September 27, 2017

run X program headless in Linux

On remote server:
1. run "xvfb-run xterm" (replace xterm with your program). The runs a virtual frame-buffer/X server. The default display is :99. You can change that.
2. find out where the X auth file is written. Default iat /tmp/xvfb-run.XXXX/Xauthority.
3. x11vnc -display :99 -nopw -auth /tmp/xvfb-run.o3K0jQ/Xauthority

 on your local desktop, run vnc viewer to connect to the remote server. You can set up password in the server if you want to.

September 25, 2017

Linux L2tp client setup for Mac OS X vpn server

Instructions below are based on the work at https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#linux
Commands must be run as root on your VPN client.
To set up the VPN client, first install the following packages:
# Ubuntu & Debian
apt-get update
apt-get -y install strongswan xl2tpd

# CentOS & RHEL
yum -y install epel-release
yum -y install strongswan xl2tpd

# Fedora
yum -y install strongswan xl2tpd
Create VPN variables (replace with actual values):
VPN_SERVER_IP='your_vpn_server_ip'
VPN_IPSEC_PSK='your_ipsec_pre_shared_key'
VPN_USER='your_vpn_username'
VPN_PASSWORD='your_vpn_password'
Configure strongSwan:
cat > /etc/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

# Add connections here.

# Sample VPN connections

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn myvpn
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=$VPN_SERVER_IP
  rightid=%any
EOF

cat > /etc/ipsec.secrets <<EOF
: PSK "$VPN_IPSEC_PSK"
EOF

chmod 600 /etc/ipsec.secrets

# For CentOS/RHEL & Fedora ONLY
mv /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.old 2>/dev/null
mv /etc/strongswan/ipsec.secrets /etc/strongswan/ipsec.secrets.old 2>/dev/null
ln -s /etc/ipsec.conf /etc/strongswan/ipsec.conf
ln -s /etc/ipsec.secrets /etc/strongswan/ipsec.secrets
Configure xl2tpd:
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[lac myvpn]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF

cat > /etc/ppp/options.l2tpd.client <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name $VPN_USER
password $VPN_PASSWORD
EOF

chmod 600 /etc/ppp/options.l2tpd.client
The VPN client setup is now complete. Follow the steps below to connect.

Note: You must repeat all steps below every time you try to connect to the VPN.
Create xl2tpd control file:
mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control
Restart services:
service strongswan restart
service xl2tpd restart
Start the IPsec connection:
# Ubuntu & Debian
ipsec up myvpn

# CentOS/RHEL & Fedora
strongswan up myvpn
Start the L2TP connection:
echo "c myvpn" > /var/run/xl2tpd/l2tp-control
Run ifconfig and check the output. You should now see a new interface ppp0.
Check your existing default route:
ip route

September 12, 2017

Compile GoLang for AR9341

Golang support for MIPS 32 has been added since version 1.8. However, Soft FPU is not added, making chipsets like AR9341 not able to run Go program. "vstafanovic" has submitted the patch but
it has not been accepted yet in 1.9.0. Hopefully it will make to 1.10

At the same time, you can apply the patch yourself to version 1.8.3:

1. Download the patch
2. Download Golang 1.8.3 source code and apply the patch
3. cd src; ./bash.all

If everything goes well, you will have a compiled go toolchain.

To compile your application to MIPS, do:
GOOS=linux GOARCH=misp GOMIPS=softfloat go build

July 31, 2017

automatically set gnu screen window title

http://scie.nti.st/2008/8/19/1-minute-post-hostname-as-screen-window-title/

In short, add this line to the remote host's .bashrc:

[ "$TERM" = "screen" ] && PROMPT_COMMAND='echo -ne "\033k$HOSTNAME\033\\"'

July 20, 2017

Setting ssh server to an user to only SFTP to the user's home directory

Here is a guide for setting up SFTP users who’s access is restricted to their home directory.

Add the following to the end of the /etc/ssh/sshd_config file:
Subsystem sftp internal-sftp

# This section must be placed at the very end of sshd_config
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

This means that all users in the ‘sftponly’ group will be chroot’d to their home directory, where they only will be able to run internal SFTP processes.

Now you can create the group sftponly by running the following command:
$ groupadd sftponly
Set a user’s group:
$ usermod steve -g sftponly
To deny SSH shell access, run the following command:
$ usermod steve -s /bin/false
And set the user’s home directory:
$ sudo chown root /home/steve
$ sudo chmod go-w /home/steve
$ sudo mkdir /home/steve/writable
$ sudo chown steve:sftponly /home/steve/writable
$ sudo chmod ug+rwX /home/steve/writable


Finally, you probably need to restart SSH
$ service ssh restart

The SSH part should now be in order, but you should make sure that file permissions also are correct. If the chroot environment is in a user’s home directory both /home and /home/username must be owned by root and should have permissions along the lines of 755 or 750.
In other words, every folder leading up to and including the home folder must be owned by root, otherwise you will get the following error after logging in:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer

June 15, 2017

xxd reverse with an offset

When using xxd to reverse a hex dump file, if you hexdump file has a non-0 offset like this:

bc000000: 01 02 03 04 05 06 07 08  ........

You would need to use the "-s offset" option of the xxd. However, there is a bug in the code that makes this options only works as the FIRST option. Otherwise, it wouldn't work.

You want to do this:

xxd -s -0xbc000000 -r -g 1 test.dump test.bin

Basically the xxd is hardcoded to look for the offset at argv[2].

Another alternative:
https://github.com/pheehs/hexdump2bin/blob/master/hexdump2bin.py