Analog scratched record thinking.

home | blog | Teh Internet | guest blog |rants | placeholder | political | projects | Gwen and Liam | Citadel patched | Tools | Scouts

- Careful Chrome users, this search box might be "Not secure"

3 April 2019, 20:31 UTCnetplan with a plan (dhcp and alt dns servers):

Need to add dns servers to netplan?
Start with the default dhcp setup, and neuter it:
- create /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
- add just this to it: network: {config: disabled}
- take the default netplan.yaml in /etc/netplan, and add:

            addresses: []
            dhcp4: true
    version: 2

And change to add (indents matter!):
            addresses: []
            dhcp4: true
              addresses: [,]
    version: 2

Give it a go with:
netplan try


13 March 2019, 13:21 UTCMore systemd in the way. - deluser.

deluser --force --remove-home --remove-all-files olduser

userdel: user olduser is currently used by process 12345


Don't make me resort to killing a process that should have already been dead.


17 January 2019, 21:46 UTCInstalling .Net 3.5 on Windows 10 and failing?

Try this:

Copy the cab from Windows 10 DVD to the admin user account on the local machine:
D:\Sources\sxs\*.* .

Run a Powershell (as administrator) and issued the following command:
Add-WindowsCapability -Online -Name NetFx3~~~~ -Source c:\users\username


31 December 2018, 23:04 UTCcompgen -c (you complete me)

Give this one a spin - find commands available:

compgen -c
line bash built in for giving command completions.
Best use is to check if hunt the wumpus is installed of course.
man bash, and look for the compgen / complete section for more info.
Lots of fun to be had if you are mischievous.


16 December 2018, 6:03 UTCRIP Timothy C. May - December 2018

Without further ado : cyphernomicon.txt


11 December 2018, 12:43 UTCFirewalld - what is it?

Firewalld seems to be a way to "magic away" some of the manual configuration iptables rules of old.
Here are the main points that I have found:
This is for the "zones" and magic pre-configuration
This is for the more granular rules

So, it would seem there are a set of "zones" that per-configure the traffic assumptions...
I have repeated them here, so I have a snapshot should that link go away:
drop: Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.

block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4
and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.

public: For use in public areas. You do not trust the other computers on networks to not harm your
computer. Only selected incoming connections are accepted.

external: For use on external networks with masquerading enabled especially for routers. You do not trust
the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

dmz: For computers in your demilitarized zone that are publicly-accessible with limited access to your
internal network. Only selected incoming connections are accepted.

work: For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only
selected incoming connections are accepted.

home: For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only
selected incoming connections are accepted.

internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your
computer. Only selected incoming connections are accepted.

trusted: All network connections are accepted. 

So, rather than setting some defaults as you would with iptables, you just set the default zone.
The choice of the zone depends on how locked down outbound and inbound traffic needs to be.
It looks like it may interact with network-manager (should you be using that), to set the default zone.
Zones can be filled with services, ports, and protocols using the easy rules from that first link.
firewall-cmd sets them up. The services are not from /etc/services, but rather xml files in its config.
You need to define your own should they not exist for the many services that are not in the defaults.
For the harder work, you need to use the "Rich Language" bit. Looks pretty much like iptables or ip6tables.
If you don't use the --permanent flag to firewall-cmd, your added rule won't survive a reboot / reload, but they
be applied immediately.

So, if you want them to stick, do use the --permanent flag, but with a follow up:
firewall-cmd --reload

So, for example, to add rules to the default zone (public) -
- first make sure it is installed:
apt install firewalld
- make sure it is running (and running at boot):
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --state
- now check for what is what:
firewall-cmd --list-all-zones
-Now to restrict things in the default (public) zone:
firewall-cmd --add-rich-rule='rule family="ipv4" service name="ssh" source address="your.ip.add.ress" accept' --permanent
- do the same for ipv6, and remove the defaults (have a back way in!):
firewall-cmd --zone=public --remove-service=ssh --permanent
firewall-cmd --reload

So you can see how to restrict some of the defaults by adding a "rich-rule", and removing the default allow access.
Don't forget to check the other zones and rules that are in by default, so you can tweak the zone that most closely
matches the level of blocking for your use case.
You might not find a zone that matches what you want to do, so you might need to make one, and tweak it.
To put things back:
# put back the blanket allow from the default public zone, and reload the saved rule:
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --reload
# note, the more restrictive rule is still in there, but the allow all ssh overrides it, it would seem.  Not sure about order.
# To remove it:
firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" service name="ssh" source address="your.ip.add.ress" accept' --permanent
# and of course, reload to make the saved rules the default you are currently running:
firewall-cmd --reload
# and recheck:
firewall-cmd --list-all-zones

Funky interaction with fail2ban
I have been having issues with fail2ban and firewalld on reboots. Not sure why yet, but I just purge the package on restricted hosts.


