Mikrotik SSTP 100% CPU Load

Hi

I’ve seen that due to some https requests the mikrotik SSTP server uses 100% of CPU
Here some nice script with scheduler which reenables the SSTP server. I’ve seen the bug with the latest ROS 5.20.

/system script
 add name=cpuload policy=ftp,read,write,winbox,api source=":local cpuload [ /system resource get cpu-load ]\r\
 \nif ( \$cpuload = 100 ) do {\r\
 \n/interface sstp-server server set enabled=no\r\
 \n/interface sstp-server server set enabled=yes\r\
 \n:log warning \"CPU Load \$cpuload reenabled sstp service\"\r\
 \n}"

Here the scheduler:

/system scheduler
add disabled=no interval=5m name=cpuloadsstp on-event="/system script run cpuload" policy=ftp,read,write,winbox,api start-date=\
    sep/28/2012 start-time=07:00:33

Have fun!

Get Austrian subnets from Ripe database

Hi
Need from the ripe database the subnets in cidr of some specific country?
Here my nooby approach to get this done.

wget ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest
vim ripeconvert.pl

Paste the following code:

#!/usr/bin/perl

%subnet =();
$subnet{'4'} = "30";
$subnet{'8'} = "29";
$subnet{'16'} = "28";
$subnet{'32'} = "27";
$subnet{'64'} = "26";
$subnet{'128'} = "25";
$subnet{'256'} = "24";
$subnet{'512'} = "23";
$subnet{'1024'} = "22";
$subnet{'2048'} = "21";
$subnet{'4096'} = "20";
$subnet{'8192'} = "19";
$subnet{'16384'} = "18";
$subnet{'32768'} = "17";
$subnet{'65536'} = "16";
$subnet{'131072'} = "15";
$subnet{'262144'} = "14";
$subnet{'524288'} = "13";
$subnet{'1048576'} = "12";
#special ripe database
$subnet{'768'} = "22";
$subnet{'1280'} = "21";
$subnet{'1536'} = "21";
$subnet{'2560'} = "20";
$subnet{'2816'} = "20";
$subnet{'3072'} = "20";
$subnet{'9216'} = "18";
$subnet{'12288'} = "18";
$subnet{'13312'} = "18";

open(INFO,"<delegated-ripencc-latest");
        @ripe = <INFO>;
close(INFO);

sort(@ripe);

foreach $data (@ripe) {
    chomp($data);
    if ( $data =~ /ipv4/ && $data =~ /AT/ ) {
        @sdata = split('\|',$data);
        print @sdata[3]."\/".$subnet{"@sdata[4]"}."\n";
    }
    if ( $data =~ /ipv6/ && $data =~ /AT/ ) {
        @sdata = split('\|',$data);
        print @sdata[3]."\/".@sdata[4]."\n";
    }
}
perl ripeconvert.pl

Have fun!

Spam the Spammers

Hi

Just for fun, here some nice php snippet which I built into my wordpress Blog with some nice plugin called “Executable PHP widget”.
I’ve got some good sources of spam mails from which I use the “Envelope From” domains as source for the script. Hopefully the harvesters would eat up the shit and spammers would spam themselves :-).

<?php

$ii = 0;

while ($ii < 200) {
        $email = createRandomKey(15)."@".getSpammerDomain();
        echo '<font color="#FFFFFF">'.$email."</font>"."<br>"."\n";
        $ii++;
}

function createRandomKey($amount) {
        $keyset = "abcdefghijklmnopqrstuvwxyz0123456789";
        $randkey = "";
        for ($i=0; $i<$amount; $i++)
        $randkey .= substr($keyset, rand(0, strlen($keyset)-1), 1);
        return $randkey;
}
function getSpammerDomain() {
        $domains =array('domain1.tld','domain2.tld','domain3.tld');
        shuffle($domains);
        return $domains[0];
}
?>

Have fun!

sogo auth with mysql and mysql(view) against ispconfig database

hi

fist step let mysql listen on: 0.0.0.0
therefore verify your /etc/mysql/my.cnf

cat /etc/mysql/my.cnf | grep bind
#bind-address		= 127.0.0.1

(should be done @ispconfig install)

create a mysql database and a user and grant all privileges to that user

CREATE USER 'sogo'@'1.1.1.1' IDENTIFIED BY  '***';
GRANT USAGE ON * . * TO  'sogo'@'1.1.1.1' IDENTIFIED BY  '***' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE DATABASE IF NOT EXISTS  `sogo` ;
GRANT ALL PRIVILEGES ON  `sogo` . * TO  'sogo'@'1.1.1.1;

use mysql database as root and create special view

use sogo;
CREATE VIEW sogo_auth_view AS
SELECT  email AS c_uid,
             email AS c_name,
             password AS c_password,
             name AS c_cn,
             email AS mail
FROM dbispconfig.mail_user
WHERE disableimap='n' AND postfix ='y';

in your sogo config set the following lines:

<key>userPasswordAlgorithm</key>
<string>crypt</string>
<key>viewURL</key>
<string>mysql://sogo:yourpass@1.1.1.2:3306/sogo/sogo_auth_view</string>

Have Fun!

bind9 ispconfig dnssec inline signing ubuntu 12.04

hi

here some nice howto:

install ispconfig as shown on howtoforge:
http://www.howtoforg … -dovecot-ispconfig-3

install bind9.9 from ubuntu ppa because bind9.8 does not support inline-signing.
add to your sources list:

deb http://ppa.launchpad.net/malcscott/bind9.9/ubuntu precise main 
deb-src http://ppa.launchpad.net/malcscott/bind9.9/ubuntu precise main
aptitude install bind9

create directory for your zone keys and create em:

[code]mkdir /var/cache/bind/keys/
cd /var/cache/bind/keys/
dnssec-keygen -r /dev/urandom -f KSK domain.tld
dnssec-keygen -r /dev/urandom domain.tld
chown bind:bind *

(this should be patched too in ispconfig) hadn’t got the time for it

patch the ispconfig template as following:
/usr/local/ispconfig/server/conf/bind_named.conf.local.master

--- a/usr/local/ispconfig/server/conf/bind_named.conf.local.master
+++ b/usr/local/ispconfig/server/conf/bind_named.conf.local.master
@@ -4,6 +4,8 @@
 zone "<tmpl_var name='zone'>" {
         type master;
 <tmpl_var name='options'>        file "<tmpl_var name='zonefile_path'>";
+       auto-dnssec maintain;
+       inline-signing yes;
 };
 </tmpl_if>
 </tmpl_loop>

add to your named.conf.options following line:

key-directory "/var/cache/bind/keys/";
service bind9 restart

you must push your DS-RR to your registrar
in my case nic.at
how to extract it out of your public key:

cd /var/cache/bind/keys/
dnssec-dsfromkey -1 Kdomain.tld.KSK#

here some nice links:
https://kb.isc.org/a … -9.9.0-Examples.html
http://fanf.livejournal.com/112476.html
http://wiki.debian.org/DNSSEC
http://dnscheck.iis.se/

have fun!