All posts by Fawcs

The author is working as an IT-Systems Engineer for an Austrian company and has spezialiced on Linux (RHEL), Deployment and Monitoring but is also working with VMware, Windows, Cisco, ...
Ansible, Linux

Ansible handlers (within roles) – run multiple tasks

Leave a comment

Sometimes it could happen that we want to run multiple tasks after configuration file has changed instead of just one.

My specific usecase is, that I’m having a role that configures a SSL-certificate and additional SSL settings for an Apache webserver which could run standalone on a server or as a pacemaker resource.

If it is running directly on the server it’s quite simple and a handler is sufficient to restart the Apache service after the role ran through. In case the Apache is running as a pacemaker resource the resource should be restarted instead of the whole service to make sure pacemaker does not get confused. Therefore it is necessary to first check if we have the service running as a pacemaker resource first and execute the corresponding task afterwards so a single task (within our handler) is not sufficient.
Using the block statement will also not lead to success but fail with : ERROR! The requested handler 'Apply Apache Config' was not found in either the main handlers list nor in the listening handlers list

My approach to tackle this issue was to “missuse” the handler to only set a variable if something changed.
At the end of the role I’m checking if the variable is ture and if so, I’m including/executing my “handler-block”.

defaults/main.yml

common_linux_zabbix_server_web_ssl_path_private_apply_apache_config: no

handlers/main.yml

---
# handlers file for common_linux_zabbix_server_web_certificate

#set a fact which is checked at the end of the role-tasks
- name: "Apply Apache Config"
  set_fact:
    common_linux_zabbix_server_web_ssl_path_private_apply_apache_config: yes

tasks/main.yml

---
...
all your other tasks are executed before these following tasks
...


# workaround to run multiple tasks within a handler -> run the handlers if any of the above tasks did change something to notify the handler
- meta: flush_handlers

- name: "Run multiple tasks as a handler"
  include_tasks: ./restart_apache_resource_or_service.yml

tasks/restart_apache_resource_or_service.yml


---
- name: "Check if cluster resource exists"
  shell: "pcs resource | grep zbx_srv_httpd"
  ignore_errors: yes
  register: check

- name: "Restart cluster resource:"
  shell: "pcs resource restart zbx_srv_httpd"
  register: resource_restart
  when: check.rc == 0

- fail:
    msg: "An error occured when restarting the cluster resurce!"
  when: resource_restart.rc != 0

#Just restart the httpd service if no cluster resource was found
- name: "Restart httpd service"
  service:
    name: "httpd"
    state: restarted
  when: check.rc != 0[
Homeautomaticion

HTTP to Pioneer SC-55 IP Interface

Leave a comment

Pioneers AV receivers support network control over a proprietary protocol (SC-55 IP) that used a raw IP connection to the AV receivers port 8102.

This provides the possibility to easily control the AV receiver from the smartphone with tools like Tasker to automatically turn on the AV receiver, switch to the Bluetooth adapter, connect to the receiver and play music just by pressing one button instead of fiddling around for a minute will everything is working.
However, Tasker itself does not support RAW IP connections and in my experience the Send/Except-Plugin which could be used for sending the commands to the receiver, isn’t as stable as I’d wish that it was.

So I wrote a little flask restful application that works as a HTTP to RAW Pioneer gateway.
The script is hosted on a little Raspberry Pi that runs 24/7 and forwards the commands to the AV receiver.

The Script itself is hosted in the following repository:
https://gitlab.com/weixeflo/pioneer-sc-55-ip-via-rest-gw

To allow the receiver to be woken up when powered of it is necessary to enable the “Network Standy Mode”

Uncategorized

Tasmota/Platformio error when compiling Tasmota for ESP8266 (firmware.elf section `.text’ will not fit in region `iram1_0_seg’ )

Leave a comment

After changing my Tasmota ESP8266-dev environment to Visual Studio Code I ran into the problem that I always got the following error when trying to recompile my customized Tasmota firmware:

c:/users/username/.platformio/packages/toolchain-xtensa@1.40802.0/bin/../lib/gcc/xtensa-lx106-elf/4.8.2/../../../../xtensa-lx106-elf/bin/ld.exe: .pio\build\sonoff-sensors\firmware.elf section `.text' will not fit in region `iram1_0_seg'
collect2.exe: error: ld returned 1 exit status
*** [.pio\build\sonoff-sensors\firmware.elf] Error 1

Seems the problem is introduced by the updated Platformio 4 environemnt which ships some updated libraries that do not comply to the ESP-requirements. To work with Platformio 4 it is necessary to adapt the platformio.ini to match the following configuration:

[platformio]
build_dir = .pioenvs

[env:myesp8266env]
platform = espressif8266@1.5.0
...
platformio.ini configuration file

https://github.com/platformio/platform-espressif8266/releases/tag/v1.5.0

Discussion on the Github bugtracker for the Tasmota project:
https://github.com/arendst/Sonoff-Tasmota/issues/6073#issuecomment-511111038

Linux, Security, Tools

Get CVE information from NIST NVD and RHEL

Leave a comment

Just two littel scripts that come handy if you want to download all the CVE info in JSON format for offline use.

