amd64 Archives - ☩ Walking in Light with Christ - Faith, Computing, Diary ☩ Walking in Light with Christ

Posts Tagged ‘amd64’

How to add Bulgarian language to GCompris Kids education software on Debian 12 GNU / Linux installing gcompris via flatpak next generation package distribution tool

Monday, January 26th, 2026

As I have a small currently 5.5 years old Kid Dimitar at home and i'm doing my best to make him learn new things and advance in different areas of life and knowledge.

Today Decided to introduce him to Linux4Kids gcompris a KDE educational set of games for small children.
Once installed with simple

# apt install gcompris-qt

It works fine and default version installable from default Debian distribution is fine, except it does not support Bulgarian.

That is again not a nice suprise, as even some pseudo languages like Belarusian are there to set but Bulgarian missing on the default installable pack:

# dpkg -l |grep -i gcompris
ii gcompris-qt 3.1-2 amd64 educational games for small children
ii gcompris-qt-data 3.1-2 all data files for gcompris-qt

After some tampering and unable to find a native .deb port of the latest release and my undesire to move from debian 12 (bookworm) Desktop Linux laptop at the moment to Debian 13 Trixie, i've finally found a way to install it via flatpak:

For those who never used snap package ecosystem or flatpak, here is a shortly synthesis on it:

Flatpak is an open-source, next-generation framework for building, distributing, and running sandboxed desktop applications on Linux.
It enables developers to package apps once and run them on any Linux distribution by including all necessary dependencies.
Flatpak improves security by isolating applications from the host system.

Flatpaks are containerized applications. They require more space because the bring along their own versions of their dependencies instead of relying on system versions.

While a single application will have greater space requirements, the base images [and potentially overlays] will get shared between them and each successive flatpak will potentially require less overhead.

The pros to using them is that flatpaks are often more current than their distribution packaged versions and they are somewhat isolated from the base system. The cons are that they're not managed with the rest of your system packages, can have slower start times, occasionally have permissions issues, and take up more space.

In some cases, flatpak is a better choice. Sometimes, it's not, and there's no way we can really determine that for you.

Tried up to my best to install the newest version of gcompris which as of time of writting this blog post is gcompris 25.1

# apt info flatpak|grep -i 'descr' -A8 -B8

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Recommends: ca-certificates, default-dbus-system-bus | dbus-system-bus, desktop-file-utils, hicolor-icon-theme, gtk-update-icon-cache, libpam-systemd, p11-kit, polkitd | policykit-1, shared-mime-info, xdg-desktop-portal (>= 1.6), xdg-desktop-portal-gtk (>= 1.6) | xdg-desktop-portal-backend, xdg-user-dirs
Suggests: avahi-daemon, malcontent-gui
Conflicts: xdg-app
Replaces: xdg-app
Homepage: https://flatpak.org/
Download-Size: 1,400 kB
APT-Manual-Installed: yes
APT-Sources: http://ftp.debian.org/debian bookworm/main amd64 Packages
Description: Application deployment framework for desktop apps
Flatpak installs, manages and runs sandboxed desktop application bundles.
Application bundles run partially isolated from the wider system, using
containerization techniques such as namespaces to prevent direct access
to system resources. Resources from outside the sandbox can be accessed
via "portal" services, which are responsible for access control; for
example, the Documents portal displays an "Open" dialog outside the
sandbox, then allows the application to access only the selected file.

# apt install flatpak

# flatpak remote-add –if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
# flatpak install flathub org.kde.gcompris
# flatpak run org.kde.gcompris

If you have sound glitches of gcompris on Older laptops install all necessery for pipewire run it like that:

# apt install pipewire pipewire-audio-client-libraries pipewire-pulse

Try to run it manually with:

# env PULSE_LATENCY_MSEC=60 ; flatpak run org.kde.gcompris

If still sound glithches are present a workaround is to tune PipeWire buffer/quantum size:

PipeWire buffer/quantum size too aggressive?

Many crackling issues come from too small quantum. Create ~/.config/pipewire/pipewire.conf.d/99-custom.conf

# vim ~/.config/pipewire/pipewire.conf.d/99-custom.conf
and add:textcontext.properties = {
default.clock.rate = 48000
default.clock.quantum = 1024
default.clock.min-quantum = 512
default.clock.max-quantum = 2048
}

#systemctl –user restart pipewire pipewire-pulse

Create a new wrapper script to run you gcompris easily

# vim /usr/local/bin/gcompris.sh

#!/bin/bash
# little hack script to make music streamed via pulseaudio to not have severe glitches when running gcompris latest release on debian 12
# through flatpak
# if not working run cmd
# systemctl –user restart pipewire
LANG=bg_BG.UTF-8
SDL_AUDIODRIVER=pulseaudio
#flatpak run –device=all –socket=pulseaudio org.kde.gcompris
flatpak override –user –env=SDL_AUDIODRIVER=pulseaudio org.kde.gcompris
flatpak override –user –filesystem=~/.config/pipewire:ro org.kde.gcompris
LANG=bg_BG.UTF-8 flatpak run –socket=pulseaudio org.kde.gcompris

# chmod +x /usr/local/bin/gcompris.sh

Hence I run the wrapper script and let the kid enjoy the nice educational stuff while I enjoyed the nice kiddish peaceful music !

# /usr/local/bin/gcompris.sh

P.S. ! If you get issues with pipewire (if you're using one instead of pulseaudio as I do with my Mate desktop environment you can restart it and relaunch the gcompris nice addition to tux4kids (see my previous article Tux for Kids (Tux Math, Tux Paint, Tux Typing) 3 games to develop your children Intellect):

# systemctl –user restart pipewire

Enjoy Gcompris !

Tags: access, after, again, ALL, allows, amd64, Bulgarian, clock, config, Debian, default, Description Application, gcompris, How to, kde, org, scripts, small, software, system resources
Posted in Educational, Games Linux, Linux, Various | No Comments »

Fix Update KB5060999 Not Installing On Windows 11 Version 23H2/22H2 / Fix windows Update failed

Thursday, July 24th, 2025

fix-Update-KB5060999-Not_Installing_On_Windows_11_Version_23H2_22H2-howto-update-screenshot

Recently I've stumbled across a very annoying issue on my work Laptop. Suddenly windows stopped being upadted it took me really long time of hours of researching to find out how to resolve the error:

Fix Update KB5060999 Not Installing On Windows 11 Version 23H2/22H2 / Fix windows Update failed

After a lot of catch / tries I can manage to Find a fix Thanks God!

Here are the few steps I took to resolve it, first I've taken all the steps pointed at the Complete Guide Windows Problems it took really long time but even thouigh I did not manage to resolve the issue it give a lot of understanding on different ways of how windows components stick together and how to debug and solve errors if such ones occurs. Thus I warmly recommend it to anyone working as HelpDesk support admin within corporation or if you are a Windows specialist who makes a living from resolving weird unexpected Windows errors for some little money.

Once I went through a lot of underwater stones and nothing word finally I managed to solve it by following these concrete steps:

1. Check logs and find error message / problems in CBS.log

C:\> notepad c:\windows\Logs\CBS\CBS.log

The root of the issue I found there as a repeating error messages is:

"InternalOpenPackage failed for Package_for_KB3025096~31bf3856ad364e35~amd64~~6.4.1.0 [HRESULT = 0x800f0805 – CBS_E_INVALID_PACKAGE]"

2. Download from Windows catalog the Update

windows11.0-kb5049624-x64-ndp481_6990e824379adc100fd7895adb30e692697381d7.msu to C:\User\myuser\Downloads

3. Use Winrar or 7Zip to extract the msu in local Directory

E.g.open Administrator command line cmd.exe extract in lets say in \Users\Username\Downloads\
windows11.0-kb5049624-x64-ndp481_6990e824379adc100fd7895adb30e692697381d7

C:\Users/a768839/Downloads/windows11.0-kb5049624-x64-ndp481_6990e824379adc100fd7895adb30e692697381d7 > dir
WSUSSCAN.cab

4. Remove old package existing on the Windows 11 OS with the same name using DISM tool with /online /remove-package options

C:\Users\myuser\Downloads\windows11.0-kb5049624-x64-ndp481_6990e824379adc100fd7895adb30e692697381d7>DISM /online /remove-package /packagepath:C:\Users\a768839\Downloads\windows11.0-kb5049624-x64-ndp481_6990e824379adc100fd7895adb30e692697381d7\Windows11.0-KB5049624-x64-NDP481.cab Deployment Image Servicing and Management tool Version: 10.0.22621.2792 Image Version: 10.0.22631.5335 Processing 1 of 1 – Removing package Package_for_DotNetRollup_481~31bf3856ad364e35~amd64~~10.0.9294.1 [==========================100.0%================]
The operation completed successfully.

5. Use DISM /online /add-package to manually insatall windows11.0-kb5049624-x64-ndp481_6990e824379adc100fd7895adb30e692697381d7\Windows11.0-KB5049624-x64-NDP481.cab

Assuming you have already downloaded previously and exctracted the .msu file and you have the .cab file at hand run again as cmd.exe Admin

C:\Users\myuser\Downloads\windows11.0-kb5049624-x64-ndp481_6990e824379adc100fd7895adb30e692697381d7>DISM /online /add-package /packagepath:C:\Users\a768839\Downloads\windows11.0-kb5049624-x64-ndp481_6990e824379adc100fd7895adb30e692697381d7\Windows11.0-KB5049624-x64-NDP481.cab Deployment Image Servicing and Management tool Version: 10.0.22621.2792 Image Version: 10.0.22631.5335 Processing 1 of 1 – Adding package Package_for_DotNetRollup_481~31bf3856ad364e35~amd64~~10.0.9294.1 [==========================100.0%==========================] The operation completed successfully.

The idea to remove and install the failing package found in the CBS.log was initially found on
http://datadump.ru/windows-update-error-800f0831/

6. Force a Windows chkdsk (Check disk on next restart) to make sure no physical hard drive or some other inode Windows Filesystem errors are there

Within same Admin cmd.exe

C:\Users\myuser\> chkdsk /f C:\

Once command executes reboot the PC and wait for the chkdsk scan to complete and PC to Boot as usual

7. Stop / start wuauserv and do sfc /scannow to refresh some Windows update components

Run following set of commands within Admin cmd

C:\> net stop wuauserv
C:\> command prompt in admin mode
C:\> dism /online /cleanup-image /startcomponentcleanup
C:\> sfc /scannow
C:\> restart
C:\> sfc /scannow
C:\> net start wuauserv

8. Download Manually failing update from Windows catalog download site:

As of time of writting this article the URL to download is https://catalog.update.microsoft.com/Search.aspx?q=KB5049624%20%20

C:\Users\myuser\Downloads> dir *.msu
windows11.0-kb5060999-x64_99e39c1cf8a8976d9b3313efb38069876c417f70.msu

9. Run Manually again failing Update from command line

Run cmd as Administrator and exec the file:

C:\Users\myuser\Downloads\windows11.0-kb5060999-x64_99e39c1cf8a8976d9b3313efb38069876c417f70.msu

Wait for the install to complete The computer will need to restart

10. Resync the device to the Computer Domain (mandatory step) only if your PC is part of large organizational Domain

Open Microsoft Store / Company Portal and Sync the device (if necessery)

Settings -> Sync

11. Force the PC to sync itself with remote Global Domain policies (mandatory only if PC is part of Domain)

C:\Users\myuser> gpupdate /force
C:\Users\myuser> repadmin /showrepl

Wait for Synchronization and wait for some time for computer compliancy to get back to normal (Computer compliancy might not be an issue if this is a Personal Windows installation) but for computers part of Larger Windows Domains, where a Domain policy requires a compliancy to set of rules)

To come up with this guide and better understand what is going on to resolve it I have to thank my colleague Eduard for assisting me to read the CBS.log and analyze it and also the following forum thread reading explaining what causes the mysterious windows update Update KB5060999 Not Installing On Windows 11 Version 23H2/22H2 to fail.

Tags: amd64, aspx, cmd, command, command prompt, download, exec, forum thread, hard drive, issue, log, logs, long time, lot, make, Management, net, online, OS, Pc, refresh, resolve, run, sync, update, Users Username Downloads, wait, Windows
Posted in Everyday Life, Hacks, System Administration, Windows | No Comments »

How to use gocryptfs to encrypt directory to secure data on Linux / BSD / Unix and Windows

Tuesday, July 22nd, 2025

Cryptography - gocryptfs

If you have sensitive data concentrated in single folder like plain text files with some important data or files that needs to be visible only after decrypted GoCryptFS is a very elegant way to be able to both have the data encrypted but be able to access it at times with a password.

gocryptfs – simple. secure. fast encryption.

gocryptfs uses file-based encryption that is implemented as a mountable FUSE filesystem. Each file in gocryptfs is stored one corresponding encrypted file on the hard disk. The screenshot below shows a mounted gocryptfs filesystem (left) and the encrypted files (right).

The encrypted files can be stored in any folder on your hard disk, a USB stick or even inside the Dropbox folder. One advantage of file-based encryption as opposed to disk encryption is that encrypted files can be synchronised efficiently using standard tools like Dropbox or rsync. Also, the size of the encrypted filesystem is dynamic and only limited by the available disk space.

To use gocryptfs to encrypt a directory on Linux (or macOS), follow these steps. gocryptfs is a FUSE-based encrypted file system that encrypts files on-the-fly and presents a decrypted view when mounted.

Step-by-step: Encrypting a Directory with gocryptfs

# apt-cache show gocryptfs

Package: gocryptfs
Version: 2.3.1-1
Priority: optional
Section: utils
Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
Architecture: amd64
Depends: libc6 (>= 2.34)
Description-en: Encrypted overlay filesystem written in Go
gocryptfs implements an encrypted overlay filesystem that is similar
to EncFS, but uses FUSE and Go. Encryption is done per-file, and directory
structure is preserved. This allows incremental backups and deduplication.
Homepage: https://github.com/rfjakob/gocryptfs

1. Install gocryptfs

On Debian/Ubuntu:

# apt install gocryptfs

On Arch Linux:

# pacman -S gocryptfs

On macOS (install via Homebrew tool):

# brew install gocryptfs

2. Create Two Directories

One for the encrypted data (encrypted_dir)
One to mount the decrypted view (decrypted_mountpoint)

# mkdir ~/encrypted_dir mkdir ~/decrypted_mountpoint

3. Initialize Encrypted Directory

This sets up the encryption config:

# gocryptfs -init ~/encrypted_dir

You will be prompted to create a password. This is needed to mount/decrypt the filesystem.

4. Mount the Encrypted Directory

Now mount the encrypted directory into the decrypted mount point:

# gocryptfs ~/encrypted_dir ~/decrypted_mountpoint

It will ask for the password you created during initialization.

