Raymii.org

Latest Items

IPSEC/L2TP VPN on Ubuntu 14.04 with OpenSwan, xl2tpd and ppp

18-04-2014 | Remy van Elst

This is a guide on setting up an IPSEC/L2TP VPN server on Ubuntu 14.04 using Openswan as the IPsec server, xl2tpd as the L2TP provider and ppp or local users / PAM for authentication. It has a detailed explanation of every step. We chose the IPSEC/L2TP protocol stack because of recent vulnerabilities found in pptpd VPNs and because it is supported on all major operating systems by default. More than ever, your freedom and privacy when online are under threat. Governments and ISPs want to control what you can and can't see while keeping a record of everything you do, and even the shady-looking guy lurking around your coffee shop or the airport gate can grab your bank details more easily than you may think. A self-hosted VPN lets you surf the web the way it was intended: anonymously and without oversight.

FreeBSD 10, Converting from RELEASE to STABLE

17-04-2014 | Remy van Elst

Because of a [bug in mpd][1] which is fixed in 10-STABLE, I wanted to move one of my FreeBSD machines from 10.0-RELEASE to 10.0-STABLE. The process to do so is fairly simple. Basically, you check out the new source code, build the world, build the kernel, install the kernel, install the world, merge some configuration files and reboot. Read on to see the entire process.

Linux software raid, rebuilding broken raid 1

14-04-2014 | Remy van Elst

Last week Nagios alerted me about a broken disk in one of my client's testing servers. There is a best-effort SLA on the thing, and there were spare drives of the same type and size in the datacenter. Lucky me. This particular data center is within biking distance, so I enjoyed a sunny ride there. Simply put, I needed to replace the disk and rebuild the RAID 1 array. This server is a simple Ubuntu 12.04 LTS server with two disks running in RAID 1, no spare. The client has a tight budget, and with a best-effort SLA and not in production, that's fine with me. Consultant tip: make sure you have those things signed.

FreeBSD Ports: remove config options

09-04-2014 | Remy van Elst

Today I wanted to upgrade a few packages on one of my FreeBSD servers. The vim port kept complaining: "You must select one and only one option from the UI single". Read on to find out how I fixed this error.

OpenSSL: Manually verify a certificate against an OCSP

07-04-2014 | Remy van Elst

This article shows you how to manually verify a certificate against an OCSP server. OCSP stands for the Online Certificate Status Protocol and is one way to validate a certificate's status. It is an alternative to the CRL (certificate revocation list).

Chef: overwrite templates in wrapper-cookbooks

02-04-2014 | Remy van Elst

This article describes how to use a template in a wrapper cookbook in Chef. The Chef Cookbook Wrapper Pattern is based upon a design convention where you customize an existing library cookbook by using a separate wrapper cookbook, which wraps the original cookbook with any related configuration changes. A library cookbook is an existing cookbook, typically an open-source contribution from a user in the Chef community, designed for server configuration purposes. A wrapper cookbook is a cookbook that wraps the original library cookbook with custom modifications or additions, such as overriding a Chef attribute, changing a Chef template, converting a Chef attribute to a user-definable input, etc. Overriding a template by just defining it again would result in it being written twice every Chef run, which is not what we want. Using this method, you can override the template from the default cookbook with a template in your wrapper cookbook. It has an example for the graphite cookbook, where the wrapper adds LDAP login to the Apache server.

Chef: chef_gem vs gem_package and ORDER

01-04-2014 | Remy van Elst

This article describes a situation I had at one of my clients with Chef and the steps I took to resolve the problem. They have a cookbook which builds a PostgreSQL database node and installs the pg Ruby gem. However, it uses the chef_gem resource to do that, and it keeps failing.

Nagios Core 4.0.4 installation on Ubuntu 12.04

17-03-2014 | Remy van Elst

This is a guide on installing the latest Nagios Core (4.0.4) on Ubuntu 12.04. Nagios is an open source computer system monitoring, network monitoring and infrastructure monitoring software application. Nagios offers monitoring and alerting services for servers, switches, applications, and services. It alerts the users when things go wrong and alerts them a second time when the problem has been resolved. The version in the Ubuntu repositories is quite old; it is still in the Nagios 3 branch. This guide helps to fix that by using the latest Nagios version.

OS X: Remove all Apple Remote Desktop settings

14-03-2014 | Remy van Elst

This snippet shows you how to remove all Apple Remote Desktop settings. My ARD installation recently stopped working correctly: it had problems discovering new machines and connecting to already set up machines. These commands wipe all settings so the ARD installation is clean again. This solved my problem.