[pastacode lang=”bash” manual=”%23!%2Fbin%2Fbash%0Aurls%3D%24(curl%20https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdata-feeds%23JSON_FEED%20%7C%20grep%20’https%3A%2F%2F’%20%7C%20grep%20-i%20json.gz%20%7C%20sed%20’s%2F.*href%3D%2F%2Fg’%20%7C%20cut%20-d%5C’%20%20-f2)%0A%0Amkdir%20-p%20.%2FnistNvdJson%0Acd%20nistNvdJson%0Afor%20l%20in%20%24urls%3B%0Ado%0Awget%20%24l%0Adone%0Agunzip%20*%0A” message=”Donwload NIST NVD CVEs in JSON” highlight=”” provider=”manual”/]

 

[pastacode lang=”bash” manual=”%23!%2Fbin%2Fbash%0A%0A%0AloopVar%3D1%0AdataDir%3D%22rhelCveData%22%0Amkdir%20%24dataDir%20-p%0Aecho%20%22getting%20data%3A%22%0AT%3D%22%24(date%20%2B%25s)%22%0Awhile%20%5B%5B%20%24loopVar%20-ne%200%20%5D%5D%3B%0Ado%0A%20%20%20%20%20%20%20%20echo%20-n%20%22-%24loopVar-%20%22%0A%20%20%20%20%20%20%20%20data%3D%24(curl%20-s%20https%3A%2F%2Faccess.redhat.com%2Flabs%2Fsecuritydataapi%2Fcve.json%3Fpage%3D%24loopVar)%0A%20%20%20%20%20%20%20%20if%20%5B%5B%20%22%24data%22%20%3D%3D%20%22%5B%5D%22%20%5D%5D%3B%20then%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20loopVar%3D0%0A%20%20%20%20%20%20%20%20else%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20toFile%3D%24toFile%24%7Bdata%3A1%3A-1%7D%22%2C%20%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20let%20loopVar%3DloopVar%2B1%0A%20%20%20%20%20%20%20%20fi%0Adone%0AT%3D%22%24((%24(date%20%2B%25s)-T))%22%0Aecho%20%22%5B%24%7BtoFile%3A%3A-2%7D%5D%22%20%3E%3E%20%22%24dataDir%2FrhelCve.json%22%0Ased%20-i%20’s%2F%5E%5C%5B%5C%5D%24%2F%2Fg’%20%22%24dataDir%2FrhelCve.json%22%0Aprintf%20%22Got%20data%20in%3A%20%2502dd%3A%2502dh%3A%2502dm%3A%2502ds%5Cn%22%20%22%24((T%2F86400))%22%20%22%24((T%2F3600%2524))%22%20%22%24((T%2F60%2560))%22%20%22%24((T%2560))%22%0A” message=”Get CVE infos for RHEL” highlight=”” provider=”manual”/]

 

Additional information:
If you query the NIST NVD Data and search for RHEL CPEs you won’t get a lot of hits as only a smal percentage of the CVEs that affect Red Hat software has the correct CPE attached. However – NIST NVD is nice to have because in the Red Hat CVEs only the total CVSS score is listed but no detailed vulnerability metrics are included.

Linux, Monitoring, VMware, Zabbix

vCenter alarm Polling (v2) – Cross platform version (Windows & Appliance)

Leave a comment

As it has been some time since my last post about a solution on how to get vCenter alarms to Zabbix, and VMware also evolved I followed a new approach on that topic as my initial post only supports Windows vCenters. Furthermore the solution is not as stable as I wished that it would be, so my new approach is to query all alarms from a vCenter via it’s SDK.
Initially all the alarms are discovered and created in Zabbix and in a second step the values for the discovered alarms are polled.
Currently the script used the data center object of the vCenter to discover alarms, so it can’t be used on a standalone ESXi-Server. However – if the code is changed to use whatever object is needed to get the alarms directly from the ESXi-server it should also be possible to get alarms directly from a server without the need of a vCenter (but I didn’t implement that till now as there wasn’t the need/time).

vCenter alarms – SDK (tested with ESXi 6.0+ and Zabbix 3.0 on RHEL 7)

To install the vCenter alarms the attached zip needs to be downloaded and the VMware Perl SDK must be installed on the Zabbix Server.
The template needs to be imported into Zabbix and the vCenter username and password need to be set in the username/password macros of the template.