An ls of the directory would look unencrypted like so:

# ls -1 /encrypted_dir/
├── notes.txt
├── photo.jpg
└── projects/
└── report.docx

5. Use the Decrypted View

Now anything you put inside ~/decrypted_mountpoint is automatically encrypted and stored in ~/encrypted_dir. For example:

# echo "secret" > ~/decrypted_mountpoint/secret.txt

You'll see secret.txt encrypted in ~/encrypted_dir as a file with a scrambled name.

6. Unmount When Done

When finished seeing the data or adding new data into the mounted directrory,
to unmount the decrypted view:

On Linux

# fusermount -u ~/decrypted_mountpoint

On macOS or alternative other Unix compatible OS like Free OpenBSD

# umount ~/decrypted_mountpoint

# ls -1 /decrypted_dir/
├── gocryptfs.conf
├── 2YI8IfnpP6qThZUE1Mo-YA
├── 8o8TUS3LgI6K0WZjaPAjkg
└── WmJyYmAKoLJINkWyXr3UAw/

7. AutoMount on boot

To automount on boot or login, consider using systemd or a shell script with your password securely managed.

To mount / unmount encrypted directory you can create a tiny shell script like this:

# cd /usr/local/bin/
# cat mount_crypted.sh
#!/bin/bash
gocryptfs /directory/encrypted/info /directory/encrypted/info-decrypted/
cd /directory/encrypted/info-decrypted/

8. Use Case Example for gocryptfs -reverse

You can use gocryptfs -reverse to create a read-only encrypted mirror of an existing plaintext folder.

Lets say You have this:

/home/user/documents/ ← your plaintext files

You want to create an encrypted view of it at:

/mnt/encrypted_view/

First, create a gocryptfs config:

This can be anywhere, just not inside your plaintext folder.

mkdir ~/.gocryptfs-reverse-config gocryptfs -init ~/.gocryptfs-reverse-config

Mount in reverse mode:

# gocryptfs -reverse -config ~/.gocryptfs-reverse-config/gocryptfs.conf /home/user/documents /mnt/encrypted_view

Now

/mnt/encrypted_view

contains encrypted versions of your documents.

!!! You must not edit or write to

/mnt/encrypted_view

– it's read-only. !!!

9. Create Archive or Sync Backup

For example, make a secure encrypted backup:

rsync -avz /mnt/encrypted_view/ /backup/encrypted/

Or upload to cloud storage (Dropbox, Google Drive, etc.).

Decrypt later on another machine:

Mount the encrypted copy in normal mode:

# gocryptfs /backup/encrypted/ /mnt/decrypted_view

You'll be prompted for the password used when creating the config.

10. Few more Tips

You can also mount with

-ko allow_other

if you want other users to see the encrypted view.

To avoid storing the password, use

–passfile FILE

or integrate with

gopass

10. Use gocryptfs cppcryptfs (native Windows port)

To use on Windows there are different ways to make gocryptfs work on windows:

Option 1: Use gocryptfs via WinFsp + Cygwin or WSL
Option 2: Use gocryptfs with WSL (Windows Subsystem for Linux)
Option 3 (recommended) one – use the native cppcryptfs

Just download the app and install it as any normal Windows app and you're done:

cppcryptfs

It's a native Windows version of gocryptfs
100% compatible with gocryptfs (same encryption format)
Supports drag-and-drop, File Explorer, etc.
No need for WSL or Cygwin

For more details on how gocryptfs works and how to install it on multiple platforms check out the original site https://nuetzlich.net/gocryptfs/

Tags: amd64, Arch Linux, bash, boot, config, created, Decrypted View, encrypted data, encryption, filesystem, How to, Initialize Encrypted Directory, Install, login, machine, mnt, password, sensitive data, shell script, stored, Supports, use
Posted in Computer Security, Curious Facts, Debian, Linux | No Comments »

All Debian Linux package repository apt sources.list file for Debian versions 6, 7, 8, 9, 10, 11 and 12

Friday, May 31st, 2024

debian-package-management-repositories-for-all-distributions

If you have to administrate legacy Debian servers, that keeps hanging either for historical reasons or just because you didn't have time to upgrade it up to latest versions, machines that are hanging in the hangar or a mid office building Old server room, doing nothing but simply NAT (Network Address Translation), Proxying, serving traffic via Squid / Haproxy / Apache / Varnish or Nginx server but you still want to have the possibility to extend the OS even though it is out of date / End of Life reached and out of support as well as perhaps full of security holes, but due to its unvisibility on the Internet hanging in a Demilitarized network the machine stayed on the Local (DMZ)-ed network and still for example you need to install simple things for administration reasons locally on the machine, for example nmap or netcat or some of the network tools for monitoring such as iftop or iptraf etc. you might find out unfortunately that this is not possible anymore, because the configured /etc/apt/sources.list repository mirror is no longer available at its URL. Thus to restore the functioning of apt and apt-get pkg management tools on Debian you need to correct the broken missing package mirrors due to resructurings on the network with a correct ones, originally provided by Debian or eventually if this doesn't work a possible Debian package archive URL.

In this article, I'll simply provide such URLs you might use to correct your no longer functioning package manager due to package repositoriy unavailibility, below are the URLs (most of which that should be working as of year 2024). To resolve the issues edit and place the correct Debian version you're using.

1. Check the version of the Debian Linux

# cat /etc/debian_version
…

or use the universal way to check the linux OS, that should be working on almost all Linux distributions

# cat /etc/issue
Debian GNU/Linux 9 \n \l

2. Modify /etc/apt/sources.list and place URL according to Debian distro version

# vim /etc/apt/sources.list

3. Repositories URL list Original and Archived for .deb packages according to Debian distro release
Debian 6 (Wheezy)

Original repostiroes (Not Available and Not working anymore as of year 2024)

Old Archived .deb repository for 6 Squeeze

deb http://archive.debian.org/debian squeeze main
deb http://archive.debian.org/debian squeeze-lts main

Debian 7 (Wheezy)

Original repostiroes (Not Available and Not working anymore as of year 2024)

Old Archived .deb repository for Jessie (still working as of 2024) :

deb http://archive.debian.org/debian wheezy main contrib non-free
deb http://archive.debian.org/debian-security wheezy/updates main

( Security updates are not provided anymore.)

NOTE: If you get an error about keyrings, just install it

# apt-get install debian-archive-keyring

Debian 8 (Jessie)
Original .deb package repository with non-free included for Debian 8 "Jessie"

deb http://deb.debian.org/debian/ jessie main contrib non-free
deb http://ftp.debian.org/debian/ jessie-updates main contrib
deb http://security.debian.org/ jessie/updates main contrib non-free

Old Archived .deb repository for 8 Jessie (still working as of 2024):

deb http://archive.debian.org/debian/ jessie main non-free contrib
deb-src http://archive.debian.org/debian/ jessie main non-free contrib
deb http://archive.debian.org/debian-security/ jessie/updates main non-free contrib
deb-src http://archive.debian.org/debian-security/ jessie/updates main non-free contrib

# echo "Acquire::Check-Valid-Until false;" | tee -a /etc/apt/apt.conf.d/10-nocheckvalid

# apt-get update

# apt-get update && apt-get upgrade

If you need backports, first be warned that these are archived and no longer being updated; they may have security bugs or other major issues. They are not supported in any way.

deb http://archive.debian.org/debian/ jessie-backports main

Debian 9 (Stretch)
Original .deb package repository with non-free included for Debian 9 "Stretch":

deb http://deb.debian.org/debian/ stretch main contrib non-free
deb http://deb.debian.org/debian/ stretch-updates main contrib non-free
deb http://security.debian.org/ stretch/updates main contrib non-free

Archived old repository .deb for Stretch :

deb http://archive.debian.org/debian/ stretch main contrib non-free
deb http://archive.debian.org/debian/ stretch-proposed-updates main contrib non-free
deb http://archive.debian.org/debian-security stretch/updates main contrib non-free

Debian 10 (Buster)
Origian repository URL:

deb http://deb.debian.org/debian/ buster main non-free contrib
deb http://deb.debian.org/debian/ buster-updates main non-free contrib
deb http://security.debian.org/ buster/updates main non-free contrib

Fixing unworking backports for Debian 10 Buster

Change the /etc/apt/sources.list URL with this one

deb http://archive.debian.org/debian buster-backports main contrib non-free

If you want to list packages installed via the backports repository only, that needs to be replaced with newer versions (if such available from the repository)

# apt list –installed | grep backports
# dpkg –list | grep bpo
# dpkg –list | grep -E '^ii.*bpo.*'

ii libpopt0:amd64 1.18-2 amd64 lib for parsing cmdline parameters
ii libuutil3linux 2.0.3-9~bpo10+1 amd64 Solaris userland utility library for Linux
ii libzfs4linux 2.0.3-9~bpo10+1 amd64 OpenZFS filesystem library for Linux

Debian 11 (Bullseye)
Origianl repository address:

deb http://deb.debian.org/debian bullseye main contrib non-free
deb http://deb.debian.org/debian bullseye-updates main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main contrib non-free

Debian 12 (Bookworm)
Original Repository :

deb http://deb.debian.org/debian bookworm main contrib non-free-firmware non-free
deb http://deb.debian.org/debian bookworm-updates main contrib non-free-firmware non-free
deb http://security.debian.org/debian-security bookworm-security main contrib non-free-firmware non-free

Add Backports to sources.list

deb http://deb.debian.org/debian bookworm-backports main

Thats all, hopefully that would help some sysadmin out there. Enjoy !

Tags: about, administrate, Administration, ALL, amd64, amp, and, ANY, anymore, apache, apt-get, archive, are, article, available, being, Below, broken, bugs, building
Posted in Debian, Linux, Linux Package Management, Migration, OS Update, Remote System Administration, System Administration | No Comments »

Monitoring network traffic tools to debug network issues in console interactively on Linux

Thursday, December 14th, 2023

transport-layer-fourth-layer-data-transport-diagram

In my last article Debugging and routing network issues on Linux (common approaches), I've given some step by step methology on how to debug a network routing or unreachability issues between network hosts. As the article was mostly targetting a command line tools that can help debugging the network without much interactivity. I've decided to blog of a few other tools that might help the system administrator to debug network issues by using few a bit more interactive tools. Throughout the years of managing multitude of Linux based laptops and servers, as well as being involved in security testing and penetration in the past, these tools has always played an important role and are worthy to be well known and used by any self respecting sys admin or network security expert that has to deal with Linux and *Unix operating systems.

1. Debugging what is going on on a network level interactively with iptraf-ng

Historically iptraf and today's iptraf is also a great tool one can use to further aid the arsenal debug a network issue or Protocol problem, failure of packets or network interaction issues SYN -> ACK etc. proto interactions and check for Flag states and packets flow.

To use iptraf-ng which is a ncurses based tool just install it and launch it and select the interface you would like to debug trafic on.

To install On Debians distros

# apt install iptraf-ng –yes

# iptraf-ng

iptraf-ng-linux-select-interface-screen

Session-Layer-in-OSI-Model-diagram

2. Use hackers old tool sniffit to monitor current ongoing traffic and read plain text messages

Those older who remember the rise of Linux to the masses, should remember sniffit was a great tool to snoop for traffic on the network.

root@pcfreak:~# apt-cache show sniffit|grep -i description -A 10 -B10
Package: sniffit
Version: 0.5-1
Installed-Size: 139
Maintainer: Joao Eriberto Mota Filho <eriberto@debian.org>
Architecture: amd64
Depends: libc6 (>= 2.14), libncurses6 (>= 6), libpcap0.8 (>= 0.9.8), libtinfo6 (>= 6)
Description-en: packet sniffer and monitoring tool
Sniffit is a packet sniffer for TCP/UDP/ICMP packets over IPv4. It is able
to give you a very detailed technical info on these packets, as SEQ, ACK,
TTL, Window, etc. The packet contents also can be viewed, in different
formats (hex or plain text, etc.).
.
Sniffit is based in libpcap and is useful when learning about computer
networks and their security.
Description-md5: 973beeeaadf4c31bef683350f1346ee9
Homepage: https://github.com/resurrecting-open-source-projects/sniffit
Tag: interface::text-mode, mail::notification, role::program, scope::utility,
uitoolkit::ncurses, use::monitor, use::scanning, works-with::mail,
works-with::network-traffic
Section: net
Priority: optional
Filename: pool/main/s/sniffit/sniffit_0.5-1_amd64.deb
Size: 61796
MD5sum: ea4cc0bc73f9e94d5a3c1ceeaa485ee1
SHA256: 7ec76b62ab508ec55c2ef0ecea952b7d1c55120b37b28fb8bc7c86645a43c485

Sniffit is not installed by default on deb distros, so to give it a try install it

# apt install sniffit –yes
# sniffit

sniffit-linux-check-tcp-traffic-screenshot

3. Use bmon to monitor bandwidth and any potential traffic losses and check qdisc pfifo
Linux network stack queues

root@pcfreak:~# apt-cache show bmon |grep -i description
Description-en: portable bandwidth monitor and rate estimator
Description-md5: 3288eb0a673978e478042369c7927d3f
root@pcfreak:~# apt-cache show bmon |grep -i description -A 10 -B10
Package: bmon
Version: 1:4.0-7
Installed-Size: 146
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Architecture: amd64
Depends: libc6 (>= 2.17), libconfuse2 (>= 3.2.1~), libncursesw6 (>= 6), libnl-3-200 (>= 3.2.7), libnl-route-3-200 (>= 3.2.7), libtinfo6 (>= 6)
Description-en: portable bandwidth monitor and rate estimator
bmon is a commandline bandwidth monitor which supports various output
methods including an interactive curses interface, lightweight HTML output but
also simple ASCII output.
.
Statistics may be distributed over a network using multicast or unicast and
collected at some point to generate a summary of statistics for a set of
nodes.
Description-md5: 3288eb0a673978e478042369c7927d3f
Homepage: http://www.infradead.org/~tgr/bmon/
Tag: implemented-in::c, interface::text-mode, network::scanner,
role::program, scope::utility, uitoolkit::ncurses, use::monitor,
works-with::network-traffic
Section: net
Priority: optional
Filename: pool/main/b/bmon/bmon_4.0-7_amd64.deb
Size: 47348
MD5sum: c210f8317eafa22d9e3a8fb8316e0901
SHA256: 21730fc62241aee827f523dd33c458f4a5a7d4a8cf0a6e9266a3e00122d80645

root@pcfreak:~# apt install bmon –yes

root@pcfreak:~# bmon

4. Use nethogs net diagnosis text interactive tool

NetHogs is a small 'net top' tool.
Instead of breaking the traffic down per protocol or per subnet, like most tools do, it groups bandwidth by process.

