⇒ MYVPN Connect).

Note that you need to configure the firewall to allow communication between the MYVPN interface and lan.

There is a luci plugin to allow configuring an openconnect interface from the web environment; see the luci-proto-openconnect package.

OpenVPN via NetworkManager CLI¶

sudo nmcli connection import type openvpn file ${NAME}.ovpn
nmcli connection up $NAME

Pure bash whois client¶

QUERY=as21416
WHOIS=whois.ripe.net
(exec 5<>/dev/tcp/$WHOIS/43; echo $QUERY>&5; while read -ru5; do echo "$REPLY"; done)

ipset for fail2ban¶

SRC

Use jail.local to provide:

[DEFAULT]
banaction = iptables-ipset-proto6
banaction_allports = iptables-ipset-proto6-allports

Setting and Controlling IP sets using iptables¶

SRC

The ipset utility is used to administer IP sets in the Linux kernel. An IP set is a framework for storing IP addresses, port numbers, IP and MAC address pairs, or IP address and port number pairs. The sets are indexed in such a way that very fast matching can be made against a set even when the sets are very large. IP sets enable simpler and more manageable configurations as well as providing performance advantages when using iptables. The iptables matches and targets referring to sets create references which protect the given sets in the kernel. A set cannot be destroyed while there is a single reference pointing to it. The use of ipset enables iptables commands, such as those below, to be replaced by a set:

~# iptables -A INPUT -s 10.0.0.0/8 -j DROP
~# iptables -A INPUT -s 172.16.0.0/12 -j DROP
~# iptables -A INPUT -s 192.168.0.0/16 -j DROP

The set is created as follows:

~# ipset create my-block-set hash:net
~# ipset add my-block-set 10.0.0.0/8
~# ipset add my-block-set 172.16.0.0/12
~# ipset add my-block-set 192.168.0.0/16

The set is then referenced in an iptables command as follows:

1	`~# iptables -A INPUT -m set --set my-block-set src -j DROP`

If the set is used more than once a saving in configuration time is made. If the set contains many entries a saving in processing time is made.

Debian 10 ⇒ 11 upgrade¶

TFM

Boils down to:

Update the system with apt-get update && apt-get full-upgrade to the most recent state of working version.

Update /etc/apt/sources.list to

deb http://deb.debian.org/debian/ bullseye main contrib non-free
deb-src http://deb.debian.org/debian/ bullseye-updates main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main
deb-src http://security.debian.org/debian-security bullseye-security main
deb http://ftp.debian.org/debian bullseye-backports main contrib non-free

Upgrade the system with apt-get update && apt-get dist-upgrade && reboot to the new version.

2021-08-20 @ fabicon.ru

emmcdl & QDL¶

emmcdl or emmcdl

git clone https://github.com/nijel8/emmcdl.git &&
    cd emmcdl &&
    aclocal &&
    autoconf &&
    automake --add-missing &&
    ./configure &&
    make &&
    ./emmcdl

QDL

When the password was changed?¶

chage -l $USER — show password "aging" status
passwd -S $USER — show user's "status"
zgrep -Fw passwd /var/log/* /var/log/*/* | grep -Fw $USER — look for passwd(1) report

Who has eaten all the swap?¶

for file in /proc/*/status ; do
    awk '
        /VmSwap|Name/   { printf $2 " " $3 }
        END     { print "" }
    ' $file
done |
sort -k 2 -n -r |
less

Remove leading zeroes `${VAR##+(0)}`¶

jno:~$ shopt extglob
extglob         on
jno:~$ a='000000123'
jno:~$ declare -p a
declare -- a="000000123"
jno:~$ shopt -q extglob && echo ${a##+(0)} || { echo $a | sed -e 's/^0\+//'; }
123
jno:~$

Found here.

Mediatomb (hosted by ветеран.su) became gerbera ¶

Since about Ubuntu 20.04 it's gerbera now.

Gerbera is proudly built upon MediaTomb 0.12.1 continuing that projects great legacy.