Thursday, November 27, 2014

How to set up pfSense software RAID in 2.1.5-RELEASE (amd64)

Here is an example of how to create a software RAID1 in pfSense 2.1.5.

I created a lab in VirtualBox with two 8GB thin provisioned disks and installed pfSense: "pfsense.vdi" and "pfsense2.vdi".





During the install, I chose "1," to boot with the default settings.
The initialization screen defaults to the LiveCD installer. Skip that and press "I" to install directly.
Accept the default settings for the Video and Keymap
Then we want to choose "Setup GEOM Mirror"
Confirm the selection
Now we choose the Primary disk and press enter
Choose the Mirror disk and press enter.
Verify no errors exist. Press Enter.
Choose the Custom Install
Then we choose the mirror/pfSenseMirror we just created.
Format the disk
Use the default disk geometry (just tab to "Use this Geometry")
Format the mirror/pfSenseMirror
Choose Partition Disk
Accept and Create the default settings
Choose "Yes, partition mirror/pfSenseMirror"
Press "OK"
Now, we want to uncheck "Install Bootblock" and make sure "Packet mode" is unchecked as well.
Accept and install
Press "OK"
Choose the default partition slice.
Confirm "OK", then "OK" again
Choose the defaults for the subpartitions (tab to "Accept and Create")
Once the install writes to the mirror, choose "Symmetric multiprocessing kernel", unless you are creating a headless RS232 serial-only interface.
Eject the virtual CD and Reboot.
Once the system reboots, configure pfSense like normal.


We now have a RAID1 mirror of the disks. We can now test booting by removing either of the virtual disks and booting pfSense. In the lab, I've removed the primary disk "pfsense.vdi" and it's booting off the mirror "pfsense2.vdi".





pfSense lacks notification (by default) on a degraded RAID mirror. You can manually check the status of the disk health by going into the console and typing "gmirror status". You can also see the status of the mirror when I shut down the VM (at about the 58 second mark):
GEOM_MIRROR: Device pfSenseMirror destroyed.
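
Since nothing alerts on a degraded mirror by default, here is a small check that could be run from cron. It is an added example, not part of the original post; it assumes the usual "gmirror status" column layout, and the sample outputs in it are constructed. It also flags a mirror that reports COMPLETE with only one disk in it.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumes the usual `gmirror status` layout: a header row, then one row per
# mirror (name, status, first component) and one row per extra component.

# mirror_health [expected_components]
# Reads `gmirror status` text on stdin and prints one line per problem.
# Returns 0 if healthy, 1 if any problem was found, 2 if no mirror was listed.
mirror_health() {
    awk -v want="${1:-2}" '
        function check_count() {
            if (name != "" && ncomp < want) {
                printf "%s: only %d component(s), expected %d\n", name, ncomp, want
                bad++
            }
        }
        NF == 0 || $1 == "Name" { next }             # blank line or header row
        $1 ~ /^mirror\// {                            # first row of a mirror
            check_count()
            name = $1; ncomp = 0; seen++; first = 3
            if ($2 != "COMPLETE") { printf "%s: status %s\n", name, $2; bad++ }
        }
        $1 !~ /^mirror\// { first = 1 }               # continuation row
        first <= NF {
            state = ""
            for (i = first + 1; i <= NF; i++) state = state (state == "" ? "" : " ") $i
            gsub(/[()]/, "", state)                   # "(ACTIVE)" -> "ACTIVE"
            ncomp++
            if (state != "ACTIVE") {
                printf "%s: component %s is %s\n", name, $first, state
                bad++
            }
        }
        END {
            check_count()
            if (!seen) { print "no mirror found"; exit 2 }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample outputs (not captured from a real system).
sample_healthy() { cat <<'EOF'
                Name    Status  Components
mirror/pfSenseMirror  COMPLETE  ad0 (ACTIVE)
                                ad1 (ACTIVE)
EOF
}
sample_degraded() { cat <<'EOF'
                Name    Status  Components
mirror/pfSenseMirror  DEGRADED  ad0 (ACTIVE)
                                ad1 (SYNCHRONIZING, 42%)
EOF
}
sample_single() { cat <<'EOF'
                Name    Status  Components
mirror/pfSenseMirror  COMPLETE  ad0 (ACTIVE)
EOF
}

# Demo on the samples; on pfSense use: gmirror status | mirror_health
for s in sample_healthy sample_degraded sample_single; do
    $s | mirror_health || echo "  -> $s: mirror needs attention"
done
```
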


To mimic rebuilding a disk, in my lab I created a new volume called "pfsense3.vdi" and made it a blank 8GB, thin provisioned disk to match what I was replacing.





To rebuild the disk, I first checked the status of the disks, "gmirror status"
I destroyed the mirror "gmirror forget pfSenseMirror"
Now, "gmirror status" shows COMPLETE (with just one disk, ad0)
I looked at which disks were present, "atacontrol list" and saw ad1 available and not part of the mirror. This is the new blank disk we want to become part of the mirror.
Inserted it into the mirror with "gmirror insert pfSenseMirror /dev/ad1"
It will start rebuilding. We can check the sync status with "gmirror status" again.
Once complete, you will get the message:
GEOM_MIRROR: Device pfSenseMirror: rebuilding provider ad1 finished.
This will take some time in a normal install. This VM was installed over an SSD on a blank install. Expect some time for it to synchronize.
"gmirror status" should now show us both ad0 and ad1 as ACTIVE.

Friday, October 31, 2014

Gap for Gimp (gif creator) Windows Installer mirror

Mirror for Gap for Gimp version 2 (Gimp-GAP-2.6.0-Setup2).

MD5 938d9da31c2e9c34de1612e80d5b9a0c
SHA1 4422fb72a27ff73261e3b7ec1ec5c199cd1913ac
SHA256 6c7287cef151dfed96cd8a86a5d097fa40f691c28dcb071b127ee384620ea3fe



Download link  (Current as of 10/31/2014)




Source: http://photocomix-resources.deviantart.com/art/GAP-2-6-for-Gimp-2-6-Windows-135464357

Saturday, October 11, 2014

Re-enable non Chrome Store extensions in Stable/Beta builds - Chrome version 38.0.2125.101 m

I wrote an extension a while back for Chrome to help me export bulk DNS requests in xml format so I could import them into my firewall easier.

Since Google blocked apps/extensions from being installed from outside the Chrome store, I wasn't able to run the app I wrote without becoming an official developer... So I didn't bother.

I finally found a (sane) solution to the problem. This was posted on the Google Product Forums. Thought I'd share the steps with a bit more detail:

  1. Download the Chrome group policy templates: http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip (Mirror located here: https://drive.google.com/file/d/0B_Kat9gPjQAVdXV2Q3BEOVpja28, MD5 hash: 7eac305720bb2f70e9e3940205b45796)
  2. Extract the files. Copy (zip)\policy_templates\windows\admx\chrome.admx to C:\Windows\PolicyDefinitions\
  3. Copy (zip)\policy_templates\windows\admx\en-US\chrome.adml (or your language/region) to C:\Windows\PolicyDefinitions\en-US
  4. Open Chrome and go to Options > Tools > Extensions (Or simply chrome://extensions/) and at the top, check Developer mode (if not already checked)
  5. Scroll for the extension you wish to re-enable. You should be able to double click on the ID to select it, then copy. 
  6. If you've already uninstalled the extension, you can drag the .crx file back into this extensions page to reinstall it. You will not be able to enable it yet, but this will give us the ID needed to whitelist it.
  7. Run gpedit.msc from the start menu or command line (Or, if running a Home Edition version of Windows, MMC and add the Group Policy Editor snap-in)
  8. Expand User Configuration > Administrative Templates > Google > Google Chrome (not the Google Chrome with "Default Settings" in the name) > Extensions
  9. Edit the Configure extension installation whitelist on the right pane.
  10. Change the options from Not Configured to Enabled.
  11. Under the Options, click the Show button and paste in the Extension ID(s) you want to re-enable. 
  12. Ok and close out of the group policy editor. Close out of Chrome completely (check the task manager to be sure).
  13. Once you launch Chrome, navigate back to your extensions. You will now have the ability to re-enable your app/extension.

Tuesday, September 30, 2014

How to get Ubuntu 14.04 security update notifications sent to your inbox using Gmail.

We can set up a cron job to email security updates using Gmail over SSMTP (yes, the same app we used before to send email notifications for someone pressing the doorbell in a previous project). SSMTP, not to be confused with SMTP, is easy enough to use and set up, but it's not the most secure as your password is in plain text. I recommend signing up for and using a throwaway/junk Gmail account for this.

Prerequisites:

  • Ubuntu 14.04 LTS Server
  • A spare gmail account that you don't care about



SU into root and install ssmtp:

sudo su - 
apt-get install ssmtp

Move the default config to a backup:

mv /etc/ssmtp/ssmtp.conf /etc/ssmtp/ssmtp.bkp

We are going to create a new conf file in its place:

vi /etc/ssmtp/ssmtp.conf

(for new vi users press "i" here to enter insert mode... or just use nano or whatever you prefer)

# The user that gets all the mails (UID < 1000, usually the admin)
root=youremail@gmail.com

# The mail server (where the mail is sent to), both port 465 or 587 should be acceptable
# See also http://mail.google.com/support/bin/answer.py?answer=78799
mailhub=smtp.gmail.com:587

# The address where the mail appears to come from for user authentication.
rewriteDomain=gmail.com

# The full hostname
hostname=yourhostname

# Use SSL/TLS before starting negotiation
UseTLS=Yes
UseSTARTTLS=Yes

# Username/Password
AuthUser=youremail@gmail.com
AuthPass=yourpassword

# Email 'From header's can override the default domain?
FromLineOverride=yes

(again, for new vi users save the file by pressing Escape and typing :wq)

Update the security for your conf file since your password is in plain text:
chmod 640 /etc/ssmtp/ssmtp.conf

cd back to root:
cd /root
(or just simply type cd to get home)

Verify your SSMTP is working and has proper permissions:

echo "Hello world" >  test.txt
cat test.txt | ssmtp myemail@gmail.com



Once you receive an email (make sure to check the sent folder on the sending side and the spam folder on the receiving end), we can check for security updates using the command from my previous post:

/usr/lib/update-notifier/apt-check --human-readable

To break this down, look at what it's doing. /usr/lib/update-notifier/apt-check by itself returns a very unhelpful 0;0. The --human-readable directive adds some verbosity:

0 packages can be updated.
0 updates are security updates.

...but we don't want an email for every chrome/firefox/general bug update. We want to focus in on the security patches. To do this, we can use grep to give us just the security update totals. The command so far: check for updates, make the output easy to read, and pipe it to "grep" with "-i" (case insensitive) and the term "security".

/usr/lib/update-notifier/apt-check --human-readable | grep -i security

and the output

0 updates are security updates.

The output is better: now we see only "0 updates are security updates." We can distill it even further with awk.

/usr/lib/update-notifier/apt-check --human-readable | grep -i security  | awk '{ print $1 }'

So, that line is reduced to the first set of numbers. Literally the number itself

0

We are passing awk the argument $1, which means the first whitespace-separated field in that row, here the number. We can now put together a very simple and crude cron job (there are many ways to skin a cat, this is for demonstrative purposes... also because I'm not the world's best scripter)




Let's start off by creating the script.

vi patch_notify.sh

Now, we can paste in the following:

#!/bin/bash
# Date and time used in the subject and body of the email
CURDATE=`date`
TTIME=`date +"%r"`

# Number of pending security updates (first field of the "security" line)
SECUPD=$( /usr/lib/update-notifier/apt-check --human-readable | grep -i security  | awk '{ print $1 }' )

if [ $SECUPD -eq "0" ]
then
       echo "There are $SECUPD updates."
else
       if [ $SECUPD -eq "1" ]
       then
       # The message and the closing EOF start at column 0: <<- strips leading
       # tabs only, so space-indented lines would break the headers and the EOF.
       ssmtp your-send-to-email@gmail.com <<-EOF
From: username <youremail@gmail.com>
To: your-send-to-email@gmail.com
Subject: Weekly security updates - $CURDATE

$SECUPD security update is waiting for your installation as of $TTIME.
EOF
       else
               if [ $SECUPD -gt "1" ]
               then
               ssmtp your-send-to-email@gmail.com <<-EOF
From: username <youremail@gmail.com>
To: your-send-to-email@gmail.com
Subject: Weekly security updates - $CURDATE

$SECUPD security updates are waiting for your installation as of $TTIME.
EOF
               fi
       fi
fi


To break this script down, ultimately it's in 3 parts. Is the patch total 0? No emails. Is the patch level 1, yes, email (but with proper syntax; singular vs plural, because I'm anal like that). Is there more than one patch? Yes, send an email.

To get into the guts of it

We are telling it to use (the recently very infamous) bash shell.
#!/bin/bash
Now we are setting the variables for the date and time
CURDATE=`date`
TTIME=`date +"%r"`
You can run date in the command line and see what's copied into the variable CURDATE. Likewise, date +"%r" shows just the time, e.g. 06:58:46 PM, which is copied into TTIME.

We are also setting the SECUPD variable. This takes the output from awk and assigns it to SECUPD.

SECUPD=$( /usr/lib/update-notifier/apt-check --human-readable | grep -i security  | awk '{ print $1 }' )

The only difference is the formatting around the command.

The -eq command operator is "equal". So we are saying if the value of $SECUPD is exactly 0,

if [ $SECUPD -eq "0" ]
echo "There are $SECUPD updates."

We display "There are 0 updates." and an email is not generated.


If there is 1 security update for us:

if [ $SECUPD -eq "1" ]

We send an email to our main email address. The subject will show "Weekly security updates" and the current date. The body will show

$SECUPD security update is waiting for your installation as of $TTIME.
or
1 security update is waiting for your installation as of 07:01:32 PM.

The EOF's encapsulate what will be sent to SSMTP


If there is more than one update available:

if [ $SECUPD -gt "1" ]
If the updates are greater than one, (not greater or equal, but literally 2+) then we send this:

$SECUPD security updates are waiting for your installation as of $TTIME.
or
12 security updates are waiting for your installation as of 07:03:13 PM.

We now need to make our script executable

chmod +x patch_notify.sh

You should just be able to run

./patch_notify.sh

If you have no critical patches, you should see:

There are 0 updates.



This script is butchered pretty bad, but it's a good beginner script. You can change the context, remove the dates, the layout, the wording. You can also simplify it to send you an email only if it's above a dozen updates. Or even send you an email, regardless of how many security patches, even 0, at a set interval with cron.

So, now to automate the script (this was written for Debian based systems, specifically Ubuntu 14.04 LTS Server... but should be pretty close to the same across all platforms)

We are going to do a weekly scan, on a Saturday at noon.

Edit the crontab:

crontab -e

To edit the cron job (also crontab -l to list jobs you already have)

0 12 * * 6 /root/patch_notify.sh

This tells the cron daemon to run your script at its absolute path, /root/patch_notify.sh, every Saturday at noon.

Feel free to bug me and ask questions (or correct me... I know I probably screwed up somewhere... but it's working for me so far)

Check how many security updates are available on Ubuntu 14.04 LTS

/usr/lib/update-notifier/apt-check --human-readable | grep -i security


This can be added to a cron job or via your favorite notification method. It's part of the MOTD when you first log in, but if you are like me, you do not log out that often, so it comes in handy.

Saturday, July 19, 2014

Use Arduino Yun to send emails (simple instructions for new users)

To send emails for your projects in Arduino Yun, you can install SSMTP. SSMTP allows you to send emails directly from the Yun and is a package you can install from the browser or over SSH.

I'll create a simple project to demonstrate pushing a button to send an email. First, we need to set up the Yun. Make sure it's connected to wifi and you can connect to it over SSH.

Using putty (or your favorite terminal) log into the Yun as root and update your packages:
opkg update

Install SSMTP 
opkg install ssmtp

Once installed, make a backup of the current ssmtp conf file
mv /etc/ssmtp/ssmtp.conf /etc/ssmtp/ssmtp.bkp

Create a new conf file
vi /etc/ssmtp/ssmtp.conf

(for new vi users press "I" here to enter insert mode)

Paste this in and update your email, password and username (works with Google Hosted email accounts as well)
# The user that gets all the mails (UID < 1000, usually the admin)
root=my@email.com

# The mail server (where the mail is sent to), both port 465 or 587 should be acceptable
# See also http://mail.google.com/support/bin/answer.py?answer=78799
mailhub=smtp.gmail.com:587

# The address where the mail appears to come from for user authentication.
rewriteDomain=gmail.com

# The full hostname
hostname=YUN

# Use SSL/TLS before starting negotiation
UseTLS=Yes
UseSTARTTLS=Yes

# Username/Password
AuthUser=my@email.com
AuthPass=password

# Email 'From header's can override the default domain?
FromLineOverride=yes


(again, for new vi users save the file by pressing Escape and typing :wq)

Update the security for your conf file since your password is in plain text
chmod 640 /etc/ssmtp/ssmtp.conf

Go back to /root
cd /root

Create a new test file called test.txt with "Hello world"
echo "Hello world" >  test.txt

Now we can test this out by sending it to an email
cat test.txt | ssmtp myemail@gmail.com

If it works you should get an email from "root" with no subject and "Hello world" in the body



Once this works, we can create a simple push button project to send that email whenever a button is pressed.

Make sure your Arduino app is installed and you have selected the board Arduino Yun and the port is set to the correct IP. 
  • Tools > Board > Arduino Yun
  • Tools > Port > YUN at 192.168.x.x (Arduino Yún)
Clear out the blank sketch and paste this


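#include <FileIO.h>
#include <Process.h>

// Digital pin the push button is wired to
int pushButton = 2;

void setup() {
  Bridge.begin();               // start the bridge to the Linux side of the Yun
  Serial.begin(9600);
  FileSystem.begin();
  pinMode(pushButton, INPUT);   // read the button as a plain digital input
}

void loop() {
  // read the pin number 2
  int buttonState = digitalRead(pushButton);

  Process p;
  if (buttonState > 0) {
    // button pressed: mail the contents of test.txt through ssmtp
    p.runShellCommand("cat /root/test.txt | ssmtp myemail@gmail.com");
  }
  delay(5);  // wait 5 milliseconds before you do it again
}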

Unplug the Yun and wire it up like this. I'm using a 10K ohm resistor.




Power it up and wait for it to connect to wifi. Now you should be able to press the button and get an email.




Some notes on this setup.

The code is very small so it has some shortcomings. The delay is set to 5 milliseconds, which should be good for a quick press... but if you hold it down too long you will get multiple emails. There are ways around this using (millis) and other tricks, but the purpose of this example is for a simple code to use so you can build on.

Also, you can modify the test.txt file to include a subject, or even insert values. vi the file again and use this template instead:

From:arduino yun
Subject: put subject here
put message body here

Saturday, June 14, 2014

Debugging Elertus (and a general review)

Since no information on the hacking of the Elertus door/water sensor is available, I thought I'd share some basic information about the device.

The Elertus is a simple, but powerful, wifi alert sensor. It captures temperature, humidity, light, movement and optionally a door sensor or water sensor. It then sends an email/sms/push notification to your Android.

There's not much in the way of a custom Android app for this to tie in with IFTTT and the app itself is pretty basic. The device connects to Elertus every hour (or more frequently if movement is detected). The app connects to the Elertus server. The app never connects directly to the device, except during initial setup.

Using Wireshark to capture the packets, it looks to be a very basic POST to 108.166.81.152 with the following information:


device_type=1
posix_time=1402786108
email_id=test@test.com
mac_address=000680000000
alert_flags=
light=5
temp=301
humidity=50
battery=100
motion=1
int_contact=1
ext_contact=1
ext_temp=-1
fw_ver=4.0.1_EL_v7
debug=rssi:49


The device itself seems to be very basic. The CPU is a Freescale Kinetis K (K10 48pin series) with the following specs:



Silicon - Rev 2.0
MC Partnumber - MK10DN512VLK10(R)
Superset - PK10DN512ZVLK10
CPU Frequency - 100MHz
Package - 80LQFP
Total Flash Memory - 512KB
Flash - 512KB
SRAM - 128KB




The Elertus device lacks in some basic areas:

  • No graphing
  • No "all clear" when the threshold for alert situation subsides
  • No IFTTT integration
  • Fixed hourly check-ins with no option to adjust
  • Battery powered only
  • Fixed external IP with information sent cleartext, unencrypted
  • No Android integrated features (widgets, nested api, deep links)
  • The alerts advise you of an alert, but not what the alert is. You have to open the app.
  • No way of updating the firmware, from what I've seen... but I could be wrong...
I've tackled the graphing issue by setting up a small VM with wireshark to continually monitor any traffic from the mac address to the external IP with a filter for the POST traffic. This in turn updates a very basic sql server with the temperature and humidity levels and displays this information on an internal webserver. While not ideal, this is the only way I can find to hack the Elertus to enable historical view. 
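
Because the check-in is sent unencrypted, everything in it, including the account email and the MAC address, can be read straight off the wire. As an added example (not the code running on my VM), this is one way to turn a captured POST body into a row for logging. It assumes the body is form-encoded with the fields joined by "&"; the sample body is constructed from the field values listed above.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: the POST body is form-encoded (key=value pairs joined by "&").

# elertus_fields: body on stdin -> one "key<TAB>value" line per field,
# with %XX escapes and "+" decoded.
elertus_fields() {
    awk '
        function unhex(h) { return index("0123456789ABCDEF", toupper(h)) - 1 }
        function urldecode(s,    out, c) {
            gsub(/\+/, " ", s)
            out = ""
            while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
                c = unhex(substr(s, RSTART + 1, 1)) * 16 + unhex(substr(s, RSTART + 2, 1))
                out = out substr(s, 1, RSTART - 1) sprintf("%c", c)
                s = substr(s, RSTART + 3)
            }
            return out s
        }
        BEGIN { RS = "&" }
        {
            sub(/[\r\n]+$/, "")                   # newline after the last pair
            eq = index($0, "=")
            if (eq > 1) printf "%s\t%s\n", substr($0, 1, eq - 1), urldecode(substr($0, eq + 1))
        }
    '
}

# elertus_csv: body on stdin -> "posix_time,mac_address,temp,humidity"
# (raw values as sent; no unit conversion is attempted).
elertus_csv() {
    elertus_fields | awk -F '\t' '
        { v[$1] = $2 }
        END { printf "%s,%s,%s,%s\n", v["posix_time"], v["mac_address"], v["temp"], v["humidity"] }
    '
}

# Constructed sample body built from the field values shown in this post.
sample_body() {
    printf '%s' 'device_type=1&posix_time=1402786108&email_id=test%40test.com&mac_address=000680000000&alert_flags=&light=5&temp=301&humidity=50&battery=100&motion=1&int_contact=1&ext_contact=1&ext_temp=-1&fw_ver=4.0.1_EL_v7&debug=rssi%3A49'
}

sample_body | elertus_fields   # every field is readable, email and MAC included
sample_body | elertus_csv      # one row per check-in for the database
```
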

While I hope changes are made, I still think this was a good purchase. It does what I need, but can do more. Hopefully an update is in order.

Monday, May 26, 2014

Convert Scribd offline documents to PDF using Android

(Current info as of 2014-05-26 using Android 4.4.2 and Scribd version 3.5.1)

Documents saved offline using the Scribd Android app are stored in

     /data/media/0/document_cache/<DOC ID>

For instance, if the file you are trying to access is:

http://www.scribd.com/doc/20628549/Linux-Commands

The location would be:

     /data/media/0/document_cache/20628549/

The actual file would be:

     /data/media/0/document_cache/20628549/content

This file has no extension, but if you copy it and rename it to a .pdf file you can access it from other PDF viewers or export it to Google Drive/Dropbox

Tuesday, March 25, 2014

Create a DNS ad blocklist in pfSense

The steps are 100% identical to the post about configuring the dns in IPCop (see this) with one extra step

Instead of:

vi /var/ipcop/dhcp/dnsmasq.local

Do this

vi /usr/local/etc/dnsmasq.conf

You will notice that this will create a new file if it's your first time. All other steps are identical (here).

Verified working on pfSense 2.1-RELEASE (amd64) 

Wednesday, January 1, 2014

Flash Maguro AOKP ROM on Toroplus Galaxy Nexus

AOKP stopped support for ToroPlus (Sprint) devices since jb-mr1, but you can still flash the Maguro version on top of it. This will probably prevent the phone from functioning as a phone, but will allow you to use the phone as a wifi only device (or possibly pluck the radio roms individually out of the old rom... but I have not tested this method as I'm no longer a Sprint customer).

First get the Maguro versions of the ROM and GAPPS 4.4

http://aokp.co/devices/maguro

Open the zip for the ROM and navigate to the folder: META-INF > com > google > android

Open the file updater-script and save it. Delete the file from the zip. We want to modify this file and remove this assert tag entirely:

assert(getprop("ro.product.device") == "maguro" || getprop("ro.build.product") == "maguro" || abort("This package is for \"maguro\" devices; this is a \"" + getprop("ro.product.device") + "\"."););

Save the file and drag it back into the zip file in the same directory as before.

Flash maguro AOKP ROM and GAPPS like normal.