root@pcfreak:~# apt-cache show nethogs|grep -i description -A10 -B10
Package: nethogs
Source: nethogs (0.8.5-2)
Version: 0.8.5-2+b1
Installed-Size: 79
Maintainer: Paulo Roberto Alves de Oliveira (aka kretcheu) <kretcheu@gmail.com>
Architecture: amd64
Depends: libc6 (>= 2.15), libgcc1 (>= 1:3.0), libncurses6 (>= 6), libpcap0.8 (>= 0.9.8), libstdc++6 (>= 5.2), libtinfo6 (>= 6)
Description-en: Net top tool grouping bandwidth per process
NetHogs is a small 'net top' tool. Instead of breaking the traffic down per
protocol or per subnet, like most tools do, it groups bandwidth by process.
NetHogs does not rely on a special kernel module to be loaded.
Description-md5: 04c153c901ad7ca75e53e2ae32565ccd
Homepage: https://github.com/raboof/nethogs
Tag: admin::monitoring, implemented-in::c++, role::program,
uitoolkit::ncurses, use::monitor, works-with::network-traffic
Section: net
Priority: optional
Filename: pool/main/n/nethogs/nethogs_0.8.5-2+b1_amd64.deb
Size: 30936
MD5sum: 500047d154a1fcde5f6eacaee45148e7
SHA256: 8bc69509f6a8c689bf53925ff35a5df78cf8ad76fff176add4f1530e66eba9dc

root@pcfreak:~# apt install nethogs –yes

# nethogs

5;.Use iftop – to display network interface usage

root@pcfreak:~# apt-cache show iftop |grep -i description -A10 -B10
Package: iftop
Version: 1.0~pre4-7
Installed-Size: 97
Maintainer: Markus Koschany <apo@debian.org>
Architecture: amd64
Depends: libc6 (>= 2.29), libncurses6 (>= 6), libpcap0.8 (>= 0.9.8), libtinfo6 (>= 6)
Description-en: displays bandwidth usage information on an network interface
iftop does for network usage what top(1) does for CPU usage. It listens to
network traffic on a named interface and displays a table of current bandwidth
usage by pairs of hosts. Handy for answering the question "Why is my Internet
link so slow?".
Description-md5: f7e93593aba6acc7b5a331b49f97466f
Homepage: http://www.ex-parrot.com/~pdw/iftop/
Tag: admin::monitoring, implemented-in::c, interface::text-mode,
role::program, scope::utility, uitoolkit::ncurses, use::monitor,
works-with::network-traffic
Section: net
Priority: optional
Filename: pool/main/i/iftop/iftop_1.0~pre4-7_amd64.deb
Size: 42044
MD5sum: c9bb9c591b70753880e455f8dc416e0a
SHA256: 0366a4e54f3c65b2bbed6739ae70216b0017e2b7421b416d7c1888e1f1cb98b7

root@pcfreak:~# apt install –yes iftop

iftop-interactive-network-traffic-output-linux-screenshot

6. Ettercap (tool) to active and passive dissect network protocols for in depth network and host analysis

root@pcfreak:/var/www/images# apt-cache show ettercap-common|grep -i description -A10 -B10
Package: ettercap-common
Source: ettercap
Version: 1:0.8.3.1-3
Installed-Size: 2518
Maintainer: Debian Security Tools <team+pkg-security@tracker.debian.org>
Architecture: amd64
Depends: ethtool, geoip-database, libbsd0 (>= 0.0), libc6 (>= 2.14), libcurl4 (>= 7.16.2), libgeoip1 (>= 1.6.12), libluajit-5.1-2 (>= 2.0.4+dfsg), libnet1 (>= 1.1.6), libpcap0.8 (>= 0.9.8), libpcre3, libssl1.1 (>= 1.1.1), zlib1g (>= 1:1.1.4)
Recommends: ettercap-graphical | ettercap-text-only
Description-en: Multipurpose sniffer/interceptor/logger for switched LAN
Ettercap supports active and passive dissection of many protocols
(even encrypted ones) and includes many feature for network and host
analysis.
.
Data injection in an established connection and filtering (substitute
or drop a packet) on the fly is also possible, keeping the connection
synchronized.
.
Many sniffing modes are implemented, for a powerful and complete
sniffing suite. It is possible to sniff in four modes: IP Based, MAC Based,
ARP Based (full-duplex) and PublicARP Based (half-duplex).
.
Ettercap also has the ability to detect a switched LAN, and to use OS
fingerprints (active or passive) to find the geometry of the LAN.
.
This package contains the Common support files, configuration files,
plugins, and documentation. You must also install either
ettercap-graphical or ettercap-text-only for the actual GUI-enabled
or text-only ettercap executable, respectively.
Description-md5: f1d894b138f387661d0f40a8940fb185
Homepage: https://ettercap.github.io/ettercap/
Tag: interface::text-mode, network::scanner, role::app-data, role::program,
uitoolkit::ncurses, use::scanning
Section: net
Priority: optional
Filename: pool/main/e/ettercap/ettercap-common_0.8.3.1-3_amd64.deb
Size: 734972
MD5sum: 403d87841f8cdd278abf20bce83cb95e
SHA256: 500aee2f07e0fae82489321097aee8a97f9f1970f6e4f8978140550db87e4ba9

root@pcfreak:/ # apt install ettercap-text-only –yes

root@pcfreak:/ # ettercap -C

7. iperf and netperf to measure connecitivity speed on Network LAN and between Linux server hosts

iperf and netperf are two very handy tools to measure the speed of a network and various aspects of the bandwidth. It is mostly useful when designing network infrastructure or building networks from scratch.

If you never used netperf in the past here is a description from man netperf

NAME
netperf – a network performance benchmark

SYNOPSIS
netperf [global options] — [test specific options]

DESCRIPTION
Netperf is a benchmark that can be used to measure various aspects of
networking performance. Currently, its focus is on bulk data transfer
and request/response performance using either TCP or UDP, and the
Berkeley Sockets interface. In addition, tests for DLPI, and Unix Do‐
main Sockets, tests for IPv6 may be conditionally compiled-in.

root@freak:~# netperf
MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to localhost () port 0 AF_INET : demo
Recv Send Send
Socket Socket Message Elapsed
Size Size Size Time Throughput
bytes bytes bytes secs. 10^6bits/sec

87380 65536 65536 10.00 17669.96

Testing UDP network throughput using NetPerf

Change the test name from TCP_STREAM to UDP_STREAM. Let’s use 1024 (1MB) as the message size to be sent by the client.
If you receive the following error send_data: data send error: Network is unreachable (errno 101) netperf: send_omni:

send_data failed: Network is unreachable, add option -R 1 to remove the iptable rule that prohibits NetPerf UDP flow.

$ netperf -H 172.31.56.48 -t UDP_STREAM -l 300 — -R 1 -m 1024
MIGRATED UDP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 172.31.56.48 () port 0 AF_INET
Socket Message Elapsed Messages
Size Size Time Okay Errors Throughput
bytes bytes secs # # 10^6bits/sec

212992 1024 300.00 9193386 0 251.04
212992 300.00 9131380 249.35

UDP Throughput in a WAN

$ netperf -H HOST -t UDP_STREAM -l 300 — -R 1 -m 1024
MIGRATED UDP STREAM TEST from (null) (0.0.0.0) port 0 AF_INET to (null) () port 0 AF_INET : histogram : spin interval
Socket Message Elapsed Messages
Size Size Time Okay Errors Throughput
bytes bytes secs # # 10^6bits/sec

9216 1024 300.01 35627791 0 972.83
212992 300.01 253099 6.91

Testing TCP throughput using iPerf

Here is a short description of iperf

NAME
iperf – perform network throughput tests

SYNOPSIS
iperf -s [options]

iperf -c server [options]

iperf -u -s [options]

iperf -u -c server [options]

DESCRIPTION
iperf 2 is a tool for performing network throughput and latency mea‐
surements. It can test using either TCP or UDP protocols. It supports
both unidirectional and bidirectional traffic. Multiple simultaneous
traffic streams are also supported. Metrics are displayed to help iso‐
late the causes which impact performance. Setting the enhanced (-e) op‐
tion provides all available metrics.

The user must establish both a both a server (to discard traffic) and a
client (to generate traffic) for a test to occur. The client and server
typically are on different hosts or computers but need not be.

Run iPerf3 as server on the server:

$ iperf3 –server –interval 30
———————————————————–
Server listening on 5201
———————————————————–

Test TCP Throughput in Local LAN

$ iperf3 –client 172.31.56.48 –time 300 –interval 30
Connecting to host 172.31.56.48, port 5201
[ 4] local 172.31.100.5 port 44728 connected to 172.31.56.48 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-30.00 sec 1.70 GBytes 488 Mbits/sec 138 533 KBytes
[ 4] 30.00-60.00 sec 260 MBytes 72.6 Mbits/sec 19 489 KBytes
[ 4] 60.00-90.00 sec 227 MBytes 63.5 Mbits/sec 15 542 KBytes
[ 4] 90.00-120.00 sec 227 MBytes 63.3 Mbits/sec 13 559 KBytes
[ 4] 120.00-150.00 sec 228 MBytes 63.7 Mbits/sec 16 463 KBytes
[ 4] 150.00-180.00 sec 227 MBytes 63.4 Mbits/sec 13 524 KBytes
[ 4] 180.00-210.00 sec 227 MBytes 63.5 Mbits/sec 14 559 KBytes
[ 4] 210.00-240.00 sec 227 MBytes 63.5 Mbits/sec 14 437 KBytes
[ 4] 240.00-270.00 sec 228 MBytes 63.7 Mbits/sec 14 516 KBytes
[ 4] 270.00-300.00 sec 227 MBytes 63.5 Mbits/sec 14 524 KBytes
– – – – – – – – – – – – – – – – – – – – – – – – –
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-300.00 sec 3.73 GBytes 107 Mbits/sec 270 sender
[ 4] 0.00-300.00 sec 3.73 GBytes 107 Mbits/sec receiver

Test TCP Throughput in a WAN Network

$ iperf3 –client HOST –time 300 –interval 30
Connecting to host HOST, port 5201
[ 5] local 192.168.1.73 port 56756 connected to HOST port 5201
[ ID] Interval Transfer Bitrate
[ 5] 0.00-30.00 sec 21.2 MBytes 5.93 Mbits/sec
[ 5] 30.00-60.00 sec 27.0 MBytes 7.55 Mbits/sec
[ 5] 60.00-90.00 sec 28.6 MBytes 7.99 Mbits/sec
[ 5] 90.00-120.00 sec 28.7 MBytes 8.02 Mbits/sec
[ 5] 120.00-150.00 sec 28.5 MBytes 7.97 Mbits/sec
[ 5] 150.00-180.00 sec 28.6 MBytes 7.99 Mbits/sec
[ 5] 180.00-210.00 sec 28.4 MBytes 7.94 Mbits/sec
[ 5] 210.00-240.00 sec 28.5 MBytes 7.97 Mbits/sec
[ 5] 240.00-270.00 sec 28.6 MBytes 8.00 Mbits/sec
[ 5] 270.00-300.00 sec 27.9 MBytes 7.81 Mbits/sec
– – – – – – – – – – – – – – – – – – – – – – – – –
[ ID] Interval Transfer Bitrate
[ 5] 0.00-300.00 sec 276 MBytes 7.72 Mbits/sec sender
[ 5] 0.00-300.00 sec 276 MBytes 7.71 Mbits/sec receiver

$ iperf3 –client 172.31.56.48 –interval 30 -u -b 100MB
Accepted connection from 172.31.100.5, port 39444
[ 5] local 172.31.56.48 port 5201 connected to 172.31.100.5 port 36436
[ ID] Interval Transfer Bandwidth Jitter Lost/Total Datagrams
[ 5] 0.00-30.00 sec 354 MBytes 98.9 Mbits/sec 0.052 ms 330/41774 (0.79%)
[ 5] 30.00-60.00 sec 355 MBytes 99.2 Mbits/sec 0.047 ms 355/41903 (0.85%)
[ 5] 60.00-90.00 sec 354 MBytes 98.9 Mbits/sec 0.048 ms 446/41905 (1.1%)
[ 5] 90.00-120.00 sec 355 MBytes 99.4 Mbits/sec 0.045 ms 261/41902 (0.62%)
[ 5] 120.00-150.00 sec 354 MBytes 99.1 Mbits/sec 0.048 ms 401/41908 (0.96%)
[ 5] 150.00-180.00 sec 353 MBytes 98.7 Mbits/sec 0.047 ms 530/41902 (1.3%)
[ 5] 180.00-210.00 sec 353 MBytes 98.8 Mbits/sec 0.059 ms 496/41904 (1.2%)
[ 5] 210.00-240.00 sec 354 MBytes 99.0 Mbits/sec 0.052 ms 407/41904 (0.97%)
[ 5] 240.00-270.00 sec 351 MBytes 98.3 Mbits/sec 0.059 ms 725/41903 (1.7%)
[ 5] 270.00-300.00 sec 354 MBytes 99.1 Mbits/sec 0.043 ms 393/41908 (0.94%)
– – – – – – – – – – – – – – – – – – – – – – – – –
[ ID] Interval Transfer Bandwidth Jitter Lost/Total Datagrams
[ 5] 0.00-300.04 sec 3.45 GBytes 98.94 Mbits/sec 0.043 ms 4344/418913 (1%)

UDP Throughput in a WAN

$ iperf3 –client HOST –time 300 -u -b 7.7MB
Accepted connection from 45.29.190.145, port 60634
[ 5] local 172.31.56.48 port 5201 connected to 45.29.190.145 port 52586
[ ID] Interval Transfer Bandwidth Jitter Lost/Total Datagrams
[ 5] 0.00-30.00 sec 27.4 MBytes 7.67 Mbits/sec 0.438 ms 64/19902 (0.32%)
[ 5] 30.00-60.00 sec 27.5 MBytes 7.69 Mbits/sec 0.446 ms 35/19940 (0.18%)
[ 5] 60.00-90.00 sec 27.5 MBytes 7.68 Mbits/sec 0.384 ms 39/19925 (0.2%)
[ 5] 90.00-120.00 sec 27.5 MBytes 7.68 Mbits/sec 0.528 ms 70/19950 (0.35%)
[ 5] 120.00-150.00 sec 27.4 MBytes 7.67 Mbits/sec 0.460 ms 51/19924 (0.26%)
[ 5] 150.00-180.00 sec 27.5 MBytes 7.69 Mbits/sec 0.485 ms 37/19948 (0.19%)
[ 5] 180.00-210.00 sec 27.5 MBytes 7.68 Mbits/sec 0.572 ms 49/19941 (0.25%)
[ 5] 210.00-240.00 sec 26.8 MBytes 7.50 Mbits/sec 0.800 ms 443/19856 (2.2%)
[ 5] 240.00-270.00 sec 27.4 MBytes 7.66 Mbits/sec 0.570 ms 172/20009 (0.86%)
[ 5] 270.00-300.00 sec 25.3 MBytes 7.07 Mbits/sec 0.423 ms 1562/19867 (7.9%)
– – – – – – – – – – – – – – – – – – – – – – – – –
[ ID] Interval Transfer Bandwidth Jitter Lost/Total Datagrams
[ 5] 0.00-300.00 sec 272 MBytes 7.60 Mbits/sec 0.423 ms 2522/199284 (1.3%)
[SUM] 0.0-300.2 sec 31 datagrams received out-of-order

Sum it up what learned

Debugging network issues and snooping on a Local LAN (DMZ) network on a server or home LAN is useful to debug for various network issues and more importantly track and know abou tsecurity threads such as plain text passowd communication via insecure protocols a failure of proper communication between Linux network nodes at times, or simply to get a better idea on what kind of network is your new purchased dedicated server living in .It can help you also strenghten your security and close up any possible security holes, or even help you start thinking like a security intruder (cracker / hacker) would do. In this article we went through few of my favourite tools I use for many years quite often. These tools are just part of the tons of useful *Unix free tools available to do a network debug. Tools mentioned up are worthy to install on every server you have to administratrate or even your home desktop PCs, these are iptraf, sniffit, iftop, bmon, nethogs, nmon, ettercap, iperf and netperf.
If you have some other useful tools used on Linux sys admin tasks please share, I'll be glad to know it and put them in my arsenal of used tools.