The other two files (vcenterAlarms.pl & vcenterAlarms.wrapper) need to be extracted to the externalscripts folder of the Zabbix Server. The wrapper script is just a shell script that is executed by a Zabbix item to call the per script and send the that to Zabbix via Zabbix Sender.  As the VMware API is quite slow the wrapper also starts itself again with NOHUP because otherwise the timeout defined in the Zabbix Server configuration would cause an exit of the script. For my setup it always took longer than 30 Seconds till tall data where gathered and therefor the Zabbix Server would kill the script in the middle of the execution and no data would be sent to Zabbix. That’s why I added this workaround. Furthermore it also checks if there are less than eleven vcenterAlarms.wrapper processes running, and only starts if there are less, to ensure that Zabbix does not spawn hundreds of NOHUP-processes.

 

 

 

 

Linux, Security, Webserver

Apache – force autocomplete=off for password fields

Leave a comment

If 3rd party software is installed it is quite likely that the autocomplete attribute for password fields is not set to off. Editing such settings directly in the sourceode is possible most of the time, but it’s not the nicest way and you also run into the problem that everything could be gone again after an update of the software.

A nice workaround is to use the substitute module to accomplish that.

[pastacode lang=”markup” manual=”%3CLocation%20%22%2F%22%3E%0A%20%20%20%20AddOutputFilterByType%20SUBSTITUTE%20text%2Fhtml%0A%20%20%20%20Substitute%20%22s%7C%3Cinput%20type%3Dpassword%7C%3Cinput%20type%3Dpassword%20autocomplete%3Doff%7Ci%22%0A%3C%2FLocation%3E” message=”disable autocomplete for password fields” highlight=”” provider=”manual”/]

Uncategorized

Suggested Webserver security settings

Leave a comment

[pastacode lang=”apacheconf” manual=”%0A%23Security%20Settings%20start%0A%23https%3A%2F%2Fsecurityheaders.io%2F%3Fq%3Dblog.fawcs.info%26hide%3Don%26followRedirects%3Don%0A%23HSTS-enabled%0AHeader%20always%20set%20Strict-Transport-Security%20%22max-age%3D31536000%3B%20includeSubDomains%3B%20pre%0A%23Content-Security-Policy%0AHeader%20always%20set%20Content-Security-Policy%20%22default-src%20https%3A%20data%3A%20’unsafe-inline’%20’%0A%23Public-Key-Pins%0A%0A%0A%23X-Frame-Options%0AHeader%20always%20set%20X-Frame-Options%20%22SAMEORIGIN%22%0A%23X-XSS-Protection%0AHeader%20always%20set%20X-Xss-Protection%20%221%3B%20mode%3Dblock%22%0A%23X-Content-Type-Options%0AHeader%20always%20set%20X-Content-Type-Options%20%22nosniff%22%0A%0ASSLProxyEngine%20on%0ASSLEngine%20on%0ASSLProtocol%20all%20-SSLv2%20-SSLv3%20-TLSv1%0ASSLHonorCipherOrder%20on%0ASSLCipherSuite%20%22EECDH%2BECDSA%2BAESGCM%20EECDH%2BaRSA%2BAESGCM%20EECDH%2BECDSA%2BSHA384%20EECDH%2BECDSA%2BS%20!3DES%20!MD5%20!EXP%20!PSK%20!SRP%20!DSS%22%0A%0A%23Custom%20Settings%0ATraceEnable%20off%0AServerSignature%20Off%0AServerTokens%20Prod%0A” message=”” highlight=”” provider=”manual”/]

Deployment, Tools, Windows

Windwos telephone activiation – shortcut

Leave a comment 
When using the telephone activiation select the option that MS sends you a link to an activation page. http://md.vivr.io/XxX0c0C Use the link and the following commands on the computer to extracte the activaition ID from the system, paste it on the webinterface and copy the confirmation ID back to the system. To paste the activiation ID on the Microsoft Website use the cscript command to print the ID to the command prompt, copy it to Keepass in the autotype field and use the autotype option to paste the blocks. To strip the response NPP + the follwoing regex can be used: [A-Z]|\t|\n -> Strips all upper case characters, tabstops and CRs

