Linux

Debian

Patch OpenSSH Only

apt install --only-upgrade  openssh-client openssh-server openssh-sftp-server

Time Zone

timedatectl set-timezone Europe/Zurich

-> set symlink: /etc/localtime -> ../usr/share/zoneinfo/Europe/Zurich

Fix Sudo Stuff

use ‘sudo -i’ and keep SSH_AUTH_SOCK if set

apt update
apt install sudo
usermod -aG sudo stoege
echo "Defaults env_keep+=SSH_AUTH_SOCK" > /etc/sudoers.d/ssh_auth_sock
echo "%sudo ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/group_sudo_nopass

Any Comments ?

sha256: 7e5018c28bea4357e2f6703ec2876e92798e020801a61e46d6e3698151bc5a38

Mikrotik

Some Commands for Mikrotik NewBees

Quick Guide - CCR2004-1G-12S+2XS

CCR2004-1G-12S+2XS - User Manual

MikroTik wired interface compatibility

Copper SFP (not able todo Auto Negotiation)

/interface/ethernet/set sfp-sfpplus1 auto-negotiation=no

Update Packages

/system package update check-for-updates
/system package update install
reboot

Upgrade Firmware

/system routerboard print
/system routerboard upgrade
/system reboot; 

Reset Config

/system/reset-configuration
  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 7.10.1 (c) 1999-2023       https://www.mikrotik.com/

Press F1 for help

-------------------------------------------------------------------------------
The following default configuration has been installed on your router:

Welcome to RouterOS!
   1) Set a strong router password in the System > Users menu
   2) Upgrade the software in the System > Packages menu
   3) Enable firewall on untrusted networks
-----------------------------------------------------------------------------
LAN:
    IP on ether1:    192.168.88.1/24;

-------------------------------------------------------------------------------
You can type "v" to see the exact commands that are used to add and remove
this default configuration, or you can view them later with
'/system default-configuration print' command.
To remove this default configuration type "r" or hit any other key to continue.
If you are connected using the above IP and you remove it, you will be disconnected.

Initial Config

/interface bridge add name=local
/interface bridge port add interface=ether2 bridge=local
/ip address add address=192.168.88.1/24 interface=local

Backup Config

# show full Config
export

# show non defaults
export compact

# show non defaults, hide sensitive stuff
export compact hide-sensitive

# write config to myconfig
export compact hide-sensitive file=myconfig

Any Comments ?

sha256: 4cffb5ddbd4d0059c71e311bc75a67839be888f15291cec9ac6d0c24478fffdd

Git - Mass Updater

Intro

Let’s assume you have a bunch of GIT Repos in a Folder like this:

/project1/
    /repo1/
    /repo2/
    /repoN/

and you would like to update all of them ? here a little helper.

  • Loop over all Folders
  • check if ‘.git’ exists
  • if so, do a git pull –all

Script

Copy/Paste it to your Terminal and you get a executable Script called ‘git_update_all.sh’.

cat << 'EOF' > git_update_all.sh
#!/usr/bin/env bash

# Get the current script directory
script_dir=$(dirname "$(readlink -f "$0")")

# Change into each directory in the script folder
for dir in "$script_dir"/*; do

    if [ -d "$dir" ]; then

        cd "$dir" || exit 1

        if [ -d ".git" ]; then

            echo "Updating Git repository in $dir"
            git pull --all

        else

            echo "Skipping $dir - not a Git repository"

        fi

        cd "$script_dir" || exit 1

    fi

done

echo "Git update for all repositories completed."
EOF

# make it executable
chmod u+x git_update_all.sh

Usage

and then run it, like it, use it :)

Debian - MinIO

Minio on Debian

Need some S3 Storage for Reasons ? Here a few Lines, how to Setup and enable TLS.

Install Minio

login as root for the whole installation. Or use sudo/doas if preferred.

Upgrade you Box

apt update && apt upgrade -y

reboot if needed

add User

Let’s add User as we don’t wanna run it as root

useradd -r minio-user -s /sbin/nologin

Get Minio

Download, set execute permission and move it

Jetporch - Jet

Intro

did you ever heared of Jetporch, short Jet ? Don’t worry, you’re not the only one ;) Jet Project of Jet is being led by Michael DeHaan, the original creator of Ansible. So, expect something like Ansible, faster, written in rust … same same, but different.