Enjoy ! 🙂

Tags: about, ack, admin, administrator, Aid, amd64, and, ANY, architecture, are, arp, bandwidth, console, information, issues, linux network, Monitoring, network stack, root, use
Posted in Computer Security, Linux, Networking | No Comments »

Apache disable requests to not log to access.log Logfile through SetEnvIf and dontlog httpd variables

Monday, October 11th, 2021

Logging to Apache access.log is mostly useful as this is a great way to keep log on who visited your website and generate periodic statistics with tools such as Webalizer or Astats to keep track on your visitors and generate various statistics as well as see the number of new visitors as well most visited web pages (the pages which mostly are attracting your web visitors), once the log analysis tool generates its statistics, it can help you understand better which Web spiders visit your website the most (as spiders has a predefined) IP addresses, which can give you insight on various web spider site indexation statistics on Google, Yahoo, Bing etc. . Sometimes however either due to bugs in web spiders algorithms or inconsistencies in your website structure, some of the web pages gets double visited records inside the logs, this could happen for example if your website uses to include iframes.

Having web pages accessed once but logged to be accessed twice hence is erroneous and unwanted, and though that usually have to be fixed by the website programmers, if such approach is not easily doable in the moment and the website is running on critical production system, the double logging of request can be omitted thanks to a small Apache log hack with SetEnvIf Apache config directive. Even if there is no double logging inside Apache log happening it could be that some cron job or automated monitoring scripts or tool such as monit is making periodic requests to Apache and this is garbling your Log Statistics results.

In this short article hence I'll explain how to do remove certain strings to not get logged inside /var/log/httpd/access.log.

1. Check SetEnvIf is Loaded on the Webserver

On CentOS / RHEL Linux:

# /sbin/apachectl -M |grep -i setenvif
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
setenvif_module (shared)

On Debian / Ubuntu Linux:

# /usr/sbin/apache2ctl -M |grep -i setenvif
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-default.conf:1
setenvif_module (shared)

2. Using SetEnvIf to omit certain string to get logged inside apache access.log

SetEnvIf could be used either in some certain domain VirtualHost configuration (if website is configured so), or it can be set as a global Apache rule from the /etc/httpd/conf/httpd.conf

To use SetEnvIf you have to place it inside a <Directory …></Directory> configuration block, if it has to be enabled only for a Certain Apache configured directory, otherwise you have to place it in the global apache config section.

To be able to use SetEnvIf, only in a certain directories and subdirectories via .htaccess, you will have defined in <Directory>

AllowOverride FileInfo

The general syntax to omit a certain Apache repeating string from keep logging with SetEnvIf is as follows:

SetEnvIf Request_URI "^/WebSiteStructureDirectory/ACCESS_LOG_STRING_TO_REMOVE$" dontlog

General syntax for SetEnvIf is as follows:

SetEnvIf attribute regex env-variable

SetEnvIf attribute regex [!]env-variable[=value] [[!]env-variable[=value]] …

Below is the overall possible attributes to pass as described in mod_setenvif official documentation.

Host

User-Agent

Referer

Accept-Language

Remote_Host: the hostname (if available) of the client making the request.

Remote_Addr: the IP address of the client making the request.

Server_Addr: the IP address of the server on which the request was received (only with versions later than 2.0.43).

Request_Method: the name of the method being used (GET, POST, etc.).

Request_Protocol: the name and version of the protocol with which the request was made (e.g., "HTTP/0.9", "HTTP/1.1", etc.).

Request_URI: the resource requested on the HTTP request line – generally the portion of the URL following the scheme and host portion without the query string.

Next locate inside the configuration the line:

CustomLog /var/log/apache2/access.log combined

To enable filtering of included strings, you'll have to append env=!dontlog to the end of line.

CustomLog /var/log/apache2/access.log combined env=!dontlog

You might be using something as cronolog for log rotation to prevent your WebServer logs to become too big in size and hard to manage, you can append env=!dontlog to it in same way.

If you haven't used cronolog is it is perhaps best to show you the package description.

server:~# apt-cache show cronolog|grep -i description -A10 -B5
Version: 1.6.2+rpk-2
Installed-Size: 63
Maintainer: Debian QA Group <packages@qa.debian.org>
Architecture: amd64
Depends: perl:any, libc6 (>= 2.4)
Description-en: Logfile rotator for web servers
A simple program that reads log messages from its input and writes
them to a set of output files, the names of which are constructed
using template and the current date and time. The template uses the
same format specifiers as the Unix date command (which are the same
as the standard C strftime library function).
.
It intended to be used in conjunction with a Web server, such as
Apache, to split the access log into daily or monthly logs:
.
TransferLog "|/usr/bin/cronolog /var/log/apache/%Y/access.%Y.%m.%d.log"
.
A cronosplit script is also included, to convert existing
traditionally-rotated logs into this rotation format.
Description-md5: 4d5734e5e38bc768dcbffccd2547922f
Homepage: http://www.cronolog.org/
Tag: admin::logging, devel::lang:perl, devel::library, implemented-in::c,
implemented-in::perl, interface::commandline, role::devel-lib,
role::program, scope::utility, suite::apache, use::organizing,
works-with::logfile
Section: web
Priority: optional
Filename: pool/main/c/cronolog/cronolog_1.6.2+rpk-2_amd64.deb
Size: 27912
MD5sum: 215a86766cc8d4434cd52432fd4f8fe7

If you're using cronolog to daily rotate the access.log and you need to filter out the strings out of the logs, you might use something like in httpd.conf:

CustomLog "|/usr/bin/cronolog –symlink=/var/log/httpd/access.log /var/log/httpd/access.log_%Y_%m_%d" combined env=!dontlog

3. Disable Apache logging access.log from certain USERAGENT browser

You can do much more with SetEnvIf for example you might want to omit logging requests from a UserAgent (browser) to end up in /dev/null (nowhere), e.g. prevent any Website requests originating from Internet Explorer (MSIE) to not be logged.

SetEnvIf User_Agent "(MSIE)" dontlog

CustomLog /var/log/apache2/access.log combined env=!dontlog

4. Disable Apache logging from requests coming from certain FQDN (Fully Qualified Domain Name) localhost 127.0.0.1 or concrete IP / IPv6 address

SetEnvIf Remote_Host "dns.server.com$" dontlog

CustomLog /var/log/apache2/access.log combined env=!dontlog

Of course for this to work, your website should have a functioning DNS servers and Apache should be configured to be able to resolve remote IPs to back resolve to their respective DNS defined Hostnames.

SetEnvIf recognized also perl PCRE Regular Expressions, if you want to filter out of Apache access log requests incoming from multiple subdomains starting with a certain domain hostname.

SetEnvIf Remote_Host "^example" dontlog

– To not log anything coming from localhost.localdomain address ( 127.0.0.1 ) as well as from some concrete IP address :

SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog

SetEnvIf Remote_Addr "192\.168\.1\.180" dontlog

– To disable IPv6 requests that be coming at the log even though you don't happen to use IPv6 at all

SetEnvIf Request_Addr "::1" dontlog

CustomLog /var/log/apache2/access.log combined env=!dontlog

– Note here it is obligatory to escape the dots '.'

5. Disable robots.txt Web Crawlers requests from being logged in access.log

SetEnvIf Request_URI "^/robots\.txt$" dontlog

CustomLog /var/log/apache2/access.log combined env=!dontlog

Using SetEnvIfNoCase to read incoming useragent / Host / file requests case insensitve

The SetEnvIfNoCase is to be used if you want to threat incoming originators strings as case insensitive, this is useful to omit extraordinary regular expression SetEnvIf rules for lower upper case symbols.

SetEnvIFNoCase User-Agent "Slurp/cat" dontlog
SetEnvIFNoCase User-Agent "Ask Jeeves/Teoma" dontlog
SetEnvIFNoCase User-Agent "Googlebot" dontlog
SetEnvIFNoCase User-Agent "bingbot" dontlog
SetEnvIFNoCase Remote_Host "fastsearch.net$" dontlog

Omit from access.log logging some standard web files .css , .js .ico, .gif , .png and Referrals from own domain

Sometimes your own site scripts do refer to stuff on your own domain that just generates junks in the access.log to keep it off.

SetEnvIfNoCase Request_URI "\.(gif)|(jpg)|(png)|(css)|(js)|(ico)|(eot)$" dontlog

SetEnvIfNoCase Referer "www\.myowndomain\.com" dontlog

CustomLog /var/log/apache2/access.log combined env=!dontlog

6. Disable Apache requests in access.log and error.log completely

Sometimes at rare cases the produced Apache logs and error log is really big and you already have the requests logged in another F5 Load Balancer or Haproxy in front of Apache WebServer or alternatively the logging is not interesting at all as the Web Application served written in ( Perl / Python / Ruby ) does handle the logging itself.
I've earlier described how this is done in a good amount of details in previous article Disable Apache access.log and error.log logging on Debian Linux and FreeBSD

To disable it you will have to comment out CustomLog or set it to together with ErrorLog to /dev/null in apache2.conf / httpd.conf (depending on the distro)

CustomLog /dev/null
ErrorLog /dev/null

7. Restart Apache WebServer to load settings

An important to mention is in case you have Webserver with multiple complex configurations and there is a specific log patterns to omit from logs it might be a very good idea to:

a. Create /etc/httpd/conf/dontlog.conf / etc/apache2/dontlog.conf
add inside all your custom dontlog configurations
b. Include dontlog.conf from /etc/httpd/conf/httpd.conf / /etc/apache2/apache2.conf

Finally to make the changes take affect, of course you will need to restart Apache webserver depending on the distro and if it is with systemd or System V:

For systemd RPM based distro:

systemctl restart httpd

or for Deb based Debian etc.

systemctl apache2 restart

On old System V scripts systems:

On RedHat / CentOS etc. restart Apache with:

/etc/init.d/httpd restart

On Deb based SystemV:

/etc/init.d/apache2 restart

What we learned ?

We have learned about SetEnvIf how it can be used to prevent certain requests strings getting logged into access.log through dontlog, how to completely stop certain browser based on a useragent from logging to the access.log as well as how to omit from logging certain requests incoming from certain IP addresses / IPv6 or FQDNs and how to stop robots.txt from being logged to httpd log.

Finally we have learned how to completely disable Apache logging if logging is handled by other external application.

Tags: access, admin, amd64, apache2, Below, com, configured, CustomLog, General, httpd, inside, internet explorer, log, logging, MSIE, request, requests, UserAgent, variables, website programmers, www
Posted in Linux, Various, Web and CMS | No Comments »

How to redirect TCP port traffic from Internet Public IP host to remote local LAN server, Redirect traffic for Apache Webserver, MySQL, or other TCP service to remote host

Thursday, September 23rd, 2021

1. Use the good old times rinetd – internet “redirection server” service

Perhaps, many people who are younger wouldn't remember rinetd's use was pretty common on old Linuxes in the age where iptables was not on the scene and its predecessor ipchains was so common.
In the raise of mass internet rinetd started loosing its popularity because the service was exposed to the outer world and due to security holes and many exploits circulating the script kiddie communities
many servers get hacked "pwned" in the jargon of the script kiddies.

rinetd is still available even in modern Linuxes and over the last years I did not heard any severe security concerns regarding it, but the old paranoia perhaps and the set to oblivion makes it still unpopular soluttion for port redirect today in year 2021.
However for a local secured DMZ lans I can tell you that its use is mostly useful and I chooes to use it myself, everynow and then due to its simplicity to configure and use.
rinetd is pretty standard among unixes and is also available in old Sun OS / Solaris and BSD-es and pretty much everything on the Unix scene.

Below is excerpt from 'man rinetd':

DESCRIPTION
rinetd redirects TCP connections from one IP address and port to another. rinetd is a single-process server which handles any number of connections to the address/port pairs
specified in the file /etc/rinetd.conf. Since rinetd runs as a single process using nonblocking I/O, it is able to redirect a large number of connections without a severe im‐
pact on the machine. This makes it practical to run TCP services on machines inside an IP masquerading firewall. rinetd does not redirect FTP, because FTP requires more than
one socket. rinetd is typically launched at boot time, using the following syntax: /usr/sbin/rinetd The configuration file is found in the file /etc/rinetd.conf, unless another file is specified using the -c command line option.

To use rinetd on any LInux distro you have to install and enable it with apt or yum as usual. For example on my Debian GNU / Linux home machine to use it I had to install .deb package, enable and start it it via systemd :

server:~# apt install –yes rinetd
…

server:~# systemctl enable rinetd

server:~# systemctl start rinetd

server:~# systemctl status rinetd
● rinetd.service
Loaded: loaded (/etc/init.d/rinetd; generated)
Active: active (running) since Tue 2021-09-21 10:48:20 EEST; 2 days ago
Docs: man:systemd-sysv-generator(8)
Tasks: 1 (limit: 4915)
Memory: 892.0K
CGroup: /system.slice/rinetd.service
└─1364 /usr/sbin/rinetd

rinetd is doing the traffic redirect via a separate process daemon, in order for it to function once you have service up check daemon is up as well.

root@server:/home/hipo# ps -ef|grep -i rinet
root 359 1 0 16:10 ? 00:00:00 /usr/sbin/rinetd
root 824 26430 0 16:10 pts/0 00:00:00 grep -i rinet

+ Configuring a new port redirect with rinetd

Is pretty straight forward everything is handled via one single configuration – /etc/rinetd.conf

The format (syntax) of a forwarding rule is as follows:

[bindaddress] [bindport] [connectaddress] [connectport]

Besides that rinetd , could be used as a primitive firewall substitute to iptables, general syntax of allow deny an IP address is done with (allow, deny) keywords:

allow 192.168.2.*
deny 192.168.2.1?

To enable logging to external file ,you'll have to include in the configuration:

# logging information
logfile /var/log/rinetd.log

Here is an example rinetd.conf configuration, redirecting tcp mysql 3306, nginx on port 80 and a second web service frontend for ILO to server reachable via port 8888 and a redirect from External IP to local IP SMTP server.

