create custom debian buster live

download your favourite iso

http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/

wget http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/10.2.0-live+nonfree/amd64/iso-hybrid/debian-live-10.2.0-amd64-standard+nonfree.iso
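The ISO above is fetched over plain HTTP, so check it before unpacking and rebuilding it. This is an added example, not part of the original post; it assumes the SHA256SUMS and SHA256SUMS.sign files from the same directory as the ISO have been downloaded next to it, and that the CD signing key is available in the keyring shipped by the debian-keyring package.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against the published checksum list.

# verify_sums_signature SUMS SIG KEYRING
# Checks the detached signature on the checksum list. KEYRING is an assumption:
# the debian-keyring package installs /usr/share/keyrings/debian-role-keys.gpg.
verify_sums_signature() {
    gpgv --keyring "$3" "$2" "$1"
}

# verify_iso ISO SUMS
# Returns 0 only if SUMS lists the ISO's file name and the hash matches.
# Returns 2 if there is no entry (fail closed), 1 on a hash mismatch.
verify_iso() {
    iso=$1
    sums=$2
    name=$(basename "$iso")
    # List format: "<hex digest>  <name>" (or "*<name>" in binary mode)
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "hash mismatch for $name" >&2; return 1; }
}

# Usage:
#   verify_sums_signature SHA256SUMS SHA256SUMS.sign \
#       /usr/share/keyrings/debian-role-keys.gpg &&
#   sh thisfile debian-live-10.2.0-amd64-standard+nonfree.iso SHA256SUMS
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2" || exit $?
    echo "OK: $1"
fi
```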

mount iso

mount -o loop debian-live-10.2.0-amd64-standard+nonfree.iso /mnt/

copy to local workdir

mkdir -p debian-live-custom/workdir

cp -av /mnt/live/filesystem.squashfs debian-live-custom/

unpack squashfs

cd debian-live-custom/workdir

unsquashfs ../filesystem.squashfs

mount binds

mount --bind /dev squashfs-root/dev

mount --bind /sys squashfs-root/sys

mount --bind /proc squashfs-root/proc

chroot

chroot squashfs-root

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

install packages

nano /etc/apt/sources.list

echo "nameserver 8.8.8.8" > /etc/resolv.conf

apt update

dpkg-reconfigure locales

apt install --no-install-recommends vim screen rsync bwm-ng iotop iftop mdadm gddrescue memtester stress openssh-server netrw tcpdump console-data quota ntfs-3g chntpw smbclient testdisk cryptsetup

systemctl disable mdadm

dpkg-reconfigure keyboard-configuration

dpkg-reconfigure console-setup

apt-get clean

sed config files

sed -i /etc/ssh/sshd_config -e s/#PermitRootLogin\ prohibit-password/PermitRootLogin\ yes/

sed -i /etc/ssh/sshd_config -e s/#PasswordAuthentication\ yes/PasswordAuthentication\ yes/

sed -i /etc/vim/vimrc -e s/\"syntax\ on/syntax\ on/

sed -i /root/.bashrc -e s/\#\ export\ LS_OPTIONS=\'--color=auto\'/export\ LS_OPTIONS=\'--color=auto\'/

sed -i /root/.bashrc -e s/\#\ eval\ \"\`dircolors\`\"/eval\ \"\`dircolors\`\"/

sed -i /root/.bashrc -e s/\#\ alias\ ls=\'ls\ \$LS_OPTIONS\'/alias\ ls=\'ls\ \$LS_OPTIONS\'/

sed -i /root/.bashrc -e s/\#\ alias\ ll=\'ls\ \$LS_OPTIONS\ -l\'/alias\ ll=\'ls\ \$LS_OPTIONS\ -l\'/

sed -i /root/.bashrc -e s/\#\ alias\ l=\'ls\ \$LS_OPTIONS\ -lA\'/alias\ l=\'ls\ \$LS_OPTIONS\ -lA\'/

set root password

passwd

exit

umount squashfs-root/dev
umount squashfs-root/sys
umount squashfs-root/proc

create squashfs

mksquashfs squashfs-root/ filesystem.squashfs -comp xz

prepare live iso

copy to local workdir

mkdir debian-live-iso-custom

cp -av /mnt/* debian-live-iso-custom/

cp -av /mnt/.disk debian-live-iso-custom/

cd debian-live-iso-custom

edit disk info corresponding to xorriso -V option

vim .disk/info

Debian 10.1 amd64 custom nonfree

copy custom squashfs

cp ../filesystem.squashfs live/filesystem.squashfs

create iso

xorriso -as mkisofs -V 'Debian 10.1 amd64 custom nonfree' -o ../debian-live-10.1-custom-amd64-nonfree.iso -J -joliet-long -cache-inodes -isohybrid-mbr /usr/lib/syslinux/bios/isohdpfx.bin -b isolinux/isolinux.bin -c isolinux/boot.cat -boot-load-size 4 -boot-info-table -no-emul-boot -eltorito-alt-boot -e boot/grub/efi.img -no-emul-boot -isohybrid-gpt-basdat -isohybrid-apm-hfsplus .

debian update i-mscp 1.0 to 1.5

Hi

Upgrade i-mscp 1.0 to 1.1, then upgrade Debian to jessie

cd /usr/local/src
wget https://github.com/i-MSCP/imscp/archive/1.1.21.tar.gz
tar -xzf 1.1.21.tar.gz
cd imscp-1.1.21

#use build
perl imscp-autoinstall -c -a -d -f

rm -fR /var/www/imscp/{daemon,engine,gui}
cp -fR /tmp/imscp/* /
rm -fR /tmp/imscp

#i-mscp bug (error with external packages pma roundcube etc)
vim /var/www/imscp/engine/setup/imscp-setup-methods.pl
#[\&setupPreInstallAddons, 'Addons pre-installation'],
#[\&setupInstallAddons, 'Addons installation'],
#[\&setupPostInstallAddons, 'Addons post-installation'],

mkdir -p /var/www/imscp/gui/public/tools/filemanager/data
mkdir /var/www/imscp/gui/public/tools/pma
mkdir -p /var/www/imscp/gui/public/tools/webmail/logs

perl /var/www/imscp/engine/setup/imscp-setup -a -d

sed -i /etc/apt/sources.list -e s/wheezy/jessie/
apt-get update
apt-get dist-upgrade

Upgrade i-mscp 1.1 to 1.2, then upgrade Debian to stretch

cd /usr/local/src/
wget https://github.com/i-MSCP/imscp/archive/1.2.17.tar.gz
tar -xzf 1.2.17.tar.gz
cd imscp-1.2.17

#use build
perl imscp-autoinstall -d

rm -fR /var/www/imscp/{daemon,engine,gui}
cp -fR /tmp/imscp/* /
rm -fR /tmp/imscp

#i-mscp bug (error with external packages pma roundcube etc)
vim /var/www/imscp/engine/setup/imscp-setup-methods.pl
#[ \&setupPreInstallPackages, 'Packages pre-installation' ],
#[ \&setupInstallPackages, 'Packages installation' ],
#[ \&setupPostInstallPackages, 'Packages post-installation' ],

mkdir -p /var/www/imscp/gui/public/tools/ftp/data

perl /var/www/imscp/engine/setup/imscp-setup -d

sed -i /etc/apt/sources.list -e s/jessie/stretch/
apt update
apt dist-upgrade

Upgrade i-mscp 1.2 to 1.5

cd /usr/local/src
wget https://github.com/i-MSCP/imscp/archive/1.5.3-2018120800.tar.gz
tar -xzf 1.5.3-2018120800.tar.gz
cd imscp-1.5.3-2018120800

#use manual
perl imscp-autoinstall -d

rm -fR /var/www/imscp/{daemon,engine,gui}
cp -fR /tmp/imscp/* /
rm -fR /tmp/imscp

perl /var/www/imscp/engine/setup/imscp-reconfigure -d

Debian dist-upgrade changes mysql default charset to utf8

In this case we want latin1 as our default charset, because this server runs very old software.

sed -i /etc/mysql/mariadb.conf.d/50-client.cnf -e s/utf8mb4/latin1/

sed -i /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf -e s/utf8mb4/latin1/

sed -i /etc/mysql/mariadb.conf.d/50-server.cnf -e s/utf8mb4_general_ci/latin1_swedish_ci/

sed -i /etc/mysql/mariadb.conf.d/50-server.cnf -e s/utf8mb4/latin1/

Have fun!

Raspbian Jessie f2fs Raspberry PI 3

Hi

Short howto:

* install f2fs utils

pacman -S f2fs-tools

* create working directory

mkdir /root/raspbian
cd /root/raspbian

* Download and unzip your raspbian image, then write it to your SD-Card

dd if=2017-04-10-raspbian-jessie-lite.img of=/dev/sdX bs=512k status=progress

* Put your SD-Card into your PI
* Let it setup everything

* install f2fs-tools on your PI

apt-get install f2fs-tools

* Shutdown your PI
* Insert your SD-Card into your PC
* Create directories

mkdir mnt
mkdir mnt/boot
mkdir mnt/root
mkdir boot
mkdir root

* mount raspbian SD-Card

mount /dev/sdX1 mnt/boot
mount /dev/sdX2 mnt/root

* make backup

rsync -av --numeric-ids mnt/boot/ boot/
rsync -av --numeric-ids mnt/root/ root/

* unmount raspbian SD-Card

umount mnt/boot
umount mnt/root

* recreate filesystems

mkfs.vfat /dev/sdX1
mkfs.f2fs /dev/sdX2

* mount raspbian SD-Card again

mount /dev/sdX1 mnt/boot
mount /dev/sdX2 mnt/root

* copy files to SD-Card

rsync -av --numeric-ids boot/ mnt/boot/
rsync -av --numeric-ids root/ mnt/root/

* edit cmdline.txt

sed -i 's/rootfstype=ext4/rootfstype=f2fs/' mnt/boot/cmdline.txt

* edit etc/fstab

sed -i 's/ext4/f2fs/' mnt/root/etc/fstab

* unmount filesystems

umount mnt/boot
umount mnt/root

You're done :-)

Have fun!

Mikrotik RouterOS 6.38 IKEv2 Strongswan RSA Auth howto

Hi there,

a) setup clock of your routerboard

/system ntp client set primary-ntp=192.168.223.2
/system clock set time-zone-name=Europe/Vienna

b) generate certificates

/certificate add common-name="paranoids.at Root CA" name=ca     
/certificate sign ca ca-crl-host=192.168.223.106
/certificate add common-name=test.paranoids.at subject-alt-name=IP:test.paranoids.at key-usage=tls-server name=server1
/certificate sign server1 ca=ca
/certificate add common-name=client1@test.paranoids.at key-usage=tls-client name=client1
/certificate sign client1 ca=ca

c) configure your server

/export compact                                                      
# jan/06/2017 12:21:49 by RouterOS 6.38
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip pool
add name=pool1 ranges=192.168.33.0/27
/ip ipsec mode-config
add address-pool=pool1 address-prefix-length=32 name=test
/ip address
add address=192.168.99.1/24 interface=ether2 network=192.168.99.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dns static
add address=192.168.223.106 name=test
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server1 dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 \
    mode-config=test passive=yes
/ip ipsec policy
set 0 dst-address=192.168.33.0/27 src-address=0.0.0.0/0

d) export client certificates

/certificate export-certificate ca
/certificate export-certificate client1 export-passphrase=1234567890

e) import client certificates to strongswan (file ending is important)

 scp admin@192.168.223.106:/cert_export_client1.crt .
 scp admin@192.168.223.106:/cert_export_client1.key .
 scp admin@192.168.223.106:/cert_export_ca.crt .
 mv cert_export_ca.crt /etc/ipsec.d/cacerts/cert_export_ca.pem
 mv cert_export_client1.crt /etc/ipsec.d/certs/cert_export_client1.pem
 mv cert_export_client1.key /etc/ipsec.d/private/cert_export_client1.pem

f) configure strongswan properly

/etc/ipsec.conf

conn test
 keyexchange=ikev2
 ike=aes256-sha256-modp2048
 esp=aes256-sha256-modp2048
 ikelifetime=24h
 lifetime=30m
 dpddelay=120s
 left=%defaultroute
 leftsourceip=%config
 leftcert=cert_export_client1.pem
 leftid=client1@test.paranoids.at
 leftfirewall=yes
 right=192.168.223.106
 rightsubnet=192.168.99.0/24
 rightid="CN=test.paranoids.at" 
 auto=add

/etc/ipsec.secrets

: RSA cert_export_client1.pem "1234567890"

g) fire up your vpn

:~# systemctl restart strongswan
:~# ipsec up test

Resources:
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Ikev2_Server_Setup

Hint:
For strongswan under Debian Jessie you have to remove the passphrase from the private key!
For Android set Server-Identity: CN=test.paranoids.at!
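
One way to do the passphrase removal from the hint and confirm the result still belongs to the exported client certificate. This is an added example, not part of the original post; the file names follow step e), and KEY_PASS is an assumed environment variable holding the export passphrase.

```shell
#!/bin/sh
# Added example (not from the original post). File names follow step e);
# KEY_PASS is an assumed environment variable holding the export passphrase.

# strip_passphrase ENC_KEY OUT_KEY
# Writes an unencrypted copy of the RSA key, readable by its owner only.
# The passphrase is read from $KEY_PASS so it never shows up in the process list.
strip_passphrase() {
    (
        umask 077
        openssl rsa -in "$1" -passin env:KEY_PASS -out "$2" 2>/dev/null
    ) || { echo "cannot decrypt $1" >&2; return 1; }
    chmod 600 "$2"
}

# key_matches_cert KEY CERT
# Returns 0 only if the private key and the certificate hold the same public key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$kpub" = "$cpub" ]
}

# Run as:
#   KEY_PASS=... sh thisfile cert_export_client1.key cert_export_client1.crt
if [ "$#" -eq 2 ]; then
    out=/etc/ipsec.d/private/cert_export_client1.pem
    strip_passphrase "$1" "$out" && key_matches_cert "$out" "$2" || exit 1
    # With an unencrypted key the ipsec.secrets entry needs no passphrase:
    #   : RSA cert_export_client1.pem
fi
```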

Have fun!

Debian on Barracuda NG F10 Firewall

Hi

While I was tearing down the firewall the CF-Slot jumped right into my eyes. Every Linux guy might think the same. :-)

So I debootstrapped a CF-card, made it bootable and right after the first try, bam, working.
The hardware got freed from the proprietary Linux OS and crappy tools and … yes, the backdoors, bugs and security holes, because you won’t get any free downloadable firmware updates. This is really annoying on Barracuda firewalls. It’s a shitty firewall. Every crappy TP-Link does the same things in production.

Have fun!