5 December 2018, 15:05 UTCPolicyKit - uid's > max_int allows unprivileged user to run systemctl commands.

Seems that unprivileged users with a uid > int will hold will be allowed to run anything.
You might want to check your uid's!
Should not happen by default, but there might be buggy software out there.


30 November 2018, 3:35 UTCOld Sonicwall - nogo ssh?

Are you getting the following error when trying to ssh to an ancient Sonicwall?

ssh_dispatch_run_fatal: Connection to ip.of.sonic.wall port 22: DH GEX group out of range

Give this a try:
ssh -l admin -o KexAlgorithms=diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa ip.of.sonic.wall


27 November 2018, 20:33 UTCBracketed paste mode \e[200~ (and) \e[201~ (or) 30 7E ... 31 7E (or) ~0 ... 1~

Middle chord not giving you what you expect when pasting?
Check to make sure some misbehaving program did not get your term in to bracketed paste mode.

More here:

In short, put junk in your cut and paste to save yourself from yourself.
To fix in a term, try reset.
Seems to happen quite a bit for me with Ubuntu 18.04 sessions (after cut and paste in that session - especially with VIM 8).
Gotta love progress. Thanks for the extra protection Ubuntu package managers. Please, screw up the
local terminal session with the stuff going on the remote session, so further cut 'n paste stops working!

Can make you think you lost the ability to middle chord paste for passwords.

Might be more to this than I thought:

You might want to consider trying: bind 'set enable-bracketed-paste off'
If that works, chuck it in your inputrc (local or globally) depends on who shares your computer :-)

A quick way to test your term is to issue:
To turn it on;
printf '\e[?2004h'
To turn it off:
printf '\e[?2004l'


28 September 2018, 19:31 UTCAnybody seeing a pattern here? - SYN flood spoofing

So far, I have had the following IP's become what I assume is the brunt end of a spoofed SYN flood attack: <- observed from a server where I could not block - lasted almost 4 hours!

Not sure what the connection is, but if someone knows, feel free to let me know.
Not sure what to make of it yet.

Update Oct 1 2018
The spoofing continues.
Seems to now include some Cloudflare, Google User Content, and random other targets.
The rotating behavior is new as well.
Much of the hate seems directed at: - with other hosts in rotation (off and then on again short burst attacks). - seems to be in second place for the disdain.
others... (the burst ones that seem only to be attacked from 1 to 5 minutes at a shot over a 20 to 40 minute interval)


14 September 2018, 16:48 UTCUbuntu 18.04.1 - Libvirt/KVM/Qemu setup with Wok/Kimchi
23 August 2018, 21:04 UTCOk, now disable SMT / Hyper-threading? This is getting old.
20 August 2018, 20:53 UTCUh, yeah, good one Microsoft: Auto updating AD Sync, and wow....
6 August 2018, 20:02 UTCGet ready for the SegmentSmack and FragmentSmack TCP vulnerabilities.
31 July 2018, 22:19 UTCO Superman - Laurie Anderson
26 July 2018, 16:41 UTCBroken, but just wait! - High CPU usage issue in Azure AD Connect Health for Sync - update - 8/16/18
11 July 2018, 16:50 UTCBeginning of the end
6 July 2018, 5:24 UTCDuff's device
21 June 2018, 20:33 UTCosquery - extensions
16 June 2018, 4:54 UTCTariffs, what can we make of them.
11 June 2018, 4:50 UTCDigital vs analog world
5 June 2018, 15:50 UTCMore Backups... WindowsImageBackup to a share.
4 June 2018, 18:31 UTCNow that Github is on the dark side, here is how to back up your new Gitlab instance :-)
31 May 2018, 19:37 UTCCheck your SSL at the door, and keep your POODLE inside.
30 May 2018, 5:09 UTCDon't give up!
8 May 2018, 15:08 UTCVery Magic! VIM needs hand holding for some sed replacments:
4 May 2018, 4:56 UTCYea! Amateur Radio gets a mention in a scientific paper!
2 May 2018, 3:53 UTCbell labs, xerox parc, (mitre?)
18 April 2018, 19:57 UTCTrusov Ilya Igorevych
29 March 2018, 21:11 UTCDrupalgeddon2

All older entries

[atom feed]