#
# this is the configuration file for rinetd, the internet redirection server
#
# you may specify global allow and deny rules here
# only ip addresses are matched, hostnames cannot be specified here
# the wildcards you may use are * and ?
#
# allow 192.168.2.*
# deny 192.168.2.1?

#
# forwarding rules come here
#
# you may specify allow and deny rules after a specific forwarding rule
# to apply to only that forwarding rule
#
# bindadress bindport connectaddress connectport

# logging information
logfile /var/log/rinetd.log
83.228.93.76 80 192.168.0.20 80
192.168.0.2 3306           192.168.0.19 3306
83.228.93.76 443 192.168.0.20 443
# enable for access to ILO
83.228.93.76       8888           192.168.1.25 443
127.0.0.1   25   192.168.0.19 25

83.228.93.76 is my external ( Public ) IP internet address where 192.168.0.20, 192.168.0.19, 192.168.0.20 (are the DMZ-ed Lan internal IPs) with various services.

To identify the services for which rinetd is properly configured to redirect / forward traffic you can see it with netstat or the newer ss command

root@server:/home/hipo# netstat -tap|grep -i rinet
tcp 0 0 www.pc-freak.net:8888 0.0.0.0:* LISTEN 13511/rinetd
tcp 0 0 www.pc-freak.n:http-alt 0.0.0.0:* LISTEN 21176/rinetd
tcp 0 0 www.pc-freak.net:443 0.0.0.0:* LISTEN 21176/rinetd
…

+ Using rinetd to redirect External interface IP to loopback's port (127.0.0.1)

If you have the need to redirect an External connectable living service be it apache mysql / privoxy / squid or whatever rinetd is perhaps the tool of choice (especially since there is no way to do it with iptables.

If you want to redirect all traffic which is accessed via Linux's loopback interface (localhost) to be reaching a remote host 11.5.8.1 on TCP port 1083 and 1888, use below config

# bindadress bindport connectaddress connectport
11.5.8.1 1083 127.0.0.1 1083
11.5.8.1 1888 127.0.0.1 1888

For a quick and dirty solution to redirect traffic rinetd is very useful, however you'll have to keep in mind that if you want to redirect traffic for tens of thousands of connections constantly originating from the internet you might end up with some disconnects as well as notice a increased use of rinetd CPU use with the incrased number of forwarded connections.

2. Redirect TCP / IP port using DNAT iptables firewall rules

Lets say you have some proxy, webservice or whatever service running on port 5900 to be redirected with iptables.
The easeiest legacy way is to simply add the redirection rules to /etc/rc.local. In newer Linuxes rc.local so if you decide to use,
you'll have to enable rc.local , I've written earlier a short article on how to enable rc.local on newer Debian, Fedora, CentOS

# redirect 5900 TCP service
sysctl -w net.ipv4.conf.all.route_localnet=1
iptables -t nat -I PREROUTING -p tcp –dport 5900 -j REDIRECT –to-ports 5900
iptables -t nat -I OUTPUT -p tcp -o lo –dport 5900 -j REDIRECT –to-ports 5900
iptables -t nat -A OUTPUT -o lo -d 127.0.0.1 -p tcp –dport 5900 -j DNAT –to-destination 192.168.1.8:5900
iptables -t nat -I OUTPUT –source 0/0 –destination 0/0 -p tcp –dport 5900 -j REDIRECT –to-ports 5900

Here is another two example which redirects port 2208 (which has configured a bind listener for SSH on Internal host 192.168.0.209:2208) from External Internet IP address (XXX.YYY.ZZZ.XYZ)

# Port redirect for SSH to VM on openxen internal Local lan server 192.168.0.209
-A PREROUTING -p tcp –dport 2208 -j DNAT –to-destination 192.168.0.209:2208
-A POSTROUTING -p tcp –dst 192.168.0.209 –dport 2208 -j SNAT –to-source 83.228.93.76

3. Redirect TCP traffic connections with redir tool

If you look for an easy straight forward way to redirect TCP traffic, installing and using redir (ready compiled program) might be a good idea.

root@server:~# apt-cache show redir|grep -i desc -A5 -B5
Version: 3.2-1
Installed-Size: 60
Maintainer: Lucas Kanashiro <kanashiro@debian.org>
Architecture: amd64
Depends: libc6 (>= 2.15)
Description-en: Redirect TCP connections
It can run under inetd or stand alone (in which case it handles multiple
connections). It is 8 bit clean, not limited to line mode, is small and
light. Supports transparency, FTP redirects, http proxying, NAT and bandwidth
limiting.
.
redir is all you need to redirect traffic across firewalls that authenticate
based on an IP address etc. No need for the firewall toolkit. The
functionality of inetd/tcpd and "redir" will allow you to do everything you
need without screwy telnet/ftp etc gateways. (I assume you are running IP
Masquerading of course.)
Description-md5: 2089a3403d126a5a0bcf29b22b68406d
Homepage: https://github.com/troglobit/redir
Tag: interface::daemon, network::server, network::service, role::program,
use::proxying
Section: net
Priority: optional

server:~# apt-get install –yes redir
…

Here is a short description taken from its man page 'man redir'

DESCRIPTION
redir redirects TCP connections coming in on a local port, [SRC]:PORT, to a specified address/port combination, [DST]:PORT. Both the SRC and DST arguments can be left out,
redir will then use 0.0.0.0.

redir can be run either from inetd or as a standalone daemon. In –inetd mode the listening SRC:PORT combo is handled by another process, usually inetd, and a connected
socket is handed over to redir via stdin. Hence only [DST]:PORT is required in –inetd mode. In standalone mode redir can run either in the foreground, -n, or in the back‐
ground, detached like a proper UNIX daemon. This is the default. When running in the foreground log messages are also printed to stderr, unless the -s flag is given.

Depending on how redir was compiled, not all options may be available.

+ Use redir to redirect TCP traffic one time

Lets say you have a MySQL running on remote machine on some internal or external IP address, lets say 192.168.0.200 and you want to redirect all traffic from remote host to the machine (192.168.0.50), where you run your Apache Webserver, which you want to configure to use
as MySQL localhost TCP port 3306.
Assuming there are no irewall restrictions between Host A (192.168.0.50) and Host B (192.168.0.200) is already permitting connectivity on TCP/IP port 3306 between the two machines.

To open redirection from localhost on 192.168.0.50 -> 192.168.0.200:

server:~# redir –laddr=127.0.0.1 –lport=3306 –caddr=192.168.0.200 –cport=3306

If you need other third party hosts to be additionally reaching 192.168.0.200 via 192.168.0.50 TCP 3306.

root@server:~# redir –laddr=192.168.0.50 –lport=3306 –caddr=192.168.0.200 –cport=3306

Of course once you close, the /dev/tty or /dev/vty console the connection redirect will be cancelled.

+ Making TCP port forwarding from Host A to Host B permanent

One solution to make the redir setup rules permanent is to use –rinetd option or simply background the process, nevertheless I prefer to use instead GNU Screen.
If you don't know screen is a vVrtual Console Emulation manager with VT100/ANSI terminal emulation to so, if you don't have screen present on the host install it with whatever Linux OS package manager is present and run:

root@server:~#screen -dm bash -c 'redir –laddr=127.0.0.1 –lport=3306 –caddr=192.168.0.200 –cport=3306'

That would run it into screen session and detach so you can later connect, if you want you can make redir to also log connections via syslog with ( -s) option.

I found also useful to be able to track real time what's going on currently with the opened redirect socket by changing redir log level.

Accepted log level is:

-l, –loglevel=LEVEL
Set log level: none, err, notice, info, debug. Default is notice.

root@server:/ # screen -dm bash -c 'redir –laddr=127.0.0.1 –lport=3308 –caddr=192.168.0.200 –cport=3306 -l debug'

To test connectivity works as expected use telnet:

root@server:/ # telnet localhost 3308
Trying 127.0.0.1…
Connected to localhost.
Escape character is '^]'.
g
5.5.5-10.3.29-MariaDB-0+deb10u1-log�+c2nWG>B��o+#ly=bT^]79mysql_native_password

6#HY000Proxy header is not accepted from 192.168.0.19 Connection closed by foreign host.

once you attach to screen session with

root@server:/home # screen -r

You will get connectivity attempt from localhost logged : .

redir[10640]: listening on 127.0.0.1:3306
redir[10640]: target is 192.168.0.200:3306
redir[10640]: Waiting for client to connect on server socket …
redir[10640]: target is 192.168.0.200:3306
redir[10640]: Waiting for client to connect on server socket …
redir[10793]: peer IP is 127.0.0.1
redir[10793]: peer socket is 25592
redir[10793]: target IP address is 192.168.0.200
redir[10793]: target port is 3306
redir[10793]: Connecting 127.0.0.1:25592 to 127.0.0.1:3306
redir[10793]: Entering copyloop() – timeout is 0
redir[10793]: Disconnect after 1 sec, 165 bytes in, 4 bytes out

The downsides of using redir is redirection is handled by the separate process which is all time hanging in the process list, as well as the connection redirection speed of incoming connections might be about at least 30% slower to if you simply use a software (firewall ) redirect such as iptables. If you use something like kernel IP set ( ipsets ). If you hear of ipset for a first time and you wander whta it is below is short package description.

root@server:/root# apt-cache show ipset|grep -i description -A13 -B5
Maintainer: Debian Netfilter Packaging Team <pkg-netfilter-team@lists.alioth.debian.org>
Architecture: amd64
Provides: ipset-6.38
Depends: iptables, libc6 (>= 2.4), libipset11 (>= 6.38-1~)
Breaks: xtables-addons-common (<< 1.41~)
Description-en: administration tool for kernel IP sets
IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel which can be
administered by the ipset(8) utility. Depending on the type, currently an
IP set may store IP addresses, (TCP/UDP) port numbers or IP addresses with
MAC addresses in a way which ensures lightning speed when matching an
entry against a set.
.
If you want to
.
* store multiple IP addresses or port numbers and match against the
entire collection using a single iptables rule.
* dynamically update iptables rules against IP addresses or ports without
performance penalty.
* express complex IP address and ports based rulesets with a single
iptables rule and benefit from the speed of IP sets.
.
then IP sets may be the proper tool for you.
Description-md5: d87e199641d9d6fbb0e52a65cf412bde
Homepage: http://ipset.netfilter.org/
Tag: implemented-in::c, role::program
Section: net
Priority: optional
Filename: pool/main/i/ipset/ipset_6.38-1.2_amd64.deb
Size: 50684
MD5sum: 095760c5db23552a9ae180bd58bc8efb
SHA256: 2e2d1c3d494fe32755324bf040ffcb614cf180327736c22168b4ddf51d462522

Tags: amd64, Below, CentOS, Configuring, Connected, External, How to, incoming connections, information, ip addresses, lan, network server, package description, redirection, remote server, server port, server root, standard, Supports, systemd, tcp, use
Posted in Linux, System Administration, Various | No Comments »

Linux: Add fun to your terminal login screen with boxes, Draw ASCII Art Shapes with date and user info etc. on login

Friday, July 16th, 2021

boxes-ascii-art-generate-cpu-memory-and-disk-system-info-beauty
Some of you might remember my love for Linux ASCII art stuff and fact that I'm daily forced to work on many consoles, which makes life a bit boring at point and you want to have some diversity as this black and white or black and green screen becomes quite of annoyance at times, hence adding some ASCII art kindness really makes sense. In that relation some time ago I've have written the howto add colorful random ASCII art picture and a bible verse on each SSH server login, joyout sysadmins life with cowsay, fortune, caca-utils and others.
Just recently a colleague of mine Georgi Stoyanov to whom I've shown cowsay, while playing around with cowsay, researching on related cool ASCII art entertainment one could add to his boring daily sysadm life stumbled on another nice piece of 1337 h4x0r software called boxes, that is nowadays available amongs most mainstream RPM and Debian distributions out of the box in default package repositories (it is installable on Ubuntu / Debian / CentOS with apt or yum).

root@pcfreak:~# apt-cache show boxes|grep -i desc -A 5 -B5
Version: 1.3-1
Installed-Size: 253
Maintainer: Salvatore Bonaccorso <carnil@debian.org>
Architecture: amd64
Depends: libc6 (>= 2.14)
Description-en: textmode box- and comment drawing filter
Boxes is extremely configurable filter for adding and removing ASCII art
(comments, for example) around chunks of text. Most modern text editors
support filtering text through external filters. Boxes is such a filter.
Description-md5: 71d39f5c7193aab87deb83d15f0b2e82
Homepage: https://boxes.thomasjensen.com/
Tag: implemented-in::c++, interface::commandline, role::program,
scope::utility, works-with::mail
Section: text
Priority: optional

To start using the preset of nice boxes and shapes depending on the distro type:
On Deb based Linuz OS

debian:~# apt install –yes boxes
…

On RPM based Linuxes:

[root@centos ~ ]# yum install -y boxes

…

Once installed to give it a try, do list all the available basic boxen ASCII Art ( template ) shapes beauties – the art pictures is quite high, below is a short 50 line raw example cut:

root@pcfreak:~# boxes -l |tail -n 50

unicornthink
unknown artist, coded by Mike Meyer <boxes@meyer.fm>:

_________________________________
/ \
| E L E C T R O L Y T E S |
\______________________________ '\
() \\
O \\ .
o |\\/|
/ " '\
. . .
/ ) |
' _.' |
'-'/ \

vim-cmt
Bram Moolenaar, coded by Thomas Jensen <boxes(at)thomasjensen(dot)com>:

"
" comments used in the vim editor's config file (.vimrc)
"

whirly
unknown artist, coded by Thomas Jensen <boxes(at)thomasjensen(dot)com>:

.+"+.+"+.+"+.+"+.+"+.+"+.+"+.+"+.+"+.+"+.+"+.+"+.+"+.+"+.+"+.
( )
) (
( )
"+.+"+.+"+.+"+.+"+.+"+.+"+.+"+.+"+.+"+.+"+.+"+.+"+.+"+.+"+.+"

xes
Joan G. Stark <spunk1111@juno.com>, coded by Thomas Jensen <boxes(at)thomasjensen(dot)com>:

<\/><\/><\/>
<\/></\></\></\><\/>
</\> </\>
<\/> <\/>
</\> </\>
<\/> <\/>
</\> </\>
<\/> <\/>
</\> </\>
<\/> <\/>
</\><\/><\/><\/></\>
jgs </\></\></\>

If you want to check out the full list of ascii art templates provided by boxes check out a complete dump out of boxes -l shapes here.

Next lets play a bit to give you an idea on some use of boxes you can add to your login /etc/profile or ~/bashrc or even randomize it with some little bash script to print out some cool stuff on each and every Linux SSH or tty physical console login to prit login date your user name, logged in users or whatever you would like shaped in ascii art picture. For example you can great yourself on system login with whoami command printed in one of the offered boxes ASCII art picture templates, etc.