 

Tools Needed:

  • KeePass (or any other autotype tool)
  • Notepad++
    NPP-Regex for search and replace: [A-Z]|\t|\n

 

Commands:

#Install Productkey
slmgr /ipk <ProductKey>

#Display activation ID
cscript C:\Windows\System32\slmgr.vbs /dti

From <https://social.technet.microsoft.com/Forums/windows/de-DE/3ead2d77-00fc-4c06-b4c0-82eae0ebc2bc/save-slmgr-dli-output-to-text-file?forum=w7itproinstall>

#install confirmation ID from Microsoft
slmgr /atp <Confirmation ID>

#Check Status
slmgr /dlv
OR
slmgr /dli

From <http://www.thewindowsclub.com/view-licensing-status-activation-id-windows-slmg

Linux, Network

Create you onw 4to6-tunnel / Access IPv6 service from IPv4 address

Leave a comment

With my recent ISP-change for my internet at home there where quite a lot of changes. One of that changes was, that UPC – my current provider – uses DualStack Lite.
For me it’s the first ISP that really provides IPv6. So that’s pretty cool and I finally had the chance (was forced) into digging deeper into IPv6.

In general everything is working quite well but, as it’s dual stack lite my router doesn’t provide an option to do some portforwarding to one of my hosts inside my local network. At least not for IPv4 connections. So I have no chance to access one of my devices via my public IPv4 address what becomes a problem when I want to connect to my home network via VPN from an IPv4 only network.

I couldn’t find any suitable 4to6 tunnel broker that lets me access my IPv6-devices through an IPv4 address, but luckily I have a VPS that runs on real dualstack and therefor has an IPv4 and IPv6 address.

So to access my IPV6 VPN server in my private network from an IPv4 only network I created an SSH-tunnel from my VPN-server (that runs on a Raspberry PI) to my VPS and forwarded the OpenVPN port.

To do that the VPS’ sshd-configuration needs to be adapted to expose forwarded ports to it’s public IP-address(es). For that the following setting needs to be added to/ changed in the sshd_config:

[pastacode lang=”bash” manual=”GatewayPorts%20yes” message=”” highlight=”” provider=”manual”/]

 

After that I created the following script on my VPN-Raspberry:

[pastacode lang=”bash” manual=”%23!%2Fbin%2Fbash%0A%0AvarConnectionString%3D%22-nNT%20-R%201194%3Alocalhost%3A1194%20%3Cusername%3E%40%3Cservername%3E%20-p%20%3Cport%3E%22%0A%0Aif%20%5B%5B%20%24(ps%20aux%20%7C%20grep%20-v%20%22grep%22%20%7C%20grep%20%22%24(echo%20%24varConnectionString%20%7C%20sed%20’s%2F%5E-%2F%5C%5C-%2Fg’)%22)%20%5D%5D%3B%20then%0A%0Aecho%20%22Found%20active%20connection%22%0A%0Aelse%0A%0Aecho%20%22No%20active%20connection%20found%22%0Assh%20%24(echo%20%24varConnectionString)%20%26%0Afi” message=”create SSH-tunnel” highlight=”” provider=”manual”/]

That script is added to be exectuted every half hour as a cronjob. So if the connection (for whatever reason) gets diconnected it will automatically reconnect to the VPS and forward the port again.

 

Database, Linux

ORACLE – Convert datetime to epoch / unixtimestamp

2 Comments

It seems Oracle DB doesn’t provide a function to create a unix timestamp from an internal datetime. I have to admit – I’m kinda disappointed about that, but OK – its Oracle …

So, how can we get a timestamp from Oracle. I have googled quite a time, but non of the solutions google offered me worked, so i it’s time to think about it by myself and ended up with the following solution:

[pastacode lang=”sql” manual=”select%20(extract(day%20from%20(EVENT_TIME%20%20-%20to_date(’01-JAN-1970’%2C’DD-MON-YYYY’)))*86400%2Bextract(hour%20from%20EVENT_TIME)*3600%2Bextract(minute%20from%20EVENT_TIME)*60%2Bextract(second%20from%20EVENT_TIME))%20as%20EPOCH%20from%20SOMETABLE%20order%20by%20event_time%20DESC%3B%0A” message=”” highlight=”” provider=”manual”/]

At first I subtract the start of the epoch from my current timestamp. this will provide me the days since 1970-01-01. Afterwards I extract hours, minutes and seconds from the timestamp and with all those data it’s possible to calc the timestamp of the specific datetime.