3D modeling a real world object in OpenSCAD

02-03-2014 | Remy van Elst

This article shows you how I built a real world object in OpenSCAD and how I got it 3D printed. OpenSCAD is a solid 3D modeller based on the Computational Geometry Algorithms Library. It is not like Blender, AutoCAD or Maya, which allow you to visually create and manipulate something; OpenSCAD lets you program the entire thing. Want a cube? Type cube([10,10,10]) and you have a cube. I had no previous experience in 3D modeling or OpenSCAD; however, in about three hours I had my key ready.

KVM add disk image or swap image to virtual machine with virsh

23-02-2014 | Remy van Elst

This tutorial shows you how to create and add a disk image to a KVM VM using virsh. This is useful when, for example, you want to expand the disk space of a virtual machine that uses LVM, or when you want to add a swap disk to a virtual machine.

KVM convert qcow2 disk images to raw disk images for performance

16-02-2014 | Remy van Elst

This tutorial shows you how to convert KVM qcow2 disk images to raw disk images. The qcow2 disk format has some decent features like encryption, compression and copy-on-write support. However, the compression and copy-on-write processing make it quite a bit slower than raw disk images. Sometimes you want to convert the disk images so that the VM will perform better.

KVM host with bonding and VLAN tagged Virtual Machines setup on Ubuntu 12.04

15-02-2014 | Remy van Elst

This tutorial shows you how to set up Ubuntu 12.04 as a KVM host with multiple virtual machines. The KVM host will have VMs in multiple VLANs and will handle the VLAN tagging over a bonded interface. It also covers creation of an example virtual machine with the Ubuntu vmbuilder tool and shows you how to add a serial console to an Ubuntu 12.04 virtual machine for troubleshooting.

Bonding / NIC Teaming on Ubuntu 12.04

14-02-2014 | Remy van Elst

This tutorial shows you how to set up NIC bonding / NIC teaming on Ubuntu 12.04. Bonding, also called port trunking or link aggregation, means combining several network interfaces (NICs) into a single link, providing either high availability, load balancing, maximum throughput, or a combination of these.

Install extra software in the VMware vCenter Appliance (VCSA)

05-02-2014 | Remy van Elst

This tutorial shows you how to install extra software in the VMware vCenter appliance (VCSA). VMware provides a vCenter appliance, which is a SUSE Linux Enterprise Server appliance with the VMware vCenter server software installed. Because this is SUSE, we can add repositories and install software from there. By default it comes without repositories enabled. I needed to do this because I wanted to use NRPE on the vCenter appliance.

OpenSSL: Get all certificates from a website in plain text

04-02-2014 | Remy van Elst

This article shows you how to get all certificates of a website in plain text. With a few OpenSSL commands one can get the website certificate plus the intermediate certificates; however, if you feed that output to OpenSSL it only works on the first certificate. Using a bit of sed and bash magic we can feed all certificates one by one to OpenSSL.

OCSP Stapling on Apache

03-02-2014 | Remy van Elst

This tutorial shows you how to set up OCSP stapling on Apache. OCSP stapling is an enhancement to the standard OCSP protocol that delivers OCSP responses from the server with the certificate, eliminating the need for relying parties (web users) to check OCSP responses with the issuing CA. This has the effect of reducing bandwidth, improving perceived site performance, and increasing security for everyone involved in establishing the secure session.

OCSP Stapling on nginx

03-02-2014 | Remy van Elst

This tutorial shows you how to set up OCSP stapling on nginx. OCSP stapling is an enhancement to the standard OCSP protocol that delivers OCSP responses from the server with the certificate, eliminating the need for relying parties (web users) to check OCSP responses with the issuing CA. This has the effect of reducing bandwidth, improving perceived site performance, and increasing security for everyone involved in establishing the secure session.

Ansible - Only if a file exists or does not exist

02-02-2014 | Remy van Elst

This Ansible playbook example helps you execute actions only if a file exists or does not exist. If you for example have a command you need to run to generate a certificate (or Diffie-Hellman parameters for nginx), you only want to do that once. The command itself is not convergent, so it would run with every Ansible run. However, the command creates a file, and Ansible is able to check if that file exists. If the file exists, it will not execute the action. The same goes for checking if a file does exist and only executing the action in that case (where the action you want to do will remove that file).

haproxy: intercept all cookies and set secure attribute

01-02-2014 | Remy van Elst

This snippet shows you how to use haproxy to set the secure attribute on cookies. You might have a backend application which is not able to set the secure attribute on cookies, or for which haproxy does the SSL offloading. This simple frontend rspirep rule sets the secure attribute for all cookies.

Check if passwordless sudo can be used in a bash script or nagios check

30-01-2014 | Remy van Elst

This is a simple trick to see if you can use passwordless sudo in a script. This can for example be useful in a Nagios plugin which requires sudo. Instead of putting the sudo line in your README and otherwise getting an NRPE "Unable to parse result" error, you can give a nice warning message plus the right sudo configuration rule.