Below is few sample ideas for use:

# boxes -a c -d mouse <<< "today is $(date)"

# boxes -a c -d mouse <<< "Hello $USER,today is $(date)"

# boxes -a c -d mouse <<< "Hello $(whoami),today is $(date)"

# boxes -a c -d mouse <<< "Hello $(whoami),today is $(date)" | lolcat

mouse-login-greeting

# boxes -a c -d unicornthink <<< "Hello $(whoami),today is $(date)" | lolcat

# boxes -a c -d cat <<< "Hello $(whoami),today is $(date); $(echo "Apache processes"; ps -ef|grep -i apache)|grep -v grep" | lolcat

If you have a multiple systems to monitor, it is useful to quickly have an overview of each system and add some artistic qualities for example use some tiny shell script like system_info_on_login.sh and make it look aritistic:

# cat /bashscripts/system_info_on_login.sh
free -m | awk 'NR==2{printf "Memory Usage: %s/%sMB (%.2f%%)\n", $3,$2,$3*100/$2 }'
df -h | awk '$NF=="/"{printf "Disk Usage: %d/%dGB (%s)\n", $3,$2,$5}'
top -bn1 | grep load | awk '{printf "CPU Load: %.2f\n", $(NF-2)}'

Funny cool stuff ain't it is up to your imagination to add whatever beauty you like. If you want to make a little prank you can misteriously place boxes to auto launch on some of the DMZ secured servers and print any strange form to a colleague next time he logs in by adding boxes to launch in his ~/.bashrc with some weird message such as "your account has been pwn3d by a 1337 h4x0r" and watch for his reaction 🙂
Enjoy !

Tags: amd64, ascii art, boxes, info, Linux Add, login, mail, terminal, today, type
Posted in Educational, Entertainment, FreeBSD, Games Linux, Linux, Linux and FreeBSD Desktop | No Comments »

Linux show largest sized packages / Which Deb, RPM Linux installed package use most disk space and How to Free Space for critical system updates

Sunday, January 12th, 2020

linux-show-largest-sized-packages-which-deb-rpm-linux-package-use-most-disk-space-to-free-space-for-critical-system-updates

A very common problem that happens on both Linux installed servers and Desktop Linux is a starting to fill / (root partition). This problem could happen due to several reasons just to point few of them out of my experience low disk space (ending free space) could be due to:

– Improper initial partitioning / bad space planning / or OS install made in a hurry (due to time constrains)
– Linux installed on old laptop machine with low Hard Disk Drive capacity (e.g. 80 Giga / 160 GB)
– Custom user partitioning on install time aiming for a small root partition originally and changing space requirements in time
– Due to increasing space taken by Linux updates / user stored files etc / distribution OS Level upgrades dist-upgrades.
– Improperly assigned install time partitions cause of lack of knowledge to understand how partitioning is managed.
– Due to install being made in a hurry
– Linux OS installed on a Cloud based VPN (e.g. running) in a Cloud Instance that is hosted in Amazon EC2, Linode, Digital Ocean, Hostgator etc.

So here is a real time situation that happened me many times, you're launching an apt-get upgrade / apt-get dist-upgrade or yum upgrade the packages are about to start downloading or downloaded and suddenly you get a message of not enough disk space to apply OS package updates …
That's nasty stuff mostly irritating and here there are few approaches to take.

a. perhaps easiest you can ofcourse extend the partition (with a free spaced other Primary or Extended partition) with something like:

parted (the disk partitioning manipulator for Linux), gparted (in case if Desktop with GUI / XOrg server running)

b. if not enough space on the Hard Disk Drive or SSD (Solid State Drive) and you have a budget to buy and free laptop / PC slot to place another physical HDD to clone it to a larger sized HDD and use some kind of partition clone tool, such as:

dd
clonezilla
rsync
Mondo GPL Rescue Disaster recovery
Fog – Free Open Source network computer cloning tool

or any of the other multiple clone tools available in Linux.

But what if you don't have the option for some reason to extend the paritiotn, how can you apply the Critical Security Errata Updates issued to patch security vulnerabilities reported by well known CVEs?
Well you can start with the obvious easy you can start removing unnecessery stuff from the system (if home is also stored on the / – root partiiton) to delete something from there, even delete the /usr/local/man pages if you don't plan to read it free some logs by archiving purging logs from /var/log/* …

But if this is not possible, a better approach is simply try to remove / purge any .deb / .rpm whatever distro package manager packages that are not necessery used and just hanging around, that is often the case especially on Linux installed on Notebooks for a personal home use, where with years you have installed a growing number of packages which you don't actively use but installed just to take a look, while hunting for Cool Linux games and you wanted to give a try to Battle of Wesnoth / FreeCIV / AlienArena / SuperTux Kart / TuxRacer etc. or some GUI heavy programs like Krita / Inskape / Audacity etc.

To select which package might be not needed and just takes space hence you need to to list all installed packages on the system ordered by their size this is different in Debian based Linuces e.g. – Debian GNU / Linux / Ubuntu / Mint etc. and RPM based ones Fedora / CentOS / OpenSuSE

1. List all RPM installed packages by Size on CentOS / SuSE

Finding how much space each of the installed rpm packages take on the HDD and displaying them in a sorted order is done with:

rpm -qa –queryformat '%10{size} – %-25{name} \t %{version}\n' | sort -n

From the command above, the '%10{size}' option aligns the size of the package to the right with a padding of 10 characters. The '%-25{name} aligns the name of the package to the left, padded to 25 characters. The '%{version} indicates the version and 'sort -n' flag sorts the packages according to size from the smallest to the largest in bytes.

2. List all installed RPM packages sorted by size on Fedora

Fedora has introduced the dnf package manager instead of yum, to get how much size individual rpm package occupies on system:

dnf info samba
Available Packages
Name : samba
Arch : x86_64
Epoch : 2
Version : 4.1.20
Release : 1.fc21
Size : 558 k
Repo : updates
Summary : Server and Client software to interoperate with Windows machines
URL : http://www.samba.org/
License : GPLv3+ and LGPLv3+
Description : Samba is the standard Windows interoperability suite of programs
: for Linux and Unix.

To get a list of all packages on system with their size

dnf info * | grep -i "Installed size" |sort -n

3. List all installed DEB packages on Debian / Ubuntu / Mint etc. with dpkg / aptitude / apt-get and wajig

The most simple way to get a list of largest packages is through dpkg

# dpkg-query -Wf '${Installed-Size}\t${Package}\n' | sort -n
brscan4
6 default-jre
6 libpython-all-dev
6 libtinfo-dev
6 python-all
6 python-all-dev
6 task-cinnamon-desktop
6 task-cyrillic
6 task-desktop
6 task-english
6 task-gnome-desktop
6 task-laptop
6 task-lxde-desktop
6 task-mate-desktop
6 task-print-server
6 task-ssh-server
6 task-xfce-desktop
8 mysql-client
8 printer-driver-all
…
…
207766   libwine
215625   google-chrome-stable
221908   libwine
249401   frogatto-data
260717   linux-image-4.19.0-5-amd64
262512   linux-image-4.19.0-6-amd64
264899   mame
270589   fonts-noto-extra
278903   skypeforlinux
480126   metasploit-framework

above cmd displays packages in size order, largest package last, but the output will include also size of packages, that used to exist,
have been removed but was not purged. Thus if you find a package that is shown as very large by size but further dpkg -l |grep -i package-name shows package as purged e.g. package state is not 'ii' but 'rc', the quickest work around is to purge all removed packages, that are still not purged and have some configuration remains and other chunks of data that just take space for nothing with:

# dpkg –list |grep "^rc" | cut -d " " -f 3 | xargs sudo dpkg –purge

Be cautious when you execute above command, because if for some reason you uninstalled a package with the idea to keep old configuration files only and in case if you decide to use it some time in future to reuse already custom made configs but do run above purge commands all such package saved kept configs will disappear.
For people who don't want to mess up with, uninstalled but present packages use this to filter out ready to be purged state packages.

# dpkg-query -Wf '${db:Status-Status} ${Installed-Size}\t${Package}\n' | sed -ne 's/^installed //p'|sort -n

aptitude – (high level ncurses interface like to package management) can also be easily used to list largest size packages eating up your hard drive in both interactive or cli mode, like so:

# aptitude search –sort '~installsize' –display-format '%p %I' '~i' | head
metasploit-framework 492 MB
skypeforlinux 286 MB
fonts-noto-extra 277 MB
mame 271 MB
linux-image-4.19.0-6-amd64 269 MB
linux-image-4.19.0-5-amd64 267 MB
frogatto-data 255 MB
libwine 227 MB
google-chrome-stable 221 MB
libwine:i386 213 MB

–sort is package sort order, and ~installsize specifies a package sort policy.
installsize means 'sort on (estimated) installed size', and the preceding ~ means sort descending (since default for all sort policies is ascending).
–display-format changes the <you guessed :->. The format string '%p %I' tells aptitude to output package name, then installed size.
'~i' tells aptitude to search only installed packages.

How much a certain .deb package removal will free up on the disk can be seen with apt-get as well to do so for the famous 3D acceleration Graphic Card (enabled) or not test game extremetuxracer:

# apt-get –assume-no –purge remove "texlive*" | grep "be freed" |
awk '{print $4, $5}'

Perhaps, the easiest to remember and more human readable output biggest packages occupied space on disk is to install and use a little proggie called wajig to do so

# apt install –yes wajig

Here is how to pick up 10 biggest size packages.

root@jeremiah:/home/hipo# wajig large|tail -n 10
fonts-noto-cjk-extra 204,486 installed
google-chrome-stable 215,625 installed
libwine 221,908 installed
frogatto-data 249,401 installed
linux-image-4.19.0-5-amd64 260,717 installed
linux-image-4.19.0-6-amd64 262,512 installed
mame 264,899 installed
fonts-noto-extra 270,589 installed
skypeforlinux 278,903 installed
metasploit-framework 480,126 installed

As above example lists a short package name and no description for those who want get more in depth knowledge on what exactly is the package bundle used for use:

# aptitude search –sort '~installsize' –display-format '%30p %I %r %60d' '~i' |head

%30p %I %r %60d display more information in your format string, or change field widths, enhanced format string

Meaning of parameters is:

%30p : package name in field width=30 char
%I : estimated install size
%r : 'reverse depends count': approximate number of other installed packages which depend upon this package
%60d : package's short description in field width=60 char

wajig is capable is a python written and idea is to easify Debian console package management (so you don't have to all time remember when and with which arguments to use apt-get / apt-cache etc.), below is list of commands it accepts.

root@jeremiah:/home/hipo## wajig commands
addcdrom Add a Debian CD/DVD to APT's list of available sources
addrepo Add a Launchpad PPA (Personal Package Archive) repository
aptlog Display APT log file
autoalts Mark the Alternative to be auto-set (using set priorities)
autoclean Remove no-longer-downloadable .deb files from the download cache
autodownload Do an update followed by a download of all updated packages
autoremove Remove unused dependency packages
build Get source packages, unpack them, and build binary packages from them.
builddeps Install build-dependencies for given packages
changelog Display Debian changelog of a package
clean Remove all deb files from the download cache
contents List the contents of a package file (.deb)
dailyupgrade Perform an update then a dist-upgrade
dependents Display packages which have some form of dependency on the given package
describe Display one-line descriptions for the given packages
describenew Display one-line descriptions of newly-available packages
distupgrade Comprehensive system upgrade
download Download one or more packages without installing them
editsources Edit list of Debian repository locations for packages
extract Extract the files from a package file to a directory
fixconfigure Fix an interrupted install
fixinstall Fix an install interrupted by broken dependencies
fixmissing Fix and install even though there are missing dependencies
force Install packages and ignore file overwrites and depends
hold Place packages on hold (so they will not be upgraded)
info List the information contained in a package file
init Initialise or reset wajig archive files
install Package installer
installsuggested Install a package and its Suggests dependencies
integrity Check the integrity of installed packages (through checksums)
large List size of all large (>10MB) installed packages
lastupdate Identify when an update was last performed
listall List one line descriptions for all packages
listalternatives List the objects that can have alternatives configured
listcache List the contents of the download cache
listcommands Display all wajig commands
listdaemons List the daemons that wajig can start, stop, restart, or reload
listfiles List the files that are supplied by the named package
listhold List packages that are on hold (i.e. those that won't be upgraded)
listinstalled List installed packages
listlog Display wajig log file
listnames List all known packages; optionally filter the list with a pattern
listpackages List the status, version, and description of installed packages
listscripts List the control scripts of the package of deb file
listsection List packages that belong to a specific section
listsections List all available sections
liststatus Same as list but only prints first two columns, not truncated
localupgrade Upgrade using only packages that are already downloaded
madison Runs the madison command of apt-cache
move Move packages in the download cache to a local Debian mirror
new Display newly-available packages
newdetail Display detailed descriptions of newly-available packages
news Display the NEWS file of a given package
nonfree List packages that don't meet the Debian Free Software Guidelines
orphans List libraries not required by any installed package
policy From preferences file show priorities/policy (available)
purge Remove one or more packages and their configuration files
purgeorphans Purge orphaned libraries (not required by installed packages)
purgeremoved Purge all packages marked as deinstall
rbuilddeps Display the packages which build-depend on the given package
readme Display the README file(s) of a given package
recdownload Download a package and all its dependencies
recommended Display packages installed as Recommends and have no dependents
reconfigure Reconfigure package
reinstall Reinstall the given packages
reload Reload system daemons (see LIST-DAEMONS for available daemons)
remove Remove packages (see also PURGE command)
removeorphans Remove orphaned libraries
repackage Generate a .deb file from an installed package
reportbug Report a bug in a package using Debian BTS (Bug Tracking System)
restart Restart system daemons (see LIST-DAEMONS for available daemons)
rpm2deb Convert an .rpm file to a Debian .deb file
rpminstall Install an .rpm package file
search Search for package names containing the given pattern
searchapt Find nearby Debian package repositories
show Provide a detailed description of package
sizes Display installed sizes of given packages
snapshot Generates a list of package=version for all installed packages
source Retrieve and unpack sources for the named packages
start Start system daemons (see LIST-DAEMONS for available daemons)
status Show the version and available versions of packages
statusmatch Show the version and available versions of matching packages
stop Stop system daemons (see LISTDAEMONS for available daemons)
tasksel Run the task selector to install groups of packages
todo Display the TODO file of a given package
toupgrade List versions of upgradable packages
tutorial Display wajig tutorial
unhold Remove listed packages from hold so they are again upgradeable
unofficial Search for an unofficial Debian package at apt-get.org
update Update the list of new and updated packages
updatealternatives Update default alternative for things like x-window-manager
updatepciids Updates the local list of PCI ids from the internet master list
updateusbids Updates the local list of USB ids from the internet master list
upgrade Conservative system upgrade
upgradesecurity Do a security upgrade
verify Check package's md5sum
versions List version and distribution of given packages
whichpackage Search for files matching a given pattern within packages

4. List installed packages order by size in Arch Linux

ArchLinux is using the funny named package manager – pacman (a nice prank for the good old arcade game).
What is distinctive of pacman uses libalpm (Arch Linux Package Management (ALPM) library) as a back-end to perform all the actions.

