Tech – Page 2 – Ryan Schulze

Odroid XU4 case

September 11, 2018September 11, 2018Ryanodroid

It’s been quiet here lately. I moved back to Germany and have taken on new responsibilities at work. We are slowly getting settled in, although i still have to get the network at the new apartment up and running the way I want it. I expect to post here more often once I have more time for side projects.

One thing I recently acquired and really like, is a new case for my Odroid XU4.
The small 5v Noctua fan fits very nicely in it and is virtually silent, together with the large heatsink it stays cool enough and seldom has to throttle the CPU.
I prefer the odroid over a raspberry pi for “small server” tasks since it has a Gbit interface (that isn’t shared on the USB bus) and supports eMMC modules (no one enjoys waiting on I/O).

A short list of cheap but useful network devices to have handy.

March 20, 2018March 20, 2018Ryango bag, hardware, network

Here is a snort list of useful, off the shelf, network devices that sell for around $50. Not necessarily stuff that you would want use long-term in production, but more for the one-off projects or for troubleshooting.

First off is a 5-Port Gigabit switch from Netgear (the GS105Ev2).
It is interesting because it supports port mirroring and only costs about $35. That’s a really good price. It obviously isn’t going to replace a real network tap and you will lose traffic if the upstream plus downstream you are copying are together more than 1Gbit of traffic (but that’s a problem you always have when mirroring ports 1:1). It is dirt cheap, fanless and small enough to throw in a bag, can’t go wrong with this one. Need a temporary tap to monitor traffic? Just pop it inline and you are good to go.

If you are more of a DIY kind of person, I’d suggest the ESPRESSObin.
It sells for about $50 and is a single board computer with Gigabit network interfaces and a SATA interface. It is based on ARM architecture and runs Linux.
Since it has multiple Gbit interfaces and you can hook a HDD up to it you have a wide array of possibilities you could use it for. A lot of network traffic monitoring situations come to mind, where you would want to keep copies of the traffic in question for later analysis.

Another little useful device is the EdgeRouter X from Ubiquiti.
As the name suggests it’s a router and sells for about $55 The nice thing about this device is that it runs Linux (or more specifically a fork of Vyatta), so you can dig into it to get it to do things not available on the GUI.
5 Gbit ports, RIP and OSPF routing protocols, usual SOHO features like Firewall, VPN, QoS. Behaves a lot like a switch with some routing functionality. Unfortunately I couldn’t get port mirroring to work reliably but aside from that it’s still an impressive little router.

Strict-Transport-Security

March 18, 2018April 3, 2018Ryan

I finally got around to setting the Strict-Transport-Security header on all my HTTPS websites. The current age is set to 1 month and I’ll gradually up that to 6 months if no problems pop up.

In case anyone is curious, I terminate SSL on a haproxy, which then sends requests to various backends (containers on the same physical server). This makes it really easy to deal with Let’s Encrypt (just need one agent/script installed on the haproxy host that deals with all incoming /.well-known/acme-challenge/ requests), and I can keep all HTTPS settings central and don’t have to worry about configuration creep or any settings falling through the cracks for oddball subdomains.

How to use ansible to scan for Spectre/Meltdown vulnerable hosts

February 1, 2018February 1, 2018Ryanmeltdown, spectre

First of all head on over to github and download a spectre-meltdown-checker that supports JSON output. Now all we need is a ansible playbook that calls that script:

- name: Run Spectre/Meltdown checker on hosts
  hosts: all
  gather_facts: false
  tasks:
    - script: tools/spectre-meltdown-checker.sh --batch json --live
      register: spectre_output
      failed_when: false

    - set_fact: 
        spectre_json: "{{ spectre_output.stdout|from_json }}"

    - name: Output vulnerability status
      debug: 
        msg: "Vulnerable to {{ item.NAME }} - {{ item.INFOS }}"
      with_items: "{{ spectre_json }}"
      failed_when: item.VULNERABLE
      when: item.VULNERABLE

- name: Run Spectre/Meltdown checker on hosts

hosts: all

gather_facts: false

tasks:

- script: tools/spectre-meltdown-checker.sh --batch json --live

failed_when: false

- set_fact:

spectre_json: "{{ spectre_output.stdout|from_json }}"

- name: Output vulnerability status

debug:

msg: "Vulnerable to {{ item.NAME }} - {{ item.INFOS }}"

with_items: "{{ spectre_json }}"

failed_when: item.VULNERABLE

when: item.VULNERABLE

Important is to adjust the path to spectre-meltdown-checker.sh in the script: task (the path is relative to wherever your playboook file is). Adapt to your needs however you want. It is basically just feeding the output of the script into the from_json filter, storing it in a variable and then iterating over the result via with_items.

Example output:

(vulnerable to CVE-2017-5715 since Intel retracted their microcode updates and haven’t released new ones yet)

How to colorize manpages

December 15, 2017February 1, 2018Ryanbash

I’m surprised I’ve never posted this here before. Turning manpages from monochrome to color is super easy.

There are a few LESS_TERMCAP_* environment variables you can adjust. Here is a list of useful ones to change

ks      make the keypad send commands
ke      make the keypad send digits
vb      emit visual bell
mb      start blink
md      start bold
me      turn off bold, blink and underline
so      start standout (reverse video)
se      stop standout
us      start underline
ue      stop underline

ks make the keypad send commands

ke make the keypad send digits

vb emit visual bell

mb start blink

md start bold

me turn off bold, blink and underline

so start standout (reverse video)

se stop standout

us start underline

ue stop underline

I prefer to only set them for man, so I put this little function in my ~/.bashrc

man () {
  LESS_TERMCAP_mb=$(tput setaf 4)\
  LESS_TERMCAP_md=$(tput setaf 4;tput bold) \
  LESS_TERMCAP_so=$(tput setaf 7;tput setab 4;tput bold) \
  LESS_TERMCAP_us=$(tput setaf 6) \
  LESS_TERMCAP_me=$(tput sgr0) \
  LESS_TERMCAP_se=$(tput sgr0) \
  LESS_TERMCAP_ue=$(tput sgr0) \
  command man "$@"
}

man () {

LESS_TERMCAP_mb=$(tput setaf 4)\

LESS_TERMCAP_md=$(tput setaf 4;tput bold) \

LESS_TERMCAP_so=$(tput setaf 7;tput setab 4;tput bold) \

LESS_TERMCAP_us=$(tput setaf 6) \

LESS_TERMCAP_me=$(tput sgr0) \

LESS_TERMCAP_se=$(tput sgr0) \

LESS_TERMCAP_ue=$(tput sgr0) \

command man "$@"

}