Installation on Debian 12

grab a fresh machine and patch it

export DEBIAN_FRONTEND=noninteractive
apt-get clean
apt-get autoclean
apt-get update -y
apt-get upgrade -yq
apt-get dist-upgrade -yq
apt-get autoremove -y

Install Rust from Source

jet needs rustc 1.64. Debian install 1.63 from packages :(

Debian behind TLS Proxy

Behind Corp Proxy

let’s assume you’re behing a Corp Proxy which enforce TLS Inspection, you don’t have the Proxy Cert and you want to Upgrade your Boxes …

… and of course, you do this in the LAB and for Research only and not your Productiv Environment!

TLS Inspection enabled

apt-get upate
W: Failed to fetch https://packages.sury.org/php/dists/bookworm/InRelease  Certificate verification failed: The certificate is NOT trusted.
The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: xx.xx.xx.xx yyyy]

Disable TLS Check

touch /etc/apt/apt.conf.d/99verify-peer.conf
echo >>/etc/apt/apt.conf.d/99verify-peer.conf "Acquire { https::Verify-Peer false }"

Update

apt-get update
apt-get upgrade

Any Comments ?

sha256: 40c39ed441b4690a8644cd63bfd2e6987f06a70c4f922eca14de5dcc27d4fb35

Restricted Shell

Restricting User to Script

Let’s assume you have some Users around and they should be able to run certain Scripts. These Scripts do various things, login to some systems, perform task, get data from an API, whatever you want. All these Actions needs Credentials which must be available to the script, although they are not part of the Script. They could be Provides via OS Env, .env File, Encrypted Password Store or whatever. But if the Script is able to access these Credentials, a logged in User would could access it also.

Docker - IPv6

got Docker running with Traefik as ingress Loadbalancer ?

Just enable IPv6 like this.

daemon.json

cat << EOF > /etc/docker/daemon.json
{
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8:1::/64"
}
EOF

Restart Services

systemctl reload docker

Check Netstat

# netstat -tulpen |grep docker
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          15788      977/docker-proxy    
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          17495      952/docker-proxy    
tcp6       0      0 :::80                   :::*                    LISTEN      0          15791      984/docker-proxy    
tcp6       0      0 :::443                  :::*                    LISTEN      0          15773      963/docker-proxy 

Any Comments ?

sha256: 49c4ced1a834b70c143c7425e72ea72982f07f8d1a3e0a8fce9f08f14d3f7da6

Debian 12

Debian 12 is here !

you may find some of my Posts about Debian useful

Upgrade Script

assuming you have Debian 11.x running

cat << 'EOF' > /root/upgrade_to_v12.sh
#!/usr/bin/env bash

# set Version
sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list
sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list.d/*

# Update
apt-get -y update
apt-get -y upgrade
apt-get -y dist-upgrade
apt autoclean
apt autoremove
apt --purge autoremove

# you may add/update -> /etc/apt/sources.list
# deb http://security.debian.org/debian-security/ bookworm-security main
# deb-src http://security.debian.org/debian-security/ bookworm-security main

exit 0
EOF

chmod u+x /root/upgrade_to_v12.sh

Run

run the script and wait a few minutes …

Docker - Swarm

Setup

Let’s assume we have 3 Nodes in a Docker Swarm Setup.

  • Tick
  • Trick
  • Track

Track is the Leader/Manager. All Machines runs Debian 12.0 (RC, as it is not yet released)

Show Nodes

docker node ls
root@track:~# docker node ls
ID                            HOSTNAME    STATUS    AVAILABILITY   MANAGER STATUS   ENGINE VERSION
b2zvkc374v08q2rpocljhkg5n     tick        Ready     Active                          23.0.2
khom3cx05bxqxktjq1k5j16gk *   track       Ready     Active         Leader           23.0.2
lq53s6mhuzvqrehks0j68sr3e     trick       Ready     Active                          23.0.2

Create Simple Service

Run a simple Docker service that uses an alpine-based filesystem, and isolates a ping to 8.8.8.8