# pacman -Qi | awk '/^Name/{name=$3} /^Installed Size/{print $4$5, name}' | sort -hr | head -25
296.64MiB linux-firmware
144.20MiB python
105.43MiB gcc-libs
72.90MiB python2
66.91MiB linux
57.47MiB perl
45.49MiB glibc
35.33MiB icu
34.68MiB git
30.96MiB binutils
29.95MiB grub
18.96MiB systemd
13.94MiB glib2
13.79MiB coreutils
13.41MiB python2-boto
10.65MiB util-linux
9.50MiB gnupg
8.09MiB groff
8.05MiB gettext
7.99MiB texinfo
7.93MiB sqlite
7.15MiB bash
6.50MiB lvm2
6.43MiB openssl
6.33MiB db

There is another mean to list packages by size using a ArchLinux tool called pacgraph

# pacgraph -c | head -25

Autodetected Arch.
Loading package info
Total size: 1221MB
367MB linux
144MB pacgraph
98MB cloud-init
37MB grub
35MB icu
34MB git
31698kB binutils
19337kB pacman
11029kB man-db
8186kB texinfo
8073kB lvm2
7632kB nano
7131kB openssh
5735kB man-pages
3815kB xfsprogs
3110kB sudo
3022kB wget
2676kB tar
2626kB netctl
1924kB parted
1300kB procps-ng
1248kB diffutils

4. Debian Goodies

Most debian users perhaps never hear of debian-goodies package, but I thought it is worthy to mention it as sooner or later as a sysadmin or .deb based Desktop user it might help you somewhere.

Debian-goodies is sall toolbox-style utilities for Debian systems
These programs are designed to integrate with standard shell tools,
extending them to operate on the Debian packaging system.
.
dglob – Generate a list of package names which match a pattern
[dctrl-tools, apt*, apt-file*, perl*]
dgrep – Search all files in specified packages for a regex
[dctrl-tools, apt-file (both via dglob)]
.
These are also included, because they are useful and don't justify
their own packages:
.
check-enhancements
– find packages which enhance installed packages [apt,
dctrl-tools]
checkrestart
– Help to find and restart processes which are using old versions
of upgraded files (such as libraries) [python3, procps, lsof*]
debget – Fetch a .deb for a package in APT's database [apt]
debman – Easily view man pages from a binary .deb without extracting
[man, apt* (via debget)]
debmany – Select manpages of installed or uninstalled packages [man |
sensible-utils, whiptail | dialog | zenity, apt*, konqueror*,
libgnome2-bin*, xdg-utils*]
dhomepage – Open homepage of a package in a web browser [dctrl-tools,
sensible-utils*, www-browser* | x-www-browser*]
dman – Fetch manpages from online manpages.debian.org service [curl,
man, lsb-release*]
dpigs – Show which installed packages occupy the most space
[dctrl-tools]
find-dbgsym-packages
– Get list of dbgsym packages from core dump or PID [dctrl-tools,
elfutils, libfile-which-perl, libipc-system-simple-perl]
popbugs – Display a customized release-critical bug list based on
packages you use (using popularity-contest data) [python3,
popularity-contest]
which-pkg-broke
– find which package might have broken another [python3, apt]
which-pkg-broke-build
– find which package might have broken the build of another
[python3 (via which-pkg-broke), apt]

Even simpler by that is to use dpigs shell script part of the debian-goodies package which will automatically print out the largest packages.

dpigs command output is exactly the same as 'dpkg-query -Wf '${Installed-Size}\t${Package}\n' | sort -nr | head', but is useful cause you don't have to remember that complex syntax.

5. Checking where your space is gone in a Spacesniffer like GUI manner with Baobab

In my prior article Must have software on a new installed Windows 2 of the of the precious tools to set are Spacesniffer and WinDirStat.
Windows users will be highly delighted to know that SpaceSniffer equivallent is already present on Linux – say hello baobab.
Baobab is simple but useful Graphic disk usage overview program for those who don't want to mess to much with the console / terminal to find out which might be the possible directory candidate for removal. It is very simplistic but it does well what it is aimed for, to install it on a Debian or .deb based OS.

# apt install –yes baobab

baobab-entry-screen-debian-gnu-linux-screenshot

baobab Linux Hard Disk Usage Analyzer for GNOME. – It can easily scan either the whole filesystem or a specific user-requested branch (Iocal or remote)

baobab-entry-screen-debian-gnu-linux-directories-taking-most-space-pie-screenshot

Baobab / (root) directory statistics Rings Chart pie

baobab – Treemap Chart for directory usage sorted by size on disk

!!! Note that before removing any files found as taking up too much space with baobab – make sure this files are not essential parts of a .deb package first, otherwise you might break up your system !!!

KDE (Plasma) QT library users could use Qdirstat instead of baobab

qdirstat-on-gnu-linur checking what is the disk space bottleneck qdirstat KDE

6. Use ncdu or duper perl script tool to generate directory disk usage in ASCII chart bar

ncdu and duper are basicly the same except one is using ncurses and is interactive in a very simplistic interface with midnight commander.

# apt install –yes ncdu
# ncdu /root

# apt-get install –yes durep
# durep -td 1 /usr
[ /usr 14.4G (0 files, 11 dirs) ]
6.6G [############# ] 45.54% lib/
5.5G [########### ] 38.23% share/
1.1G [## ] 7.94% bin/
552.0M [# ] 3.74% local/
269.2M [ ] 1.83% games/
210.4M [ ] 1.43% src/
88.9M [ ] 0.60% libexec/
51.3M [ ] 0.35% sbin/
41.2M [ ] 0.28% include/
8.3M [ ] 0.06% lib32/
193.8K [ ] 0.00% lib64/

Conclusion

In this article, I've shortly explained the few approach you can take to handle low disk space preventing you to update a regular security updates on Linux.
The easiest one is to clone your drive to a bigger (larger) sized SATA HDD or SDD Drive or using a free space left on a hard drive to exnted the current filling up the root partition.

Further, I looked through the common reasons for endind with a disk being low spaced and a quick work around to free disk space through listing and purging larges sized package, this is made differently in different Linux distributions, because different Linux has different package managers. As I'm primary using Debian, I explained thoroughfully on how this is achieved with apt-get / dpkg-query / dpkg / aptitude and the little known debian-goodies .deb package manager helper pack. For GUI Desktop users there is baobab / qdirstat. ASCII lovers could enjoy durep and ncdu.

That's all folks hope you enjoyed and learned something new. If you know of other cool tools or things this article is missing please share.

Tags: about, again, ALL, alternative, alternatives, amazon, amd64, and, another, ANY, approximate number, apt-get, aptitude, archive, archive files, are, around, article, Ascii, audacity, baobab, check linux package size, deb, durep, ncdu, qdirstat, rpm, supertuxkart, wajig
Posted in Linux, Linux on Laptops, Various | 1 Comment »

Howto Pass SSH traffic through a Secured Corporate Proxy server with corkscrew, using sshd as a standalone proxy service with no proxy installed on remote Linux server or VPS

Tuesday, November 19th, 2019

howto pass ssh traffic through proxy to remote server use remote machine as a proxy for connecting to the Internet

Working in the big bad corporate world (being employed in any of the Fortune 500) companies, especially in an IT delivery company is a nasty thing in terms of User Personal Data Privacy because usually when employeed in any of a corporation, the company ships you with a personal Computer with some kind of pre-installed OS (most often this is Windows) and the computer is not a standalone one but joined in Active Directory (AD) belonging to Windows Domain and centrally administered by whoever.

As part of the default deplyed configuration in this pre-installed OS and software is that part or all your network traffic and files is being monitored in some kind of manner as your pre-installed Windows or Linux notebook given by the Corporation is having a set of standard software running in the background, and even though you have Windows Administrator there are many things you have zero control or even if you have changed it once the Domain Policy is triggered your custom made changes / Installed Programs that happen to be against the company policy are being automatically deleted, any registry changes made are being rewinded etc. Sometimes even by trying to manually clean up your PC from the corporate crapware, you might breaks access to the corporate DMZ firewalled network. A common way to secure their employee PC data large companies have a Network seperation, your PC when not connected to the Corporate VPN is having a certain IP configuration and once connected to the Demilitarized Zone VPN those configuration changes and the PC have access to internal company infrastructure servers / router / switches / firewalls / SANs etc. Access to corporate Infrastructure is handled via crypted VPN clinet such as Cisco AnyConnect Secure Mobility Client which is perhaps one of the most used ones out there.

Part of the common software installed to Monitor your PC for threats / viruses / trojans among which is MCafee / EMET (Enhandced Mitigation Experience Toolkit) the PC is often prebundled with some kind of anti-malware (crapware) :). But the tip of the iceberg on user surveillance where most of surveillance happens is the default installed proxy on the PC which usually does keep track of all your remote accessed HTTP Website URLs accessed in plain text – traffic flowing on Port 80 and crypted one on standard (SSL) Port 443. This Web Traffic is handled by the Central Corporate proxy that is being deployed via some kind of Domain policy, every time the Computer joins the Windows domain.

This of course is a terrible thing for your Browsing security and together with the good security practice to run your browser in Incognito mode, which makes all your browsing activity such as access URLs History or Saved Cookies data to be cleared up on a Browser close it is important to make sure you run your own personal traffic via a separate browser which you will use only for your own concern browsing such as Accessing your Bank Money Accounts to check your Monthly Sallary / Purchase things online via Amazon.com / Ebay.com, whether all of the rest traffic company related is trafficed via the default set corporate central proxy.
This is relatively easy sometimes in companies, where security is not of a top concern but in corporations with tightened security accessing remote proxy, or accessing even common daily news and Public Email websites or social media sites Gmail.com / Twitter / Youtube will be filtered so the only way to reach them will be via some kind of Proxy and often this proxy is the only way out to the Free world from the corporate jail.

Here is where the good old SSH comes as a saving grace as it turns out SSH traffic could be trafficed over a proxy. In below article I will give you a short insight on how Proxy through SSH could be achieved to Secure your dailty web traffic and use SSH to reach your own server on the Internet as well as how you can copy securely data via SSH through corporate Proxy.

1. How to view your corporate used (default) proxy / Check Proxy.pac file definitions

To get an idea what is the used proxy on your Corporate PC (as most corporate employee given notebooks are running some kind of M$ Windows) you can go to:

Windows Control Panel -> Internet Options -> Connections -> Lan Settings

internet-properties-microsoft-windows-screenshot

Under the field Proxy server (check out the Proxy configured Address and Port number )

local-area-network-lan-settings-screenshot-windows-1

Having that as browsers venerate the so-called Proxy.pac file, to be rawly aware on some general Company Proxy configured definitions you can access in a browser the proxy itself fething the proxy.pac file for example.

http://your-corporate-firewall-rpoxy-url:8080/proxy.pac

This is helpful as some companies Proxies have some proxy rules that reveal some things about its Internet architecture and even some have some badly configured proxy.pac files which could be used to fool the proxy under some circumstances 🙂

2. Few of the reasons corporations proxy all their employee's work PC web traffic

The corporate proxying of traffic has a number of goals, some of which are good hearted and others are for mostly spying on the users.

1. Protect Corporate Employees from malicious Viruses / Trojans Horses / Malware / Badware / Whatever ware – EXCELLENT
2. Prevent users from acessing a set of sources that due to the corporate policy are considered harmful (e.g. certain addresses
of information or disinformation of competitors, any Internet source that might preach against the corporation, hacking ralated websites etc.) – NOT GOOD (for the employee / user) and GOOD for the company
3.Spy on the users activity and be able to have evidence against the employee in case he decided to do anything harmful to the company evidences from proxy could even later be used in court if some kind of corpoate infringment occurs due to misbehave of the employee. – PERFECT FOR COMPANY and Complete breach of User privacy and IMHO totally against European Union privacy legislation such as GDRP
4. In companies that are into the field of Aritificial Intelligence / Users behavior could even be used to advance Self-learning bots and mechanisms – NASTY ! YAECKES

…

3. Run SSH Socks proxy to remote SSHd server running on common SSL 443 port

Luckily sysadmins who were ordered the big bosses to sniff on your Web behaviour and preferences could be outsmarted with some hacks.

To protect your Browsing behaviours and Secure your privacy perhaps the best option is to use the Old but gold practice o Securing your Networkf traffic using SSH Over Proxy and SSH Dynamic tunnel as a Proxy as explained in my previous article here.

how-to-use-sshd-server-as-a-proxy-without-a-real-proxy-ssh-socks5_proxy_linux

In short the quest way to have your free of charge SOCKS Remote proxy to your Home based Linux installed OS server / VPN with a Public Internet address is to use ssh as so:

ssh -D 3128 UserName@IP-of-Remote-SSHD-Host -p 443

This will start the SOCKS Proxy tunnel from Corporate Work PC to your Own Home brew server.

For some convenience it is useful to set up an .alias (for cygwin) / linux users in .bashrc file:

alias proxy='ssh -D 3128 UserName@IP-of-Remote-SSHD-Host -p 443';

To start using the Proxy from browser, I use a plugin called FoxyProxy in Chrome and Firefox browsers
set-up to connect to localhost – 127.0.0.1:3128 for All Protocols as a SOCKs v5 Proxy.

The sshd Socks proxy can be used for multiple others for example, using it you can also pass on traffic from Mail client such as Thunderbird to your Email server if you're behind a firewall prohibiting access to the common POP3 port 110 or IMAP port TCP 143.

4. How to access SSH through Proxy using jumphost SSH hop

If you're like me and you have on your Home Linux machine only one Internet address and you have already setupped an SSL enabled service (lets say Webmail) to listen to that Public Internet IP and you don't have the possibility to run another instance of /usr/bin/sshd on port 443 via configuration or manually one time by issuing:

/usr/sbin/sshd -p 443

Then you can use another ssh another Linux server as a jump host to your own home Linux sshd server. This can be done even by purchasing a cheap VPS server for lets say 3 dollars month etc. or even better if you have a friend with another Linux home server, you can ask him to run you sshd on TCP port 443 and add you an ssh account.
Once you have the second Linux machine as JumpHost to reach out to your own machine use:

ssh -J Your-User@Your-jump-host.com:443 hipo@your-home-server.com -v

To easify this a bit long line it is handy to use some kind of alias like:

alias sshhome='ssh -J Your-User@Your-jump-host.com:443 hipo@your-home-server.com -v'

The advantage here is just by issuing this sshd tunnel and keeping it open in a terminal or setting it up as Plink Putty tunnel you have all your Web Traffic Secured
between your Work Corporate PC and your Home Brew Server, keeping the curious eyes of your Company Security Officers from your own Web traffic, hence
separating the corporate privacy from your own personal privacy. Using the just established own SSH Proxy Tunnel to home for your non-work stuff browsing habits
from the corporate systems which are accessed by switching with a button click in FoxyProxy to default proxy settings.

