Raspberry Pi and its Hardware Random Number Generator (RNG)

Due to a Stackoverflow post I got to know that the BCM2708 / BCM2835 contains a Hardware Random Number Generator (RNG). Two blog posts described how to set up this little module; however, they were outdated, as the needed kernel module is now baked directly into the latest 4.x kernel, so /dev/hwrng already exists :).

The only thing left to do is the installation of the rng-tools, which is easy as pie:

sudo apt-get update
sudo apt-get install -y rng-tools

After that, we also need to point rng-tools to the right source, by adding

HRNGDEVICE=/dev/hwrng

to /etc/default/rng-tools (need root rights for that :))

After that, the service can be restarted and used:

sudo service rng-tools restart

PS: This RNG seems to be available on all other RPis as well, not only RPi 1 🙂
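As an added example (not from the original post), here is a small script that checks the device is there, sets HRNGDEVICE in the defaults file without hand-editing, and does a rough sanity check on the bytes the device produces. It assumes the Raspbian layout (/dev/hwrng, /etc/default/rng-tools as a KEY=VALUE shell fragment) and the hw_random sysfs entry.

```shell
#!/bin/sh
# Added example, not from the original post: check that the Pi's hardware RNG
# is there, point rng-tools at it and smoke-test what the device produces.
# Assumes /dev/hwrng and /etc/default/rng-tools as a KEY=VALUE shell fragment.

# Set HRNGDEVICE in a rng-tools defaults file; idempotent (replaces an active
# line, otherwise appends; commented examples are left alone).
set_hrngdevice() {              # $1 = defaults file, $2 = device (default /dev/hwrng)
    conf="$1"; dev="${2:-/dev/hwrng}"
    touch "$conf"
    if grep -q '^HRNGDEVICE=' "$conf"; then
        sed "s|^HRNGDEVICE=.*|HRNGDEVICE=$dev|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'HRNGDEVICE=%s\n' "$dev" >> "$conf"
    fi
}

# Print the effective HRNGDEVICE value (last assignment wins, as in sh).
get_hrngdevice() {
    sed -n 's/^HRNGDEVICE=//p' "$1" | tail -n 1
}

# Rough monobit check: fraction of 1 bits in the first N bytes of a file or
# device, about 0.500 for a healthy RNG. Only a smoke test; the FIPS 140-2
# tests live in rngtest, also from rng-tools:  rngtest -c 1000 < /dev/hwrng
ones_ratio() {                  # $1 = file or device, $2 = bytes to read (default 4096)
    head -c "${2:-4096}" "$1" | od -An -v -tu1 |
    awk '{ for (i = 1; i <= NF; i++) { v = $i; n++
               while (v > 0) { ones += v % 2; v = int(v / 2) } } }
         END { if (n) printf "%.3f\n", ones / (8 * n) }'
}

# Is the kernel driver present, and which RNG does it currently use?
check_hwrng() {                 # $1 = device (default /dev/hwrng)
    dev="${1:-/dev/hwrng}"
    [ -c "$dev" ] || { echo "no character device $dev, kernel RNG driver missing?" >&2; return 1; }
    cur=/sys/class/misc/hw_random/rng_current
    [ -r "$cur" ] && echo "rng_current: $(cat "$cur")"
    echo "ones ratio of first 4 KiB: $(ones_ratio "$dev")"
    echo "entropy_avail: $(cat /proc/sys/kernel/random/entropy_avail)"
}

if [ "$#" -gt 0 ]; then         # usage: sudo ./hwrng-setup.sh /etc/default/rng-tools
    check_hwrng && set_hrngdevice "$1" && service rng-tools restart
fi
```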


Other articles:

http://scruss.com/blog/2013/06/07/well-that-was-unexpected-the-raspberry-pis-hardware-random-number-generator/

http://fios.sector16.net/hardware-rng-on-raspberry-pi

How to run pi-hole in a Docker container

Pihole is an awesome little DNS Server with Blacklists for Ad Sites and the ideal tool to install a small and powerful ad filter for the whole network (Intro Video here).

As diginc designed a Docker image around the Pihole server (which normally runs on a RPi :)) - and made it x86, you can also run it on your normal home server :)!

Important things just before we start: The Docker container needs to bind to ports 53 (DNS) and 80 (HTTP) - so, if you need to run your own DNS, that could interfere. If you need port 80 for some other website, you'll have to set up a reverse proxy.

To make the setup easier, I wrote a little docker-compose.yml:

pihole:
  restart: unless-stopped
  container_name: pihole
  image: diginc/pi-hole:alpine
  volumes:
    - /var/pihole:/etc/pihole
  environment:
    - ServerIP=YOURLANIPHERE
  cap_add:
    - NET_ADMIN
  ports:
    - "53:53/tcp"
    - "53:53/udp"
    - "80:80"

You'll need to change YOURLANIPHERE to the IP address of your server's LAN interface - and you'll need to create the folder /var/pihole and make it writable for your Docker user.

sudo mkdir /var/pihole
sudo chown -R MYLINUXUSER:MYLINUXUSER /var/pihole
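Before starting the container it is worth checking that nothing on the host already listens on 53 or 80 (a local resolver on 53 is the usual culprit), otherwise the port bindings fail. The following pre-check is an added example, not part of the post or of Pi-hole; it parses the output of ss -ltnu and assumes its usual column layout (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port).

```shell
#!/bin/sh
# Added example (not from the post): find host listeners on the ports the
# pihole container needs, so docker-compose up does not fail on the bindings.

# stdin: "ss -ltnu" output (header optional); args: ports to look for.
# Prints "proto local-address:port" for every matching listener.
listeners_on() {
    awk -v want="$*" '
        BEGIN { n = split(want, p, " "); for (i = 1; i <= n; i++) ports[p[i]] = 1 }
        $1 == "Netid" { next }                       # header line
        { addr = $5; port = addr; sub(/.*:/, "", port) # works for 1.2.3.4:53, [::]:80, *:80
          if (port in ports) print $1, addr }
    '
}

# 0 when 53 (tcp+udp) and 80 are free on the host, 1 with a listing otherwise.
check_pihole_ports() {
    command -v ss >/dev/null 2>&1 || { echo "ss(8) not found, cannot check ports" >&2; return 1; }
    busy=$(ss -ltnu 2>/dev/null | listeners_on 53 80)
    [ -z "$busy" ] && return 0
    printf 'ports already taken on the host:\n%s\n' "$busy" >&2
    return 1
}

if [ "$#" -gt 0 ]; then    # usage: ./pihole-precheck.sh run   (before docker-compose up -d)
    check_pihole_ports && echo "ports 53 and 80 are free"
fi
```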

After that, we can start the service via docker-compose up -d.

You'll have access to the web interface of pihole at YOURLANIPHERE/admin

However, this interface is NOT protected - so we'll do this now:

docker exec -it pihole /bin/bash
# create an password protection for your pihole web interface
pihole -a -p somepasswordhere
# You can also remove the password by not passing an argument.
pihole -a -p

Also, pihole creates a lot of log files, which should be removed from time to time; the block lists should be updated and pihole itself should be updated. This can also be achieved via a cron file, available here.

# [...]

# Your container name goes here:
DOCKER_NAME=pihole
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Pi-hole: Update the ad sources once a week on Sunday at 01:59
#          Download any updates from the adlists
59 1    * * 7   root    PATH="$PATH:/usr/local/bin/" docker exec $DOCKER_NAME pihole updateGravity > /dev/null

# Update docker-pi-hole by pulling the latest docker image and re-creating your container.
# pihole software update commands are unsupported in docker!
30 2    * * 7   root    PATH="$PATH:/usr/local/bin/" docker exec $DOCKER_NAME pihole updatePihole > /dev/null

# Pi-hole: Flush the log daily at 00:00 so it doesn't get out of control
#          Stats will be viewable in the Web interface thanks to the cron job above
00 00   * * *   root    PATH="$PATH:/usr/local/bin/" docker exec $DOCKER_NAME pihole flush > /dev/null

I actually just opened my cron with crontab -e and entered the last lines there - so that should work. (Note that the lines above are in /etc/cron.d format with the root user column; a per-user crontab has no user column, so drop the root field there.) You can now test your new ad blocker by entering the IP of your server as DNS on your clients - and if you're happy with it, just replace the DNS server entry on your DHCP server with that IP to roll out pihole to your complete network :).


More Info:

https://github.com/diginc/docker-pi-hole

https://discourse.pi-hole.net/t/how-do-i-set-or-reset-the-web-interface-password/1328

https://www.reddit.com/r/pihole/comments/5rudb3/running_pihole_in_a_docker_container/

[Keybase.io] Add another E-Mail to your Keybase.io Public Key

Keybase.io is awesome!

But the problem was, you could not really use it for email, nor sign your Github commits, as keybase only entered a non-existent email into the public key (yourname@keybase.io). But - you can change that :). You'll need to have GNU PGP / GPG installed.

Download Private and Public Key from Keybase.io (edit Button next to Key on Profile, Export my Private Key, Key Checksum for Export of Public Key)

gpg --allow-secret-key-import --import keybase-private.key
gpg --import keybase-public.key
gpg --edit-key myname@keybase.io

then in the gnupg ‘shell’:

gpg> adduid
Real name: Full Name
Email address: myname@mymail.com
Comment: <canbeleftempty,just enter>

You'll need to enter your Key to allow the changes.

Stay in the gpg shell and do the following to trust yourself (maybe not necessary):

uid myname@mymail.com
trust
5
y
save

Export your newly generated public key:

gpg --armor --export myname@mymail.com

Upload to Github for Sign (New GPG key): https://github.com/settings/keys

Upload Public Key to Keybase: https://keybase.io/myname (edit, Update my key)

You can now sign on Github with:

git commit -S -m "signed commit"
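GitHub only shows a commit as "Verified" when the committer e-mail matches a uid on the uploaded key, so it pays to let git sign with exactly the key that now carries the new uid. The script below is an added example (not from the post): it pulls the primary-key fingerprint for a given uid e-mail out of gpg's colon output (gpg 2.1 format assumed; the fingerprints and uids in the test are made up) and prints the git settings to use.

```shell
#!/bin/sh
# Added example, not from the original post: after "adduid", find the key
# that carries the e-mail and wire git up to sign with it.

# Print the primary-key fingerprint of the first non-revoked uid containing
# <email>. stdin: gpg --list-secret-keys --with-colons --with-fingerprint
fpr_for_email() {           # $1 = e-mail (case-insensitive)
    awk -F: -v email="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        $1 == "sec" || $1 == "pub" { fpr = ""; next }   # new key: forget old fpr
        $1 == "fpr" && fpr == ""   { fpr = $10; next }  # first fpr = primary key, later ones are subkeys
        $1 == "uid" && $2 != "r" && index(tolower($10), "<" email ">") {
            print fpr; exit                             # $2 == "r" would be a revoked uid
        }'
}

# Emit the git settings for signing every commit with that key.
git_signing_config() {      # $1 = fingerprint
    printf 'git config --global user.signingkey %s\n' "$1"
    printf 'git config --global commit.gpgsign true\n'
}

# 0 if the committer e-mail git will use equals the uid e-mail, else 1.
committer_matches() {       # $1 = uid e-mail, $2 = git user.email
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

if [ "$#" -eq 1 ]; then     # usage: ./keybase-sign.sh myname@mymail.com
    fpr=$(gpg --list-secret-keys --with-colons --with-fingerprint | fpr_for_email "$1")
    [ -n "$fpr" ] || { echo "no secret key has a uid with $1" >&2; exit 1; }
    committer_matches "$1" "$(git config user.email)" ||
        echo "warning: git user.email differs from $1, GitHub will show the commit as unverified" >&2
    git_signing_config "$fpr"
fi
```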


Infos taken from:

http://superuser.com/questions/293184/one-gnupg-pgp-key-pair-two-emails

https://blog.ochronus.com/signing-your-github-commits-with-your-keybase-io-account-7bf3efe04a10#.eqcmjf4cl

http://stackoverflow.com/questions/22136029/how-to-display-gpg-key-details-without-importing-it

[Ubuntu] Use Molly-Guard to stop shooting your own leg

If you're working on some dozens of Linux servers (or even more than 100, as in my case), you end up doing administration via SSH - which is the way to go. And chances are that you'll have dozens of SSH connections open in dozens of tabs, you did some updates on some of those servers and want to restart this thing with a quick sudo reboot now...
I won't lie if I say it happened more than once that I accidentally rebooted the wrong server - at least that was the case more than a year ago.
For the last year, since I have been using Molly-Guard, that did not happen once. Why? Because Molly-Guard stops the reboot command if it detects that you're issuing it from an SSH session - and asks for the server name. If you enter it correctly, it will reboot. If you're in a frenzy, doing your "sudo reboot now" and enter the name serverB while you're on serverA - yep, Molly-Guard will stop you from shooting yourself in the leg. Neat, ain't it?

Oh - and the best part? Ease of use: sudo apt-get install molly-guard
Thats it, you're set, bye.

Nope. Really. No configuration needed. Just install that baby and be safe :)!

[Ubuntu] Radsecproxy for secure Radius over WAN

Chances are you are going to need RADIUS auth over WAN - because your RADIUS and identity management is hosted in the security of the local datacenter of your corp... but the client (i.e. a network switch) is somewhere over the rainbow WAN. You *could* just pipe the RADIUS traffic over the internet - but there be dragons: RADIUS communication is unencrypted. So... just no.

Enter radsecproxy: Radsecproxy is - as the name implies - a RADIUS proxy, which needs to be installed on both servers (the local one in your company, from now on called SERVER, and the remote one with the switch attached, from now on called CLIENT) - and encrypts the communication between both parts (i.e. over the WAN) via TLS.

1.) Install radsecproxy on Server ( sudo apt-get install radsecproxy )
2.) Create CA with generate-CA.sh (in /etc/radsecproxy/) [ https://github.com/owntracks/tools/blob/master/TLS/generate-CA.sh - please change keybits to 4096 bits, thanks! ]
3.) Create Certs (Server, Client) with generate-client.sh (in /etc/radsecproxy/) [ at the end of this post, http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt - please change keybits to 4096 bits as well! 🙂 ]
4.) Configure /etc/radsecproxy.conf [UPPERLETTERS are constants which you need to change]

# Master config file for radsecproxy
sourceTLS IPADDR_OF_SERVER
listenTLS IPADDR_OF_SERVER:2083

LogLevel 3
LogDestination file:///var/log/radsecproxy/radsecproxy.log

LoopPrevention on

tls default {
CACertificateFile /etc/radsecproxy/ca.crt
CertificateFile /etc/radsecproxy/SERVER_NAME_FQDN.crt
CertificateKeyFile /etc/radsecproxy/SERVER_NAME_FQDN.key
}

client CLIENT_NAME {
host IPADDR_OF_CLIENT
type tls
certificatenamecheck off
secret PW_OF_CLIENT_RADSEC
}

server SERVER_NAME_auth {
host IPADDR_OF_SERVER:1812
type udp
StatusServer on
secret PW_OF_SERVER_FOR_RADIUS
}

server SERVER_NAME_acct {
host IPADDR_OF_SERVER:1813
type udp
StatusServer on
secret PW_OF_SERVER_FOR_RADIUS
}

realm * {
server SERVER_NAME_auth
accountingserver SERVER_NAME_acct
}

# example config for localhost, rejecting all users
client 127.0.0.1 {
type udp
secret TEST_SECRET
}

realm * {
replymessage "User unknown"
}

5.) sudo service radsecproxy restart

6.) Install radsecproxy on Client ( sudo apt-get install radsecproxy )
7.) Copy client cert and ca.crt to Client /etc/radsecproxy
8.) Configure /etc/radsecproxy.conf [UPPERLETTERS are constants which you need to change]

#sourceUDP 127.0.0.1
sourceUDP IPADDR_OF_CLIENT
listenUDP *:1812
listenUDP *:1813

LogLevel 3
LogDestination file:///var/log/radsecproxy/radsecproxy.log

LoopPrevention on

tls default {
CACertificateFile /etc/radsecproxy/ca.crt
CertificateFile /etc/radsecproxy/CLIENT_NAME_FQDN.crt
CertificateKeyFile /etc/radsecproxy/CLIENT_NAME_FQDN.key
}

client CLIENT_NAME {
#host 127.0.0.1
host IPADDR_OF_CLIENT
type udp
secret CLIENT_RADIUS_SECRET
}

client SWITCH_NAME {
host SWITCH_IP
type udp
secret SWITCH_RADIUS_SECRET
}

server SERVER_NAME {
certificatenamecheck off
host IPADDR_OF_SERVER
type tls
StatusServer on
secret PW_OF_CLIENT_RADSEC
}

realm * {
server SERVER_NAME
accountingserver SERVER_NAME
}

# example config for localhost, rejecting all users
client 127.0.0.1 {
type udp
secret TEST_SECRET
}

realm * {
replymessage "User unknown"
}

9.) sudo service radsecproxy restart
10.) If you now point your switches to the CLIENT_IP with the correct credentials, the requests should go via radsecproxy to your main RADIUS server and authentication should work. Please note that on your CLIENT site no radiusd daemon may run, as it would block the ports needed for radsecproxy / RADIUS. Use the radsecproxy log files to see whether the two radsecproxy instances connect and talk to each other :).
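Two things in the configs above are easy to get wrong and silent at runtime: radsecproxy uses the first realm block that matches, so a second "realm *" (like the "User unknown" one) never fires, and "certificatenamecheck off" means any certificate issued by the CA is accepted for that peer, not just the one for the configured host. The lint below is an added example, not part of the post or of radsecproxy; it assumes the layout used above (one "kind name {" line per block, one option per line, "}" alone on a line).

```shell
#!/bin/sh
# Added example (not from the post or radsecproxy): lint a radsecproxy.conf
# for shadowed realm blocks, disabled certificate name checks and non-TLS
# peers without a secret. Prints one finding per line; exit 1 on findings.
lint_radsec_conf() {        # $1 = path to radsecproxy.conf
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        $0 == "" { next }
        $NF == "{" {                                     # block start: kind name {
            kind = tolower($1); name = $2; has_secret = 0; type = ""
            # realms are tried in file order and the first match wins
            if (kind == "realm" && seen[name]++)
                flag("realm " name " redefined; only the first block is used")
            next
        }
        $0 == "}" {                                      # block end
            if ((kind == "client" || kind == "server") && type != "tls" && type != "dtls" && !has_secret)
                flag(kind " " name ": non-TLS transport needs an explicit secret")
            kind = ""; next
        }
        kind != "" {                                     # option inside a block
            key = tolower($1); val = tolower($2)
            if (key == "secret") has_secret = 1
            if (key == "type") type = val
            if (key == "certificatenamecheck" && val == "off")
                flag(kind " " name ": certificatenamecheck off, any cert signed by the CA is accepted for this peer")
        }
        function flag(msg) { print FILENAME ":" FNR ": " msg; findings++ }
        END { if (findings > 0) exit 1; exit 0 }
    ' "$1"
}

if [ "$#" -gt 0 ]; then     # usage: ./radsec-lint.sh /etc/radsecproxy.conf && sudo service radsecproxy restart
    lint_radsec_conf "$1"
fi
```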

[Ubuntu] Letsencrypt with Apache and Freeradius

This little tutorial describes how to use Letsencrypt with Apache, Freeradius and Auto-Renewal of the Certificates.

#Install Letsencrypt
sudo apt-get update
sudo apt-get install git
cd /opt
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt

#Become root
sudo su

#"Order" certificates (replace SERVERDOMAIN.COM with the DNS of your Server!)
./letsencrypt-auto --apache -d SERVERDOMAIN.COM --rsa-key-size 4096
Enter Contact Mail: mail@SERVERDOMAIN.COM
Configuration Type: Secure #is best, as it redirects insecure http to https

#Read PATH variable
echo $PATH

#Cronjob for certificate renewal
#you should under all circumstances replace the string following PATH= with your own, as read with the command above.
#Separate with ; from the rest of the command like shown in the example
crontab -e

#letsencrypt
30 2 * * 1 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games;/opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/freeradius restart
35 2 * * 1 /etc/init.d/apache2 restart

#Configure Freeradius
cp -r /etc/freeradius/certs/ /etc/freeradius/certs_bkp
rm /etc/freeradius/certs/*.pem
cp /etc/freeradius/eap.conf /etc/freeradius/eap.conf_bkp

vi /etc/freeradius/eap.conf

#certdir = ${confdir}/certs
#cadir = ${confdir}/certs
certdir = /etc/letsencrypt/live/SERVERDOMAIN.COM
cadir = /etc/letsencrypt/live/SERVERDOMAIN.COM
#dh_file = ${certdir}/dh
dh_file = ${confdir}/certs/dh
#private_key_password = whatever
private_key_file = ${certdir}/privkey.pem
certificate_file = ${certdir}/cert.pem
CA_file = ${cadir}/fullchain.pem

#Configure access rights on /etc/letsencrypt
cd /etc/letsencrypt/
chgrp -R ssl-cert archive csr keys live options-ssl-apache.conf renewal # set group of cert/key dirs to ssl-cert
find . -type d -exec chmod g+xs {} \; # directories executable and setguid (set group ssl-cert for new files/dirs)
find . -type f -exec chmod g+r {} \; # files readable

#Restart Freeradius
service freeradius stop
service freeradius start

Additional infos: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

[Ubuntu] Networked UPS with apcupsd, APC 750 and Windows

Due to some serious power outages, I had to install a UPS at the office of one client. It is a rather small setup: one low-power Ubuntu server, one laptop with one TFT screen, one i3 desktop with two TFT screens, one network switch. All in all, about 400 VA. I had an old APC Smart-UPS 750 VA at hand and used it.
The idea was to connect the UPS via USB directly to the server and hook laptop and desktop to that server via the network. As soon as the server detects that the whole power grid went offline, all PCs should shut down automatically: enter apcupsd.

Power installation:
Connect the UPS input to the power grid, connect the UPS out to your PCs. NEVER CONNECT ANY LASER PRINTER TO THAT OUTPUT!
Power up the UPS.

Server installation:
Connect the UPS USB Port to the Server.
Install apcupsd:
sudo apt-get install apcupsd
Configure apcupsd:
sudo vi /etc/apcupsd/apcupsd.conf
In my case I configured that settings:

UPSNAME blaUPS # How you want to name your ups
UPSCABLE smart # in my case, it is a smart cable
UPSTYPE usb # on usb
POLLTIME 60 # poll ups every 60 seconds
ONBATTERYDELAY 10 # delay alarm for 10 seconds
BATTERYLEVEL 10 # on less than 10 percent battery level shutdown server
MINUTES 3 # on less than 3 minutes battery runtime shutdown server
NETSERVER on # activate network server
NISIP 0.0.0.0 # allow access from all nics
NISPORT 3551 # default port for network server

Allow port 3551, tcp through iptables!

Restart apcupsd:
sudo service apcupsd restart

Give status of current apcupsd session:
sudo service apcupsd status

Client installation on Windows:
Download the latest version for Windows (e.g. winapcupsd-3.14.13.exe); you only need the apcupsd service and tray applet.
Leave everything on default on setup and configure apcupsd.conf

UPSNAME blaUPS # How you want to name your ups
UPSCABLE ether # network to server
UPSTYPE net # on network
DEVICE IP:3551 # for IP, enter the IP of the server
POLLTIME 15 # poll ups every 15 seconds
ONBATTERYDELAY 10 # delay alarm for 10 seconds
BATTERYLEVEL 20 # on less than 20 percent battery level shutdown client
MINUTES 3 # on less than 3 minutes battery runtime shutdown client
NETSERVER on # activate network server
NISIP 127.0.0.1 # allow access only from localhost

And that's it 🙂

[Windows/Ubuntu] Install chromeIPass: KeePass2 to Chromium Password Management

This post is outdated, the plugin in question does not exist anymore. I would recommend using the "Kee" (https://www.kee.pm/) plugin - but please as a bridge to KeePass Password Safe 2 - and not in its own database mode 🙂

I really loved KeeFox, a cool tool which lets you use KeePass2 as password safe for your Firefox passwords.
But today I use Chrome - so no KeeFox for me anymore. And I really do not like the "Synchronize Password" feature of Google.
So... chromeIPass it is ;)!

Windows:
( from http://diantokam.blogspot.de/2013/12/integrating-keepass-2-with-chrome.html )
1.) Install Chrome and KeePass2 ( http://keepass.info/download.html )
2.) Download KeePassHttp.plgx from the Github Repo: https://github.com/pfn/keepasshttp/blob/master/KeePassHttp.plgx?raw=true
3.) Move the KeePassHttp.plgx to the C:\Program Files (x86)\KeePass Password Safe 2\ folder
4.) Start KeePass2
5.) Install the Chrome Plugin: https://chrome.google.com/webstore/detail/chromeipass/ompiailgknfdndiefoaoiligalphfdae
6.) Click on the new KeePass icon in Chrome, click on Connect and check KeePass, which should ask for a "New Key Association" - aka pairing of Chrome with KeePass2. Give it a unique key name, like Chrome Windows Main PC - and click Save.
7.) Go to a password protected website - a pop-up from KeePass2 should ask whether it is allowed to give the already saved credentials to Chromium. Allow it.

Ubuntu:
( from http://askubuntu.com/questions/130627/how-to-integrate-keepass-and-chrome-chromium-using-chromipass )

Hint: As correctly pointed out by "H.R." in the comments, it is not recommended to install software from an untrusted source, like jtaylor's keepass PPA. It is correct that jtaylor does not seem to be part of the keepass2 team, hence his PPA is flagged as outside of keepass and "untrusted" - however, his PPA is linked and recommended by the keepass team for installation on Ubuntu. You can always build the program from source code yourself, which I will not describe here, since this post is over 4 years old and no longer applicable, as the Chromium Password Manager does not even exist anymore.

1.) Install Chromium and KeePass2:
sudo apt-add-repository ppa:jtaylor/keepass
sudo apt-get update
sudo apt-get install keepass2 mono-complete chromium
2.) Download KeePassHttp.dll and Newtonsoft.Json.dll from the Github Repo: https://github.com/pfn/keepasshttp/blob/master/mono/KeePassHttp.dll?raw=true
https://github.com/pfn/keepasshttp/blob/master/mono/Newtonsoft.Json.dll?raw=true
3.) Move both files to /usr/lib/keepass2
cd ~/Downloads
sudo mv KeePassHttp.dll /usr/lib/keepass2/
sudo mv Newtonsoft.Json.dll /usr/lib/keepass2/
4.) Start KeePass2
5.) Install the Chrome Plugin: https://chrome.google.com/webstore/detail/chromeipass/ompiailgknfdndiefoaoiligalphfdae
6.) Click on the new KeePass icon in Chrome, click on Connect and check KeePass, which should ask for a "New Key Association" - aka pairing of Chrome with KeePass2. Give it a unique key name, like Chrome Windows Main PC - and click Save.
7.) Go to a password protected website - a pop-up from KeePass2 should ask whether it is allowed to give the already saved credentials to Chromium. Allow it.

Letsencrypt - Now secured

Hello there,

now that finally the Letsencrypt.org project is alive, I secured this blog with an SSL certificate (yes, it was about time!).
I already participated in the closed beta and secured about 5 websites (among them some RPis, of course!) and privately hosted embedded devices.
Worked like a charm :)!
If you want to find out more about this awesome project or secure your website - go to https://letsencrypt.org/.
Let's encrypt all the things :)!

Open-source / private Evernote alternative: Paperwork

I use tools like Google Keep and Evernote from time to time to manage my pile of recipes, data and "knowledge" (whatever that'd be ;)). However, I don't feel really comfortable with them and looked for alternatives. There are certain plugins for ownCloud, however, these are basically text editors at best... Never liked that idea. So I came across Paperwork: http://paperwork.rocks/.
Truth being told: It is still in development. It is as bleeding edge as it gets. Sharp as a knife. And yes - I forgot to do backups of my (until then not used) database and lost a lot of data on a simple update... (Yep, the reason why I introduced you to automysqlbackup some days ago...).
But at the moment, it is working very well and I like it very much. I think it will become a really great tool :)!