Pulling a hard disk (or SSD) from one physical machine and putting it in another (as I just did when upgrading my workstation) causes the network to freak out. This is similar to the post below: the operating system keeps a record of the MAC address of its NICs. I'm guessing this has to do with ARP resolution, but don't quote me on that; I've not looked into why.
and delete or comment out the old network settings.
I recently built myself a couple of standard builds to clone, one CentOS 6 and one Ubuntu 14.04.
Upon cloning the CentOS image to use for something I had a problem bringing up eth0 - with the error message:
"Device eth0 does not seem to be present, delaying initialization."
coming up - instead of the network card!
After some web searches I found it's because the new VM has a new MAC address; the cloned disk, however, still has the old MAC in these files. Simply edit them with the correct MAC and restart:
This has been troubling me on and off for ages. I finally decided to sit down and make it work; it turns out it was a problem with the licensing module and can be fixed with an upgrade to 5.5.
I chose to use a USB of the new ESXi 5.5 Rev 1 ISO created with unetbootin (it's on the repos of most distros). This guide from VMware has a video which explains it all. It's pretty much exactly the same as installing it - a half dozen clicks on an OK box.
When it booted up (you'll also be told to upgrade your client) and I logged in I saw all my machines that were set to autoboot
Living the dream :-)
Some people (like me) prefer the old school file manager look to the new Gnome/Ubuntu look. I like having a folder tree in the left pane rather than a bunch of Windows-like "Libraries".
It's a simple set of commands to achieve this.
First make sure you have nemo installed
sudo apt-get install nemo
Then change the defaults to nemo:
xdg-mime default nemo.desktop inode/directory application/x-gnome-saved-search
gsettings set org.gnome.desktop.background show-desktop-icons false
gsettings set org.nemo.desktop show-desktop-icons true
Test it with this; it should answer "nemo.desktop":
xdg-mime query default inode/directory
Just a quick post. You might have trouble installing VMware Tools on Kali but these steps should fix it all.
echo cups enabled >> /usr/sbin/update-rc.d
echo vmware-tools enabled >> /usr/sbin/update-rc.d
apt-get install gcc make linux-headers-$(uname -r)
ln -s /usr/src/linux-headers-$(uname -r)/include/generated/uapi/linux/version.h /usr/src/linux-headers-$(uname -r)/include/linux/
Having just upgraded my laptop to Ubuntu 14.04 LTS I found VMware wasn't playing nice with the kernel.
The following steps work to fix this.
When you run VMware for the first time it wants to compile the kernel modules, but for some reason VMware don't keep up with the latest kernels, so sometimes you need to apply a patch.
Luckily this is quite easy. Follow the instructions below EXACTLY.
Copy the following text and paste it in a file called /tmp/filter.c.diff
> #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 13, 0)
> VNetFilterHookFn(const struct nf_hook_ops *ops, // IN:
< transmit = (hooknum == VMW_NF_INET_POST_ROUTING);
> #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 13, 0)
> transmit = (hooknum == VMW_NF_INET_POST_ROUTING);
> transmit = (ops->hooknum == VMW_NF_INET_POST_ROUTING);
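Review bot: the second `#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 13, 0)` is followed by both `transmit = (hooknum == ...)` and `transmit = (ops->hooknum == ...)` with no `#else` between them and no `#endif` after them, and the first `#if`, before `VNetFilterHookFn(const struct nf_hook_ops *ops, ...)`, is left open in the same way, so as shown the pre-3.13 branch would also contain the `ops->hooknum` line and neither conditional is terminated. The normal-diff change commands (the line-number lines that tell `patch` where each `<` and `>` line belongs) are missing too, so the text cannot be applied to filter.c as it stands. Restore the `#else`, `#endif` and change-command lines from the original patch before saving it to /tmp/filter.c.diff.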
Next apply the patch with the following commands:
sudo -E -s
cp vmnet.tar vmnet.tar.original
tar xvf vmnet.tar vmnet-only/filter.c
patch vmnet-only/filter.c < /tmp/filter.c.diff
tar -uvf vmnet.tar vmnet-only/filter.c
rm -rf vmnet-only/
Now when you run either VMware program again it should work fine!
Thanks to the guys that worked this out, I got this from Dan Dar, but he credits Garrett Skjelstad. Cheers!
apt-get install linux-headers-`uname -r`
Master PDF Editor seems to be a great, simple editor for touching up PDF documents. It works on Ubuntu, Mint Linux etc.
I've added a chapter on hardening.
More to come!
Build your own secure personal Cloud
It seems at the time of writing there is a problem with detecting some Epson printers on the new Ubuntu.
I found the best way to do it is to download the .deb file from the link below and install the driver using any one of Ubuntu's installers. Then when you try and detect the printer it won't go online searching for the driver; it will already have it and all will be good.
It looked to me like there was a problem in converting an rpm version of the driver to .deb format. I'm not sure why the automatic programs try and do this though as Epson release .deb drivers!
First this assumes you have removed all connections from both devices.
This will probably work with other hardware too, I don't know.
1. Reset your ddwrt router to factory (I don't know what you might have changed that will affect these instructions)
2. Do a factory reset on your cable modem (this seemed to be important)
3. Log into your CG3100 - default username and password is: admin and password
4. The last setting on the side menu is "NAT", uncheck this - your "router/modem" will become a simple dumb modem.
5. After 5 minutes power cycle it - why not.
5. Check this works by plugging a laptop into one of the network ports on the back and check you can access an internet site, choose a simple one like mine, BE CAREFUL - if your operating system asks if you trust this network say NO - your computer is connected to bare internet with no firewall.
6. Unplug from the net if all is good. If not repeat the steps 2-5 until good.
7. Plug your lappy into the ddwrt router, check the light on the front shows this has worked.
8. Log into ddwrt - default username and password is root and admin - default IP is 192.168.1.1
9. Change the WAN connection to Automatic Configuration DHCP
10. Give your router a name and a hostname
11. Set the local address you want, or leave it as is if there is nothing else on your LAN expecting anything here.
12. Leave 0.0.0.0 as its own gateway.
13. Set your static DNS to OpenDNS to stop your ISP snooping on your browsing - 188.8.131.52 and 184.108.40.206 - http://www.opendns.com/opendns-ip-addresses/
14. Set your NTP server - I used to like the CSIRO's National Measurement Laboratory - until some jerky company decided to make them the default in their devices and then sold thousands of them, flooding their bandwidth, so just use 0.au.pool.ntp.org
15. Set your timezone and DST times, in AU daylight savings is the first Sunday in October to the first Sunday in April. Eastern Standard Time is UTC+10.00
16. Click SAVE
17. Go to ADVANCED ROUTING and change operating mode to GATEWAY
18. Click APPLY and the unit will reboot. At this stage you must remember the IP address you gave your router (if you changed it)
19. Log back in, go to WIRELESS and change it to Disabled (or set your security - that's up to you but I prefer to have a separate AP) click APPLY
20. Go to ADMINISTRATION and MANAGEMENT and set a unique username and password - not your firstname and monkey123, but something hard to guess hey! Click apply.
21. That should be working now, if you plug your router's INTERNET connection into one of the ports in the modem it (fingers crossed) will be online.
22. Check this by going to ADMINISTRATION and COMMANDS, enter ping 220.127.116.11 and hit RUN COMMANDS - if this works your router is online.
23. Enter ping google.com - if this works your DNS is working too.
24. Plug a laptop into one of the other plugs in the router, bring up a shell (windows key, then type cmd) and enter in the same two commands.
25. If this has all worked then you should be online, bring up a webpage on your lappy and pour yourself a glass of milk!
It's quite useful for an attacker to know what OS, Apache and PHP you are running in order to look up known vulnerabilities with the versions you are using.
This method will ensure anyone using a plugin like serverspy or sending raw requests via telnet etc. won't be able to gather this information too easily. It doesn't make it impossible however, as vulnerability scanners can fingerprint your services based on known responses from various versions, but it does make it harder, and can serve as a warning that you're paying attention. Like changing the name of your access point ;-)
These instructions are for Ubuntu. If you're using Red Hat you should be able to translate them yourself.
First install mod_security: apt-get install libapache2-modsecurity
Secondly enable it: a2enmod mod-security
Thirdly edit /etc/apache2/conf.d/security - comment out the ServerTokens directive and swap ServerSignature <blah> for SecServerSignature <whatever_you_like>.
Reload apache and that's done!
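A check to run after the reload, added here as an example and not part of the original post: it scans response headers for version or OS strings. The sample responses are constructed, and the header list and patterns are assumptions for illustration. It also covers PHP, whose version is sent in a separate X-Powered-By header that changing the Server string does not touch.

```python
import re

# Headers that commonly carry product banners (illustrative list).
LEAKY_HEADERS = ("server", "x-powered-by")
VERSION = re.compile(r"\d+(?:\.\d+)+")   # e.g. 2.2.22 or 5.3.10
OS_HINT = re.compile(r"\((?:Ubuntu|Debian|CentOS|Red Hat|Unix|Win32|Win64)\)", re.I)

# Constructed samples: a default install, then the same host after the
# Server string has been replaced as described above.
BEFORE = ("HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
          "Server: Apache/2.2.22 (Ubuntu)\r\n"
          "X-Powered-By: PHP/5.3.10-1ubuntu3\r\n"
          "Content-Type: text/html\r\n\r\n<html></html>")
AFTER = ("HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
         "Server: whatever_you_like\r\n"
         "X-Powered-By: PHP/5.3.10-1ubuntu3\r\n"
         "Content-Type: text/html\r\n\r\n<html></html>")


def parse_headers(raw):
    """Return {lowercased-name: [values]} from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def banner_findings(raw):
    """List (header, value) pairs that still disclose a version or OS."""
    findings = []
    headers = parse_headers(raw)
    for name in LEAKY_HEADERS:
        for value in headers.get(name, []):
            if VERSION.search(value) or OS_HINT.search(value):
                findings.append((name, value))
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, banner_findings(sample))
```
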
Read this on a forum, thought it was a good argument.
# re: Code Signing – It’s Cheaper and Easier than You Thought Monday, December 24, 2007 8:54 PM by BillGoates
It doesn't matter how cheap and easy code signing is, I want to boycott it on principle. Not because of the price, although even 80$ a year is much for a single autogenerated number.
The code signing scheme itself is useless. Anyone can request or share a public certificate. So mal- and spyware still can destroy your computer, but now 'approved and certified' by Verisign/Microsoft.
The only thing it's good for is annoying end users and (independent) developers.
# re: Code Signing – It’s Cheaper and Easier than You Thought Thursday, December 27, 2007 4:06 PM by Hosebeast
BillGoates, you just don't get it. Why do cars have license plates and police have badges? These don't stop people from speeding thru school zones or impersonating cops. In fact, nothing actually prevents a real cop from going berserk at any moment.
What they do, however, is act as deterrents which form part of a larger security process. A car without plates will draw suspicion; a car with plates which appears suspicious can be checked to see if the plates were stolen. From insurance ID cards to voter registration cards, forms of official identification exist to provide "reasonable" assurance that someone is who you expect them to be, no more and no less.
That's not "useless" because it's a far cry from total anonymity. Why do you suppose that for 99.999% of all spam, the true sender is obscured? It's a simple fact that malicious parties don't like to be identifiable. Sure, there will always be suicide bombers who don't mind letting you know their name, right before they blow you up, but how many suicide bombers exploded today? On the other hand, how many hot checks were written today? Is it totally "useless" for Wal-Mart to ask for ID?
Code signing tells you that you are executing code from someone whose identity has been checked. More importantly, it tells you that the code has not been corrupted since it was signed, neither by virus infection nor by faulty file transfer. Change a single byte in a signed file and it immediately renders the signature broken.
Non-malicious software could be buggy and "destroy your computer" the same as malware, but even if you don't trust a signature to represent the author's identity upon initial receipt of some code, once you have verified for yourself that the code is safe, the signature tells you later that the code hasn't been tampered with.
10 years ago, the industry was skeptical of code signing. Today, code signing is widely used in Java, Linux, and other non-Microsoft environments. Apple's latest Mac OS X (Leopard) fully supports code signing and delivers virtually all of its components as signed by Apple. Certificate issuers from Thawte to VeriSign have repeatedly demonstrated prompt and responsible revocation of certificates obtained for fraudulent purposes. From Safari to Firefox and Opera (all shipped signed), the entire industry has embraced code signing -- not as a total solution to anything, but as part of the solution to many things.
If you're a small developer (which implies you're working with a relatively small user population), you can always self-sign for $0. The catch is that your users must install your certificate authority in their trusted store, a one-time step. Presumably they would do this if they trust you, and presumably they would only trust you if they are satisfied that they can identify you. The $80 saves them a little hassle by having Comodo do a reasonable check of your identity and issue a certificate from an authority which is pre-trusted by the default installation of common operating systems.
Sure, this system hasn't stopped people from forming malicious companies which were actually and legally named "Click Yes to Continue" but how long do you think they got away with it? About as long as it would take to notice a car without plates or a cop without a badge.
I've just published a Puppet config file editor for Netbeans, my first contribution to the Open Source community. Those of you that know me know I've been a Linux evangelist for nearly two decades now, but have never had the chance to use my programming ability to contribute back - either someone else had already written the programs I'd thought of, or the programs I've made are for clients and therefore not open-source.
Hopefully some other Linux sysadmin out there that likes Netbeans will find this useful. There is more to add as of writing this, but I'm getting the modules put together piece by piece.
Don't worry, if all that doesn't mean anything to you, you aren't going to need the program (but you should learn about it - just sayin). Also probably not much of this page means much to you - go check out the photos!
This is about the standard 3g modem card - un2400 – for an Elitebook. I found setting this up surprisingly simple, after I found the right information on the blogosphere of course!
This is very easy with the right commands, just use the diskpart tool to make a USB stick bootable, then copy the files right off the install DVD! Later on I’ll post about imaging your own windows system with installed software to use as a OEM install.
1. Run the command “diskpart” from the command line (<windows key> + r)
2. Select the USB key you want
select disk <number of your USB>
3. Erase the USB and reformat it
create partition primary
format fs=ntfs quick
4. Now you have a USB ready to run! Just copy all the files from a windows install DVD onto this USB and you should be able to boot from it, isn’t that unusually simple for a MS product!
This is fun, and worked for me on Ubuntu 11.10. Used my laptop's inbuilt bluetooth, the bluetooth discovery tool (next to the clock) confirmed that the wiimote was talking to it, but connection with this gui failed to work.
1. Install software
sudo apt-get install wminput wmgui lswm
2. add the following line to /etc/modules
4. Get the address of the wiimote, press the 1 and 2 buttons on the wiimote when asked. I had to do this twice before getting a response.
5. Use the following command to discover the wiimote and start using it as a mouse. NB: Press 1 +2 on the wiimote when it asks, and substitute your address from the command above. Once the steps above have been completed once this will be the only command you will need.
sudo wminput xx:xx:xx:xx:xx:xx
That’s it! You should now have mouse control with your wiimote. Use tilt for left and right and up and down for, well, up and down.
The + pad will also act as scroll in web browsers etc.
Not terribly useful, but kind of fun to try. The tilt for L+R isn’t great, I guess that’s what the bar on top of the TV is for.
Just tried Photaf on my Droid, awesome stuff, this was taken with absolutely no knowledge, you can see where they have been joined, but this is pretty much exactly what this part of the world looks like. I’m sure some practice and tweaking, attention to the light etc would improve these heaps. This shot was taken just before the sun went down, I’d say that sun overhead would help quite a bit with colour balance. Still (no pun intended) if you want a quick and dirty panorama, for free this thing is awesome!
They’ve changed it a little, still, press “a” at grub to get the append kernel parameters line, still add ” single” to the end of it.
BUT instead of using passwd (this really confused us) which just returns to the next line without asking for a password use:
passwd -d root
This blanks root’s password so when you reboot it doesn’t ask for a password! Freaky stuff!
Probably my favourite new thing in tech this year has been Google’s Authenticator.
It provides a one time passcode for logging into stuff, which you enter as well as your normal password. This is extremely secure because it means no one can copy it. Every 30 seconds of every day it’s replaced with a brand new one. Interestingly if it only uses the same number once in the cycle, it will take about a year to use them all and start again.
If you’ve been given an RSA Token, OATH Token, Gold Card etc. at work it’s the same kind of thing, but instead of being geek bling to hang around your neck or on your keyring, Google make it easy to carry in the form of an app for your Android, BlackBerry or iPhone. Interestingly midway through this year RSA also introduced an app to replace their tokens. Anyone that has had to carry a bunch of those things around knows what a pain it is, and will warmly welcome the phone version. No doubt the corporate solution will continue to cost $100-$200 per person per year however. Google’s is free.
With this app installed on your phone you enable two step authentication on your Google accounts (gmail, apps etc). This video from Google explains it all pretty well.
That’s awesome in itself, almost eliminates the concern that your email account might get hacked, but for Linux admins it gets much much better. Oh yeah, this is REALLY cool.
Google have also released a PAM (Pluggable Authentication Module) for Linux, so you can use this technology on any of your PAM enabled services (Login, SSH, VPN, Email, you name it). This effectively brings two factor authentication out of the expensive corporate security world into the Linux Free as in Beer, Free as in Speech world. Google you ROCK.
How To Install It on CentOS 5. There’s plenty of doco out there that made this look easy, I did not find it so easy. I think that many of the writers assume the reader is using the latest bleeding edge Ubuntu or Fedora, the conservative among us using RedHat, Centos or Ubuntu LTS are left out in the dark a bit. It took me a weekend, but here are my findings.
Getting the Code. This was the weirdest thing for me, it seems the repo uses a combination of Subversion and Mercurial, so you’ll need both.
Install Subversion and Mercurial.
yum install subversion python-devel docutils
You must install the latest version of Mercurial, the one on the Centos repo is too old to work properly. Download latest mercurial from http://mercurial.selenic.com/downloads/
untar it (tar -xvf <filename>), change into the directory tar creates and “make install”
Mercurial is a bunch of python scripts, so make install is all that’s needed to put it into place.
Now you should be OK to download the actual source code for this CompSci epic. One command is all that’s needed here. Took days to work out why this didn’t work (solution above). Let me know if you have any more issues with it.
hg clone https://code.google.com/p/google-authenticator/
As root change into the directory you get +/libpam and run
For ssh logins edit /etc/pam.d/ssh and add the line
auth required pam_google_authenticator.so
as the first rule, just under the #%PAM-1.0 line and you’re ready to rock.
Restart sshd (not sure if this is needed, but might as well)
service sshd restart
Now login as your regular ssh user and run the command
You’ll get asked a few questions and get a link to a QR code that the app on your phone can scan to set you up in seconds. Copy all the output to a text file on your laptop for safety. When you log in again you’ll be asked for a code, then your password and you’re in.
I’ll be looking into how this works, and any security concerns going forward, and will post anything else interesting here. Have fun securing your systems!
Sign up with this link and we'll both get an extra 5GB.
Best cloud storage for the security minded, and works best with Linux too!