5. How to get around paranoid corporate setup where only remote access to Corporate proxy on TCP Port 80 and TCP 443 is available in Browser only

Using straight ssh and to create Proxy will work in most of the cases but it requires SSH access to your remote SSH running server / VPS on TCP Port 22, however under some Fort-Nox like financial involved institutions and companies for the sake of tightened security, it is common that all Outbound TCP Ports are prohibited except TCP Port 80 and SSL 443 as prior said, so what can you do then to get around this badful firewall and access the Internet via your own server Proxy?
The hack to run SSH server either on tcp port 80 or tcp port 443 on remote Host and use 443 / 80 to acess SSHD should work, but then even for the most paranoid corporations the ones who are PCI Compliant – PCI stands for (Payment Card Industry), e.g. works with Debit and Credit Card data etc, accessing even 80 or 443 ports with something like telnet client or netcat will be impossible.
Once connected to the corporate VPN, this 2 two ports firewall exceptions will be only accessible via the Corporate Proxy server defined in a Web Browser (Firefox / IE / Chrome etc.) as prior explained in article.

The remedy here is to use a 3rd party tools such as httptunnel or corkscrew that are able to TUNNEL SSH TRAFFIC VIA CORPORATE PROXY SERVER and access your own resource out of the DMZ.

Both httptunnel and corkscrew are installable both on most Linux distros or for Windows users via CygWin for those who use MobaXterm.

Just to give you better idea on what corkscrew and (hts) httptunnel does, here is Debian packages descriptions.

# apt-cache show corkscrew
" corkscrew is a simple tool to tunnel TCP connections through an HTTP
proxy supporting the CONNECT method. It reads stdin and writes to
stdout during the connection, just like netcat.
.
It can be used for instance to connect to an SSH server running on
a remote 443 port through a strict HTTPS proxy.
"

# apt-cache show httptunnel|grep -i description -A 7
Description-en: Tunnels a data stream in HTTP requests
Creates a bidirectional virtual data stream tunnelled in
HTTP requests. The requests can be sent via a HTTP proxy
if so desired.
.
This can be useful for users behind restrictive firewalls. If WWW
access is allowed through a HTTP proxy, it's possible to use
httptunnel and, say, telnet or PPP to connect to a computer
—
Description-md5: ed96b7d53407ae311a6c5ef2eb229c3f
Homepage: http://www.nocrew.org/software/httptunnel.html
Tag: implemented-in::c, interface::commandline, interface::daemon,
network::client, network::server, network::vpn, protocol::http,
role::program, suite::gnu, use::routing
Section: net
Priority: optional
Filename: pool/main/h/httptunnel/httptunnel_3.3+dfsg-4_amd64.deb

Windows cygwin users can install the tools with:

apt-cyg install –yes corkscrew httptunnel

Linux users respectively with:

apt-get install –yes corkscrew httptunnel

yum install -y corkscrew httptunnel

You will then need to have the following configuration in your user home directory $HOME/.ssh/config file

Host host-addrs-of-remote-home-ssh-server.com
ProxyCommand /usr/bin/corkscrew your-corporate-firewall-rpoxy-url 8080 %h %p

howto-transfer-ssh-traffic-over-proxy

Picture Copyright by Daniel Haxx

The best picture on how ssh traffic is proxied is the one found on Daniel Haxx's website which is a great quick tutorial which originally helped to get the idea of how corkscrew works in proxying traffic I warmly recommend you take a quick look at his SSH Through or over Proxy article.

Host-addrs-of-remote-home-ssh-server.com could be also and IP if you don't have your own domain name in case if using via some cheap VPN Linux server with SSH, or alternatively
if you don't want to spend money on buying domain for SSH server (assuming you don't have such yet) you can use Dyn DNS or NoIP.

Another thing is to setup the proper http_proxy / https_proxy / ftp_proxy variable exports in $HOME/.bashrc in my setup I have the following:

export ftp_proxy="http://your-corporate-firewall-rpoxy-url:8080"
export https_proxy="https://your-corporate-firewall-rpoxy-url:8080"
export http_proxy="http://your-corporate-firewall-rpoxy-url:8080"
export HTTP_PROXY="http://your-corporate-firewall-rpoxy-url:8080"
export HTTPS_PROXY="http://your-corporate-firewall-rpoxy-url:8080"

6. How to Transfer Files / Data via SSH Protocol through Proxy with SCP and SFTP

Next logical question is how to Transfer your own personal encrypted files (that contains no corporate sensitive information) between your Work laptop and home brew Linux ssh server or cheap VPN.

It took me quite a lot of try-outs until finally I got it how Secure Copy (scp) command can be used toto transfer files between my Work Computer and my Home brew server using JumpHost, here is how:

scp -o 'ProxyJump Username@Jumpt-Host-or-IP.com:443' ~/file-or-files-to-copy* Username@home-ssh-server.com:/path/where/to/copy/files

I love using sftp (Secure FTP) command Linux client to copy files and rarely use scp so I have a lot of try-outs to connect interacitvely via the Corporate Proxy server over a Jump-Host:443 to my Destination home machine,

I've tried using netcat as it was pointed in many articles online, like so to traffic my sftp traffic via my localhost binded SSH Socks proxy on :3128 together with netcat as shown in article prior example, using following line:

sftp -oProxyCommand='/bin/nc -X connect -x 127.0.0.1:3128 %h %p' Username@home-ssh-server.com 22

Also tried proxy connect like this:

sftp -o ProxyCommand="proxy-connect -h localhost -p 3128 %h %p" Username@home-ssh-server.com

Moreover, tried to use the ssh command (-s) argument capability to invoke SSH protocol subsystem feature which is used to facilitiate use of SSH secure transport for other application

ssh -v -J hipo@Jump-Host:443 -s sftp root@home-ssh-server.com -v
…

open failed: administratively prohibited: open failed

Finally decided to give a try to the same options arguments as in scp and thanks God it worked and I can even access via the Corporate Proxy through the Jump Host SSH interactively via Secure FTP 🙂

!! THE FINAL WORKING SFTP THROUGH PROXY VIA SSH JUMPHOST !!

sftp -o 'ProxyJump Username@Jumpt-Host-or-IP.com:443' Username@home-ssh-server.com

To save time from typing this long line every time, I've setup the following alias to ~/.bashrc

alias sftphome='sftp -o 'ProxyJump Username@Jumpt-Host-or-IP.com:443' Username@home-ssh-server.com'

Conclusion

Of course using own Proxy via your Home brew SSH Machine as well as transferring your data securely from your Work PC (notebook) to Home does not completely make you Surveillance free, as the Corporate Windows installed OS image is perhaps prebundled with its own integrated Keylogger as well as the Windows Domain administrators have certainly access to connect to your PC and run various commands, so this kind of Security is just an attempt to make company has less control and know less on your browsing habits and the best solution where possible to secure your privacy and separate your Personal Space form Work space by using a second computer (if having the ability to work from home) with a KVM Switch device and switch over your Work PC and Home PC via it or in some cases (where companies) allows it, setup something like VNC server (TightVNC / RealVNC) on work PC and leave it all time running in office and connect remotely with vncviewer from your own controlled secured computer.

In article I've explained shortly common scenario found in corporate Work computers proxy setup, designed to Surveil all your move, mentioned few common softwares running by default to protect from Viruses and aimed to Protect user from malicious hacking tools, explained how to view your work notebook configured Proxy, shortly mentioned on Proxy.pac and hinted how to view proxy.pac config as well as gave few of the reasons why all web traffic is being routed over central proxy.

That's all folks, Enjoy the Freedom to be less surveilled !

Tags: access, alias, amd64, cygwin, Debian, fedora, get around corporate firewalls, good, hipo, host, How to, kind, linux users, Luckily, network traffic, pc-freak, pcfreak, personal privacy, ports, proxy socks ssh, Socks Proxy, ssh over proxy, ssh proxy without proxy, sshd, tcp, TightVNC, using
Posted in Company onboarding basics, Computer Security, Hacks, Various | 3 Comments »

☩ Walking in Light with Christ – Faith, Computing, Diary

Posts Tagged ‘amd64’

Fix Update KB5060999 Not Installing On Windows 11 Version 23H2/22H2 / Fix windows Update failed

1. Check logs and find error message / problems in CBS.log

2. Download from Windows catalog the Update

3. Use Winrar or 7Zip to extract the msu in local Directory

4. Remove old package existing on the Windows 11 OS with the same name using DISM tool with /online /remove-package options

5. Use DISM /online /add-package to manually insatall windows11.0-kb5049624-x64-ndp481_6990e824379adc100fd7895adb30e692697381d7\Windows11.0-KB5049624-x64-NDP481.cab

6. Force a Windows chkdsk (Check disk on next restart) to make sure no physical hard drive or some other inode Windows Filesystem errors are there

7. Stop / start wuauserv and do sfc /scannow to refresh some Windows update components

8. Download Manually failing update from Windows catalog download site:

9. Run Manually again failing Update from command line

10. Resync the device to the Computer Domain (mandatory step) only if your PC is part of large organizational Domain

11. Force the PC to sync itself with remote Global Domain policies (mandatory only if PC is part of Domain)

Howto Pass SSH traffic through a Secured Corporate Proxy server with corkscrew, using sshd as a standalone proxy service with no proxy installed on remote Linux server or VPS

1. How to view your corporate used (default) proxy / Check Proxy.pac file definitions

2. Few of the reasons corporations proxy all their employee's work PC web traffic

3. Run SSH Socks proxy to remote SSHd server running on common SSL 443 port

4. How to access SSH through Proxy using jumphost SSH hop

5. How to get around paranoid corporate setup where only remote access to Corporate proxy on TCP Port 80 and TCP 443 is available in Browser only

6. How to Transfer Files / Data via SSH Protocol through Proxy with SCP and SFTP

Conclusion

Daily Bible quote

GET ARTICLE UPDATES

Useful blog? Help it:

Links to Other Places

Recent Posts

Ads

Categories

About Myself

Recent Comments

Top Post Views

blogtopsites

Posts Tagged ‘amd64’

PipeWire buffer/quantum size too aggressive?

1. Check logs and find error message / problems in CBS.log

2. Download from Windows catalog the Update

3. Use Winrar or 7Zip to extract the msu in local Directory

4. Remove old package existing on the Windows 11 OS with the same name using DISM tool with /online /remove-package options

5. Use DISM /online /add-package to manually insatall windows11.0-kb5049624-x64-ndp481_6990e824379adc100fd7895adb30e692697381d7\Windows11.0-KB5049624-x64-NDP481.cab

6. Force a Windows chkdsk (Check disk on next restart) to make sure no physical hard drive or some other inode Windows Filesystem errors are there

7. Stop / start wuauserv and do sfc /scannow to refresh some Windows update components

8. Download Manually failing update from Windows catalog download site:

9. Run Manually again failing Update from command line

10. Resync the device to the Computer Domain (mandatory step) only if your PC is part of large organizational Domain

11. Force the PC to sync itself with remote Global Domain policies (mandatory only if PC is part of Domain)

gocryptfs – simple. secure. fast encryption.

Step-by-step: Encrypting a Directory with gocryptfs

# apt-cache show gocryptfs

1. Install gocryptfs

2. Create Two Directories

3. Initialize Encrypted Directory

4. Mount the Encrypted Directory

5. Use the Decrypted View

6. Unmount When Done

# ls -1 /decrypted_dir/ ├── gocryptfs.conf ├── 2YI8IfnpP6qThZUE1Mo-YA ├── 8o8TUS3LgI6K0WZjaPAjkg └── WmJyYmAKoLJINkWyXr3UAw/

7. AutoMount on boot

8. Use Case Example for gocryptfs -reverse

First, create a gocryptfs config:

Mount in reverse mode:

9. Create Archive or Sync Backup

10. Few more Tips

10. Use gocryptfs cppcryptfs (native Windows port)

1. Debugging what is going on on a network level interactively with iptraf-ng

2. Use hackers old tool sniffit to monitor current ongoing traffic and read plain text messages

3. Use bmon to monitor bandwidth and any potential traffic losses and check qdisc pfifo Linux network stack queues

4. Use nethogs net diagnosis text interactive tool

5;.Use iftop – to display network interface usage

6. Ettercap (tool) to active and passive dissect network protocols for in depth network and host analysis

7. iperf and netperf to measure connecitivity speed on Network LAN and between Linux server hosts

Testing TCP throughput using iPerf

Test TCP Throughput in Local LAN

Test TCP Throughput in a WAN Network

UDP Throughput in a WAN

Sum it up what learned

1. Check SetEnvIf is Loaded on the Webserver

2. Using SetEnvIf to omit certain string to get logged inside apache access.log

3. Disable Apache logging access.log from certain USERAGENT browser

4. Disable Apache logging from requests coming from certain FQDN (Fully Qualified Domain Name) localhost 127.0.0.1 or concrete IP / IPv6 address

5. Disable robots.txt Web Crawlers requests from being logged in access.log

6. Disable Apache requests in access.log and error.log completely

7. Restart Apache WebServer to load settings

What we learned ?

1. Use the good old times rinetd – internet “redirection server” service

+ Configuring a new port redirect with rinetd

[bindaddress] [bindport] [connectaddress] [connectport]

+ Using rinetd to redirect External interface IP to loopback's port (127.0.0.1)

2. Redirect TCP / IP port using DNAT iptables firewall rules

3. Redirect TCP traffic connections with redir tool

+ Use redir to redirect TCP traffic one time

+ Making TCP port forwarding from Host A to Host B permanent

1. List all RPM installed packages by Size on CentOS / SuSE

2. List all installed RPM packages sorted by size on Fedora

3. List all installed DEB packages on Debian / Ubuntu / Mint etc. with dpkg / aptitude / apt-get and wajig

4. List installed packages order by size in Arch Linux

4. Debian Goodies

5. Checking where your space is gone in a Spacesniffer like GUI manner with Baobab

6. Use ncdu or duper perl script tool to generate directory disk usage in ASCII chart bar

Conclusion

1. How to view your corporate used (default) proxy / Check Proxy.pac file definitions

2. Few of the reasons corporations proxy all their employee's work PC web traffic

3. Run SSH Socks proxy to remote SSHd server running on common SSL 443 port

4. How to access SSH through Proxy using jumphost SSH hop

5. How to get around paranoid corporate setup where only remote access to Corporate proxy on TCP Port 80 and TCP 443 is available in Browser only

6. How to Transfer Files / Data via SSH Protocol through Proxy with SCP and SFTP

Conclusion

Daily Bible quote

GET ARTICLE UPDATES

Useful blog? Help it:

Links to Other Places

Recent Posts

Ads

Categories

# ls -1 /decrypted_dir/
├── gocryptfs.conf
├── 2YI8IfnpP6qThZUE1Mo-YA
├── 8o8TUS3LgI6K0WZjaPAjkg
└── WmJyYmAKoLJINkWyXr3UAw/

3. Use bmon to monitor bandwidth and any potential traffic losses and check qdisc pfifo
Linux network stack queues