NextCloud and Memcached-APCu

For those of you which update your personal cloud to the lastest stable version of Nextcloud due to CVE (https://www.cert.ssi.gouv.fr/avis/CERTFR-2021-AVI-543/), you could encountered this error :

An unhandled exception has been thrown:
OC\HintException: [0]: Memcache \OC\Memcache\APCu not available for local cache (Is the matching PHP module installed and enabled?)

You could solve the issue :

echo 'apc.enable_cli=1' >> /etc/php/7.x/mods-available/apcu.ini

Have fun.

FreeBSD and fail2ban

Hey,

To go on configuring my FreeBSD server, I install my traditionnal package : “fail2ban”. By the way with Linux distro, apt install fail2ban is enough.

Not now 😀

You must add :

root@pluton:/usr/local/etc/fail2ban/jail.d# cat ssh-ipfw.local 
[ssh-ipfw]
enabled = true
filter = sshd
action = ipfw[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/auth.log
findtime = 600
maxretry = 3
bantime = 3600
root@pluton:/usr/local/etc/fail2ban/jail.d#

And edit action file so that “localhost” is your public IP :

root@pluton:/usr/local/etc/fail2ban/action.d# cat ipfw.conf 
# Fail2Ban configuration file
#
# Author: Nick Munger
# Modified by: Cyril Jaquier
#
#
[...]
# Option:  localhost
# Notes.:  the local IP address of the network interface
# Values:  IP
#
localhost = <YOUR_PUBLIC_IP_ADDRESS>


# Option:  blocktype
# Notes.:  How to block the traffic. Use a action from man 5 ipfw
#          Common values: deny, unreach port, reset
# Values:  STRING
#
blocktype = unreach port
root@pluton:/usr/local/etc/fail2ban/action.d# 

Blog, bsd, apache2, certbot and fun

It was long time ago I used a FreeBSD system. I was really impressed by the way it great evolved. It is easy to add package due to “pkg” tool and “portsnap”.

After :

pkg install apache24 mysql57-server mod_php73 php73-mysqli php73-xml php73-hash php73-gd php73-curl php73-tokenizer php73-zlib php73-zip

I have a really fast install of an HTTP server as I can do with “apt-get”.

I have needed to load some modules by editiing /usr/local/etc/apache24/httpd.conf such as : 

[...]
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
LoadModule php7_module libexec/apache24/libphp7.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
[...]

Some more work width certbot for Let’s Encrypt SSL certificate :

root@ns326804:/usr/ports/security/py-certbot # make install clean
root@ns326804:/usr/ports/security/py-certbot-apache # make install clean
root@ns326804:/usr/ports/security/py-certbot # rehash

I can now install my SSL certificates with :

certbot --apache -d clucas.fr
certbot install --cert-name www.clucas.fr
certbot install --cert-name blog.clucas.fr

I have moved my SQL data to my fresh FreeBSD install and try yo access my blog (it is using wordpress)… It was a FAIL. It lacks some PHP module : 

pkg install php73-json php73-filter php73-ctype

It was some tips. I have not listed all the tasks I have done but only the one I think which can give you some information. By the way I was really pleased to move some of my contents on this fresh-installed FreeBSD server. Lot of fun to do this.

And Voilà you can read this blog’s post now 🙂


July 15, 2021 01:35pm :

Update : Don’t forget to add AllowOverride on your data directory so that mod_rewrite can do his job correctly such as :

    <Directory "/usr/local/www/apache24/data/blog.clucas.fr">
        AllowOverride All
    </Directory>

Long long time ago, blog and FreeBSD…

It was a long long timeago I wrote here. ot of things happens to me but I don’t think it is the time and place to explain it.

This post is about a new experience to me : hosting this blog on FreeBSD machine. I am in love with BSD but don’t use it everyday. Networking&Telco is not an professional area where you can use it or your employer allow you to use it. Damn Windows, Teams, … and his egemony.

