Apache security headers

A good starting point for Apache security headers:

<IfModule mod_headers.c>
    # Clickjacking protection: only pages from the same origin may frame this site
    Header always set X-Frame-Options "SAMEORIGIN"
    # Legacy header; current browsers ignore it and rely on CSP instead
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expect-CT "max-age=86400, enforce"
    # Feature-Policy is the predecessor of Permissions-Policy; newer browsers read the latter
    Header always set Feature-Policy "\
        geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; \
        magnetometer 'none'; accelerometer 'none'; vr 'none'; \
        speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; \
        microphone 'none'"
    # 'unsafe-inline' and 'unsafe-eval' keep inline scripts working but give
    # little protection against XSS; tighten them once inline code has been moved out
    Header always set Content-Security-Policy "\
        default-src 'self' 'unsafe-inline' data:; \
        font-src 'self' 'unsafe-inline' fonts.gstatic.com data:; \
        style-src 'self' 'unsafe-inline' fonts.googleapis.com; \
        script-src 'self' 'unsafe-inline' 'unsafe-eval';"
    # "*" lets any origin read responses; restrict it if the site serves
    # anything that is not public
    Header always set Access-Control-Allow-Origin "*"
    # Stop browsers from guessing MIME types
    Header always set X-Content-Type-Options nosniff
</IfModule>
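A quick way to verify that a host really sends these headers, added here as an example and not part of the original post: pipe the output of `curl -sI https://host/` into the function below. It also flags the two permissive values in the config above ('unsafe-inline'/'unsafe-eval' in the CSP and the wildcard CORS origin). The sample header block at the end is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original post). Usage: curl -sI https://host/ | audit_headers

# Headers the config above is expected to produce.
WANTED="X-Frame-Options X-XSS-Protection Expect-CT Feature-Policy Content-Security-Policy X-Content-Type-Options"

# audit_headers reads a raw HTTP header block on stdin, prints one line per finding
# and returns the number of findings (0 means everything is present and nothing is weak).
audit_headers() {
    block=$(cat)
    findings=0
    for name in $WANTED; do
        if ! printf '%s\n' "$block" | grep -qi "^$name:"; then
            echo "MISSING $name"
            findings=$((findings + 1))
        fi
    done
    # A CSP that allows 'unsafe-inline' or 'unsafe-eval' does little against XSS.
    if printf '%s\n' "$block" | grep -i '^Content-Security-Policy:' | grep -Eq "unsafe-(inline|eval)"; then
        echo "WEAK Content-Security-Policy allows unsafe-inline/unsafe-eval"
        findings=$((findings + 1))
    fi
    # A wildcard CORS origin lets any site read the responses.
    if printf '%s\n' "$block" | grep -Eqi '^Access-Control-Allow-Origin: *\*'; then
        echo "WEAK Access-Control-Allow-Origin is *"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample response (not captured from a real host). Feature-Policy is left
# out on purpose so the check has something to report.
SAMPLE="HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Expect-CT: max-age=86400, enforce
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff"

printf '%s\n' "$SAMPLE" | audit_headers || echo "$? finding(s)"
```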

Convert a PFX certificate for Apache

This is more or less a hint for myself on how to do it. Maybe it helps you, too.

# Server certificate only (no key, no CA chain)
openssl pkcs12 -in example.com.pfx -clcerts -nokeys -out example.com.crt
# Private key, still protected by a passphrase
openssl pkcs12 -in example.com.pfx -nocerts -out example.com-encrypted.key
# Strip the passphrase so Apache can read the key at startup; keep the file mode 600
openssl rsa -in example.com-encrypted.key -out example.com.key
# Intermediate/root certificates from the bundle
openssl pkcs12 -in example.com.pfx -cacerts -nokeys -out ca-cert.ca

Then in the Apache config:

SSLCertificateFile certs/example.com.crt
SSLCACertificateFile certs/ca-cert.ca
SSLCertificateKeyFile certs/example.com.key
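Before restarting Apache it is worth confirming that the extracted key really belongs to the certificate; a mismatch makes Apache refuse to start. The following is an added example, not from the original post: it builds a throwaway PFX from a constructed self-signed certificate, runs the same extraction steps non-interactively, and compares the public keys. It assumes openssl is installed; the certificate subject and the password "secret" are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is installed.

# key_matches_cert CERT KEY -> status 0 when the public key inside CERT equals the
# public key derived from KEY, 1 otherwise. Both are compared in PEM SPKI form, so
# this works for RSA and EC keys alike and ignores the "Bag Attributes" text that
# pkcs12 writes in front of the PEM blocks.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# demo_pfx_roundtrip: build a throwaway PFX from a constructed self-signed certificate,
# run the post's extraction steps with the password given on the command line, and
# verify the result. Runs in a subshell so the cd does not leak into the caller.
demo_pfx_roundtrip() (
    work=$(mktemp -d) || exit 1
    cd "$work" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.com" \
        -keyout orig.key -out orig.crt 2>/dev/null || exit 1
    # Package it the way a PFX export would, protected by the password "secret".
    openssl pkcs12 -export -in orig.crt -inkey orig.key -out example.com.pfx \
        -passout pass:secret 2>/dev/null || exit 1
    # Same steps as in the post; -passin/-passout replace the interactive prompts.
    openssl pkcs12 -in example.com.pfx -clcerts -nokeys -out example.com.crt \
        -passin pass:secret 2>/dev/null
    openssl pkcs12 -in example.com.pfx -nocerts -out example.com-encrypted.key \
        -passin pass:secret -passout pass:secret 2>/dev/null
    openssl rsa -in example.com-encrypted.key -out example.com.key \
        -passin pass:secret 2>/dev/null
    key_matches_cert example.com.crt example.com.key; rc=$?
    cd / && rm -rf "$work"
    exit $rc
)

demo_pfx_roundtrip && echo "key matches certificate" || echo "MISMATCH: do not deploy"
```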

Marios’ version of Kimchi

This is my version of Kimchi. There are a gazillion versions of Kimchi and this is mine.

Since I'm lazy and don't want to visit a special Asian store, I changed some ingredients to fit what I can buy and still get a similar result.

Paprika powder
Cayenne pepper powder
120g Salt
2 medium sized Onions
4 Garlic cloves
1 thumb sized piece Ginger
1 kg Chinese cabbage
1 tablespoon sugar
2 tablespoons Rice flour
1 small pot
1.5 liter jar with a closing lid
1 Large bowl

Fill the bowl with 2 liters / 8 cups of water and mix in the salt. Stir until the salt is dissolved.
Cut the Chinese cabbage into 1 inch / 2.5 cm pieces. Put it into the bowl and leave it there for 3 to 4 hours.

Chop the onions, the garlic, and the ginger very fine.

The Marinade:

Put 250 ml / 1 cup of cold water into the pot. Stir in the rice flour and the sugar. Cook it for 5 minutes while stirring constantly. Now let it cool. Add paprika powder and cayenne pepper, as much as fits your spice level. Add the chopped ingredients. Mix it well.

After the 3 to 4 hours drain the Chinese cabbage as much as possible. Add the marinade and mix it well with your hands. You might want to use gloves, as it might be too spicy for your hands. Fill the jar with the result. Push it down so that no air bubbles are inside. Leave a space of about an inch / 2.5 cm, otherwise the jar might explode or the juice will come out of the jar. Close the lid. Let it stand in your kitchen or wherever, but keep it away from sunlight. Once a day open the lid and let the fermentation gases out of the jar. Push the Chinese cabbage down so that nothing is floating on the surface. After 3 days see if it is sour enough for you. You can wait up to 5 days. Now put the jar into the fridge. After 7 days in the fridge the Kimchi is ready to eat. Kimchi can be stored up to 3 months in the fridge. The fermentation process will continue in the fridge, but much slower. After you have taken out some of the kimchi to eat, push the rest of it down into the jar. Never use a spoon or anything that has your saliva on it to get something out of the jar; your kimchi would spoil very fast.

Influxdb 2.0 lessons learned

I played a bit with InfluxDB version 2.0.0, the Telegraf client and two of my Raspberry Pis.
On my oldest Pi, a 1 B+, the Telegraf client caused too many performance issues on that lightweight single CPU with 480 MB of usable RAM. So I chose a simple bash script with curl to send the CPU temperature to InfluxDB.

#!/bin/bash
# Unix timestamp in seconds, matching precision=s in the write URL
timestamp=$(date +%s)
# vcgencmd prints e.g. temp=45.0'C
temp=$(vcgencmd measure_temp)
# Strip the trailing 'C so the field is a plain number in line protocol:
# cpu-temperature,host=pihole temp=45.0 <timestamp>
curl -XPOST \
"https://flux.example.com/api/v2/write?org=none&bucket=pihole&precision=s" \
--header "Authorization: Token asas==" \
--data-raw "cpu-temperature,host=pihole ${temp//\'C/} ${timestamp}"
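The same push, as an added example that is not the post's script: the API token is read from a file instead of being embedded in the script, and the line-protocol record is built by a function that refuses a non-numeric reading so a garbled vcgencmd output never reaches the database. The token path /etc/influx-token, the mode check with GNU stat, and the host name are assumptions.

```shell
#!/bin/sh
# Added example, not the post's script. Assumptions: the token is stored in
# /etc/influx-token (mode 0600, owned by the user running this), GNU stat is
# available (Raspberry Pi OS), host and bucket names are the ones from the post.
INFLUX_URL="https://flux.example.com/api/v2/write?org=none&bucket=pihole&precision=s"
TOKEN_FILE="/etc/influx-token"

# line_protocol VCGENCMD_OUTPUT TIMESTAMP -> prints the InfluxDB line-protocol record,
# e.g. "temp=45.0'C" 1700000000 -> "cpu-temperature,host=pihole temp=45.0 1700000000".
# Returns 1 and prints nothing when the reading is not a plain decimal number.
line_protocol() {
    value=${1#temp=}
    value=${value%\'C}
    case $value in
        ''|*[!0-9.]*|*.*.*) return 1 ;;
    esac
    printf 'cpu-temperature,host=pihole temp=%s %s\n' "$value" "$2"
}

# push_temperature: read the sensor, build the record and send it. Meant to be run
# from cron; nothing is sent when the reading is unusable or the token file is
# readable by other users.
push_temperature() {
    record=$(line_protocol "$(vcgencmd measure_temp)" "$(date +%s)") || return 1
    [ "$(stat -c %a "$TOKEN_FILE")" = "600" ] || return 1
    curl -sS -XPOST "$INFLUX_URL" \
        --header "Authorization: Token $(cat "$TOKEN_FILE")" \
        --data-raw "$record"
}
```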

At first I was running influxd by hand. But I didn't want the usual port 9999 of the alpha version exposed, and I also wanted SSL encryption when I log into the backend. Pretty easy with the Apache that is already running on that server.

<VirtualHost *:443>
	ServerName flux.example.com
	DocumentRoot /var/www/empty

	<Directory /var/www/empty>
		Options Indexes FollowSymLinks
		AllowOverride None
		Require all granted
	</Directory>

	ProxyPass / http://localhost:9999/
	ProxyPassReverse / http://localhost:9999/

	SSLEngine on
	SSLCertificateFile  fullchain.pem
	SSLCertificateKeyFile privkey.pem
</VirtualHost>

So far so good. Starting InfluxDB by hand after a reboot or a crash isn't an option, so I created my own systemd service file:

sudo $EDITOR /lib/systemd/system/influxdb2.service

[Unit]
Description=InfluxDB 2.0 service file.
Documentation=https://v2.docs.influxdata.com/v2.0/get-started/
After=network-online.target

[Service]
User=influx
Group=influx
ExecStart=/usr/local/bin/influxd
Restart=on-failure

[Install]
WantedBy=multi-user.target

Do not forget to enable it :D

sudo systemctl enable influxdb2

So far I have made one observation. The Telegraf client does a lot of DNS requests over the network; if I'm not wrong it does one for every request. If you look at the graph you see a big blue line at the bottom. That is the DNS requests from Telegraf. At some point around 20:00 you see a drop; that is where I changed the flush interval to 120 seconds. Later, at around 7:30, I wrote the IP and host name into /etc/hosts and the "noise" was gone. That is something you may want to do on your devices, too, to save some bandwidth and energy.

Zucchini sweet and sour

What you need:
paprika
salt
pepper
white Vinegar
sugar
crème fraiche (if not available use sour cream / heavy cream with at least 50% fat)

500g aka 1 pound minced meat.

1 red bell pepper
1 Zucchini
1 white onion

——

Start with the bell pepper, zucchini and white onion. Cut them into pieces of your choice.
Braise one after the other in a saucepan.
Season with salt, pepper, paprika, 2 – 3 tablespoons of vinegar and half a teaspoon of sugar. Pour in a 1/4 liter (one cup) of water and cook for 15 minutes with the lid on.

Fry 500g mince in a pan. Season with salt, pepper and paprika.

Then add the mince to the pot. Mix in one tablespoon of crème fraiche.

Traveling through time isn’t enough

Some people think traveling through time is easy. It might look that way. But they don't consider that you need to travel through space, too. Wait, why space, too?
Let's start easy. If you want to meet me at work you need 4 dimensions. You might think it is just an address, but it isn't. The first dimension is the street. To make it easy, the street goes from east to west in a straight line. Well, the street is very long. In order to find me you need the house number. That is like drawing another line from north to south (second dimension). If you think that you are able to meet me now, you are WRONG! I work in a skyscraper. You also need the number of the floor. Now you can meet me!? WRONG! You might show up at the correct place, but at the wrong time. You might be there in the night or during my lunch break. So you also need the fourth dimension: time.
When it comes to GPS navigation you need that information twice, because you need to know from where and when you are coming.

Now with time travel it is even worse. You are standing on the earth. It rotates at about ~ 464 m/s. If you try time traveling while visiting me, and miss the correct time by only a split second, you might fall a long way down from the height of the skyscraper. But it doesn't end there. The earth orbits the sun. That is 29.85 m/s of movement in addition to the earth's rotation. Our solar system rotates in our galaxy, the Milky Way. The Milky Way rotates, too. The galaxy is moving through the universe / space. Plus the universe is expanding, and the expansion speed is increasing. Good luck with time traveling! Do the math and meet me in my skyscraper, yesterday! I think this is the point most science fiction authors didn't tell you. So next time you travel through time and space, even if you are very good at math, don't forget your parachute. If you are not so good at math, don't forget your space suit, just in case…

Remember:

  1. The earth rotates
  2. The earth orbits around the sun
  3. The solar system orbits within a rotating galaxy
  4. The galaxy is moving in the universe
  5. The universe is ever expanding. Faster and faster.

CISCO router password recovery

– Attach a terminal or PC with terminal emulation to the console port of the router.
Use these terminal settings:

* 9600 baud rate
* No parity
* 8 data bits
* 1 stop bit
* No flow control
– If you can access the router, type show version at the prompt, and record the configuration register setting. See Example of Password Recovery Procedure in order to view the output of a show version command.
Note: The configuration register is usually set to 0x2102 or 0x102. If you can no longer access the router (because of a lost login or TACACS password), you can safely assume that your configuration register is set to 0x2102.


– Press **Break** (**Ctrl-Break** on Windows XP) on the terminal keyboard within 60 seconds of power up in order to put the router into ROMMON.
– Type **confreg 0x2142** at the rommon 1> prompt in order to boot from Flash. This step bypasses the startup configuration where the passwords are stored.
– Type **reset** at the rommon 2> prompt. The router reboots, but ignores the saved configuration.
– Type **no** after each setup question, or press **Ctrl-C** in order to skip the initial setup procedure.
– Type **enable** at the Router> prompt. You are in enable mode and should see the Router# prompt.
– Type **configure memory** or **copy startup-config running-config** in order to copy the nonvolatile RAM (NVRAM) into memory. **Important**: Do not type **copy running-config startup-config** or **write**. These commands erase your startup configuration.
– Type **show running-config**. The **show running-config** command shows the configuration of the router. In this configuration, the **shutdown** command appears under all interfaces, which indicates all interfaces are currently shut down. In addition, the passwords (enable password, enable secret, vty, console passwords) are in either an encrypted or unencrypted format. You can reuse unencrypted passwords. You must change encrypted passwords to a new password.
– Type **configure terminal**.
– The hostname(config)# prompt appears.
– Type **enable secret <password>** in order to change the enable secret password. For example: hostname(config)#**enable secret cisco**
– Issue the **no shutdown** command on every interface that you use. If you issue a **show ip interface brief** command, every interface that you want to use should display up up.
– Type **config-register <configuration_register_setting>**, where **configuration_register_setting** is either the value you recorded in step 2 or **0x2102**. For example: hostname(config)#**config-register 0x2102**
– Press **Ctrl-z** or **end** in order to leave the configuration mode. The hostname# prompt appears.
– Type **write memory** or **copy running-config startup-config** in order to commit the changes.
