Debian 8 update in 2024 Feb

Did you try apt-get update on Debian 8? It was easy in the old days, but not today.

Why? Debian 8 reached end of life. By default, apt fetches updates from http://httpredir.debian.org/debian, but this site no longer carries the updates/packages for Debian 8.

If you search for ‘apt-get update debian 8’, you’ll find a lot of information, but most of it no longer works (e.g. using http://archive.debian.org, where the signature has expired).

Warning!!! The following will make your system insecure

To make apt work, change the /etc/apt/sources.list file to

deb [trusted=yes] http://archive.debian.org/debian jessie main contrib non-free
deb [trusted=yes] http://archive.debian.org/debian jessie-backports main contrib non-free
deb [trusted=yes] http://archive.debian.org/debian-security jessie/updates main contrib non-free
deb-src [trusted=yes] http://archive.debian.org/debian/ jessie main contrib non-free

Make your own modifications to fit your requirements, like removing the deb-src line, removing non-free, removing backports, etc. Bear in mind that the keyring/signature expiration message is still shown when you run apt/apt-get.

Since the above change always trusts a non-HTTPS site, a better solution (still insecure) is to install “apt-transport-https” and change http to https.

For Docker, simply add the following to the Dockerfile

RUN    echo "deb [trusted=yes] http://archive.debian.org/debian jessie contrib main non-free" >  /etc/apt/sources.list \
&& echo "deb [trusted=yes] http://archive.debian.org/debian jessie-backports main contrib non-free" >> /etc/apt/sources.list \
&& echo "deb [trusted=yes] http://archive.debian.org/debian-security jessie/updates main contrib non-free" >> /etc/apt/sources.list \
&& echo "deb-src [trusted=yes] http://archive.debian.org/debian/ jessie main contrib non-free" >> /etc/apt/sources.list

Abusing the use of Biometrics

The use of biometrics in authentication has become popular in recent years. But are they more secure than the alternatives, such as passwords?

Biometric authentication can be found in phone unlock, door unlock, bank account login, retail sales, etc. We can foresee more and more services making use of this technology. However, how many people know how safe it is?

Security Concerns

1. Biometrics cannot be changed
Unlike passwords or smart cards, biometrics can never be changed. Once your biometrics are compromised, there is no way to change them.

Do you know that every day your fingerprints/face are exposed to phone manufacturers, banks, law enforcement and retail shops? Can you guarantee they don’t copy/clone/sell your biometrics?

Do you know that some phone manufacturers, computer manufacturers and phone apps send data to third parties continuously without your consent? I don’t know, but you can find the answers on the internet.

2. Never use a single password for all services
Oh, I’m talking about biometrics, not passwords. But everybody knows that we should use a different password for each service. How do you do that with biometric authentication?

You have 10 fingers, one face, two eyes, a single voice, two ears, summing up to … 16 different biometrics for your whole life. So you can enjoy at most 16 services using biometric authentication for your whole life.

3. Biometrics are not secret and are exposed to the public
Your face, voice and fingerprints are exposed to the public. Anyone can copy them.

Did you hear that someone was forced to unlock his phone using his biometrics? Except for voice, all other biometrics can be obtained quite easily.

Did you know some phones can be unlocked using the owner’s photo? Yes, this is a flaw in the software, but it is also a warning sign for this technology.

Conclusion

Today, cloning biometrics is not as hard as you might imagine, but reproducing the biometrics is not an easy task. But I think this is just a matter of time.

The origin of this technology is to identify, not to authenticate.  We are abusing the use of this technology.

Start privileged Linux daemon when Windows boots without user login

Windows 10 WSL

With WSL, you can install many Linux distros in Windows, e.g. officially Ubuntu, Ubuntu1804, Debian, … and unofficially Archlinux. To start a background Linux daemon when Windows starts, you need

  1. A recent version of Windows 10 (e.g. 1803, or maybe 1709, but not tested)
  2. Enable the Windows Subsystem for Linux
  3. Install a Linux distro from the Windows Store (e.g. Ubuntu1804)

To test, create a simple script in your home folder, e.g. /home/username/testscript.sh


#!/bin/bash
# Append a timestamp every 10 seconds so you can tell from Windows whether the task is running.
while true
do
  date >> /mnt/c/tmp/test.txt
  sleep 10
done

Now in Windows Task Scheduler, create a new task with

command=bash

argument = -c /home/username/testscript.sh

Modify this task to “Run whether user is logged on or not”.


Here is the output

[Screenshot: tail output of /mnt/c/tmp/test.txt]

Reboot your Windows machine without logging in to see whether the task is started.

Run Linux system daemon in Windows

Warning: You should understand the following completely before doing it, because it allows a normal user to run as root.

You can start any task; even “cron” can be started without problem. But if you want to start cron, you need a special trick: setuid. This is because a normal user cannot start a privileged daemon like /usr/sbin/cron.

The command to start ‘cron’ in Windows Task Scheduler is similar:


bash -c /etc/init.d/cron start

But before you do it, you must set the setuid bit on /usr/sbin/cron (log in as root and run chmod u+s /usr/sbin/cron). You may ask some Linux people how to limit which user(s) can run the ‘cron’ daemon.

Alternatively, you can modify the sudo configuration, e.g. add a file under /etc/sudoers.d for the default user so that the default user doesn’t need a password to sudo the cron daemon.

I created the following cron task


* * * * * /bin/bash -c "echo hello from cron" >> /mnt/c/tmp/test.txt

You may already have noticed that the tail output screen above includes this cron task’s output.

 

You can also start the ssh server. Points to notice:

  1. Port: if you also enable the Windows 10 OpenSSH server, you should change Ubuntu’s sshd port to another one.
  2. The command to start it is (assuming you can sudo without a password):

bash -c "sudo service ssh start"

 

Update 2021-06-18
I tried the above on WSL2 with Windows 10 1909 (details below). It works without problems.

Summary (assuming Windows 10 Pro, 1909 or above, WSL2 enabled):

  1. Execute wsl --set-default-version 2
  2. Install Ubuntu-20.04 (or any distro you like)
  3. Inside the distro, sudo apt install docker.io (you may use the official way to install docker, but this is the simpler way)
  4. sudo nohup dockerd & (because WSL2 Ubuntu doesn’t come with systemd, you need to start the executable directly)
  5. Add the default user to the docker group by editing the group file, sudo vi /etc/group
  6. sudo nohup /usr/bin/dockerd  # you may add additional options you like, e.g. -H fd:// --containerd=/run/containerd/containerd.sock
  7. Check whether the docker daemon is running with “docker ps” or “docker run hello-world”
  8. Add a new file, /etc/sudoers.d/username, with the entry: username ALL=(ALL) NOPASSWD: /usr/bin/dockerd
  9. kill -s HUP $dockerd_pid  # kill the dockerd started in the previous step
  10. In Windows, try to execute dockerd: wsl.exe -d Ubuntu-20.04 sudo /usr/bin/dockerd
  11. If everything is OK, kill the dockerd daemon
  12. Add a new scheduled task: “Run whether user is logged on or not”, “Do not store password”; Trigger: At system start; Action: wsl -d Ubuntu-20.04 sudo /usr/bin/dockerd
  13. Run the scheduled task created in the last step
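
Both the /etc/sudoers.d hint in the cron/sshd section and step 8 above rely on a one-line NOPASSWD rule. The script below is an added example, not part of the original post: it writes such a drop-in for exactly one user and one absolute command path, sets the mode the sudoers manual recommends, and syntax-checks the result with visudo before it goes live. The user name “alice” and the output path parameter are constructed for the example; on a real host you would pass /etc/sudoers.d/username as the third argument.

```shell
#!/bin/sh
# Added example (not from the original post): generate and check a sudoers
# drop-in of the form "user ALL=(root) NOPASSWD: /path/to/daemon".
# The output path is a parameter so the function can be exercised on a temp file.

# write_sudoers_dropin USER COMMAND OUTFILE
write_sudoers_dropin() {
    user=$1
    cmd=$2
    out=$3
    case "$cmd" in
        /*) ;;
        *)  # A bare name would let any binary of that name found on PATH run as root.
            echo "command must be an absolute path: $cmd" >&2
            return 2 ;;
    esac
    # One user, one target user (root), one exact binary, no password prompt.
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$cmd" > "$out"
    # sudo rejects drop-ins that are writable by others; 0440 is the recommended mode.
    chmod 0440 "$out"
}

# check_dropin FILE -> 0 if visudo accepts the syntax (skipped when visudo is absent)
check_dropin() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not found, skipping syntax check" >&2
        return 0
    fi
    visudo -cf "$1" >/dev/null
}

# Typical use as root, matching step 8 above (hypothetical user name):
#   write_sudoers_dropin username /usr/bin/dockerd /etc/sudoers.d/username \
#     && check_dropin /etc/sudoers.d/username
```

Two things to keep in mind when you adapt it: a command listed without arguments may be run with any arguments, so append the exact argument string to the rule if you want to pin the invocation; and the rule only covers the command the scheduled task actually runs (here /usr/bin/dockerd), so a task that runs “sudo service ssh start” needs its own rule.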

Native OpenSSH on Windows 10

Just found by accident: the OpenSSH server as well as the client are available in Windows 10 Professional 1709 (Fall Creators Update).

You can enable it under Settings -> Apps & features -> Manage optional features -> Add a feature -> OpenSSH Client (Beta) and OpenSSH Server (Beta).


Remember to open port 22 in the Windows firewall to access your machine remotely using ssh and/or PuTTY.


Python Cherrypy Server Sent Event SSE (eventsource)

I could hardly find a good example of server-sent events using CherryPy (Python), so I wrote a simple one.

import datetime
import time
import cherrypy

class Root:  # any CherryPy application object; the class name is not on the original page
  @cherrypy.expose
  def systime(self):
    cherrypy.response.headers["Content-Type"] = "text/event-stream;charset=utf-8"
    def timedata():
      # Ten events, one per second; each SSE message ends with a blank line.
      for _ in range(10):
        yield bytes('id: {}\ndata:{{"time":"{}"}}\n\n'.format(
          int(time.time()), datetime.datetime.now().isoformat()), 'utf8')
        time.sleep(1)
    return timedata()
  # Stream the generator instead of buffering the whole response.
  systime._cp_config = {'response.stream': True}

 

You should also add some cache control so that the browser doesn’t cache your result.

CherryPy is not a good tool to publish SSE as it is not an async server. You may consider using an asyncio version of CherryPy (not official) or async servers like Tornado or Twisted.

noob iptables cheat sheet

Notes:

  1. All rules are processed from top down. Once a rule is matched (with a jump), the rest are ignored.
  2. Never run iptables -F if the default policy is DROP, or your system will become inaccessible. If possible, set the default policy to ACCEPT and add iptables -A INPUT -j DROP at the end.

List all rules

iptables -L -n -v --line-numbers

Flush all chains (-F) and delete all user-defined chains (-X)

Note: Please ensure the default policy is ACCEPT, or keep an ssh session open, before issuing

iptables -F

iptables -X

Set default policy (use with care)

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT DROP

Block incoming ip address

iptables -A INPUT -s aa.bb.cc.dd -j DROP

Block outgoing sites

iptables -A OUTPUT -p tcp -d  www.microsoft.co.uk -j DROP

Allow ping from specific ip’s only

iptables -A INPUT -s 1.2.3.0/24 -p icmp --icmp-type echo-request -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Allow ssh from specific ip’s only

iptables -A INPUT -s 1.2.3.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j DROP

Block incoming web access

iptables -A INPUT -p tcp --dport 80 -j DROP

Port forward

Forward incoming connection to another internal host (aa.bb.cc.dd:22)

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1022 -j DNAT --to aa.bb.cc.dd:22

iptables -A FORWARD -p tcp -d aa.bb.cc.dd --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Delete a rule

iptables -L -n -v --line-numbers

iptables -D INPUT {line-number}
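
The two notes at the top (top-down matching, and an explicit trailing DROP instead of a DROP policy) are easy to state and easy to get wrong when rules are added one at a time. The following is an added example, not part of the original cheat sheet: it builds a complete INPUT ruleset in iptables-restore format that follows both notes, reusing the ssh and ping rules above, and includes a small check that reports any INPUT rule appended after the catch-all DROP, which top-down matching makes unreachable. The trusted subnet 1.2.3.0/24 and port 22 are the cheat sheet’s placeholder values; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original cheat sheet): generate a ruleset that
# keeps the chain policy ACCEPT and ends with an explicit DROP, then detect dead rules.

# build_ruleset TRUSTED_CIDR SSH_PORT -> ruleset on stdout (iptables-restore format)
build_ruleset() {
    trusted=$1
    sshport=$2
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections we started are accepted first.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the trusted subnet may open ssh sessions or ping us.
-A INPUT -s $trusted -p tcp --dport $sshport -m state --state NEW -j ACCEPT
-A INPUT -s $trusted -p icmp --icmp-type echo-request -j ACCEPT
# Explicit catch-all DROP instead of a DROP policy, so "iptables -F" never locks you out.
-A INPUT -j DROP
COMMIT
EOF
}

# dead_rules < ruleset -> prints INPUT rules that sit after the catch-all DROP
# (they can never match because rules are evaluated top down)
dead_rules() {
    awk '
        $0 == "-A INPUT -j DROP" { after = 1; next }
        after && /^-A INPUT / { print }
        /^COMMIT$/ { after = 0 }
    '
}

# Typical use from a console session (not over ssh), after reviewing the output:
#   build_ruleset 1.2.3.0/24 22 | tee /tmp/rules.v4 | dead_rules
#   iptables-restore < /tmp/rules.v4
```

Because the chain policy stays ACCEPT, an emergency iptables -F on this ruleset reopens the host instead of locking it out, which is exactly the property note 2 asks for.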


Snappy Ubuntu Core on Hyper-V

Do you want to test drive Snappy Ubuntu Core on Hyper-V? Here are some simple steps.

1. Download the ova file from the official ubuntu website

https://developer.ubuntu.com/en/snappy/start/#ova
http://cloud-images.ubuntu.com/ubuntu-core/15.04/core/stable/current/core-stable-amd64-cloud.ova

2. Use 7-zip (Windows) or tar (Linux) to untar the ova file
3. Use an image converter (like VirtualBox) to convert the vmdk file to a vhd file.

e.g. VBoxManage.exe clonemedium core-stable-amd64-cloud-disk1.vmdk core-stable-amd64-cloud-disk1.vhd --format VHD

4. You can use the standard cloud-init way to set up the system (not discussed here), or:

5. mount the VHD file in any Linux machine and modify /etc/shadow (in partition 3) to clear the root password;

6. Create an ubuntu-core machine in Hyper-V and attach the vhd image.

7. Start the machine and enjoy.

Little Windows Batch to get yyyymmdd (year, month, day of month)

Do you need to write a Windows batch file that has to get yyyymmdd? It is a nightmare if you deploy your batch file to multiple machines (e.g. different Windows versions, different locale settings, etc).

Unlike Linux, the Windows built-in date command outputs a different format for different Windows versions (e.g. XP, 2003, 2012) or localized versions. And the user can also customize the output format.

In the old days, I’d write a little program to do this. But now there is a little tool, yyyymmdd.bat, https://github.com/litalidev/yyyymmdd, which seems to work on different Windows versions.

Step by Step Guide on Setting Up git Server in Arch Linux (pushable)

Warning: This guide creates a git server readable/writable by everyone, that is, with no user/authentication control.

# Login as root
pacman -S git

# If you want to push to the repository, do the following (3 steps).
vi /usr/lib/systemd/system/git-daemon@.service
# Append --enable=receive-pack to the ExecStart line
systemctl daemon-reload   # make systemd pick up the edited unit file

systemctl start git-daemon.socket

# If you want the git server to start on every reboot, do the following step
systemctl enable git-daemon.socket

cd /srv
mkdir git
chown git:git git
cd git

# Create a bare repository named project1.git
git init --bare project1.git
chown -R git:git project1.git

# At the workstation (Linux or Windows), root is not required.
# cd to your project base folder and clone project1.git to a local folder
cd /projects
git clone git://git_server_hostname_or_ipaddress/project1.git cloned_project1
cd cloned_project1
# Now you can do anything to the project (e.g. create a file file1.txt)
vi file1.txt
git add file1.txt
git commit -m "add file1.txt"
# First push from the fresh clone: publish master and set it as the upstream branch
git push -u origin master

Openwrt sysupgrade on x86 (barrier breaker)

WARNING: Before upgrading, you should back up the system first!!!

Disclaimer: This is just my experience. It is not guaranteed that the steps listed will work on your system.

 

OpenWrt upgrade on x86 could be very tricky in the old days. However, it became an easy task starting from Attitude Adjustment (12.09) onward.

The following lists the steps to upgrade to the latest snapshot (Barrier Breaker). Change the image downloaded in step 4 to the desired version.

  1. Do a full system backup to avoid any loss. This is very important!!!
  2. Log in to the system as root
  3. cd /tmp
  4. wget http://downloads.openwrt.org/snapshots/trunk/x86/openwrt-x86-generic-combined-ext4.img.gz
  5. sysupgrade -v /tmp/openwrt-x86-generic-combined-ext4.img.gz
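
The five steps above download an image and flash it as-is. The script below is an added example and not part of the original post: it wraps the same steps, but saves the configuration with sysupgrade -b first and refuses to flash an image whose SHA-256 does not match the published checksum list. The assumptions are mine: that a sha256sums file sits next to the image in the download directory (adjust SUMS_URL if your release publishes checksums under another name), and the function names.

```shell
#!/bin/sh
# Added example (not from the original post): back up, download, verify, then sysupgrade.
IMAGE_URL=http://downloads.openwrt.org/snapshots/trunk/x86/openwrt-x86-generic-combined-ext4.img.gz
SUMS_URL=${IMAGE_URL%/*}/sha256sums   # assumption: checksum list next to the image

# verify_image IMAGE SUMSFILE -> 0 only if IMAGE's sha256 matches its entry in SUMSFILE
verify_image() {
    img=$1
    sums=$2
    name=$(basename "$img")
    # Checksum lists use "<hash> *<file>" or "<hash>  <file>"; pick the line for our file.
    expected=$(grep -E "[[:space:]]\*?${name}\$" "$sums" | awk '{ print $1 }' | head -n 1)
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 1
    fi
    actual=$(sha256sum "$img" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# do_upgrade -> runs on the router itself; stops at the first failing step
do_upgrade() {
    cd /tmp || return 1
    sysupgrade -b /tmp/backup-before-upgrade.tar.gz || return 1   # step 1: config backup
    wget "$IMAGE_URL" || return 1                                  # step 4
    wget "$SUMS_URL" || return 1
    if ! verify_image "/tmp/${IMAGE_URL##*/}" /tmp/sha256sums; then
        echo "checksum mismatch, not flashing" >&2
        return 1
    fi
    sysupgrade -v "/tmp/${IMAGE_URL##*/}"                          # step 5
}
```

Copy the backup archive off the router before calling do_upgrade; /tmp is a RAM disk and does not survive the reboot that sysupgrade triggers.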


Openwrt in Hyper-V

Update: 2017-11-21 The below procedures also work in LEDE 17.01.4

Want to add an OpenWrt machine in Hyper-V for testing? Sadly, OpenWrt does not include the Hyper-V driver for the network device.

(Un)luckily there is a legacy network adapter in Hyper-V that can be used with OpenWrt.

Steps to add openwrt machine inside hyper-v:

  • In Hyper-V, add a machine with 64-128MB RAM and a legacy network adapter.
  • Copy the OpenWrt image to the virtual hard disk.
  • Mount the virtual hard disk (mount /dev/sda2 /mnt) and copy the tulip driver package to it.
  • Boot the OpenWrt machine.
  • Inside the OpenWrt machine, install the tulip driver (cd /; opkg install kmod-tulip_3.3.8-1_x86.ipk)
  • Run ifconfig -a to check the name of the network device.
  • Modify /etc/config/network as usual and restart the network (or reboot).

Installation of ssh server for debian-in-android (gnuroot)

Update (2014-11-20): After rebooting the phone, sshd (openssh-server) failed to start again (some error message like “chroot /var/run/sshd” failed). So the reliable way is still dropbear.

Update (2014-11-06): I can install openssh-server successfully under GNURoot. No special tricks (don’t know why it failed in my first trial) except changing the port to > 1024 (/etc/ssh/sshd_config) and chmod og-rwx /etc/ssh/*. After the modification, issue /etc/init.d/ssh start

Unlike a traditional Debian machine, you cannot install/run openssh-server inside Debian-in-Android (GNURoot). However, dropbear can be used instead.

Steps:

– Install android app GNURoot.

– Install android app, GNURoot Wheezy.

– Inside the Debian terminal, install dropbear (apt-get install dropbear).

– Modify /etc/default/dropbear and change the DROPBEAR_PORT to anything > 1024.

– (Update on 2014-07-04) Start the dropbear: /etc/init.d/dropbear start