I will move this blog from Debian to FreeBSD server. I think it will lot of fun. If I have FreeBSD’s tips or remarks I will post it here. By the way I am currently studying for Cisco’s CCNP SPCOR (350-501) exam. Either I will try to give me a kick in the ass to post more technical posts.

Have fun 🙂

06/06/19 – D-Day

In memory of all the soldiers who paid with their life the cost to peace and democracy in Europe. Please read these words and keep it in mind.

https://lyricstranslate.com/en/n%C3%A9-en-17-%C3%A0-leidenstadt-born-1917-leidenstadt.html

If I 'd been born in 1917 in Leidenstadt
On top of ruins, in a battlefield
Would I have behaved better of worse than those people
If I'd been German?
 
Born into humiliation, hatred and ignorance
Fed on dreams of revenge
Would I have been one of those unlikely beings with a conscience
Like some teardrops in the midst of a flood?
 
If I'd grown up in the docklands of Belfast
Soldier of a faith, of a class
Would I have had the strength to withstand and fight against my Own kind: to betray, to hold out a hand in friendship?
 
If I'd been born white and rich in Johannesburg
Between the power and the fear
Would I have heard the cries carried by the wind?
Nothing will be like it was before.
 
One never knows what one really has in one's guts,
Hidden behind our appearances
The soul of a brave man, an accomplice, an executioner?
The worst or the best?
Would we be one of those who resist or just those who follow like sheep
If it was a question of more than just words?
 
(Refrain)
If I 'd been born in 1917 in Leidenstadt
On top of ruins in a battlefield
Would I have behaved better of worse than those
If I'd been German?

Cisco & IP NAT

Hi,

It’s been a while I have posted a blog entry. A simple tip from IOS 12.4(20) to 12.4(24) and above to use OID “.1.3.6.1.4.1.9.10.77.1.2.3.0” to graph your NAT translations :


R(conf)# ip nat service enable-mib
%NAT: Old NAT-MIB support enabled
R(conf)#

HTH
++Christophe

R.I.P Jieff

You will be for me the guy who wrote this kind of post and talk technology with Remy Card (ext2).

Path: bga.com!news.sprintlink.net!pipex!oleane!univ-lyon1.fr!ensta!itesec!frmug.fr.net!renux.frmug.fr.net!marouchka.gna.org!not-for-mail
From: ji...@marouchka.gna.org (Jean-Francois Monnet)
Newsgroups: fr.comp.os.linux
Subject: Re: LINUX ET E-IDE
Date: 23 Nov 1994 08:43:22 +0100
Organization: Marouchka, A Private Linux Site, France
Lines: 23
Distribution: world
Message-ID: <3aurqq$3mb@marouchka.gna.org>
References: <3asg5c$sp0@imag.imag.fr>
Reply-To: mon...@dir.univ-rouen.fr (Jean-Francois Monnet)
NNTP-Posting-Host: marouchka.gna.org
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Newsreader: TIN [version 1.2 PL2]

Yves Arrouye (arr...@petole.imag.fr) ecrit:

> Tu vas peut-etre pouvoir m'aider : je veux mettre un 3e disque (sur un 2e
> controleur). Mon 2e controleur ne tourne que sur irq 14, mais on peut changer
> les adresses des disques (il en a deux plages). Je n'arrive pas a ce que le
> patch reconnaisse gentiment mon 3e disque, quelque soit la config. Au secours
> ! Help !

	Chez moi, le deuxieme controleur n'a ete bien reconnu qu'a partir
du moment ou j'ai pris le fer a souder et devie la piste IRQ 14 -> IRQ 15,
comme explique dans la doc de l'archive atdisk2-0.9.tgz (ancien patch pour
gerer deux cartes controleur IDE). Je crois que cette doc n'est plus
fournie avec les patches ide-x.x*. Je peux te l'envoyer si tu ne trouves
pas l'archive atdisk. Car, meme avec deux adresses I/O differentes pour les
cartes, l'utilisation de la meme IRQ avec plus de 2 disques peut poser des
problemes.

