Sunday, 17 August 2014

OSX Proxy [on/off] Script

#!/bin/bash
# Toggle the HTTP and HTTPS proxy state for the Wi-Fi network service.

# Match only the "Enabled: No" status line, so that a proxy server name
# containing "No" is not mistaken for the disabled state.
e=$(networksetup -getwebproxy wi-fi | grep "^Enabled: No")

if [ -n "$e" ]; then
  echo "Turning on proxy"
#  sudo networksetup -setstreamingproxystate wi-fi on
#  sudo networksetup -setsocksfirewallproxystate wi-fi on
  sudo networksetup -setwebproxystate wi-fi on
  sudo networksetup -setsecurewebproxystate wi-fi on
else
  echo "Turning off proxy"
#  sudo networksetup -setstreamingproxystate wi-fi off
#  sudo networksetup -setsocksfirewallproxystate wi-fi off
  sudo networksetup -setwebproxystate wi-fi off
  sudo networksetup -setsecurewebproxystate wi-fi off
fi

Wednesday, 23 July 2014

Extend Windows 7 VirtualBox Disk


  1. Use the VirtualBox client to create a new disk of the size you want in the same directory as your guest.
  2. Clone the old disk to the new.  Open a command prompt, navigate to the guest directory and run:
     VBoxManage clonehd   --existing
  3. Attach the new disk to the guest and detach the old disk.  Ensure the new disk is first in the list / SATA 0.
  4. Guest should now boot up.  If you find it asks you to select a boot disk then the order is incorrect as per step 3.
  5. Open Windows disk manager. It will currently show the old size with #GB free.  Right click, extend, follow the prompts.
  6. Confirm everything is good and you can delete the old disk.
That's it, you're done ...

Thursday, 19 June 2014

Re-enable the Apple-provided Java SE 6 web plug-in and Web Start features

Use this at your own risk, as Apple and most people distrust Java.


Taken from http://support.apple.com/kb/HT5559

  1. Open Terminal, located in the Utilities folder.
  2. Enter this command, then press the Return or Enter key: 
    sudo mkdir -p /Library/Internet\ Plug-Ins/disabled 
  3. Enter this command, then press the Return or Enter key:
    sudo mv /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin /Library/Internet\ Plug-Ins/disabled
  4. Enter this command, then press the Return or Enter key:
    sudo ln -sf /System/Library/Java/Support/Deploy.bundle/Contents/Resources/JavaPlugin2_NPAPI.plugin /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin 
  5. To re-enable Java SE 6 Web Start, enter this command, then press the Return or Enter key:
    sudo ln -sf /System/Library/Frameworks/JavaVM.framework/Commands/javaws /usr/bin/javaws

Additional Information

The following steps will undo the above commands and restore Java 7 in OS X Lion and later.
  1. Disable Java SE 6 Web Start opening:
    • Enter this command, then press the Return or Enter key:
      sudo ln -sf /System/Library/Frameworks/JavaVM.framework/Versions/Current/Commands/javaws /usr/bin/javaws
    • When prompted, enter your administrator password, then press the Return or Enter key.
  2. Re-enable the Java 7 applet plug-in by downloading and reinstalling the latest version of Oracle Java 7 JRE.

Thursday, 5 June 2014

Basic Syslog-NG Install & Config

Ubuntu OS, apt syslog-ng install & added the following lines to get a basic UDP server running.


options {
    # <keep all the default options>
    create_dirs(yes);
    dir_perm(0755);
};

source s_net {
    udp(ip(0.0.0.0) port(514));
};

destination d_any_remote {
    file("/var/log/syslog-ng/$HOST/$FACILITY.log");
};

log {
    source(s_net); destination(d_any_remote);
};

Sunday, 20 April 2014

Flash, Chrome & an Atom CPU all walk into a pub

Tried to watch something on 4OD catchup via my HTPC (Zotac ION ATOM 1.6) last week.  Dreadful, choppy and stuttering; in the end I gave up.

Today I decided to debug and see if I could fix it.

Firstly browsing in general also seemed slow.  Hit a well known bandwidth testing site and it was reporting 70-80ms latency.  Odd as no other device in the house showed the same problem, all in the 27-35ms range.

Spent a ton of time looking into this, starting with networking\drivers as the source of the problem; I even started packet tracing!   CLI pings all seemed fine, file download comparisons, all fine.  Finally, and I mean after a day of screwing around and almost a total rebuild, I cleared the cache on Chrome.  Bingo, latency fixed.  WTF! ..

Chrome and pepperflash were throwing the bandwidth test out, and guess what 4OD, flash site .. I think I have found the issue.

Seems like any flash site on Chrome pushes the CPU; on the ATOM it's just too much, 90-100% .. Same on my desktop but it's a way faster CPU so copes.  Never really appreciated what a great job flashblock does for me.

Switched to Firefox & Adobe Flash and all is well again .. for now

Thursday, 17 April 2014

Billion 7800N & Sky Broadband

Despite my disgust for the Murdoch empire when BE Broadband sold out to Sky I was stuck with a decision, particularly as Hyperoptic have just flooded the area I live in.

The BE service got so bad 1-2Mb that in the end I called to cancel.  I walked away with a 12 month Sky deal, 5Mb estimate and basically nothing to pay until September.  After some teething issues they got me the bandwidth promised and I'm relatively happy.  I will still jump to Hyperoptic when I actually need to start paying for a service.

In the meantime I wanted to get my Billion 7800n working on this line .. Forums answered me here.

And for my own memory :

  1. Firmware >1.06h
  2. Follow below :



Thursday, 23 January 2014

64-bit Linux, 32-bit Chrome & Cisco AnyConnect

Obvious when you think about it, but 32-bit Chrome will fail to make the initial SSL/HTTPS connection and so fail to download/prompt for the client.

Switch to Firefox (Other 64Bit browsers are available) and you'll be good.

Wednesday, 1 January 2014

Blocking Facebook Connect/Graph

Browsing the web and you hit a site that displays your friends list, or suggests you 'like' this page because xyz of your friends also do.

Never paid that much attention until my g/f today mentioned my friends appear on sites she looks at. Of course they do! WTF did I never consider this.

Not that we have that type of secret relationship, but the more I dug into Facebook Connect, or Graph as it now seems to be, the more I hated it.

I'm way late to this party but to block this:

  1. Install AdBlock - https://getadblock.com/ & pay this guy money, it's a great product!
  2. Create some filters to block access to the connect URLs: http://dev.mathiasbaert.be/misc/facebook-connect-opt-out.html

and/or add these to the filter list:
facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net

That's it.

Tuesday, 31 December 2013

Suunto Vyper PC Transfer RS232/USB Convertor

I can confirm that a Startech RS232 -> USB convertor works with the original Suunto serial cable.

What's more, I can confirm this setup works with OSX 10.9, VirtualBox 4.3.6 & a Windows 7 guest with DiverManager v3!


This makes me happy!

Tuesday, 20 August 2013

Chef Cookbook Upload Error : getaddrinfo: nodename nor servname provided, or not known (SocketError)

New Chef build. When I tried to upload a cookbook I received the error :

getaddrinfo: nodename nor servname provided, or not known (SocketError)

Some digging and it seems Chef uses the host name of the server it's installed on as the default server name. You can override this default by creating /etc/chef-server/chef-server.rb and setting :

nginx['server_name'] = "<server_name_fqdn>"
nginx['url'] = "https://<server_name_fqdn>"

Monday, 5 August 2013

JIRA Split Regex Mail Handler & Multiple Mail Clients

As a follow up to when I first played with this and my organisation was a Domino shop things have moved on.  Now an Outlook AND Domino shop, and the proliferation of mobile devices meant this simple regex wasn't working for heaps of mail clients.

Atlassian documentation is (currently) sparse on the subject, or maybe my lack of regex fu is the problem.  But found this answer on the 'Answers' site :

https://answers.atlassian.com/questions/54911/jira-comments-from-email

My new regex is :

/From: *|___.*|On .*wrote:|----Orig.*|On .*(JIRA).*/
But the power is now in my hands!

Wednesday, 10 July 2013

CISSP: Don't hate the cert, hate the way it's abused

It's almost 10 months to the day that I passed the (ISC)2 CISSP exam.  What have I gained? Well if I'm honest not very much.

I updated my Linkedin profile, my website and even told a few friends.  I sat back and waited for the job offers to come flooding in, and I waited, and I waited.  And nothing happened.

This is not right! Why am I not lording it up in an InfoSec role being paid an extortionate salary, angels playing harps and beautiful people feeding me peeled grapes?  I tell you why, because a CISSP is not a free ticket to paradise, it's a qualification from an exam you (hopefully) pass.  It shows an ability to understand the content and apply it in, let's be honest, a bloody difficult exam.  But when/if you pass you don't become an InfoSec rock star overnight! It's your experience and knowledge that make you good, or bad.

I can see why the CISSP gets a hard time.  I ran a few job searches for CISSP and the spread of roles that 'require' CISSP is nuts.  Network Engineers, Security Analysts - which when you read the details were just dealing with AV deployments, patching, Pen Testers etc.  These are not roles that the cert brings anything to.

I remember my instructor saying on day 1.
"This is a business cert, not a technical one"
HR, recruitment, and I think a great deal of the industry miss that and so abuse the cert by making it an obligatory requirement for technical roles.  This is where I think the issue lies.

So don't blame the cert, I think there's a place for it.  Blame the way industry uses it.

Wednesday, 5 June 2013

SuSE 12.2 UDP SNMP & Firewall

Zabbix appliance is built on SuSE 12.2 which by default runs SuSEfirewall2.  Problems with allowing UDP SNMP return traffic.

New to SuSE so an introduction to YAST and creating a custom firewall rule resulted in this change in  /etc/sysconfig/SuSEfirewall2 :

FW_SERVICES_ACCEPT_EXT="10.2.0.0/8,udp,,161"

Wednesday, 15 May 2013

Changing an OSX Icon

You're going to copy an image to the clipboard and then paste it into the object properties that you want to change.

So how ever you want to get the image into the clipboard, eg using 'preview'.

Then on the object you wish to change the icon for:
  1. Right click | Get Info
  2. Click the Icon image in the top left of the properties box (blue border) and from the filer menu 'paste'



You can use this technique for any object, apps, folders etc ..

Sunday, 28 April 2013

vSphere 5.1 Client Install & Windows 8

Install requires .net 3.5 which Windows 8 doesn't seem to have. Easiest way I found to fix this was open an elevated permissions command prompt and run :

dism /online /enable-feature /featurename:NetFX3 /all /Source:d:\sources\sxs /LimitAccess

/Source: should reflect the Windows 8 DVD path.

Friday, 19 April 2013

Recovering Windows 7 'updates' Space

Redundant files left over from Windows updates can eat your space.  Not such a problem with the massive disks you get these days but every GB counts when you're virtualising.

Running against my daily Windows 7 VM I recovered 2.5GB.

To clean these up run an elevated permissions command prompt :

dism /online /cleanup-image /spsuperseded /hidesp


Tuesday, 16 April 2013

Nested ESXi Install & Second VMKernel Communication Issues

Attempting to build myself a small lab using a Mac Mini.  Bigger post to follow on that.

If you're running nested ESXi, multiple interfaces and multiple VMKernel vNICs on the second hypervisor layer then do yourself a favour and enable Promiscuous mode on the vSwitch.

The upstream switch only ever learns the first VMKernel MAC (ESXi uses the actual physical interface MAC) and not the subsequent vNIC interfaces so L3 comms will never work to the vNIC, even between devices on the same subnet/vlan.

This probably demands a picture, which it's not going to get right now but this post is about the same problem.

http://communities.vmware.com/message/2091597

Wednesday, 27 February 2013

Ubuntu, Minicom & Cisco

Install Minicom

Find the name of your serial port
Next, you need to find out which device your serial ports (including the USB adapter) are mapped to. The easiest way to do this is to connect the console cable to a running Cisco device. Now open up a Terminal using "Applications > Accessories > Terminal" and type this command:

dmesg | grep tty

The output will look something like one of these:

[    0.788856] serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
[    0.789144] 00:08: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
[94023.461242] usb 2-1: pl2303 converter now attached to ttyUSB0
[107561.131086] type=1503 audit(1260922689.994:33): operation="open" pid=27195 parent=27185 profile="/usr/sbin/cupsd" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/dev/ttyUSB0

Look in this output for words that contain "tty". In this case, it is "ttyS0". That means the name of the device that corresponds to your serial port is "ttyS0". The name of your device that corresponds to your USB port has a definition of name="/dev/ttyUSB0" (make sure it's plugged in). Now we are ready to configure Minicom to use this information.

Configure Minicom

Open a terminal using "Applications > Accessories > Terminal". Now type this command to enter the configuration menu of Minicom:

sudo minicom -s

Use the keyboard arrow keys to select the menu item labeled "Serial Port Setup" and then hit "Enter". Here is what I had to change:

Change the line speed (press E) & change to "9600"

Change the hardware flow control (press F) & change to "No"

Change the serial device (press A) & change to "/dev/ttyS0"

Or to use your USB port, change the serial device to "/dev/ttyUSB0"

Be sure to use the device name that you learned with the grep output.
Once your screen looks like mine, you can hit "Escape" to go back to the main menu. Next, you need to select "Save setup as dfl" and hit "Enter" to save these settings to the default profile. Then select "Exit Minicom" to exit Minicom...

To find out if you have configured Minicom correctly, type this command in the terminal:

sudo minicom

After entering your sudo user password, you should be connected to your Cisco device.

Once inside, press Ctrl+A, to access minicom commands. Press 'Ctrl+A', then 'Z' to access help. Ctrl-A, then another letter, like 'X' & you will eXit. Help will show a list of available commands.

JIRA Jelly script - Transition to Closed

Over the past year or so I've become a big fan of Atlassian's JIRA. I've managed to frig around and get a pretty neat ticket/request solution in place for my company but in doing so I've also become the de facto go-to person.

A new project needed to just receive emails, create an issue and then close it. Steps 1 & 2 are simple with IMAP & Mail listeners. But I wasn't aware of a way to carry out 3.

Enter stage left Jelly Scripts. Scripting language supported within JIRA. Turned out to be rather simple and a couple of hours work turned out :

<!-- This script will parse all tickets matching "${filterNum}" and transition them to Closed state. -->
<!-- Paul Regan 27/2/2013 (Thats a UK Date people !) -->
<JiraJelly xmlns:jira="jelly:com.atlassian.jira.jelly.enterprise.JiraTagLib" xmlns:core="jelly:core" xmlns:log="jelly:log">
<!-- Login as automation user  -->
      <jira:Login username="<jira-user>" password="<password>">

<!-- Set Some variables  -->
      <!-- 2 = Close Issue Transition (NB//TRANSITION NOT STATUS).  Can be seen on the transition URL -->
      <core:set var="workflowStep" value="2" />
      <core:set var="workflowUser" value="<jira-user>" />
      <core:set var="comment" value="This topic has been closed by jelly script automation" />
      <!-- Run the SearchRequestFilter against a filter.  15231 = All Tickets -1 Day or 15232 = All Open Tickets-->
      <!--The numeric comes from the filters URL -->
      <core:set var="filterNum" value="15232" />
      
<!--Run the search using filter defined above -->
<jira:RunSearchRequest filterid="${filterNum}" var="issues" />

<!-- Build array of issues matching filter & run through it -->
      <core:forEach var="issue" items="${issues}">
      <!-- Log updates are written to /opt/atlassian/jira/data/log/atlassian-jira.log. -->
                <log:warn>Closing issue ${issue.key}</log:warn>
                <jira:TransitionWorkflow key="${issue.key}" user="${workflowUser}" workflowAction="${workflowStep}" comment="${comment}"/>
                
                <!-- Useful debugging aid.  Remark the actions and just use this to write a comment in results -->
                <!-- <jira:AddComment comment="This would be closed" issue-key="${issue.key}"/> -->
                <!-- Useful debugging aid.  Remark the actions and just use this to display results -->
                <!-- ${issue.key} -->

      </core:forEach>
      </jira:Login>
</JiraJelly>



Sunday, 24 February 2013

Raspberry PI & OpenVPN


The majority of these instructions come from : blog.remibergsma.com and have been reproduced with kind permission.

Like most things with Linux my working solution was actually a culmination of information from various places.

sudo apt-get install openvpn

After the install finishes, you need to generate keys for the server and the client(s). OpenVPN ships with the ‘easy-rsa’ tool. It’s easiest to copy the example folder and work from there.

sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn
sudo chown -R pi:pi *
cd /etc/openvpn/easy-rsa/2.0

The ‘easy-rsa’-tool has a file called ‘vars’ that you can edit to set some defaults. That will save you time later on but it’s not required to do so.

Load the vars like this (note the two dots):

. ./vars
(dot space dot/vars)

Generate the keys:

./clean-all
./build-ca
./build-key-server <server>
./build-key <client-name>
./build-dh

The first line makes sure we start from scratch. The second generates a key for the Certificate Authority. The key for the server itself is generated on the third line. Repeat the fourth line for each client that needs to connect. Finally, we need the Diffie-Hellman key as well, which is generated on the fifth line and will take a few minutes to complete.

Copy the keys to the OpenVPN folder.

sudo cp ca.crt ca.key dh1024.pem <server>.crt <server>.key /etc/openvpn

Last step is to configure the server. You can copy the example config and make sure it points to the certs you just created.

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
sudo gunzip /etc/openvpn/server.conf.gz
sudo nano /etc/openvpn/server.conf


Change any settings (DHCP scope, OpenVPN port etc) that are particular to your install in server.conf

When you’re done, start OpenVPN like this:

sudo /etc/init.d/openvpn start

The first time I started OpenVPN it failed with :


/var/log/syslog
<snip>
raspberrypi ovpn-server[22119]: OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Apr 28 2012
raspberrypi ovpn-server[22119]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
raspberrypi ovpn-server[22119]: Diffie-Hellman initialized with 1024 bit key
raspberrypi ovpn-server[22119]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
raspberrypi ovpn-server[22119]: Socket Buffers: R=[163840->131072] S=[163840->131072]
raspberrypi ovpn-server[22119]: ROUTE default_gateway=192.168.99.1
raspberrypi ovpn-server[22119]: Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
raspberrypi ovpn-server[22119]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
raspberrypi ovpn-server[22119]: /sbin/ifconfig 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
raspberrypi ovpn-server[22119]: Linux ifconfig failed: external program exited with error status: 1
raspberrypi ovpn-server[22119]: Exiting
</snip>

Another VPN app I have which also uses /dev/net/tun failed with the same error.  Reboot fixed this and so far it's not come back.

Check the state of the TUN0 interface

ifconfig tun0

All being well you’ll see:

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
 inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
 RX packets:49 errors:0 dropped:0 overruns:0 frame:0
 TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:100
 RX bytes:3772 (3.6 KiB) TX bytes:1212 (1.1 KiB)

You should now be able to connect to the OpenVPN server with a client. Whichever client you choose, you will need the client.crt, client.key and ca.crt files plus the IP address of your Raspberry Pi.

I chose TunnelBlick which after a rather convoluted profile setup seems to work well on OSX 10.8.2 (ML)

Have a look at ‘/var/log/syslog’ to access the logfiles. You’d be able to see which client connects:


Jan 5 22:07:56 raspberrypi ovpn-server[14459]: 1.2.3.4:64805 [client-name] Peer Connection Initiated with [AF_INET]1.2.3.4:64805

From the VPN client check that you can ping the LAN IP address of your RPi. Assuming that works, you just need to push some routes around and you should be set.

VPN Client----VPN Subnet---RPI---LAN Subnet

To enable traffic from the VPN network to your local subnet you will need routes on each end to tell devices how and where to send traffic. To enable this on the VPN site :

sudo nano /etc/openvpn/server.conf

Find the push routes section and add a 'push route' statement which reflects your local network address.

You will also need to add a route back to the VPN Subnet, probably by adding a static route to your internet edge device.

Finally, enable routing on the Raspberry Pi:

There are a couple of ways suggested for this but what worked for me :

sudo nano /etc/sysctl.conf
uncomment : net.ipv4.ip_forward=1

Reboot your device.  You should now be able to connect to the VPN and ping other devices on your local network and vice versa to VPN clients.
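
The key-handling steps above copy ca.key into /etc/openvpn beside the server key, hand the tree to the pi user with chown -R, and use 1024-bit Diffie-Hellman parameters. The script below is an added example, not part of the original post or of OpenVPN/easy-rsa, that audits such a directory for those conditions; the function names, finding labels and the 2048-bit threshold are assumptions of this example, and the demo files are constructed empty placeholders.

```bash
#!/bin/bash
# Added example (not from the original post): audit an OpenVPN config
# directory laid out as in the steps above. Prints one finding per line.
# Usage: audit_openvpn_dir DIR [EXPECTED_OWNER]   (owner defaults to root)

audit_openvpn_dir() {
  local dir="$1" owner="${2:-root}" f bits

  # 1. The CA private key signs new certificates; the VPN server never
  #    needs it at runtime, so it should not sit beside the server key.
  if [ -e "$dir/ca.key" ]; then
    echo "ca-key-on-server $dir/ca.key"
  fi

  # 2. Private keys that group or others can read or write.
  find "$dir" -type f -name '*.key' \
    \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) |
  while IFS= read -r f; do
    echo "key-perms-too-open $f"
  done

  # 3. Files not owned by the expected account (after chown -R pi:pi the
  #    login user can replace keys and configuration).
  find "$dir" -type f ! -user "$owner" |
  while IFS= read -r f; do
    echo "unexpected-owner $f"
  done

  # 4. easy-rsa 2.0 names the DH file dh<KEY_SIZE>.pem, so the size is read
  #    from the name (heuristic; the file itself is not parsed).
  for f in "$dir"/dh*.pem; do
    [ -e "$f" ] || continue
    bits=${f##*/dh}
    bits=${bits%.pem}
    case $bits in
      ''|*[!0-9]*) continue ;;
    esac
    if [ "$bits" -lt 2048 ]; then
      echo "dh-params-weak $f ($bits bit)"
    fi
  done
}

# Constructed demo: empty placeholder files named as in the post's cp command.
demo_openvpn_audit() {
  local d
  d=$(mktemp -d) || return 1
  touch "$d/ca.crt" "$d/ca.key" "$d/dh1024.pem" "$d/server.crt" "$d/server.key"
  chmod 644 "$d/server.key"   # world-readable private key: flagged
  chmod 600 "$d/ca.key"       # tight permissions, still flagged for being present
  # Owner is set to the current user so the demo shows only the other checks.
  audit_openvpn_dir "$d" "$(id -u)" | sed "s|$d/||"
  rm -rf "$d"
}

demo_openvpn_audit
```

On a real server, call audit_openvpn_dir /etc/openvpn with no second argument so that anything not owned by root is reported.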