> (Linux 1.1.64 + ide-2.5.patch-64+)

	Je tourne en 1.1.61 + ide-2.01.patch.61+.gz et ca roule sans pbs pour
l'IDE.
-- 
Marouchka - 76 Rouen

And a great linux kernel programmer (Telsat Turbo), rock’n roll & Nina Hagen fan.



Have fun with luxman…

++Jieff :-/


~Christophe

Site to site IKEv2 tunnel

Hello guys,

Here it is a tips / reminder how to implement an site-ot-site IKEv2 tunnel :

crypto ikev2 proposal aes-cbc-256-proposal 
 encryption aes-cbc-256
 integrity sha1
 group 2
crypto ikev2 policy policy1 
 match address local x.x.x.x
 proposal aes-cbc-256-proposal
crypto ikev2 keyring v2-kr1
 peer abc
  address y.y.y.y
  pre-shared-key somesecretpass
 !
crypto ikev2 profile profile1
 description IKEv2 profile
 match address local x.x.x.x
 match identity remote address y.y.y.y 255.255.255.255 
 authentication local pre-share
 authentication remote pre-share
 keyring v2-kr1

crypto ipsec transform-set myset esp-des esp-md5-hmac 

crypto map mymap 20 ipsec-isakmp 
 set peer y.y.y.y
 set security-association lifetime seconds 27000
 set transform-set ESP-AES-SHA 
 set ikev2-profile profile1
 match address 120

With ACL 120 is your flows / SA and your implement your crypto map on your WAN interface.

bwping patch (catching signals)

diff -urpN bwping/bwping.c bwping-patched/bwping.c
--- bwping/bwping.c     2012-10-11 19:23:17.000000000 +0200
+++ bwping-patched/bwping.c     2017-04-20 09:06:23.449540033 +0200
@@ -26,6 +26,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #ifdef __CYGWIN__
 #include "cygwin.h"
@@ -224,21 +225,39 @@ static int recv_ping (int sock, int iden
         return 0;
     }
 }
+unsigned int   transmitted_number, received_number;
+unsigned long  int received_volume;
+struct timeval begin, end;
+
+void sig_handler(int signo)
+{
+       if (signo == SIGUSR1) {
+                printf("Total: pkts sent/rcvd: %u/%u, volume rcvd: %lu bytes, time: %d sec, speed: %lu kbps, rtt min/max/average: %llu/%llu/%llu ms\n",
+                               transmitted_number, received_number, received_volume, (int)(end.tv_sec - begin.tv_sec),
+                               end.tv_sec - begin.tv_sec?((received_volume / (end.tv_sec - begin.tv_sec)) * 8) / 1000:(received_volume * 8) / 1000,
+                               min_rtt==DEF_MIN_RTT?0:min_rtt, max_rtt, average_rtt);
+               exit(255);
+       }
+}
 
 int main (int argc, char **argv)
 {
     int                    sock, exitval, ch, ident, finish, pktburst, i, n;
-    unsigned int           bufsize, tos, transmitted_number, received_number;
-    unsigned long int      kbps, pktsize, volume, rperiod, received_volume;
+    unsigned int           bufsize, tos;
+    unsigned long int      kbps, pktsize, volume, rperiod;
     unsigned long long int min_interval, interval, current_interval, integral_error;
     char                   *ep, *bind_addr, *target;
     fd_set                 fds;
     struct sockaddr_in     bind_to, to;
     struct hostent         *hp;
-    struct timeval         begin, end, report, start, now, seltimeout;
+    struct timeval         report, start, now, seltimeout;
 
     sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
 
+       if (signal(SIGUSR1, sig_handler) == SIG_ERR)
+               printf("\ncan't catch SIGUSR1\n");
+
+
     if (sock==-1) {
         perror("bwping: socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) failed");

Download : patch-bwping-sig.diff